by arboghast 1590 days ago
Blue Team positions, junior or senior. There’s no shortage of decent penetration testers but when it comes to the other side, whether it’s incident response, detection engineering, security operations, etc it’s been very difficult.

I’m talking months to find someone. Many candidates apply and look good on paper but turn out to just lie, and have made us waste many hours of interviews.

As for the why, I suspect one of the following:

- good candidates already have a job they love

- people are not willing to relocate (job is remote but inside one of the countries we are operating in, which is 80)

- there are simply not enough people in the field, which goes back to my first point

5 comments

My view on this is that, unfortunately, blue team positions are seen as entry positions. In general blue team members have little autonomy. They don't choose the suite of tools or protocols, and have little mandate in a company to change a single thing since they're a cost centre.

The job is frustrating because many SOCs are beholden to central IT to fix even high severity issues; this generates a lot of friction. Most organizations have a big feed of alerts that trigger on everything from ransomware to a user plugging in a Razer mouse... This makes the job frustrating and boring. Contrast this to red team positions. If they're lucky they get to cowboy all through the network, never asking permission after initial sign-off. And why would they? Nobody spots what they're doing anyway, as long as you don't create problems in prod.

Those are very valid points. I had not thought of them. However, what you describe here really is not the reality of our team but I agree it’s the case in most places.

I work for a large multi-national in the entertainment industry with a really good work culture. We leave a lot of autonomy (we in fact expect people to become autonomous) and trust that we all know how to do our job. It has been very rewarding so far.

On the technical side, very few of our positions are entry level, some are but most are more advanced.

For example, we reached a maturity level where we don’t only build detections but also build unit tests for them, either by making our own payloads or by using and contributing to projects like Atomic Red Team. This requires excellent knowledge of OS internals, cloud security, system programming, etc.

Your comment makes me think we should try to reflect all of this in the job description to make the positions more appealing. There might be good candidates out there hesitating, thinking it’ll be like life in an MSSP SOC.
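To make the "unit tests for detections" practice mentioned above concrete, here is an added example (not code from the thread, nor from Atomic Red Team): a detection rule written as plain code, and a test that feeds it constructed telemetry that must fire alongside events that must stay silent. The event schema (host, event_type, parent_image, image) is assumed for illustration.

```python
# Added example, not code from the thread or from Atomic Red Team: a detection
# rule written as code plus the unit test that exercises it with constructed
# telemetry. The event schema (host, event_type, parent_image, image) is assumed.
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_spawns_script_host(event: dict) -> Optional[dict]:
    """Alert when an Office application spawns a shell or script interpreter."""
    if event.get("event_type") != "process_create":
        return None
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return {"rule": "office_spawns_script_host", "host": event.get("host"),
                "parent": parent, "child": child}
    return None


def run_detection(events: list) -> list:
    """Apply the rule to a batch of events; return the alerts raised."""
    return [a for a in map(detect_office_spawns_script_host, events) if a]


# Constructed telemetry: one event that must fire, two that must stay silent.
TEST_EVENTS = [
    {"host": "ws01", "event_type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "event_type": "process_create",  # interactive shell, benign
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws01", "event_type": "network_connect",  # wrong event type
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def unit_test() -> bool:
    """Pass only if exactly the expected alert is produced, and nothing else."""
    alerts = run_detection(TEST_EVENTS)
    return alerts == [{"rule": "office_spawns_script_host", "host": "ws01",
                       "parent": "winword.exe", "child": "cmd.exe"}]
```

Checking the negative cases is the point: a rule that fires on the benign events would fail the test just as a rule that misses the positive one does, and the test can be rerun each time the rule is changed.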

> My view on this is that, unfortunately, blue team positions are seen as entry positions. In general blue team members have little autonomy. They don't choose the suite of tools or protocols, and have little mandate in a company to change a single thing since they're a cost centre.

And companies looking for experienced people somehow expect the pipeline of candidates that often come from such a typical environment to have all kinds of advanced skills already. Which obviously doesn't work, and thus they compete for the same small-ish talent pool (which has skills also applicable in plenty of other roles) instead of building that pool.

> - people are not willing to relocate (job is remote but inside one of the countries we are operating in, which is 80)

If you hire contractors you can hire people from anywhere - you don't need a business presence.

(This message is brought to you by a contractor living in the middle of nowhere).

Unlikely to switch careers as I am an SWE already, but for my own learning, how does one learn the blue team side? Any recommended courses? I see far more penetration testing material out there.

If you don’t want to start in a junior position such as triaging, aim for things like detection engineering by learning OS internals (Windows or Linux), then also aim to learn the Win32 API. There are also lots of SOC and Blue Teams doing automation and orchestration where your existing skills could be handy.

I think people don’t want to work in blue team as it’s harder than red team. You need to keep watch 24/7 while the red side just needs to get lucky.

This, and the sibling answer, actually quite resonate with what I could be looking for! Is there any way to know more about the role(s)?