Discover the Coolest and Most In-Demand Cybersecurity Careers

Organizations are seeking skilled professionals to fill exciting new roles in the evolving cybersecurity landscape. Explore the hottest opportunities and chart your path to a thriving career.

Your Path to Closing the Cybersecurity Skills Gap

For aspiring and current cybersecurity professionals, bridging the skills gap is the key to unlocking the most exciting and in-demand career opportunities. The 2024 SANS | GIAC Research Report highlights that the industry urgently needs practitioners who combine strong fundamentals with hands-on expertise to meet evolving challenges. By focusing on developing targeted skills and earning certifications aligned with key roles, you can distinguish yourself in a competitive job market and advance into roles shaping the future of cybersecurity.

Download the "20 Coolest Cybersecurity Careers" poster to explore pathways to these rewarding roles and discover how you can chart your journey to becoming a top-tier cybersecurity professional.

20 Coolest Careers in Cybersecurity

Cybersecurity is more dynamic than ever, with organizations on the hunt for professionals equipped with unique skills to tackle today’s evolving challenges. From threat hunters to cloud security architects, the most exciting roles combine technical expertise with creativity and problem-solving. Explore our curated list of the coolest and most in-demand cybersecurity careers shaping the industry and find the role that aligns with your ambitions.

1: Threat Hunter (Threat/Warning Analyst)

A Threat Hunter applies new threat intelligence against existing evidence to identify attackers that have evaded real-time detection mechanisms. This role requires several skills, including threat intelligence, system and network forensics, and investigative development processes. Threat hunting shifts incident response from a reactive investigative process to a proactive approach, uncovering adversaries or their footprints using emerging intelligence.

Why is this role important? Threat hunters actively search for evidence of attackers that traditional detection methods have missed. Their work often reveals adversaries who have remained undetected for extended periods, helping organizations address long-term security threats.

“Digging below what commercial anti-virus systems are able to detect to find embedded threat actors in client environments makes this job special. Shoutout to Malware and Threat Intelligence Analysts who contribute their expertise to make threat hunters more effective against adversaries.” - Ade Muhammed

Recommended SANS courses:

FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™

GIAC Certified Forensic Analyst (GCFA) Practitioner Certification

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response™

GIAC Network Forensic Analyst (GNFA) Practitioner Certification

FOR578: Cyber Threat Intelligence™

GIAC Cyber Threat Intelligence (GCTI) Practitioner Certification

FOR608: Enterprise-Class Incident Response & Threat Hunting™

GIAC Enterprise Incident Response (GEIR) Practitioner Certification

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques™

GIAC Reverse Engineering Malware Certification (GREM) Practitioner Certification

SEC504™: Hacker Tools, Techniques, and Incident Handling™

GIAC Certified Incident Handler Certification (GCIH) Practitioner Certification

SEC541: Cloud Security Threat Detection™

GIAC Cloud Threat Detection (GCTD) Practitioner Certification

ICS515: ICS Visibility, Detection, and Response™

GIAC Response and Industrial Defense (GRID) Practitioner Certification

ICS612: ICS Cybersecurity In-Depth™

2: Red Teamer (Adversary Emulation Specialist)

As a Red Teamer, your challenge is to approach problems and situations from an adversary’s perspective. The primary goal is to strengthen the Blue Team by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role involves performing adversary emulation: Red Team exercises that mimic how real adversaries operate. These exercises follow the same tactics, techniques, and procedures (TTPs) as actual threats, with objectives aligned to realistic scenarios. The role may also involve creating custom implants and command-and-control (C2) frameworks designed to evade detection.

Why is this role important?

This role addresses the critical question: “Could the attack that brought down [insert company name] happen to us?” Red Teamers provide a comprehensive assessment of an organization’s preparedness for a sophisticated attack by testing not just the defenses, but also the defenders themselves.

