> For the complete documentation index, see [llms.txt](https://book.ahmad.science/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.ahmad.science/chapter-1-breaking-in/choosing-an-advanced-career/career-in-cyber-security.md).

# The Career Landscape

Cybersecurity isn't one job. It's a collection of disciplines that share a common mission but look completely different in practice. A penetration tester and a compliance analyst both work in "cybersecurity" but require entirely different skills, mindsets, and daily routines.

Most careers in the field fall under one of four pillars. Understanding them is how you stop feeling overwhelmed by the breadth of the field and start making targeted decisions about where to invest your time.

***

## The Four Pillars at a Glance

| Pillar                   | What You Do                                          | US Salary Range | Best Entry Point      |
| ------------------------ | ---------------------------------------------------- | --------------- | --------------------- |
| **Offensive Security**   | Attack systems (with permission) to find weaknesses  | $80k-$180k      | eJPT, then OSCP       |
| **Defensive Security**   | Detect, contain, and respond to attacks              | $60k-$160k      | Security+, BTL1       |
| **Security Engineering** | Design and build the systems everyone else relies on | $100k-$200k+    | Security+, cloud cert |
| **GRC**                  | Manage risk, compliance, and policy                  | $70k-$180k      | Security+, CISM       |

Salary ranges are US figures as of 2026 and vary heavily by city, company size, and remote policy. Other markets run lower in absolute terms — but the skills transfer globally, and remote hiring keeps widening the map.

***

## Pillar 1: Offensive Security

You think like an attacker. Your job is to find weaknesses in systems, networks, and applications before real adversaries do, through simulated attacks, technical exploitation, and creative problem-solving. This is the area most people picture when they hear the word "hacker." The key word here is *ethical*. You work with written permission, defined scope, and legal authorization.

**What the work actually looks like**

You spend a lot of time on reconnaissance, mapping out a target's attack surface before touching anything. Then you systematically probe for vulnerabilities, attempt to exploit them, and document what you find in detail. The documentation part is unavoidable and honestly takes as long as the hacking. Clients pay for the report as much as they pay for the testing.

Red team operations go further. Instead of a focused technical test, you simulate a real adversary over weeks or months, testing not just technology but also the people and processes supposed to detect and respond to you.

**Common roles:**

* Penetration Tester (Web, Network, Mobile, Cloud)
* Red Team Operator
* Vulnerability Researcher
* Bug Bounty Hunter
* Application Security Engineer (offensive focus)

{% hint style="info" %}
**Best for:** People who love puzzles and who don't give up when something doesn't work the first five times. Patience matters more than people expect. Most penetration testing isn't a movie montage. It's methodical enumeration, dead ends, and careful documentation. The creative breakthrough comes after the boring groundwork.
{% endhint %}

**Certifications to pursue:**

* **eJPT.** Affordable and beginner-friendly. A solid first step.
* **CompTIA PenTest+.** Broad vendor-neutral foundation.
* **OSCP.** The industry gold standard. 24-hour hands-on exam, highly respected by employers.

***

## Pillar 2: Defensive Security

You detect, contain, and respond to attacks. This is where the majority of cybersecurity jobs exist. Whether you're working in a Security Operations Center (SOC) monitoring alerts, hunting for threats that have already slipped through the perimeter, or leading incident response when a breach is confirmed, defensive security professionals are the emergency responders of the digital world.

**What the work actually looks like**

At the entry level, you're a SOC analyst watching a queue of security alerts, triaging each one to determine whether it's a real threat or a false positive. It can be repetitive. Most alerts are noise. But the ones that aren't are the ones that matter, and learning to quickly distinguish signal from noise is a skill that takes time to develop and is genuinely valuable.

At higher levels, you're hunting: looking for signs of compromise that automated tools missed, building detection rules, and leading the response when something real is happening.

