I&#x27;ve spent much of the last 15 years hiring pentesters and not only have I never considered OSCP, I&#x27;ve never talked to a peer that did either. It may be a big thing with body shop netpen firms; don&#x27;t work for those.

you’re probably in a tech company. most security jobs (most software jobs period) are in non tech companies. insurance, healthcare, auto parts, you name it. in most of those roles, certs are very helpful if not mandatory to even get your foot in the door.

I&#x27;ve been in security for the better part of a decade. I have none of these certs (I have no security certs at all). The OSCP is the only certification in this list that I&#x27;ve ever even heard of being part of hiring discussions, and even then I&#x27;ve really only ever seen it required&#x2F;desired in penetration testing roles.In fact, this article is very narrowly focused on penetration testing-type roles. There are a whole host of other security roles that require all kinds of different skillsets which aren&#x27;t even mentioned here.If you do want a penetration testing role, I don&#x27;t see anything wrong with this roadmap other than the fact that it over-emphasizes the need for certs. Like all other types of roles, some hiring managers might be part of the &quot;certification chaser&quot; crowd and might require certs for candidates, but IME most don&#x27;t care and someone not having a cert has never stopped me from hiring them, and quite frankly if someone does have certs it doesn&#x27;t make me any more inclined to hire them.

Absolutely echo this. You need to really start with the basics, and focus on understanding (i.e. asking yourself) *how* and *why* everything works and happens.In order to find vulnerabilities, you need to understand how a system works, and how all the parts that lead up to it work. You&#x27;ll ultimately want to understand how $high_level_language ends up as bytecode that executes on the CPU, and if&#x2F;how you can modify&#x2F;manipulate that. And a bit about the underlying hardware and electronics never does any harm for some rowhammer type attacks.If you want to defend and secure a system, you need to understand it, and all its dependencies, and the assumptions it makes. You&#x27;ll want to understand the hardware, and how it&#x27;s secured etc.For networked systems, get a really good understanding of TCP, UDP and IP. Learn how firewalls work.The aim is to get to a point where you know the fundamentals and how things work to the point there&#x27;s no &quot;magic&quot; in how the computer works - you know enough to explain a PC from reset vector through to UEFI, bootloader, OS load, software load, network exchanges, etc. And similar for an IP network - you want to know everything about subnets, how VLANs work, how tagging works, how 802.1x works, how WiFi works, etc. And this is just the start!You&#x27;ll struggle to secure something you don&#x27;t understand - this is why $bigcompany can&#x27;t secure their basic IT network - those responsible didn&#x27;t understand the basic principles, or how the moving parts worked (either on their own or as part of the bigger system), and it ends up compromised by someone who does understand those principles.

As someone who’s gone deep down the rabbit hole of trying to learn this stuff, I’ll give this advice. Focus on learning computer science, computer architecture and networks as a foundation.Learning all this technology without understanding the fundamentals is a waste of time.Most certs are overrated. They don’t actually test your understanding that well. The people who care a lot about certs are people who you probably don’t want to work with. They’re just a way for the IT guys who run the cert programs to make extra cash. By all means, if your company is willing to pay for cert training get it but don’t waste too much time studying for them.

Agreed, and I have a variety of these (certifications).Most of the top tier people that I know in cyber security are not certified professionals, but rather people that have deep knowledge in their area of expertise with the ability to apply security knowledge to it.The list of certifications is bad because:- it only focuses on offensive security work, which is a small part of the actual field (there is the entire blue side as an example)- it focuses heavily on the software side of the house which is once again not the entire field (more than a few places have been popped due to infrastructure misconfigurations and issues)- it ignores many common enterprise environments that use things like Active Directory, Otka, EUA, SSO, etc. These are things that you will encounter and must know how to work with or secure if you are a generalist in the field (if you&#x27;re specialized you may never touch these things at all).In short, this is good if you want to be a consultant doing generic penetration testing but not much more than that. They may also serve as HR checkboxes for recruiters that do not understand the job requirements.

I agree with this.FWIW, IMO, the best form of proof is showing how hard you can pwn boxes :)

&gt; &quot;Cyber Security is one of the most expensive fields, You are required to do a number of exams and certification. Unlike Software Development, These certifications are very crucial, They are more or less like a &quot;Get out of jail free&quot; Card.&quot;This is terrible advice. You don&#x27;t need lots of BS certs to get into security.The only cert here worth doing is OSCP, and even that has lost respect&#x2F;value in recent years to rampant cheating and answer sharing.

