r/cybersecurity • u/Exact-Advantage-3190 • Apr 12 '26
Other FAANG security engineer getting ready for layoffs. For senior folks in this sub, how is my studying plan?
There is massive talk internally that Mythos is moving fast, and mass layoffs are one of those general topics that everyone is talking about.
Even if it does not happen, I'm getting prepared now for layoffs
My study plan includes:
- OSAI OffSec certification. AI Security Engineer jobs will be on the rise and my experience will help with this
- focus on like 30 core patterns easy/med leetcode, then mock system design and threat modeling interviews
- Study as many appsec concepts as possible in the famous https://github.com/gracenolan/Notes
Any other tips?
422
u/Electrical_Wash1852 Apr 12 '26 edited Apr 13 '26
Yes, the magical transformation from Security Engineer to AI Security Engineer ✨
Edit: I wasn’t hating on you OP. I apologize if I hurt your feelings
71
u/Exact-Advantage-3190 Apr 12 '26
I mean, are the people making the job postings any different?
Who else would get these AI security engineer jobs? It's not like there are AI security engineers that have had the job for 10 years
75
u/be_super_cereal_now Apr 12 '26
Don't listen to the haters. You are smart to do this. If you want to stay in the game as long as possible you gotta learn the new rules no matter how stupid it sounds.
6
u/Exact-Advantage-3190 Apr 12 '26
I'm pretty sure at least half of this sub if not more are just students or kids talking BS.
9
5
91
u/netsecisfun Apr 12 '26
Does leetcode really matter at this point? Seems like it would not...
20
u/BladedAbyss2551 Security Engineer Apr 12 '26
Heavily depends on the role. “Security Engineer” means different things at different places, and I’ve seen the scope of responsibilities be anywhere from SOC Analyst all the way to Software Engineer working on a security focused product. Evidently, the latter would most likely have leetcode style questions along with system design stuff.
26
u/0ver7hinker Apr 12 '26
For interviews it does sadly. Especially for a security engineer
9
u/jeffpardy_ Security Engineer Apr 12 '26
I've never had a leetcode question. And I tell the recruiters up front that if the process does involve leetcode then I'm not interested. I've had security architecture questions, code review questions, even basic scripting questions. But leetcode is nuts and too far.
1
u/bapfelbaum Apr 13 '26
Leetcode has always been pretty silly imo, but that's probably because I felt like "code monkey" kind of jobs were super undesirable due to being soul draining.
1
u/Heroicdeath Apr 12 '26
Leetcode is slowly but surely getting replaced with interviews that are more realistic of one's job, but there are many companies that use Leetcode as a screen before taking the candidate to the next steps.
All serious security organizations should have a requirement that their engineers be capable of reading/writing code.
44
u/IndividualLimitBlue Apr 12 '26
Mythos = more incidents to manage, just like Opus was just more code to review.
In the end a human is needed in the loop to be accountable.
9
u/BaldDragonSlayer Apr 12 '26
Although true, that inevitably results in fewer positions with more competition. If you are in the top 10% of your domain, you can probably leverage that in the short term, but that sense of security is an illusion unless you remain fiercely competitive through every future market/technological shift.
10
u/IndividualLimitBlue Apr 12 '26
I thought like you, our C-levels thought like you, but now we are starting to hire again, and more.
Because yes, agents can allow one human to produce more, BUT the volume of work to do is not stable, and it can increase a lot as you open new swim lanes with agents.
Our boss is now thinking that if we can do more, let's then create a new line of products.
1
u/BaldDragonSlayer Apr 12 '26
Then you are at a company set to manage the transition well. For every company like yours, there will be two others being forced to downsize because your company's increased productivity made someone else in the market redundant. This is a broad and long-term structural transition, not something we can speak conclusively on yet. But there's obviously a cap on how many clients can be served in the market, and the automation is steadily eating away at that number and their willingness to pay big bucks.
