Ask HN: Pay and Specializations in Security?
I am reading a post on security here (linked below) and it identifies three specializations (also below).
My questions are: Are these really three distinct specializations? Which is considered the most fun / prestigious / well paying / has the best career prospects?
1. "offensive security" (scanner jockey -> netpen -> appsec -> vuln research / red team)
2. defensive security (secops -> seceng -> security management)
3. malware analysis (malware analysis -> malware analysis -> still more malware analysis).
https://news.ycombinator.com/item?id=18487547
4 comments
[ 3.0 ms ] story [ 19.9 ms ] threadWhatever you consider must fun, is the most fun.
Are these really three distinct specializations?
No, I've never heard of them being categorized into three specialisations before, and the progression tree you have listed certainly isn't true.
If you are interested in getting into security, just research and experiment with what interests you.
* If you like appsec, why not learn some programming languages and attempt some bug bounties.
* If you like netsec why not setup some labs and simulate some pentests, or sign up to HackTheBox which offeres pentest environments.
* and so on.
You will succeed in security by doing it because you love it, not because you are told it has good prospects.
As for the most prestigious, there is no such thing. Red Team and Blue Team operations are both vital to any organization. The Red Team verifies attacks are caught, and Blue Team catches incidents to minimize damage asap. Prestigious probably depends on the company and which one they respect more.
As for most fun, I really enjoy breaking things and being malicious. It's why I do well in the field. I'd say you have to discover what you enjoy for yourself. You don't want to get pigeonholed into just doing code reviews your whole life or reading through log files. In order to get through this level you have to show you can do more than be a checklist jockey.
Pay is pretty much the same for all of these at the larger organizations.