Certifications are far less important than this article makes out - this roadmap seems to really just be a roadmap of certifications for some reason, rather than a true roadmap for a beginner. If you focus on certificates, you won&#x27;t gain the rounded knowledge you&#x27;ll need.You don&#x27;t need certifications at all to do well in the sector - people are still judged on their merits (and previous gigs), as there&#x27;s a broad recognition, by those who are any good at least, that certifications are very prescriptive and don&#x27;t signal quality. I have none, nobody has ever asked about them.The recent scandal around some large security companies sharing cheat-sheets and answers to certification exams [0] shows one reason people don&#x27;t trust certifications.Some &quot;customers&quot; will want certifications, generally those that have no clue about cyber security, and who therefore have no clue what they want. You might find it hard to break into those kinds of roles in the first instance without some kind of certification, however once you&#x27;ve got some experience and track record, you tend to find they go away.[0] <a href="https:&#x2F;&#x2F;www.theregister.com&#x2F;2020&#x2F;08&#x2F;14&#x2F;crest_investigates_ncc_group&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.theregister.com&#x2F;2020&#x2F;08&#x2F;14&#x2F;crest_investigates_nc...</a>

As someone who has done hiring for various cyber security roles I can tell you that I only look at degrees and certs when the role is more junior and I get more excited seeing someone with a personal tech blog than any degree&#x2F;cert. After junior roles I will usually simply have a conversation with the applicant and ask them what they have worked on in the field, the conversations tend to feel very natural when the person is legit with their knowledge level.

Haven&#x27;t commented in an extremely long time but I&#x27;m popping into voice my opinion here on two specific certs in that list: eJPT and eCPPTThose certs are for self study only, the applicable value for them in the hiring process is non existent. No one knows who they are or what they do. Used to be a huge advocate of those certs until I actually bought them, then I immediately regretted it. It&#x27;s been a few years now but I had an awful time with the latter; buggy, filled with errors, typos, non working software. Back then at least, you had to spend hours fiddling with with the settings just to get it to work at a base level. The eJPT itself is extremely basic, it&#x27;s just using like 5-10 basic techniques to retrieve a few flags worth of info. Really didn&#x27;t like how the modules were set up. The main resources are powerpoint slides to cover all the text info, then you may have a few minute video occasionally that explains 1 topic barely. The labs would come with lab guides that were all but useless. The authors are Italian so typos and grammatical errors are rampant.Curiously enough back when I bought them, they sold their courses individually and they were insanely expensive. Looking at them now, it seems they went away from that and now offer a one for all subscription of 2k&#x2F;year. The eCPPT alone cost me almost that back much when :&#x2F;Since then it seems the company has kind of given up. They used to be pretty active on social media trying to advertise themselves, now they barely ever post. It&#x27;s like they&#x27;ve given up and are just maintaining the content they have until the ship sinks.If you can get your company to pay for the subscription, go for it. If for nothing else, just the collection of powerpoints and curated information. Other than that, I&#x27;d stay away.

Certs are not vital, but OSCP is well known and highly regarded.I haven&#x27;t heard of any of the rest, beyond CEH (the &quot;joke&quot;), and OSCE (just next-level OSCP).A lot of people do get OSCP (for it&#x27;s perceived value) and CEH (as a box-ticking exercise), and the former is of definite benefit, but I wouldn&#x27;t call any of them necessities.The roadmap seems more of a completionists reference rather than anything else.All that said, they do seem to know what they&#x27;re talking about (particularly The CEH joke)

