Cybersecurity is one of the few fields in which the talent shortage has grown rather than diminished as the industry matures. The 2023 ISC2 Cybersecurity Workforce Study estimated a global cybersecurity workforce gap of 4 million positions — the gap between the number of practitioners needed and the number currently employed. This structural shortage, combined with the stakes of the work (data breaches now cost organisations an average of $4.45 million per incident according to IBM's 2023 Cost of a Data Breach Report), makes cybersecurity one of the most reliably employable technical careers of the decade.

Yet the field is also frequently misrepresented. The popular image of a cybersecurity professional as a lone hacker typing furiously in a dark room is as accurate as the image of a surgeon as someone who never does paperwork. The day-to-day reality — particularly for SOC (Security Operations Centre) analysts, who represent the largest segment of the cybersecurity workforce — involves systematic monitoring, pattern recognition, alert triage, documentation, and communication. It is methodical, demanding, and important work that relies on rigour and process as much as technical intuition.

The Bureau of Labor Statistics projects employment of information security analysts to grow by 32% between 2022 and 2032 — roughly four times the average growth rate for all occupations. That growth is being driven by the continuing expansion of digital infrastructure, the proliferation of ransomware and nation-state threat actors, and increasing regulatory requirements that mandate security programs across industries. For people entering the field, the structural tailwinds are exceptional.

This guide covers what cybersecurity analysts actually do across different specialisations, the certification landscape from CompTIA to CISSP, salary ranges at different career stages, and the career ladder from entry-level helpdesk work through to CISO (Chief Information Security Officer). If you are considering entering the field or are trying to understand what your security team actually does, this is the honest picture.

"Security is not a product, but a process." — Bruce Schneier, security technologist and author of "Beyond Fear"


Key Definitions

SIEM (Security Information and Event Management): A platform that aggregates log data from across an organisation's infrastructure — servers, endpoints, network devices, applications — and applies rules and analytics to identify suspicious patterns. SOC analysts spend most of their monitoring time in SIEM dashboards. Leading platforms include Splunk, Microsoft Sentinel, IBM QRadar, and Elastic SIEM.

SOC (Security Operations Centre): A dedicated function within an organisation (or provided as a service by an MSSP) that monitors, detects, and responds to security events. SOC analysts are tiered by seniority and investigative depth, from Tier 1 triage through to Tier 3 threat hunting.

Threat hunting: Proactive search through systems for indicators of compromise that have not triggered automated alerts. Distinguished from reactive incident response — threat hunters are looking for attackers who are already present but have not yet been detected.

Vulnerability management: The ongoing process of identifying, classifying, prioritising, and remediating security weaknesses in an organisation's systems. Typically involves regular scanning tools (Nessus, Qualys), CVE tracking, and coordinating remediation with system owners.

Incident response (IR): The structured process for detecting, containing, eradicating, and recovering from a security incident. Mature organisations have detailed IR playbooks for common incident types.

IOC (Indicator of Compromise): Artifacts — IP addresses, domain names, file hashes, registry keys, network signatures — that indicate a system may have been compromised. SOC analysts search for IOCs to identify affected systems and scope incidents.

EDR (Endpoint Detection and Response): Security software deployed on endpoints (laptops, servers, workstations) that provides real-time monitoring, threat detection, and response capabilities. Leading EDR platforms include CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne.

MITRE ATT&CK: A globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Used by SOC analysts to map attacker behaviour to known patterns, prioritise detections, and structure threat hunts.


What a Cybersecurity Analyst Does: The Real Day-to-Day

The day-to-day experience differs significantly between SOC analyst roles (the most common entry and mid-level path) and non-SOC specialisations like vulnerability management, penetration testing, or security engineering. This section focuses on the SOC environment, since it is where most analysts begin.

Tier 1: Alert Triage

The entry-level SOC analyst role is primarily alert triage. A mature SOC receives thousands of security alerts per day — automated notifications from the SIEM, endpoint detection tools (EDR), network intrusion detection, email security gateways, and cloud security monitoring. According to the Ponemon Institute's 2023 State of SOC research, the average enterprise SOC receives over 11,000 security alerts per day and is only able to fully investigate 56% of them. The overwhelming majority of these alerts are false positives or low-severity events that require no action.

The Tier 1 analyst's job is to work through this queue systematically, applying documented playbooks to determine which alerts merit escalation and which can be closed. This is demanding work that requires sustained attention and the discipline to follow process rigorously even when alerts feel repetitive. The stakes of getting it wrong in either direction are real: missing a genuine attack buried in noise, or escalating everything and creating an unsustainable burden for the Tier 2 team.

A typical Tier 1 shift involves reviewing the alert queue at the start of shift, working through each alert using the relevant playbook, documenting decisions and rationale in the ticket system, escalating confirmed or suspected incidents to Tier 2, and handing off open items at the end of shift with clear status documentation.

False positive management is a critical but underappreciated skill at Tier 1. Analysts who can identify patterns in false positives — recognizing that alerts from a specific internal tool are consistently benign due to a configuration quirk — add significant value by refining detection rules to reduce noise, improving the signal-to-noise ratio for the entire SOC.
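The tuning workflow described above, as an added example that is not part of the original article: a Tier 1 triage pass runs one detection rule ("a shell launched by an unexpected parent process") over constructed EDR process-creation events, then applies a single scoped, owned, expiring exception for a known-benign backup agent. The event schema, hostnames, the rule and the exception are all assumptions for illustration and do not correspond to any specific SIEM or EDR product.

```python
# Added example (not from the original article): Tier 1 triage over constructed
# EDR process-creation events, with one documented tuning exception that
# suppresses a known-benign pattern without hiding the same behaviour elsewhere.
# Field names, hosts and the rule are assumptions for illustration.
from collections import Counter
from dataclasses import dataclass
from datetime import date

SHELLS = {"cmd.exe", "powershell.exe"}
# Parents from which a shell launch is routine and therefore not alerted on.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}

TODAY = date(2024, 6, 1)          # constructed "now" for the run below
AFTER_EXPIRY = date(2025, 1, 1)   # a date past the exception's expiry

# Constructed events (not real telemetry).
EVENTS = [
    {"id": 1, "host": "fin-ws-01", "user": "alice",      "parent": "WINWORD.EXE",     "process": "cmd.exe"},
    {"id": 2, "host": "srv-bk-01", "user": "svc_backup", "parent": "backupagent.exe", "process": "cmd.exe"},
    {"id": 3, "host": "srv-bk-02", "user": "svc_backup", "parent": "backupagent.exe", "process": "cmd.exe"},
    {"id": 4, "host": "srv-bk-03", "user": "svc_backup", "parent": "backupagent.exe", "process": "cmd.exe"},
    {"id": 5, "host": "eng-ws-07", "user": "bob",        "parent": "explorer.exe",    "process": "powershell.exe"},
    {"id": 6, "host": "fin-ws-02", "user": "svc_backup", "parent": "backupagent.exe", "process": "cmd.exe"},
    {"id": 7, "host": "hr-ws-04",  "user": "carol",      "parent": "OUTLOOK.EXE",     "process": "powershell.exe"},
]


@dataclass(frozen=True)
class TuningException:
    """A scoped, owned, expiring suppression. Every field is required so the
    reason for the exception survives staff turnover and gets re-reviewed."""
    id: str
    parent: str
    user: str
    host_prefix: str
    reason: str
    owner: str
    expires: date


# Deliberately narrow: that agent, that service account, those backup hosts.
# The same agent spawning a shell on a finance workstation (event 6) still escalates.
BACKUP_AGENT_EXCEPTION = TuningException(
    id="TUNE-0001",
    parent="backupagent.exe",
    user="svc_backup",
    host_prefix="srv-bk-",
    reason="Backup agent runs its pre-job script via cmd.exe on schedule; confirmed with platform team",
    owner="soc-detection-eng",
    expires=date(2024, 12, 31),
)


def shell_from_unexpected_parent(event):
    """Detection rule: a shell launched by a parent not on the expected list."""
    return (event["process"].lower() in SHELLS
            and event["parent"].lower() not in EXPECTED_SHELL_PARENTS)


def matching_exception(event, exceptions, today):
    """Return the id of the first live exception covering this event, else None."""
    for exc in exceptions:
        if today > exc.expires:
            continue  # expired exceptions are ignored, which forces a review
        if (event["parent"].lower() == exc.parent.lower()
                and event["user"] == exc.user
                and event["host"].startswith(exc.host_prefix)):
            return exc.id
    return None


def triage(events, exceptions, today):
    """Run the rule, apply exceptions, and report what reaches the analyst."""
    escalate, suppressed, raw_alerts = [], Counter(), 0
    for ev in events:
        if not shell_from_unexpected_parent(ev):
            continue
        raw_alerts += 1
        exc_id = matching_exception(ev, exceptions, today)
        if exc_id:
            suppressed[exc_id] += 1  # still counted, so the tuning can be audited
        else:
            escalate.append(ev)
    return {"raw_alerts": raw_alerts, "escalate": escalate, "suppressed": suppressed}


if __name__ == "__main__":
    before = triage(EVENTS, [], TODAY)
    after = triage(EVENTS, [BACKUP_AGENT_EXCEPTION], TODAY)
    print(f"raw alerts: {before['raw_alerts']}, escalated after tuning: {len(after['escalate'])}")
    print("suppressed per exception:", dict(after["suppressed"]))
```

Two design points matter more than the rule itself: suppressed alerts are counted rather than discarded, so the SOC can see how much each exception is absorbing, and the exception expires, so a benign pattern that has changed in the meantime does not stay invisible forever.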

Tier 2: Incident Investigation

Tier 2 analysts handle alerts escalated from Tier 1, conducting deeper technical investigation. This means examining endpoint telemetry to understand what a suspicious process actually did, reviewing network logs to trace attacker movement, correlating indicators of compromise (IOCs) across multiple data sources, and determining the scope and severity of a confirmed incident.

Tier 2 work requires stronger technical skills — understanding of attacker tactics, techniques, and procedures (TTPs) documented in frameworks like MITRE ATT&CK, ability to read logs across diverse system types, and comfort with scripting (Python, PowerShell, Bash) to automate repetitive investigation steps.

When an incident is confirmed, the Tier 2 analyst initiates the incident response process: containing affected systems (isolating them from the network), preserving evidence, notifying relevant stakeholders, and beginning eradication and recovery steps according to the IR plan.

The NIST Incident Response lifecycle — Preparation, Detection and Analysis, Containment and Eradication, Post-Incident Activity — is the standard framework that governs how mature organisations structure their response process. Tier 2 analysts execute steps two through four; Tier 1 primarily handles detection and initial analysis.

Tier 3: Threat Hunting and Advanced Analysis

Tier 3 analysts and threat hunters operate proactively rather than reactively. Rather than waiting for alerts to arrive, they form hypotheses about attacker behaviour — based on threat intelligence, knowledge of the organisation's environment, and awareness of current attack campaigns — and hunt for evidence of those behaviours in the data.

This requires deep technical knowledge and creativity. Threat hunters design custom detection logic, analyse large datasets for subtle patterns, and often discover compromises that automated systems missed because the attacker was sufficiently sophisticated to avoid triggering standard rules.

"The job of threat hunting is to find the attacker who has already gotten past your defenses. By the time your automated tools alert on them, they have usually been inside for weeks or months. The hunter's job is to find them on day two, not day sixty." — David Bianco, security researcher and creator of the Pyramid of Pain framework, in a talk at SANS DFIR Summit

The Pyramid of Pain, developed by Bianco (2014), remains a foundational threat hunting concept: a hierarchy of IOC types from the easiest for attackers to change (hash values, IP addresses) to the hardest (attacker tactics, techniques, and procedures). Effective threat hunters focus on detecting TTPs rather than atomic indicators, because TTPs require fundamental changes to attacker methodology to evade.
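The Pyramid of Pain's argument, shown in code as an added example that is not part of the original article or Bianco's work: two detectors run over constructed endpoint events. One matches atomic indicators (a file hash and an IP address) recovered from a first intrusion; the other matches the behaviour (an executable staged in a user-writable directory that opens an outbound connection on a non-web port). When the adversary recompiles the tool and moves to new infrastructure, only the behavioural detector still fires. Events, hashes and the behavioural rule are assumptions for illustration; the IP addresses are from RFC 5737 documentation ranges.

```python
# Added example (not from the original article): the Pyramid of Pain in code.
# Atomic-indicator matching versus behavioural (TTP) matching over constructed
# endpoint events. Hashes, paths and the rule are illustrative assumptions;
# IPs are RFC 5737 documentation addresses.

EVENTS = [
    # Wave 1: dropper run from the user's temp directory, beacons out on 8443.
    {"id": "e1", "host": "ws-11",
     "process_path": r"C:\Users\dana\AppData\Local\Temp\update.exe",
     "sha256": "aa" * 32, "dest_ip": "203.0.113.10", "dest_port": 8443},
    # Wave 2: same tradecraft, recompiled binary (new hash) and a new server.
    {"id": "e2", "host": "ws-23",
     "process_path": r"C:\Users\eli\Downloads\invoice_viewer.exe",
     "sha256": "bb" * 32, "dest_ip": "198.51.100.7", "dest_port": 8443},
    # Benign: an installed browser talking HTTPS to an ordinary web server.
    {"id": "e3", "host": "ws-11",
     "process_path": r"C:\Program Files\Browser\browser.exe",
     "sha256": "cc" * 32, "dest_ip": "192.0.2.80", "dest_port": 443},
]

# Indicators extracted after investigating wave 1 (bottom of the pyramid).
WAVE1_IOCS = {"sha256": {"aa" * 32}, "ip": {"203.0.113.10"}}

# Lower-cased path fragments that mark user-writable staging locations (assumed list).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
WEB_PORTS = {80, 443}


def detect_atomic(events, iocs):
    """Hash/IP matching: cheap to run, trivial for the adversary to evade."""
    return {ev["id"] for ev in events
            if ev["sha256"] in iocs["sha256"] or ev["dest_ip"] in iocs["ip"]}


def detect_ttp(events):
    """Behavioural rule: an executable run from a user-writable location that
    opens an outbound connection on a non-web port. Evading it means changing
    how the tool is staged and how it communicates, not just what it looks like."""
    hits = set()
    for ev in events:
        path = ev["process_path"].lower()
        staged_in_user_dir = any(marker in path for marker in USER_WRITABLE_MARKERS)
        if staged_in_user_dir and ev["dest_port"] not in WEB_PORTS:
            hits.add(ev["id"])
    return hits


def coverage_report(events, iocs):
    """Which events each detector catches, for a side-by-side comparison."""
    return {"atomic": sorted(detect_atomic(events, iocs)),
            "ttp": sorted(detect_ttp(events))}


if __name__ == "__main__":
    print(coverage_report(EVENTS, WAVE1_IOCS))
```

Both detectors have a place: the atomic one confirms scope quickly when an incident is already known, while the behavioural one is what a hunter writes so the second wave is caught without waiting for new indicators to be shared. The behavioural rule will also need tuning against legitimate software that updates itself from a user profile directory, which is exactly the false-positive work described in the Tier 1 section.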


Other Specialisations

Vulnerability management analysts run regular scans of the organisation's asset inventory, triage discovered vulnerabilities by severity and exploitability, and work with system owners to track remediation. The Common Vulnerability Scoring System (CVSS) provides a standardised framework for scoring vulnerability severity, but experienced vulnerability management analysts know that CVSS scores are context-independent — a vulnerability rated 9.8 (Critical) in isolation may be low-priority in an environment where the affected system is not internet-facing and has no privileged access.
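The context-dependence argument above, as an added example that is not part of the original article: a small prioritisation function starts from each finding's CVSS base score and adjusts it by the affected asset's exposure and privilege and by whether an exploit is known, then ranks the findings. The weights, assets, findings and the placeholder CVE identifiers are all constructed for illustration; CVSS v3.1 has its own environmental metric group for the same purpose, and this scheme is a simplification, not that standard.

```python
# Added example (not from the original article): context-aware prioritisation
# of scan findings. CVSS base scores are taken as given; the adjustment weights
# are a deliberately simple illustration of the article's point, not the
# official CVSS environmental metrics. All findings and assets are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    id: str
    internet_facing: bool
    privileged_access: bool  # e.g. holds admin credentials or secrets


@dataclass(frozen=True)
class Finding:
    id: str
    cve: str             # placeholder identifiers, not real CVE numbers
    cvss_base: float
    asset_id: str
    exploit_known: bool  # public exploit available or exploitation reported


ASSETS = {
    "dmz-web-01": Asset("dmz-web-01", internet_facing=True, privileged_access=False),
    "lab-db-09":  Asset("lab-db-09",  internet_facing=False, privileged_access=False),
    "vpn-gw-02":  Asset("vpn-gw-02",  internet_facing=True, privileged_access=True),
}

FINDINGS = [
    Finding("F1", "CVE-XXXX-0001", 9.8, "lab-db-09",  exploit_known=False),  # "Critical" on an isolated lab box
    Finding("F2", "CVE-XXXX-0002", 7.5, "dmz-web-01", exploit_known=True),   # "High" on an exposed web host
    Finding("F3", "CVE-XXXX-0003", 5.3, "vpn-gw-02",  exploit_known=False),
    Finding("F4", "CVE-XXXX-0004", 9.1, "vpn-gw-02",  exploit_known=True),
]


def priority_score(finding, asset):
    """Start from the CVSS base and move it by asset context (assumed weights)."""
    score = finding.cvss_base
    score += 1.5 if asset.internet_facing else -2.0
    score += 1.0 if asset.privileged_access else -1.0
    if finding.exploit_known:
        score += 1.5
    return round(max(0.0, min(10.0, score)), 1)


def bucket(score):
    """Map a priority score to the remediation SLA bucket (assumed thresholds)."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def prioritise(findings, assets):
    """Return (finding id, priority score, bucket), most urgent first."""
    ranked = []
    for f in findings:
        s = priority_score(f, assets[f.asset_id])
        ranked.append((f.id, s, bucket(s)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for fid, score, b in prioritise(FINDINGS, ASSETS):
        print(f"{fid}: {score:>4}  {b}")
```

With these weights the 9.8 on the isolated lab host drops to a P3 while the 7.5 on the internet-facing host with a known exploit rises to a P1, which is the reordering the paragraph describes. The asset inventory is the input that makes this possible; a vulnerability management programme without reliable asset context is limited to sorting by base score.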

Security engineers build and maintain the security tools and infrastructure the SOC uses — configuring SIEMs, building detection rules, deploying EDR agents, managing firewalls and WAFs, and integrating security tools into the broader IT environment. This role requires stronger software and infrastructure engineering skills than analyst roles, and typically commands higher compensation at equivalent experience levels.

GRC (Governance, Risk, and Compliance) analysts focus on ensuring the organisation meets regulatory requirements (SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR), managing security policies, and conducting risk assessments. This is the least technical of the major cybersecurity specialisations but is critical to large organisations and growing rapidly as regulatory requirements multiply. The EU's NIS2 Directive (effective 2024) and the SEC's cybersecurity disclosure rules (2023) have significantly expanded compliance requirements for large organisations, driving demand for GRC professionals.

Penetration testing / Red team: Simulating attacks against the organisation's own systems to identify weaknesses before real attackers do. Requires deep offensive security knowledge. OSCP is the key credential; competitive teams also look for participants in CTF (Capture The Flag) competitions.

Digital forensics: Collecting and preserving digital evidence for legal proceedings or internal investigations. Works closely with legal and HR teams and requires specific tools (Autopsy, FTK, Cellebrite). Digital forensics and incident response (DFIR) is an increasingly common combined specialisation.

Cloud security: Specialising in securing cloud environments (AWS, Azure, GCP). The shift to cloud infrastructure has created enormous demand for security professionals who understand cloud-native architectures. AWS Security Specialty, Azure Security Engineer, and GCP Professional Cloud Security Engineer certifications are valued. The Cloud Security Alliance (CSA) reported in 2023 that cloud security was the fastest-growing specialisation in the field.

Application security (AppSec): Working with development teams to identify and remediate security vulnerabilities in software during the development process. The DevSecOps movement — integrating security practices into CI/CD pipelines — has expanded the AppSec role from occasional auditing to continuous partnership with engineering teams. Knowledge of OWASP Top 10, SAST/DAST tools, and software development is required.

Threat intelligence: Analysing threat actor behaviour, tracking campaigns, and providing actionable intelligence to improve detection and response. Requires broad awareness of the threat landscape and strong analytical and writing skills.


Certifications: The Cybersecurity Credential Landscape

Certifications play a larger role in cybersecurity hiring than in most technical fields, partly because many employers (particularly government contractors) have specific certification requirements, and partly because the field lacks the degree consensus that guides hiring in other disciplines.

Certification          | Issuer             | Level      | Primary Value                        | Approximate Cost
CompTIA Security+      | CompTIA            | Entry      | Broad baseline; DoD 8570 compliance  | $392
CompTIA CySA+          | CompTIA            | Mid        | SOC analyst skills focus             | $369
CompTIA CASP+          | CompTIA            | Senior     | Enterprise security architecture     | $494
CEH                    | EC-Council         | Mid        | Offensive techniques overview        | $1,199
OSCP                   | Offensive Security | Mid-Senior | Practical penetration testing        | $1,499
GCIH                   | SANS / GIAC        | Mid        | Incident handling                    | $949
GCIA                   | SANS / GIAC        | Mid        | Intrusion analysis                   | $949
CISSP                  | ISC2               | Senior     | Broad senior credential              | $749
CISM                   | ISACA              | Senior     | Security management                  | $760
AWS Security Specialty | Amazon             | Specialty  | Cloud security (AWS)                 | $300

CompTIA Security+: The most widely recognised entry-level certification. Covers network security fundamentals, cryptography, threat intelligence basics, identity management, and risk management. Requires no experience to attempt, though most candidates study for 2-3 months. Required by US Department of Defense Directive 8570 for many roles.

CompTIA CySA+: Intermediate certification specifically focused on SOC analyst skills — threat detection, data analysis, and incident response. Suitable after 3-4 years of experience or Security+. More role-specific than Security+ and increasingly valued for Tier 2 analyst positions.

CEH (Certified Ethical Hacker): Covers offensive techniques and penetration testing fundamentals. Valued for roles involving red team or penetration testing work, though often criticised by practitioners for being less rigorous than OSCP. The OSCP's practical exam format — requiring candidates to actually compromise systems rather than answer multiple-choice questions — gives it more credibility in the technical community.

OSCP (Offensive Security Certified Professional): Highly respected hands-on penetration testing certification from Offensive Security. Requires completing a 24-hour practical exam during which candidates must compromise a defined set of target machines. Considered the gold standard for penetration testing roles.

GCIH (GIAC Certified Incident Handler): SANS-affiliated certification specifically for incident handling and response. Well-regarded for Tier 2 and Tier 3 SOC work. SANS courses are expensive but widely considered the highest quality technical security training available.

CISSP (Certified Information Systems Security Professional): The senior credential in the field, issued by ISC2. Covers eight domains spanning the full scope of information security management. Requires five years of professional experience to certify (two years with certain exemptions). Widely required for senior analyst, security manager, and CISO roles. ISC2 reports that CISSP holders earn a median salary of $125,000 in the United States, approximately 30% above non-certified peers at equivalent experience levels.


Salary Ranges

The following figures reflect US market data from CyberSeek, BLS, and SANS salary surveys (2023-24).

Role / Level                        | Annual Salary (USD)
IT Helpdesk / Entry                 | $38,000 - $52,000
Tier 1 SOC Analyst                  | $52,000 - $72,000
Tier 2 SOC Analyst                  | $72,000 - $95,000
Security Engineer (mid)             | $90,000 - $130,000
Senior SOC Analyst / Threat Hunter  | $100,000 - $140,000
Penetration Tester (mid-senior)     | $95,000 - $145,000
Cloud Security Engineer (mid)       | $110,000 - $155,000
Security Architect                  | $130,000 - $175,000
CISSP-holding Senior roles          | $130,000 - $170,000
Security Manager / Director         | $150,000 - $220,000
CISO (large enterprise)             | $200,000 - $400,000+

Government roles (federal civilian and contractors) often pay somewhat less in base salary but offer exceptional stability, retirement benefits, and in some cases security clearance premiums. A TS/SCI clearance can add $20,000-$40,000 to base salary for cleared positions in the defense and intelligence sector.

United Kingdom: Tier 1-2 SOC analysts earn GBP 28,000-50,000. Senior analysts and security engineers earn GBP 60,000-90,000. CISOs at large organisations earn GBP 120,000-200,000.

Australia: Mid-level security analysts earn AUD 90,000-130,000. Senior roles AUD 130,000-170,000. The ACSC (Australian Cyber Security Centre) reported in 2023 that Australia faces a projected shortfall of 30,000 cybersecurity professionals by 2026, creating particularly strong hiring conditions.

Canada: Mid-level analysts earn CAD 75,000-105,000. Senior roles CAD 105,000-145,000.


Career Ladder: From Helpdesk to CISO

IT Helpdesk / Desktop Support (0-2 years): Many security professionals enter through general IT support, where they develop foundational skills in operating systems, networking, and troubleshooting. CompTIA A+ and Network+ certifications support this entry point. Not strictly required — direct entry to Tier 1 SOC is possible — but provides context that makes security decisions more meaningful.

Tier 1 SOC Analyst (1-3 years): Entry-level security role. Focus on alert triage and playbook execution. CompTIA Security+ and some experience with SIEM platforms (Splunk, Microsoft Sentinel, IBM QRadar) are typical requirements. Home lab practice — running a virtual network, generating logs, and simulating attacks in an isolated environment — significantly accelerates development at this stage.

Tier 2 SOC Analyst / Security Analyst (3-5 years): Deeper investigation capability. Beginning specialisation in incident response or a specific technical domain. CySA+, GCIH, or early work toward CISSP at this stage. Scripting ability (Python, PowerShell) becomes important for automating repetitive investigation tasks.

Senior Analyst / Security Engineer / Threat Hunter (5-8 years): Independent technical leadership on investigations or projects. Often a transition point into specialisation — penetration testing, cloud security, AppSec, threat intelligence, or security engineering. At this stage, a second specialisation credential (OSCP for red team, AWS Security Specialty for cloud, GCIA for network analysis) differentiates candidates significantly.

Security Manager / Security Architect (8-12 years): Managing a team or programme, or designing security architecture at enterprise scale. CISSP typically required. Strong communication and stakeholder management skills become as important as technical depth. At this point, the career divides into a technical track (architect, principal engineer) and a management track (security manager, director).

CISO (12+ years): Executive leadership of the entire information security function. Responsible to the board and C-suite, managing risk at organisational level. The modern CISO role is substantially a business and communications role: translating technical risk into business risk language, managing board relationships, overseeing compliance programmes, and building the case for security investment. Pure technical expertise without business acumen is insufficient at CISO level. Additional qualifications such as CISM (Certified Information Security Manager) or an MBA are common among senior CISOs.


Home Labs and Practical Skill Building

Cybersecurity is a field where hands-on practice is essential and largely self-directed. Unlike programming, where building projects demonstrates skill, security skill-building requires simulated environments where you can practice offensive and defensive techniques without legal risk.

Platforms for hands-on practice:

  • TryHackMe: Beginner-friendly, browser-based labs covering both blue team (defensive) and red team (offensive) skills. Subscription-based with free tier.
  • Hack The Box: More advanced platform requiring real exploitation skills. Highly respected in the penetration testing community.
  • DVWA (Damn Vulnerable Web Application): A deliberately vulnerable web application for practicing web security testing in a local environment.
  • Blue Team Labs Online: Focused specifically on defensive skills — log analysis, incident response, threat hunting.
  • PicoCTF: Free competition platform from Carnegie Mellon University, appropriate for beginners developing foundational skills.

Building a home lab — a virtual network running on a personal machine using VirtualBox or VMware — allows analysts to practice attack and defense scenarios, experiment with SIEM configurations, and understand how malware behaves in controlled environments. A basic lab with three virtual machines (attacker, target, SIEM) costs nothing beyond hardware and is one of the most effective ways to build practical skills.

Capture the Flag (CTF) competitions are team-based security challenges that simulate real attack scenarios. Participation in CTFs is widely recognized in hiring as evidence of genuine technical engagement — employers look for CTF participation on resumes as a signal of self-directed learning that goes beyond certification study.


The Regulatory Landscape Driving Demand

The demand for cybersecurity professionals is partly structural (more digital infrastructure to protect) and partly regulatory. Understanding the regulatory drivers helps analysts understand why certain types of work are prioritised.

NIST Cybersecurity Framework (CSF 2.0, 2024): The primary guidance framework for cybersecurity programs in the United States. Updated in 2024 to include a sixth function (Govern) alongside the original five (Identify, Protect, Detect, Respond, Recover). Many organizations use the CSF to structure their security programs and measure maturity.

US DoD Directive 8570/8140: Mandates specific certification requirements (including Security+) for personnel in information assurance roles at Department of Defense agencies and contractors. Creates substantial demand for certified analysts in the defense sector.

SEC Cybersecurity Disclosure Rules (2023): Require publicly traded companies to disclose material cybersecurity incidents within four business days and to provide annual disclosures about their cybersecurity risk management programs. Has driven significant demand for compliance-focused security roles at public companies.

GDPR and international privacy regulations: The European General Data Protection Regulation requires security measures commensurate with the risk of processing personal data. Non-compliance penalties of up to 4% of global annual turnover have made security program investment an economic necessity for companies operating in European markets.

HIPAA and healthcare security: The Health Insurance Portability and Accountability Act's Security Rule mandates specific cybersecurity controls for covered entities handling protected health information. Healthcare has historically been one of the most targeted sectors for breaches (ranking #1 in average breach cost at $10.93 million per IBM's 2023 report) and is a significant employment market for security analysts.


Practical Takeaways

The cybersecurity field has genuine career continuity: the foundational skills of network understanding, log analysis, and systematic investigation do not become obsolete the way specific software frameworks do. The threat landscape evolves but the analytical discipline required to navigate it transfers across a long career.

The fastest path into the field for someone without a technical background is typically IT helpdesk → CompTIA A+/Network+/Security+ → Tier 1 SOC role → CySA+ or GCIH → Tier 2 analyst. This progression takes 2-4 years and can be accomplished without a four-year degree. Home labs — setting up virtual environments to practice log analysis, run attack simulations, and experiment with security tools — are valuable portfolio evidence for early-career candidates.

The most important skill that certifications do not teach and that distinguishes strong analysts from average ones is the ability to think adversarially: to reason about how an attacker would approach a system, what they would want to accomplish, and what evidence they would leave behind. This thinking is built through practice — attack simulations, CTF competitions, red team exercises — and is ultimately what makes the difference at Tier 2 and above.


References

  1. ISC2. "2023 Cybersecurity Workforce Study." ISC2, 2023.
  2. IBM Security / Ponemon Institute. "Cost of a Data Breach Report 2023." IBM, 2023.
  3. CyberSeek. "Cybersecurity Supply/Demand Heat Map." CyberSeek.org, accessed 2024.
  4. SANS Institute. "SANS 2023 Cybersecurity Salary Survey." SANS, 2023.
  5. Bureau of Labor Statistics. "Occupational Outlook Handbook: Information Security Analysts." BLS.gov, 2023-24 edition.
  6. MITRE Corporation. "MITRE ATT&CK Framework." attack.mitre.org, 2024.
  7. CompTIA. "Security+ Certification Exam Objectives." CompTIA, SY0-701 edition, 2023.
  8. ISC2. "CISSP Candidate Information Bulletin." ISC2, 2024.
  9. Schneier, B. "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." Copernicus Books, 2003.
  10. ACSC (Australian Cyber Security Centre). "Cyber Security Industry Report." ACSC, 2023.
  11. Palo Alto Networks. "The State of Cloud-Native Security Report." Palo Alto Networks, 2023.
  12. NIST. "Cybersecurity Framework 2.0." National Institute of Standards and Technology, 2024.
  13. Bianco, D. "The Pyramid of Pain." Enterprise Detection and Response blog, 2014.
  14. Ponemon Institute. "The State of the SOC 2023." Ponemon Institute / Devo Technology, 2023.
  15. ISACA. "State of Cybersecurity 2024: Workforce, Budget and Resources." ISACA, 2024.
  16. Cloud Security Alliance. "Security Guidance for Critical Areas of Focus in Cloud Computing v4.0." CSA, 2023.
  17. PMI / NIST. "National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework." NIST SP 800-181r1, 2020.
  18. SEC. "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure." Securities and Exchange Commission Final Rule, July 2023.

Frequently Asked Questions

What does a cybersecurity analyst do every day?

A SOC (Security Operations Centre) analyst monitors alerts from SIEM systems, investigates suspicious activity, responds to incidents, and writes reports. Tier 1 analysts triage large volumes of alerts; Tier 2 and 3 analysts handle deeper forensic investigation and threat hunting. Non-SOC analysts may work on vulnerability management, compliance, or security architecture.

What certifications do cybersecurity analysts need?

CompTIA Security+ is the most common entry-level certification and is often required by government contractors. Intermediate certifications include CompTIA CySA+, CEH (Certified Ethical Hacker), and GCIH. The CISSP (Certified Information Systems Security Professional) is the standard senior credential, requiring five years of experience to sit.

How much does a cybersecurity analyst earn?

Entry-level cybersecurity analysts in the US earn $55,000-$80,000. Mid-level analysts earn $80,000-$120,000. Senior analysts and security engineers earn $120,000-$160,000. Security architects and CISOs can earn $200,000-$350,000+. Demand consistently outpaces supply, keeping salaries strong across the field.

Do you need a degree to work in cybersecurity?

A degree is helpful but not always required. Many practitioners enter through IT helpdesk roles, then obtain certifications such as CompTIA A+, Network+, and Security+ to move into security. Some employers, particularly government agencies and defence contractors, do require degrees for certain clearance-bearing roles.

What are the main specialisations within cybersecurity?

Major specialisations include: SOC analysis (monitoring and incident response), penetration testing (ethical hacking), digital forensics, cloud security, application security (AppSec), threat intelligence, compliance and governance (GRC), and security architecture. Each has its own certification paths and skill requirements.