
Most people should not target offensive security first

The offensive-first route is presented as a default and behaves like a low-probability bet. The pentesters doing work clients actually pay full rate for came up through defensive and infra. The detour is faster than the direct route.

Published 15 June 2026 · 10 min read · By the POST editor, 20 yrs, helpdesk to security architect
Verdict

Targeting offensive security as your first role in the industry is almost always a mistake. Not because pentesting is glamorous and you're being talked down to. Because the people who succeed in offensive roles got there with three or four years of defensive or infrastructure depth underneath, and the route in without that depth is harder, longer, lower paid, and has a much higher dropout rate than the YouTube content shows.

Who this is for

  • You're considering OSCP, HackTheBox grinding, or a pentest bootcamp as your way into the industry.
  • You've been told the SOC is boring, GRC is paperwork, and the only real security work is offensive.
  • You're already six months into a labs-and-CTFs grind and the job applications aren't moving.

What the offensive market actually looks like

UK offensive consultancies hire small numbers, mostly senior, and the junior pool they do hire from is dominated by people with a CS degree, a placement year, and a CTF record going back to school. The total number of cold external juniors who get into offensive work in any given year is small enough that you could fit them in a meeting room.

The shops that hire more loosely are also the ones with the worst pay, the worst training, and the highest churn. You'll spend two years running automated scans and writing up findings on someone else's template, which is not the skill you thought you were buying.

The thing nobody explains about offensive work

Good offensive work is the inverse shape of defensive work. A pentester is paid to find what the defender missed. If you've never been the defender, you don't know what gets missed and why, and you end up producing reports that read like a Nessus export with prose on top. That's the level the market is saturated at, and it's the reason offensive juniors plateau.

The pentesters who do the work clients pay full rate for spent years as sysadmins, SOC analysts, network engineers, or developers before they ever ran an engagement. They know which findings are real, which are noise, which would actually get exploited, and which a competent ops team will close in a sprint. You don't get that from labs.

Why the YouTube route looks easier than it is

Offensive content is the most watchable corner of the industry. It's cinematic, it has clear wins, and the people producing it are usually already in the role they're describing. None of that tells you what the job market gatekeepers are looking at when they triage CVs.

Hiring managers at offensive shops read CVs in roughly this order:

  • Relevant degree or placement.
  • Production engineering or defensive time.
  • CVE or research output.
  • CTF record.
  • Certs.

The cert-heavy CV with no production time is at the bottom of that stack, and the bootcamp grad with no engineering background isn't usually on the stack at all.

The realistic route in, if you actually want offensive

Start defensive or infrastructure. Two to three years on a SOC, a sysadmin team, an infra team, or a network engineering team gives you the operational substrate that makes your offensive work credible later. During that time, keep the offensive learning going privately. Labs, write-ups, a small piece of original research if you can manage it. Move into a purple team or detection engineering role next, then offensive.

That route takes four to five years. The "OSCP then job" route, on the data, takes longer than that for most people, ends in a worse role, or doesn't end in an offensive job at all. The detour through defensive work is faster than the direct route in expectation, and it leaves you with a fallback that pays.

The exception worth naming

If you've been doing offensive work seriously since you were fifteen, you have public research, a CVE or two, a strong CTF history, and a relevant degree, ignore this essay. You're the person the small junior pool is for. The advice here is for the much larger group who've been told that grinding HackTheBox for a year substitutes for that profile. It doesn't.

The honest tradeoff

Defensive and infra work pays less in year one than the offensive salaries you've seen quoted, and the work is less cinematic. By year four the curves cross, and by year six the person who went defensive first is usually doing more interesting offensive work than the person who went offensive first, for more money, with less precarity.

Offensive-first isn't impossible. It's a low-probability bet with a long timeline and a high dropout rate, presented to beginners as the default route. That mismatch is the problem.

Where this connects on POST

For the defensive starting point, read what a Tier 2 SOC analyst actually does at 2am. For why operational time on production systems is the real ceiling in security careers, read the real bottleneck in cybersecurity careers. The pathways page lays out the defensive and infrastructure routes that actually feed offensive work later.

Authored by

The POST editor. Twenty years in the work. Helpdesk, sysadmin, network, cloud, security engineering, security architecture. POST exists because the advice given to people entering this industry is, on average, dishonest.

Last reviewed 15 June 2026. Career advice without a date is worth what you paid for it.

POST Atlas is independent practitioner commentary. Certification and product names belong to their respective owners. Views are based on observed hiring patterns, public job-market signals and practitioner experience, not vendor endorsement.
