Cybersecurity Career Paths Explained: SOC Analyst, Pen Tester, Security Engineer, CISO
Published on BirJob.com · March 2026 · by Ismat
The Night I Watched a Scraper Attack in Real Time
BirJob is a job aggregator. It's not a bank. It doesn't store credit card numbers or social security data. It scrapes job listings and displays them. So when I first noticed unusual traffic patterns hitting our API at 3 AM — hundreds of requests per second from rotating IP addresses, probing for SQL injection in query parameters — my first thought was: why? There's nothing here worth stealing.
But that's the thing about cybersecurity: attackers don't care what you think your site is worth. They care about what they can find. An unsecured database. A misconfigured server that can be used as part of a botnet. An admin panel with default credentials. The attacks aren't personal — they're automated, relentless, and indiscriminate.
That experience gave me a visceral appreciation for the people whose entire job is to defend against this. And it made me realize that most developers (myself included) know almost nothing about what cybersecurity professionals actually do day-to-day. The field is vast, specialized, and shockingly under-staffed. If you're considering a career in cybersecurity — or even just curious about what those roles entail — this is the guide I wish someone had written for me.
The Numbers First: A Field Drowning in Demand
The cybersecurity talent gap isn't a future problem. It's a present crisis that has been getting worse every year.
The ISC2 2024 Cybersecurity Workforce Study estimates that there are 3.4 million unfilled cybersecurity positions worldwide. That's not a vague projection — it's the current gap between the number of professionals working in cybersecurity and the number organizations say they need. The global cybersecurity workforce is approximately 5.5 million people, which means the field needs to grow by roughly 62% just to meet current demand. Not future demand. Current demand.
The U.S. Bureau of Labor Statistics projects 33% growth for information security analysts from 2023 to 2033, making it one of the fastest-growing occupations in the entire economy. For context, the average growth rate across all occupations is about 4%.
Cybersecurity Ventures estimates that global cybercrime costs will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. Every dollar of that creates demand for people to prevent it, detect it, and respond to it.
The World Economic Forum's Global Cybersecurity Outlook 2025 reports that 90% of cyber leaders believe the cyber skills gap is a critical challenge, and that two-thirds of organizations report moderate-to-critical skills shortages.
What does this mean for you? If you can break into this field, you will not struggle to find work. The supply-demand imbalance is staggering and shows no signs of correcting itself.
The Taxonomy: Four Core Cybersecurity Roles
"Cybersecurity" is not one job. It's a field with specializations as varied as medicine. You wouldn't ask "what does a doctor do?" without specifying whether you mean a surgeon, a radiologist, or a psychiatrist. Cybersecurity is the same way. Here are the four roles that define the career ladder, from entry to executive.
Role 1: SOC Analyst (Security Operations Center Analyst)
What they do
The SOC Analyst is the frontline defender. They sit in a Security Operations Center (which, despite the dramatic name, is usually just an open-plan office with a lot of monitors) and monitor an organization's systems for security threats in real time. Think of them as the security equivalent of an ER triage nurse — their job is to identify threats, assess severity, and either handle them or escalate them.
Day-to-day
- Monitoring SIEM (Security Information and Event Management) dashboards for alerts
- Investigating alerts to determine if they're real threats or false positives (spoiler: most are false positives)
- Analyzing log data from firewalls, IDS/IPS, endpoints, and applications
- Writing incident reports when real threats are detected
- Escalating critical incidents to senior analysts or the incident response team
- Tuning alert rules to reduce false positives without missing real threats
- Running basic threat intelligence lookups on suspicious IPs, domains, and file hashes
Tools
| Category | Primary Tools |
|---|---|
| SIEM | Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM |
| EDR | CrowdStrike Falcon, SentinelOne, Carbon Black |
| Network Analysis | Wireshark, Zeek, tcpdump |
| Threat Intel | VirusTotal, MITRE ATT&CK, AlienVault OTX |
| Ticketing | ServiceNow, Jira, TheHive |
| Scripting | Python, PowerShell, Bash |
Certifications that matter
- CompTIA Security+ — the de facto entry-level certification. Most SOC job postings either require it or list it as preferred.
