by sillysaurus3 3217 days ago
Sure, but that still makes you a security lifer.

To echo a sibling - that's not a bad thing. But let's add some context.

Security is one of the few fields that can truly benefit from a holistic approach. Really good QA people who can code and work directly with both marketing and engineering can lay the same claim to their field.

Once you have enough experience in development AND security, it's easy to add product life-cycle[0] considerations into the mix. When you get that far, you're expanding into architecture and workflow engineering. And this is where it gets interesting...

If you end up being responsible for security matters as part of the engineering workflow, you will find yourself also deeply involved in compliance. People who have a solid background in development, work on architecture or product life-cycle, focus on practical security, care about engineering workflow -- and can tie all this together to satisfy compliance requirements are rare. Very rare.

Not to mention employable.

The ability to meet ever-changing compliance requirements WHILE maintaining sanity, engineering workflow and development velocity is already in high demand. It can be very satisfying too, because you end up covering architecture, production systems, development and business needs, all together. The approach has to be holistic, because nothing else works.

The common wisdom is that security is a process. It's also a mindset. And a mindset can be taught...

0: Magic acronym is "PDLC" - Product Development Life Cycle

I didn't really find it that difficult to move from security consulting/research/code audits => dev/researcher at security vendors => machine learning engineer.

So I don't know how we decide whose anecdote wins here :p

Simple. If you value your career as a dev, you won't become a pentester. :) There's no upside except intellectually. Being a dev pays more and gives you more options going forward.

That's a harsh way to frame it, but it's also accurate. (I'm speaking from experience FWIW.)

In other words, you could have become an ML engineer anyway. No reason to risk it by becoming a pentester.

One thing to note is Dev paying more than security is a bit geographically dependent.

I know dev salaries in the US are very high, but in other countries (e.g. the UK) security posts can pay pretty well relative to many development posts.

In terms of options, there are a fair number of options available after pentesting, although most of them revolve around security in one guise or another. On top of the obvious moves into IT/Infosec management, there are new fields in security which open up alongside tech.

Recently there's been an expansion with fields like malware analysis, blue teaming, incident response and red teaming showing quite good expansion.

Within "pentesting" there are areas like IoT, Automotive, maritime etc. which can offer moves for people wanting to move on from more trad. pentest roles.

I found security to be more financially rewarding than dev work (in the US) by asking developers at places I worked how much they were paid.

I wouldn't really recommend being a pentester either, but there is plenty of need for people who understand security and can code to write software.

It seems like you're having a tough time, and maybe ageism is a factor here, but none of what you're saying really meshes with my experience.

You say that like it's a bad thing!