Disclaimer: my account is a biased one. With that said, I hope the following comment helps.Not working there but have a friend that does and looked around a bit myself.My experience:- 3 university courses from VUSec (e.g. how to do Rowhammer via JavaScript? How to analyze a binary? How to do a XSRF, XSS or SQLi? &lt;-- is stuff I learned there)- Hack The Box full-time for 2 months, most difficult machine I pwned was PlayerTwo (making a working heap exploit by poisoning the t-cache).My friend also did OSCP after that and he rated it between easy to medium level compared to Hack The Box. However, you did need to be faster at finding the easy to medium exploits compared to Hack The Box (since OSCP is time-based and Hack The Box isn&#x27;t). The levels of Hack The Box are: easy, medium, hard and insane. IMO, this is a false characterization, since the levels are more like:Easy: metasploit vulnerabilityMedium: some payload vulnerabilityHard: harder to find the vulnerabilities, but most vulnerabilties are of level &quot;medium&quot;, mixed in with some binary stuff that&#x27;s quite easy to do (if you know binary, because if you don&#x27;t, you&#x27;re gonna cry with how hard it is. I suspect most people don&#x27;t know how to do it, but VUSec prepped me well for that)Insane: medium web level vulnerabilities (same as hard), but the binary stuff becomes a lot harder, also mixed in with C vulnerabilities (e.g. heap exploit).That&#x27;s it for the education side, now for the work side.-----My insight is, there are two types of companies:- Tech companies (they don&#x27;t care about things like OSCP)- Traditional companies (they care a lot about things like OSCP)The job ads that I saw for tech companies, or tech-related companies (e.g. Airbus [1]) were quite deep. Most of them require deep C&#x2F;C++ skills with binary stuff and less on the web side.The job ads that I saw for traditional companies were more web-based, had no clue about binary&#x2F;low level stuff and terms like OSCP were mentioned quite often but not always.My friend now works at a traditional company. He noticed a few things that the article doesn&#x27;t touch (I skimmed it, I might be wrong).- The level that he needs is at most medium hack the box level (technically)- The level of social skills that he needs is quite high, because you&#x27;re always telling some IT team that they didn&#x27;t secure their shit properly- The level of political skills that he needs is quite high as well, because not only do you deal with the IT team, you also deal with all the managers relevant to itSo yea, that&#x27;s what I know. So the resources that this article gave were quite good for getting a job at a traditional company as a pentester, because it&#x27;s more or less what my friend did. However, if you want to work at Google or something, I think another path is required that probably starts at VUSec.FYI, VUSec is the systems security department at the Vrije Universiteit Amsterdam.Btw, I&#x27;m for hire as a junior pentester or junior reverse engineer.

I have hired numerous folks in building out a very successful security team. None had certificates, and I didn&#x27;t even ask. It is better to study deep technical topics rather than to study for certs, e.g., decompilation, how to do SSRF, how to audit AWS, how to get developers to build secure code.

The article focuses exclusively on the technical side. No, certifications are not required. Sure, they will get your resume higher on the list.Security is much more than simply breaking stuff. You need to understand the fundamentals, CIA triad, risk, misunderstandings that arise from the fundamentals, issues that generally arise with security due to the context etc. Debunk also some common myths around security. Fundamentals can land you in tables that technical skills won&#x27;t. It is one thing to land bugs and another to be able to sit in a meeting with a guy from engineering and reason with his team and reach an agreement. Generally, working with non-security folks is hard and knowing the fundamentals helps. This also requires soft skills. Know your limits and be honest about them. Also, it is good to listen to people and their concerns. Generally, soft skills are super important in security because in most cases your opening statement is going to be one of the following:
- I found some bugs that I want to discuss with you.
- You did X which violated that policy and it rang an alarm in SOC. 
- We have this issue and I came up with this plan to build this to address it. 
Being able to calm the other side is crucial or you risk derailing the conversation. Also, being able to write code helps a lot. As a matter of fact, I forced team-members to work for other teams for two months. Not only they brought skills back, my team now had an understanding of their work and potential pain points.Being able to understand the pain of the other side and also come up with solutions (incl. writing code) 
If I started again, I&#x27;d do the following:
1) Understand the fundamentals and the limitations
2) Build stuff. It helps relate with people.
3) Break stuff. It&#x27;s fun and useful to understand what went wrong.
4) Have a broad knowledge but focus on specific fields. Some people like defending, some people like attacking, some like building stuff.
5) As every job, it has its laundry list and boring tasks that people need to make. Yes, Excel spreadsheets are a thing in infosec.
6) Don&#x27;t focus too much on certifications.Worthy reads
[1] <a href="https:&#x2F;&#x2F;www.freecodecamp.org&#x2F;news&#x2F;so-you-want-to-work-in-security-bc6c10157d23&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.freecodecamp.org&#x2F;news&#x2F;so-you-want-to-work-in-sec...</a>[2] <a href="https:&#x2F;&#x2F;lcamtuf.blogspot.com&#x2F;2016&#x2F;08&#x2F;so-you-want-to-work-in-security-but-are.html" rel="nofollow">https:&#x2F;&#x2F;lcamtuf.blogspot.com&#x2F;2016&#x2F;08&#x2F;so-you-want-to-work-in-...</a>Edit: Saw this[3] comment. That comment reminded me of something. We&#x27;ve had, time and time, candidates with certificates that could do exploit stuff but couldn&#x27;t use SSH. One of my first hiring questions was &quot;How do you use SSH&quot; and &quot;How do you delete files from the terminal&quot;. I wasn&#x27;t sure whether this guy was making fun of me or my resume sucked. Apparently, the guy was fed up with people not knowing to use a system that he started asking such questions regardless if you had a Ph.D. in Computer Science.
[3] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;reply?id=25814333&amp;goto=item%3Fid%3D25812025%2325814333" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;reply?id=25814333&amp;goto=item%3Fi...</a>