“The only way to test a full catalog of defense is to have a full catalog of offense measure its effectiveness. Security scanning is the bare minimum and having Red Team perform various operations from different points will help the organization fix weaknesses where it matters.” - Beeson Cho

Recommended SANS courses:

SEC504™: Hacker Tools, Techniques, and Incident Handling™

GIAC Certified Incident Handler Certification (GCIH) Practitioner Certification

SEC542: Web App Penetration Testing and Ethical Hacking™

GIAC Web Application Penetration Tester (GWAPT) Practitioner Certification

SEC560: Enterprise Penetration Testing™

GIAC Penetration Tester Certification (GPEN) Practitioner Certification

SEC565: Red Team Operations and Adversary Emulation™

GIAC Red Team Professional (GRTP) Practitioner Certification

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking™

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) Practitioner Certification

SEC670: Advanced Exploit Development for Penetration Testers™

SEC699: Advanced Purple Teaming – Adversary Emulation & Detection Engineering™

SEC760: Advanced Exploit Development for Penetration Testers™

3: Digital Forensics Analyst

A Digital Forensics Analyst uses advanced forensic skills to examine a wide range of digital media involved in investigations. This role requires expertise in evidence collection, as well as computer, smartphone, cloud, and network forensics. Analysts must also possess an investigative mindset. These experts analyze compromised systems or digital media to uncover the facts of what occurred. Digital evidence often contains footprints that physical forensic data or a crime scene cannot provide.

Why is this role important?

As the detective of the cybersecurity world, you delve into computers, smartphones, cloud data, and networks for evidence in the wake of an incident or crime. In this role, the opportunity to learn never stops. Technology is always advancing, as is your career.

“Forensics is about diving deep into any system and device and locating the problem so as to develop a solution.” - Patricia M 
“Data doesn’t lie, and the digital forensic analyst looks at the data to convey the stories that they tell.” - Anthony Wo

Recommended SANS courses:

FOR498: Digital Acquisition and Rapid Triage™

GIAC Battlefield Forensics and Acquisition (GBFA) Practitioner Certification

FOR500: Windows Forensic Analysis™

GIAC Certified Forensic Examiner (GCFE) Practitioner Certification

FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™

GIAC Certified Forensic Analyst (GCFA) Practitioner Certification

FOR509: Enterprise Cloud Forensics and Incident Response™

GIAC Cloud Forensics Responder (GCFR) Practitioner Certification

FOR518: Mac and iOS Forensic Analysis and Incident Response™

GIAC iOS and macOS Examiner (GIME) Practitioner Certification

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response™

GIAC Network Forensic Analyst (GNFA) Practitioner Certification

FOR585: Smartphone Forensic Analysis In-Depth™

GIAC Advanced Smartphone Forensics Certification (GASF) Practitioner Certification

SEC501: Advanced Security Essentials – Enterprise Defender™

GIAC Certified Enterprise Defender (GCED) Practitioner Certification

4: Purple Teamer

In this role, you bring a deep understanding of both defensive (“Blue Team”) and offensive (“Red Team”) cybersecurity practices. Your responsibilities include organizing and automating adversary technique emulations, identifying potential new log sources and use cases to enhance SOC detection coverage, and recommending security controls to improve resilience against adversarial techniques. Additionally, you play a crucial role in fostering effective communication and collaboration between traditional defensive and offensive roles. 

Why is this role important?

The Purple Teamer bridges the gap between Blue and Red teams, helping them to understand each other’s perspectives. Blue Teams often focus on security controls, log sources, and use cases, while Red Teams concentrate on payloads, exploits, and implants. By ensuring both teams speak a common language and collaborate effectively, you contribute to strengthening the organization’s overall cybersecurity posture.

“The combination of red team blue team operations is very interesting and you get to see both sides. I have been on a Purple Team for a while now and it has driven a lot of positive change for us.” - Andrew R

Recommended SANS courses:

SEC504™: Hacker Tools, Techniques, and Incident Handling™

GIAC Certified Incident Handler Certification (GCIH) Practitioner Certification

SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses™

GIAC Defending Advanced Threats (GDAT) Practitioner Certification

SEC568: Product Security Penetration Testing – Safeguarding Supply Chains and Managing Third-Party Risk™

SEC598: Security Automation for Offense, Defense, and Cloud™

SEC699: Advanced Purple Teaming – Adversary Emulation & Detection Engineering™

5: Malware Analyst

Malware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. They delve deep into malicious software to understand the nature of the threat: how it infiltrated, the vulnerabilities it exploited, and its actions, intentions, and potential impact.

