Cybersecurity career paths: 2025 job guide

Cybersecurity is much bigger than just pentesters and SOC analysts. Protecting the world’s people, systems, and data from cyberattacks takes an army: that means policy experts, lawyers, secure software developers, cybersecurity architects, and more. Below is a list of 11 major cybersecurity career paths currently available in 2025. 

* Note: All average salary data below is in USD and sourced from Glassdoor as of September 2025. Salary ranges will differ depending on your country and state.

Pluralsight's tech career roadmap series

• Software developer career paths: 2025 job guide
• Cloud career paths: 2025 job guide
• Cybersecurity career paths: 2025 job guide

1. Cyber defense and analysis

Cyber defenders (also known as SOC or cybersecurity analysts) are at the forefront of a company’s defenses. Junior analysts typically review alerts to determine if they’re suspicious or not, putting their keen instincts to work. Senior analysts typically handle escalated incidents, administer and maintain security tools, and communicate with the business.

Who would thrive in cyber defense and analysis?

Anyone who has sharp attention to detail and critical thinking skills. At a junior level, you’ll be filtering through hundreds of false alerts, but any one of them could be that ticking bomb that causes things to heat up quickly. A continuous learning mindset will help with career success and progression, especially if you squeeze your learning in during the lulls.

Typical salary range

The average salary range for a cybersecurity analyst is between $57k to $170k per year.

Becoming a SOC analyst

To learn more about being a SOC analyst, including useful qualifications, skills, and certifications to help you land your first role, read our article: “What is an SOC analyst? Cybersecurity roles explained.”

2. Penetration testing / Red teaming

Penetration testers (also known as red team operators or offensive security specialists) use ethical hacking techniques to simulate a real-world attack by bad actors, trying to compromise an organization’s system to expose its vulnerabilities and weaknesses. They stay on top of the latest hacking trends and techniques and use them to improve your company’s defenses through trial by fire.

Who would thrive in penetration testing / red teaming?

People who are creative, out-of-the-box thinkers and love a good challenge. Pen testers are often competitive and love proving how clever they are by doing what should be impossible, finding gaps in defenses using limited resources.

Typical salary range

The average salary range for a penetration tester is between $115k to $203k per year.

Becoming a penetration tester

To learn more about being a pen tester, including useful qualifications, skills, and certifications to help you land your first role, read our article: “What is a penetration tester? Cybersecurity roles explained.”

3. Governance, risk, and compliance

Governance, Risk, and Compliance (GRC) specialists evaluate risks and develop security standards, procedures, and controls to manage them. They’re the one with all the answers on how things should be done in the organization, making sure it’s ready for any audits, assessments, and future cyber attacks.

Who would thrive in GRC?

GRC specialists are typically great communicators with exceptional stakeholder and risk management skills. If you can see how things should be handled, how things can go wrong if they’re not, and get people to buy into your vision, then you’re likely to do well in GRC. 

Typical salary range

The average salary range in GRC is between $88k to $192k per year.

Becoming a GRC specialist

To learn more about being a GRC specialist, including useful qualifications, skills, and certifications to help you land your first role, read our article: “What is a GRC analyst? Cybersecurity roles explained.”

4. Incident response and forensics

Unlike other cybersecurity roles, which are more day-to-day and project-based, Incident Response and Forensics Specialists are the firefighters of an organization. At the first indication of a cyber attack, they jump in to identify and analyze the situation, and shut it down. Afterwards, they conduct a post-mortem to share what happened and lessons learned so it doesn’t happen again.

Who would thrive in incident response and forensics?

People who can stay calm during a crisis, have a strong attention to detail, and find the idea of getting to the bottom of things exciting—even if there’s a ticking clock. 

Typical salary range

The average salary range for a cyber incident response specialist is between $78k to $184k per year.

Becoming an incident response specialist

To learn more about incident response, including useful qualifications, skills, and certifications to help you land your first role: “What is incident response? Cybersecurity roles explained.”

5. Security engineering and security architecture

Security engineers and architects thrive on turning complex challenges into simple, elegant solutions. They zero in on how your company is currently protecting its digital assets, data, and systems, and they design ways to better defend them from threats and vulnerabilities. By thinking ahead, they take the pressure off other cybersecurity defenders and minimize any risk to the business. 

In most organizations, security engineers focus on design and enablement, while security architects focus on design and strategy. Traditionally these can be part of a single career path, as you may join an organization as a security engineer and then advance into an architect role.

Who would thrive in security engineering and security architecture?

Systems thinkers who can come up with creative ways to solve cybersecurity and organizational problems. People who can think holistically and strategically about business needs as well as future threats.

Typical salary range

The average salary range for a security engineer is $128k to $202k per year, while the salary for a security architect is $177k to $286k a year.

Becoming a cybersecurity engineer

To learn more about cybersecurity engineering, including useful qualifications, skills, and certifications to help you land your first role, read our article: “What is a security engineer? Cybersecurity roles explained.”

