Skip to main content
POST ATLAS
← All editions

POST Atlas Market Note. Mid-2026.

POST Atlas Market Note.

UK Infrastructure, Cloud, Security and Architecture. Mid-year read.

Methodology and confidence ratings are explained at the end of the note.

Download the note (PDF)No email required.

Key Calls

Three lines.

  • Market.Healthy for specialists. Harder for generalists.
  • Cyber.Shortage has moved up the ladder.
  • Cloud.One title. Two different jobs.

01. The Call

The market is healthy for specialists and increasingly difficult for generalists.

The collapse many candidates expected never arrived. Nor did the recovery many hoped for. What's happened instead is that hiring has become more selective. Employers are still spending on cloud, security and platform capability, but the bar for what counts as a credible candidate has risen across almost every job family we track.

Two shifts sit underneath the headline. The cyber shortage has moved up the ladder, away from entry-level analyst seats and toward people who can run an incident, harden a cloud estate, or take ownership of a control framework end to end. And architecture interview loops appear to have hardened, with operating history weighted more heavily as a filter, often at mid-career.

The story being told to career changers and graduates has not caught up with either shift.

The market is healthy for specialists and increasingly difficult for generalists.

Confidence.
Shape High. Magnitudes Medium.
Changes if.
  • 01Generalist hiring volumes recover to 2022 levels for two consecutive quarters.
  • 02Entry-level cyber postings rise materially while applicant volumes fall.
  • 03Architecture interview loops shorten back to the 2023 norm of three to four stages.

02. Finding 01. Cyber.

The cyber shortage moved up the ladder. The messaging didn't.

Entry-level cyber is oversubscribed. Mid-level and senior cyber roles are harder to fill than they were two years ago. Both things are true at the same time, and the gap between them is the story.

On the entry side, SOC analyst pipelines remain full. Graduate schemes, cyber academies, bootcamp graduates and self-taught Sec+ holders are all competing for the same junior seats, and employers have responded by raising the operational bar. A first cyber job in 2026 routinely asks for prior helpdesk or NOC time, not just a certification stack.

Instance of: Wrong Pool

On the senior side, the picture inverts. Incident response leads, cloud security engineers, GRC specialists who can actually read a control framework rather than recite one, and detection engineers who write rather than tune are all in short supply. MSSPs have absorbed some of the demand, but only the L1 and L2 layers. The shortage above that has not been automated away and is not being filled by the entry-level pipeline.

The shortage moved up the ladder. The messaging didn't.

Verdict.
Strong
Confidence.
High on shape. Medium on magnitudes.
Changes if.
  • 01Entry-level cyber postings rise faster than applicant volumes for two consecutive recruiter guides.
  • 02MSSP and automation absorption visibly extends above the L2 layer.
  • 03Mid-level cyber time-to-fill drops back to 2023 norms.

03. Finding 02. Cloud.

Cloud engineer is now two different jobs sharing one job title.

The role has split in two and the market has not agreed on what to call each half. One track is operator: someone who runs production workloads, owns the on-call rota, lives in the console and the ticketing queue, and is judged on uptime. The other track is platform: someone who writes Terraform daily, owns the CI/CD pipeline, debugs Kubernetes, and is judged on what other engineers can ship because of it.

Most postings still say cloud engineer. Most interviews now test for the platform half. That mismatch is where careers stall.

The operator track is not disappearing, but the salary ceiling has flattened and the title has lost prestige. The platform track has absorbed most of the senior cloud hiring. The salary movement has gone with it. A cloud-curious sysadmin who has not made the jump to code is in the weakest position in this market: too senior to be hired as junior, not technical enough for the platform interviews.

Cloud engineer is now two different jobs sharing one job title.

Verdict.
Strong
Confidence.
High on the split. Medium on the pace of compression.
Changes if.
  • 01Console-based cloud profiles return to senior shortlists at parity with platform profiles.
  • 02Terraform, Kubernetes and CI/CD requirements drop out of senior cloud job descriptions.
  • 03Platform engineering vacancy growth flattens for two consecutive quarters.

04. Finding 03. Architecture.

Architecture loops lengthened. Operating history is now the filter.

The architect interview has changed shape. Where a strong mid-2024 candidate could expect a three or four stage loop ending in a design exercise, the same candidate in mid-2026 should expect the loop to have lengthened, often by an additional stage or two, with at least one stage now focused on operating history. Who ran the migration. What broke. What it cost. Who escalated to you and why.

Design ability has become table stakes. The differentiator is whether the candidate has stood in front of a steering committee with a failing programme and explained it.

Internal promotions appear to be absorbing a meaningful share of senior architecture seats this year. External hiring still happens, but the loops are longer, the bar is higher, and the gap between an internal promotion and an external hire at the same grade has widened.

Verdict.
Strong
Confidence.
High on shape. Low on magnitudes.
Changes if.
  • 01Architecture loops shorten back to three or four stages across two consecutive hiring cycles.
  • 02Operating-history questions stop appearing in mid-level architect interviews.
  • 03External hires close at parity with internal promotions at the same grade.