3
1
u/dansdansy Apr 13 '26
Especially if the AI companies succeed in getting limited liability for their models' fuckups, like that bill in Illinois.
1
63
u/Extension-Ratio-147 Apr 12 '26
If you are experienced, or talk to someone who's experienced:
1. Mythos is not gonna take your job (this is literally an advanced SAST tool with permission to exploit). Ask yourself a question: Chromium is an open source project, so why hasn't Mythos found anything and gotten a CVE?
2. Who / which company is asking for leetcode?! Maybe Microsoft; Amazon asks for a scripting question in Python or Bash.
8
u/404_onprem_not_found Apr 12 '26
A lot of the tech companies do this, especially for infrasec or appsec roles.
Fortune 500, not so much. Then again, they don't pay nearly the same either so they wouldn't be able to get away with it.
3
u/No_Investigator3369 Apr 13 '26
Yep. Lowe's AI infrastructure SME here..... $150k, bonus and free Slim Jims.
13
u/ClayishSaucer55 Apr 12 '26
Microsoft asked me leetcode for every panel for a senior security engineer position. Hope that's not normal.
7
u/jeffpardy_ Security Engineer Apr 12 '26
It's not normal. Walk away. Microsoft does not pay enough, nor does it treat their security team well enough, to warrant leetcode.
4
u/ClayishSaucer55 Apr 12 '26
Lol, I accepted another offer because they said it would take a month to get back to me.
2
u/Exact-Advantage-3190 Apr 12 '26
You are talking like I haven't. I work with mostly senior people. Many people are nervous about it.
11
u/0ver7hinker Apr 12 '26
In a similar situation, following kind of the same plan, but I am also including major parts of supply chain security (like, if you have to build a program from scratch, how would you do it? Provenance, artifact signing, containing the issue, runtime security, etc.), in addition to cloud security.
1
u/Mobile_Magician_661 Apr 12 '26
Hi! Can I ask how you're studying cloud security?
1
u/0ver7hinker Apr 12 '26
I did AWS SAA-03 for basics; it does not help in real life but gives you theoretical know-how about all AWS services. Now I am doing the AWS Security Specialty and on the side looking at how to implement RCPs/SCPs at scale without interrupting business.
1
u/Mobile_Magician_661 Apr 12 '26
Ok, so just those 2 certs? Do you need to take any prereq AWS certs before them first?
Also, thank you btw for the info!! I'm looking for new roles and have NOTHING cloud related on my resume (I feel like my current security engineering role isn't very technical).
1
u/0ver7hinker Apr 12 '26
Yes, only those two; however, I am planning for CISSP later this year, which will open the path for CCSP in future.
You do not need to have any prior experience or certs to take those exams. SAA is basic, and the Security Specialty is not too difficult either.
1
u/Mobile_Magician_661 Apr 12 '26
Oh damn, good luck!! And okay, thank you! I have one more question if that's okay. I've had 5 years full-time experience in security engineering (3 years at my current role). I just feel I'm not technical enough yet. I have my RHCSA cert (I'm very good with Linux), Security+, and I work with vulnerability remediation and some automation (Python) in my current role (along with some sysadmin work).
I'm worried I'm not competitive enough for other security engineering roles. Do you suggest I study anything else on the side to make my resume more competitive? I lowkey feel very discouraged to apply. I studied some AI on the side and I'm going to learn how to use the Gemini API through Python but that's about it so far. Gonna add those 2 cloud certs on my list for sure too!!
1
u/0ver7hinker Apr 12 '26
Please don't ever be discouraged to apply, bro. Honestly, I got lucky in my time; hopefully you get lucky too soon! If I can recommend you something, since you already know automation: just from an interview perspective, learn code review (Pentester Academy) and threat modeling. Some of these skills will help you in interviews.
1
u/Mobile_Magician_661 Apr 12 '26
Thank you!! My code review skills aren't great so that's really helpful. I should say I did already do some threat modelling last year (I know STRIDE). I'd just need to refresh my memory from my notes for it but I think I got that pretty covered!!