**Common roles:**

* SOC Analyst (Tier 1, 2, 3)
* Threat Hunter
* Incident Responder
* Digital Forensics Analyst
* Detection Engineer
* Security Operations Manager

{% hint style="info" %}
**Best for:** People who enjoy analysis, pattern recognition, and staying composed under pressure. The professionals who advance from Tier 1 analyst to threat hunter or incident response lead are the ones who stay curious, invest in learning outside work hours, and build familiarity with how real attacks unfold, not just what the alert says.
{% endhint %}

**Certifications to pursue:**

* **CompTIA Security+.** Baseline requirement for most SOC roles.
* **CompTIA CySA+.** Focused on threat detection and analysis.
* **BTL1** (Blue Team Level 1). Hands-on, affordable, well-regarded for breaking into defensive roles.

***

## Pillar 3: Security Engineering and Architecture

You design and build the security systems that everyone else relies on. Firewalls, identity management, secure cloud infrastructure, network segmentation, encryption pipelines. These don't appear by accident. Security engineers and architects create, implement, and maintain the technical foundation of an organization's security posture.

**What the work actually looks like**

You're less likely to be responding to incidents and more likely to be building the infrastructure that makes incidents easier to detect and respond to. That means working closely with IT teams on network design, with developers on secure software pipelines, with cloud teams on identity and access management, and with leadership on evaluating new security tools.

DevSecOps is a significant and growing area here. As software development has accelerated, integrating security earlier in the development lifecycle (rather than bolting it on at the end) has become a priority. Security engineers who understand both development and security are in high demand.

**Common roles:**

* Security Engineer
* Cloud Security Engineer
* IAM Engineer
* DevSecOps Engineer
* Security Architect
* Application Security Engineer

{% hint style="info" %}
**Best for:** People with a networking, systems, or software development background who want to design and build rather than investigate and respond. This pillar tends to require more prior technical depth, making it a common destination for professionals who started elsewhere and developed strong fundamentals over time.
{% endhint %}

**Certifications to pursue:**

* **AWS Certified Security Specialty** or **Azure Security Engineer Associate**
* **CompTIA Security+** as a foundation
* **CCSP** (Certified Cloud Security Professional)
* **CISSP** (senior-level; requires five years of experience)

***

## Pillar 4: Governance, Risk and Compliance

You make sure organizations manage risk intelligently, meet legal and regulatory requirements, and have security policies that actually work. GRC professionals translate between technical security teams and business leadership. They ensure an organization can demonstrate its security posture to regulators, auditors, and customers.

This pillar is less hands-on-keyboard than the others, but don't underestimate it. Organizations that fail at compliance face massive fines. Organizations that mismanage risk suffer breaches they could have predicted. The GRC function is what keeps security from being treated as a cost center no one understands.

**What the work actually looks like**

You're conducting risk assessments, developing and maintaining security policies, preparing for audits, and advising leadership on where security investment makes business sense. You spend a lot of time in documentation and communication, explaining complex technical risks in terms that a CFO or board member can understand and act on.

Regulatory frameworks are at the center of much of this work: ISO 27001, SOC 2, NIST CSF, PCI DSS, HIPAA, GDPR. Understanding what these frameworks require, how to implement controls that satisfy them, and how to demonstrate compliance to auditors is a specialized skill that organizations pay well for.

**Common roles:**

* Compliance Analyst
* Risk Analyst
* Information Security Auditor
* Data Protection Officer
* GRC Manager
* Virtual CISO (vCISO)

{% hint style="info" %}
**Best for:** People with strong writing, analysis, and communication skills. Critical thinking and the ability to understand both technical concepts and business context matter more than deep technical hands-on experience. This is often the most accessible entry point for people transitioning from non-technical backgrounds, particularly those with legal, business, project management, or policy experience.
{% endhint %}

**Certifications to pursue:**

* **CISM** (Certified Information Security Manager)
* **CRISC** (Certified in Risk and Information Systems Control)
* **CISA** (Certified Information Systems Auditor)
* **CompTIA Security+** as a foundation

***

## The Specialization Cutting Across All Four: AI Security

Since 2023, a fifth area has been growing faster than any of the four pillars: securing AI systems, and using AI to do security work. It isn't a separate pillar because it touches all of them. Offensive folks red-team LLM applications for prompt injection and data leakage. Defenders use AI to triage alerts and hunt threats — and defend against attackers doing the same. Engineers build guardrails around AI agents that hold real credentials. GRC teams now own AI governance, model risk, and compliance with regulations like the EU AI Act.

