Security Career, Nov 1, 2021
IBM RustyGo

Better future?: Detection Engineering/Threat Hunting or Malware Reverse Engineering?

I'm currently interviewing for a good amount of detection engineering/threat hunt and malware RE roles, and I already have two companies that said they are currently getting approvals to make an offer (I expect another 1-2 offers outside of these two)... so now I really need to decide which area I want to pursue. I honestly enjoy both areas, so I'm hoping other security professionals can give me their take.

I like DE/TH because I get to review/understand new attacks daily, hunt for said attacks, and potentially use ML/intermediate stats. CONS: Even though I code and do some fun ML stuff with security logs, it feels like I'm just a fancy security analyst.

I like malware reverse engineering because I love to code, I find malware super interesting (how it works and keeping up with the latest creative ways), and it's a fun brain exercise. CONS: niche skill, I feel like I might pigeonhole myself in this area, and it will be hard to find jobs because there aren't many of them... most malware/RE jobs include some kind of IR or other stuff outside of malware/RE.

For future growth I could see them both staying roughly the same or increasing, because malware isn't going to stop anytime soon and, even though security products say AI/ML, most do a shit job of correlating anything.

TC: 255k YOE: 10 #cybersecurity #security #malware #detectionengineering

Poll (49 participants)
owasp Nov 1, 2021

I’m following 👀

Tanium elitecode1 Nov 1, 2021

Interesting. They are somewhat related but also very different. One thing to think about is that a lot of companies have mixed views about DE/TH: some think it's something they can have a security analyst do, and some think it's a senior role. Nonetheless, it's still "SecOps", and I feel like that department pays the least in security. REM is an interesting skill that many people don't have. I feel like I would say go that route because it's so niche, and I bet you can get paid for that niche skill... more than a DE/TH would get. Just my thought.

IBM RustyGo OP Nov 1, 2021

I definitely feel like the red-headed stepchild being in SecOps. Even though I can code and do some advanced detection, RT/AppSec/Prod/Management sometimes look down on you because of the operations aspect. Being a "real" engineer, outside of operations, would be nice.

Tanium elitecode1 Nov 1, 2021

But then again, if you can add real value with ML to your DE/TH, you'll make bank for the next decade. Let us know what the offers are.

Slalom Consulting 420blaze Nov 1, 2021

Honestly, do whatever you enjoy most. Security work is pretty technical, so you really gotta enjoy it or it'll be hell. If you're good, you'll have a job.

IBM RustyGo OP Nov 1, 2021

Solid advice.

dönerkebab Nov 2, 2021

I would probably say malware/RE only because you said "you love to code." Sure, there can be plenty of that with DE/TH but you might be doing so in a crappy pipeline or spending your coding time on things that don't matter that much to you. I'm sure you'd likely still have exposure to the DE/TH side of things, depending where you are, since you'd likely be telling them what signatures to look for based on your analysis. At least that's the case for my current team (response side) since we work closely with our intel team. DE/TH is probably more generalized and if you are doing it at a larger company, you'll probably have more technical debt to deal with. I can't speak for the RE/malware side of things since I have less exposure to that in my role. While you might think that RE/malware is niche, I think that field will continue to grow/be valuable in particular with the growth in ICS security companies. You'd be dealing with different malware but already have the foundation to apply it to a new sector/industry. And if you ever want to be full remote / live somewhere else, you'd probably have more leverage being in a specialized field like that vs a more generalized role. In any case, good luck!

VMware jDIysoGtf0 Nov 2, 2021

Out of the two, I would recommend RE. But as you rightly said, it's a niche skill and down the line you might get limited opportunities, so it's not a bad idea to simultaneously develop other skills like appsec.

owasp Nov 3, 2021

Appsec is very different from malware/system programming, just a heads up.

owasp Nov 3, 2021

I would suggest the DE route, add in some nice ML skills, and maybe automation. You will be sought after for the next decade.

Yahoo Inc mwOP52 Nov 3, 2021

IMO DE/TH is fine as long as you don't get siloed into analyst-type work and have opportunities to do security engineering work, build automation, tools, etc. Not sure about RE, but working in a niche area is not necessarily a bad thing IMO. If you're freaking good at it, publish articles, present stuff at conferences, and do work/research that is impactful enough to contribute to the community, you'll still be highly sought after by companies. Large tech companies have large teams and roles with narrow enough focus areas, so you'll still be an asset there. Loving your job is definitely the most important thing. If you really enjoy the work, you will have the drive to excel at what you do and present good stuff at conferences / make contributions to the infosec community. Visibility matters a lot in the infosec industry: if you become well known in the community for being really good at what you do, it doesn't matter what domain in security, people will hire you.

Amazon blind monk Nov 11, 2021

From a cloud security perspective, I'm seeing DE/TH with ML gaining a lot of interest from big tech. Lots of investments are being made in this area. Maybe small companies with less security experience use security analysts for those roles, but FAANG treats threat detection engineers with a lot of respect + solid TC.

Bolt boltanon Dec 4, 2021

DE/TH requires a broad set of skills. Not many people can do this well. I foresee demand for this specific skillset increasing as more and more companies realize that their quasi-security SOAR engineers can't do anything other than set up the default playbooks. Being able to find a threat, investigate it, then automate the process is worth $$$. Feel free to DM me if you're looking around.