Why is this role important?

When tasked with exhaustively analyzing a piece of malicious code, you know you’re facing a case of the utmost importance. Properly handling, disassembling, debugging, and analyzing binaries requires specific tools, techniques, and procedures and the knowledge of how to see through the code to its true functions. Reverse engineers possess these precious skills, often tipping the scales in favor of investigators during incident response operations. Whether extracting signatures for improved detection or generating threat intelligence to share across the industry, malware analysts are an indispensable investigative resource.

“Being a malware analyst provides a great opportunity to pit your reverse engineering skills against the skills of malware authors who often do everything in their power to make the software as confusing as possible.” - Bob Pardee

Recommended SANS courses:

FOR518: Mac and iOS Forensic Analysis and Incident Response™

GIAC iOS and macOS Examiner (GIME) Practitioner Certification

FOR585: Smartphone Forensic Analysis In-Depth™

GIAC Advanced Smartphone Forensics Certification (GASF) Practitioner Certification

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques™

GIAC Reverse Engineering Malware Certification (GREM) Practitioner Certification

FOR710: Reverse-Engineering Malware: Advanced Code Analysis™

SEC501: Advanced Security Essentials – Enterprise Defender™

GIAC Certified Enterprise Defender (GCED) Practitioner Certification

6: Chief Information Security Officer (CISO) (Executive Cyber Leadership)

The CISO leads efforts to identify, develop, implement, and maintain processes that reduce information and IT risks across the organization. This role involves responding to incidents, establishing appropriate standards and controls, managing security technologies, and guiding the development, implementation, and enforcement of policies and procedures. The CISO is often responsible for information-related compliance initiatives, such as supervising efforts to achieve ISO/IEC 27001 certification for part or all of the organization. The CISO's influence typically extends across the entire organization, shaping its security posture and strategic priorities.

Why is this role important?

CISOs require a strong balance of business acumen and technology expertise. They must stay current on information security issues from a technical standpoint, integrate security planning into broader business objectives, and cultivate a long-lasting security and risk-based culture. Their leadership is essential to protecting the organization and aligning its security strategy with its overall mission and goals.

“The chief gets to coordinate the plans. The chief gets to know the team, know them well and disperse them appropriately to strategically defend and test org networks and security posture.” - Anastasia Edwards

Recommended SANS courses:

LDR512: Security Leadership Essentials for Managers™

GIAC Security Leadership (GSLC) Practitioner Certification

LDR514: Security Strategic Planning, Policy, and Leadership™

GIAC Strategic Planning, Policy, and Leadership (GSTRT) Practitioner Certification

LDR516: Building and Leading Vulnerability Management Programs™

LDR520: Cloud Security for Leaders™

LDR521: Security Culture for Leaders™

LDR551: Building and Leading Security Operations Centers™

GIAC Security Operations Manager Certification (GSOM) Practitioner Certification

LDR553: Cyber Incident Management™

GIAC Cyber Incident Leader (GCIL) Practitioner Certification

SEC566: Implementing and Auditing CIS Controls™

GIAC Critical Controls Certification (GCCC) Practitioner Certification

ICS418: ICS Security Essentials for Leaders™

7: Blue Teamer – All-Around Defender (Cyber Defense Analyst)

This role, which may go by various titles depending on the organization, requires a broad range of tasks and knowledge. The all-around defender, or Blue Teamer, often serves as the primary security contact in smaller organizations, taking on responsibilities such as engineering and architecture, incident triage and response, security tool administration, and more.

Why is this role important?

This role is crucial, particularly in small to mid-size organizations that lack the budget for a full-fledged security team with specialized roles. The all-around defender may not have an official job title, but their scope of work spans many aspects of cybersecurity, acting as a versatile resource to handle “a little bit of everything” for the organization’s defense.