Certs are not that important to people in the industry, but they are important to HR. 
As a beginner who wants to get into infosec, very very often a cert or two is the difference between the resume being thrown out or getting an interview.
As an experienced security professional with years of experience, a cert is literally never the reason you do or do not get an interview.I have mentored 4 people into security within the last 3 years, 3 from IT and one from general sales (of golf carts), and my advice is always the same to them all. 
1. Start the networking game immediately. If I was to guess, I would say 2&#x2F;4 or 3&#x2F;4 infosec hires are because the new hire knows someone on the infosec team before applying. Find your local infosec meet ups, (They still meet virtually, and soon in person again). Start going to local infosec conferences (look into bsides), and look for community hosted events. Infosec is full of nut jobs who think its a good time to spend hundreds of hours hosting a CTF for no freakin reason other than it is fun. Go to these, get to know the local infosec community.2. While doing #1, Start Getting a general understanding of all areas of IT. Know what helpdesk does, what windows admins do, what nix admins do, what developers do, what network admins do, and of course what security analyst&#x2F;engineers do. Develop the skills necessary so that you could confidently do the entry level job of the IT vertical.3. While Doing #1 and #2 Focus heavily on identifying what aspect of security you want. Like all IT verticals, once you get into it, there are a million specializations, identify if you want to go Offensive, or Defensive. If you are into Risk and Compliance, SOC analyst, Solutions Engineer, pretesting, red team, exploit development, the list goes on and on and on. For the most part, identifying Offensive or Defensive will be enough. There are probably 5 Defensive Infosec jobs for every 1 offensive job. And there is plenty of opportunity to switch to &#x27;the other team&#x27; during your career. And just because you are defensive doesnt mean you will NEVER do any offensive work, you will dabble in it weekly&#x2F;monthly, you just will be like 90% focused on defense. And for those reasons I usually recommend people trying to get into infosec to try and land a defensive infosec role for their first infosec job, even if they know they ultimately want to go offensive.4. Pick up at least one cert focused on either offensive or defensive infosec (depending on what you want). I specifically recommend OSCP for offensive, and I recommend Sec+ for defense. This is not to develop skills, but for those other 1&#x2F;4 or 2&#x2F;4 hires that are not placed by networking. The reality of our world is that Certs get you past the HR filter. These certs are specifically for landing you interviews, no amount of certs will help you perform well in an interview, and if you only do certs for training, you will 100% fail every single interview. Getting a cert almost always increases the number of interviews to places where you do not know someone.5. While doing #1 and #4, and after #2, #3, focus in on what you find interesting about infosec. Try to become an expert on that area. Not only should you learn about that area, you should learn about every technology that supports that area. If you think webapp security is interesting, learn every single piece of technology that is even peripheral to webapp (A lot of stuff). Security is a mindset, not a skill set. The knowledge a nix admin has and the security engineer have are similar, the difference is mindset and priority.Once you are working on #5, you should start applying full force. You 100% can apply while you still know absolutely nothing, but odds are against you, but still dont let an opportunity pass you up. The first infosec job is the hardest one to get.

Can anyone with experience in cyber security attest to the value of the recommendations given in the article? Are certificates really that important? Is the roadmap a good roadmap to follow if one wants to get into cyber security? Any other recommendations for a beginner?

