VP, Active Directory Engineer, Technology Group

Location: Singapore, SG

Job Function: Technology Group

Job Type: Permanent

GIC is one of the world’s largest sovereign wealth funds. With over 2,000 employees across 11 locations around the world, we invest in more than 40 countries globally across asset classes and businesses. Working at GIC gives you exposure to an extraordinary network of the world’s industry leaders. As a leading global long-term investor, we work at the point of impact for Singapore’s financial future, and the communities we invest in worldwide.

The Technology Group (TG) is a key enabler to keep our business moving forward and is constantly exploiting state‑of‑the‑art information technologies to enhance GIC’s ability to be the leading global long‑term investment firm. We aim to provide users with empowering and transformational capabilities, and to create an inclusive, innovative and integrated work environment.

We are seeking a highly experienced Senior Active Directory (AD) Security Engineer to focus on securing, hardening, and automating enterprise Active Directory environments, ensuring robust Tier 0 protection, privileged access controls, trust hardening, OU/GPO security, and cyber resilience. The engineer will work closely with Red Teams, Penetration Testing, and Threat Detection functions to identify attack paths, simulate AD‑based threats, automate recovery capabilities, and continuously strengthen the enterprise AD security posture.

Design, secure, and manage enterprise‑scale Active Directory environments to ensure resilience, integrity, and threat resistance.

Implement and maintain Tier 0 (Privileged Access) controls aligned with Microsoft’s Enterprise Access Model (EAM) and Zero Trust principles.

Harden AD forests, domains, and trust relationships to prevent privilege escalation, domain compromise, and lateral movement.

Design and manage Privileged Access Workstations (PAWs) and enforce administrative boundaries for Tier 0 and Tier 1 assets.

Develop and maintain PowerShell automation frameworks to:

• Audit and report AD configuration, permissions, and delegation.
• Enforce baseline hardening and compliance controls.
• Automate remediation, monitoring, and hygiene tasks.
• Support AD forest recovery and validation scripts to improve RTO (Recovery Time Objective).

Design and implement AD Forest Recovery plans, perform automated recovery drills, and build operational readiness for cyberattack or ransomware scenarios.

Manage and secure Organizational Unit (OU) delegation models following least‑privilege principles.

Manage and harden Group Policy Objects (GPOs) to enforce security baselines, prevent policy abuse, and maintain configuration integrity.

Collaborate with Red Team, Penetration Testing, and SOC teams to identify vulnerabilities, validate attack paths, and remediate exposures.

Simulate and analyze Active Directory attack scenarios (DCSync, DCShadow, Golden/Silver Ticket, Pass‑the‑Hash, Kerberoasting).

Conduct AD threat modeling and exposure assessments using tools like BloodHound, PingCastle, ADRecon, and PowerView.

Integrate Threat Detection and Response capabilities within SOC operations and SIEM tools (e.g., Microsoft Sentinel, Splunk, QRadar).

Support Privileged Access Management (PAM) solutions such as CyberArk, BeyondTrust, or Thycotic to enforce Just‑in‑Time (JIT) and Just‑Enough Access (JEA).

Maintain detailed documentation, baselines, recovery guides, and post‑assessment reports to enhance AD security and resilience posture.

• Bachelor’s or Master’s in Computer Science, Cybersecurity, or related field.
• Minimum 5 years in AD security engineering.
• Deep expertise in Active Directory internals, including replication, Kerberos, LDAP, DNS, and Group Policy management.
• Proven experience in AD hardening, Tier 0 protection, trust management, and privileged access isolation.
• Hands‑on experience in AD forest recovery design, automation, and periodic recovery drills to enhance RTO and cyber resilience.
• Strong experience in OU design, delegation, and access control aligned with least‑privilege principles.
• Advanced knowledge in GPO management, including security baselining, auditing, and change control.
• Expert‑level PowerShell scripting and automation for auditing, reporting, and enforcing AD configurations.
• Experience collaborating with Red Teams and Penetration Testing Teams to simulate attacks and strengthen defences.
• Proficiency with AD security tools such as BloodHound, PingCastle, PurpleKnight, ADRecon, PowerView, and DSInternals.
• Knowledge of Privileged Access Management (PAM) solutions and SIEM integration for identity threat detection.
• Strong understanding of Zero Trust and EAM principles as applied to on‑prem AD environments.

We need to be forward‑looking to attract the right people to help us become the Leading Global Long‑term Investor. Join our ambitious, agile, and diverse teams—be empowered to push boundaries and pursue innovative ideas, share your views, and be heard. Be anchored on our PRIME Values: Prudence, Respect, Integrity, Merit and Excellence, which guide us in how we make our day‑to‑day decisions. We strive to inspire and to make an impact.

At GIC, our offices are vibrant hubs for ideation, professional growth, and interpersonal connection. At the same time, we believe that flexibility allows us to do our best work and be our best selves. Thus, our teams come into the office four days per week to harness the benefits of in‑person collaboration, but have the flexibility to choose which days they work from home and adjust this arrangement as situational needs arise.

As an employer, we passionately believe every individual brings with them unique diversity of thought and perspectives to meaningfully enrich perspectives of GIC teams to drive competitive performance. An inclusive environment yields exceptional contribution.