“In this day and age, we need guys that are good at defense and understand how to harden systems.” - David O

Recommended SANS courses:

SEC450: Blue Team Fundamentals: Security Operations and Analysis™

GIAC Security Operations Certified (GSOC) Practitioner Certification

SEC503™: Network Monitoring and Threat Detection In-Depth™

GIAC Certified Intrusion Analyst Certification (GCIA) Practitioner Certification

SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring™

GIAC Continuous Monitoring Certification (GMON) Practitioner Certification

SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise™

GIAC Defensible Security Architect Certification (GDSA) Practitioner Certification

SEC555: SIEM with Tactical Analytics™

GIAC Certified Detection Analyst (GCDA) Practitioner Certification

8: Security Architect (NICE) & Engineer

Security Architects and Engineers design, implement, and optimize a combination of network-centric and data-centric controls to balance prevention, detection, and response. These professionals take a holistic look at enterprise defense, building security into every layer of the organization. They balance business and technical requirements while adhering to security policies and procedures to implement defensible security architectures. 

Why is this role important?

A Security Architect and Engineer is a versatile Blue Teamer and cyber defender who possesses an arsenal of skills to protect an organization’s sensitive data—from endpoints to the cloud and across networks and applications.

“A security architect needs to understand workflows, networks, business requirements, project plans and sometimes even budget restraints. A very diversified role!” - Chris Bodill

Recommended SANS courses:

SEC503™: Network Monitoring and Threat Detection In-Depth™

GIAC Certified Intrusion Analyst Certification (GCIA) Practitioner Certification

SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring™

GIAC Continuous Monitoring Certification (GMON) Practitioner Certification

SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise™

GIAC Defensible Security Architect Certification (GDSA) Practitioner Certification

SEC549: Cloud Security Architecture™

GIAC Cloud Security Architecture and Design (GCAD) Practitioner Certification

9: Cyber Defense Incident Responder/Law Enforcement Counterintelligence Forensics Analyst

While preventing breaches is the ultimate goal, one unwavering truth in information security is that a sufficiently determined attacker will eventually succeed. When a breach is identified, incident responders are called into action to locate the attackers, minimize damage, and remove them from the environment. This role requires quick thinking, solid technical and documentation skills, and the ability to adapt to evolving attacker methodologies.

Why is this role important?

Incident responders work as part of a team with diverse specializations and must effectively communicate their findings to audiences ranging from technical experts to executive leadership. Their work is crucial for limiting the impact of breaches and safeguarding organizational assets.

“Incidents are bound to occur and it is important that we have people with the right skill set to manage and mitigate the loss to the organization from these incidents.” - Anita Ali

Recommended SANS courses:

FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™

GIAC Certified Forensic Analyst (GCFA) Practitioner Certification

FOR509: Enterprise Cloud Forensics and Incident Response™

GIAC Cloud Forensics Responder (GCFR) Practitioner Certification

FOR518: Mac and iOS Forensic Analysis and Incident Response™

GIAC iOS and macOS Examiner (GIME) Practitioner Certification

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response™

GIAC Network Forensic Analyst (GNFA) Practitioner Certification

FOR578: Cyber Threat Intelligence™

GIAC Cyber Threat Intelligence (GCTI) Practitioner Certification

FOR608: Enterprise-Class Incident Response & Threat Hunting™

GIAC Enterprise Incident Response (GEIR) Practitioner Certification

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques™

GIAC Reverse Engineering Malware Certification (GREM) Practitioner Certification

FOR710: Reverse-Engineering Malware: Advanced Code Analysis™

SEC402: Cybersecurity Writing: Hack the Reader™

SEC504™: Hacker Tools, Techniques, and Incident Handling™

GIAC Certified Incident Handler Certification (GCIH) Practitioner Certification

ICS515: ICS Visibility, Detection, and Response™

GIAC Response and Industrial Defense (GRID) Practitioner Certification

10: Cybersecurity Analyst/Engineer (Systems Security Analyst)

As one of the highest-paid roles in the cybersecurity field, this position requires advanced skills and expertise. Cybersecurity Analysts/Engineers must excel in threat detection, analysis, and protection. This role plays a vital part in safeguarding an organization’s data and maintaining its integrity. 

Why is this role important?

This is a proactive role, responsible for creating and implementing contingency plans in the event of a successful attack. With cyber attackers constantly using new tools and strategies, cybersecurity analysts and engineers must stay informed about emerging threats and techniques to mount a strong defense.

