JobJourney

Security Engineer Resume Example

Professional Security Engineer resume example with ATS-optimized template covering SOC pivot, cloud security, AppSec, and cleared-track lanes. Built by a Principal Security Engineer who has reviewed 200+ resumes.

Last Updated: 2026-05-06 | Reading Time: 5 min

Written by: Sofia Ramirez, Principal Security Engineer · 12 years across SOC, AppSec, and cloud security · OSCP / CISSP / CCSP · Security hiring committee at FS SaaS

Quick Stats

Average Salary: $110,000 - $220,000
Job Growth: 29% projected through 2034
Top Hiring Companies: Google, AWS, Cloudflare

Summary

A 2026 security engineer resume is a single page (1-2 for senior IC) that maps directly onto the security bar at your target lane: shipped controls, authored detections, and named scope (events/day, alert volume reduction, accounts secured), not certifications listed without context. The Bureau of Labor Statistics reports a median annual wage of $124,910 for Information Security Analysts (May 2024) with 29% projected growth through 2034 — approximately 16,000 annual openings, "much faster than average." In 2026, 95% of organizations report cybersecurity skills gaps and 59% rate them critical (ISC2 2025 Workforce Study, n=14,865), 41% list AI security as the top skill need, and 36% list cloud security. Twenty-four percent experienced cybersecurity layoffs in the same study. Resumes that get interviews lead with translation — SOC alert work re-framed as detection authorship, sysadmin work re-framed as hardening, and code review re-framed as AppSec — not flat tool lists.

Security Engineer Job Market Overview

BLS Median Salary: $124,910
Total Employed (US): 180,720
Annual Job Openings: 16,000
Competition Level: high

Top-Paying States for Security Engineers

New York: $158,870
Virginia: $152,830
California: $149,820
Maryland: $145,760
Washington: $144,290

Typical education: Bachelor's degree in cybersecurity, information assurance, computer science, or related field; relevant certifications often required | Source: U.S. Bureau of Labor Statistics, Occupational Outlook Handbook

Security Engineer Hiring Landscape in 2026

The 2026 hiring landscape for security engineers is structurally bifurcated. The ISC2 2025 Cybersecurity Workforce Study (n=14,865 across 84 countries) reports that 95% of organizations identify cybersecurity skills needs, 59% rate the gap critical, 41% list AI security as the top skill need, and 36% list cloud security — yet 24% of orgs experienced cybersecurity layoffs in the same window, 36% experienced budget cuts, and 39% paused or slowed hiring. The result is a market where senior engineers fluent in cloud-native tooling, detection-as-code, and AI-application-security are scarce while entry-level SOC and generic-security roles are not. Title fragmentation runs deeper than other tech roles: postings split across Security Engineer, Cybersecurity Engineer, Cloud Security Engineer, Application Security Engineer, Detection Engineer, DevSecOps Engineer, and the cleared-track Cybersecurity Engineer (TS/SCI) — all competing for non-identical applicant pools. Employer mix anchors compensation at three tiers: hyperscalers (Google Security Engineer total comp $188K-$484K per Levels.fyi), mid-cap tech and AI-native companies (Stripe, Datadog, Anthropic, OpenAI) above enterprise software at the senior IC bar, and federal contractors (Booz Allen, Leidos, SAIC) where TS/SCI-cleared candidates command 15-25% wage premiums. Title disambiguation matters at the ATS layer: Greenhouse, Lever, and Ashby match the posting title literally against the resume's headline for relevance scoring — match the posting's exact phrasing in your headline, then surface specialty in the summary and skills sections.

What Security Engineer Hiring Managers Actually Look For

Sourced from public hiring-manager surveys, recruiter editorial, and practitioner commentary — not invented.

"Demonstrate your desire to learn, ability to tackle problems independently, and your hands-on technical skills." The implication is that home-lab specifics, GitHub commits, and CTF performance are not optional padding — they are the hands-on evidence Tanna is screening for. A resume with three certifications and a substantive home-lab description outperforms a resume with eleven certs and no public artifacts.

Hack The Box Cybersecurity Resume Examples — Kunjal Tanna (Recruiter, LT Harper)

"List what you're doing to further your professional development, and relate your experience to security." This is the explicit translation-work directive for SOC-pivot, sysadmin-pivot, and SWE-pivot candidates: prior-role bullets have to be re-framed to surface the security-adjacent work. "Reviewed alerts" becomes "authored Sigma rules"; "managed servers" becomes "implemented hardening to CIS Benchmark."

Hack The Box Cybersecurity Resume Examples — Sabastian Hague (Lead Cybersecurity Mentor, HTB)

"I pay attention to a candidate's attitude and extracurricular activities. One example is HTB activity on a resume when hiring juniors." HTB and TryHackMe rank, CTF placements, and home-lab specifics are the credibility signal Chisamore explicitly screens for at the junior bar. Generic "active TryHackMe user" reads as nothing; "Top 5% TryHackMe; HTB Pro Hacker rank, 47 boxes pwned" reads as checkable evidence.

Hack The Box Cybersecurity Resume Examples — Jeremy Chisamore (Senior Cybersecurity Manager, Oracle)

"What I look for is GitHub profiles, vlogs/blogs, hacker community participation, HTB accounts, and continuous learning evidence." A static resume with eleven certs and no public artifacts loses to a resume with three certs and an active GitHub. Public-artifact discipline (one Sigma rule on GitHub, one tutorial repo, a blog post on a detection technique) outweighs an additional certification at the entry-and-mid bar.

Hack The Box Cybersecurity Resume Examples — Jayson Ek (Cybersecurity Director, Oasis Systems)

"Foundational certs first: CompTIA A+, then Network+, then Security+. Research certifications before investing — watch reviews and read blogs." This is the cert-by-lane calibration directive. Order matters; quantity does not. Drop entry-level certs (Security+, Network+, A+) once you have lane-appropriate advanced ones (CISSP / GCIH / OSCP / AWS Security Specialty). Listing all of them simultaneously reads as a test-prep career.

Hack The Box Cybersecurity Resume Examples — Champagne Ryder (Cybersecurity Talent, Critical Insight)

"Cybersecurity skills matter more than headcount in the AI era. We're entering an environment where we have to do more with less in many cases, and that means thinking critically about what skills our teams need rather than how many bodies." The macro framing for why the 2026 security resume has to lead with named-tool capability — the hiring committee is screening for "productive on day 30," not "trainable in 18 months." Per the 2025 study (n=14,865), 95% of orgs report skills gaps and 59% rate them critical, while 24% experienced layoffs in the same window — bifurcation favors candidates who signal specific named-tool depth.