The annoying truth is that offensive security roles, despite being the &quot;sexy&quot; face of security, are in much less demand compared to defensive security roles. There are some very prestigious pentesting or research shops that pay a lot for highly-skilled offensive security professionals, but they are rare. The average company treats offensive security as an entry-level position meant to attract newbies to security with the &quot;sexy hacker role&quot; before pushing them into more in-demand positions like application security. For context, many of the large companies I consult for have ~5 people max on their red teams, while having 100+ on the rest of their security teams (the &quot;blue&quot; teams). There just relatively aren&#x27;t that many offensive security positions available.If you really want to do security, then my advice is to either look at some dedicated security consulting shops that do penetration testing (and be prepared to take a pay cut), or alternatively use your software development experience to pivot into an application security role. From there, you might find it easier to get involved with some offensive security efforts through that.

Do you have a MS? If you were interested in government cybersecurity work, you could do something like SFS (<a href="https:&#x2F;&#x2F;www.sfs.opm.gov&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.sfs.opm.gov&#x2F;</a>) and get a MS with a pretty much guaranteed gov&#x27;t job at the end of it. It&#x27;s also a good program if you want to get working for FFRDC&#x27;s.edit: They also give a ~$25k-$35k stipend plus tuition, security certs, books, etc. It&#x27;s a pretty solid deal IMO.

This is good advice.Go to your local security meetups, network, meet people. Chances are most of the people you talk to are hiring or know people who are hiring.Get yourself a blog, write about your security research, write about your experiences with CTFs.Showing that you care about security enough to do it in your own time is worth more than any cert.

If you&#x27;re doing well at CTFs and HTB and similar, I guess you are now at the point where you should start to look at networking. Clearly given world circumstances right now, in-person networking events are not likely to be happening, but it&#x27;s likely that there&#x27;s a local community in your area with security people.They might still be doing virtual events, having some speakers etc. Get yourself known. I have been able to get junior people straight out of college&#x2F;university into roles by getting them into the &quot;networks&quot;. There&#x27;s a worldwide shortage of security people, caused partly by the inability of the people who need them to efficiently hire them (other causes include wanting top-level skills for bottom level pay, and blaming lack of people for their own lack of willingness to pay).The more you get known in your local security community, the better. After a while, perhaps they&#x27;ll be interested in a talk from you about something as well - it gets you seen and known, and it&#x27;s much easier to break into security when you&#x27;re known.

I&#x27;ve heard this a lot before and I&#x27;m sure its true in a lot of cases.But I&#x27;ve been in security over a decade, and have hired at smaller boutique pentest companies, and multi billion dollar companies. In all cases, the CVs&#x2F;resumes come straight to us, they never go via HR.

People saying certs aren&#x27;t worth it are only looking at half the picture. EVERYONE knows most certs suck, and the few that are good are drowned out by the volume of half ass shitty certs that are just money grabs.But certs are an unfortunate necessity in a world where fresh college graduates without a days worth of experience in IT or Security are pre-filtering resumes. Certs ARE worth it, to get past HR. I always tell everyone who wants to get into security that the first infosec job is the hardest to get, and for that, you need to play the HR game, and that means a couple certs. You need to sit down in front of the hiring manager for an interview to get the job, your hiring manager will know your cert means nothing, almost guaranteed he never even asks you about any of them.Your resume means everything to get in front of the manager, then your resume means jack shit to the manager. It is stupid, but is the world we live in.You can get hired into infosec without the certs though, and that&#x27;s know the hiring manager or know someone on the team you are applying for. Hiring managers can tell HR &quot;I want to interview Joe Somebody, he said he will apply this week&quot;, and in security, id say more than 50% of the hires are indeed that. So to do this, go to the local professional meetups that meet monthly, go out for beers with the people, go to the local conferences and make friends with many people already in the industry, maybe do a talk at the meetups or local conference. Then when a position opens up at a place where there is someone you know, you now can get an interview.But you really should be doing both at once. Most competent developers or IT people can pass Sec+ blindfolded, you most certainly do not have to take the class, at MOST skim the study guide book once, and your almost guaranteed to pass. It is a joke, everyone in the industry knows it, yet if you could dramatically increase your chances of getting an interview while you are taking the time to develop those relationships, what idiot wouldn&#x27;t?

