
Ask HN: Pay and Specializations in Security? - ohaideredevs
I am reading a post on security here (linked below) and it identifies three specializations (also below).

My questions are: Are these really three distinct specializations? Which is considered the most fun / prestigious / well paying / has the best career prospects?

1. "offensive security" (scanner jockey -> netpen -> appsec -> vuln research / red team)

2. defensive security (secops -> seceng -> security management)

3. malware analysis (malware analysis -> malware analysis -> still more malware analysis).

https://news.ycombinator.com/item?id=18487547
======
k4ch0w
They are all great career prospects. There aren't enough heads in the field to
meet the demand. I don't agree with the specializations you have listed.
People move around all the time. I'm currently Red Team and got here by doing
appsec, netpen and vuln research.

As for the most prestigious, there is no such thing. Red Team and Blue Team
operations are both vital to any organization. The Red Team verifies attacks
are caught, and Blue Team catches incidents to minimize damage asap.
Prestigious probably depends on the company and which one they respect more.

As for most fun, I really enjoy breaking things and being malicious. It's why
I do well in the field. I'd say you have to discover what you enjoy for
yourself. You don't want to get pigeonholed into just doing code reviews your
whole life or reading through log files. In order to get through this level
you have to show you can do more than be a checklist jockey.

Pay is pretty much the same for all of these at the larger organizations.

------
throwawayISQ
"Which is considered the most fun / prestigious / well paying / has the best
career prospects?"

Whatever you consider most fun is the most fun.

Are these really three distinct specializations?

No, I've never heard of them being categorized into three specialisations
before, and the progression tree you have listed certainly isn't true.

If you are interested in getting into security, just research and experiment
with what interests you.

* If you like appsec, why not learn some programming languages and attempt some bug bounties.

* If you like netsec why not set up some labs and simulate some pentests, or sign up to HackTheBox which offers pentest environments.

* and so on.

You will succeed in security by doing it because you love it, not because you
are told it has good prospects.

------
ideophobia
This is probably the most narrow and poorly organized list of security
specializations I've ever seen. If you literally just google "cyber security
specializations" you will see a lot more options and insights available. Fun,
prestige, pay, and progression are obviously four very different things, and
honestly they are pretty subjective except for maybe pay, but that could be
wildly different depending upon the area/region/country. So asking for so many
facets of a career with such a poorly developed list of career options is not
going to net you very useful answers. Instead, focus on researching and
understanding the whole of security better rather than trying to find the most
fun high paying prestigious job in the lot.

------
a_lifters_life
I'd say #2 is part of #1. #2 is especially tough to get right.