ISC2 2025 Cybersecurity Workforce Study — Andy Woolnough (EVP Corporate Affairs)

Security Engineer Resume Examples

4 role-specific resume examples covering different career stages — each with role-specific bullets and an honest "why this works" breakdown grounded in 2026 hiring-manager practice.

Entry-Level — SOC Analyst Pivoting to Security Engineer

Entry-Level · 412 words

Scenario: Tier 2 SOC analyst with 2 years in a 24x7 rotation, applying to security engineer (detection-engineering-leaning) roles at mid-cap SaaS and financial-services companies. Has Security+, GCIH (in progress), one substantial home lab, and authored Sigma rules during their SOC tenure. The highest-volume internal funnel question in the security vertical.

Marcus Adeyemi

SOC Analyst → Detection Engineer

Plano, TX • (469) 555-0177 • marcus.adeyemi@email.com

Professional Summary

Tier 2 SOC analyst (2 yrs, 24x7 financial-services org) pivoting to detection engineering. Authored 23 production Sigma rules in Splunk SPL during the last 12 months, mapped to MITRE ATT&CK T1059 / T1547 / T1218 families. Comfortable in Splunk SPL and Microsoft KQL; reading-and-modifying depth in Python for detection automation. Active TryHackMe Top 5%; Hack The Box rank Pro Hacker.

Experience

Tier 2 SOC Analyst · Sentinel Bank (regional financial-services) · Plano, TX
May 2024 – Present
  • Authored and tuned 23 production Sigma rules covering credential dumping (T1003.001), scheduled-task persistence (T1053.005), and PowerShell encoded-command execution (T1059.001); converted via SigmaHQ to Splunk SPL and Microsoft KQL. Reduced false-positive escalations to Tier 3 by 38% over the second half of 2025, measured against the prior trailing-90 baseline.
  • Owned the SIEM playbook rewrite for the email-borne-threat workflow after the March 2025 BEC incident; documented the analyst decision tree, mapped each step to a MITRE ATT&CK technique, and added two new detection use cases (T1566.001 and T1566.002). Cited as the playbook the team uses for new-analyst onboarding.
  • Pulled into the May 2025 P1 (commodity ransomware in a finance-team subsidiary) as the on-shift Tier 2; my contribution was reading the runbook honestly, isolating the affected segment in 11 minutes via the EDR console, and writing the post-incident enrichment query that the IR lead cited in the blameless postmortem.
  • Reduced mean-time-to-acknowledge on Splunk-routed alerts from 9 minutes to 4 minutes during my rotation by tuning two false-positive-heavy correlation searches that had been generating 280+ noise alerts per shift.
SOC Intern → Tier 1 Analyst · Sentinel Bank · Plano, TX
Jun 2023 – Apr 2024
  • Promoted from intern to Tier 1 after eight months. Triaged ~120 alerts per shift on the rotation; flagged a misconfigured CrowdStrike sensor on a critical Domain Controller that had been silently failing telemetry submission for 14 days.
  • Wrote the team's first internal alert-quality scorecard (Confluence page, still maintained); used by the SOC manager to drive the Q4 2024 detection-tuning sprint.

Education

B.S., Cybersecurity · University of North Texas
May 2023 · GPA 3.6/4.0

Relevant coursework: Network Defense, Digital Forensics, Secure Coding, Cryptography Fundamentals

Skills

Technical: Splunk SPL (rule authorship, dashboard tuning) — production · Microsoft KQL (Sentinel queries) — production · Sigma (rule authorship + SigmaHQ conversion) — production · CrowdStrike Falcon — production · Microsoft Defender for Endpoint — production · Wazuh — lab depth · Python (detection automation scripts) — read-and-modify · PowerShell — read-and-modify · MITRE ATT&CK Navigator — read-and-modify · Suricata — reading · Zeek — reading · Velociraptor — reading · Volatility 3 — reading

Professional: Detection-as-code discipline · Runbook authorship and incident-handoff hygiene · Self-aware skill calibration (depth tiers stated honestly) · Postmortem-quality scorecard authorship

Certifications

  • CompTIA Security+ · CompTIA · 2023
  • GIAC Certified Incident Handler (GCIH) · GIAC · In progress, expected July 2026

Projects

Three-Tier Active Directory Home Lab · Jan 2024 – Present

Three-host Active Directory lab on Proxmox with Wazuh as the SIEM, hardened to CIS Benchmark v2.0 Level 1, used to simulate credential-theft techniques and author Sigma detections against the resulting telemetry.

  • Deployed a three-host AD environment (DC, member server, attack box) on a Proxmox hypervisor with Wazuh SIEM ingesting Sysmon (with SwiftOnSecurity config) and Windows Security event logs.
  • Configured Group Policy to CIS Benchmark v2.0 Level 1 for the member-server tier.
  • Simulated and detected Mimikatz credential dumping, Kerberoasting, and DCSync via the attack box; the corresponding three Sigma rules I wrote against my own lab telemetry were refactored into the production rule set at work after a peer review.

Tech: Proxmox · Wazuh · Sysmon · SwiftOnSecurity config · Active Directory · CIS Benchmark v2.0 · Sigma

Top 5% TryHackMe + Hack The Box Pro Hacker · 2023 – Present

TryHackMe Advanced AD path completion and Hack The Box competitive performance; CTF placements with a six-person team.

  • TryHackMe Advanced AD path completion: Windows Privilege Escalation, Active Directory Pentesting, Pentesting Fundamentals modules.
  • HTB Pro Hacker rank with 47 boxes pwned; 4th place team finish in HTB Business CTF 2025 (six-person team).

