[throwaway8367]

A bunch of comments here warn that you may become unemployable in software engineering as a result. A so-called "security lifer".

I think that's a little silly. I work for one of the top security consulting firms and it's just not my or anyone else I know's reality. In fact, the total opposite seems to be true. We have talented code reviewers and tool writers move on to work at tech companies all the time. These people are still interested in security and from what I've heard, they end up working on or even leading some really cool software engineering projects.

I suppose if you woke up one day and decided that you're no longer interested in security at all, it may be difficult to pivot back if you stopped writing code. But that does not sound like the typical person who was originally interested in both security and code. Most security consultants I know who came from writing code really excel in security doing code review, architecture review, tool dev, etc. and those are all things that can translate back into software engineering experience on a resume.

Of course some people's experiences will differ. There are plenty of employers out there who are biased or looking for a very specific background. But these cases are far from the norm. Perpetuating the whole "security is a dead-end, life-long job" narrative is spreading needless FUD and prevents the industry from maturing.