05. The Biggest Lie

Get a cyber cert and you'll get a cyber job.

This was an overstatement in 2022. It is materially false in 2026.

Sec+, CySA+, CCSP, even CISSP for the people who shouldn't have taken it yet, none of these credentials reliably convert to a first cyber role on their own. What they prove is direction. What employers now hire on is operational exposure: a year on a helpdesk where you triaged real alerts, six months on a NOC where you escalated real incidents, time spent close enough to production to have broken something and fixed it.

Instance of: Cert Stacking

The advice to skip the operational years and go straight to cyber was always optimistic. In a market where employers can pick from a pile of candidates who hold certs but haven't worked an incident, it has stopped working entirely.

Certificates prove direction. They don't prove capability.

Confidence.
High on shape. Medium on magnitudes.
Changes if.
  • 01Employers visibly hire candidates with certs but no operational time into first cyber roles at 2022 rates.
  • 02Entry-level cyber job descriptions drop the operational-exposure requirement across two consecutive quarters.
  • 03Cyber academies and bootcamps publish first-role placement rates that hold up to scrutiny.

06. Route Watch

Eight routes worth watching between now and January 2027.

Verdict. Confidence. What would change the call. Same three lines as a Career Verdict, applied to a route rather than a person.

  • Infrastructure to Cloud

    Still the cleanest crossover in the market for an experienced infrastructure engineer who is willing to commit to code.

    Strong

    Confidence. High

  • Infrastructure to Security

    Underrated. The operational grounding employers want for mid-cyber is exactly what this route produces.

    Strong

    Confidence. Medium

  • Sysadmin to Platform

    Conditional on actually making the jump to code. The cloud-curious sysadmin variant of this route is weak.

    Strong

    Confidence. Medium

  • Helpdesk to Cyber

    Still possible. No longer fast. Two to three operational years are now the baseline, not the shortcut.

    Harder than it was

    Confidence. High

  • Networking to Cloud

    Works for the candidates who treat networking as a launchpad into platform engineering. Stalls for the ones who treat cloud as a console.

    Medium

    Confidence. Medium

  • Senior Engineer to Architect

    Lengthening loops are the main friction. Internal promotions are clearing faster than external hires at the same grade.

    Medium

    Confidence. Medium

  • Career Changer to Cyber

    Possible only via the operational route. Direct entry from a bootcamp or career-change scheme has stopped working at scale.

    Constrained

    Confidence. High

  • Career Changer to Cloud

    Better odds than cyber for a determined career changer, but the platform/operator split decides which half of the market hires you.

    Medium

    Confidence. Medium

07. What Would Change Our Mind

The consolidated falsification index.

Every call in this note carries its own conditions. Two or more of the following firing by year end would prompt a revision of The Call itself, not just the underlying finding.

  • 01Generalist hiring volumes recover to 2022 levels for two consecutive quarters.
  • 02Entry-level cyber postings rise materially while applicant volumes fall.
  • 03MSSP and automation absorption visibly extends above the L2 layer.
  • 04Console-based cloud profiles return to senior shortlists at parity with platform profiles.
  • 05Platform engineering vacancy growth flattens for two consecutive quarters.
  • 06Architecture loops shorten back to three or four stages across two consecutive hiring cycles.
  • 07External architect hires close at parity with internal promotions at the same grade.
  • 08Employers visibly hire candidates with certs but no operational time into first cyber roles at 2022 rates.

08. Methodology Note

How the calls are made and how they can be wrong.

The Market Note is read off public evidence and POST interpretation. Public evidence in this edition draws on UK Government cyber skills reports, ONS labour market data, DSIT publications, NCSC guidance, Tech Nation, and the recruiter market guides from Hays, Robert Walters and Harvey Nash. Interpretation is POST's own.

Confidence ratings are coarse on purpose. High means the shape of the call is well supported by multiple converging sources. Medium means the shape is supported but the magnitudes are not. Low means the shape is the author's read and the evidence is thin.

Every finding carries a falsification condition. The point is to be allowed to be wrong without being allowed to be vague. The next edition, the Atlas Report 2027, will revisit each of these conditions explicitly.

Interpretation versus evidence.

A note on interpretation versus evidence. Public datasets describe the shape of the labour market. They do not, on their own, tell you why a cyber loop now asks for a year of NOC time or why a cloud engineer interview is really a platform engineer interview. Those reads are POST's, not the data's. Where this note states a shape, treat the cited sources as the evidence. Where it states a cause, treat it as interpretation that the next edition is committed to grading.

Selected sources.

  • 01DSIT. Cyber Security Skills in the UK Labour Market 2025. UK Department for Science, Innovation and Technology.
  • 02ONS. Labour market overview, UK. Office for National Statistics, monthly releases through Q2 2026.
  • 03Hays. UK Salary & Recruiting Trends 2026. Technology section.

Full source mix and weightings are published with the Atlas Report 2027.

Two ways to use it.

Download the PDFOr get a verdict on your own plan

Published June 2026. Free to share. Free to quote with attribution.