Tech: TryHackMe · Hack The Box · Active Directory pentesting · CTF

Why this resume works

Five editorial choices do the work. First, the summary names "detection engineering" as the target lane, not "security engineer" generic — the rebrand that recruiter-side commentary in r/SecurityCareerAdvice consistently recommends for SOC-pivot candidates. Second, every alert bullet has been translated to engineering language ("authored 23 Sigma rules" not "reviewed 100 alerts per shift"; "owned the SIEM playbook rewrite" not "escalated tickets") — the translation work that Sabastian Hague at Hack The Box flags as the highest-leverage move on a SOC-pivot resume. Third, the home-lab section is specific in the exact way Jeremy Chisamore (Senior Cybersecurity Manager, Oracle) recommends — three-host AD with named hypervisor, named SIEM, named CIS Benchmark version, named adversary techniques. Fourth, the certifications block is honestly tiered with an "In progress" flag for GCIH. Fifth, the skills section is structured by depth tier rather than as a flat alphabet-soup dump — the pattern Champagne Ryder calls out as the differentiator between candidates who pad and candidates who calibrate.

Mid-Level — Cloud Security Engineer (3-7 Years)

Mid-Level · 458 words

Scenario: Engineer with 4 years of cloud-security experience targeting Senior Cloud Security Engineer roles at SaaS companies and AWS-heavy enterprises. Shifted from sysadmin to cloud-security over three years; currently leads CSPM/CIEM rollout. Targets the "cloud security engineer resume" + "AWS cloud security engineer resume" + Wiz/CSPM cluster.

Esther Kim

Senior Cloud Security Engineer

Oakland, CA • (650) 555-0143 • esther.kim@email.com

Professional Summary

Cloud security engineer (4.5 yrs) responsible for security architecture across three AWS organizations (612 accounts) and one GCP organization (84 projects) at a Series-D fintech. Drove the misconfigured-S3-bucket count from 1,847 to 23 in six weeks via Wiz CSPM rollout and remediation campaigns. Comfortable in production Terraform and AWS-native security controls; competent in Python and Go at the read-and-modify level. Currently on-call for the cloud-security tooling stack handling ~2.4M daily compliance evaluations.

Experience

Senior Cloud Security Engineer · Latitude Lending · Oakland, CA
Mar 2024 – Present
  • Led the Q3 2025 CSPM rollout (Wiz, after a three-vendor evaluation against Lacework and Prisma Cloud). Wrote the evaluation memo arguing for Wiz on the basis of Cloud Detection and Response (CDR) graph depth and IAM-graph correlation, accepted the trade-off of higher list price against pricier remediation engineering on Lacework. Deployed across three AWS organizations (612 accounts) in six weeks; misconfigured-S3-bucket count dropped from 1,847 to 23, and 89% of CIEM toxic combinations resolved in the same window.
  • Owned IAM hardening for production AWS: deprecated 47 unused service roles, enforced permission-boundary policies on all developer roles, and rolled out IAM Access Analyzer external-access findings as a blocking gate in the Terraform CI pipeline. Cut over-privileged-role count by 73% measured against the November 2024 baseline.
  • Architected and shipped the GCP-to-AWS workload-identity-federation pattern that replaced 142 long-lived AWS access keys used by GCP-resident batch jobs; the design doc was reviewed by a Staff infra engineer who pushed back on the trust-boundary story, and I incorporated the feedback into v2 (added per-job audience claims to scope the federation token).
  • Authored the cloud-security on-call runbook for the Wiz + Datadog Cloud SIEM stack; rewrote it after the May 2025 P2 (compromised CI/CD credential triggered cross-account lateral movement attempts) to include the "first-15-minutes" containment checklist that the IR lead now references in cross-team training.
  • Argued explicitly against the proposed multi-CNAPP procurement (one CSPM + a separate CWPP + a separate CIEM); the integrated platform decision saved an estimated $340K annualized in licensing and three engineer-quarters of integration work that would have hit the platform team.
Cloud Security Engineer II · MidCloud Networks · Oakland, CA
Jan 2022 – Feb 2024
  • Migrated the org-wide AWS account structure from a flat-account model to AWS Organizations with three OUs (production / non-production / sandbox), enforced via AWS Control Tower guardrails. Cut "shadow AWS account" count from 18 to 0 over the rollout.
  • Implemented S3 bucket hardening across 240+ production buckets: encryption at rest with KMS CMKs, public-access block at the account level, and CIS Benchmark-aligned bucket policies. Caught one historical misconfiguration that had silently exposed log data to the public internet for 9 months; coordinated the disclosure and remediation.
Linux Systems Administrator → Junior Security Engineer · MidCloud Networks · Oakland, CA
Jun 2020 – Dec 2021
  • Promoted into security after 14 months in sysadmin; the promotion bullet was the MFA-everywhere rollout I led across the engineering organization (487 users) following the Q2 2021 phishing campaign that had bypassed legacy SMS-based 2FA.

Education

B.S., Information Systems · San Jose State University
May 2020 · GPA 3.7/4.0

Skills

Technical: AWS (Organizations, Control Tower, IAM, IAM Access Analyzer, GuardDuty, Security Hub, Config, KMS, S3, CloudTrail) — production · GCP (IAM, VPC Service Controls, Workload Identity Federation) — production · Wiz CSPM/CIEM — production · Datadog Cloud SIEM — production · Terraform (with Sentinel policies) — production · HashiCorp Vault — production · Python (boto3 automation, custom Lambda detections) — read-and-modify · Go (extending in-house IAM tooling) — read-and-modify · Azure (read-level for cross-cloud audits) — read-and-modify · Zero-trust architecture (Cloudflare Access + Okta) · CSPM/CIEM/CNAPP tooling · Supply-chain security (SBOM via Syft, SLSA L3 attestations on internal builds)

Professional: Three-vendor evaluation memos with explicit trade-offs · Cross-cloud trust-boundary review discipline (incorporates v2 feedback) · On-call ownership at 2.4M daily compliance evaluation scale · Procurement-decision argumentation against multi-vendor CNAPP

Certifications

  • AWS Certified Security — Specialty · Amazon Web Services · 2024
  • Certified Cloud Security Professional (CCSP) · (ISC)² · 2023
  • AWS Solutions Architect — Associate · Amazon Web Services · 2022

Why this resume works

Five editorial choices do the work. First, the Wiz-vs-Lacework-vs-Prisma evaluation memo bullet names the alternative options considered and rejected, with the explicit trade-off — the architectural-judgment signal hiring committees specifically screen for at the cloud-security mid-senior bar. Second, the IAM hardening bullet names the baseline (November 2024) and the percentage reduction (73%) — checkable in interview. Third, the workload-identity-federation bullet names the trust-boundary review feedback and the v2 fix (per-job audience claims) — the design-doc-iteration pattern almost no competitor template includes. Fourth, the "argued against multi-CNAPP procurement" bullet is the deliberate-non-action signal staff-leaning IC reviewers read as judgment. Fifth, the 2026-specialty line names CSPM/CIEM/CNAPP, SBOM via Syft, and SLSA L3 attestations — the supply-chain framing 2026 hiring screens for and that doorway competitors are 12-18 months behind on covering.

