Branxl Academy

Cyber Security

Overview

Cyber security professionals protect systems, networks, and data from compromise. The field divides broadly into blue team (defence, monitoring, incident response), red team (offensive testing, penetration testing), and governance, risk, and compliance (GRC). Most entry roles are blue team. Defensive analysts working in security operations centres form the largest entry-level hiring pool in the UK.

What does the Cyber Security role involve?

  1. Blue team analysts monitor SIEM dashboards, triage alerts, investigate suspicious activity, and escalate confirmed incidents.
  2. GRC analysts review policies, run risk assessments, manage supplier questionnaires, and prepare for certifications such as ISO 27001 or Cyber Essentials.
  3. Penetration testers scope engagements, exploit vulnerabilities in a controlled way, and write detailed reports.
  4. Security engineers embed controls into software delivery: threat modelling, SAST/DAST tooling in CI pipelines, and secrets management.
  5. Most career starters begin in a SOC or IT security support role before specialising.

Skills Required

  1. Networking: TCP/IP, HTTP/S, DNS, firewalls, proxies, VPN, and packet analysis with Wireshark.
  2. Operating systems: Windows and Linux internals, Active Directory concepts, user and permission management.
  3. SIEM basics: log ingestion, query writing, alert tuning (Splunk, Microsoft Sentinel, or Elastic).
  4. Vulnerability management: understanding CVE severity, patch priority, and scanning tools.
  5. Scripting: Python or PowerShell for automation and log analysis.
  6. Identity and access management.
  7. Understanding of common attack techniques from MITRE ATT&CK.

UK Salary Range

  • Entry level (0-2 years): £22,000 to £30,000 for SOC Analyst L1 roles. £28,000 to £35,000 for roles that require some hands-on experience or a relevant cert. London adds roughly 15 to 20 percent.

  • Mid-level (2-5 years): £35,000 to £55,000. SOC L2/L3, Threat Intelligence Analyst, Security Engineer roles. Salary is higher for those who combine technical depth with certifications.

  • Senior (5+ years): £55,000 to £80,000. Security architects and heads of security at mid-size companies reach £90,000 to £120,000.

  • Penetration testing: Junior testers start at £28,000 to £38,000. CHECK Team Leader status (the senior tier of the NCSC's CHECK penetration testing scheme) pushes base to £60,000 to £80,000. Contractors with CEH, OSCP, and CHECK qualifications charge £400 to £700 per day.

  • GRC specialists: £30,000 to £45,000 entry; £50,000 to £70,000 for those with ISO 27001 lead auditor or CISM credentials.

UK Job Market

  1. The UK has a declared cyber skills shortage.
  2. Government-backed initiatives including the UK Cyber Security Council and the NCSC CyberFirst programme push demand into the public sector and critical infrastructure.
  3. MSSPs (managed security service providers) such as BT Security, Deloitte Cyber, and smaller specialist firms hire regularly at junior level.
  4. Financial services, healthcare trusts, and defence primes also have established security operations teams.
  5. Salary transparency is improving: junior SOC analyst roles advertise at £22,000 to £30,000; mid-level analysts with two to three years reach £35,000 to £50,000.
  6. Penetration testers command a premium after qualification, with CHECK-qualified testers at £50,000 to £75,000.

Who This Career Path Is For

  1. Detail-oriented people comfortable with continuous learning as the threat landscape shifts.
  2. Those who have done CTF challenges and found the process engaging.
  3. IT support professionals who want to specialise in protection and response.
  4. Career changers with a background in risk, compliance, or audit who want technical depth.

How to Get Started

Phase 1: Foundations (weeks 1-6)

  • Networking fundamentals (complete the CompTIA Network+ syllabus even if you do not sit the exam).
  • Windows and Linux operating systems: understand file permissions, process management, user accounts, and the registry.
  • Set up a home lab: one Windows Server VM and one Kali Linux VM on VirtualBox or VMware.
  • Learn to capture and read packets with Wireshark.

Phase 2: Security concepts (weeks 7-12)

  • Study the CIA triad, common attack types (phishing, SQL injection, privilege escalation), and the MITRE ATT&CK framework.
  • Practise on TryHackMe or HackTheBox using free-tier rooms.
  • Build your first investigation: take a PCAP file and write a narrative of what you see.

Phase 3: SIEM and detection (weeks 13-18)

  • Deploy a free SIEM (Elastic or Splunk Free Trial).
  • Ingest Windows event logs from your lab VM.
  • Write three detection rules: failed login attempts, new user account creation, and unusual process execution.
  • Document false positive tuning.
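The three Phase 3 rules, plus the tuning step, as an added example written for this guide (it is not Elastic or Splunk code; a real SIEM expresses the same logic in its query language). It runs over a constructed set of normalised Windows Security events, and the thresholds, hostnames, account names and file paths are assumptions. The allowlist in the first rule is the false-positive tuning: the noisy service account is documented and excluded rather than the threshold being raised for everyone.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# Constructed sample of normalised Windows Security events, shaped like what a
# SIEM holds after ingesting the Security channel. Event IDs are the real
# Windows ones: 4625 failed logon, 4624 successful logon, 4720 user account
# created, 4688 process created. Users, addresses and paths are made up.
EVENTS = [
    {"ts": "2024-03-01T09:00:01", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"ts": "2024-03-01T09:00:07", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"ts": "2024-03-01T09:00:12", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"ts": "2024-03-01T09:00:20", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"ts": "2024-03-01T09:00:31", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"ts": "2024-03-01T09:00:40", "id": 4624, "user": "jsmith", "src_ip": "10.0.0.55"},
    # svc_backup has a stale stored password on a scheduled task: known noise.
    {"ts": "2024-03-01T09:05:00", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:05:30", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:06:00", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:06:30", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:07:00", "id": 4625, "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T10:15:00", "id": 4720, "user": "backdoor2", "subject": "jsmith"},
    {"ts": "2024-03-01T10:16:00", "id": 4688, "process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": "2024-03-01T10:20:00", "id": 4688, "process": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"ts": "2024-03-01T10:22:00", "id": 4688,
     "process": r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "update.exe /silent"},
]

ADMIN_ACCOUNTS = {"it_admin"}  # accounts expected to create users (assumption)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def rule_failed_logons(events, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Rule 1: `threshold` or more 4625s for one (user, source) inside a sliding
    window. A 4624 from the same source after the burst is escalated, because
    that is the signal that the brute force worked. The allowlist is the tuning
    knob: accounts placed there are documented false positives and not counted."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] not in (4624, 4625):
            continue
        key = (e["user"], e["src_ip"])
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            if e["user"] in allowlist:
                continue
            failures[key] = [x for x in failures[key] if t - x <= window] + [t]
            if len(failures[key]) == threshold:
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
        elif len(failures[key]) >= threshold:
            alerts.append({"rule": "brute_force_success", "severity": "high",
                           "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
            failures[key] = []
    return alerts


def rule_new_account(events):
    """Rule 2: every 4720 is worth a ticket; one raised by an account that is
    not expected to administer users is high severity."""
    return [{"rule": "new_account",
             "severity": "high" if e["subject"] not in ADMIN_ACCOUNTS else "low",
             "account": e["user"], "created_by": e["subject"], "ts": e["ts"]}
            for e in events if e["id"] == 4720]


def rule_unusual_process(events):
    """Rule 3: 4688 where an Office app spawns a shell, the image lives in a
    user-writable path, or the command line carries encoded PowerShell."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        proc, parent = basename(e["process"]).lower(), basename(e["parent"]).lower()
        reasons = []
        if parent in OFFICE_APPS and proc in SHELLS:
            reasons.append("office application spawned a shell")
        if any(p in e["process"].lower() for p in USER_WRITABLE):
            reasons.append("executable in user-writable path")
        if "-enc" in e["cmdline"].lower():  # crude check; also matches -EncodedCommand
            reasons.append("encoded PowerShell command line")
        if reasons:
            alerts.append({"rule": "unusual_process", "severity": "high",
                           "process": e["process"], "parent": e["parent"],
                           "reasons": reasons, "ts": e["ts"]})
    return alerts


def run_all(events, allowlist=frozenset()):
    """Run the three rules and return the alert list a SOC queue would show."""
    return (rule_failed_logons(events, allowlist=allowlist)
            + rule_new_account(events) + rule_unusual_process(events))


if __name__ == "__main__":
    for a in run_all(EVENTS, allowlist=frozenset({"svc_backup"})):
        print(a["severity"].upper(), a["rule"], a["ts"])
```

Run it once with an empty allowlist and once with svc_backup excluded: the first run raises six alerts, the second five. That difference, with the reason svc_backup was excluded and the date you reviewed it, is the tuning record the Phase 3 step asks you to document.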

Phase 4: Specialise (weeks 19-24)

  • Choose a lane.
  • Blue team: deepen SIEM, incident response playbooks, and threat intelligence.
  • Red team: begin PortSwigger Web Security Academy and structured lab exploitation.
  • GRC: study ISO 27001 controls, NCSC Cyber Essentials, and GDPR risk documentation.

Deep guidance

Build Your Portfolio

Blue team portfolio

  • Investigation write-up: download a public PCAP file (available from malware-traffic-analysis.net) and write a 600-word analysis: what did you find, what does the traffic indicate, and what would you recommend to a SOC manager? Publish it on a personal blog or as a LinkedIn article.
  • Home lab SIEM project: document the setup of your Elastic or Splunk lab, write three detection rules with documented rationale, include a screenshot of a triggered alert and your triage process, and publish the documentation on GitHub.
  • CTF write-ups: complete five TryHackMe rooms at Easy to Medium difficulty and write a clear explanation for each: the vulnerability, your exploitation approach, and the lesson. Three strong write-ups demonstrate more than a completed-rooms badge.

Red team portfolio (only if targeting offensive roles)

  • Build a deliberately vulnerable environment (DVWA or VulnHub machine).
  • Document your penetration test as if writing a client report: scope, methodology, findings ranked by severity, and remediation recommendations.
  • Never publish exploitation of real systems.

GRC portfolio

  • Document a mock ISO 27001 gap assessment for a fictional company.
  • Write a risk register with five to ten risks, their ratings, and treatment plans.
  • This is the format GRC interviews commonly test.

How to Apply

Target roles at entry level

  • SOC Analyst L1, Junior Security Analyst, IT Security Administrator, Graduate Cyber Security.
  • Some MSSPs run structured graduate programmes (BT, Deloitte, PwC, KPMG cyber divisions).
  • These are worth applying to directly.

CV advice

  • List the platforms you have practised on (TryHackMe, HackTheBox) with your rank or completed path.
  • List your home lab tools.
  • Do not list tools you cannot explain.
  • Hiring managers will ask you to walk through your SIEM setup or describe a CTF challenge.

Certifications as signal

  • CompTIA Security+ is widely recognised and accelerates initial filtering.
  • CompTIA CySA+ is valued for SOC roles.
  • CEH is oversaturated and sometimes viewed sceptically — check what the employer actually asks for.
  • OSCP is the gold standard for penetration testing but is not required at entry level.

Where to look

  • CWJobs, LinkedIn, NCSC jobs board, and directly at MSSPs.
  • Check for CREST-accredited companies for penetration testing roles.
  • Cleared roles (SC/DV clearance) pay a premium but require you to meet nationality and UK residency criteria before clearance can be granted.

Interview Preparation

Technical questions

  • "What is the difference between IDS and IPS?" An IDS detects and alerts; an IPS sits inline and can block. Be ready to explain when you would prefer one over the other, and that in blocking mode a false positive becomes an outage rather than a noisy alert.
  • "Explain what a SIEM does." Collects logs from multiple sources, normalises them, applies correlation rules to detect patterns, and raises alerts. Mention log ingestion, query languages, and alert tuning.
  • "Walk me through how you would triage a suspicious email report." Preserve the original message with its headers, check the headers for spoofing (From against Return-Path and Reply-To, and the SPF/DKIM/DMARC results), check links against reputation services (VirusTotal, URLscan.io), detonate attachments in a sandbox, document IOCs in defanged form, determine whether the payload executed, check for lateral movement, and advise the user.
  • "What is SQL injection and how is it prevented?" The attacker supplies SQL syntax in an input field so that it changes the structure of the database query rather than being treated as a value. Prevention: parameterised queries and prepared statements, input validation, and least-privilege database accounts.
  • "You see a spike of failed login attempts against a single user account. What do you do?" Check the source IPs, frequency, and timing. Many failures against one account from one source is a brute-force pattern: first check whether any attempt succeeded, review the account's active sessions, block or rate-limit the source, and notify the user. Say what you would rule out as well: a stale password on a scheduled task or a mobile client produces the same spike and is a common false positive, and blocking one IP does nothing against a distributed source.
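The SQL injection answer above, as an added example written for this guide (not taken from any product or framework): a login check built with string formatting beside the parameterised version, with the classic quote-and-comment payload run against both. It uses the standard library sqlite3 module with an in-memory table; the account, password and SHA-256 stand-in hash are constructed for the example, and a real system would use bcrypt or Argon2.

```python
import hashlib
import hmac
import sqlite3


def _hash(password):
    # Stand-in for a real password hash (use bcrypt or Argon2 in production).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is pasted into the SQL text. A quote in the username
    closes the string literal and '--' comments out the password check, so the
    query's structure, not just its values, is under the attacker's control."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, _hash(password)))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: the username travels as a bound parameter, so the driver only
    ever compares it as a value and never parses it as SQL. The stored hash is
    then compared in constant time."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    conn = make_db()
    attempts = [("alice", "correct horse"), ("alice", "guess"),
                ("alice' --", "guess"), ("' OR 1=1 --", "guess")]
    for user, pw in attempts:
        print("%-14r vulnerable=%-5s safe=%s" % (user, login_vulnerable(conn, user, pw),
                                                 login_safe(conn, user, pw)))
```

Both payloads log in through the vulnerable function with a wrong password and fail through the safe one. Note that sqlite3's refusal to run stacked statements in a single execute() call is a driver property, not a defence: the comment-based bypass still works, which is why the answer in interviews is parameterisation first, with validation and least privilege as the extra layers.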

Practical tasks

  • Some employers send a take-home: analyse a log file and write a brief report, or investigate a hypothetical incident timeline.
  • Practise writing clear, concise investigation summaries.
  • Non-technical managers often read these.
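The header checks from the suspicious-email triage question, in the shape of the take-home described above, as an added example written for this guide (it is not from any mail gateway or SOC product). The message is constructed from RFC 5737 and documentation domains and is not a real phish; the Authentication-Results header is assumed to have been added by your own gateway, and the "two findings" verdict threshold is an illustrative choice. Sandbox detonation and reputation lookups are deliberately left out because they need network access.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message in the raw form a user forwards "as attachment"
# or a gateway exports. Every domain and address here is a documentation name.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.corp.example.com
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=corp.example.com
From: "IT Helpdesk" <helpdesk@corp.example.com>
Reply-To: helpdesk-support@example-login.net
To: jsmith@corp.example.com
Subject: Action required: password expiry
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://corp.example.com.example-login.net/reset
or contact us at https://example-login.net/help.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the gateway's Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))


def defang(url):
    """Make an IOC safe to paste into a ticket or chat without it auto-linking."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def extract_urls(msg):
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return [u.rstrip(".,;:!?)") for u in re.findall(r"https?://[^\s<>'\"]+", body)]


def triage(raw):
    """Header and link checks for a reported email. Returns the findings a
    triage note would carry; reputation lookups and sandboxing still follow."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = domain_of(from_addr)
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    findings = []
    if return_path and domain_of(return_path) != from_domain:
        findings.append("envelope sender (Return-Path) domain differs from From domain")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To redirects replies to another domain")
    auth = auth_results(msg)
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From domain")
    if auth.get("dkim", "none") == "none":
        findings.append("message carries no DKIM signature")
    urls = extract_urls(msg)
    for host in {urlparse(u).hostname or "" for u in urls}:
        # Lookalike: the legitimate domain embedded as a subdomain of something else.
        if from_domain in host and host != from_domain and not host.endswith("." + from_domain):
            findings.append("URL host %s impersonates %s" % (host, from_domain))
    return {"from": from_addr, "auth": auth, "findings": findings,
            "iocs": [defang(u) for u in urls],
            "verdict": "likely_phish" if len(findings) >= 2 else "needs_review"}


if __name__ == "__main__":
    result = triage(RAW_EMAIL)
    for finding in result["findings"]:
        print("-", finding)
    print(result["verdict"], result["iocs"])
```

The output is the skeleton of the written report: each finding is one line of evidence, the defanged URLs are the IOC list, and the verdict is what you would escalate with. Write the narrative around that, not the other way round.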

Common Mistakes to Avoid

Mistake 1: Listing tools without demonstrating use

  • Writing "Splunk, Wireshark, Nessus" on a CV means nothing without context.
  • Name the specific thing you used it for: "Built detection rules in Elastic SIEM to identify brute-force attempts in a home lab environment."

Mistake 2: Only studying for certifications

  • Security certs are useful signals but they do not replace hands-on practice.
  • Employers test whether you can actually investigate an alert, not whether you passed a multiple-choice exam.

Mistake 3: Skipping the networking fundamentals

  • Candidates who do not understand TCP handshakes, port numbers, and how DNS resolution works will struggle with every practical security concept that follows.
  • Networking is the foundation.

Mistake 4: Targeting red team roles too early

  • Offensive security (penetration testing) is a specialist, often senior path.
  • Most entry roles are defensive.
  • Trying to start as a pentester without defensive experience is unusual and unnecessary.
  • Build defensive skills first.

Mistake 5: Vague investigation write-ups

  • "I found a vulnerability and reported it" is not a portfolio artefact.
  • Describe what you found, what evidence you collected, what it indicated, and what your recommendation was.
  • Specificity is what separates strong candidates.

Mistake 6: Not understanding the GDPR and UK data protection landscape

  • Many UK security roles intersect with compliance.
  • Even blue team analysts need to understand breach notification timelines and what constitutes personal data.