- CompTIA CySA+ (Cybersecurity Analyst) — a step above Security+, focused specifically on SOC analyst skills.
- GIAC Security Essentials (GSEC) — more respected in technical circles but also more expensive.
Salary
| Level | US Salary Range | Emerging Markets |
|---|---|---|
| SOC Analyst Tier 1 (Entry) | $55,000 – $75,000 | $10,000 – $25,000 |
| SOC Analyst Tier 2 (Mid) | $75,000 – $100,000 | $20,000 – $40,000 |
| SOC Analyst Tier 3 / Lead | $100,000 – $130,000 | $30,000 – $55,000 |
Salary data compiled from Glassdoor, Payscale, and the ISC2 Workforce Study.
The honest truth about SOC work
SOC analyst roles have high turnover. The work can be repetitive — you spend hours triaging alerts, most of which are false positives. Shift work (nights, weekends, holidays) is common because attacks don't respect business hours. Many people use the SOC as a stepping stone to more specialized roles, not as a career destination. That's fine — just go in with open eyes.
Role 2: Penetration Tester (Pen Tester / Ethical Hacker)
What they do
Penetration testers are paid to break into things. They simulate real-world attacks against an organization's systems, networks, and applications to find vulnerabilities before actual attackers do. It's the most glamorized role in cybersecurity — the one you see in movies and at DEF CON talks — and it's also one of the most technically demanding.
Day-to-day
- Scoping engagements with clients (what's in scope, what's off-limits, rules of engagement)
- Reconnaissance: OSINT gathering, network scanning, service enumeration
- Vulnerability scanning and manual testing
- Attempting exploitation: SQL injection, XSS, privilege escalation, buffer overflows, misconfigurations
- Writing detailed reports that explain vulnerabilities, risk levels, and remediation steps
- Presenting findings to technical teams and (sometimes) executives
- Staying current on new attack techniques, CVEs, and zero-days
Tools
| Category | Primary Tools |
|---|---|
| Scanning | Nmap, Masscan, Nessus, OpenVAS |
| Web App Testing | Burp Suite Professional, OWASP ZAP, sqlmap |
| Exploitation | Metasploit Framework, Cobalt Strike, custom scripts |
| Password Cracking | Hashcat, John the Ripper, Hydra |
| Post-Exploitation | Mimikatz, BloodHound, Impacket |
| Wireless | Aircrack-ng, Kismet, WiFi Pineapple |
| OS | Kali Linux, Parrot OS |
| Reporting | Dradis, PlexTrac, custom templates |
Certifications that matter
- OSCP (Offensive Security Certified Professional) — the gold standard for pen testing. It's a 24-hour practical exam where you must hack into multiple machines. No multiple choice. You either pop the boxes or you don't. Brutal, respected, career-defining.
- CEH (Certified Ethical Hacker) — more widely known but less technically respected than OSCP. Good for checking HR boxes. The exam is multiple choice, which tells you something about its practical relevance.
- GPEN (GIAC Penetration Tester) — solid mid-tier certification, well-regarded in enterprise environments.
- OSWE, OSEP, OSED — advanced OffSec certifications for web app, evasion, and exploit development respectively.
Salary
| Level | US Salary Range | Emerging Markets |
|---|---|---|
| Junior Pen Tester | $70,000 – $95,000 | $15,000 – $35,000 |
| Mid Pen Tester | $95,000 – $130,000 | $30,000 – $55,000 |
| Senior Pen Tester / Red Team Lead | $130,000 – $180,000 | $45,000 – $80,000 |
| Independent Consultant | $150 – $400/hour | $50 – $150/hour |
Sources: Glassdoor, Salary.com, ISC2.
The honest truth about pen testing
Pen testing is about 20% hacking and 80% report writing. If you hate writing, you will hate this job. The actual exploitation is thrilling — the documentation is not. Also, most pen testers work at consulting firms, which means client management, travel, tight deadlines, and the constant pressure of finding something even when systems are reasonably secure. It's not like the movies.