Senior — Network Security / Incident Response / Detection Engineering (7+ Years)

Senior · 532 words

Scenario: Senior/Staff IC (8 years total, last 4 leading multi-team detection-engineering and IR programs) targeting Senior/Staff Security Engineer roles at financial-services and large-SaaS companies. Active TS/SCI from prior defense-contractor work; currently leads the detection-engineering team at a financial-services SaaS. Targets "senior security engineer resume" + "network security engineer resume" + zero-trust/ZTNA + cleared-track keywords.

Daniel Whitford

Staff Security Engineer (IC) — Active TS/SCI Clearance

Reston, VA • (703) 555-0119 • daniel.whitford@email.com

Professional Summary

Senior security engineer (8 yrs total, 4 yrs cross-team scope) with a track record on the kinds of program-level work that is hard to fake on a resume: 47 production detections mapped to MITRE ATT&CK, two ZTNA rollouts at >4,000-employee scale, one tabletop exercise authored that is now on the org's annual cadence, and 31 blameless postmortems. Currently leading the detection-engineering team at a financial-services SaaS. Active TS/SCI from prior defense-contractor work.

Experience

Staff Security Engineer (IC) · Northbridge Capital Markets · Reston, VA
Jun 2022 – Present
  • Led a multi-quarter detection-engineering platform consolidation that took the org from a fragmented Splunk + ArcSight + Sentinel stack with 380 unmapped legacy alerts to a single Splunk Cloud + Sigma-rule-as-code pipeline with 47 production rules mapped to MITRE ATT&CK (T1059 / T1547 / T1218 / T1003 / T1078 family coverage). Wrote the consolidation proposal (14 pages, including a coverage-gap heat map against MITRE ATT&CK Navigator and an explicit list of rules I was not willing to keep), ran it through three rounds of review, and shipped four weeks late on a planned 8-month schedule. Tier-2-escalation MTTR dropped from 38 minutes to 11 minutes; analyst-tier-2 false-positive escalations dropped 41%.
  • Designed and rolled out ZTNA controls (Cloudflare Access + Okta) for the 4,200-employee organization, deprecating legacy VPN and reducing the lateral-movement surface across 18 enterprise apps. Took the heat from the network-engineering organization on the deprecation timeline; the rollout completed on schedule with one near-miss authentication-loop incident I caught in canary at the 5% traffic ramp.
  • Authored the strategic-kill memo for an in-flight UEBA project (eight pages, with an evaluation showing the cheaper Sigma-on-Splunk path covered 92% of the proposed UEBA detection coverage at 14% of the cost). Took the heat from the executive sponsor, got the decision overturned, and redirected one of the two engineers to detection-engineering, where she is now the directly responsible individual for cloud-detection coverage.
  • Owned the IR program for two years: wrote 31 blameless postmortems, four of which are still cited in onboarding material; authored the annual tabletop exercise (the 2025 ransomware-in-finance scenario was used twice as an executive briefing); served as the on-call lead for the highest-tier incident severity bucket (P0/P1) over 18 months.
  • Sponsored the team's first detection-as-code discipline; Sigma rules are now version-controlled, peer-reviewed, and shipped via GitHub Actions with automated SigmaHQ-to-Splunk-SPL conversion. I review every detection rule written by an engineer at the team-lead-and-below tier in my org.
Senior Security Engineer · Northbridge Capital Markets · Reston, VA
Jan 2020 – May 2022
  • Designed and shipped v1 of the centralized log pipeline, with Splunk Heavy Forwarders feeding the SIEM cluster; it now ingests roughly 18B daily events across the platform, using a tail-sampling strategy for high-volume noisy sources that I am still proud of three years later.
  • Co-led the response to the December 2020 SolarWinds-Orion incident across the organization; the cross-functional checklist I drafted in the first 72 hours was reused as the template for two later supply-chain incidents in 2022 and 2024.
Network Security Engineer · Booz Allen Hamilton (cleared engagement) · Falls Church, VA
Aug 2017 – Dec 2019
  • Cleared TS/SCI engagement supporting a federal civilian agency. Owned network-security architecture for a multi-segment classified network; by my own discipline, I do not name the systems, programs, or customer here. Outcomes I can describe at the unclassified level: led the migration from a hub-and-spoke firewall topology to a segment-isolation model, wrote the network-security ATO documentation that was accepted by the agency security officer on the first review pass, and trained six junior engineers who all passed clearance-cycle evaluations.

Education

M.S., Information Security · Carnegie Mellon University
May 2017
B.S., Computer Engineering · Virginia Tech
May 2015

Skills

Technical: Splunk Cloud (SPL authorship, app development) — production, last 24 months · Sigma (production rule authorship + SigmaHQ workflow) — production · MITRE ATT&CK / D3FEND — production · CrowdStrike Falcon — production · Microsoft Sentinel (KQL) — production · Cloudflare Access (ZTNA) — production · Okta — production · AWS GuardDuty + Security Hub — production · Snort / Suricata — read-and-review (still active) · Zeek — read-and-review · Velociraptor — read-and-review · Volatility 3 — read-and-review · Python detection automation — read-and-review

Professional: Detection-as-code platform consolidation leadership · ZTNA migration with cross-org deprecation timeline ownership · Strategic-kill memo authorship (UEBA-vs-Sigma, executive-sponsor overturn) · Cleared-engagement unclassified-outcome-only writing discipline · Blameless postmortem authorship at 31-postmortem volume

Certifications

  • CISSP · (ISC)² · 2021
  • GCIH — GIAC Certified Incident Handler · GIAC · 2019
  • AWS Certified Security — Specialty · Amazon Web Services · 2023

Why this resume works

Five editorial choices do the work. First, the "Active TS/SCI Clearance" line sits at the top of the document, on its own line, exactly where cleared-jobs ATS systems search for it — and the body never names compartments, codewords, programs, or systems. This is the placement NSA's resume guidance recommends and that doorway templates miss. Second, the strategic-kill memo bullet (UEBA-vs-Sigma-on-Splunk, 92% coverage at 14% of cost, redirected engineer, took heat from executive sponsor) is the willingness-to-disagree signal that is the rarest senior pattern on the SERP. Third, the platform-consolidation bullet names the framework (MITRE ATT&CK Navigator coverage-gap heat map), the scale (380 legacy alerts → 47 production rules), and the operational outcome (MTTR 38 → 11 min) — the three-layer specificity ISC2 EVP Andy Woolnough's "skills matter more than headcount" framing implies hiring committees screen for. Fourth, the Booz Allen cleared-engagement bullet demonstrates the unclassified-outcome-only writing pattern explicitly — outcomes described at the unclassified level, never naming systems, programs, or customer. Fifth, the certifications block is tiered (CISSP for managerial calibration, GCIH for IR, AWS Security Specialty for cloud) — three certs, not eleven.

