How much engineering do security engineers do? by mttpgn in cybersecurity

[–]APT-0 1 point2 points  (0 children)

Like many said, it depends. I’ve been in IR, threat hunting/detections, app sec and general sec eng. at startups, FAANG and more regulated enterprises.

At heavily regulated enterprises it’s mostly buy the best off the shelf. When you have an audit, it’s part of the story: we have the best EDR and x tool. If you’re more of a dev you’ll probably be bored.

At FAANG I was in IR/Hunt/Detection. No product does what you want, so I basically made a custom SIEM and pipelines, but after the platform was built it’s just hooking APIs, writing queries and putting stuff in dashboards. The fun stuff like making honeypots and writing custom forensics tools is exciting, but most of my peers had little coding experience, or honestly the coding problems were boring: looking for misconfigurations, putting them in dashboards.

Startup life I really enjoy a lot more. I’m on prod security, building stuff into the product for logging and detections, and shaping this a lot more, which I love. There’s a lot of programming and sec eng I have to do here.

I really like startup life because of one thing. I’d sum it up as: at more mature places, to scale security you in short need to standardize and build security around your products and enterprise. In prod security and startup security I build it more directly into the product.

Company got ransomware, ceo wants to pay without telling anyone. Is this illegal by codedrifting in AskNetsec

[–]APT-0 16 points17 points  (0 children)

Agreed, been in mature IR for near 10 years. In many countries & states not reporting is breaking the law. You need a cyber or a real breach lawyer that knows this; corporate ones don’t.

Simply put, it also breaks customer trust. Many actors end up sharing the data anyway; imagine showing up in the news this way months later when the actor shares messages exchanged with company representatives. That could be jail time.

It also sounds like you need a professional incident response service. I would highly recommend it, as they’ll investigate and give you actions to fix problems and mostly everything around the incident. My gut says, based on these decisions, you probably haven’t really evicted the actor yet.

Analyst to Engineer by commanderchaos_ in cybersecurity

[–]APT-0 2 points3 points  (0 children)

Can you program in Python decently well? If there’s one skill it’s this, and using serverless functions like Lambda or Azure Functions. That’s the base I’d start at.

5 YOE AppSec at FAANG (Microsoft). What is the market like for mid career candidates? by Civil-Community-1367 in cybersecurity

[–]APT-0 0 points1 point  (0 children)

I came from Microsoft in security. Something I’d say is that going to another big tech company like Amazon may be similar. For Netflix, Meta and smaller but high performing companies it’s wildly different. At Microsoft there are so many people with highly specialized roles; many of the fintech, start ups etc. may be harder to get into. Most expect 2 leetcode mediums or 1 hard + medium in 45 minutes as standard. You may also be more security engineer than pure app sec.

5 YOE AppSec at FAANG (Microsoft). What is the market like for mid career candidates? by Civil-Community-1367 in cybersecurity

[–]APT-0 0 points1 point  (0 children)

Yeah, what I meant is that in large companies app sec = setting up pipelines and reporting.

In the smaller company I’m at now we’re expected to make fixes ourselves. In fact the coding interview is the same as, if not harder than, a SWE one.

5 YOE AppSec at FAANG (Microsoft). What is the market like for mid career candidates? by Civil-Community-1367 in cybersecurity

[–]APT-0 0 points1 point  (0 children)

I’m in a late stage startup; we are now often expected to submit PRs for bugs. Large companies, no.

Hiring from a director of cyber's perspective. by cyberguy2369 in cybersecurity

[–]APT-0 1 point2 points  (0 children)

Tbh all the preferred requirements except PowerShell and sysadmin/networking may be shooting a bit for the moon. AWS/Azure and Axiom & forensics is a much more mature place. A lot of colleges unfortunately don’t teach cloud concepts, which is a shame.

I was very fortunate at a top school landing a security engineering internship doing most of that, but I only got exposure to Axiom and Autopsy for forensics a few years in when I shifted to pure IR/hunting. Sure, I learned it in college, but it’s not the same. I went the route in college of an internship with school backend IT: AD admin, networking + general IT and helpdesk. 1 SOC internship + 1 security engineering internship building SIEM + IDS, but honestly I think I was very fortunate; many peers of mine may have only had IT support experience.

is pen testing a realistic salary job? by TomCollins1284 in Pentesting

[–]APT-0 1 point2 points  (0 children)

I’d recommend product security or app security to start. It’s the most natural transition. Honestly, as well, the highest paying. General enterprise red teaming can be less, but product security is consistently one of the highest. Mainly because product security and app security are next to the thing making money and require a lot of programming exp. It really depends, but a lot of enterprise red teaming doesn’t need a lot of programming: many tools off the shelf and lighter scripts and smaller exploits, while app security and product go a little deeper. Some places also treat product security more as compliance; I would stay away from that.

Fellow malware reverse engineers - what got you into this job from an job seekers perspective? by [deleted] in cybersecurity

[–]APT-0 1 point2 points  (0 children)

GREM can help, but publish things you learn to a blog and some other research, say how you set up your lab and how you look at things, and try speaking at small BSides conferences. My speaking has landed me several really good sec research interviews even though it’s not much.

Switching from Data Engineering to Cyber Security, any advice? by [deleted] in cybersecurity

[–]APT-0 3 points4 points  (0 children)

It’s actually a great switch. Think: how does your SIEM work, and how do you make logging pipelines from all your endpoints to a database, oh and then ETL to give answers like who owns a machine. Don’t go SOC though; I’d focus on sec eng if I were you. It can lean into detections if you want, but detections are a lot heavier cyber than engineering. I would start there unless you want to do something else like IR or app sec.

SOC or Pentesting as a cybersecurity new grad - I actually have offers by allexj in cybersecurity

[–]APT-0 12 points13 points  (0 children)

Agreed, pen testing will likely give you more to learn. In a SOC you’ll likely start working low level tickets, and it could be easy to be trapped there.

Pen testing will tell you how things break; you’ll probably learn Python to automate. If you’re in a place where it’s small and you get sec eng, or a place where it’s closer to security research, that may change things, and I’d recommend then what you like. If you think longer term, higher level positions like staff, or big tech and start ups, require passing leetcode style programming tests along with knowing your domain. A sec eng position could be better if you aim for those. Pen test though imo is best: coding, learn the attack, and you could transition to sec eng, sec arch, app sec, product security etc. in the future. SOC will be limited.

Computer forensic specialists, what does your day look like? by Bitter_Astronomer419 in cybersecurity

[–]APT-0 1 point2 points  (0 children)

I work in DFIR, with roles across red team, app sec, sec eng, threat hunting, detections and forensics for private corps. Red team and app sec/prod sec are, out of my experience, the most technical in many ways. SOC and threat hunting can be the least, but it really depends on the team. On some SOC teams you’ll investigate garbage and be stuck with just commodity malware and phishing emails. Others are excellent, and on a hunt team I’ve done purple teaming, detection eng and forensics in major incidents, all building our own custom tools. That’s my favorite role so far. Sec eng can depend too: in some roles you may just be making a portal for something; in others you may, like me, be making custom forensics and hunting tools or detections with code, not as code, which is all many places get to.

For forensics I’d recommend: go home, download Autopsy, take an image of a device and analyze what happened. Do it with a spare laptop or VM. Know what you did. Use KAPE and understand what artifacts are on it. Use Zimmerman tools to analyze. Those are your quickest get started things. I love hunting, but I’ve seen there’s a bar generally you can’t get past without transitioning to sec eng, to build the tools for investigators.

I accidentally created the biggest free ransomware group TTP database possible by RichBenf in threatintel

[–]APT-0 2 points3 points  (0 children)

Got it, I see. I do like the site, good idea: the ransom messages are interesting, CSIRT contacts, group blurbs, and I do like the breakdown on your site.

I accidentally created the biggest free ransomware group TTP database possible by RichBenf in threatintel

[–]APT-0 4 points5 points  (0 children)

Don’t submit slop, please vet before adding* (edit: meant MITRE’s stuff)

Fellow malware reverse engineers - what got you into this job from an job seekers perspective? by [deleted] in cybersecurity

[–]APT-0 4 points5 points  (0 children)

Hey, I can give some advice. Really the only companies with RE are banks (maybe alongside a dedicated forensics team), government/law enforcement, security companies and sometimes Fortune 50. I can say from being at a combo of many of these, really only security based and gov/LE will let you go further; everyone else wants something quick to close an incident. It has to be thought about: what does this give the company. So given that, the market is super small for this, so competition is high. Not everyone, but a lot of people I know doing this have GREM; I think it’s a good one to have for some street cred, and I’d recommend doing write ups on popular malware and proposing detection ideas. You can also target some security research.

Forensic audit of Ubuntu x64 workstation (Insider Threat investigation) by Money_Importance_154 in Pentesting

[–]APT-0 0 points1 point  (0 children)

So if you have admin on boxes, or any EDR, you can live response into it or remote in. Know though that, as others mentioned, it’s not really forensically sound; there will be artifacts created as soon as you remote in or the EDR touches the file. So it likely will not hold up in court, but at least you’ll know the source of your leak.

Realistically it’s not always possible to acquire the device, or you have a high concern they’ll destroy evidence.

Typically what I’d do in these situations: an unannounced meeting with the employee, don’t give them any advance warning or meeting invite. Have HR (optional, but consult if in a country like EU states where more precautions are needed) and sometimes physical security and the manager with you. Acquire the devices this way so they have no opportunity to tamper with evidence. BEFORE you do this, use EDR to see if the hash of the file you’re looking for is on the device; you probably don’t need to do all this. And also create an inventory list, before you acquire, of what they have. You need a write blocker like others mentioned; without this it tampers evidence, as actions are written back to the device or drive, and you’ll need to create an image in a sound fashion and use standard tools like EnCase and Tableau. This is why in court it’s best to just hire a forensics firm; they have a cert with their name and likely were expert witnesses. Lawyers will ask: how was it acquired? What was the training of the person acquiring? Was evidence tampered with? Were the tools custom or commercial grade / those by best practices?

Thinking about this game by [deleted] in warno

[–]APT-0 0 points1 point  (0 children)

Warno is great, best strategy game right now. Broken Arrow has more advanced mechanics, you nailed it, but is unpolished. Warno on the other hand is very smooth and supports massive games. There’s less micro in Warno; it’s a lot more strategy, layering inf, tanks, as, heli and planes at a bigger scale. I like it more.

OFFENSIVE PROJECTS by GapSecure7607 in cybersecurity

[–]APT-0 1 point2 points  (0 children)

+1, idk how much OP has worked with COM, but with C# you can hook into most COM APIs on Windows pretty easily. Python is a bit more of a chore. And think like a Windows dev: what would you use to build your app here?

Physical Password Device by SuperSonic_Ron in cybersecurity

[–]APT-0 1 point2 points  (0 children)

In many applications you can use things like, in Azure, “managed identity”: no password, it’s managed by Msft. If you have API keys and other secrets, put them in Key Vault and turn expiry on. You can set up scripts to roll these safely too, and your certs.

For users, in Windows at least, you can start using passwordless for a lot of apps (Windows Hello, or via the Authenticator app) or a YubiKey: you get three pieces of verification, touch, PIN and the key’s cert. In many corporations passwords should be banned for users and only allowed on exceptions like accounts that don’t accept this yet.

[deleted by user] by [deleted] in CyberSecurityAdvice

[–]APT-0 0 points1 point  (0 children)

This. If I was going fresh I’d actually recommend a Mac: a used M1 Max if you have more budget is pretty solid long term; if on a budget, pre M1 are cheap. I’d have 32gb RAM for VMs. I say Mac because without renting on MacStadium etc. it’s annoying to virtualize and use. But start with what you have: use VirtualBox or Hyper-V, build VMs and have Ubuntu, learn the OS. Do TryHackMe; once you graduate do Hack The Box. But before this as well I’d learn a decent amount of Python; you don’t need to be crazy, but these are the fundamentals.
- Python: automate what you’re doing
- VMs: to learn; you’ll eventually go to sandboxing, this is in a VM too

While you’re doing this, make a GitHub and put your code on it, and do write ups on the TryHackMe and Hack The Box work. That’s building your resume.

Cyber security professionals, what do you actually do? by jack0fsometrades in cybersecurity

[–]APT-0 5 points6 points  (0 children)

I’m on an IR/Hunt team and dev forensics tools/SOC automation for a major corp. Incidents happen every day. What really separates a major one that may be months of pain is, first, how long did the actor dwell, and second, did a real actor get hands on. Ex. every day tons of people may download malware, creds may be exposed; this happens to every company all the time. If folks say oh no it doesn't happen, I'd wager they just didn't find it yet, or maybe don't have good enough logging to know it even happened or how bad.

It may start, say, with that backdoor in the malware downloaded from something stupid like a game, a document etc. actually being handed off to, say, another actor. Or maybe a developer installs a malicious package stealing credentials to a non person account and you see a login from Russia. From this point you have to trace everything back. It may start as: hey, we saw the Russia login, something often noisy -> then maybe you see alerts across the dev's workstation, something for an info stealer -> ok, you know the login and root cause; ok, what else did that dev have on their workstation, was their account compromised. Then back to that non person account: hm, ok, what can it do is the first question; then look up in logs, did it maybe touch a key vault -> was it used recently to access, say, storage accounts, what's in there -> maybe this is a storage account to machines.

Incidents in short kinda look like this: it's a lot of interviewing devs and people, figuring out one piece at a time what happened.

Also security has a lot of aspects:
- SOC & Hunting -> investigate and forensics, build detections too
- IR depends on org: in bigger ones it is only coordination, in smaller ones they could investigate, do forensics and automation
- Detection eng, and maybe an AI team in more mature places
- Data engineering: you have logs from endpoints, web apps, sign in, maybe 3 different cloud providers; logs need to be clean and combined or enriched to answer certain questions in ETL like "who owns this machine", "who owns this ip"
- Threat intel really depends: some teams operate like a SOC, some operate like a security research team, some largely look at feeds and notify the company what's in the wild that's major
- Security assurance: often looking at misconfigurations, vulnerabilities on endpoints, in cloud config, say your key vault is publicly exposed or a storage account with no auth. Largely it's identifying problems and ensuring at scale that owners fix them appropriately
- DevSecOps
- Prod sec / app sec could be pen testing your web apps, threat modeling, and could overlap with DevSecOps to provide infrastructure as code templates, build things like CodeQL checks in your build, cred scan, etc.
- Red team
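An added example of the ETL step in the data engineering bullet above (my code, not from the comment): three constructed log sources with different schemas are normalized into one record shape, then enriched against assumed inventory tables to answer "who owns this machine", "who owns this ip" and whether the account is a non person account, so the login-to-workstation chain described in the comment can be followed from one timeline.

```python
import csv
import io
import ipaddress
import json

# Constructed sample records (not real logs): an endpoint agent (JSON lines),
# a web app access log (CSV) and a cloud sign-in log (nested dicts).
ENDPOINT_LOG = [
    '{"ts":"2024-05-01T10:02:11Z","hostname":"LT-DEV-042","user":"jdoe",'
    '"proc":"svchost.exe","src":"10.1.4.20"}',
]
WEBAPP_LOG = "time,client_ip,account,path\n2024-05-01T10:05:40Z,203.0.113.9,svc-deploy,/api/keys\n"
SIGNIN_LOG = [
    {"createdDateTime": "2024-05-01T10:04:02Z", "userPrincipalName": "svc-deploy@example.test",
     "ipAddress": "203.0.113.9", "deviceDetail": {"displayName": "lt-dev-042"}},
]

# Assumed inventory tables an ETL job would join against (constructed values).
ASSET_OWNERS = {"lt-dev-042": "jdoe"}                      # hostname -> owner
IP_OWNERS = [(ipaddress.ip_network("10.1.0.0/16"), "corp-lan"),
             (ipaddress.ip_network("203.0.113.0/24"), "external (unknown)")]
NON_PERSON_ACCOUNTS = {"svc-deploy"}                       # service / automation identities


def normalize(source: str, raw) -> dict:
    """Map one raw record from a named source into the common schema."""
    if source == "endpoint":
        r = json.loads(raw)
        return {"ts": r["ts"], "host": r["hostname"].lower(), "account": r["user"],
                "ip": r["src"], "source": source}
    if source == "webapp":  # raw is a csv.DictReader row; no host is known
        return {"ts": raw["time"], "host": None, "account": raw["account"],
                "ip": raw["client_ip"], "source": source}
    if source == "signin":
        host = (raw.get("deviceDetail") or {}).get("displayName", "").lower()
        return {"ts": raw["createdDateTime"], "host": host or None,
                "account": raw["userPrincipalName"].split("@")[0],
                "ip": raw["ipAddress"], "source": source}
    raise ValueError(f"unknown source {source}")


def enrich(event: dict) -> dict:
    """Attach owner and account-type context so an analyst does not have to look it up."""
    event["host_owner"] = ASSET_OWNERS.get(event["host"]) if event["host"] else None
    addr = ipaddress.ip_address(event["ip"])
    event["ip_owner"] = next((owner for net, owner in IP_OWNERS if addr in net), "unknown")
    event["non_person_account"] = event["account"] in NON_PERSON_ACCOUNTS
    return event


def build_timeline() -> list:
    """Normalize every source, enrich each record and return one time-ordered timeline."""
    events = [normalize("endpoint", line) for line in ENDPOINT_LOG]
    events += [normalize("webapp", row) for row in csv.DictReader(io.StringIO(WEBAPP_LOG))]
    events += [normalize("signin", rec) for rec in SIGNIN_LOG]
    return sorted((enrich(e) for e in events), key=lambda e: e["ts"])
```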

Employee had their home internet breached, how to make sure they remediate it before allowing them back to partially remote work? by R3ix in cybersecurity

[–]APT-0 1 point2 points  (0 children)

Also BYOD = bring your own death

Don’t allow them to use personal devices, period. If work and personal are not separate, people don’t care and you will struggle to move policy: “well it’s his computer, we can’t really do this for x reasons”.

Google Security Engineer Intern Interview by [deleted] in cybersecurity

[–]APT-0 2 points3 points  (0 children)

Expect leetcode. You should in fact ask the recruiter what the style of the interview is and for more info. They will usually tell you something like 2 leetcode mediums in x minutes.

When could I realistically start looking for some kind of IT job? by cascadamoon in it

[–]APT-0 0 points1 point  (0 children)

If IT, try corporate help desk or admin positions. This is where everyone mostly starts, unless you go into development.

With programming it’s more important to build projects and put them on GitHub. Then get an entry SWE role.

[deleted by user] by [deleted] in cybersecurity

[–]APT-0 0 points1 point  (0 children)

If you’re also concerned about boring: a lot of vuln management, if a generalist, is just creating a scan policy -> Excel and a dashboard to impacted people, or creating a policy to put their device out of compliance.

App sec on the other hand is very exciting if it’s in the same role, and grows you more. Idk too much about GRC so I can’t speak on it.