Roadmap
Security Engineer
The technical security professional who designs, implements, operates, and automates security controls across the organization's infrastructure, cloud platforms, and applications. Builds the defenses that protect systems at scale through tooling, detection engineering, and security automation.
OPTIMISTIC 3-4 years · REALISTIC 4-5 years
Stage 00
IT and Networking Fundamentals
Security engineers defend systems they must understand. Technical credibility is the foundation.
Complete IT Depth Required
- All content from System Administrator path — Windows Server, Active Directory, Linux, virtualization
- All content from Network Administrator path — TCP/IP, routing, switching, VLANs, firewalls, VPN
- All content from IAM / Identity Engineer path — AD, Entra ID, Kerberos, SAML, OAuth 2.0, PAM
- Cloud fundamentals — AWS/Azure/GCP services, IAM, networking, storage, compute
Security-Specific System Literacy
- Windows security model — access tokens, integrity levels (Low/Medium/High/System), privileges, UAC
- Linux security model — DAC (rwx), ACLs, capabilities, namespaces, cgroups, SELinux/AppArmor
- Network security — stateful vs stateless inspection, IDS vs IPS, NGFW application awareness, WAF
- PKI — certificate lifecycle, CA hierarchy, certificate pinning, TLS 1.3 handshake, HSTS
- Authentication — all protocols at implementation level (see IAM path)
- Logging architecture — syslog, Windows Event Forwarding, agent-based vs agentless log collection
Scripting Foundations
- Python — Stages 0–3 from Data Analyst path; plus security libraries: requests, socket, scapy (packet manipulation), pwntools (exploitation context), subprocess for tool orchestration
- PowerShell — Stages from Sysadmin path; security operations: Get-WinEvent, Invoke-Command for mass collection
- Bash — Linux scripting for automation, log parsing, system hardening
Resources
- Professor Messer Security+ (free YouTube)
- TryHackMe Pre-Security and SOC Level 1 (free)
- SANS Cyber Aces (free)
Stage 01
Security Fundamentals — Deep
Security engineers must understand the threat landscape, attack techniques, and defense frameworks deeply, not just theoretically.
Threat Landscape Knowledge
- MITRE ATT&CK Enterprise — full technique taxonomy; technique IDs, sub-techniques, procedures
- MITRE D3FEND — defensive countermeasure catalog aligned to ATT&CK
- Cyber Kill Chain — 7 phases; understanding attacker progression
- Current threat actor categories: Nation-state APTs, Ransomware-as-a-Service groups, Initial Access Brokers, commodity malware operators
Attack Technique Depth — What Engineers Must Understand
- Initial Access: Phishing (T1566), Spearphishing credentials (T1566.002), Public-facing app exploitation (T1190), Valid accounts (T1078), External remote services (T1133)
- Execution: PowerShell (T1059.001), WMI (T1047), LOLBins (mshta, regsvr32, certutil), Command and Scripting Interpreter (T1059)
- Persistence: Registry Run Keys (T1547.001), Scheduled Tasks (T1053.005), Services (T1543.003), WMI Event Subscriptions (T1546.003), DLL Hijacking (T1574.001), Boot/Logon Autostart (T1547)
- Defense Evasion: AMSI bypass, ETW patching, Process injection (T1055), Log clearing (T1070), Timestomping (T1070.006), Obfuscated files (T1027)
- Credential Access: LSASS dumping (T1003.001), DCSync (T1003.006), Kerberoasting (T1558.003), AS-REP Roasting (T1558.004), DPAPI (T1555.004)
- Lateral Movement: PsExec (T1021.002), WMI (T1021.003), RDP (T1021.001), Pass-the-Hash (T1550.002), Pass-the-Ticket (T1550.003)
Detection Frameworks
- Pyramid of Pain — attacker TTPs are hardest to change; hash/IP indicators are easiest; implication: build detections at TTP level when possible
- Diamond Model of Intrusion Analysis — Adversary, Capability, Infrastructure, Victim — useful for attribution
- Cyber Kill Chain detection coverage — build at least one detection per phase
Resources
- MITRE ATT&CK website (free)
- SANS FOR508 overview materials
- The DFIR Report (free)
- Red Canary Threat Detection Report (free annual)
- CrowdStrike Global Threat Report (free annual)
Stage 02
Detection Engineering and SIEM
Detection engineering is the craft of translating attacker TTPs into reliable, high-fidelity alerts. It is the core technical discipline of defensive security engineering.
Windows Logs
- Windows Security Event Log (Security.evtx) — authentication, authorization, privilege use
- Windows System Event Log (System.evtx) — service events, driver loads, hardware
- Windows Application Event Log (Application.evtx) — application errors, event IDs
- PowerShell Operational Log — EID 4104 script blocks; EID 4103 module logging
- Sysmon — extends Windows telemetry with EID 1 (process create), 3 (network), 7 (image loaded), 8 (CreateRemoteThread), 10 (process accessed), 11 (file created), 13 (registry), 17/18 (pipes), 22 (DNS)
- Windows Defender logs — EID 1116 (malware detected), 1117 (action taken), 5001 (real-time protection disabled)
- Windows Firewall logs — connection allowed/blocked
- Task Scheduler logs — Microsoft-Windows-TaskScheduler/Operational; task creation, execution
Linux Logs
- /var/log/auth.log or /var/log/secure — SSH logins, sudo usage, PAM events
- /var/log/syslog or /var/log/messages — general system activity
- journalctl — systemd journal; querying all log sources
- /var/log/audit/audit.log — auditd; syscall-level auditing; must configure rules
- /proc/[pid]/ — process metadata; live system
- last, lastb, lastlog — login history
Network Logs
- Firewall — allow/deny with 5-tuple + bytes + duration
- DNS — query/response with client IP, domain, record type, answer
- Web proxy — HTTP/HTTPS with URL, user agent, response code, bytes
- NetFlow/IPFIX — connection summaries; high-volume traffic analysis
- Zeek logs — conn.log, dns.log, http.log, ssl.log, files.log; rich network context
- Email gateway — message headers, delivery status, attachment analysis
Cloud Logs
- AWS CloudTrail — all AWS API calls; critical for cloud security detection
- AWS VPC Flow Logs — network traffic between resources
- AWS GuardDuty — ML-based threat detection with findings
- Azure Activity Log — resource management operations
- Azure Entra ID Sign-in Logs — authentication with risk scores
- GCP Cloud Audit Logs — admin activity, data access, system events
Splunk
- Architecture — Indexers (storage + search), Search Heads (UI + queries), Forwarders (collection), Deployment Server (management)
- SPL (Search Processing Language): basic search, rex extraction, stats, timechart, eval, lookup, subsearch, join, transaction
- Common SPL patterns for detection: authentication anomalies (failed login spike), lateral movement (host count), data exfiltration (byte threshold)
- Splunk alerts — scheduled searches; trigger conditions; throttling; actions (email, webhook, ticket)
- Splunk dashboards — panels; drilldowns; time range inputs; token passing
- Splunk SOAR integration — automated response workflows triggered by alerts
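Two of the SPL detection patterns named above (failed-login spike per source, lateral-movement host count per account) carried out in Python on constructed Windows Security events so they run offline. This is an added example, not Splunk's or the roadmap's own code; the event field names (EventID, TargetUserName, IpAddress, Computer, LogonType), the sample data and the thresholds are assumptions, and the SPL in the docstrings is an approximate equivalent whose field names depend on the Windows add-on in use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)  # constructed epoch for the sample data; also the bucket origin


def _ev(minute, eid, user, ip, computer, logon_type=3):
    """Constructed Windows Security event: EID 4625 = failed logon, 4624 = successful logon."""
    return {"time": T0 + timedelta(minutes=minute), "EventID": eid, "TargetUserName": user,
            "IpAddress": ip, "Computer": computer, "LogonType": logon_type}


# Constructed sample telemetry (not real logs): a 25-attempt burst from one source against
# many accounts, two ordinary failures, a service account logging on to six servers, and
# a user logging on to one workstation.
EVENTS = (
    [_ev(1 + i % 3, 4625, f"user{i:02d}", "10.0.0.5", "DC01") for i in range(25)]
    + [_ev(7, 4625, "alice", "10.0.0.9", "DC01"), _ev(8, 4625, "alice", "10.0.0.9", "DC01")]
    + [_ev(12 + i, 4624, "svc_backup", "10.0.0.7", f"SRV{i:02d}") for i in range(6)]
    + [_ev(13, 4624, "alice", "10.0.0.9", "WS01")]
)


def _bucket(event, window):
    """Fixed time bucket, the SPL 'bucket _time span=<window>' step."""
    return (event["time"] - T0) // window


def failed_login_spikes(events, window=timedelta(minutes=5), threshold=20):
    """Failed-logon count per source IP and time bucket. Rough SPL equivalent:
    EventCode=4625 | bucket _time span=5m | stats count by IpAddress, _time | where count>=20
    """
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 4625:
            counts[(e["IpAddress"], _bucket(e, window))] += 1
    return [{"IpAddress": ip, "bucket": b, "count": n}
            for (ip, b), n in sorted(counts.items()) if n >= threshold]


def lateral_movement_fanout(events, window=timedelta(minutes=10), max_hosts=5):
    """Distinct hosts per account within a window (network logons only). Rough SPL:
    EventCode=4624 LogonType=3 | bucket _time span=10m
      | stats dc(ComputerName) AS hosts by TargetUserName, _time | where hosts>5
    """
    hosts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3:
            hosts[(e["TargetUserName"], _bucket(e, window))].add(e["Computer"])
    return {user: len(h) for (user, _), h in hosts.items() if len(h) > max_hosts}
```

The fixed-bucket approach mirrors SPL's `bucket` command; a burst that straddles a bucket boundary can fall under the threshold in both halves, which is the usual reason to also try a sliding window before settling the alert logic.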
Microsoft Sentinel
- Architecture — Log Analytics Workspace; data connectors; analytics rules; workbooks
- KQL (Kusto Query Language): where, project, extend, summarize, join, union, render, let, mv-expand; time functions; string functions; statistical functions; table joins
- Analytics rules — scheduled (custom KQL), NRT (near real-time), ML-based (anomaly detection)
- Sentinel Playbooks — Azure Logic Apps automated response; isolate host, disable user, enrich with TI
- Watchlists — reference data for enrichment; import CSV; use in KQL lookup
Elastic SIEM
- Elasticsearch — distributed search; inverted index; JSON documents
- Kibana — visualization; SIEM app; Timeline for investigation
- Beats (collection agents) — Winlogbeat (Windows), Filebeat (logs), Packetbeat (network), Auditbeat (audit)
- Logstash — parsing and transformation pipeline; Grok patterns for unstructured log parsing
- EQL (Event Query Language) — sequence detection with process + network correlation
- Elastic detection rules — TOML format; maps to ATT&CK
Sigma Rules — Cross-SIEM Detection Standard
- What Sigma is — vendor-agnostic detection language; converted to Splunk SPL, KQL, Elastic EQL
- Sigma rule structure — YAML with title, id, status, description, tags, logsource, detection (selection + filter + condition), falsepositives, level
- Writing quality Sigma rules — specific enough to catch real attacks; filters to reduce false positives; testing against real telemetry
- SigmaHQ — GitHub repository of 3000+ community rules; essential resource
- pySigma — Python library for Sigma conversion; converting to backend queries
- MITRE ATT&CK tagging — every rule tagged to technique; enables coverage tracking
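A constructed Sigma rule carrying the fields listed above, paired with a minimal matcher that applies its selection, filter and condition to constructed Sysmon EID 1 (process create) records. This is an added example, not SigmaHQ or pySigma code: the rule text, its placeholder id, the SCCM parent-process filter and the event contents are assumptions, and the matcher supports only the `contains`, `endswith` and `all` modifiers and simple `and`/`or`/`not` conditions.

```python
# Constructed Sigma rule keyed like a SigmaHQ YAML rule (title, id, status, description,
# tags, logsource, detection, falsepositives, level). The id is a placeholder, not SigmaHQ's.
RULE = {
    "title": "Certutil Used To Download Or Decode A File (LOLBin)",
    "id": "00000000-0000-4000-8000-000000000000",  # placeholder UUID
    "status": "experimental",
    "description": "certutil.exe invoked with download/decode switches, a LOLBin pattern.",
    "tags": ["attack.execution", "attack.defense_evasion", "attack.t1027"],
    "logsource": {"category": "process_creation", "product": "windows"},  # Sysmon EID 1
    "detection": {
        "selection": {  # keys in one map are ANDed; a list of values is ORed
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["-urlcache", "-decode", "-encode"],
        },
        # constructed false-positive filter: the SCCM client legitimately runs certutil
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Administrators managing certificates with certutil"],
    "level": "high",
}

# Constructed Sysmon EID 1 (process create) records, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -urlcache -f http://example.invalid/a.txt a.txt"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe",
     "CommandLine": "certutil -urlcache -f http://example.invalid/b.txt b.txt"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -nop Get-Process"},
]

MODIFIERS = {  # Sigma value modifiers; string comparison is case-insensitive
    "contains": lambda actual, v: v in actual,
    "endswith": lambda actual, v: actual.endswith(v),
}

def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry of a selection map."""
    field, _, mods = key.partition("|")
    mods = mods.split("|") if mods else []
    actual = str(event.get(field, "")).lower()
    cmp = next((MODIFIERS[m] for m in mods if m in MODIFIERS), lambda a, v: a == v)
    values = expected if isinstance(expected, list) else [expected]
    hits = [cmp(actual, str(v).lower()) for v in values]
    return all(hits) if "all" in mods else any(hits)  # 'contains|all' ANDs the list

def map_matches(event, selection):
    return all(field_matches(event, k, v) for k, v in selection.items())

def eval_condition(condition, names):
    """Handles 'a and not b' / 'a or b' conditions; parentheses and '1 of' are not supported."""
    def term(t):
        t = t.strip()
        return not names[t[4:].strip()] if t.startswith("not ") else names[t]
    return any(all(term(t) for t in grp.split(" and ")) for grp in condition.split(" or "))

def rule_matches(rule, event):
    det = rule["detection"]
    names = {k: map_matches(event, v) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], names)

def run_rule(rule=RULE, events=EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

Running the rule over the three records fires only on the first: the second is suppressed by the parent-process filter and the third never satisfies the selection, which is the selection/filter/condition interplay the page describes.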
Detection Engineering Practice
- Detection development lifecycle: threat intel → hypothesis → log source identification → rule development → testing → tuning → deployment → monitoring
- False positive management — the primary challenge; aggressive filtering reduces noise but may miss attacks
- Coverage mapping — ATT&CK Navigator to visualize detection coverage; identifying gaps
- Detection as code — version-controlled detection rules; CI/CD for rule deployment
- Atomic Red Team — community library of ATT&CK technique simulations; test detections
Resources
- SigmaHQ GitHub (free)
- SANS FOR508 detection content
- Splunk BOTS (Boss of the SOC) challenges (free)
- Blue Team Labs Online (free)
Stage 03
Cloud Security Engineering
Modern security engineering is predominantly cloud security engineering. Deep cloud platform security is the most in-demand specialization.
Cloud Security Fundamentals
- Shared responsibility model: AWS/on-prem/SaaS/PaaS/IaaS breakdown of provider vs customer duties
- Cloud-specific attack surface: IAM misconfiguration, exposed storage, metadata service abuse, API key exposure, container escape, serverless security
AWS Security Engineering — Deep
- IAM security: least privilege, IAM policy types, conditions, avoiding root account, cross-account access, Access Analyzer, permission boundaries, SCPs, detecting misconfigurations (Prowler, ScoutSuite)
- AWS Network Security: Security Groups, NACLs, VPC design, gateway types, PrivateLink, Network Firewall, WAF, Shield Advanced
- AWS Logging and Detection: CloudTrail, CloudWatch Logs, GuardDuty (30+ finding types), Security Hub, Config, VPC Flow Logs
- AWS Identity Security: IAM Identity Center (SSO), Cognito, STS AssumeRole, IMDSv2
- CSPM (Cloud Security Posture Management): Security Hub + Config native; Prowler; ScoutSuite; Checkov; common findings (public S3, unrestricted SGs, no MFA, no CloudTrail, overpermissive IAM)
Azure Security Engineering
- Microsoft Defender for Cloud — CSPM + CWPP; secure score; recommendations; security alerts
- Entra ID Conditional Access — policy-based access control; MFA enforcement; device compliance; named locations
- Azure RBAC — role assignments at management group/subscription/resource group/resource scope
- Azure Policy — governance; audit and enforce resource configurations; remediation tasks
- Azure Key Vault — secrets, keys, certificates; access policies + RBAC
- Azure Sentinel (Microsoft Sentinel) — native SIEM/SOAR for Azure environments
- Microsoft Defender XDR — endpoint, identity, cloud apps, email unified threat protection
- Network security — NSGs, Azure Firewall, DDoS Protection, Private Endpoint, Service Endpoint
GCP Security Engineering
- Cloud Security Command Center (SCC) — threat detection, vulnerability findings, compliance
- Organization Policy constraints — preventing insecure resource configurations
- Cloud IAM — project-level, org-level roles; conditions; workforce identity federation
- Cloud Armor — WAF and DDoS protection; Adaptive Protection
- VPC Service Controls — restricting API access to within a security perimeter
- Binary Authorization — deploy-time attestation for container images
Container and Kubernetes Security
- Container security (Docker): image scanning (Trivy, Snyk, Clair), distroless images, non-root user, no privileged containers, read-only filesystem, runtime secrets management
- Kubernetes security: pod security standards, RBAC, network policies, admission controllers (OPA/Gatekeeper, Kyverno), runtime security (Falco), secrets, audit logging
CWPP (Cloud Workload Protection Platform)
- Extending EDR to cloud workloads — agents on EC2/VMs and containers
- CrowdStrike Falcon for Cloud — cloud-native sensor; container security; serverless
- Microsoft Defender for Servers — Defender for Cloud plan; integrates with Defender XDR
- Sysdig Secure — container and Kubernetes runtime security
- Aqua Security — full lifecycle container security
Resources
- AWS Security specialty study materials
- AWS security blog (free)
- SANS SEC540 overview
- Wiz blog (free cloud security research)
- CloudSecDocs (free)
Stage 04
Vulnerability Management
Systematic vulnerability management is a core security engineering function: not just running a scanner, but building a program.
Vulnerability Scanning
- Nessus / Tenable.io — industry standard; credentialed and uncredentialed scanning; plugin ecosystem
- Qualys VMDR — SaaS vulnerability management; asset management + scanning + remediation
- Rapid7 InsightVM — vulnerability risk scoring; remediation workflow; cloud scanning
- OpenVAS — open-source; community rules; suitable for labs and small organizations
- Scanning types: credentialed (agent/creds, low FP, high detail), uncredentialed (external perspective, more FP)
- CVSS scoring — see Cybersecurity Program Manager Stage 3
- Prioritization with EPSS and KEV — combine CVSS + EPSS probability + KEV catalog for realistic priority
- Asset management — knowing what you have is required before knowing what to scan
Vulnerability Management Program
- Scanning cadence — weekly for critical systems; monthly for all assets
- Authenticated agent-based scanning — most accurate; Tenable Agent, Qualys Cloud Agent
- False positive management — accepting and tracking false positives with justification
- Remediation SLAs — see Cybersecurity Program Manager Stage 4
- Exception process — risk acceptance with compensating controls; documented; time-limited
- Patch management integration — integrating vuln findings into WSUS/Intune/Ansible patch cycles
- Network and cloud coverage — ensuring scanning reaches cloud-native assets
Infrastructure Hardening
- CIS Benchmarks — consensus-based hardening guidelines for OS, cloud, middleware (Windows Server, Linux L1/L2, AWS Foundations, Kubernetes)
- DISA STIGs — Defense Information Systems Agency hardening guides; used in government/DoD
- Security baselines implementation: Windows GPO, Linux Ansible + OSCAP, Cloud Config/Policy
- Attack surface reduction — disabling unnecessary services; removing unused software; closing unused ports
Penetration Testing Coordination
- Penetration testing coordination — see Cybersecurity Program Manager Stage 4
Resources
- Tenable Vulnerability Management fundamentals (free)
- CIS Benchmarks (free download with registration)
- OpenVAS documentation (free)
Stage 05
Security Automation and Engineering
Security engineers build the tooling and automation that lets small teams operate at scale.
Security Automation Frameworks
- SOAR: Palo Alto XSOAR, Splunk SOAR, Microsoft Sentinel Playbooks, Swimlane, Tines
- Common SOAR automation use cases: phishing response, alert enrichment, account lockout, vulnerability ticket creation, incident escalation
Python Security Automation
- Building security tools: log analysis scripts (Windows Event Logs, syslog, JSON), IOC extraction (regex), SIEM integration (Splunk/Sentinel API), TI enrichment (VT/Shodan/AbuseIPDB), cloud automation (boto3), vuln report processing
- Security libraries: python-nmap, scapy, pyOpenSSL, shodan, OTXv2/pytivli, dfir_iris
Infrastructure as Code Security
- Security guardrails in Terraform: public access blocks, encrypted resources, validated CIDR blocks; Checkov scanning; HashiCorp Sentinel; OPA/Rego
Security Tool Integration and APIs
- CrowdStrike Falcon API — device management, detection management, IOC management
- Splunk REST API — search jobs, alerts, inputs management
- Microsoft Defender API — alert management, device actions, investigation packages
- VirusTotal API — file/URL/IP/domain reputation; hash lookups
- Shodan API — internet asset discovery; port scanning from the cloud
- Palo Alto Cortex XSOAR API — playbook execution; incident management
Resources
- SANS SEC530 overview (SOAR)
- GitHub security automation repositories
- Tines academy (free)
- Splunk developer documentation (free)
Stage 06
Security Operations Leadership
Senior security engineers provide technical leadership by designing the security architecture, mentoring analysts, and communicating risk to stakeholders.
Threat Hunting
- Hypothesis-driven hunting — see Incident Response Consultant Stage 8
- Building a threat hunting program: hunting cadence, intelligence-driven hunting, gap analysis (ATT&CK), hunt documentation
- Hunting tools: EDR telemetry (CrowdStrike Falcon Insight, SentinelOne Deep Visibility, Carbon Black), SIEM hunting (Splunk Threat Hunting, Sentinel), Velociraptor
Security Metrics and KPIs — Engineering Level
- Mean Time to Detect (MTTD) — from attacker action to detection; target: hours not days
- Mean Time to Respond (MTTR) — from detection to containment; target: minutes to hours
- False Positive Rate — alerts that are not real incidents; high FPR → analyst fatigue
- Detection coverage — percentage of ATT&CK techniques with active detections; ATT&CK Navigator
- Alert volume trend — rising volume indicates either more threats or tool noise
- Vulnerability SLA compliance — percentage of vulnerabilities remediated within SLA
- Mean Time to Patch — average time from publication to patch; tracking separately by severity
Technical Communication
- Writing clear, actionable security findings for non-technical audiences
- Incident reports — summary, timeline, root cause, remediation; for management and legal
- Security review documents — approvals, risk acceptance documentation
- Architecture review participation — providing security input to engineering proposals
- Risk quantification — translating technical findings to business impact language
Resources
- "Practical Threat Intelligence and Data-Driven Threat Hunting" by Valentina Costa-Gazcón (book)
- Florian Roth's blog (free sigma/detection content)
- "The Defender's Advantage" by Mandiant (free)
Stage 07
Hands-On Practice & Portfolio
Practice Platforms
- TryHackMe SOC Simulator path (free) — blue team defensive scenarios
- CyberDefenders (free) — forensics and detection challenges with realistic datasets
- SANS Holiday Hack Challenge (free annual) — detection and IR challenges
- BlueTeamLabs Online (free) — IR and forensics scenarios
- Splunk BOTS (Boss of the SOC) — realistic Splunk investigation challenges (free)
- HackTheBox Sherlocks — DFIR-focused challenges (free)
Home Lab
- Elastic SIEM + Kibana (free) — ingest Windows event logs from VMs; write detection rules
- Atomic Red Team — execute ATT&CK techniques in your lab; triage in SIEM
- Velociraptor (free) — endpoint collection and interrogation
- Sigma rules — write detections for Atomic Red Team exercises; test with pySigma
- AWS free tier — build CSPM detections against your own misconfigurations
What to Document on LabList
- Detection engineering write-ups — hypothesis + log source + Sigma rule + test + FP analysis
- Cloud security projects — CSPM findings remediation, IaC security scanning pipelines
- Automation tools — Python security scripts on GitHub; SOAR playbook designs
- Threat hunting exercises — documented hypotheses, queries, and findings
- Cert progression — Security+ → CySA+ → CISSP or cloud security specialty
FAQ
Common questions
How long does it take to become a Security Engineer?
3–4 years optimistic at 20–25 hours/week, 4–5 years realistic. Security engineering demands engineering depth (Python at minimum, ideally Go), security control design, detection engineering, and cloud platform fluency. The fastest paths come from SDE-to-security-engineer or SOC analyst-to-detection engineer transitions. Pure self-taught paths exist but the technical bar is high — production systems, automation, and operational maturity all compound.
Which certifications matter for security engineering?
Security+ as foundation. CySA+ as a step up. CISSP for senior roles. AWS Security Specialty or AZ-500 for cloud-heavy roles. OSCP for offensive context. CISSP is listed in 80%+ of senior security engineer postings. Cloud security is increasingly the differentiator — cloud security engineer roles average $152,773 (ZipRecruiter).
Do I need a CS degree?
Helpful but not strictly required. The technical bar is high — programming fluency, distributed systems intuition, security control design — which favors candidates with formal CS exposure but doesn't strictly require it. Self-taught paths through bootcamps, intentional self-study, and demonstrated portfolio work produce competitive candidates. Average security engineer salaries: $120K–$165K.
What separates a hired Security Engineer?
End-to-end security automation projects. Show one realistic security capability — a detection rule pipeline, a SOAR playbook, a SIEM content pack with documented detection logic — built and operated. Generic 'I know SIEM' candidates lose to candidates with portfolio evidence. Other differentiators: cloud security depth (multi-cloud preferred), detection engineering, and security automation through code. BLS projects 33% growth for information security analysts through 2033.