Specialty — Application Security Engineer (AppSec / Supply Chain / AI Security)

Specialty · 487 words

Scenario: Engineer applying to AppSec / Product Security roles at fintechs, SaaS platforms, and AI-native companies where the bar is secure-SDLC integration and supply-chain depth. Five years in (3 SWE → 2 AppSec). Targets "application security engineer resume" + SAST/DAST/SCA cluster + 2026 supply-chain (SBOM/SLSA) and AI/ML-security (prompt injection, MLBOM) emerging-tech stack.

Léa Bourgeois

Senior Application Security Engineer

San Francisco, CA • (415) 555-0102 • lea.bourgeois@email.com

Professional Summary

Application security engineer (5 yrs total, 2 yrs AppSec after 3 yrs backend SWE). Embedded across four product squads at a Series-D AI-native fintech. Authored the secure-SDLC checklist that is now a required pre-merge gate; reduced critical-OWASP-Top-10 findings from 7 categories to 1 in two quarters. Production depth in Semgrep custom-rule authorship, Burp Suite Pro, Snyk Code, and Trivy + Syft for supply-chain. Currently building the org's first prompt-injection guardrail program against the OWASP Top 10 for LLMs.

Experience

Senior Application Security Engineer · Auriga AI · San Francisco, CA
Apr 2024 – Present
  • Led the secure-SDLC integration across four product squads (Python + Go + TypeScript backends; React frontend). Authored 38 custom Semgrep rules covering organization-specific patterns (custom-auth helpers, JWT validation paths, RAG-prompt-construction sinks); wrote the rule-tuning playbook that reduced false-positive findings by 67% over the first quarter and is now part of the AppSec onboarding sequence.
  • Identified and triaged 47 SQL injection (CWE-89), 12 broken-access-control (OWASP A01), and 8 insecure-deserialization (CWE-502) findings across 14 microservices in the first eight months — using Semgrep + Snyk Code + manual code review. Reduced OWASP Top 10 coverage gap from 7 categories to 1 (insufficient-logging-and-monitoring, which now sits with the detection-engineering team).
  • Built the org's prompt-injection detection program against the OWASP Top 10 for LLMs (LLM01 Prompt Injection, LLM02 Insecure Output Handling, LLM06 Excessive Agency). Designed and shipped guardrails for the production RAG pipeline (15M+ daily queries) including input-side classifier filtering, output-side moderation, and a red-team evaluation harness. Reduced successful jailbreak rate from 11.2% to 0.4% across the internal red-team suite over two quarters; the harness itself is now part of the pre-prod release gate for any model-update PR.
  • Implemented SLSA Level 3 build provenance across 47 microservices using GitHub Actions + in-toto attestations; the rollout detected three unauthorized dependency injections in the first quarter (one was a typosquat on a legitimate npm package, two were stale internal-mirror lookups bypassing the verification gate). Wrote the SLSA-rollout runbook that the platform team adopted as the template for their parallel build-system migration.
  • Owned the SBOM (Syft) + dependency-scanning (Trivy) tooling stack; rolled it into CI as a blocking gate above CVSS 7.0 with a documented exception process. Cut mean-time-to-remediate for high-severity third-party CVEs from 18 days to 5 days against the Q4 2024 baseline.
  • Argued explicitly against the proposed runtime application self-protection (RASP) procurement; the eval memo I wrote showed our existing WAF + tightened input validation + the SLSA pipeline already covered the threat model the RASP vendor was selling against, and the budget redirected funded the prompt-injection program above instead.
Application Security Engineer · Auriga AI · San Francisco, CA
Apr 2023 – Mar 2024
  • Joined as the second AppSec hire. Owned the migration from an unstructured "AppSec ticket queue" to a triaged-by-CWE workflow with named SLAs (critical 5d / high 14d / medium 30d). Cut backlog from 312 unrouted findings to 23 within four months.
  • Authored the org's first threat-modeling cadence (STRIDE + custom AI-augmentation column for LLM-feature work); now a required step on any product brief above the squad-pilot level.
Backend Software Engineer (Security-Adjacent) · Plaintext Systems · San Francisco, CA
Jan 2020 – Mar 2023
  • Backend engineer on the payments-events service; the security-adjacent work that became the AppSec-pivot bullet was the idempotent-write contract design (UUIDv7 + Postgres advisory locks for the dedup window) and the cross-region replication fencing that survived a third-party security review without findings.
  • Caught and fixed a TOCTOU race in the rate-limiting layer during code review (CWE-367) that would have allowed token-bucket bypass under specific concurrent-request patterns; wrote the per-account regression test that is still in the test suite.

Education

B.S., Computer Science·École Polytechnique Fédérale de Lausanne (EPFL)
Jun 2019

Distinction

Skills

Technical: Semgrep (custom rule authorship) — production · Snyk Code — production · Burp Suite Pro — production · OWASP ZAP — production · Trivy — production · Syft (SBOM generation) — production · CodeQL (read-and-modify on existing rule sets) · Python (AppSec automation) — production · Go (AppSec automation) — production · GitHub Actions (security-pipeline integration) — production · Checkov (IaC scanning) — read-and-modify · TruffleHog (secrets) — read-and-modify · Cosign (artifact signing) — read-and-modify · Supply-chain security (SBOM/SLSA/SSDF) · AI/ML application security (OWASP LLM Top 10, prompt-injection guardrails, MLBOM) · Secure-AI-coding-tool review discipline