Two things make this relevant to someone breaking in. First, almost every security job now expects you to work *with* AI tools competently and skeptically. Second, AI security specialists are scarce enough that demonstrable skill — a portfolio of prompt-injection findings, an LLM security writeup — gets attention even without years of experience. This book dedicates a full chapter to it later: the attack surface, the defenses, and the career path.

Don't start here, though. AI security builds on fundamentals — networking, application security, threat modeling. Pick a pillar first, then layer AI security on top of it. That combination is far more employable than either alone.

***

## Which Pillar Is Right for You?

There's no wrong answer. Most professionals touch multiple pillars over the course of their careers. Many great CISOs started as penetration testers. Many great security architects started as SOC analysts. The pillars are starting points, not life sentences.

| If you want to...                               | Start with...        |
| ----------------------------------------------- | -------------------- |
| Find and exploit vulnerabilities hands-on       | Offensive Security   |
| Analyze data, monitor, and respond to incidents | Defensive Security   |
| Design and build security systems               | Security Engineering |
| Come from business, legal, or policy background | GRC                  |

{% hint style="success" %}
**Still unsure?** Start with **Defensive Security**. SOC analyst roles are the most plentiful entry-level positions in the field, CompTIA Security+ is a credible first certification, and the skills you build there (reading logs, understanding attack patterns, writing incident reports) make you better at everything else.
{% endhint %}

***

## Career Progression

Cybersecurity careers don't follow a single linear track, but here's a rough picture of how the levels typically work.

| Level          | Timeline   | What It Looks Like                                                                                              |
| -------------- | ---------- | --------------------------------------------------------------------------------------------------------------- |
| **Entry**      | 0-2 years  | SOC Analyst Tier 1, Junior Pentester, Junior Compliance Analyst. Heavy on learning and repetitive tasks.        |
| **Mid**        | 2-5 years  | Complex tasks with minimal supervision. You have a specialty. You mentor juniors and make decisions.            |
| **Senior**     | 5-10 years | Design solutions, lead projects, influence direction. Trusted to own problems, not just subtasks.               |
| **Leadership** | 10+ years  | Security Director, VP of Security, CISO. Deep technical credibility separates great leaders from adequate ones. |

Worth noting: you don't have to become a CISO. Many highly skilled technical professionals build long, well-compensated careers staying hands-on. Staff security engineers, principal penetration testers, and senior threat hunters earn very well and never manage anyone. The field accommodates both paths equally.

***

## Key Takeaways

* Cybersecurity is four distinct career families — offensive, defensive, engineering, and GRC — with different skills, daily work, and entry requirements. Choose deliberately instead of drifting.
* GRC is the most realistic entry point from a non-technical background; defensive security (SOC) has the most entry-level openings overall.
* AI security is the fastest-growing specialization, but it layers on top of a pillar — it isn't a substitute for fundamentals.
* Pillars are starting points, not life sentences. Most careers cross between them, and the senior technical track pays as well as the management track.

***

## Further Reading

| Resource                                                                             | What it covers                                                                 |
| ------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------ |
| [MITRE ATT&CK](https://attack.mitre.org)                                             | Definitive knowledge base of adversary TTPs. Essential for defensive security. |
| [Paul Jerimy's Cert Roadmap](https://pauljerimy.com/security-certification-roadmap/) | Visual map of the entire cert landscape by domain and difficulty.              |
| [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)                  | Most widely adopted framework for organizing security programs.                |
| [SANS Reading Room](https://www.sans.org/reading-room)                               | Practitioner-written white papers across all pillars. High quality.            |
| [Krebs on Security](https://krebsonsecurity.com)                                     | Investigative journalism on real cybercrime and breach cases.                  |

***

*Not sure which pillar fits you? Want someone to think it through with you? Join the community on [Discord](https://discord.gg/vkXWVFdFe) or reach out on [LinkedIn](https://www.linkedin.com/in/ahmadscience/). And if this book helped you, contribute to it. Your commit here is a real open-source credit worth putting on your CV.*