Role 3: Security Engineer
What they do
If SOC analysts are the ER triage nurses and pen testers are the quality inspectors, security engineers are the architects. They design, build, and maintain the security infrastructure that protects an organization. They're the ones who decide which SIEM to deploy, how to configure the firewall rules, how to implement zero-trust architecture, and how to integrate security into the CI/CD pipeline.
This is the role that bridges traditional cybersecurity with software engineering. Security engineers write code. They build automation. They design systems. They're not just using security tools — they're often building them.
Day-to-day
- Designing and implementing security architecture for cloud environments (AWS, Azure, GCP)
- Building security automation: SOAR playbooks, automated vulnerability scanning, policy-as-code
- Implementing identity and access management (IAM) systems
- Conducting security reviews of application code and infrastructure configurations
- Managing secrets, certificates, and key rotation
- Integrating security scanning into CI/CD pipelines (SAST, DAST, SCA)
- Incident response: investigating breaches, containing damage, leading forensic analysis
- Writing security policies and standards
- Mentoring developers on secure coding practices
Tools
| Category | Primary Tools |
|---|---|
| Cloud Security | AWS Security Hub, Azure Defender, GCP Security Command Center |
| Infrastructure as Code | Terraform, CloudFormation, Pulumi (with security policies) |
| Container Security | Trivy, Falco, Aqua Security, Snyk Container |
| SAST/DAST | SonarQube, Checkmarx, Snyk Code, Semgrep |
| Secrets Management | HashiCorp Vault, AWS Secrets Manager, SOPS |
| IAM | Okta, Azure AD, AWS IAM, Keycloak |
| SOAR | Splunk SOAR, Palo Alto XSOAR, Tines |
| Programming | Python, Go, Bash, PowerShell |
Certifications that matter
- CISSP (Certified Information Systems Security Professional) — the heavyweight. Requires 5 years of experience. Broad and management-oriented, but it's the most recognized certification in the field. Many senior security engineer and security architect roles require it.
- AWS/Azure/GCP Security Specialty certifications — increasingly important as security becomes cloud-native.
- CompTIA Security+ and CySA+ — good foundations.
- GIAC certifications (GCIH, GCIA, GCSA) — well-regarded for hands-on technical roles.
Salary
| Level | US Salary Range | Emerging Markets |
|---|---|---|
| Junior Security Engineer | $85,000 – $110,000 | $20,000 – $40,000 |
| Mid Security Engineer | $120,000 – $160,000 | $35,000 – $65,000 |
| Senior Security Engineer | $160,000 – $220,000 | $55,000 – $100,000 |
| Staff / Principal Security Engineer | $200,000 – $350,000+ | $80,000 – $150,000 |
Sources: Glassdoor, Levels.fyi, ISC2.
The honest truth about security engineering
This is arguably the best role in cybersecurity for career longevity and compensation. You combine security domain knowledge with software engineering skills, which makes you valuable in a way that's hard to automate or offshore. The downside: the scope is enormous. You're expected to understand networking, cloud infrastructure, application security, cryptography, compliance, and software development. It's a role that demands continuous learning at a pace that can be exhausting.
Role 4: CISO (Chief Information Security Officer)
What they do
The CISO is the executive responsible for an organization's entire information security program. They report to the CEO or CTO, sit in board meetings, manage budgets, hire and lead the security team, and are ultimately accountable when things go wrong. This is where cybersecurity meets business strategy.
Day-to-day
- Setting the organization's security strategy and roadmap
- Managing the security budget (which can range from $500K at mid-size companies to $50M+ at enterprises)
- Reporting security posture to the board of directors
- Leading incident response during major breaches
- Managing compliance with regulations (GDPR, SOC 2, HIPAA, PCI-DSS, etc.)
- Hiring, mentoring, and retaining security talent
- Vendor management: evaluating and purchasing security tools
- Risk assessment: deciding which risks to mitigate, transfer, accept, or avoid
- Cross-functional collaboration with engineering, legal, product, and HR
Skills (less about tools, more about leadership)
| Category | What CISOs Need |
|---|---|
| Technical Foundation | Broad understanding of security domains (doesn't need to be hands-on anymore) |
| Risk Management | FAIR framework, quantitative risk analysis, business impact assessment |
| Compliance | Deep knowledge of relevant regulations and audit processes |
| Communication | Ability to translate technical risks into business terms for board-level audiences |
| Leadership | Team building, budget management, vendor negotiation, crisis management |
| Business Acumen | Understanding of business operations, P&L, and how security enables (not just restricts) business |
Certifications that matter
- CISSP — almost universally required or expected.