I don&#x27;t have any certs (apart from malformed X509 files..) so I can&#x27;t speak of their effectiveness. What has worked for me is having a strong presence in open source. I just show people one of my projects like [1] and nobody asks about certs or education, ever. I spend most of my free time on these projects so cultivating a sizeable project might not be a suitable route for anyone who has a life outside of computers, though having some kind of publicly available utility where a prospective employer can check out your coding style and skills is probably a decent way to stand out amidst a sea of applicants.[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;guidovranken&#x2F;cryptofuzz" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;guidovranken&#x2F;cryptofuzz</a>

Alright so lots of people are saying certs aren’t worth it here. But as someone desperately trying to pivot from software development (5 year exp) to anything security related (which I find far more interesting), how are you supposed to do that without certs? I’ve done CTF events and performed well, I’ve done HTB for well over a year at this point, and the only time I’ve ever heard back from a company regarding an (offense) security position was basically just to see if I could be persuaded to do software development for their company instead. It’s extremely frustrating.

Good, but pentesting is just one arm of cybersecurity. I’m in the GRC space myself, and it’s kind of lonely here ;)

No, its still difficult, but its still considered entry level.

About 10 years ago OSCP was considered difficult, or at least definitely not part of the beginner roadmap. Apparently this has changed?

OSCP kinda sucks because the pentesting industry kinda sucks (I have OSCP). Things are different now since there&#x27;s a ton of guides and videos specifically for it.Long term, you&#x27;re better off being a developer and getting into security that way. Plus you&#x27;re going to learn to program as a pentester anyway. The job market and day-to-day and salary is also much better. It is hilarious how necessary&#x2F;important security is but pentesters seem to get low salaries and have high barriers to entry.

Out of interest, are these larger, and more &quot;corporate&quot; focused shops? I have directly worked with a range of client companies, and none cared about certs (even government!)I&#x27;m wondering if OSCP is an &quot;easy resume filter&quot; in a time of online job applications being easier than ever before, rather than something they have a business need for, as their clients demand it?

I&#x27;m sure there are a bunch of marginal firms that require certification, but that&#x27;s a strong tell that you don&#x27;t want to work there.Pursuit of certification is not good advice.

A LOT of shops require OSCP to even get an interview. I know for a large number of them that OSCP is indeed a hard no go if you do not have it.Unless your plan is to go it your own, and either start your own business or go black hat, OSCP is indeed good advice.

Again, maybe for body shops. I&#x27;ve seen it (here, not among peers) described as &quot;the best cert&quot;, but that&#x27;s a low, low bar.

Just curious, why do you say that? I&#x27;m no expert in this field, but I thought the OSCP cert was viewed as being a valuable entry level cert in the field?

Don&#x27;t do any of these certifications. Yikes.

I remember doing a bootcamp for it many, many years ago when I was getting started in Infosec. I was already doing boot2root type challenges but this was a &quot;real&quot; cert and I was really nervous.I remember the relief washing over me on the first morning of the bootcamp when there were questions such as &quot;what&#x27;s a shell&quot; and &quot;What&#x27;s Linux?&quot;.100% of the people on the bootcamp passed.

First rule of &#x27;Cyber Security&#x27;: never use the phrase &#x27;Cyber Security&#x27; in any serious discussion on hacking. If I was going to hire-on a computer security professional. The first question I would ask is, how many machines have you owned?

Like all things, different niches attract different people. There&#x27;s a market for cyber security and if you&#x27;re well-versed and highly qualified, you could certainly make as much, if not more, than a software developer. Of course, we could get into the cynicism of how corporations view cyber security professionals (i.e. as someone to blame when something goes wrong, despite not listening to their cyber security employees because it would hurt their quarterly earnings), but that&#x27;s tangential.

You can do both in exploit development and there&#x27;s some really good money [1] if you come up with something very dangerous. However it&#x27;s a very hard field to break into unless you have tons of programming experience with system-level languages like C&#x2F;C++, x86, ARM (extremely relevant today since virtually everyone trusts their privacy to their mobile devices).[1] <a href="https:&#x2F;&#x2F;zerodium.com&#x2F;program.html" rel="nofollow">https:&#x2F;&#x2F;zerodium.com&#x2F;program.html</a>

&gt; and there does appear to be a much lower salary cap for developers than security engineers.Shit this is what’s kept me from leaving software. If that’s true, maybe I should try security, I’ve done some security adjacent stuff, but mostly implementing software for compliance purposes.

Security is more interesting work than development for many. 
Also, money and job security. At least from my experience, and intermediate Security Analyst will make about the same as a senior developer (Mid West market), and there does appear to be a much lower salary cap for developers than security engineers. In addition, Security seems to have far more available positions right now, as many corps are trying to &#x27;catch up&#x27; and finally admit they need security.

Why choose cyber security over software development?

Cyber Security; Beginner Roadmap