Cybersecurity is one of the few fields in which the talent shortage has grown rather than diminished as the industry matures. The 2023 ISC2 Cybersecurity Workforce Study estimated a global cybersecurity workforce gap of 4 million positions — the gap between the number of practitioners needed and the number currently employed. This structural shortage, combined with the stakes of the work (data breaches now cost organisations an average of $4.45 million per incident according to IBM's 2023 Cost of a Data Breach Report), makes cybersecurity one of the most reliably employable technical careers of the decade.
Yet the field is also frequently misrepresented. The popular image of a cybersecurity professional as a lone hacker typing furiously in a dark room is as accurate as the image of a surgeon as someone who never does paperwork. The day-to-day reality — particularly for SOC (Security Operations Centre) analysts, who represent the largest segment of the cybersecurity workforce — involves systematic monitoring, pattern recognition, alert triage, documentation, and communication. It is methodical, demanding, and important work that relies on rigour and process as much as technical intuition.
This guide covers what cybersecurity analysts actually do across different specialisations, the certification landscape from CompTIA to CISSP, salary ranges at different career stages, and the career ladder from entry-level helpdesk work through to CISO (Chief Information Security Officer). If you are considering entering the field or are trying to understand what your security team actually does, this is the honest picture.
"Security is not a product, but a process." — Bruce Schneier, security technologist and author of "Beyond Fear"
Key Definitions
SIEM (Security Information and Event Management): A platform that aggregates log data from across an organisation's infrastructure — servers, endpoints, network devices, applications — and applies rules and analytics to identify suspicious patterns. SOC analysts spend most of their monitoring time in SIEM dashboards.
SOC (Security Operations Centre): A dedicated function within an organisation (or provided as a service by an MSSP) that monitors, detects, and responds to security events. SOC analysts are tiered by seniority and investigative depth, from Tier 1 triage through to Tier 3 threat hunting.
Threat hunting: Proactive search through systems for indicators of compromise that have not triggered automated alerts. Distinguished from reactive incident response — threat hunters are looking for attackers who are already present but have not yet been detected.
Vulnerability management: The ongoing process of identifying, classifying, prioritising, and remediating security weaknesses in an organisation's systems. Typically involves regular scanning tools (Nessus, Qualys), CVE tracking, and coordinating remediation with system owners.
Incident response (IR): The structured process for detecting, containing, eradicating, and recovering from a security incident. Mature organisations have detailed IR playbooks for common incident types.
What a Cybersecurity Analyst Does: The Real Day-to-Day
The day-to-day experience differs significantly between SOC analyst roles (the most common entry and mid-level path) and non-SOC specialisations like vulnerability management, penetration testing, or security engineering. This section focuses on the SOC environment, since it is where most analysts begin.
Tier 1: Alert Triage
The entry-level SOC analyst role is primarily alert triage. A mature SOC receives thousands of security alerts per day — automated notifications from the SIEM, endpoint detection tools (EDR), network intrusion detection, email security gateways, and cloud security monitoring. The overwhelming majority of these alerts are false positives or low-severity events that require no action. The Tier 1 analyst's job is to work through this queue systematically, applying documented playbooks to determine which alerts merit escalation and which can be closed.
This is demanding work that requires sustained attention and the discipline to follow process rigorously even when alerts feel repetitive. The stakes of getting it wrong in either direction are real: missing a genuine attack buried in noise, or escalating everything and creating an unsustainable burden for the Tier 2 team.
A typical Tier 1 shift involves reviewing the alert queue at the start of shift, working through each alert using the relevant playbook, documenting decisions and rationale in the ticket system, escalating confirmed or suspected incidents to Tier 2, and handing off open items at the end of shift with clear status documentation.
Tier 2: Incident Investigation
Tier 2 analysts handle alerts escalated from Tier 1, conducting deeper technical investigation. This means examining endpoint telemetry to understand what a suspicious process actually did, reviewing network logs to trace attacker movement, correlating indicators of compromise (IOCs) across multiple data sources, and determining the scope and severity of a confirmed incident.
Tier 2 work requires stronger technical skills — understanding of attacker tactics, techniques, and procedures (TTPs) documented in frameworks like MITRE ATT&CK, ability to read logs across diverse system types, and comfort with scripting to automate repetitive investigation steps.
When an incident is confirmed, the Tier 2 analyst initiates the incident response process: containing affected systems (isolating them from the network), preserving evidence, notifying relevant stakeholders, and beginning eradication and recovery steps according to the IR plan.
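As an added illustration of the Tier 1 and Tier 2 workflow described above (example code, not from this guide): a playbook-driven triage pass that records a decision and rationale for every alert, followed by a cross-source correlation that sizes the incident by host. The alerts, the threat-intel indicator list, the allowlist and the severity threshold are all constructed for the example.

```python
# Added example (not from the guide): playbook-driven Tier 1 triage feeding a
# Tier 2 IOC correlation that establishes incident scope across hosts.
from collections import defaultdict

# Constructed alerts, normalised the way a SIEM would present them.
# Indicator IPs are TEST-NET addresses, not real IOCs.
ALERTS = [
    {"id": 1, "source": "edr", "host": "ws-014", "sev": 7, "ioc": "203.0.113.9", "rule": "outbound to rare IP"},
    {"id": 2, "source": "email", "host": "ws-014", "sev": 3, "ioc": "invoice.zip", "rule": "attachment quarantined"},
    {"id": 3, "source": "ids", "host": "ws-014", "sev": 5, "ioc": "203.0.113.9", "rule": "C2 beacon pattern"},
    {"id": 4, "source": "edr", "host": "srv-db1", "sev": 2, "ioc": "backup.exe", "rule": "scheduled task created"},
    {"id": 5, "source": "ids", "host": "ws-022", "sev": 5, "ioc": "203.0.113.9", "rule": "C2 beacon pattern"},
    {"id": 6, "source": "cloud", "host": "ws-030", "sev": 6, "ioc": "198.51.100.7", "rule": "login from new country"},
]
KNOWN_BAD = {"203.0.113.9"}                          # constructed threat-intel feed
ALLOWLIST = {("scheduled task created", "srv-db1")}  # documented benign, earlier ticket
ESCALATE_AT = 6                                      # constructed playbook severity threshold

def triage(alert):
    """Tier 1 playbook: return (decision, rationale) so the ticket records why."""
    if (alert["rule"], alert["host"]) in ALLOWLIST:
        return "close", "matches documented benign activity"
    if alert["ioc"] in KNOWN_BAD:
        return "escalate", "indicator matches threat intel"
    if alert["sev"] >= ESCALATE_AT:
        return "escalate", f"severity {alert['sev']} >= {ESCALATE_AT}"
    return "close", "below threshold, no intel match"

def triage_queue(alerts):
    """Work the whole queue; every alert gets a decision and a rationale."""
    return {a["id"]: triage(a) for a in alerts}

def correlate(alerts, decisions):
    """Tier 2: group escalated alerts by host, across sources, to size the incident."""
    by_host = defaultdict(lambda: {"sources": set(), "iocs": set()})
    for a in alerts:
        if decisions[a["id"]][0] == "escalate":
            by_host[a["host"]]["sources"].add(a["source"])
            by_host[a["host"]]["iocs"].add(a["ioc"])
    return dict(by_host)

def scope(alerts):
    """Hosts sharing a known-bad indicator: the scope a Tier 2 analyst reports."""
    hosts = defaultdict(set)
    for host, entry in correlate(alerts, triage_queue(alerts)).items():
        for ioc in entry["iocs"] & KNOWN_BAD:
            hosts[ioc].add(host)
    return {ioc: sorted(h) for ioc, h in hosts.items()}
```

Running `scope(ALERTS)` shows the C2 indicator seen on two hosts, which is the point at which a single EDR alert becomes a multi-host incident rather than an isolated event.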
Tier 3: Threat Hunting and Advanced Analysis
Tier 3 analysts and threat hunters operate proactively rather than reactively. Rather than waiting for alerts to arrive, they form hypotheses about attacker behaviour — based on threat intelligence, knowledge of the organisation's environment, and awareness of current attack campaigns — and hunt for evidence of those behaviours in the data.
This requires deep technical knowledge and creativity. Threat hunters design custom detection logic, analyse large datasets for subtle patterns, and often discover compromises that automated systems missed because the attacker was sufficiently sophisticated to avoid triggering standard rules.
Other Specialisations
Vulnerability management analysts run regular scans of the organisation's asset inventory, triage discovered vulnerabilities by severity and exploitability, and work with system owners to track remediation. This role is less reactive than SOC work and involves significant project management alongside the technical work.
Security engineers build and maintain the security tools and infrastructure the SOC uses — configuring SIEMs, building detection rules, deploying EDR agents, managing firewalls and WAFs, and integrating security tools into the broader IT environment.
GRC (Governance, Risk, and Compliance) analysts focus on ensuring the organisation meets regulatory requirements (SOC 2, ISO 27001, HIPAA, PCI DSS), managing security policies, and conducting risk assessments. This is the least technical of the major cybersecurity specialisations but is critical to large organisations.
Certifications: The Cybersecurity Credential Landscape
Certifications play a larger role in cybersecurity hiring than in most technical fields, partly because many employers (particularly government contractors) have specific certification requirements, and partly because the field lacks the degree consensus that guides hiring in other disciplines.
CompTIA Security+: The most widely recognised entry-level certification. Covers network security fundamentals, cryptography, threat intelligence basics, identity management, and risk management. Requires no experience to attempt, though most candidates study for 2-3 months. Required by US Department of Defense Directive 8570 for many roles. Exam cost: approximately $392.
CompTIA CySA+ (Cybersecurity Analyst+): Intermediate certification specifically focused on SOC analyst skills — threat detection, data analysis, and incident response. Suitable after 3-4 years of experience or Security+.
CEH (Certified Ethical Hacker): Covers offensive techniques and penetration testing fundamentals. Valued for roles involving red team or penetration testing work, though often criticised by practitioners for being less rigorous than OSCP.
OSCP (Offensive Security Certified Professional): Highly respected hands-on penetration testing certification from Offensive Security. Requires completing a 24-hour practical exam. Considered the gold standard for penetration testing roles.
GCIH (GIAC Certified Incident Handler): SANS-affiliated certification specifically for incident handling and response. Well-regarded for Tier 2 and Tier 3 SOC work.
CISSP (Certified Information Systems Security Professional): The senior credential in the field, issued by ISC2. Covers eight domains spanning the full scope of information security. Requires five years of professional experience to certify (two years with certain exemptions). Exam is broad and challenging. Widely required for senior analyst, security manager, and CISO roles. Cost: approximately $749 for the exam.
Salary Ranges
The following figures reflect US market data from CyberSeek, BLS, and SANS salary surveys (2023-24).
| Role / Level | Annual Salary (USD) |
|---|---|
| IT Helpdesk / Entry | $38,000 - $52,000 |
| Tier 1 SOC Analyst | $52,000 - $72,000 |
| Tier 2 SOC Analyst | $72,000 - $95,000 |
| Security Engineer (mid) | $90,000 - $130,000 |
| Senior SOC Analyst / Threat Hunter | $100,000 - $140,000 |
| Security Architect | $130,000 - $175,000 |
| CISSP-holding Senior roles | $130,000 - $170,000 |
| Security Manager / Director | $150,000 - $220,000 |
| CISO (large enterprise) | $200,000 - $400,000+ |
Government roles (federal civilian and contractors) often pay somewhat less in base salary but offer exceptional stability, retirement benefits, and in some cases security clearance premiums.
United Kingdom: Tier 1-2 SOC analysts earn GBP 28,000-50,000. Senior analysts and security engineers earn GBP 60,000-90,000. CISOs at large organisations earn GBP 120,000-200,000.
Australia: Mid-level security analysts earn AUD 90,000-130,000. Senior roles AUD 130,000-170,000.
Career Ladder: From Helpdesk to CISO
IT Helpdesk / Desktop Support (0-2 years): Many security professionals enter through general IT support, where they develop foundational skills in operating systems, networking, and troubleshooting. CompTIA A+ and Network+ certifications support this entry point.
Tier 1 SOC Analyst (1-3 years): Entry-level security role. Focus on alert triage and playbook execution. CompTIA Security+ and some experience with SIEM platforms (Splunk, Microsoft Sentinel, IBM QRadar) are typical requirements.
Tier 2 SOC Analyst / Security Analyst (3-5 years): Deeper investigation capability. Beginning specialisation in incident response or a specific technical domain. CySA+, GCIH, or early work toward CISSP at this stage.
Senior Analyst / Security Engineer / Threat Hunter (5-8 years): Independent technical leadership on investigations or projects. Often a transition point into specialisation — penetration testing, cloud security, AppSec, threat intelligence, or security engineering.
Security Manager / Security Architect (8-12 years): Managing a team or programme, or designing security architecture at enterprise scale. CISSP typically required. Strong communication and stakeholder management skills become as important as technical depth.
CISO (12+ years): Executive leadership of the entire information security function. Responsible to the board and C-suite, managing risk at organisational level. Requires deep experience, business acumen, communication skills, and typically a track record of managing security through significant incidents.
Specialisations Within Cybersecurity
Penetration testing / Red team: Simulating attacks against the organisation's own systems to identify weaknesses before real attackers do. Requires deep offensive security knowledge (OSCP is the key credential).
Digital forensics: Collecting and preserving digital evidence for legal proceedings or internal investigations. Works closely with legal and HR teams and requires specific tools (Autopsy, FTK, Cellebrite).
Cloud security: Specialising in securing cloud environments (AWS, Azure, GCP). AWS Security Specialty and related cloud-native certifications are valued.
Application security (AppSec): Working with development teams to identify and remediate security vulnerabilities in software during the development process. Requires software development background and understanding of OWASP Top 10.
Threat intelligence: Analysing threat actor behaviour, tracking campaigns, and providing actionable intelligence to improve detection and response. Requires broad awareness of the threat landscape and strong analytical and writing skills.
Practical Takeaways
The cybersecurity field has genuine career continuity: the foundational skills of network understanding, log analysis, and systematic investigation do not become obsolete the way specific software frameworks do. The threat landscape evolves but the analytical discipline required to navigate it transfers across a long career.
The fastest path into the field for someone without a technical background is typically IT helpdesk → CompTIA A+/Network+/Security+ → Tier 1 SOC role → CySA+ or GCIH → Tier 2 analyst. This progression takes 2-4 years and can be accomplished without a four-year degree. Home labs — setting up virtual environments to practice log analysis, run attack simulations, and experiment with security tools — are valuable portfolio evidence for early-career candidates.
References
- ISC2. "2023 Cybersecurity Workforce Study." ISC2, 2023.
- IBM Security / Ponemon Institute. "Cost of a Data Breach Report 2023." IBM, 2023.
- CyberSeek. "Cybersecurity Supply/Demand Heat Map." CyberSeek.org, accessed 2024.
- SANS Institute. "SANS 2023 Cybersecurity Salary Survey." SANS, 2023.
- Bureau of Labor Statistics. "Occupational Outlook Handbook: Information Security Analysts." BLS.gov, 2023-24 edition.
- MITRE Corporation. "MITRE ATT&CK Framework." attack.mitre.org, 2024.
- CompTIA. "Security+ Certification Exam Objectives." CompTIA, SY0-701 edition, 2023.
- ISC2. "CISSP Candidate Information Bulletin." ISC2, 2024.
- Schneier, B. "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." Copernicus Books, 2003.
- ACSC (Australian Cyber Security Centre). "Cyber Security Industry Report." ACSC, 2023.
- Palo Alto Networks. "The State of Cloud-Native Security Report." Palo Alto Networks, 2023.
- NIST. "Cybersecurity Framework 2.0." National Institute of Standards and Technology, 2024.
Frequently Asked Questions
What does a cybersecurity analyst do every day?
A SOC (Security Operations Centre) analyst monitors alerts from SIEM systems, investigates suspicious activity, responds to incidents, and writes reports. Tier 1 analysts triage large volumes of alerts; Tier 2 and 3 analysts handle deeper forensic investigation and threat hunting. Non-SOC analysts may work on vulnerability management, compliance, or security architecture.
What certifications do cybersecurity analysts need?
CompTIA Security+ is the most common entry-level certification and is often required by government contractors. Intermediate certifications include CompTIA CySA+, CEH (Certified Ethical Hacker), and GCIH. The CISSP (Certified Information Systems Security Professional) is the standard senior credential, requiring five years of experience to sit.
How much does a cybersecurity analyst earn?
Entry-level cybersecurity analysts in the US earn $55,000-$80,000. Mid-level analysts earn $80,000-$120,000. Senior analysts and security engineers earn $120,000-$160,000. Security architects and CISOs can earn $200,000-$350,000+. Demand consistently outpaces supply, keeping salaries strong across the field.
Do you need a degree to work in cybersecurity?
A degree is helpful but not always required. Many practitioners enter through IT helpdesk roles, then obtain certifications such as CompTIA A+, Network+, and Security+ to move into security. Some employers, particularly government agencies and defence contractors, do require degrees for certain clearance-bearing roles.
What are the main specialisations within cybersecurity?
Major specialisations include: SOC analysis (monitoring and incident response), penetration testing (ethical hacking), digital forensics, cloud security, application security (AppSec), threat intelligence, compliance and governance (GRC), and security architecture. Each has its own certification paths and skill requirements.