6. Cloud security

Cloud security specialists not only secure cloud platforms and services, but also automate existing processes and make life simpler. Through continuous learning, they’re constantly upskilling in cutting-edge cloud solutions, finding new and better ways to keep your organization secure. 

Who would thrive in cloud security

People who have a passion for technology, particularly keeping up with the latest cloud services and solutions, and using these to solve real business problems.

Typical salary range

The average salary range for a cloud security engineer is between $149k to $242k per year.

Becoming a cloud security engineer

To learn more about cloud security engineering, including useful qualifications, skills, and certifications to help you land your first role, read our article: “What is a cloud security engineer? Cybersecurity roles explained.”

7. Threat hunting

Adversaries are smart, and often able to evade regular security solutions: this is where threat hunting comes to the rescue. Threat hunters don’t just rely on alerts, instead proactively searching internal telemetry for adversary behavior. 

A threat hunter comes up with a hypothesis (“Is there evidence of an adversary in our finance systems?”) based on threat intelligence, previous incidents, or unusual activity patterns, then they set out to prove or disprove it. If they’re right, they find and contain the threat before it does any more damage. 

Who would thrive in threat hunting?

Critical thinkers who question assumptions, have great ingenuity and intuition, and are able to paint a larger picture from fragmented evidence. Continuous learning is a must: threat hunters must always be hungry to learn about the latest threats, tools, and techniques.

Typical salary range

The average salary range for a cyber threat hunter is between $112k to $207k per year.

8. Threat intelligence

Threat intelligence is all about collecting and curating intelligence from outside sources to drive detection and strategy. Think of it as figuring out what your organization should be worried about, or “let’s see if those terrible things happening to everyone else could happen or are happening here.” 

Threat intelligence can be based on a wide range of sources, ranging from open source intelligence, recent CVEs, logs, threat feeds, dark web marketplaces, and more.

Who would thrive in threat intelligence?

People who love to be the know-it-all about threats on the horizon and can communicate these to the business concisely to keep them well informed. A natural fit for research lovers and those curious about what bad actors are up to.

Typical salary range

The average salary range for a cyber threat intelligence analyst is between $112k to $201k per year.

Becoming a threat intelligence analyst

To learn more about being a threat intelligence analyst, including useful qualifications, skills, and certifications to help you land your first role, read our article: “What is a threat intelligence analyst? Cybersecurity roles explained.”

9. Secure software development

Security software developers help create computer applications that protect systems and networks. Their role involves designing, testing, implementing and managing programs that defend against malicious activity, combining their love of software and cybersecurity together.

Who would thrive in secure software development?

Tech-savvy individuals who want to mix their love of software development and cybersecurity into a single profession. Anyone who has the problem-solving skills essential to software development paired with the security mindset.

Typical salary range

The average salary range for a secure software developer is between $101k to $169k per year.

Becoming a security software developer

To learn more about being a security software developer, including useful qualifications, skills, and certifications to help you land your first role: “What is a security software developer? Cybersecurity roles explained.”

10. Security awareness and education

People aren’t born with cybersecurity awareness and skills: they’re taught. That means someone has to do that teaching, whether or not it’s educating end users or seasoned security professionals. There are many roles that fall under this banner—developer relations (DevRel) experts promoting a novel solution, being a cybersecurity course author teaching people about solutions and strategies, or a security consultant or instructor training organizations on best practices. However, all of these roles share a desire to educate and uplift others, helping turn them into heroes.

Who would thrive in security awareness and education?

Anyone who has a desire to educate and uplift others, helping turn them into heroes. Those who can communicate effectively, breaking down complex topics into something that’s easily digestible.

Typical salary range

The average salary range for a cybersecurity awareness professional is between $112k to $206k per year.

11. Cybersecurity legal advice

There are a lot of legal aspects to cybersecurity, which you’d expect when a cyber attack involves breaking the law, and also all the legislation and regulations organizations need to comply with. Organizations often need legal advice when it comes to issues like cyber incident response, privacy and data security, and technology liability.

Who would thrive

This domain is perfect for people who come from a legal background and have a strong interest in cybersecurity, data privacy, and/or digital law.

Typical salary range

The average salary range for a privacy counsel—a legal professional responsible for dealing with data privacy laws, regulations, and best practices—is between $166k and $274k per year.

Conclusion

This guide is just a high-level snapshot of the cybersecurity careers available to you; there are a lot more nooks and crannies than we’ve covered in this article (or could be realistically covered in any article). If there’s one thing you should come away with, it’s the knowledge of how broad cybersecurity is, and that there are many different career paths for you to pursue.

Remember that there is not one path to success in cybersecurity, and there are many different ways you can get your start. To quote Larry Trittschuh—an airforce pilot who went on to be a seasoned CISO and CSO, including at Barclays Americas—success isn’t a ladder, but a menu, and no one meal suits everyone’s tastes. For you, success might mean a high wage, a challenging role, or spending time with your family. 

Best of luck with the next step in your cybersecurity journey!

Pluralsight's tech career roadmap series

• Software developer career paths: 2025 job guide
• Cloud career paths: 2025 job guide
• Cybersecurity career paths: 2025 job guide