Part 12: Security Career
In one line: "Security engineer" is an umbrella over several distinct careers — offensive, defensive, cloud, and governance — and this chapter maps the roles, the certifications that actually matter, how to build a credible portfolio (CTFs, a home lab, bug bounties), and the multi-year path into and through them.
Security isn't one job. A red-teamer, a SOC analyst, an application-security engineer, a cloud-security specialist, and a GRC (governance/risk/compliance) professional do very different work with different skills and certs. This chapter helps you see the landscape, pick a lane that fits, and build the evidence that gets you hired — which in security is unusually practical: CTF results, a home lab, write-ups, and bug-bounty findings often matter more than a résumé line. It's the security analog of the career chapters in the companion guides.
What this chapter covers
- The roles — AppSec, penetration testing/red team, blue team/SOC, detection engineering, cloud security, GRC.
- Certifications — which are respected for which roles (e.g. OSCP for offensive, CISSP for breadth/GRC) and which are noise.
- Portfolio — CTFs, a home lab, bug-bounty findings, and write-ups as proof of skill.
- The multi-year path — entry points, transitions between lanes, and how seniority compounds.
The lessons in this chapter
- The Roles & Specializations → — offensive, defensive, AppSec, cloud, GRC, and how each maps to chapters you've studied.
- Certifications & Skill-Building → — hands-on vs. knowledge-based, which matter for which lane, and why skill beats collecting.
- Building a Portfolio & Getting Hired → — CTFs, labs, bug-bounty findings, and write-ups; showing beats telling.
- The Multi-Year Path → — pivoting in, specializing, crossing lanes, the IC-vs-management fork, and continuous learning.
Finish with the Chapter 12 checkpoint → to certify the map before Chapter 13.
→ Start here: The Roles & Specializations.