“It doesn’t become much more versatile than in this role, as oftentimes you’ll be challenged with whatever tasks or projects customers or managers envision, ranging from simple analysis support to introducing new solutions and implementing whole services such as a SOC.” - Harun Kuessner

Recommended SANS courses:

SEC401: Security Essentials – Network, Endpoint, and Cloud™

GIAC Security Essentials (GSEC) Practitioner Certification

SEC450: Blue Team Fundamentals: Security Operations and Analysis™

GIAC Security Operations Certified (GSOC) Practitioner Certification

SEC501: Advanced Security Essentials – Enterprise Defender™

GIAC Certified Enterprise Defender (GCED) Practitioner Certification

SEC503™: Network Monitoring and Threat Detection In-Depth™

GIAC Certified Intrusion Analyst Certification (GCIA) Practitioner Certification

SEC504™: Hacker Tools, Techniques, and Incident Handling™

GIAC Certified Incident Handler Certification (GCIH) Practitioner Certification

SEC510: Cloud Security Controls and Mitigations™

GIAC Public Cloud Security (GPCS) Practitioner Certification

SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise™

GIAC Defensible Security Architect Certification (GDSA) Practitioner Certification

SEC540: Cloud Security and DevSecOps Automation™

GIAC Cloud Security Automation (GCSA) Practitioner Certification

SEC549: Cloud Security Architecture™

GIAC Cloud Security Architecture and Design (GCAD) Practitioner Certification

SEC555: SIEM with Tactical Analytics™

GIAC Certified Detection Analyst (GCDA) Practitioner Certification

FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™

GIAC Certified Forensic Analyst (GCFA) Practitioner Certification

FOR509: Enterprise Cloud Forensics and Incident Response™

GIAC Cloud Forensics Responder (GCFR) Practitioner Certification

LDR551: Building and Leading Security Operations Centers™

GIAC Security Operations Manager Certification (GSOM) Practitioner Certification

ICS410: ICS/SCADA Security Essentials™

Global Industrial Cyber Security Professional Certification (GICSP) Practitioner Certification

ICS456: Essentials for NERC Critical Infrastructure Protection™

GIAC Critical Infrastructure Protection Certification (GCIP) Practitioner Certification

11: OSINT Investigator / Analyst

These resourceful professionals gather requirements from their customers and use open-source intelligence (OSINT), primarily from internet resources, to collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets. Their mission is to gather, analyze, and report objective findings, providing valuable insights to inform decision-making.

Why is this role important?

The internet hosts a massive amount of accessible data, but many people lack the knowledge or skills to discover and harvest this information. OSINT investigators excel at uncovering and obtaining data from sources worldwide, supporting cybersecurity, intelligence, military, and business efforts. They are the “finders of things” and “knowers of secrets.”

“Being an OSINT investigator allows me to extract information in unique and clever ways and I am never bored. One day I’m working on a fraud investigation and the next I’m trying to locate a missing person. This job always tests my capabilities, stretches my critical thinking skills, and lets me feel like I’m making a difference.” - Rebecca Ford

Recommended SANS courses:

SEC497: Practical Open-Source Intelligence (OSINT)™

GIAC Open Source Intelligence Certification (GOSI) Practitioner Certification

SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis™

FOR578: Cyber Threat Intelligence™

GIAC Cyber Threat Intelligence (GCTI) Practitioner Certification

12: Technical Director (Information Systems Security Manager)

The Technical Director defines technological strategies in collaboration with development teams, assesses risk, establishes standards and procedures to measure progress, and participates in creating and strengthening the cybersecurity team. 

Why is this role important?

With an ever-growing array of technologies requiring specialized management, a global shortage of cybersecurity talent, an unprecedented shift to cloud environments, and increasingly complex legal and regulatory compliance requirements, the Technical Director plays a key role in ensuring the organization’s operational success.

