u/RoosterInMyRrari

Use of coding in security operations

I am currently a senior IR/Detection Engineer. I have never once in the 6 years I’ve been doing security operations had to write any code of substance outside of one-off scripts, because of AI and low-code/no-code automation platforms.

Because of this, I don’t ask about experience with coding at all when I interview folks for SecOps roles.

Do you guys write code often in your role outside of one-off scripts or something you could code in 5 minutes with AI? And if so, for what end?

reddit.com
u/RoosterInMyRrari — 19 hours ago

I’ve now run through the technical interviewing process a few times as a Senior IR/DetEng person and just wanted to give my two cents on what I’ve learned about interviewing and the cyber talent pool today:

  1. Making an interview more of a conversation about cyber, or creating a scenario for candidates to work through, rather than random trivia is going to tell you a lot more about a candidate's ability to think and what level of knowledge they have. Candidates seem almost surprised by the end of the interview because they weren’t peppered with questions, which imo is an indictment of the cyber interview process at a lot of places.

  2. Many candidates embellish their resume far too much. Please be prepared to talk about what’s on your resume, so if you put that you reduced FP rates in the SIEM by X%, you can actually tell me how you did it, your thought process, etc.

  3. Unfortunately, many folks that come from SOC backgrounds tend to be on rails at their jobs. What I mean by that is an alert comes in, they do A, B, and C, and by "do A, B, and C" it usually means triggering a SOAR workflow; then they may analyze that info and close it or pass it to T2, or if they are T2, pass it to T3. I have never worked in a tiered SOC, but it is really unfortunate how pigeonholed people can get, and it shows in interviews when it comes to critical thinking about an incident scenario (not saying it’s their fault, just an observation).

  4. For your resume, if applying for higher level roles, please do not just put a job description of a SOC/IR Analyst or a Detection Engineer (like triaged alerts, wrote reports, wrote alerts, etc.). If you put those as your job title, I already know you do that stuff. Tell me about projects or what you did at your current spot that improved something (and be prepared to talk about it), or that was maybe different from the other person who was applying with the same job title at a different org.

  5. For folks trying to break in, put your cyber projects at the top of your resume above non-cyber related work experience. Also, do not just say “home lab”. Tell me what you did with that home lab and why what you did would matter if it was my org's SIEM.

  6. Please stay abreast of what’s happening in the cyber world. And I’m talking like log4j, ClickFix, etc level of notoriety. I don’t expect you to have read an article from a boutique cyber firm blog about a novel exploit. It goes a long way to know that at least you checked X or BleepingComputer in the last few months and are proactive about whatever the latest TTPs are.

These are just a few of my observations. Feel free to disagree, but this is what I’ve seen from where I’m at.

u/RoosterInMyRrari — 25 days ago