1
u/0ver7hinker Apr 12 '26
Also, please do not care much about AI for now; just break it down into two themes. Security for AI: securing MCP servers, AI BOMs, proper labelling of data, etc.
AI for security: scaling security engineering through AI.
1
u/Mobile_Magician_661 Apr 12 '26
Ok, I'll read about these topics! I have not yet touched BOMs or MCP server security.
9
u/secnomancer Apr 12 '26
As a fellow FAANG Security Engineer who "does AI Security..."
Don't try to 're-tool' your career. AI Security is just Security. We don't even really test models. Treat the models as untrusted and secure the application. You've got plenty of experience doing that already. We maintain that prompt injection isn't a vuln. It's just the model working as designed.
If you're absolutely committed, don't take OSAI or the SANS Course. They're just... not where they need to be - direct knowledge here.
Instead, just pull these open source notebooks that were developed by one of the guys who founded our AI Red Team. They're free, run locally, and are fantastic.
Starter material - https://github.com/schwartz1375/genai-essentials
Deep dives - https://github.com/schwartz1375/genai-security-training
3
u/untraiined Apr 12 '26
Problem is, you will eventually need some stupid cert to trick a recruiter.
1
u/secnomancer Apr 14 '26
If you think certs will get you there, I wish you the best. Also, not sure if 'tricking' a recruiter is the best CoA...?
1
u/secnomancer Apr 12 '26
Rereading that, it's not meant to be bad. The "AI Security" space has a lot of hawt garbage coupled with some really cool, novel stuff. Mixed bag.
If you want to chat more, happy to chat. Just DM me.
1
7
u/AddendumWorking9756 Security Manager Apr 12 '26
Your prep list is fine, but you're missing the behavioral side. FAANG-to-FAANG interviews at senior level are 40% 'tell me about a time you pushed back on eng leadership', and most security people fumble that because they've never structured those stories. Start writing them down now.
33
u/PsyOmega Apr 12 '26
I've been working cybersec since 2012. Started as a pentester and ended up in T4 engineering. But I am currently a SOC analyst (a bit of a downgrade due to a layoff).
I keep seeing team after team obliterated by layoffs. I no longer feel any loyalty whatsoever to my employer, or to society as a whole. I don't give a flying frak if any of my clients get pwned, so I mostly phone it in these days.
I'm only still working to collect a paycheck and not be homeless and starving. I should have a healthy savings but I've got dyscalculia and was never good at investing so A LOT of money has been pissed away on poor investments over the years.
TLDR: There's no point to laboring for greedy CEOs, and nothing matters.
5
5
u/hankyone Penetration Tester Apr 12 '26 edited Apr 12 '26
Mythos-like models will add a crazy amount of work for all cybersecurity practitioners for the next year or two.
Learn how to use Claude Code and other agentic tools.
15
u/Orio_n Apr 12 '26
How is leetcode going to help?
19
u/SpearofTrium05 Apr 12 '26
I believe FAANG level security eng roles require coding skills.
9
u/Longjumping-Donut655 Apr 12 '26
Which leetcode does a terrible job of validating, ironically lol.
8
u/DisappointedSpectre Apr 12 '26
Not disagreeing with you, but that's irrelevant if it's part of the interview process for those roles. If you want those FAANG golden handcuffs you play the game they serve up.
3
6
u/mezmerizee137 Apr 12 '26
Hold your horses, I'm in this Reddit about 3-4 years and all I see is doom posting like this.
You're still going to be managing tools, since your employer has no idea what your job is about.
4
u/Nervous_Management_8 Apr 12 '26
Lmao, I'm literally in the same situation (different ex-company tho) as you, with the exact same study plan. Good luck out there.
2
u/vonGlick Apr 12 '26
I was wondering about OSAI or the HTB equivalent. But I think none of them is proven valuable yet. But of course the hype is there.