- CISM (Certified Information Security Manager) — ISACA's management-focused certification, specifically designed for the CISO track.
- MBA or similar business degree — increasingly common among CISOs, especially at large enterprises.
Salary
| Level | US Salary Range | Emerging Markets |
|---|---|---|
| CISO (Mid-Size Company) | $200,000 – $350,000 | $60,000 – $120,000 |
| CISO (Enterprise / F500) | $350,000 – $600,000+ | $100,000 – $250,000 |
| CISO (Big Tech / Finance) | $500,000 – $1,000,000+ | Rare; global compensation |
Sources: Glassdoor, Heidrick & Struggles CISO Survey 2024, ISC2.
The honest truth about being a CISO
CISO tenure is notoriously short — industry surveys put the average at around 2-4 years. The role is high-stress, high-visibility, and often thankless. When everything is secure, nobody notices. When there's a breach, the CISO is the first person the board looks at. Burnout rates are significant. The compensation reflects this risk.
Red Team vs Blue Team: The Divide That Defines the Field
If you've spent any time around cybersecurity people, you've heard the terms "red team" and "blue team." Here's what they actually mean:
Red Team (Offense): These are the attackers. Their job is to think like an adversary and find ways to break into systems. Red team roles include penetration testers, red team operators, vulnerability researchers, exploit developers, social engineers, and bug bounty hunters.
Blue Team (Defense): These are the defenders. Their job is to detect, prevent, and respond to attacks. Blue team roles include SOC analysts, security engineers, incident responders, forensic analysts, and threat intelligence analysts.
Purple Team: A relatively new concept where red and blue teams work together, sharing attack techniques and defensive strategies in real time. The goal is collaborative improvement rather than adversarial testing.
| Aspect | Red Team | Blue Team |
|---|---|---|
| Mindset | Offensive, creative, adversarial | Defensive, systematic, resilient |
| Key Question | "How can I break this?" | "How can I protect this?" |
| Entry Point | CTFs, bug bounties, OSCP | SOC analyst, Security+, helpdesk |
| Day-to-Day | Varied engagements, report writing | Monitoring, alerts, investigations |
| Career Ceiling | Red Team Lead, Principal Consultant | CISO, VP of Security, Staff Security Engineer |
| Job Market Size | Smaller (fewer offensive roles) | Much larger (most security roles are defensive) |
| Pay at Senior Level | $150K – $250K | $160K – $350K+ (engineering / leadership) |
The important thing to understand: there are far more blue team jobs than red team jobs. Offensive security is exciting and gets all the conference talks, but defense is where the jobs are. For every pen testing role, there are roughly 5-10 defensive security roles. Plan accordingly.