Professional: Per-finding CWE / OWASP category mapping discipline · Threat-modeling cadence authorship (STRIDE + AI-augmentation) · Pre-prod release-gate harness integration for model updates · Vendor procurement argumentation (RASP-vs-WAF+SLSA budget redirection) · SWE-to-AppSec pivot translation discipline

Certifications

  • OSCP — Offensive Security Certified Professional · OffSec · 2024
  • CSSLP — Certified Secure Software Lifecycle Professional · (ISC)² · 2023
  • Burp Suite Certified Practitioner · PortSwigger · 2023

Why this resume works

Five editorial choices do the work. First, every finding bullet maps to a named CWE or OWASP category — CWE-89 for SQLi, OWASP A01 for broken-access-control, CWE-502 for insecure deserialization. AppSec hiring managers map every triage to OWASP/CWE IDs in the actual job, so a candidate who does not do this on the resume signals they have not done it in the role. Second, the prompt-injection program bullet is genuinely AppSec-flavored — it names the OWASP Top 10 for LLM categories (LLM01, LLM02, LLM06), the scale (15M+ daily RAG queries), the red-team-evaluation harness, and the pre-prod release-gate integration. Third, the SLSA L3 + in-toto bullet names the specific finding-class outcome (three unauthorized dependency injections — typosquat, stale internal-mirror lookups) — the supply-chain framing 2026 AppSec roles explicitly hire for. Fourth, the "argued against RASP procurement" bullet is the deliberate-non-action senior signal applied to AppSec specifically, with the budget redirection tied to the prompt-injection program. Fifth, the SWE-to-AppSec pivot bullet at Plaintext Systems (TOCTOU race in rate-limiting, idempotent-write contract review) is the bridge work the "software engineer to AppSec engineer resume" search funnel looks for.

How to Write a Security Engineer Resume

Professional Summary

Lead with the specialty lane (cloud security / AppSec / detection engineering) and one quantified scale claim — accounts secured, S3 buckets remediated, or detections authored. Two to three sentences naming one specific named-tool capability.

Work Experience

Translate every alert-triage line into engineering language. Name the framework mapping (MITRE ATT&CK technique IDs, CWE numbers, OWASP categories). Include at least one bullet that names the alternative considered and rejected — that is the senior judgment signal.

Skills Section

Tier by depth ("production depth / read-and-modify depth / reading depth") and structure by category (SIEM, cloud, AppSec, frameworks). Avoid the flat alphabet-soup dump. Tier the cert block by lane, with in-progress and expired certs flagged explicitly.

Action Verbs for Security Engineers

Authored · Architected · Hardened · Detected · Remediated · Tuned · Deprecated · Mapped · Triaged · Investigated · Containment · Mitigated · Rolled out · Consolidated · Enforced

Security Engineer Resume Keywords

These keywords appear most frequently in Security Engineer job descriptions. Include relevant ones in your resume:

Technical Keywords

SIEM · EDR · CSPM · CIEM · CNAPP · SOAR · ZTNA · IAM · MITRE ATT&CK · OWASP · CWE · Detection Engineering · Threat Hunting · Vulnerability Management · Incident Response · Penetration Testing · Cloud Security · Application Security · Supply Chain Security · AI/ML Security

Industry Keywords

Cybersecurity · Information Security · Cloud Security · Application Security · Network Security · Detection Engineering · Red Team · Blue Team · SOC · DevSecOps · Zero Trust · Compliance · NIST 800-53 · NIST CSF · ISO 27001 · PCI DSS · FedRAMP · Cleared (TS/SCI)

Tools & Technologies

Splunk · Microsoft Sentinel · CrowdStrike Falcon · Microsoft Defender for Endpoint · Wazuh · Sigma · AWS GuardDuty · AWS Security Hub · Wiz · Lacework · Prisma Cloud · Datadog Cloud SIEM · Cloudflare Access · Okta · Terraform · HashiCorp Vault · Semgrep · Burp Suite Pro · Snyk Code · Trivy · Syft · OWASP ZAP · CodeQL · TryHackMe · Hack The Box

Common Security Engineer Resume Mistakes to Avoid

Cert alphabet soup (most common 2026 mistake).

Tier the certs by lane (the 1-3 most relevant in the top tier). Drop entry-level certs once you have advanced ones (no Security+ if you have CISSP). Tag in-progress certs with a target date. Per infosecinstitute and r/SecurityCareerAdvice consensus, anything past 3-4 well-chosen certs starts looking like the candidate spent more time on test prep than real work. Lane-specific tiering: defensive (GCIH/GCIA/GCFA), offensive (OSCP/OSEP/CRTO), managerial (CISSP/CISM), cloud (CCSP/AWS Security Specialty), entry (Security+/CySA+).

SOC analyst NOT translating to engineering language.

Replace "Reviewed 100 alerts per shift" / "Escalated tickets to tier 2" with "Authored 23 production Sigma rules in Splunk SPL covering MITRE T1059 / T1547 / T1218 family, reducing Tier-3 false-positive escalations by 38%." Same work, different framing. The explicit Sabastian Hague directive in the HTB blog is to translate prior-role bullets into security-engineering language.

Home lab without specifics.

Hiring managers want WHAT you built, with WHAT tools, to WHAT spec. Pattern: "Deployed three-host AD home lab (DC, member server, attack box) on Proxmox with Wazuh SIEM ingesting Sysmon (SwiftOnSecurity config). Configured GPO to CIS Benchmark v2.0 Level 1. Simulated Mimikatz, Kerberoasting, DCSync; authored three Sigma rules detecting each." Per Chisamore and Hague in the HTB blog, named hypervisor, named SIEM, named adversary techniques are the credibility signal.

TS/SCI clearance buried at the bottom of resume.

Top of resume, immediately under name + contact, on its own line. Use exact phrasing "Active TS/SCI Clearance" or "Current TS/SCI." NEVER list compartments, codewords, or program names. Cleared-jobs ATS systems search the top one-third of the document for clearance keywords; buried equals miss. NSA Resume Do's and Don'ts PDF recommends top-of-resume placement.

Listing tools without scope or outcome.

Replace "Proficient in Splunk, Wireshark, Nessus, Metasploit" with named scope, framework mapping, and named scale: "Authored 47 production Sigma rules in Splunk SPL covering MITRE T1059 / T1547 / T1218, processing 18B daily events across a 4,200-employee org." Hiring managers cannot differentiate between "ran one Splunk query in a lab" and "maintained 200 detection rules in a SIEM ingesting 18B daily events" without the scope clause.