“A technical director must have strong cybersecurity knowledge, a strategic view of the organization’s infrastructure and what’s to come, and communication skills. These things are hard to get, and I would imagine this job to be very challenging, no matter the organization size or business.” - Francisco Lugo

Recommended SANS courses:

LDR512: Security Leadership Essentials for Managers™

GIAC Security Leadership (GSLC) Practitioner Certification

LDR514: Security Strategic Planning, Policy, and Leadership™

GIAC Strategic Planning, Policy, and Leadership (GSTRT) Practitioner Certification

LDR516: Building and Leading Vulnerability Management Programs™

LDR551: Building and Leading Security Operations Centers™

GIAC Security Operations Manager Certification (GSOM) Practitioner Certification

SEC566: Implementing and Auditing CIS Controls™

GIAC Critical Controls Certification (GCCC) Practitioner Certification

ICS418: ICS Security Essentials for Leaders™

13: Cloud Security Analyst

The Cloud Security Analyst oversees cloud security and day-to-day operations. This role contributes to designing, integrating, and testing tools for security management, recommending configuration improvements, assessing the organization’s overall cloud security posture, and providing technical expertise to guide organizational decisions.

Why is this role important?

As organizations continue to transition from traditional on-premise solutions to the cloud, the demand for cloud security experts far exceeds the supply. This role ensures that an organization can position itself thoughtfully and securely in a multicloud environment necessary for today’s business world.

“This role is essential to find and patch vulnerabilities in the cloud environment to ensure that crackers and hackers are unauthorized in cloud environments.” - Ben Yee

Recommended SANS courses:

SEC488: Cloud Security Essentials™

GIAC Cloud Security Essentials Certification (GCLD) Practitioner Certification

SEC510: Cloud Security Controls and Mitigations™

GIAC Public Cloud Security (GPCS) Practitioner Certification

SEC541: Cloud Security Threat Detection™

GIAC Cloud Threat Detection (GCTD) Practitioner Certification

SEC401: Security Essentials – Network, Endpoint, and Cloud™

GIAC Security Essentials (GSEC) Practitioner Certification

SEC588: Cloud Penetration Testing™

GIAC Cloud Penetration Tester (GCPN) Practitioner Certification

FOR509: Enterprise Cloud Forensics and Incident Response™

GIAC Cloud Forensics Responder (GCFR) Practitioner Certification

14: Intrusion Detection / SOC Analyst (Cyber Defense Analyst)

Security Operations Center (SOC) Analysts collaborate with security engineers and SOC managers to implement prevention, detection, monitoring, and active response measures. They work closely with incident response teams to address security issues quickly and effectively. With an eye for detail and a focus on anomalies, SOC analysts excel at seeing things that others miss. 

Why is this role important?

SOC analysts play an important role in enhancing an organization’s ability to quickly identify and mitigate threats before they cause significant damage. They also ensure compliance with regulatory requirements for security monitoring, vulnerability management, and incident response.

“The intrusion analyst is the guard at the gate and can get great job satisfaction from detecting and stopping network intrusions.” - Chuck Ballard

Recommended SANS courses:

SEC450: Blue Team Fundamentals: Security Operations and Analysis™

GIAC Security Operations Certified (GSOC) Practitioner Certification

SEC503™: Network Monitoring and Threat Detection In-Depth™

GIAC Certified Intrusion Analyst Certification (GCIA) Practitioner Certification

SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring™

GIAC Continuous Monitoring Certification (GMON) Practitioner Certification

SEC555: SIEM with Tactical Analytics™

GIAC Certified Detection Analyst (GCDA) Practitioner Certification

FOR508™: Advanced Incident Response, Threat Hunting, and Digital Forensics™

GIAC Certified Forensic Analyst (GCFA) Practitioner Certification

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response™

GIAC Network Forensic Analyst (GNFA) Practitioner Certification

SEC504™: Hacker Tools, Techniques, and Incident Handling™

GIAC Certified Incident Handler Certification (GCIH) Practitioner Certification

15: Security Awareness Officer (Security Awareness & Communications Manager)

Security Awareness Officers work alongside their security team to identify their organization’s top human risks and the behaviors that manage them. They develop and manage continuous programs to train and communicate with the workforce to promote secure behaviors. In highly mature programs, this role not only impacts workforce behavior but also creates a strong security culture across the organization. 

Why is this role important?