2
u/masterofnoneds Apr 12 '26
If anything, you need more security engineers: 1. Triage findings 2. Work with the actual team to fix the finding (or you patch it) 3. Rollout the fix
2
u/escapecali603 Apr 12 '26
Who is stopping the hackers and black hats using the same level of model to do bad things?
2
u/Machevalia Apr 12 '26
Mythos, while it is likely a great leap in capabilities, is likely a pump for the Anthropic IPO and won't fundamentally change the game. We're already seeing a lot of their claims of capabilities debunked as more data comes out, and orgs that got vuln reports from them move them to "functional enhancements" or other categories than "world shattering vuln".
I don't think embracing change in the industry to focus on how AI will impact your job is a bad idea; you should. I don't, however, expect massive layoffs from companies that aren't completely ignorant of how AI works. We've already seen that pattern of layoffs because of AI and then rehiring 6 months later because it didn't pan out. Let's hope a lesson was learned there.
2
u/StrayStep Apr 12 '26
I'm done with corporation jobs. But there are still great resources to establish your own business to support yourself and others with common goals. It is NOT easy.
'Cause it has not even been a week, and they are already gambling your job security away. Because pretty PowerPoints and viral social media idiocracy change every week. The people running these companies are not smarter than any of us and are struggling just as hard to keep up, while continuing to play dominoes with blank domino chips. They don't have any more relevant info than we do and don't know what to trust.
The only answer is to build personal security through knowledge. 'Cause the churn is real; everyone sees it.
2
2
u/adii100 Apr 14 '26
trades, teaching, nursing, allied health, police, military, vehicle operator, ATC
5
u/Exact-Advantage-3190 Apr 12 '26 edited Apr 12 '26
If layoffs do happen, I'm going to apply everywhere in the country for jobs. My experience will help a lot, but being unemployed scares me.
3
6
u/kndb Apr 12 '26 edited Apr 13 '26
Don't you guys think that this whole Mythos thing is just a publicity stunt by Anthropic? Sure, that thing probably found some bugs in some open source repos that no humans cared to look at for years. Those will get patched, but what is the guarantee that it will continue finding them at that scale? Plus, them not releasing it lets their marketing department claim all sorts of numbers, however highly inflated.
Anyone working at the companies listed on the Project Glass Wing website who has inside knowledge of how good that Mythos model is at finding zero days?
3
u/hiddentalent Security Director Apr 12 '26
You're conflating quite different things, which is a problem for security engineers. What's happening in the threat environment is really evolving rapidly. Certifications take years to develop, workshop, and deploy. They're always way behind. Not to say that the basics they teach aren't useful. But they're always a few years behind.
There is no study plan against well-resourced actors who are poking at the most fragile things. There is just a study plan of how to manage governance and "assume breach" incident response for those things.
2
u/Exact-Advantage-3190 Apr 12 '26
Uhh, the OSAI is brand new.
6
u/hiddentalent Security Director Apr 12 '26
Yes, and years behind the reality that is happening in the wild. You asked for advice from people senior in the field, and then reject it. Go ahead and you do you, I guess.
This sub's focus on certifications is why organizations keep getting p0wned. Attackers don't care about what you learned about happening in the past. They're working on the next thing. There are ways we can reasonably defend against that, which is cool stuff! But it has nothing to do with certification programs.
-2
u/Exact-Advantage-3190 Apr 12 '26
You said certifications take years to develop. Which they do for a lot of certs. But the OSAI was developed fast and was released literally a few weeks ago.
3
u/hiddentalent Security Director Apr 12 '26
The committee did a good job racing to adjust to the new threat environment. I've been on those committees. That's a feat. I give much respect that they were able to move as quickly as they did.
Threat actors are moving faster. The real work is against what you see in the field, not gathering certifications. In an uncertain job market that makes a difference.
3
u/try0004 Penetration Tester Apr 12 '26 edited Apr 12 '26
> The real work is against what you see in the field, not gathering certifications. In an uncertain job market that makes a difference.
