RoleCybersecurity

Detection Engineer

Write Sigma/Splunk rules, tune noise, hunt the gap your SIEM missed.

The verdict

The most defensible blue-team specialism going. Smaller market than SOC, much harder to be bad at, much harder to be replaced.

Pick this if

You enjoy adversary behaviour more than alerts and dashboards
You can write code, properly, not just KQL one-liners
You want a seat that compounds, every detection you write is yours
You're patient enough to tune for months before you see clean signal

Skip this if

You're hoping detection engineering will get you off shift work without doing the homework
You don't enjoy reading other people's incident reports for fun
You can't work without immediate feedback, the loop here is long

What "doing well" looks like in the seat

Your detections survive a year without retuning
You can read a threat report and ship coverage from it the same week
Red team finds your rules before they find your gaps
Other analysts copy your detection structure without being told

The bit you're probably underestimating

The role assumes a foundation that bootcamps don't teach: SOC time, IR exposure, real coding ability, and a working theory of how adversaries operate. Without that, you'll spend a year writing rules that fire on benign noise and a second year being quietly moved back to triage. Earn the seat by doing detection-adjacent work inside SOC first. Skip the queue and you'll get found out fast.

Tradeoffs at a glance

Hover any chip for the calibrated meaning. Ratings are directional, not absolute.

Promotion ceiling

Strong. Staff Detection / Threat Engineering tracks are well established.

Who actually gets in

+SOC analyst
+IR analyst
+Sysadmin with security interest

Common misconceptions

−That it's just rule-writing, modeling adversary behavior is the real work.

Where this leads

Threat Hunter
Security Engineer
Purple Team

Certifications people pair with this

Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.

Pathways that pass through here

Where this fits

Roles connect to pathways, certs and other roles. Use one to test the next.

Pathways that touch this

Roles to consider

Certifications in scope

Perspectives that bear on this

The realistic SOC analyst path
Most guides describe the job a SOC analyst wishes they had. Here's the one they actually do.

The serious next step

You've read about the role. The harder question is whether it's the right one for you.

A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.

Plateau zone

The flat year nobody warns you about, named and timed.

Reality vs Fantasy

Your actual five-year curve against the one you've been sold.

What to sit and what to skip

Each cert on your list: useful, optional, or skip, with reasons.

The call

A single written judgment on whether your plan holds up.

Tradeoff spectrum

What you're giving up for what you're choosing, plotted.

Decisive factors

The two or three things that will actually make or break this.

See what a Career Verdict looks like £25 · one verdict, yours to keep

Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.

All roles