What I learned reviewing 46 Detection Engineering resumes in 100 minutes (and why I only picked 6)

Experience & Leveling Bias

I won’t get into the debate about whether or not “Entry Level CyberSecurity” roles exist. Unless you stand out in some extraordinary way, if I can afford a candidate with 5 years I will pick them every time over a candidate with only 2 years experience.

In the current economy, staffing a team with a large backlog and a bit of technical & process debt, I really need the most senior candidates I can afford. I need engineers that can hit the ground running, dig into documentation, and make an impact in a remote environment in less than 60 days.

It is very unlikely that someone with only a CyberSecurity degree or certifications will succeed in this environment. I’m sympathetic if you are entering the job market, so read on. This is where aggressive networking and self-promotion and Open Source contributions can help. Don’t give up!

Cloud or GTFO

If you have decent experience in AWS, Azure, or GCP — you have my attention! When I see Terraform, CloudFormation, or Ansible, I keep reading. If you have written Lambda Functions with Serverless applications with SQS/SNS, you most likely will get an interview. Having Docker and Kubernetes experience really differentiates yourself.

Only a handful of candidates in the 44 I reviewed last night had this background. They immediately rose to the top. This is where certifications and Github projects can help you. I generally don’t care about Security/IT certifications, but my eyes actually see AWS or Azure certifications — even if you don’t have much experience in your day job in the cloud.

Enough with the Boring Corporate SOC Resume

Nearly every resume has SIEM and EDR and Phishing/Malware analysis and vulnerability management tools. It is simply not enough. You do not stand out.

What will differentiate you is Open Source tools. If I see Zeek, Suricata, ELK, and I take a look. Nuanced discussion of threat hunting (and not just mentioning Mitre ATT&CK/TTPs) will also help you stand out. AppSec experience will also set you apart. Weird data projects and Python programming does as well. PowerBI/Tableau or other analytics tools that shows you can do analysis outside the SIEM and won’t be scared by the idea of a Jupyter notebook.

Well Written Resumes with multiple 2–3 year stints at Brands I Know

While it is not a guarantee you will get picked from a sea of applicants, a well-written resume that demonstrates depth and breadth of experience in known companies is a differentiator if you don’t have all the skills.

Experience in large financial services, consulting, telecommunications, or software companies all help you stand out. I assume these brands are under constant and attack and that you may have seen some interesting (and scary) things. You might have been on a larger, stronger security team if you are lucky. I’m looking for any hints at the type of technical or organizational challenges you’ve encountered and overcome!

What Gets a Second (or Third) Look

I almost always follow Links to GitHub or LinkedIn to look for something that differentiates you from other candidates or helps you stand out. Take advantage of this.

Very few resumes actually link to GitHub and many don’t have an up to date LinkedIn profile. Stop this. Forking some Docker repos or Python Boto or Terraform scripts shows you can research and learn. I don’t expect a green commit history, but this is an easy one if you try. I still don’t understand why so few SOC and Cyber Analysts don’t do this.

Long Shots & Wild Cards

One of the six resumes I interviewed had zero Cyber security background, yet I gave them a shot. Why was that?

They had full stack development and data engineering experience and a beautiful hire me website.

They had Python, SQL, and data pipeline experience. They had real world industrial electronics experience with PLC programming and SCADA. One of the best hires I made in the last few years was a finance major that self-taught themselves programming. Real world experience with data and systems that matter is worth more than any cert or bootcamp.