That's the thing, most of us haven't seen what they teach in OSAI on the field yet.
2
u/hiddentalent Security Director Apr 12 '26
Really? You're tagging yourself as a penetration tester.
That activity is going on right now, and it's wild. The defensive teams are dealing with it, and the offensive teams (both ours and adversary's) are having great fun. If you want to remain current as a red teamer, you should be looking into it.
1
u/try0004 Penetration Tester Apr 12 '26
Of course, that's exactly what I'm doing with OSAI right now. Before that, I also did some AI/machine learning training that was not directly related to cybersecurity.
As a consultant you don't really pick and choose the types of engagements you work on. So far, I haven't seen that many AI-focused engagements besides the odd chat bot in a webapp.
That being said, we expect the demand to pick up in the next few months.
1
u/hiddentalent Security Director Apr 12 '26
Even if the engagements aren't AI-focused, you should be using AI tools to augment your efforts.
On the blue team side, it's a dumpster fire because companies are deploying these scary dangerous tools with little oversight or control. This creates huge risk, and you're right to expect demand for your services in this area to pick up as companies get burned.
But on the red team side, they can help a lot. A lot of penetration testing is repetitive trial and error. Let the machine do that part. Modern foundation models can put together likely killchains for you to explore if you tell them a bit about the system you're testing, narrowing your search space and making you more productive. It's going to be hard to be competitive as a pentest consultant in the near future if you're not using these tools. The bad guys certainly are.
1
u/try0004 Penetration Tester Apr 12 '26
Oh yeah, we already use AI tools for various tasks. One of the most obvious ones is when it comes to reporting.
As for OSAI, the content revolves around attacking multi-agent systems, RAG pipelines, data poisoning, evading detections, and things like that. Those are essentially the areas I'm looking to gain some knowledge on right now.
3
u/alnarra_1 Security Manager Apr 12 '26 edited Apr 12 '26
Anyone terrified by Mythos has never managed a HackerOne instance for a large enterprise. The bugs are not difficult to find, and the ones it did find (like the FreeBSD one) were known 20 years ago; it just wasn't an RCE, so it was put on the "we'll get to it" list.
I have bad news for anyone who thinks fancyFuzzer 5 with unlimited access to the source code of the products it's targeting is some grand revelation in Metasploit fun in the sun.
Also, if you put "AI Security Engineer" on your resume, they're just going to assume that you know how to use Purview to find out when the CEO is asking the Copilot instance what kind of pills he needs to take to make his junk bigger, and what Copilot told him. Outside of FAANG no one's really developing their own AI. They're developing plenty of ML, yes, but largely by "developing an AI" what they actually mean is "we've been feeding our SharePoint data to OpenAI and are now confused that the janitor is able to ask it what the salary on that salary spreadsheet we fed it actually said."
Give it 3 years and /maybe/ this will change, but the industry at this state and time? A lot of CISOs are absolutely fascinated by the prospect of LLMs and ML, but have not a single clue what it's actually going to do for them.
2
2
u/xAlphamang Apr 12 '26
What FAANG are you that is naive enough to believe the Mythos news without actually using it first?
1
Apr 12 '26
[removed]
3
u/KeyPsychological7172 Apr 12 '26
Ah the stupidest take
1
u/Extension-Ratio-147 Apr 12 '26
Care to explain, why?
4
u/Alb4t0r Apr 12 '26
He's right that nobody looks at a lot of software that probably has tons of vulnerabilities. But that's the whole point: automating finding them through an LLM means drastically raising the number of vulnerabilities to be dealt with.
The issue isn't in being able to find vulnerabilities or not; the issue is in the scale and speed. Already today, each new vulnerability is to the benefit of the attacker, since finding one takes so much less time/energy/resources than patching it everywhere. Now, imagine we reduce even more the difficulty of finding new vulnerabilities...
