Skip to content
Open source security career ladders
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.


Type Name Latest commit message Commit time
Failed to load latest commit information.
.DS_Store Commit Dec 23, 2019

Security Ladders


Product Security Group (PSG) offers Security Ladders; a collection of documents to categorize the knowledge and experience expected of security experts at a given point during their careers.


Well, in our journey through the ranks we had to make these up as we went. That coupled with the number of folks we mentor asking us how to advance, we felt the best way to help is to open source what we developed so the community could benefit from what we have learned. They are by no means complete but they are a good start for folks that need some guidance.

Blog Series

🆕 1/13/2020 - We decided to launch a 3-part blog series to help folks get the most out of these career ladders. Part 1 dropped today which expands sections of the README to provide more detail.

PART 1 - We don't need no stinking ladders

PART 2 - No I've been nervous lots of times

PART 3 - Harry I've reached the top

General structure

Functional Skills

Specific area folders in root specifies a specific career track in the security field. Initially, Security Ladders covered 7 security areas:

  • Chief Security Officer
  • Information Risk
  • Infrastructure Security
  • Physical Security
  • Product Security
  • Business Security Managers
  • Security Operations (SOC)

These initially included three file types:

  • [AREA] - Expected functional duties/knowledge
  • [AREA] - U.S. Federal NICE equivalents
  • [AREA] - salary/time-at-level expectations for Boston

Non-functional Skills

Additionally, there is a folder called ( GENERAL_KNOWLEDGE GK) This folder contains the business/non-functional skills that are required for each level. There are three files in the folder.

 * - This outlines non-functional skills required for your level.
 * - This outlines management specific skills for those positions.
 * - Like the other roles, we added a generic mapping to NICE.

How do I use these files

  1. Start with the function you are looking for and locate the folder.
  2. Open the file (Abbreviation) - this contains the functional requirements for each level.
  3. Find the level you are looking for and review the skills.
  4. Open the located in the General_Knowledge folder to see the non-functional for the level you are looking for.
  5. Review the non-functional skills.
  6. To determine where you sit in the salary department, we provided Boston-area salary information. Just a note: Salaries in Boston tend to be roughly 25% greater than the US national average.
  7. If you are basing you program on National Initiative for Cybersecurity Careers and Studies, we have provided a basic mapping to the NICE roles/skills we thought were relevant.


PSG anticipates, with collaboration throughout the security field, to add more specific career ladders in each area and expand on salary/time expectations in other geographical locations.

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Templates_[TMP] directory

If you want to create a brand-new ladder, we provided a template directory that has an example of each type of file.


You can’t perform that action at this time.