Career Progression: From Zero to CISO
Here's a realistic career progression through cybersecurity. Timelines are approximate and vary wildly based on talent, opportunity, and luck:
The Defensive (Blue Team) Track
| Stage | Role | Years of Experience | Key Milestone |
|---|---|---|---|
| 1 | IT Support / Helpdesk / Jr. Sysadmin | 0 – 2 | CompTIA A+, Network+, Security+ |
| 2 | SOC Analyst (Tier 1) | 1 – 3 | First real security role, learn SIEM |
| 3 | SOC Analyst (Tier 2) / Security Analyst | 3 – 5 | CySA+, handle incidents independently |
| 4 | Security Engineer / Incident Responder | 4 – 7 | Build security systems, lead responses |
| 5 | Senior Security Engineer / Security Architect | 7 – 12 | CISSP, design security architecture |
| 6 | Director of Security / VP Security | 10 – 15 | Manage teams, set strategy |
| 7 | CISO | 12 – 20+ | Executive leadership, board reporting |
The Offensive (Red Team) Track
| Stage | Role | Years of Experience | Key Milestone |
|---|---|---|---|
| 1 | IT Support / Jr. Developer / CTF Competitor | 0 – 2 | Security+, start CTFs and HackTheBox |
| 2 | Junior Pen Tester / Security Analyst | 1 – 3 | OSCP, first client engagements |
| 3 | Pen Tester | 3 – 5 | Lead engagements, specialize (web, infra, mobile) |
| 4 | Senior Pen Tester / Red Team Operator | 5 – 8 | OSEP/OSWE, adversary simulation |
| 5 | Red Team Lead / Principal Consultant | 8 – 12 | Lead team, design operations, mentor juniors |
| 6 | Director of Offensive Security / VP | 10 – 15+ | Build and manage offensive security programs |
The Certification Landscape: Which Ones Actually Matter
Cybersecurity has a certification problem. There are hundreds of certifications, many of them expensive, and the signal-to-noise ratio is low. Here's my honest breakdown:
| Certification | Cost | Difficulty | Industry Value | Verdict |
|---|---|---|---|---|
| CompTIA Security+ | ~$400 | Moderate | High (for entry-level) | Get this first. Period. |
| CEH | ~$1,200 | Moderate | Mixed | Good for HR boxes. OSCP is better technically. |
| OSCP | ~$1,650 | Very Hard | Very High | Career-defining for offensive security. |
| CISSP | ~$750 | Hard (breadth) | Very High | Required for senior/management roles. |
| CompTIA CySA+ | ~$400 | Moderate | Moderate-High | Great for SOC analysts. |
| CISM | ~$760 | Hard | High | Best for the management/CISO track. |
| AWS Security Specialty | ~$300 | Hard | High (cloud roles) | Essential if you do cloud security. |
| GIAC certs (SANS) | $2,500 – $8,000+ | Hard | High | Excellent but expensive. Employer-funded if possible. |
My recommendation for career changers: Security+ first, then either OSCP (if you want offensive) or CySA+ (if you want defensive). CISSP comes later when you have the experience to back it up. Don't try to collect certifications like Pokémon — each one should be strategic.
The Talent Gap: What It Actually Means for Career Changers
Let me be direct about what the 3.4 million unfilled jobs number means and doesn't mean.
What it means: There is genuine, structural demand for cybersecurity professionals. Companies are struggling to hire. Salaries are elevated because of supply constraints. If you get qualified, you will find work faster than in most other tech fields. The ISC2 data shows that cybersecurity unemployment rates are near zero in most markets.
What it doesn't mean: Companies are not desperate enough to hire anyone who can spell "firewall." Entry-level roles still receive hundreds of applications. The gap is most acute at the mid and senior levels, not at entry level. There are plenty of people with Security+ certifications and no experience. There are not enough people with 5 years of security engineering experience and cloud expertise. The gap is a skills gap, not an awareness gap.
What career changers should actually do:
- Build a home lab. Set up a SIEM (Elastic Stack or Wazuh), monitor traffic, investigate alerts. This is more impressive to hiring managers than any certification.
- Compete in CTFs on HackTheBox, TryHackMe, or PicoCTF. These provide verifiable skills.
- Contribute to open-source security tools. Even documentation contributions show engagement with the community.
- Get an IT support or sysadmin role first if you have zero tech experience. Jumping directly into cybersecurity without understanding how systems work is like trying to be a surgeon without knowing anatomy.
Common Misconceptions
"I need a computer science degree to get into cybersecurity." No. The ISC2 Workforce Study shows that cybersecurity professionals come from diverse educational backgrounds. Many successful security professionals started in IT support, networking, or even completely unrelated fields. Certifications and practical skills matter more than degrees in this field, though a degree doesn't hurt.
"Pen testing is the most important cybersecurity role." It's the most visible, not the most important. Defense employs 5-10x more people, and a single good security engineer protecting systems 24/7 arguably prevents more damage than a pen tester who finds vulnerabilities in a once-a-year engagement. Both matter. Defense just gets less glory.