Listing CTF / TryHackMe without context.

Replace "Active TryHackMe user, completed 50+ rooms" with "Top 5% TryHackMe; completed Advanced AD path including Windows Privilege Escalation, Active Directory Pentesting modules. CTF: 4th place, Hack The Box Business CTF 2025 (six-person team)." Recruiters cannot differentiate 50 beginner rooms from 50 advanced rooms; named path, named modules, named CTF placement are the differentiators.

AppSec resume without OWASP Top 10 / CWE mapping.

Replace "Found bugs in code" with "Identified 47 SQL injection (CWE-89), 12 broken-access-control (OWASP A01), and 8 insecure-deserialization (CWE-502) findings across 14 microservices using Semgrep + Snyk Code + manual review." AppSec hiring managers map every triage to OWASP/CWE IDs in the actual job; not doing it on the resume signals you have not done it in the role.

Cert-stuffing in skills section.

Tier by lane (defensive: GCIH/GCIA/GCFA; offensive: OSCP/OSEP/CRTO; managerial: CISSP/CISM; cloud: CCSP/AWS Security Specialty; entry: Security+/CySA+). Flag in-progress and expired status explicitly. Listing 14 certs in a row including expired ones reads as test-prep career; expired certs without flagging the lapse are worse than not listing.

Layoff dating without context (2026 era).

Hiding a 2024-2025 cybersecurity layoff with vague dates or omitting the gap fails — ATS flags date gaps; the layoff itself is now common (24% of orgs per ISC2 2025). Pattern: "Position eliminated October 2024 in company-wide reduction; 80% of security team affected." If gap 6+ months, fill: "Oct 2024-Mar 2025: Pursued AWS Security Specialty cert; contributed 12 PRs to Sigma rules main." Hiding is more suspicious than naming.

Title mismatch with the job posting.

Match the posting's exact title in the headline of your resume. If the posting says "Security Engineer," do not headline "Cybersecurity Engineer." ATS keyword match (Greenhouse, Lever, Ashby) is binary on the exact phrase. Both spellings can appear elsewhere in the body — the headline match drives the relevance hit. Also avoid the common error of generic "Security Engineer" when the posting names a specialty (e.g., "Cloud Security Engineer," "Application Security Engineer") that you genuinely match.

Security Engineer Resume FAQs

How long should a security engineer resume be?

One page for entry-level and mid-level (0-7 years). Two pages maximum for senior, staff, and principal IC roles — and only if the second page contains material the hiring manager would read with the same attention as the first. For cleared-track resumes specifically, the one-page rule is stricter because cleared recruiters skim in 6-second windows and the clearance line + cert stack + named-tool depth all have to land on page one.

What does a security engineer resume look like in 2026?

Reverse-chronological, single-column, plain text, structured around named-tool capability rather than generic security-program framing. Structure: contact + clearance line if applicable + summary (3-4 lines, names lane and named tools) + experience + education + skills (tiered by depth) + certifications (tiered, in-progress/expired flagged). The 2026-specific differentiators that generic doorway templates miss: explicit zero-trust / ZTNA, supply-chain (SBOM/SLSA), AI-application-security if relevant, and cert-by-lane calibration. Build your resume with our AI-assisted editor at jobjourney.pro/resume-builder.

What do hiring managers look for on a security engineer resume?

Per the Hack The Box recruiter quotes (Tanna, Hague, Chisamore, Ek, Ryder): hands-on technical evidence (home lab, GitHub, HTB/CTF), continuous-learning signal, specificity over breadth (named tool + named scope + named outcome), and cert-by-lane calibration (3-5 well-chosen certs). Per ISC2 EVP Andy Woolnough: "skills matter more than headcount" — the hire has to land productive on the named tool stack on day 30, not be trainable in 18 months. The bifurcated 2026 market (95% of orgs report skills gaps, 24% have laid off in the same window) favors candidates who signal specific named-tool depth.

How do I list cybersecurity skills on a resume?

Tier by depth, structure by category. Three depth tiers ("production depth" / "read-and-modify depth" / "reading depth") and 3-5 named categories (e.g., "SIEM / detection," "Cloud-platform security," "AppSec tooling," "Frameworks," "2026 specialties"). Avoid the flat alphabet-soup dump 80% of doorway templates show. Example: "Production depth: Splunk SPL, Sigma, CrowdStrike Falcon, Microsoft Sentinel KQL. Read-and-modify depth: Python, PowerShell, MITRE ATT&CK Navigator. Reading depth: Suricata, Zeek, Velociraptor."

How do I write a security engineer resume with no experience?

Lead with hands-on evidence over credentials: home lab (specific — three-host AD with named hypervisor, named SIEM, named CIS Benchmark version, named techniques simulated), TryHackMe / Hack The Box performance (Top 5%, Pro Hacker rank, CTF placements), and one Sigma-rule or detection-rule on GitHub. Two relevant certs (Security+ + GCIH-in-progress) beat eleven beginner certs. Structure: projects + education + certifications + skills (tiered), with a summary that names the target lane explicitly. Per Jeremy Chisamore at Oracle in the HTB blog, HTB activity is the credibility signal he explicitly screens for at the junior bar.

How do I write a senior security engineer resume?

Senior security-engineer resumes are about scope: program ownership, detection authorship at fleet scale, IR-program leadership, ZTNA / supply-chain / AI-security rollout depth, willingness-to-disagree bullets (deliberate non-actions, kill memos), mentorship as team-level outcome. Two-page maximum. Lead with cleared status if applicable. Three tiered certs (CISSP + GCIH/GCFA + AWS Security Specialty) beat eleven undifferentiated ones. The strategic-kill-memo pattern (arguing against an in-flight UEBA project, redirecting the engineer, taking heat from the executive sponsor) is the rarest senior signal and the hardest to fake — feature-shipping bullets require less organizational scope.

Should I include OSCP on my security engineer resume?

Yes, if you hold it and it serves your target lane. OSCP is the entry practitioner credential for offensive / red-team / AppSec / pen-test lanes — preferred-or-required on most AppSec and offensive-track 2026 postings. For pure blue-team / SOC / detection / cloud-security lanes, OSCP is positive but not central; CISSP, GCIH, or AWS Security Specialty often serve better. Do not mention "studying for OSCP" without a target sit date. The OffSec PEN-200 progression (OSCP → OSEP → OSED) is the standard offensive-track stack-rank.