Human error has become one of the top drivers of incidents and breaches today; however, many organizations still focus solely on technical solutions. This role is pivotal in bridging the gap by addressing the human side of cybersecurity and is arguably one of the fastest-growing and most impactful fields in cybersecurity today.

“This role allows me to use my previous experience to influence proper security behaviors, effectively improving our company’s defenses. And the rapidly evolving nature of threats means my job is never boring.” - Sue DeRosier

Recommended SANS courses:

LDR433: Managing Human Risk™

The SANS Security Awareness Professional (SSAP) Credential

LDR521: Security Culture for Leaders™

LDR512: Security Leadership Essentials for Managers™

GIAC Security Leadership (GSLC) Practitioner Certification

16: Vulnerability Researcher & Exploit Developer (Vulnerability Assessment Analyst)

In this role, you will work to find zero-day vulnerabilities (previously unknown weaknesses) in a wide range of applications and devices used by organizations and consumers. A Vulnerability Researcher and Exploit Developer’s mission is to find vulnerabilities before adversaries do.

Why is this role important?

Vulnerability researchers play an essential role in securing the technology we rely on every day. Internet of Things (IoT) devices, commercial applications, network devices, and even medical devices like insulin pumps and pacemakers are all targets for exploitation. Without the expertise to research and find these types of vulnerabilities before the adversaries, the potential consequences can be devastating.

“I think researchers will play a crucial role in years to come. They will be able to identify and help us prepare for the vulnerability before it is exploited by the hacker so instead of responding to incidents we will then be able to proactively prepare ourselves for the future issues.” - Anita Ali

Recommended SANS courses:

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking™

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) Practitioner Certification

SEC670: Red Teaming Tools – Developing Windows Implants, Shellcode, Command and Control™

SEC760: Advanced Exploit Development for Penetration Testers™

17: Application Pen Tester (Secure Software Assessor)

Application Penetration Testers probe the security integrity of an organization’s applications and defenses by evaluating the attack surface of web-based services, client-side applications, server-side processes, and more. By mimicking the tactics of a malicious attacker, they work to bypass security barriers and identify vulnerabilities that could lead to unauthorized access, sensitive data exposure, or exploitation through techniques like pivoting and lateral movement.

Why is this role important?

Web applications are essential for conducting both internal operations and external business activities. However, their reliance on open-source plugins and third-party components often introduces security risks. Application Pen Testers help organizations identify and remediate these vulnerabilities, ensuring the integrity and security of business systems.

“It is not only about using existing tools and methods, you must be creative and understand the logic of the application and make guesses about the infrastructure.” - Dan-Mihai Negrea

Recommended SANS courses:

SEC542: Web App Penetration Testing and Ethical Hacking™

GIAC Web Application Penetration Tester (GWAPT) Practitioner Certification

SEC560: Enterprise Penetration Testing™

GIAC Penetration Tester Certification (GPEN) Practitioner Certification

SEC575: iOS and Android Application Security Analysis and Penetration Testing™

GIAC Mobile Device Security Analyst (GMOB) Practitioner Certification

SEC588: Cloud Penetration Testing™

GIAC Cloud Penetration Tester (GCPN) Practitioner Certification

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking™

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) Practitioner Certification

SEC760: Advanced Exploit Development for Penetration Testers™

18: ICS/OT Security Assessment Consultant (ICS/SCADA Security Engineer)

This role combines offensive security operations with expertise in critical process control environments essential to modern life. Industrial Control Systems/Operational Technology (ICS/OT) Security Consultants discover vulnerabilities in industrial control systems and work with asset owners and operators to mitigate risks, ensuring essential systems are protected against adversarial exploitation. 

Why is this role important?

Security incidents affecting OT, particularly in ICS systems, are classified as high-impact, low-frequency (HILF) events. While these incidents are rare, the consequences can be severe, with significant costs to the business. ICS/OT Security Consultants help organizations prevent such events, protecting vital infrastructure and minimizing risk.