"AI will replace cybersecurity jobs." AI is a tool in cybersecurity, not a replacement. AI helps SOC analysts triage alerts faster and helps pen testers scan more efficiently. But the adversaries are also using AI, which means the cat-and-mouse game continues with higher sophistication on both sides. If anything, AI is creating more cybersecurity jobs (securing AI systems, defending against AI-powered attacks) than it's eliminating. The WEF Cybersecurity Outlook 2025 explicitly calls out AI as a driver of increased cybersecurity demand.
"You need to know how to code to work in cybersecurity." It depends on the role. SOC analysts need basic scripting (Python, PowerShell). Pen testers need moderate scripting and some exploit development skills. Security engineers need strong programming skills. CISOs don't need to code at all. But here's the thing: even basic scripting ability will set you apart from the majority of entry-level candidates.
What I Actually Think
After running a tech product and seeing the security landscape from the builder's perspective, here's my take:
Security engineering is the best-kept secret in tech careers. It pays as well as or better than software engineering, has better job security (literally — you cannot outsource or automate away the need for someone who understands your specific security architecture), and the demand curve is only going up. If I were starting a tech career today and didn't already love building products, I'd seriously consider security engineering.
Don't romanticize offensive security. Pen testing gets all the conference talks and YouTube videos because hacking is visually exciting. But the career path is narrower, the job market is smaller, and many pen testers eventually move into security engineering or management because the role plateaus. There are only so many times you can run the same Nmap-to-Metasploit pipeline before it stops being intellectually stimulating.
The CISO path is a management path. If you want to stay technical, CISO is not your destination. The best CISOs I've read about and heard speak are translators — they translate technical risk into business language. If that doesn't excite you, aim for Staff/Principal Security Engineer instead. The pay is comparable, and you stay hands-on.
The cybersecurity talent gap is real, but it's not a free pass. You still need to be good. You still need to demonstrate practical skills. The gap means you'll find a job faster once you're qualified — it doesn't mean you'll get hired before you're qualified.
If You're Choosing Right Now
If you're completely new to tech: Start in IT support. Learn networking fundamentals (CompTIA Network+), then get Security+. Apply for SOC Analyst Tier 1 roles. Total time: 6-12 months of focused study.
If you're a software developer looking to transition: You have a massive advantage. Your coding skills are directly applicable. Target security engineering roles. Study for the CISSP or get an AWS Security Specialty certification. Learn about OWASP Top 10, secure coding practices, and cloud security. You could be in a security engineer role within 3-6 months.
If you want to do offensive security: Start on HackTheBox or TryHackMe today. Work through the OSCP syllabus. Be prepared for a 12-18 month journey to your first pen testing role. It's harder to break into than defense, but the community is supportive and the skills are genuinely fun to learn.
If you're mid-career in cybersecurity and feeling stuck: The jump from SOC analyst to security engineer is the most impactful career move in the field. It requires learning cloud infrastructure and programming, but it roughly doubles your earning potential and opens the door to either the CISO track or the Staff IC track.
If you're in an emerging market (Azerbaijan, Turkey, etc.): Cybersecurity roles are growing in this region but the local market is still small. Consider remote work for US/EU companies or focus on industries with strong local security needs: banking, oil & gas, government, and telecom. International certifications (Security+, CISSP, OSCP) carry significant weight because they signal globally recognized competence.
Sources
- ISC2 Cybersecurity Workforce Study 2024
- U.S. Bureau of Labor Statistics — Information Security Analysts
- Cybersecurity Ventures — Jobs Report 2025
- World Economic Forum — Global Cybersecurity Outlook 2025
- CompTIA Security+
- OSCP (Offensive Security)
- CISSP (ISC2)
- CEH (EC-Council)
- Glassdoor — SOC Analyst Salaries
- Glassdoor — Penetration Tester Salaries
- Glassdoor — Security Engineer Salaries
- Glassdoor — CISO Salaries
- Levels.fyi — Security Engineer Compensation
- Heidrick & Struggles CISO Survey 2024
- HackTheBox
- TryHackMe
I'm Ismat, and I build BirJob — a job aggregator that scrapes 91 sites across Azerbaijan. Cybersecurity roles show up regularly on the platform, especially from banks, telecoms, and oil companies.