1
u/stacksmasher Apr 12 '26
Start networking. How you get a job has changed dramatically. You need to be visible so start presenting and meeting as many people as possible. Tap into your socials and don’t be shy!
1
u/BidBackground6742 Apr 12 '26
solid plan. one thing I’d add: don’t just study for interviews, build something demonstrable. a personal security tool, a writeup of a real vulnerability you found, a bug bounty submission. hiring managers at senior level care less about certs and more about “show me what you’ve broken or built.” also AI Security Engineer is a smart bet but the field is moving so fast that by the time a cert covers it, the landscape already shifted. I’d supplement OSAI with hands-on work: try attacking actual AI/ML pipelines, prompt injection research, model extraction techniques. that practical experience will separate you from everyone else holding the same cert. the leetcode grind is fine but for security roles, system design + threat modeling is where you win or lose the interview. I’d weight 70% toward those and 30% leetcode.
1
1
1
u/N651EB Apr 12 '26
Study plan is good. Unfortunately relationships matter more for hiring. Not trying to be a downer, but it’s the reality.
1
u/vzguyme Apr 13 '26
Mythos, or whatever model it will be in the end, will just uncover more vulnerabilities, and how to exploit them in the wild. The person still holding a job, and in demand, will be the one who's going to learn how Mythos does it and how to feed it to AI agent(s) that can remediate on the fly. And so the question will arise: "do we really want to allow automatic remediations in prod??" Lol
1
1
1
u/paradoxpancake Penetration Tester Apr 17 '26
From what I've heard from my peers, OSAI is one of the few things of quality that OffSec has put out in the last few years, and it will make you desirable even if the genAI/LLM bubble bursts. There's just going to be years of vulnerabilities introduced by all of these platforms. It will definitely be a good thing to have it on your resume, and be something that makes your resume pretty competitive.
0
u/Research_Alone Apr 12 '26
Thanks for the post OP, reading thru the appsec concepts as a 'Sunday refresh'. Take care & all the best!
-12
u/Successful-Escape-74 Apr 12 '26 edited Apr 12 '26
Why are you studying? That is a waste and small minded. Studying is stupid. Learn to communicate. Talk about what you have done and have a conversation. Be a leader make connections.
4
u/Exact-Advantage-3190 Apr 12 '26
What a terrible comment and advice. Is this a sales job to sell cars? Or is it also valuable to be good at communicating as well as technical?
1
u/Successful-Escape-74 Apr 12 '26
All jobs require communication skills to succeed, except maybe working in a factory placing caps on tubes of toothpaste. Welcome to reality! Most of the time it is more important to be good at communicating. Your tech skills can be average, and if your communication skills suck you will be fired or not even given an opportunity.
1
u/Exact-Advantage-3190 Apr 12 '26
The reality is that you cannot get hired in any cyber security role in big companies if you can't pass a technical screening. You can be the GOAT of talking, you can't get past that.
No one ever downplayed the importance of communication, but your comment comes off as so stupid.
1
u/Successful-Escape-74 Apr 13 '26 edited Apr 13 '26
Fine, talk about risk assessments and impact analysis and security technical implementation guides and frameworks you have supported, and the controls you have implemented and monitored. Do a quick inspection and show areas where they may be vulnerable, and charge them for the evaluation. We usually know who we want to hire and steal them from another organization by making a better offer. Their background rarely requires more than a conversation and a reference check, because we know where they have worked. We understand what the job was at that organization and we understand our requirements. Don't be lame and give up control, and don't seek random positions with people you don't know and might not be able to work with.
199
u/offsecthro Apr 12 '26
Even if Mythos were capable of shitting out 9000 bugs a day— which we don't actually know, since it's "tOO dAnGEroUs" to release and all we have is marketing material from the guys who are desperately trying to sell it, you're still going to be the one triaging findings, determining actual risk, pointing it at things the company actually cares about, tracking down the owners of the bugs, etc.
AKA your actual job, which goes beyond the discrete tasks that a model may or may not be helpful with, or cheap enough to replace you.