Should I include CISSP on my security engineer resume?

Yes, with the qualifier that CISSP requires 5 years of qualifying work for full status (the "Associate of (ISC)²" path applies if you have passed without the work history). CISSP is the canonical managerial / governance credential and is preferred-or-required on most senior roles in financial services, defense, and consulting. For offensive / red-team / AppSec lanes, OSCP/OSEP/CSSLP often serve better. Flag "Associate of (ISC)²" if applicable. CISSP-vs-OSCP order on the resume depends on lane: managerial / governance leads with CISSP; offensive / AppSec leads with OSCP.

How many certifications is too many on a cybersecurity resume?

Three to five well-chosen certs, tiered by lane. Past five, the pattern looks like test-prep rather than engineering, per infosecinstitute and r/SecurityCareerAdvice consensus. The exception is GIAC stacks (defensive candidates may legitimately hold GCIH + GCIA + GCFA + GCFE) — even then, list the four most-relevant on the resume. Drop entry-level certs once you have the senior version (no Security+ if you have CISSP, no Network+ if you have CCNP). Lane-specific tiering: defensive (GCIH/GCIA/GCFA), offensive (OSCP/OSEP/CRTO), managerial (CISSP/CISM/CRISC), cloud (CCSP/AWS Security Specialty/SC-100).

How do I list TryHackMe / HackTheBox / CTFs on my cybersecurity resume?

Specific or not at all. "Active TryHackMe user, 50 rooms completed" is unreadable. "Top 5% TryHackMe; completed the Advanced AD path including Windows Privilege Escalation and Active Directory Pentesting modules" is checkable. For HTB, name the rank (Pro Hacker, Elite Hacker, Guru) and any meaningful CTF placement. For CTFs, name event, finish position, and team size. Jeremy Chisamore in the HTB blog confirms HTB activity is a credibility signal at the junior bar specifically.

How do I describe my home lab on a cybersecurity resume?

Named tools, named scope, named techniques. "Built a home lab" is unreadable. Pattern: "Deployed three-host Active Directory home lab (DC, member server, attack box) on Proxmox with Wazuh SIEM ingesting Sysmon (SwiftOnSecurity config). Configured Group Policy to CIS Benchmark v2.0 Level 1. Simulated and detected Mimikatz, Kerberoasting, and DCSync; authored three Sigma rules detecting each." Hiring managers (per Chisamore/Hague in the HTB blog) want WHAT you built, with WHAT tools, to WHAT spec.

How do I transition from SOC analyst to security engineer on my resume?

Translate every alert-triage bullet into engineering language — "authored Sigma rules" not "reviewed alerts," "owned the SIEM playbook rewrite" not "escalated tickets," "tuned correlation rules to reduce false-positive escalations by 38%" not "improved alert handling." Lead the summary with the target lane explicitly named ("pivoting to detection engineering"). The Marcus Adeyemi entry-level resume above is the canonical template — every bullet on his Tier 2 SOC role is re-framed in the engineering language a hiring manager actually screens for.

How do I list my TS/SCI clearance on a security engineer resume?

Top of resume, immediately under name + contact info, on its own line. Use the recruiter-search phrasing: "Active TS/SCI Clearance" or "Current TS/SCI." NEVER list compartments, codewords, special-access programs. The NSA Resume Do's and Don'ts PDF recommends top-of-resume placement and never naming the systems or programs you supported. The Daniel Whitford senior resume above demonstrates the placement and the unclassified-outcome-only writing pattern for the cleared-engagement bullet.

How do I address a cybersecurity layoff on my resume?

Honest, brief, neutral — one phrase in the dates field, not a paragraph. Pattern: "Senior Security Engineer, [Company] — January 2023 — May 2025 (position eliminated, ~80% of security team affected in company-wide reduction)." With 24% of organizations reporting cybersecurity layoffs in 2024-2025 (ISC2 2025), the pattern is common enough to be unremarkable when handled cleanly. If the gap is 6+ months, fill it with cert work or open-source contributions. Do not editorialize, do not blame leadership, do not call it "an opportunity."

What is the best format for a security engineer resume?

Reverse-chronological with clear sections (Summary, Experience, Education, Skills, Certifications, plus Projects for entry-level / specialty pivots). Single-column, plain text. ATS systems (Greenhouse, Lever, Ashby) parse single-column reverse-chronological reliably. The "creative resume" templates on Resume.io and Zety are actively counterproductive at 80%+ of tech-native companies and at 100% of cleared / federal-contractor roles. The applicant pool faces specialty/title fragmentation deeper than other tech roles — match the posting's exact title in the headline (e.g., "Cloud Security Engineer" vs "Security Engineer (cloud focus)").

How do I make my security engineer resume ATS-friendly?

Five rules: (1) match the job posting's exact title in the headline; (2) use the named-tool keywords from the posting verbatim ("Splunk Enterprise Security" not "Splunk ES," "CrowdStrike Falcon" not "CS Falcon"); (3) plain text — no graphics, no two-column tricks; (4) tier certs and named-tool capabilities so the top-third of the document carries the highest-density keyword match; (5) for cleared roles, clearance line at the top using exact phrasing "Active TS/SCI Clearance." Greenhouse, Lever, and Ashby all parse single-column reverse-chronological reliably and match titles literally for relevance scoring. Verify with the JobJourney free ATS resume scan after exporting.

Ready to Build Your Security Engineer Resume?

Sign up free and get our full resume toolkit — ATS-optimized templates, AI-powered keyword matching for Security Engineer roles, and one-click tailoring to any job description.

Prepare for Security Engineer Interviews

Got your resume ready? Practice the most common Security Engineer interview questions with our AI coach and get real-time feedback.

Security Engineer Interview Prep Guide

Write a Matching Security Engineer Cover Letter

Pair your resume with a tailored cover letter. Browse three professionally written Security Engineer cover letter examples in different tones, plus writing tips and key phrases.

Security Engineer Cover Letter Examples

Sources & Further Reading

Every data point and insight on this page traces to a verified public source.


Sofia Ramirez has built detection programs at a hyperscaler, led AppSec at a fintech, and currently runs cloud-security architecture at a financial-services SaaS. She has reviewed 200+ security engineer resumes and writes about the SOC-to-engineer pivot, certification stack-ranking, and the OSCP-vs-CISSP-vs-CISM debate.