“Working in this type of industry, I can see how the demand is increasing so rapidly that companies are starting to desperately look for people with proper skillsets.” - Ali Alhajhouj

Recommended SANS courses:

SEC560: Enterprise Penetration Testing™

GIAC Penetration Tester Certification (GPEN) Practitioner Certification

ICS410: ICS/SCADA Security Essentials™

Global Industrial Cyber Security Professional Certification (GICSP) Practitioner Certification

ICS456: Essentials for NERC Critical Infrastructure Protection™

GIAC Critical Infrastructure Protection Certification (GCIP) Practitioner Certification

ICS515: ICS Visibility, Detection, and Response™

GIAC Response and Industrial Defense (GRID) Practitioner Certification

ICS612: ICS Cybersecurity In-Depth™

19: DevSecOps Engineer

A DevSecOps engineer develops automated security capabilities and integrates them into the DevOps pipeline using cutting-edge tools and processes. This role encompasses leadership in key areas such as vulnerability management, monitoring and logging, security operations, security testing, and application security, ensuring security is embedded throughout the software development lifecycle. 

Why is this role important?

DevSecOps addresses the bottleneck caused by traditional security models in modern continuous delivery pipelines. By bridging the gap between IT and security, DevSecOps Engineers enable the rapid, secure delivery of applications and business functionality.

“From my point of view it is a highly demanded position by companies which need to offer flexible, agile and secure solutions to their clients’ developers.” - Antonio Esmoris

Recommended SANS courses:

SEC488: Cloud Security Essentials™

GIAC Cloud Security Essentials Certification (GCLD) Practitioner Certification

SEC510: Cloud Security Controls and Mitigations™

GIAC Public Cloud Security (GPCS) Practitioner Certification

SEC522: Application Security: Securing Web Applications, APIs, and Microservices™

GIAC Certified Web Application Defender (GWEB) Practitioner Certification

SEC540: Cloud Security and DevSecOps Automation™

GIAC Cloud Security Automation (GCSA) Practitioner Certification

20: Media Exploitation Analyst (Cyber Crime Investigator)

Media Exploitation Analysts use digital forensic skills to analyze a wide range of media involved in investigations. If you’re passionate about investigating computer crimes and recovering file systems that have been hacked, damaged, or used in crime, this role could be your ideal career path. In this position, you will assist in the forensic examinations of computers and media from various sources to develop forensically sound evidence.

Why is this role important?

A Media Exploitation Analyst is often the first responder or the first to handle evidence involved in a criminal act. Common cases involve terrorism, counterintelligence, law enforcement, and insider threats. This role encompasses the entire process, from acquiring evidence to generating the final report, making it an integral part of the investigative team.

“This is like solving a puzzle or investigating a crime. There is an exciting element to the unknown and the technical complexity of countermeasures. The sensitivity of content and potential to get real evidence on something is exciting.” - Chris Brown

Recommended SANS courses:

FOR498: Digital Acquisition and Rapid Triage™

GIAC Battlefield Forensics and Acquisition (GBFA) Practitioner Certification

FOR500: Windows Forensic Analysis™

GIAC Certified Forensic Examiner (GCFE) Practitioner Certification

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics™

GIAC Certified Forensic Analyst (GCFA) Practitioner Certification

FOR518: Mac and iOS Forensic Analysis and Incident Response™

GIAC iOS and macOS Examiner (GIME) Practitioner Certification

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response™

GIAC Network Forensic Analyst (GNFA) Practitioner Certification

FOR585: Smartphone Forensic Analysis In-Depth™

GIAC Advanced Smartphone Forensics Certification (GASF) Practitioner Certification


Invest in Your Future

Cybersecurity is booming, and investing in your skills now can unlock incredible career opportunities. With demand for cybersecurity professionals outpacing supply, this field continues to offer strong career opportunities despite shifting economic trends. The right training and certifications can set you apart and help you stand out in a competitive market.

Whether you’re just starting out, advancing your career, or staying ahead of new threats, SANS courses deliver immediate value.

Are you new to cybersecurity, looking for a career change, or just want to enhance your skillset?

Get Started in 3 Easy Steps!

  1. Join the SANS Community – Gain access to our New2Cyber resources, cutting-edge cybersecurity news, training, and free tools that can't be found elsewhere. Check out what we have available.
  2. Explore the Skills Roadmap – Plan your ideal career path with SANS.
  3. Contact Us – We’re here to help support you in your cybersecurity journey.

Your future in cybersecurity starts here.