Security Ladders


Product Security Group (PSG) offers Security Ladders: a collection of documents that categorize the knowledge and experience expected of security experts at a given point in their careers.


Well, in our journey through the ranks we had to make these up as we went. Given that, and the number of folks we mentor who ask us how to advance, we felt the best way to help was to open source what we developed so the community could benefit from what we have learned. They are by no means complete, but they are a good start for folks who need some guidance.

Change Log

🆕 11/02/2021 - We have posted out new salary data for the Boston area. Thing to note: In the COVID world of remote work, we have definitely seen salaries norm to a pretty standard level. We have not seen the big swings in salaries based on geography that we have seen in the past. This is good news for a lot of folks who are living in smaller metro areas. Additionally, the demand for product security folks is surging and it is definitely a seller's market for folks with skills.

08/18/2020 - We have posted out new salary data for the rest of New England. There are a couple of notes:

  • Coverage - The New England ladders cover roughly from Portland, ME over to Burlington, VT down to New Britain, CT over to Providence, RI and up to Manchester, NH. This includes cities such as Hartford, Springfield, Worcester, Concord, etc.
  • Stamford, CT - This was a bit tricky. In many ways it was more like NYC than the rest of New England. Our suggestion is folks use the Boston ladders instead of the New England ladders for Stamford/Greenwich CT.
  • Northern Maine - To be honest, we were unable to get much in the way of data north of Portland, ME, so the cities of Augusta and Bangor may be slightly different.
  • CSO - There was very little difference in CSO pay across New England. We have included a file for continuity's sake, but the values will be the same as metro-Boston.

Blog Series

We provided a 3-part blog series to help folks get the most out of these career ladders. Part 1 dropped today and expands sections of the README to provide more detail.

PART 1 - We don't need no stinking ladders

PART 2 - No I've been nervous lots of times

PART 3 - Harry I've reached the top

General structure

Functional Skills

Each area folder in the root specifies a career track in the security field. Initially, Security Ladders covered 7 security areas:

  • Chief Security Officer
  • Information Risk
  • Infrastructure Security
  • Physical Security
  • Product Security
  • Business Security Managers
  • Security Operations (SOC)

These initially included three file types:

  • [AREA] - Expected functional duties/knowledge
  • [AREA] - U.S. Federal NICE equivalents
  • [AREA] - salary/time-at-level expectations for Boston

Non-functional Skills

Additionally, there is a folder called GENERAL_KNOWLEDGE (GK). This folder contains the business/non-functional skills that are required for each level. There are three files in the folder.

 * - This outlines non-functional skills required for your level.
 * - This outlines management specific skills for those positions.
 * - Like the other roles, we added a generic mapping to NICE.

How do I use these files

  1. Start with the function you are looking for and locate the folder.
  2. Open the file (Abbreviation) - this contains the functional requirements for each level.
  3. Find the level you are looking for and review the skills.
  4. Open the file located in the General_Knowledge folder to see the non-functional skills for the level you are looking for.
  5. Review the non-functional skills.
  6. To determine where you sit in the salary department, we provided Boston-area salary information. Just a note: Salaries in Boston tend to be roughly 25% greater than the US national average.
  7. If you are basing your program on the National Initiative for Cybersecurity Careers and Studies, we have provided a basic mapping to the NICE roles/skills we thought were relevant.


PSG anticipates, with collaboration throughout the security field, adding more specific career ladders in each area and expanding on salary/time expectations in other geographical locations.

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Templates_[TMP] directory

If you want to create a brand-new ladder, we provided a template directory that has an example of each type of file.


