Cybersecurity and Applied AI career insights
© 2023-2026 Bespoke Intermedia LLC
Founded by Julian Calvo, Ed.D., M.S.
Direct answer · last verified 2026-04
Cybersecurity offers four main career tracks: defensive operations (SOC Analyst, Incident Responder, Threat Intelligence), offensive security (Penetration Tester, Red Team Operator), governance and compliance (GRC Analyst, Security Auditor, CISO), and cybersecurity sales (SDR/BDR, Account Executive, Sales Engineer). Each track has distinct entry points, skill requirements, and salary ranges.
Cited primary sources
BLS, CompTIA, ISC2, NIST, CyberSeek inline. No paraphrased blog posts.
Cybersecurity career paths are wider than the popular image of the field suggests. The NICE Framework (NIST SP 800-181, Rev. 1, 2020) defines 52 distinct work roles across 7 categories, and the actual industry adds dozens more that NICE does not formally track (cybersecurity sales, marketing, recruiting, vendor risk). For practical planning, these collapse into four main tracks plus a fifth commercial track, each with clear progression from entry-level through senior leadership.
Defensive operations is the largest track by headcount. SOC Analysts (median $87,400 per BLS, 2024) monitor security alerts, triage incidents, and escalate confirmed threats. Tier 1 SOC work in Atlanta with one year of experience runs roughly $60,000 to $75,000. Incident Responders ($105,300 median) handle active breaches. Threat Intelligence Analysts ($110,800 median) research adversary tactics and write reporting against MITRE ATT&CK. Security Engineers ($124,900 median) build and maintain defensive infrastructure: SIEM rules, EDR policies, identity controls.
Offensive security suits hands-on problem solvers. Penetration Testers ($112,200 median) simulate attacks against authorized scope to find vulnerabilities before real adversaries do. The path typically starts with eJPT or PNPT, then CompTIA PenTest+, then OSCP (Offensive Security Certified Professional, $1,599 per OffSec, April 2026 pricing). Red Team operators combine penetration testing with adversary emulation, evasion techniques, and long-haul C2 operations. The work rewards persistence and a high tolerance for hours of unproductive failure.
Governance, Risk, and Compliance suits people who prefer policy and audit logic to log analysis. GRC Analysts ($82,500 median per BLS-derived industry data, 2024) manage compliance frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC) and run risk assessments. Career progression runs through Senior GRC Analyst, GRC Manager, Director of Risk, and ultimately CISO ($232,000 median). The track benefits people from prior audit, legal, healthcare compliance, or business operations backgrounds because the writing and stakeholder management skills transfer directly.
Architecture and engineering is the high-impact technical track. Security Architects ($158,600 median per BLS, 2024) design enterprise security control sets, evaluate vendor products, and own the blueprints other engineers implement. The track typically requires five to ten years of cybersecurity experience plus deep familiarity with frameworks like NIST CSF 2.0 (2024) and the Zero Trust Architecture model (NIST SP 800-207, 2020). CISSP is effectively the price of entry above senior engineer.
Cybersecurity sales is the commercial track. SDR/BDR roles open at $80,000 to $130,000 OTE. Mid-market Account Executives at vendors like CrowdStrike, Palo Alto Networks, Zscaler, and SentinelOne earn $150,000 to $300,000 OTE. Enterprise AEs closing seven-figure deals reach $250,000 to $500,000+ OTE. Sales Engineers blend technical depth with presentation skills and earn $150,000 to $350,000 OTE. The track suits strong communicators with high competitive drive who want six figures without deep technical study.
Decision logic. Pick defensive operations if you want a clear ladder, are comfortable with shift work and on-call, and like investigative work. Pick offensive security if you have strong patience for failure, enjoy systems puzzles, and write code fluently. Pick GRC if you have prior business or compliance background and prefer writing to terminal work. Pick architecture once you have five years of operational experience. Pick sales if you have communication strength and tolerance for quota pressure.
Tradeoffs to acknowledge. Each track has a structural ceiling. Pure individual contributor SOC work caps around $130,000 for most analysts without moving into engineering or detection. Penetration testers who do not develop business skills cap around $160,000. CISOs are paid more but carry personal liability under SEC cyber disclosure rules (Item 1.05 of Form 8-K, effective 2023) and increasingly under state AG actions. Sales caps highest but ties income tightly to performance.
For deep dives on each track, see the related career entries for soc-analyst, penetration-tester, grc-analyst, security-engineer, and ciso, plus the certification entries for cissp and oscp and the glossary entry for grc. Each entry maps specific skills, certifications, and realistic five-year trajectories.
Salary data is compiled from public sources including the Bureau of Labor Statistics and industry surveys. Actual compensation varies by location, experience, company, and negotiation. This information is for educational purposes only and does not constitute financial advice.