Information Security Analysts
Plan, implement, upgrade, or monitor security measures for the protection of computer networks and information. Assess system vulnerabilities for security risks and propose and implement risk mitigation strategies. May ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure. May respond to computer security breaches and viruses.
Key Responsibilities
- Develop plans to safeguard computer files against accidental or unauthorized modification, destruction, or disclosure and to meet emergency data processing needs.
- Monitor current reports of computer viruses to determine when to update virus protection systems.
- Encrypt data in transit and deploy firewalls so that confidential information stays protected while it is transmitted and malicious traffic is kept out.
- Perform risk assessments and test data processing systems to verify that both the processing activities and the security measures function as intended.
- Modify computer security files to incorporate new software, correct errors, or change individual access status.
- Review violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated.
- Document computer security and emergency measures policies, procedures, and tests.
- Confer with users to discuss issues such as computer data access needs, security violations, and programming changes.
Inside This Career
The information security analyst protects organizational systems and data from cyber threats, a role that combines technical expertise with strategic thinking as threats evolve constantly. A typical day involves monitoring security alerts, investigating potential incidents, reviewing access logs, and working on security improvement projects. Perhaps 40% of the time goes to monitoring and response: evaluating alerts, triaging potential threats, and responding to incidents when they occur. Another 30% involves proactive work: vulnerability assessments, security architecture review, and implementing protective measures. The remaining time splits between policy development, compliance documentation, and the continuous learning that cybersecurity demands. The work requires constant vigilance as adversaries adapt to defenses.
People who thrive in security analysis combine technical curiosity with paranoid thinking, the ability to imagine how systems can be abused. Successful analysts develop deep expertise in specific security domains while maintaining the breadth to understand how different attack vectors connect. They communicate security risks in terms that business leaders understand and act upon. Those who struggle often cannot maintain the constant learning that evolving threats require, or find the stress of protecting against determined adversaries overwhelming. Others fail because they cannot translate technical findings into business risk language. Burnout affects those who cannot disconnect from the always-on nature of security monitoring.
Information security has produced figures who shaped the field, from early researchers who demonstrated vulnerabilities to contemporary analysts who detect and expose major breaches. The CISO role has elevated security leadership to executive positions. The profession appears in popular culture through its drama: *Mr. Robot* portrayed security work extensively, while countless films feature hackers and defenders. The security analyst often appears either as the hero who prevents a breach or as the figure who failed to prevent one.
Practitioners cite the intellectual challenge of defending against skilled adversaries and the critical importance of the work as primary rewards. Compensation in cybersecurity is strong given persistent talent shortages, and ongoing demand provides career stability. The variety of threats and technologies prevents monotony. Common frustrations include the asymmetry between attackers, who need to find only one vulnerability, and defenders, who must protect everything. Many resent being seen as the department of "no" when trying to protect organizations from risks. The stress of incidents when they occur is intense. The continuous learning requirement is exhausting but necessary.
This career develops through various paths (IT operations, development, or security-focused education), with certifications like CISSP, Security+, and CEH providing credentials. Bachelor's degrees in computer science or cybersecurity are common but not universal. The role suits those who enjoy technical problem-solving and can maintain security focus despite the frustrations of organizational resistance. It is poorly suited to those who need strict work-life separation (incidents don't respect schedules), find constant learning exhausting, or struggle with the stress of high-stakes protection. Compensation is strong and growing, with specialized skills and senior positions commanding premium salaries.
Education & Training
Requirements
- Entry Education: Bachelor's degree
- Experience: Several years
- On-the-job Training: Several years
- License or certification required
AI Resilience Assessment
Moderate human advantage with manageable automation risk
Assessment dimensions: share of the job's tasks AI can currently perform; likelihood that AI replaces workers vs. assists them (BLS 2024-2034); degree to which the role relies on distinctly human capabilities.
What Workers Say
47 testimonials from Reddit
So… all the ATOs for basically all of the government are just… voided? Musk is installing his own, non-cleared, servers on-prem to access govt systems.
This is not a political question, but honestly, what the hell does the ATO say now? I work on govt security and honestly have NO IDEA what is waiting on us when we login on Monday. (Contractor)
NBC News seeking CISA sources
Hi Reddit, I'm Kevin Collier, the cybersecurity reporter at NBC News. Here's [my bio page at NBC](https://www.nbcnews.com/author/kevin-collier-ncpn1110251). Right now I'm specifically reporting on the Department of Government Efficiency's access to CISA systems, layoffs at CISA, and cuts to cybersecurity programs, funding, and employees at any agency. If that's something you have direct knowledge about and can contact me via Signal, or if you know someone to whom this applies and you can share this with them, I'd be grateful. We adhere to best practices for source protection. My Signal handle is kevincollier.01. Happy to verify my identity if you want to email me (though please don't use your work address) at [kevin.collier@nbcuni.com](mailto:kevin.collier@nbcuni.com). Thank you!
China just used Claude to hack 30 companies. The AI did 90% of the work. Anthropic caught them and is telling everyone how they did it.
September 2025. Anthropic detected suspicious activity on Claude. Started investigating. Turns out it was Chinese state-sponsored hackers. They used Claude Code to hack into roughly 30 companies. Big tech companies, banks, chemical manufacturers, and government agencies. The AI did 80-90% of the hacking work. Humans only had to intervene 4-6 times per campaign. Anthropic calls this "the first documented case of a large-scale cyberattack executed without substantial human intervention."

The hackers convinced Claude to hack for them. Then Claude analyzed targets -> spotted vulnerabilities -> wrote exploit code -> harvested passwords -> extracted data, and documented everything. All by itself. Claude's trained to refuse harmful requests. So how'd they get it to hack? They jailbroke it. Broke the attack into small, innocent-looking tasks. Told Claude it was an employee of a legitimate cybersecurity firm doing defensive testing. Claude had no idea it was actually hacking real companies.

The hackers used Claude Code, which is Anthropic's coding tool. It can search the web, retrieve data, and run software. Has access to password crackers, network scanners, and security tools. So they set up a framework. Pointed it at a target. Let Claude run autonomously. The AI made thousands of requests per second, an attack speed impossible for humans to match. Anthropic said "human involvement was much less frequent despite the larger scale of the attack."

Before this, hackers used AI as an advisor. Ask it questions. Get suggestions. But humans did the actual work. Now? AI does the work. Humans just point it in the right direction and check in occasionally. Anthropic detected it, banned the accounts, notified victims, and coordinated with authorities. Took 10 days to map the full scope.
Cyber security and all security is a joke
Guess I worked for nothing, if someone doesn't have clearance I'll just let them into my servers anyway... Can't make this stuff up. This is not political, but from a security perspective guarding classified data then getting fired for doing your job has me shaking my head at the fact all security is going to be dead soon since anyone even without clearance can get unfettered access to payments and personal info.
I can't believe I have to say this
If you work in cybersecurity or an adjacent space, DO NOT post private information related to your job on public websites like Reddit, Facebook, or LinkedIn. It may win you some quick fake internet points, but there can be long-lasting effects on your career. Someone who claims to work in the cybersecurity space did just that on Reddit and people are applauding them because it's juicy content. This can and will ruin your career chances if it gets linked back to you. It's not worth it, people..
I run a Red Team that routinely succeeds in compromising F500 companies. AMA.
My name is Jason, and I run the Targeted Operations Red Team at TrustedSec - an end-to-end offensive security shop founded by David Kennedy and based in the Cleveland, OH area. We run all manner of advanced offensive security engagements and have succeeded in compromising some of the largest companies in the world. We work to improve defense teams and routinely present at conferences and board meetings alike. I'm joined by several Targeted Operations operators: u/oddvarmoe u/int128 u/bebo_126. No question is off the table, but if you ask a troll question you are liable to get a troll answer (or no answer). xD [www.trustedsec.com](http://www.trustedsec.com)

EDIT1: For newcomers wanting to get more into red team, offsec: [https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqjqpnc/?utm\_source=share&utm\_medium=web3x&utm\_name=web3xcss&utm\_term=1&utm\_content=share\_button](https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqjqpnc/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button) Also: [https://trustedsec.com/blog/a-career-in-it-where-do-i-start](https://trustedsec.com/blog/a-career-in-it-where-do-i-start)

EDIT2: For those wanting to get into physical: [https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqjlmnb/?utm\_source=share&utm\_medium=web3x&utm\_name=web3xcss&utm\_term=1&utm\_content=share\_button](https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqjlmnb/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)

EDIT3: My favorite question so far: [https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqk1d2c/?utm\_source=share&utm\_medium=web3x&utm\_name=web3xcss&utm\_term=1&utm\_content=share\_button](https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqk1d2c/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)

EDIT4: On imposter syndrome: [https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqkq6a5/?utm\_source=share&utm\_medium=web3x&utm\_name=web3xcss&utm\_term=1&utm\_content=share\_button](https://www.reddit.com/r/cybersecurity/comments/1p5jah5/comment/nqkq6a5/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)
F* it, I'm (34M) going back to the SOC
I spent a long time as an Information Security Officer and it has pushed me to 5-minutes-to-burnout. The endless discussions with stakeholders that wouldn't recognize security if it hit them in the face drove me bonkers. I spent most of my days in and out of meetings, with almost half of them with people who want exceptions/waivers/get-out-of-jail-free cards. Leaving me doing actual work in the evenings and weekends. I spent these last 2 holiday weeks doing nothing but work with people who oh so badly needed their last-minute compliance before the end of year. I'm going back to L1,2,3 incident response and I will never look back. People tell me that it is a step back in my career, but idgaf anymore. Here's to quarantining devices juuuuuuust to be sure.

Edit: okay .... I see all the messages of people saying that I am in a privileged position to be able to make that choice. I genuinely apologize for complaining about my luxury position. I truly hope everyone who's passionate about it can join the CS game; for better or worse, the game is fun.

Edit 2: several people have asked me how they can manoeuvre themselves into infosec..... I have no shortcut guys, I really don't. I started as a software developer, learned about app security, SAST/DAST, vulnerability mgmt, service mgmt and some other stuff before I felt like I made it as a security pro. Certs definitely help; the CISSP being the gold standard for infosec. Easier are MS certs like the SC set, which looks good, as well as cloud certs such as AZ-104. AZ-500 is also a winner. You can't just step into it, you have to grow towards it.
Finally got a job!!
Well boys, I've done it. Graduated a year and a half ago with a BBA in Cybersecurity (stupid degree I know). Sent out hundreds of applications and finally got an interview with an insurance company in my city for an entry-level incident management role. They sent me an offer shortly after the second-round interview. I'm beyond excited to finally start my career in this industry. I've been stuck working at Starbucks this whole time and I just can't believe it's finally over. I just wanted to post somewhere about this win; I've been a lurker here for a while and I just wanted to share a little hope.
What I look for in a resume
We get a ton of people posting in the various cybersecurity and IT subs on how hard the job market is, especially when first starting out. Hundreds of resumes sent each month and no responses. You feel you are a perfect fit for all the job requirements and no responses. I want to help and share my perspective and what goes through my mind on the other side.

I've been hiring in cyber and IT for a bit over 25 years. I feel I've gotten pretty good at reading resumes at this point. I'm currently in cyber as an ISSM and need to hire an engineer to manage my tools: a SIEM, a vulnerability scanner, and an endpoint security solution. The job req just lists these technologies. I am not looking for specific tools as there are tons of them out there. This is a junior role looking for 2 years of experience with an associate's degree or 4 years without.

**Why I passed on a resume...**

1: Proofread your AI slop. AI can be a handy tool. Don't let it do all the work for you though. Pretty sure you aren't currently employed at three different companies. I'm also pretty sure your current job time of employment isn't "10/2025 - Current". When you send a resume it represents the quality of what you consider to be a completed task. If you aren't going to double check your resume you aren't going to double check your work on the job.

2: Get to the point of who you are. Don't have a 6-page resume that is double spaced, filled with keywords and no substance. "Responsible for strategic goals in a multifaceted team for multiple sites". What am I supposed to make out of that? If you aren't able to focus in on your message I'm not sure if you can, or if you even have a point, when we talk during the day. Will our conversations take forever? Will you be able to ask me for what you need? Yes I am aware of the irony in saying this in a long wall-of-text post lol. There is a time and place for both. It's not that I feel I am too good for your time, it's that I have 6 hours of meetings and 2 hours of doing the actual job I was hired to do. Those 2 hours will include supporting my entire team and everyone deserves support.

3: Bad spelling and grammar. This not only goes back to putting time and effort into quality output, but also you need to show that you can communicate well. I understand that English may not be your first language so I am not looking for perfection. But if I see a lot of red underlines that Word or Google Docs is throwing at me, it did the same to you.

4: Your resume should reflect your job experience. When you are brand new you have to blow your contributions out of proportion. "Responsible for the vulnerability management of 10,000 computers and improving security posture by 25%" I get it. You pushed out patches with WSUS or YUM. We all had to start somewhere. However this sort of wording should not come from someone who has 5, 10, or more years of experience and multiple IT-related jobs. Tell me your actual accomplishments. If you can't, I'm going to question what you did with all that time. This is a junior role but I am seeing a heck of a lot of over-experienced and over-qualified people applying. Again, this job market sucks.

5: Job hopping too soon. It takes about a month to open a job req, conduct interviews, select someone, and then have them give their 2 weeks' notice to their existing job. It's then going to take another month to get the equipment and accounts that are needed, for you to learn the team and office dynamics, and for you to start contributing. Then probably a 3rd month of needing my or a teammate's support. Finally, by month 4 of my team being short staffed, you are a net contributor in time vs productivity to the team. This is why people say you should be in a job for 1 year. If you change jobs every 6 months I'll never get my time investment back. I understand that RIFs happen, or your previous jobs weren't a good fit. 1 or 2 quick job hops is understandable. But two in a row and your current job has only been 3 months, I'm going to pass on you.

**Why I selected a resume...**

1: Color and formatting. Look, I have 2 dozen resumes to go through. They all start looking the same in context and substance and I sometimes read too fast. While I try to be conscious of this and give your resume the time it's due, see above: 2 hours of my real job a day. I saw a resume yesterday with a blue steel banner and a gray left-hand column of skills. It stood out and made me take notice.

2: 2 pages tops. I don't need to know where you went to high school or what your GPA in college was. For senior positions I'll take more pages as long as the pages are applicable to the role.

3: Multifaceted skillset. I list my current needs as job requirements in the req, e.g. the three tools I listed above. However I am also thinking about the future and what technical skills are needed next year. Remember that you are competing for my attention vs all the others. Yes, you are a perfect fit for the reqs, but someone else might be too, and bring more.

4: Homelab. I get it that we often get stuck in narrow skills and your past jobs didn't let you do anything outside a few things. I also get it that you are starting your career and don't have much job experience. Are you going to let that stop you? A homelab proves you are going to take extra steps to expand your skills. Should you have to do this in addition to college and certificates to get a job? No, but clearly there are limited quality jobs for the amount of job seekers out there. Give yourself a leg up against the other resumes I will read. A homelab also shows that you can problem solve. I'm seeing more and more a big problem with "learned helplessness" in the workplace. Show me on your resume you know how to problem solve. We managers hate problems brought to us where nothing was tried. We do appreciate a problem brought to us where you tried X, Y, Z. We don't expect you to know everything. We have more experience than you and we should have answers. But one of the biggest headaches of my career has been team members who don't contribute and take up their peers' time for unnecessary help.

A resume tells a heck of a lot more than you may think. It represents who you are in what you choose to add in or leave out, how you phrase your skills, and it represents your quality of effort.
I'm losing my mind looking at these crazy salaries!
I hear so many people say that they earn 200k-300k in cybersecurity. I just wanted to ask if this salary is real? If it is, how do you guys do it and what are your years of experience?
20 Years in IT/InfoSec, Over 1000 Applications In One Year, No Offers, What The ACTUAL Heck Is Going On?
Starting this somewhat crudely, because I want to make the point clear early on - SOMETHING feels wrong right now, specifically with the way that hiring and layoffs keep happening in our industry. I don't care to draw attention to my own personal situation but want to provide some background which will hopefully establish some bona fides.

I got started in IT services doing End-User/Small Business PC diagnosis and repair. I spent approx. 15 years doing various degrees of the IT career ladder (Service Desk, SysAdmin, Network Admin, Systems Engineer, etc.) before finding out how exhausting and soul-sucking that was. Having been so tired, I asked around to see what I might be able to take my experience and use it for besides what I was already doing. The topic of using the skills in cybersecurity was one that came up quite a bit, being recommended to roles in SecOps. This was in roughly 2020/2021. I took the advice and found a place that let me engage in ransomware remediation (more than I had been doing at my level). I was able to keep that one on my resume for a couple years as I was contracting for them on an as-needed basis. The work was AWESOME. I operated as the lead for an MSSP startup that was dealing in mostly reactive manners to ongoing ransomware cases. I got to spend 8-14 hours a day digging into how TA's TTP (Threat Tactic Procedures) changes as the event is happening. Working against some of the largest players at the time in the space (BlackBasta, Conti, Lockbit, etc.)

After doing that role for a couple of years, I eventually moved into a more consultant-based role where I got to be a bit more proactive (with a healthy bit of reactive mixed in). I got to engage in audits based off of the NIST CSF 2.0 Framework and got to remediate the action items I found during the audits. I thought that this would surely help me round out my security resume and that if I ever ended up back in the job market I would be better off for it. To be fair, I wasn't counting on not having a job at any point (then again, who is?). I was fully committed to this company; when one of their customers got hit w/ ransomware because of a decision one of the previous owners had made in creating local accounts on their exploitable firewall that were eventually found and used, I was the one that spent 80 hours over 7 days in that customer's office getting things back up (despite the ESXi host being completely encrypted along with the datastores). But alas, bad things tend to come quarterly when your industry is considered a cost center for most companies. After taking vacation in Nov '24 out of the country, I came back and was told "We don't have enough work to sustain your boss's salary AND yours, so we are laying you off effective immediately." I was as cordial as possible, returned my equipment, and asked for severance since this was a layoff and not a termination. "We have never done that in the past, so we won't be doing it now."

Obviously, as someone who likes the work I do, I immediately shifted gears, tried to find as many companies as I could to apply to with the experience I have. Trying to use the 80-90% required experience rule (if you meet 80-90% apply anyway) that I was always taught growing up and on my way into this field. But it really seems to have gone absolutely nowhere. It's been 10 months now and I am still looking, very actively at that. I spend hours a day on LinkedIn looking for companies (which is how I found the last 4 roles I had prior to this) to apply to. Even ditching the 80-90% rule in favor of a 100% one. I do OSINT on companies and try to connect and DM hiring managers/recruiters/other employees. Again, adding more time to the already miserable process. I was forced to apply for unemployment, which at this stage has come and gone - leaving me with absolutely nothing to bring in income (which I can only imagine, based on what I see on LI, several others with similar skills and experience are going through as well).

But when you look at the people that are specifically in charge of that first level of contact? The recruiters? They are too busy making posts on LI about how they "can't be humanly expected to view every candidate that submits an application." Even better is the "Just let AI handle it, it'll tell you which ones are the good ones worth reaching out to" people. Because from what I can see, the ATS doesn't like your resume formatting? Low rank. Doesn't understand the similarities between keywords in your resume/profile and the job description? Low rank. What happens when that does finally get to the recruiter's eyes? They call the first 20 in their "top ranking" list and schedule them interviews. Everyone else gets a crappily worded message (if they are lucky) about how the company loves that they put their time in but aren't going to even do them the kindness of talking to them before assuming they don't have what they are looking for. The hardest part? Now there's all these services that will submit your app for you autonomously, inputting your data/etc. and matching you to whatever keywords you tell it to apply for, and basically every AI will write you a resume if you tell it to. So what is really going on? AI is reading the resumes that AI is writing? Nobody is getting work? There's people with double my time in the field saying they are seeing the same problem. They aren't getting work either. They get completely ignored when 2-3 years ago they were called early into the process and typically saw all of the processes through to the end.

SO back to the point - what the actual heck is going on? (I'd love to be more animated here) How many times should you edit your LI profile, your resume, your email header, etc. before everyone stops for a second and recognizes something is wrong? Companies like ISC2 ignoring/not validating 5-year requirements and letting SD people that did PW resets in AD for 5 years pass the mark for their minimum requirements, yet somehow are the expected industry norm now? Honestly, as much as the work makes me feel like a used towel, I'd rather go back to systems engineering making half the money just to avoid these companies that really feel like walking on eggshells. Which makes me super sad, when I talk to others in the industry they say they love the work too. That it brings them enjoyment or at the least fulfillment. But not working for 10 months? No interviews in the last 3? I just don't know anymore if it feels like the place I can keep trying to stay in when there really doesn't feel like much of a foundation to stand on.

TL;DR Cybersecurity job market in the USA feels very shifty, on constantly unsettling sands. Doesn't matter if you have or don't have experience, people all across the sector are saying it feels impossible to get hired or to even get the time of day from recruiters. It feels like something is broken and wrong, and not sure how else to pinpoint the issue other than it feels like a market created by HR/recruiters who don't actually have any knowledge of what we do but disqualify us based on what their ATS tells them (even if frequently wrong).

EDIT: Before anyone else comments here with the same rough advice let me be clear and save you some time. I already reach out to friends/past co-workers extensively when able. No, I do not have a bad relationship with any of my recruiters or past co-workers just because I respond negatively to your cookie-cutter advice. Yes, I do cater my resume to each job I apply to and have done so for at least six out of the ten months I have been in the market. Yes, my experience goes extensively beyond what is listed in the post because I was trying not to bore everyone with my life's story. If you're that interested, look at the comments and I am sure you can put together some of my experience. No, I have not ever had an issue like this in the past 20 years' worth of networking and applying to jobs (short of a 5-month window in 2020 after my contract ended for lack of physical work) or in trying to set up business with customers/clients. Lastly, yes I REALLY have been doing this since I was 12 - it's fine if you got to live a privileged upbringing, but if I wanted to make enough to eat and have even the smallest amount of required items to go to school and live a decent childhood I had to work for it early on. I don't care if "you read that and immediately thought it was bullshit" nor do I care if you caught one slip I made while writing the original post on TTP (Tactics, techniques, procedures) in the middle of the night. The reality of the amount of ransomware I have stopped, the amount of attacks I have reversed, the amount of companies that wouldn't have been running if not for my help, the amount of courts that have paid me to be an expert witness, frankly - it's enough proof for me. If it's not enough for you, rather than berate me and tell me I am in the wrong industry or that I "need to edit my resume" for the 1000th time, why not instead question others in your own network and ask them if they are going through something similar. Because I would go beyond a shadow of a doubt to say that they'd agree. Everyone I know, 3, 5, 10, 20, 25 years of experience, is going through this. It's not a matter of us just suddenly forgetting how to make a decent resume or how to communicate with people. To even insinuate that is a fallacy built on your own misconception of the job market. Be it based on your own bias from experience or seeing others. Stop trying to give me unnecessary advice that I didn't ask for and getting upset that I am not reciprocating that. Because things like "Edit Resume, Message your network, surely you are just not doing it right" not only are completely worthless, they're already being done and have been being done for YEARS. They just are not working now, and that is my whole point in this post.
Take that help desk position. It will help you in the long run.
I've been seeing a lot of people on this subreddit who are immediately wanting to break into IT without putting in the time and effort to get to that position. Many people think that you can go into a coding or IT bootcamp for a couple weeks and fully expect to start making a 6 figure salary right out of the gate. I'm here to tell you that while it is possible, it is **extremely** unrealistic. I think a lot of this has to do with the recent cyber craze on social media where influencers are guaranteeing that you will make 6 figures if you just get into cybersecurity/IT. With how the job market is right now, it is **crucial** that you have some IT experience on your resume before you think about going into any analyst or engineering position in IT. That's why I believe that your rank in the IT market can easily be boosted by taking the shitty help desk IT positions whether it is fully remote, over the phone, or even in-person. Before getting the position that I have now, I solely worked as technical support for multiple companies and I have to say that it has helped me get to the position I have today. It helps you build those soft-skills like probing, troubleshooting, and working with people who aren't as tech-savvy to get the information you need to properly help them. While these positions absolutely **SUCK** they will help you land that IT job of your dreams. I'd like to know what you all think, I'd love to hear different perspectives from current IT professionals and people who are looking into getting into IT. Feel free to ask any questions!
There are way too many Career and AI questions in this sub.
I think moderators should stop allowing the constant deluge of career questions in this subreddit. I joined because I want to keep tabs on what is going on in the business and nothing else. If you didn't bother to check, there are specific places where you can ask your career questions, so please go there: /r/SecurityCareerAdvice/ /r/ITCareerQuestions/ And then there is the subject of AI that pops up every damn day with repetitive daily posts like "Is aI GoINg tO TaKE OuR joBS?" Seriously - enough already! This is supposed to be for cyber security related questions, as per the rules: "Must be relevant for Cyber Security PROFESSIONALS". Right now, the topics in this sub are drifting far away from that initial goal. Sorry for the editorialising, which is also against the rules, but I'm extremely tired of the loss of quality here.
I'm a CISO who started from the help desk and it taught me everything I need to know about cybersecurity and people. Ask Me Anything
Hello everyone. We're again joined by the team at [CISO Series](http://cisoseries.com/) who have assembled security leaders who worked their way up from the help desk. They are here to answer any relevant questions you may have about the value of working the help desk and career growth. This has been a long-term partnership, and the CISO Series team has consistently brought cybersecurity professionals in all stages of their careers to talk about their experiences. This week's participants are:

* Adam Glick, ([/u/CISOAdam](https://www.reddit.com/user/CISOAdam/)), CISO, PSG
* Adam Koblentz, ([/u/APT-Delenda-Est](https://www.reddit.com/user/APT-Delenda-Est/)), Field CTO, Reveal Security
* Ryan Link, ([/u/legendofnon](https://www.reddit.com/user/legendofnon/)), Principal of Threat Detection and Response, CDW
* Sounil Yu, ([/u/sounilyu](https://www.reddit.com/user/sounilyu/)), CTO, Knostic

[Proof Photos](https://imgur.com/a/ama-i-m-ciso-who-started-from-help-desk-taught-me-everything-i-need-to-know-about-cybersecurity-people-ask-me-anything-03-23-25-to-03-29-25-lvcp8qi)

This AMA will run all week from 2025-03-23 to 2025-03-29, starting at 2100 UTC. Our participants will check in over that time to answer your questions. All AMA participants are chosen by the editors at CISO Series ([/r/CISOSeries](https://www.reddit.com/r/cisoseries/)), a media network for security professionals delivering the most fun you'll have in cybersecurity. Please check out our podcasts and weekly Friday event, Super Cyber Friday, at [cisoseries.com](https://cisoseries.com/).
CompTIA sold to operate as a for-profit company
**In 2025, the CompTIA brand, along with its training and certification business, was sold to operate as a for-profit company. As a result, our existing membership-based association (formerly known as the CompTIA Community) was separated from CompTIA. It will continue its mission of service to the IT industry as the Global Technology Industry Association (GTIA).**

**source:** [**https://gtia.org/about-us**](https://gtia.org/about-us)

I was surprised to read this. CompTIA claimed to be a non-profit in the past, but its business model resembles a for-profit entity. It generates substantial revenue from certification exams, training materials, and partnerships. More like a business than a mission-driven non-profit. Even the top management and executives took millions in salaries :) So, yes, like many, it was a strategic tax advantage rather than a purely altruistic mission, which from a business point of view is a great strategy they worked out, no wonder everyone believed it too. By claiming **non-profit** status, CompTIA benefits from tax exemptions while still operating like a revenue-driven business.
How (almost) any phone number can be tracked via WhatsApp & Signal: open-source PoC
I've been playing with the "Careless Whisper" side-channel idea and hacked together a small PoC that shows how you can track a phone's **device activity state** (screen on/off, offline) via WhatsApp, without any notifications or visible messages on the victim's side.

**How it works (very roughly):**

- uses WhatsApp via an unofficial API
- sends tiny "probe" reactions to special/invalid message IDs
- WhatsApp still sends back silent delivery receipts
- I just measure the round-trip time (RTT) of those receipts

From that, you start seeing patterns like:

- low RTT → screen on / active, usually on Wi-Fi
- a bit higher RTT → screen on / active, on mobile data
- high RTT → screen off / standby on Wi-Fi
- very high RTT → screen off / standby on mobile data / bad reception
- timeouts / repeated failures → offline (airplane mode, no network, etc.)

(* depends on device)

The target **never sees any message, notification or reaction**. The same class of leak exists for Signal as well (per the original paper). In theory you'd still see this in raw network traffic (weird, regular probe pattern), and on the victim side it will slowly burn through a bit more mobile data and battery than "normal" idle usage.

Over time you can use this to infer behavior:

- when someone is probably at home (stable Wi-Fi RTT)
- when they're likely sleeping (long standby/offline stretches)
- when they're out and moving around (mobile data RTT patterns)

So in theory you can slowly build a profile of when a person is home, asleep, or out, and this kind of tracking could already be happening without people realizing it.

**Quick "hotfix" for normal users:** Go into the privacy settings of WhatsApp and Signal and turn off / restrict that unknown numbers can message you (e.g. WhatsApp: Settings → Privacy → Advanced). The attack basically requires that someone can send stuff to your number at all; limiting that already kills a big chunk of the risk.
My open-source implementation (research / educational use only): [https://github.com/gommzystudio/device-activity-tracker](https://github.com/gommzystudio/device-activity-tracker) Original Paper: [https://arxiv.org/abs/2411.11194](https://arxiv.org/abs/2411.11194)
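To make the inference step of the post above concrete, here is an added example (it is not the linked PoC and not code from the paper): it takes a constructed day of probe round-trip times, maps each sample to one of the activity states the post lists, smooths single-sample jitter, and then derives probable sleep and at-home windows from the resulting runs. The RTT bands, the 5-hour sleep threshold, the 30-minute gap tolerance and the whole sample timeline are assumptions invented for illustration; as the post says, real values depend on the device and network.

```python
from collections import Counter
from typing import List, Optional, Sequence, Tuple

# Assumed RTT bands in milliseconds, for illustration only: real bands must be
# calibrated per target device, client and network ("depends on device", as the post says).
ACTIVE_WIFI_MAX = 400
ACTIVE_MOBILE_MAX = 1200
STANDBY_WIFI_MAX = 4000
PROBE_TIMEOUT_MS = 15000  # no receipt within this window counts as offline
CATEGORY = {"active_wifi": "wifi", "standby_wifi": "wifi",
            "active_mobile": "mobile", "standby_mobile": "mobile", "offline": "offline"}
Run = Tuple[str, int, int]  # (label, start_min, end_min), end exclusive

def classify(rtt_ms: Optional[float]) -> str:
    """Map one probe result (receipt RTT in ms, None for no receipt) to a state."""
    if rtt_ms is None or rtt_ms >= PROBE_TIMEOUT_MS:
        return "offline"
    if rtt_ms < ACTIVE_WIFI_MAX:
        return "active_wifi"
    if rtt_ms < ACTIVE_MOBILE_MAX:
        return "active_mobile"
    return "standby_wifi" if rtt_ms < STANDBY_WIFI_MAX else "standby_mobile"

def smooth(labels: Sequence[str], window: int = 3) -> List[str]:
    """Sliding-window majority vote so a lone outlier takes its neighbours' label.
    Ties keep the centre sample, which makes the pass deterministic."""
    half, out = window // 2, []
    for i, centre in enumerate(labels):
        chunk = labels[max(0, i - half): i + half + 1]
        counts = Counter(chunk)
        best = max(counts.values())
        out.append(centre if counts[centre] == best
                   else next(l for l in chunk if counts[l] == best))
    return out

def runs(seq: Sequence[str], period_min: int) -> List[Run]:
    """Collapse consecutive equal labels into (label, start_min, end_min) runs."""
    out: List[Run] = []
    for i, label in enumerate(seq):
        start = i * period_min
        if out and out[-1][0] == label:
            out[-1] = (label, out[-1][1], start + period_min)
        else:
            out.append((label, start, start + period_min))
    return out

def bridge_short_gaps(cats: Sequence[str], max_gap: int) -> List[str]:
    """Relabel an offline gap of at most max_gap samples when the same category
    sits on both sides, so a brief reboot does not split a Wi-Fi window."""
    cats, i, n = list(cats), 0, len(cats)
    while i < n:
        if cats[i] != "offline":
            i += 1
            continue
        j = i
        while j < n and cats[j] == "offline":
            j += 1
        if 0 < i and j < n and cats[i - 1] == cats[j] and j - i <= max_gap:
            cats[i:j] = [cats[i - 1]] * (j - i)
        i = j
    return cats

def analyse(rtts, period_min=5, sleep_min=300, gap_tolerance_min=30) -> dict:
    """State runs, probable sleep windows (quiet stretches of at least sleep_min,
    an assumed 5 h) and probable at-home windows (Wi-Fi, bridging short offline gaps)."""
    labels = smooth([classify(r) for r in rtts])
    quiet = ["active" if l.startswith("active") else "quiet" for l in labels]
    cats = bridge_short_gaps([CATEGORY[l] for l in labels], gap_tolerance_min // period_min)
    return {
        "states": runs(labels, period_min),
        "sleep": [(s, e) for l, s, e in runs(quiet, period_min)
                  if l == "quiet" and e - s >= sleep_min],
        "home": [(s, e) for l, s, e in runs(cats, period_min) if l == "wifi"],
    }

def constructed_timeline(period_min=5) -> List[Optional[float]]:
    """One constructed day of probe results at 5-minute spacing (invented, not captured)."""
    plan = [  # (start_min, end_min, nominal RTT in ms, or None for no receipt)
        (0, 420, 3000),      # asleep at home, phone idle on Wi-Fi
        (420, 480, 200),     # morning, phone in use on Wi-Fi
        (480, 540, 700),     # commute, in use on mobile data
        (540, 720, 5000),    # at work, phone idle on mobile data
        (720, 780, 800),     # lunch, in use on mobile data
        (780, 1020, 5000),   # afternoon, idle on mobile data
        (1020, 1080, 700),   # commute home
        (1080, 1200, 200),   # evening, in use on home Wi-Fi
        (1200, 1220, None),  # 20 minutes unreachable, e.g. a reboot
        (1220, 1380, 200),   # back on home Wi-Fi
        (1380, 1440, 3000),  # idle on Wi-Fi before sleep
    ]
    outliers = {300: 6000}  # one slow receipt during sleep, to exercise smoothing
    samples: List[Optional[float]] = []
    for start, end, rtt in plan:
        for t in range(start, end, period_min):
            jitter = ((t // period_min) % 3 - 1) * 50  # deterministic +-50 ms wobble
            samples.append(outliers.get(t, None if rtt is None else rtt + jitter))
    return samples

if __name__ == "__main__":
    result = analyse(constructed_timeline())
    print(*result["states"], sep="\n")
    print("probable sleep windows (minutes):", result["sleep"])
    print("probable at-home windows (minutes):", result["home"])
```

The smoothing pass is what keeps one slow receipt at minute 300 from showing up as a separate "standby on mobile data" state, and the gap bridging is what keeps the 20-minute outage from splitting the evening Wi-Fi window in two; without both, a single noisy sample would produce a spurious "left home" event. The same structure also shows the defender's view: the profile only works if probes arrive regularly for hours, which is the pattern the post says would be visible in raw traffic.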
Microsoft Ignite 2025 - Microsoft cares a lot about cybersecurity, not so much about cyber professionals
So, I spent the week in San Francisco at Microsoft Ignite, and the disheartening message I left with was, "don't worry about skills - we'll give you agents instead." I'm sure that plenty has already been said about the organizational issues at the conference - the security checkpoints, the keynote shuttles stuck in rush-hour traffic, the box lunches - so I'll just talk about the sessions. When I went to the RSA Conference in 2016 and 2017, I sat in sessions with titles like "Effectively Measuring Cybersecurity Improvement," "The Seven Most Dangerous New Attack Techniques, and What's Coming Next," and "The Changing Face/Fate of Identity." At last week's conference, I heard announcements about Security Copilot agents, Purview/Defender integration using Copilot, and Agent 365, Microsoft's new tool for managing AI agents - and then I heard about them again. And again. And again. The security-and-compliance-focused content was repetitive and almost entirely focused on Copilot. Almost everyone on stage was a Microsoft employee. Executives from large customers would be brought on in the last five minutes to read awkwardly off teleprompters about how Copilot has improved their operations. Even the one actual panel discussion I attended was moderated by Microsoft product managers who pushed the panelists to talk more about AI. In a session about Defender for Enterprise (the only session I was in where Copilot wasn't mentioned), one of the presenters joked that she had to mention AI in the first five minutes. I assume she was later fired for insubordination. Yesterday I came across [this post](https://www.darkreading.com/cybersecurity-careers/with-ai-reshaping-entry-level-cyber-what-happens-to-the-security-talent-pipeline-) from Dark Reading titled "With AI Reshaping Entry-Level Cyber, What Happens to the Security Talent Pipeline?" It underscores and clarifies a lot of the thoughts I had leaving the conference.
One thing it doesn't address, however, is the next iteration of the digital divide. Large companies and organizations will spend, spend, spend on agentic AI and create increasingly automated cyber programs. Small companies, like the one I work for, won't be able to afford it and will do things in very different ways. (And if you think that the newly-announced free Security Copilot licenses for E5 customers are being distributed equally, know that the day after I got the email from Microsoft about this, I got another email saying that it was a mistake, that my company wasn't actually eligible, that our Security Copilot billing would immediately resume, but we'll apparently be granted licenses "in the coming months.") Suffice it to say that while I left the conference better informed about Microsoft's roadmap, I didn't leave it with any new knowledge, skills, or intelligence. There was nothing worth flying across the country and spending thousands of dollars on.
A bad workplace will destroy you, not make you stronger
The reason I'm posting this here is because a lot of people here suffer from "machismo" and seem to be okay having your life interrupted with these on-call rotations. Or worse, your sleep health. A lot of people will promote that you should choose a career that you absolutely dislike or with undesirable on-call rotations just because the earning potential is high. A lot of people here have that David Goggins-like mentality where you have to tolerate everything and stay hard no matter what comes your way. On the other hand, there's the idea that if you continue tolerating and handling unpleasant work situations and people, the mental fatigue will result in mental problems, physical problems, and unhealthy coping mechanisms such as binge shopping, drinking, or smoking because "you need to treat yourself". The idea that challenges are meant to fortify you is often misapplied. There are both healthy and unhealthy challenges. A healthy challenge would be losing weight to be healthier. An unhealthy challenge would be to stay at a job that destroys your sanity. A bad work environment is like being with an abuser in a relationship. Yes, there are specific challenges and hardships that will help you grow, but being in a constant, never-ending, exhausting situation will only wear you down. "Oh but at least I drive a Tesla" yeah, as if that's going to eliminate a bad work environment. Nothing will make a bad work environment disappear. Not a car, not a watch, not a fancy apartment, nothing. You'll feel that high for a few months and then it'll disappear. Unfortunately some of you will never learn and stay just because it pays decent. Doctors have literally stated that this is unhealthy, yet you guys remain ignorant.
I'm a Chief Information Security Officer (CISO). I also happen to be a woman. Ask me anything.
Hello, Here at /r/cybersecurity we are serious about ensuring that we have a diverse space that enables everyone who is passionate about cybersecurity and being a cybersecurity professional to join our industry. We've had a long-term partnership with CISO Series which has allowed us to bring AMAs from many different industry veterans that we hope have inspired many new people to join our industry. This week, the amazing editors at [CISO Series](http://cisoseries.com/) have assembled a panel of women who are all accomplished Chief Information Security Officers (CISOs). They are here to answer any relevant questions about leadership, representation, and career growth. This week's participants are:

* Krista Arndt, ([u/thedrivermod](https://www.reddit.com/user/TheDrivermod1/)), Associate CISO, St. Luke's University Health Network
* Renee Guttmann, ([u/Broad_Oil4879](https://www.reddit.com/user/Broad_Oil4879)), Founder & Principal, CISOHive
* Mandy Huth, ([u/cyberfortress](https://www.reddit.com/user/cyberfortress/)), SVP, CISO, Ultra Clean Technology
* Bethany De Lude, ([u/SheOwnsRoot](https://www.reddit.com/user/SheOwnsRoot/)), CISO emeritus, The Carlyle Group
* Patty Ryan, ([u/CyberMT1024](https://www.reddit.com/user/CyberMT1024/)), Sr. Director & CISO, QuidelOrtho
* Hadas Cassorla, ([u/SafetyAgreeable732](https://www.reddit.com/user/SafetyAgreeable732/)), Principal Consultant, SideChannel
* Janet Heins, ([u/JBossOnTheLake](https://www.reddit.com/user/JBossOnTheLake/)), CISO, ChenMed

[Proof Photos](https://imgur.com/a/JqZIlNt)

This AMA will run all week from 18 May 2025 to 24 May 2025. Our participants will check in over that time to answer your questions. All AMA participants were chosen by the editors at CISO Series ([/r/CISOSeries](https://www.reddit.com/r/cisoseries/)), a media network for security professionals delivering the most fun you'll have in cybersecurity.

Please check out our podcasts and their weekly Friday event, Super Cyber Friday, at [cisoseries.com](https://cisoseries.com/).
Why is technical incompetence both rampant and accepted in our career field?
I started as an exploit developer, moved into pentesting, and now as I've grown up have spent plenty of time both in the security office or on the other side interacting with it. What absolutely floors me is not the ubiquitous technical incompetence, but the acceptance of it. Incredibly short list of anecdotal experience: I work for big tech and my conversation yesterday was regarding someone blocking **our own official Github** at the proxy. This is a household name company and to my absolute shock, these guys didn't know what Github was nor did they seem to understand why blocking Github (the very same our customers go to) is problematic. I hear things like, "You don't need to be technical to set policy" and I hear it with some degree of regularity as if policy can be competently set without a baseline knowledge of the thing for which it is being set. "You don't need to be able to program to work in security." is another of my favorites when it is for an organization that does software development. You're setting policy for software development at a multi-billion dollar organization and somehow it is ok for you to set security policy... but you don't even know how to write a basic program? It is unsurprising that much of the subsequent security policy is nothing short of asinine. I'm curious, what have other people's experiences been? Why do we as an industry seem to be ok with accepting technically incompetent or entirely non-technical people into roles which set org-wide policy that clearly requires technical competence?
2024 End of Year Salary Sharing Thread
Stealing this post from r/datascience [https://www.reddit.com/r/datascience/comments/1ia175l/official_2024_end_of_year_salary_sharing_thread/](https://www.reddit.com/r/datascience/comments/1ia175l/official_2024_end_of_year_salary_sharing_thread/) Please only post salaries/offers if you're including hard numbers, but feel free to use a throwaway account if you're concerned about anonymity. You can also generalize some of your answers (e.g. "Large biotech company"), or add fields if you feel something is particularly relevant.

**Title:**

* **Tenure length:**
* **Location:**
* **Remote:**
* **Salary:**
* **Education:**
* **"Field" of Cyber:**
* **Prior Experience:**
* **$Internship**
* **$Coop**
* **Relocation/Signing Bonus:**
* **Stock and/or recurring bonuses:**
* **Total comp:**

**Optional:**

* Company
* Certification

Note that while the primary purpose of these threads is obviously to share compensation info, discussion is also encouraged.
Certifications are expensive
So almost every good cert is expensive, whether it is CompTIA or GIAC or anything for that matter. And we definitely end up doing at least a few to get somewhere in our career. So 2 questions:

1. Other than the 10% or so discount they keep offering, do they offer any significant discounts any time? I mean, is it worth waiting for something?
2. Some certs have discounted pricing for third world countries but not all (Microsoft has, for example). Is it worth asking other certs for the same?

Sorry if this is discussed already. Thank you
[Project] I built a tool that tracks AWS documentation changes and analyzes security implications
Hey r/netsec, I wanted to share a side project I've been working on that might be useful for anyone dealing with AWS security.

# Why I built this

As we all know, AWS documentation gets updated constantly, and keeping track of security-relevant changes is a major pain point:

* Changes happen silently with no notifications
* It's hard to determine the security implications of updates
* The sheer volume makes it impossible to manually monitor everything

# Introducing: AWS Security Docs Change Engine

I built a tool that automatically:

* Pulls all AWS documentation on a schedule
* Diffs it against previous versions to identify exact changes
* Uses LLM analysis to extract potential security implications
* Presents everything in a clean, searchable interface

The best part? It's completely free to use.

# How it works

The engine runs daily scans across all AWS service documentation. When changes are detected, it highlights exactly what was modified and provides a security-focused analysis explaining potential impacts on your infrastructure or compliance posture. You can filter by service, severity, or timeframe to focus on what matters to your specific environment.

# Try it out

I've made this available as a public resource for the security community. You can check it out here: [AWS Security Docs Changes](https://awssecuritychanges.com/) I'd love to get your feedback on how it could be more useful for your security workflows!
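As an added example of the diff-and-triage step described in the post above (this is not the project's own code): two constructed snapshots of a documentation page are compared line by line, removed and added lines are paired into change records, and each record gets a score from a keyword heuristic that stands in for the LLM analysis the tool performs. The snapshot text, the keyword weights and the flag threshold are all invented for illustration and quote no real AWS page.

```python
import difflib
import hashlib
import re
from typing import Dict, List, Optional

# Constructed snapshots of a fictitious storage-service page (not real AWS text).
OLD_SNAPSHOT = """\
Buckets created with the console block public access by default.
Objects are encrypted at rest with the service key by default.
Use the Condition element to restrict requests to a VPC endpoint.
Cross-account access requires an explicit Allow statement.
Lifecycle rules expire noncurrent versions after 30 days.
"""

NEW_SNAPSHOT = """\
Buckets created with the console block public access by default.
Objects are encrypted at rest only when a bucket key is configured.
Use the Condition element to restrict requests to a VPC endpoint.
Cross-account access requires an explicit Allow statement and a matching Deny is no longer added automatically.
Lifecycle rules expire noncurrent versions after 90 days.
The ListAllBuckets action is now granted by the ReadOnly managed policy.
"""

# Assumed keyword weights: a crude stand-in for the LLM triage the tool performs.
SECURITY_TERMS = {
    r"\bdeny\b": 3,
    r"\bpublic\b": 3,
    r"\bencrypt\w*": 2,
    r"\bgrant\w*": 2,
    r"\bcondition\b": 2,
    r"\bdeprecat\w*": 2,
    r"\bpolicy\b": 1,
    r"\ballow\b": 1,
    r"\bdefault\b": 1,
}


def has_changed(old: str, new: str) -> bool:
    """Cheap pre-check: compare content digests before running a full diff."""
    digest = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return digest(old) != digest(new)


def score(text: str) -> int:
    """Sum the weight of every security term present at least once in text."""
    return sum(w for pat, w in SECURITY_TERMS.items() if re.search(pat, text, re.IGNORECASE))


def triage(old: str, new: str, threshold: int = 3) -> List[Dict]:
    """Diff two snapshots line by line, pair removed and added lines into change
    records, score each record and return them sorted by relevance, highest first."""
    a, b = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    records: List[Dict] = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        removed, added = a[i1:i2], b[j1:j2]
        # Pair replaced lines positionally; leftovers are pure additions or removals.
        for k in range(max(len(removed), len(added))):
            o: Optional[str] = removed[k] if k < len(removed) else None
            n: Optional[str] = added[k] if k < len(added) else None
            kind = "modified" if o is not None and n is not None else ("added" if n is not None else "removed")
            s = score("\n".join(t for t in (o, n) if t is not None))  # each term counted once across old+new
            records.append({"kind": kind, "old": o, "new": n, "score": s, "flag": s >= threshold})
    records.sort(key=lambda r: r["score"], reverse=True)  # stable, so equal scores keep document order
    return records


if __name__ == "__main__":
    if has_changed(OLD_SNAPSHOT, NEW_SNAPSHOT):
        for rec in triage(OLD_SNAPSHOT, NEW_SNAPSHOT):
            mark = "!!" if rec["flag"] else "  "
            print(f"{mark} [{rec['score']}] {rec['kind']:8} - {rec['old'] or ''}")
            if rec["kind"] != "removed":
                print(f"{'':15}+ {rec['new']}")
```

Scoring the union of the old and new text is deliberate: a change that drops "by default" from an encryption sentence is a security change even though the new line on its own looks benign, and the reviewer wants the whole before/after pair in front of them. The digest pre-check is what makes a daily scan across thousands of pages affordable, since most pages do not change on most days.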
We built a smart, searchable infosec library indexing 20+ years of resources
Hi Netsec, Keeping up with the constant stream of cybersecurity news, writeups, and research is *hard*. So over the past couple of years, we've been building [Talkback.sh](https://talkback.sh/), a smart, searchable infosec library we originally created to support our team, but chose to share it publicly because we figured others in the community would find it useful too. We did an initial blog post about it in early 2024 that ended up here on netsec, however since then it's evolved steadily, so this post summarises at this point in time what it does and how you can use it.

**Firstly, what it does:**

Talkback automatically aggregates content from:

* 1000+ RSS feeds
* Subreddits, blogs, Twitter/X, and other social media
* Conference/infosec archives (e.g. Black Hat, USENIX, CTFtime, etc.)

Then it enriches and indexes all that data, extracting:

* Infosec categories (e.g. "Exploit Development")
* Topics (e.g. "Chrome")
* MITRE ATT&CK, CVE IDs, and more
* Short focused summaries of the content
* It also archives each resource via the Wayback Machine, takes a screenshot, calculates a rank/score, tracks hosting info via Shodan, and builds out cross-references between related items.

**And how you can use it:**

The Talkback webapp gives you a few different ways to explore the system:

* Inbox View - a personalised feed
* Library View - with powerful filtering, sorting, and full-text search
* Chronicles - explore content by Week, Month, or Year
* Bookmarks, Tags, etc.
* Custom Newsletters, RSS feeds, and a GraphQL API

We've found it incredibly valuable day-to-day, and hope you do too. Check it out here: [https://talkback.sh](https://talkback.sh/) - happy to hear thoughts, feedback, or feature ideas!
A bored CISO who wants to do more hands-on work
Over 20 years of experience in Cybersecurity, backed up by several certifications (CISSP, CISM, CISA, CEH, OSCP, GCIH, GPEN, GCFA). I have been working as a SOC Analyst, SOC Lead, Penetration Tester and Red Teamer, Security Architect and GRC Lead in the past, and for the last 6 years as a CISO for two mid-size organizations. I am officially bored. I have come to the conclusion that I don't like the CISO role as much as I thought. I am looking back at my career and although I have been very successful so far in this field, I am not sure there is a role out of those mentioned above that would spark my interest again. I just know that I don't want to deal with organization bs anymore at the CISO/Director level. I got tired of convincing people of the importance of security. But I have bills to pay. A lot of them. So I need to keep going. I have thought of working for myself, maybe as a freelance practitioner. SOC Analyst and Pentesting/Red Teaming is not what I would like to do. Besides, freelance salaries for those roles are not that great here in Europe where I am located, and it is hard to find projects as a freelancer in those domains. What would be your suggestion considering my experience and qualifications?

Update 1: I am doing a couple of side gigs - Red Teaming is one of those.

Update 2: I understand some of you would dream to become a CISO. I was one of you. The salary, the reputation, the this and that. So you might see this as a first-world problem. I understand you. And you will understand me once you reach this level. The mix of burnout and boreout, oftentimes overlapping.

Update 3: Do people realize that CISOs in Europe get significantly less compared to CISOs in the US? Do you realize that I have three people under me who receive much more than I do because they are in the US and I am in the EU? And they deserve it, because they are awesome, smart and they have worked hard.

So to the people who comment that I should retire, that I have made a lot of money, that I am arrogant and showing off: they have no idea what a CISO of an average company makes in Europe. Unless you work for one of the big names, like Nike, SAP, ASML, Novo Nordisk, Siemens etc., your salary will be very good, but nowhere near the 6-7 US figures to retire in your 50s. Full disclosure - I work as a CISO for a Belgian company and my annual salary is 120K. I go a bit above this by doing some freelancing side projects like Red Teaming, Executive advisory and teaching at a local university.
Cybersecurity was my dream... now I'm lost...
**Just want to get this off my chest and maybe ask for some advice...** My first job was in Technical Support for a security company. But to be honest, it felt more like a helpdesk role since most of the cases weren't really technical. The few that were technical were challenging and interesting, but they didn't come around often. After exactly two years, I decided to apply elsewhere because I felt like I wasn't growing anymore in that role. Thankfully, I landed a new job as a SOC Analyst. I spent another two years in that role, and I did learn a lot. But if I were to rate myself from 1 to 10, I'd say I'm around a 6.5, just okay. I wouldn't call myself great, but I know I work hard and I work smart. Most of my tasks leaned more toward handling false positives than actual threat processing (a lot of whitelisting issues, if you know what I mean). Around 2023, I started job hunting again. I was searching for more growth and, to be honest, better pay. On top of that, I was also experiencing burnout, which made me decide to finally resign. After about two months of non-stop interviews, literally every single day, I finally got an offer. It genuinely felt like an answered prayer. I was hired as a Technical Examiner in DFIR at a well-known company in the IR space. This role really expanded my knowledge and made me realize just how vast the field of cybersecurity really is. I got to work with some of the best people in the industry and was exposed to different teams and service lines. I had no plans of leaving anytime soon. Unfortunately, due to internal company struggles, I was included in a sudden round of layoffs. Now here's where I'm struggling: I've been finding it really hard to land a new job. My last salary had already reached six figures (PH based), and I'm honestly hesitant to settle for something significantly lower. But at the same time, I'm starting to doubt myself.

My resume doesn't seem to be getting the same traction it used to, and it's making me question whether this path is still meant for me. Has anyone here gone through something similar? How did you deal with it? Is it worth holding out for a role that matches your previous level, or should I consider pivoting, even if it means starting a bit lower again? Also, do you have any recommendations for free reputable certifications or training resources that I could take? Any advice or insights would really mean a lot.
CISSP Holders: Did this cert change your career trajectory?
Hello All, I wanted to get confirmation on people's experiences with obtaining the CISSP and your personal career trajectory post passing the exam. Did you stay where you're at in the position you held before, or did you get promoted or leave your organization for a better opportunity and higher salary? I keep seeing some people say that the CISSP isn't necessary, but in this tight job market and lack of IT jobs, I would say that the CISSP for security professionals to advance is needed going forward. Especially with the influx of H1B visa holders replacing US citizen jobs. This is one area where I would see having the CISSP wouldn't be impacted by foreign visa holders bypassing a US worker for employment, especially in the security and defense fields where they need US citizens for classified work.
We managed to retrieve thousands of sensitive PII documents from Scribd!
Yes, you heard it right!! Scribd, the digital document library, is being used by people to store sensitive documents without them realising that all of their documents are publicly accessible. Throughout this research we retrieved a whopping 13000+ PII docs just from the last one year targeting specific categories, which also means that this is just the tip of the iceberg! The data consists of bank statements, offer letters/salary slips, driving licenses, vaccine certificates, Aadhaar/PAN cards, WhatsApp chat exports and so much more!! It's quite concerning to see the amount of PII voluntarily exposed by people over such platforms, but at the same time we believe Scribd and other document hosting platforms need to pay special attention to avoid PII from being publicly accessible. To read more about this research, check out our Medium post: https://medium.com/@umairnehri9747/scribd-a-goldmine-of-sensitive-data-uncovering-thousands-of-pii-records-hiding-in-plain-sight-bad0fac4bf14?source=friends_link&sk=bae06428fd9e13f191c69ac2c34113dc As always, stay tuned for more research works and tools, until then, Happy Hacking
I thought this was satire at first. I don't think it is? Maybe phishing? join DOGE?
Camilo Sandoval, White House CISO (https://www.linkedin.com/in/camintel), posted what appears to be a job ad for the Department of Government Efficiency (DOGE) recruiting cyber and software tech talent. The website domain is .gov and goes to what appears to be an application page, not usajobs.gov. I opened it in a sandbox. This is strange. Thoughts? Why recruit tech when DOGE sounds more like an audit/investigative type thing? Image below, but you can also look at the posts on his LinkedIn (never used bashify, just found it). Text below and link in the post/image:

`Interested in joining DOGE?`

`The DOGE Team is looking for world-class talent to work long hours identifying/eliminating waste, fraud, and abuse. These are full-time, salaried positions for software engineers, InfoSec engineers, financial analysts, HR professionals, and, in general, all competent/caring people. Apply here!`

[https://bashify.io/i/EyXfYZ](https://bashify.io/i/EyXfYZ)
Salary advice please: SOC Analyst
I am a SOC analyst with almost 6 years. I have my Security+ and will be getting my CISSP in July. I'm remote. On top of my SOC duties I am the prime communicator with all of our SOC clients, which includes monthly, biweekly, or weekly calls with our SOC clients to share metrics and ensure any requests are being worked on. I am also the SME for a couple of tools like KB4 and the SEG SME for tools such as Trellix ETP, Proofpoint, Area1, etc. and the back SME for our endpoint tools like Cylance, Falcon, Trellix HX, etc. I currently make about 66k annually in Tampa, Florida. Is this a fair salary or should I be looking for another job?
Recommendations to transition out of Cybersecurity
Any CyberSec senior engineers that have transitioned out of Cybersecurity? What did you transition into, or any recommendations on what to even try or how to start?

About me:

- 20+ years of cyber experience, mostly on the protective/defensive side
- BS in Computer Science and Masters in Cybersecurity
- Industry certifications (CISSP, CEH) and have held others in the past
- well rounded experience, passion for Cyber, stay updated with latest security
- network infrastructure background
- remote worker for quite some time
- about 6 months searching for remote senior cyber jobs without success, 1K+ applications, handful of interviews, but no offer
- lacking on Cloud and AI experience, but can't seem to get a chance to work on the technology, individually working on training for those

TLDR - I think my time in Cyber is done and I need to move on to something else. It's frustrating and disheartening after putting so much time and effort into a career in Cybersecurity that I actually enjoy. I'm not burned out in Cyber, but since I have to make a living, I'm looking for recommendations on something else to go into. Note: My resume has been checked by multiple people, I do get referred to hiring managers, and I don't think I'm asking for too much salary based on my experience and skills.
What to ask for as salary for Security analyst position?
Hi, I see a posting for a security analyst position but I'm unsure how much to ask for an entry position in metro NYC. I have the CompTIA A+, Network+, Security+, and CySA+ security analyst certs I accumulated. I'm entry level with no experience and a web search pops up an average of 65k nationwide. What would you guys consider a reasonable offer for metro NYC starting out?
If you had to start again (red team)
A question from a person who wants to streamline (but not shortcut) his path to red-team cybersecurity. For those with experience, what did your path look like? If you had to start again, what would you do differently? On a side note, what were some of your most exciting moments in your career? How many of you make a $100k+ salary?
Should I leave my job?
Hi everyone. I want to look for a new job in cyber security but I'm scared of the current market and not finding something stable. First, here is a bit about me: I work at a 4-year college in vulnerability management, for about 3 years now. My salary is 73k. I have a master's degree in cyber security from WGU and have the sec+, net+, cysa+, secx, SAL1, and az-900 certifications. My job is VERY comfy. I work for about 2 hours and the rest of the day I study for new certifications or watch YouTube videos. I have zero stress at my job which allows me to focus on my health and wellness. It's a very stable job and I have great benefits as part of a union. Unfortunately, the job doesn't pay enough. I just got married and we are planning to buy a house and have a kid. I'm looking at other opportunities but all I see are contract jobs for 3-6 months. Even though they pay more, they are not stable. I could just stick it out at my current easy job and wait for pay raises, which will happen. Eventually the 3% raise every year will become a six figure salary even if it takes a while. Or I could get a new job that pays well but might not be as stable, with a lot more stress. What do you guys think and what would you do in my shoes?
Big 4 Cyber Consultant Pros/Cons/Advice
Hi all, Seeking advice because I have just received an offer from EY as a fully remote senior cyber consultant in their SIEM/SOAR space. Current job is very chill as an Engineer, <40 hour work weeks, 4-5 weeks ("unlimited") PTO a year, and I can pretty much work on whatever I want within reason. I've gotten to a point where I've been pretty bored after automating everything I can. The only issue is that there is no room for promotion internally, and that is why people on the team have left in the past. Manager and team are awesome though. Salary is $115k and I have a total of 5 YOE (3 as security analyst, 2 as engineer). MCOL city. My recent offer is for $170k base with $10k sign on. I'm single, 27, no girlfriend/kids so I would love to travel if it happens. I'm looking for advice based off my current variables because I hear consulting is a lot of work. Would this open up doors for me in the future? Is it worth it to get the senior title and compensation increase? Anything I should know about what I would be getting myself into? I know money isn't everything, so I'm having a hard time making this decision. I would hate to give up something great, but even if 1-2 years could set me up better for the future then I think it could be worthwhile. Am I crazy for being reluctant about this?
Am I dumb for leaving while barely starting?
I'm finishing up my undergrad in cybersecurity this year and have been working at an MSP as an analyst for 2 months. Now that I've touched some real work experience and am finishing up my degree I don't know if I can see myself sitting in meetings and frying my brain all day doing this until I'm 65 working 9-5 monday to friday. I've been thinking about making the jump to the reserves in the military as an officer with a cyber focus but getting into law enforcement as a full time career. I know the long term salary potential is lower than in cyber but the benefits are good and I wouldn't be sitting around all day. Granted this first job is pretty rough on hours and workload, so maybe I'm just not thinking straight and am wasting my degree. Any insight is appreciated.
What was your starting salary for your first cyber job out of college / after training?
I'm going to be going into a cybersecurity program soon, and from what I've seen numbers can vary, and I also didn't see what degree people earned and how that connected to their salary. I'm going for my bachelor's degree, so I'm curious about some personal experiences!
State of the Job Market (Senior Level)
I'm trying to get a realistic pulse on the senior and managerial job market in cybersecurity as we close out 2025 and head into 2026. Specifically looking for input from people who meet roughly these criteria:

* 5+ years of hands-on cybersecurity experience (not counting general IT/helpdesk time).
* Relevant degree (CS, InfoSec, etc.) or equivalent experience.
* At least one higher-level certification (CISSP, CISM, CCSP, CISA, OSCP, etc.); bonus if you hold multiple or a management-focused one.
* Currently a senior individual contributor, or, if all the previous qualifications are met, a junior transitioning into senior roles.

How is the market treating you right now if you're looking (or have looked in the last 6-12 months) for a new role? A few specific questions to kick off the discussion:

1. How long is it taking you to land interviews once you apply? (Are you seeing 1-2% callback rates like juniors, or significantly better?)
2. Once you get to the interview stage, are companies moving fast or dragging their feet with 6-8 rounds, homework, presentations, etc.?
3. Salary trends: are you seeing compression at the senior level, or are good roles still paying 2021-2022 money (or even higher)?
4. Fully remote senior/manager roles: dead, dying, or still out there in decent numbers?
5. Are layoffs still rippling at the senior level, or is it mostly back to "normal" attrition?
6. Any noticeable difference between industries (finance/healthcare/gov vs. tech startups vs. MSSPs/consulting)?
7. Geography: if you're in the US, are certain regions (TX, FL, NC, CO, etc.) clearly hotter than others right now?
8. For those who recently switched: what was the deciding factor (money, WLB, remote, title, etc.)?

Please mention (roughly):

* Your total YOE and current/previous title
* Main certifications
* Rough location or "US, fully remote"
* Whether you're actively looking or just watching the market

Trying to separate anecdote from trend here; the more experienced voices, the better. No junior/early-career posts please (different market entirely). Thanks in advance. Really curious if the "senior talent is still in demand" narrative matches reality on the ground right now.
Why do cybersecurity experts become content creators if the field pays well?
As the title suggests, I'm curious, does CyberSec really pay as well as people claim? I've heard from many that while not everyone, a good number of professionals in the field earn six-figure salaries. But then, others say that people in data science tend to earn even more than cybersecurity engineers. So, which one is actually true? A few months ago, I started considering a career switch. As an artist, I've had very few opportunities and low pay compared to the amount of work I put in. I have no IT background, but I've seen people break into the field without even having a degree. So, I decided to start studying part-time. Even if I don't land a job soon, at the very least, I'll be equipped with a valuable skill in today's world. Now, coming back to my question, while looking for learning resources, I noticed that so many people in CyberSec are also creating content: making courses, running career guidance websites, teaching online, and producing videos. It made me wonder, if there's really good money in this field, why are so many professionals investing their time in content creation? I've seen the same thing happen in the art industry, but I understand why artists do it. Our jobs don't pay well, and there's zero job security, especially with big studios shutting down left and right. So, content creation became a solid backup for many. But why do CyberSec professionals do it? Is it because they want to escape hectic job schedules? Or is the field not as financially stable as people say? Also, I want to ask about the skill gap or lack of skilled talent that everyone talks about, does it still exist?
EDIT: Thanks a lot everyone for responding to this post, I am really overwhelmed by the response, these comments really helped me understand this field more now and have cleared many of my misconceptions (although still confused about a few) but anyway thanks for this and apologies for my ignorance, I have little to no knowledge about this field so all these questions are purely out of curiosity, I don't mean any disrespect towards anyone.
Cyber security job as felon in AR
Hi there everyone, so I am wanting to go back to college and get a degree in computer science. I am a felon in the state of Arkansas and was wondering if anyone knows if this would be a good career choice for me? I have drug charges, some are class A. Would this prevent me from getting jobs in this field? Would this degree be worth pursuing? I am feeling very discouraged lately and like a failure because I feel like I am so so smart and I wasted my potential because I went to prison. Getting a job anywhere has been hard for me due to my record and I heard that computer tech jobs are felon friendly and avg salary in my state is around 60k. Also is getting my degree in computer science better than maybe going to a computer tech bootcamp type of thing? Any recommendations on some tech boot camps if anyone has taken any? Thank you
haveibeenpwned.watch - Open-source, no-fluff charts showcasing haveibeenpwned.com's pwned account data
After discovering that the haveibeenpwned.com data is accessible via the API and noticing the lack of a visualization tool, I dedicated a few evenings to building haveibeenpwned.watch. This single-page website processes and presents data on leaks from Have I Been Pwned, with daily updates. The site provides details on the total number of recorded breaches, the number of unique services affected, and the total accounts compromised. Charts break down the data by year, showing the number of breaches, affected accounts, average accounts breached per year, accounts by data type, and accounts by industry. Additionally, tables highlight the most recent breaches, the most significant ones, and the services with the highest number of compromised accounts. Though simple, the website can be a useful resource for use cases like strategic security planning, cybersecurity sales, risk assessment, or simply tracking trends in the security landscape. The website is open source, with its repository hosted on GitHub.
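The post describes the summaries the site computes (totals, per-year breakdowns, accounts by data type, largest breaches) without showing how they are derived from the API's records. The following is an added example, not haveibeenpwned.watch's own code: it aggregates records in the field layout of the public `/api/v3/breaches` JSON (`Name`, `Domain`, `BreachDate`, `PwnCount`, `DataClasses`). The embedded records are constructed, fictional breaches; in practice you would fetch the real list from `https://haveibeenpwned.com/api/v3/breaches` and pass the parsed JSON to the same functions.

```python
"""Aggregate Have I Been Pwned breach records into the summaries the site charts.

Added example, not haveibeenpwned.watch's own code. Input mirrors the shape of
the public /api/v3/breaches JSON; the records below are constructed, not real.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample in the API's field layout (fictional services and counts).
SAMPLE_BREACHES_JSON = """[
 {"Name": "ExampleForum", "Domain": "example-forum.test", "BreachDate": "2019-03-02",
  "PwnCount": 1200000, "DataClasses": ["Email addresses", "Passwords"]},
 {"Name": "ExampleShop", "Domain": "example-shop.test", "BreachDate": "2019-11-20",
  "PwnCount": 300000, "DataClasses": ["Email addresses", "Names", "Phone numbers"]},
 {"Name": "ExampleShop2021", "Domain": "example-shop.test", "BreachDate": "2021-06-01",
  "PwnCount": 500000, "DataClasses": ["Email addresses", "Passwords"]},
 {"Name": "ExampleHealth", "Domain": "example-health.test", "BreachDate": "2021-08-15",
  "PwnCount": 50000, "DataClasses": ["Email addresses", "Names", "Health records"]}
]"""


def load_breaches(raw: str) -> List[dict]:
    """Parse the API response; a breach needs a date and a count to be charted."""
    return [b for b in json.loads(raw) if b.get("BreachDate") and "PwnCount" in b]


def totals(breaches: List[dict]) -> Dict[str, int]:
    """Headline numbers: breaches, distinct services (by domain), accounts."""
    return {
        "breaches": len(breaches),
        "services": len({b["Domain"] for b in breaches if b.get("Domain")}),
        "accounts": sum(b["PwnCount"] for b in breaches),
    }


def by_year(breaches: List[dict]) -> Dict[int, Dict[str, int]]:
    """Per-year breach count, account total and mean accounts per breach."""
    years: Dict[int, Dict[str, int]] = defaultdict(lambda: {"breaches": 0, "accounts": 0})
    for b in breaches:
        year = int(b["BreachDate"][:4])
        years[year]["breaches"] += 1
        years[year]["accounts"] += b["PwnCount"]
    for stats in years.values():
        stats["avg_per_breach"] = stats["accounts"] // stats["breaches"]
    return dict(sorted(years.items()))


def accounts_by_data_class(breaches: List[dict]) -> Counter:
    """Accounts exposed per data class.

    Each breach's PwnCount is attributed to every class it leaked, so these
    columns overlap and their sum exceeds totals()['accounts']. Present them
    as separate bars, never as slices of one pie.
    """
    counts: Counter = Counter()
    for b in breaches:
        for cls in b.get("DataClasses", []):
            counts[cls] += b["PwnCount"]
    return counts


def largest(breaches: List[dict], n: int = 3) -> List[str]:
    """Names of the n breaches with the most compromised accounts."""
    ranked = sorted(breaches, key=lambda b: b["PwnCount"], reverse=True)
    return [b["Name"] for b in ranked[:n]]


if __name__ == "__main__":
    data = load_breaches(SAMPLE_BREACHES_JSON)
    print(totals(data))
    print(by_year(data))
    print(accounts_by_data_class(data).most_common())
    print(largest(data))
```

Two details matter when reproducing the site's charts from the real feed: "services" should be counted by domain rather than by breach name, since the same service can appear more than once, and the data-class figures double-count accounts by design, so they only make sense as independent bars.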
How's your salary and work life balance as a cybersecurity engineer?
Curious to hear:

1. What's your role?
2. What's your base salary and total comp (if you're comfortable sharing)?
3. Do you find your role stressful, and how's your work life balance?
Blind Enumeration of gRPC Services
We were testing a black-box service for a client with an interesting software platform. They'd provided an SDK with minimal documentation: just enough to show basic usage, but none of the underlying service definitions. The SDK binary was obfuscated, and the gRPC endpoints it connected to had reflection disabled. After spending too much time piecing together service names from SDK string dumps and network traces, we built [grpc-scan](https://github.com/Adversis/grpc-scan) to automate what we were doing manually: exploiting how gRPC implementations handle invalid requests to enumerate services without any prior knowledge.

Unlike REST APIs where you can throw curl at an endpoint and see what sticks, gRPC operates over HTTP/2 using binary Protocol Buffers. Every request needs:

* The exact service name (case-sensitive)
* The exact method name (also case-sensitive)
* Properly serialized protobuf messages

Miss any of these and you get nothing useful. There's no OPTIONS request, typically limited documentation, no guessing `/api/v1/users` might exist. You either have the proto files or you're blind.

Most teams rely on server reflection, a gRPC feature that lets clients query available services. But reflection is usually disabled in production. It's an information disclosure risk, yet developers rarely provide alternative documentation. But gRPC implementations have varying error messages which inadvertently leak service existence through different error codes:

```
# Calling non-existent service
unknown service FakeService
# real service, wrong method
unknown method FakeMethod for service UserService
# real service and method
missing authentication token
```

These distinct responses let us map the attack surface. The tool automates this process, testing thousands of potential service/method combinations based on various naming patterns we've observed.
The enumeration engine does a few things:

**1.** Even when reflection is "disabled," servers often still respond to reflection requests with errors that confirm the protocol exists. We use this for fingerprinting.

**2.** For a base word like "User", we generate likely services:

* `User`
* `UserService`
* `Users`
* `UserAPI`
* `user.User`
* `api.v1.User`
* `com.company.User`

Each pattern is tested with common method names: Get, List, Create, Update, Delete, Search, Find, etc.

**3.** Different gRPC implementations return subtly different error codes:

* `UNIMPLEMENTED` vs `NOT_FOUND` for missing services
* `INVALID_ARGUMENT` vs `INTERNAL` for malformed requests
* Timing differences between auth checks and method validation

**4.** gRPC's HTTP/2 foundation means we can multiplex hundreds of requests over a single TCP connection. The tool maintains a pool of persistent connections, improving scan speed.

What do we commonly see in pentests using RPC?

**Service Sprawl from Migrations**

SDK analysis often reveals parallel service implementations, for example:

* `UserService` - The original monolith endpoint
* `AccountManagementService` - New microservice, full auth
* `UserDataService` - Read-only split-off, inconsistent auth
* `UserProfileService` - Another team's implementation

These typically emerge from partial migrations where different teams own different pieces. The older services often bypass newer security controls.

**Method Proliferation and Auth Drift**

Real services accumulate method variants over time, for example:

* `GetUser` - Original, added auth in v2
* `GetUserDetails` - Different team, no auth check
* `FetchUserByID` - Deprecated but still active
* `GetUserWithPreferences` - Calls GetUser internally, skips auth

So newer methods that compose older ones sometimes bypass security checks the original methods later acquired.
**Package Namespace Archaeology**

Service discovery reveals organizational history:

* `com.startup.api.Users` - Original service
* `platform.users.v1.UserAPI` - Post-merge standardization attempt
* `internal.batch.UserBulkService` - "Internal only" but on same endpoint

Each namespace generation typically has different security assumptions. Internal services exposed on the same port as public APIs are surprisingly common: developers assume network isolation that doesn't exist.

# Limitations

* Services expecting specific protobuf structures still require manual work. We can detect `UserService/CreateUser` exists, but crafting a valid User message requires either the proto definition, guessing, or reverse engineering the SDK's serialization.
* The current version focuses on unary calls. Bidirectional streaming (common in real-time features) needs different handling.

Available at [https://github.com/Adversis/grpc-scan](https://github.com/Adversis/grpc-scan). Pull requests welcome.
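The post explains the oracle (routing errors that distinguish "unknown service" from "unknown method" from an auth failure) and the candidate-generation scheme, but not how the two combine into a scanner. The block below is an added example, not grpc-scan's own code. It implements the differential classification, candidate expansion with per-service pruning, and an auth-drift report of the kind the "Method Proliferation" section describes. Everything network-related is abstracted behind a hypothetical `probe(service, method)` callable returning a `(grpc-status, grpc-message)` pair; a real probe would issue one unary call with an empty body over HTTP/2 and read the trailers. The package/suffix pattern lists are assumptions extended from the post's list, and `fake_grpc_go_server` is a constructed stand-in whose messages copy the grpc-go wording quoted in the post.

```python
"""Differential gRPC service/method enumeration driven by a status-code oracle.

Added example, not grpc-scan's own code. `probe(service, method)` is a
hypothetical callable standing in for one unary call with an empty request
body; a real probe returns the grpc-status and grpc-message trailers.
"""
import re
from typing import Callable, Dict, List, Tuple

# gRPC status codes used by the oracle (numeric values from the gRPC spec).
OK, INVALID_ARGUMENT, NOT_FOUND, PERMISSION_DENIED = 0, 3, 5, 7
UNIMPLEMENTED, INTERNAL, UNAUTHENTICATED = 12, 13, 16

# Routing-layer messages as emitted by grpc-go (quoted in the post).
UNKNOWN_SERVICE = re.compile(r"^unknown service ")
UNKNOWN_METHOD = re.compile(r"^unknown method ")

# Assumed naming patterns: package prefixes x service suffixes x method verbs.
PACKAGES = ["", "user", "api.v1", "com.company"]
SUFFIXES = ["", "Service", "s", "API"]
VERBS = ["Get", "List", "Create", "Update", "Delete", "Search", "Find"]

Probe = Callable[[str, str], Tuple[int, str]]


def candidate_services(base: str) -> List[str]:
    """Expand one base word into fully qualified service-name guesses."""
    names = []
    for pkg in PACKAGES:
        for suffix in SUFFIXES:
            name = f"{base}{suffix}"
            names.append(f"{pkg}.{name}" if pkg else name)
    return names


def candidate_methods(base: str) -> List[str]:
    """Method-name guesses: bare verb, verb+noun and verb+plural noun."""
    return [m for v in VERBS for m in (v, f"{v}{base}", f"{v}{base}s")]


def classify(code: int, message: str) -> str:
    """Map one (grpc-status, grpc-message) pair to an enumeration verdict.

    The router answers before any handler or interceptor runs, so its messages
    separate 'no such service' from 'service exists, no such method'. A status
    produced by auth or by body parsing means both service and method exist.
    """
    if code == UNIMPLEMENTED and UNKNOWN_SERVICE.search(message):
        return "no_service"
    if code == UNIMPLEMENTED and UNKNOWN_METHOD.search(message):
        return "no_method"
    if code in (UNAUTHENTICATED, PERMISSION_DENIED):
        return "exists_auth_required"
    if code in (OK, INVALID_ARGUMENT, INTERNAL):
        return "exists_no_auth"  # the empty body reached the handler unauthenticated
    if code in (UNIMPLEMENTED, NOT_FOUND):
        return "ambiguous"  # terse implementations: cannot tell service from method
    return "unknown"


def enumerate_services(probe: Probe, bases: List[str]) -> Dict[str, Dict[str, str]]:
    """Walk the candidate space; prune a service on its first 'unknown service'.

    Returns {service: {method: verdict}} for every service confirmed to exist.
    """
    found: Dict[str, Dict[str, str]] = {}
    for base in bases:
        for service in candidate_services(base):
            for method in candidate_methods(base):
                verdict = classify(*probe(service, method))
                if verdict == "no_service":
                    break  # whole service absent, skip its remaining methods
                if verdict in ("ambiguous", "unknown"):
                    continue
                found.setdefault(service, {})
                if verdict != "no_method":
                    found[service][method] = verdict
    return found


def auth_drift(found: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Report (method, open service, gated service) triples.

    Flags the migration pattern from the post: the same method name reachable
    without auth on one service while another service gates it.
    """
    drift = []
    for svc_a, methods_a in found.items():
        for method, verdict in methods_a.items():
            if verdict != "exists_no_auth":
                continue
            for svc_b, methods_b in found.items():
                if svc_b != svc_a and methods_b.get(method) == "exists_auth_required":
                    drift.append((method, svc_a, svc_b))
    return sorted(drift)


def fake_grpc_go_server(service: str, method: str) -> Tuple[int, str]:
    """Constructed stand-in for a grpc-go server, used as the probe target.

    api.v1.UserService gates GetUser behind an auth interceptor; the legacy
    UserService exposes GetUser straight to its handler. Nothing else exists.
    """
    services = {
        "api.v1.UserService": {
            "GetUser": (UNAUTHENTICATED, "missing authentication token"),
            "ListUsers": (INVALID_ARGUMENT, "page_size must be > 0"),
        },
        "UserService": {"GetUser": (INVALID_ARGUMENT, "id is required")},
    }
    if service not in services:
        return UNIMPLEMENTED, f"unknown service {service}"
    if method not in services[service]:
        return UNIMPLEMENTED, f"unknown method {method} for service {service}"
    return services[service][method]


if __name__ == "__main__":
    result = enumerate_services(fake_grpc_go_server, ["User"])
    for svc, methods in result.items():
        print(svc, methods)
    for method, open_svc, gated_svc in auth_drift(result):
        print(f"auth drift: {open_svc}/{method} open, {gated_svc}/{method} gated")
```

Against the constructed server the scan confirms both `UserService` and `api.v1.UserService`, records `GetUser` as auth-gated on the new service and as reaching the handler unauthenticated on the legacy one, and `auth_drift` reports exactly that pair. Two caveats carry over to a real target: implementations that return a bare `UNIMPLEMENTED` with no message give only the "ambiguous" verdict, so pruning must not be applied to them, and an `INVALID_ARGUMENT` from an empty body proves the method is reachable without credentials but says nothing about what it will do with a well-formed request.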
Which career progression is better: GRC or Incident Response?
Hello all, I am wondering what you guys think is better long term, GRC or incident response? I am new to the field (<6 months, recent graduate), and am currently in a GRC role (ISSO/ISSM tasks). I am not a huge fan of GRC, as I loved being technical throughout my internships and university, but I guess it's not the end of the world for me. At my current org, I am able to do a 3 month rotation, and will probably go to our Incident Response team. I am confident I would enjoy IR more, but how is the career progression? Curious about how in demand and also how one usually progresses. I know that GRC can usually go ISSO -> ISSM -> Director -> VP/CISO (or something along those lines). But how is it for IR? Salary expectations? I would really appreciate any advice to a newbie in the field! Thanks!
/r/netsec's Q1 2025 Information Security Hiring Thread
**Overview**

If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company. We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education. Please reserve top level comments for those posting open positions.

**Rules & Guidelines**

* Include the company name in the post. If you want to be topsykret, go recruit elsewhere.
* Include the geographic location of the position along with the availability of relocation assistance or remote work.
* If you are a third party recruiter, you must disclose this in your posting.
* Please be thorough and upfront with the position details.
* Use of non-hr'd (realistic) requirements is encouraged.
* While it's fine to link to the position on your company's website, provide the important details in the comment.
* Mention if applicants should apply officially through HR, or directly through you.
* Please clearly list citizenship, visa, and security clearance requirements.

You can see an example of acceptable posts by [perusing past hiring threads](https://www.reddit.com/r/netsec/search?q=Information+Security+Hiring+Thread&sort=new&restrict_sr=on).

**Feedback**

Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
How common is 1 round of interview in cybersecurity?
I'm not sure if this is an anomaly. So I applied for a 6 figure cybersecurity job in a large well known org in the US, and after only 1 round of interview, in-person, I got a call from the HR Talent Acquisition rep about two hours later that I got the job on the same day. There were about 10 employees in the interview room, including the HR rep. There were a few candidates interviewing that day, and the session was about 1 hour. Here are my questions: 1) How common is it that there's only 1 round of interview in the cybersecurity world? There was also the initial HR phone screening, but I don't count that as a "round of interview" since they were just discussing the position and to see if the salary and everything met my expectation before scheduling it. 2) Is it common for an HR rep to be in the interview room the entire time for in-person interviews? 3) How many rounds was your interview, or how many rounds is it typical for your company if you participate in the hiring process? EDIT1: Obviously, I am not complaining at all. It saves a lot of time. But in about 20 interviews in my entire life for professional roles, I've never had just one round of interview, and never had HR sit in on the entire interview.
When should you look at switching companies?
I currently work at a fortune 300 defense contractor in cybersecurity as a cyber solutions architect and make 85k. I have 2.5 years of experience, a bachelors degree, 10 certs, volunteer at open source non profit cybersecurity organizations, do ctfs, and frequently speak at conferences. I've been at my current company for 2 years now (in November) and my responsibilities have quickly expanded. I'm working proposals valued at over $800m as a solutions architect, have developed a cyber training program selling to customers that has rapidly grown, I pentest for government agencies and will be threat hunting shortly. Everyone I work with makes double what I make and the person that I'm managing (not directly) makes 50k more than I do. I'd like to get a promotion and my boss is supportive of this however HR and finance are incredibly strict on giving out promotions without changing to another sector. For example I'd have to go onto program which has poor job security compared to corporate/internal (where I am right now). DOGE has also not helped this matter. I love the people I work with and love my job, I'd prefer not to leave. However I'd like to make more. Would interviewing at another company in hopes to get an offer I can leverage be a bad idea? Should I just leave the company altogether? Am I wrong for wanting a higher salary?