Security Engineer

A Security Engineer builds and runs the defenses that protect an organization's systems, networks, applications, and cloud

6 stages · 30 skills · 72 free resources

Core stack

Python · Linux · Docker · Kubernetes · Git


  1. Stage 01

    Stage 1, IT & Computing Foundations

    Get fluent with the systems you'll defend: drive Linux from the command line, understand how networks move packets, automate small tasks with code, and track changes in Git. This is non-negotiable groundwork; every later skill assumes it.

    Linux fundamentals & command line · Essential

    Linux is an open-source operating system kernel that powers the majority of servers, cloud infrastructure, and security tooling. The command line interface provides direct control over the filesystem, processes, user permissions, and network configuration. Proficiency with shell commands, file permissions, and log inspection is foundational to working in any security environment.

    Why it matters · Most security tooling, servers, and cloud workloads run on Linux, so you must navigate the filesystem, manage permissions, and read logs from the shell.

    Networking fundamentals (TCP/IP, DNS, DHCP, HTTP, ports, firewalls) · Essential

    TCP/IP is the suite of protocols that governs how data is addressed, routed, and delivered across networks, while DNS, DHCP, and HTTP handle name resolution, address assignment, and web communication respectively. Ports identify specific services on a host, and firewalls enforce rules about which traffic is permitted. Together these concepts describe how data moves through a network and where access controls are applied.

    Why it matters · You can't detect or stop attacks without knowing how traffic flows, what normal looks like, and where controls belong.
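The paragraph above describes headers, ports, and firewall rules in the abstract. The following is an added example (not from the roadmap page) that decodes a raw IPv4/TCP datagram with the standard library, verifies the RFC 791 header checksum, and applies a stateless layer-4 rule to the decoded fields. The packet bytes, the addresses (RFC 5737 documentation ranges) and the ruleset are all constructed for the example.

```python
"""Parse a raw IPv4/TCP packet and apply a stateless firewall rule to it.

Added example: standard library only, packet bytes constructed inline,
addresses from the RFC 5737 documentation ranges.
"""
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte fixed header, network byte order
TCP_FMT = "!HHIIBBHHH"       # 20-byte fixed header
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Checksum to write into bytes 10-11 (computed with that field zeroed)."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def ipv4_checksum_ok(header: bytes) -> bool:
    """A valid header sums to 0xFFFF when the checksum field is included."""
    return ones_complement_sum(header) == 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed sample: TCP SYN from 192.0.2.10:40000 to 198.51.100.5:443."""
    ip = bytearray(struct.pack(
        IPV4_FMT,
        0x45,                       # version 4, IHL 5 words (20 bytes)
        0,                          # DSCP/ECN
        40,                         # total length: 20 IP + 20 TCP, no payload
        0x1234,                     # identification
        0x4000,                     # flags: DF, fragment offset 0
        64, 6, 0,                   # TTL, protocol 6 = TCP, checksum placeholder
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]),
    ))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    tcp = struct.pack(
        TCP_FMT,
        40000, 443,                 # source port, destination port
        0xDEADBEEF, 0,              # sequence, acknowledgement
        0x50,                       # data offset 5 words, reserved 0
        0x02,                       # flags: SYN
        65535, 0, 0,                # window, checksum (not computed here), urgent ptr
    )
    return bytes(ip) + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for TCP, the ports and flags a firewall keys on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < total_len or total_len < ihl:
        raise ValueError("malformed IPv4 packet")
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum_ok(pkt[:ihl]),
    }
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, _, _, off, flags, _, _, _ = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
        info.update({
            "sport": sport,
            "dport": dport,
            "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
            "payload_len": total_len - ihl - (off >> 4) * 4,
        })
    return info


# Hypothetical inbound ruleset, first match wins: (protocol, destination port, action).
RULES = [(6, 443, "allow"), (6, 22, "deny"), (None, None, "deny")]


def firewall_verdict(info: dict, rules=RULES) -> str:
    """Stateless L4 filtering; packets that fail the IP checksum are dropped outright."""
    if not info["checksum_ok"]:
        return "drop"
    for proto, port, action in rules:
        if (proto is None or proto == info["proto"]) and (port is None or port == info.get("dport")):
            return action
    return "deny"


if __name__ == "__main__":
    decoded = parse_packet(build_sample_packet())
    print(decoded, "->", firewall_verdict(decoded))
```

Flip one byte of the header (the TTL, say) and the checksum no longer verifies; change the destination port to 22 and the same packet hits the deny rule. That is the whole job of a stateless filter, and it is also why a stateful firewall needs the SYN/ACK flags the parser exposes.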

    Operating system internals & host hardening (Linux + Windows) · Essential

    Operating system internals encompass the subsystems that manage processes, memory, filesystems, and privilege separation, including the Windows registry and Linux permission model. Host hardening is the practice of reducing attack surface by disabling unnecessary services, enforcing least-privilege configurations, and applying secure baseline settings. Understanding both Linux and Windows internals enables accurate detection of misconfigurations and anomalies.

    Why it matters · Understanding filesystems, processes, the Windows registry, and privilege models lets you spot misconfigurations and lock hosts down.

    Scripting & a programming language (Python + Bash) · Essential

    Bash is a Unix shell scripting language used to automate command-line tasks, chain tools together, and manipulate text streams on Linux systems. Python is a general-purpose programming language widely used in security for parsing logs, building automation, writing exploits, and interacting with APIs. Together they form the primary scripting toolkit for security engineering work.

    Why it matters · Security engineering is automation: you'll parse logs, wire tools together, and write detection/response scripts, with Python as the common language.

    Git & version control · Essential

    Git is a distributed version control system that tracks changes to files over time and enables collaborative development through branching and merging. It stores a complete history of modifications, supports code review workflows, and is the foundation for CI/CD pipelines. Security artifacts such as detection rules, infrastructure configurations, and policy definitions are managed and audited through Git repositories.

    Why it matters · Detection rules, IaC, and pipeline configs all live in Git, and later stages (detection-as-code, DevSecOps) hard-depend on shipping and reviewing security changes as code.

  2. Stage 02

    Stage 2, Security Core Concepts & Frameworks

    Build the vocabulary and mental models interviews probe for: the CIA triad, cryptography, identity, risk, and the threat frameworks (MITRE ATT&CK, NIST CSF) you'll reference daily. Cap the stage by working toward Security+.

    Security principles (CIA triad, defense-in-depth, least privilege, threat vs. vulnerability vs. risk) · Essential

    The CIA triad (Confidentiality, Integrity, Availability) defines the three core properties that security controls are designed to protect. Defense-in-depth is the strategy of layering multiple independent controls so that no single failure creates a breach, while least privilege restricts access to only what is strictly necessary. Distinguishing threats (potential actors or events), vulnerabilities (weaknesses), and risk (likelihood times impact) provides the vocabulary for systematic security reasoning.

    Why it matters · Every design decision and interview answer traces back to these first principles.

    Cryptography basics (symmetric/asymmetric, hashing, TLS, PKI, certificates) · Essential

    Cryptography provides mathematical mechanisms for protecting data confidentiality, integrity, and authenticity. Symmetric encryption uses a single shared key, asymmetric encryption uses a public/private key pair, and hashing produces a fixed-length digest used to verify data has not changed. TLS and PKI (Public Key Infrastructure) apply these primitives to secure communications and authenticate identities through certificates.

    Why it matters · You'll configure TLS, judge encryption choices, and reason about data protection constantly; weak crypto remains a top real-world failure.
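"Weak crypto remains a top real-world failure" usually means a fast, unsalted hash where a slow, salted one belonged, or a bare hash where a keyed MAC belonged. The following is an added example (not from the roadmap page) that puts the weak form next to the fix using only the standard library: plain SHA-256 versus salted PBKDF2-HMAC-SHA256 with a stored, upgradable iteration count, and an HMAC tag checked in constant time. The iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256; the passwords and messages are constructed.

```python
"""Password storage and message integrity with the standard library.

Added example: shows the failure mode (fast, unsalted hash) next to the fix
(salted PBKDF2-HMAC) and an HMAC tag verified in constant time.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def naive_hash(password: str) -> str:
    """What NOT to do: plain SHA-256 is fast and unsalted, so two users with the
    same password are linkable and a precomputed table cracks the digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Storing the parameters lets you raise the cost later without a reset."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time,
    so response timing does not reveal how many leading bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: integrity plus authenticity under a shared key. A bare hash
    would not do, since anyone can recompute SHA-256 over a modified message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password
    print(naive_hash("hunter2") == naive_hash("hunter2"))        # True: identical, linkable
    print(hash_password("hunter2") == hash_password("hunter2"))  # False: distinct salts
    record = hash_password("hunter2")
    print(verify_password("hunter2", record), verify_password("hunter3", record))
    key = secrets.token_bytes(32)
    tag = mac_tag(key, b"transfer:amount=10")
    print(mac_verify(key, b"transfer:amount=10", tag),
          mac_verify(key, b"transfer:amount=1000", tag))
```

For new systems a memory-hard function (Argon2id, scrypt) is preferable to PBKDF2; the record format above is what makes that migration possible, because the algorithm name travels with each stored hash.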

    Identity & access management (authN/authZ, OAuth2, OIDC, SAML, MFA, RBAC) · Essential

    Identity and access management (IAM) governs who can authenticate to a system (authN) and what they are permitted to do once authenticated (authZ). OAuth 2.0 is an open standard for delegated authorization (letting a client act on a user's behalf with scoped tokens), OIDC adds an identity layer on top of it for federated login in web and API contexts, and SAML handles enterprise single sign-on through signed XML assertions. Multi-factor authentication (MFA) requires an additional, independent factor beyond the password, and role-based access control (RBAC) organizes permissions into reusable roles assigned to principals.

    Why it matters · Identity is the new perimeter, broken access control tops the OWASP list, and most cloud breaches are IAM failures.
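The authN/authZ split in the paragraph above is easiest to see in code. The following is an added example (not from the roadmap page) of a bearer-token check followed by an RBAC decision: a minimal HS256 JWT built with the standard library so the verification order is visible, signature first, claims only afterwards, with the algorithm pinned so that an `alg: none` or key-confusion token is rejected before anything else. Real OIDC deployments verify RS256/ES256 signatures against keys fetched from the provider's JWKS endpoint; the shared secret, issuer, audience and role table here are assumptions for the example.

```python
"""Verify a bearer token, then make an RBAC decision from its verified claims.

Added example: a minimal HS256 JWT in the standard library. Production OIDC
uses asymmetric keys from a JWKS endpoint; the secret, issuer, audience and
role table below are assumptions for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if every check passes; raise TokenError otherwise."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:          # bad split, bad base64, bad JSON, bad UTF-8
        raise TokenError("malformed token")
    # Pin the algorithm: the verifier decides, never the token. This blocks
    # alg=none and RS256->HS256 key-confusion forgeries.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only now are the claims trustworthy enough to parse and check.
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims


# Hypothetical role table: roles bundle permissions, principals get roles (RBAC).
ROLE_PERMISSIONS = {
    "viewer": {"tickets:read"},
    "analyst": {"tickets:read", "tickets:update"},
    "admin": {"tickets:read", "tickets:update", "users:manage"},
}


def is_authorized(claims: dict, permission: str) -> bool:
    """authZ is decided from verified claims, never from a client-supplied field."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in claims.get("roles", []))


if __name__ == "__main__":
    secret = b"example-shared-secret-do-not-use"   # assumption for the example
    tok = issue_token({"sub": "u123", "iss": "https://idp.example", "aud": "tickets-api",
                       "exp": time.time() + 300, "roles": ["analyst"]}, secret)
    claims = verify_token(tok, secret, "https://idp.example", "tickets-api")
    print(is_authorized(claims, "tickets:update"), is_authorized(claims, "users:manage"))
```

Every check in `verify_token` corresponds to a real class of token bug: accepting the header's `alg`, parsing claims before checking the signature, and forgetting `aud` (so a token minted for another API is accepted) are the three most common.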

    Threat frameworks: MITRE ATT&CK, Cyber Kill Chain, NIST CSF · Essential

    MITRE ATT&CK is a publicly maintained knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks, organized into matrices for enterprise (including cloud and container platforms), mobile, and ICS environments. The Cyber Kill Chain (Lockheed Martin) describes an intrusion as seven sequential phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The NIST Cybersecurity Framework 2.0 (2024) organizes security risk management into six functions: Govern, Identify, Protect, Detect, Respond, and Recover; older material still lists the original five without Govern.

    Why it matters · Postings explicitly ask for these, and ATT&CK is the shared language for describing, detecting, and mapping adversary behavior.

    Risk, governance & compliance literacy (NIST 800-53, ISO 27001, SOC 2, GDPR) · Recommended

    NIST SP 800-53 (Revision 5) is a catalog of security and privacy controls for federal information systems that is widely adopted in enterprise security programs. ISO 27001 is an international standard for establishing and certifying an information security management system (ISMS), while SOC 2 is an attestation framework for service organizations built on the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), of which only security is mandatory in every report. GDPR is the European Union regulation governing personal data protection, imposing obligations on how organizations collect, process, and secure personal information.

    Why it matters · Engineers turn compliance requirements into technical controls; you needn't be an auditor, but you must speak the language.

    CompTIA Security+ (cert milestone) · Recommended

    CompTIA Security+ (SY0-701) is a vendor-neutral certification covering foundational security concepts including threats, cryptography, network security, identity management, and incident response. It is accredited under ISO 17024 and recognized by the US Department of Defense for baseline cybersecurity roles. Passing the exam demonstrates broad, structured knowledge across the core domains of security practice.

    Why it matters · The most common resume filter for entry security-engineer roles; studying SY0-701 (current through 2026) also forces broad, structured coverage.

  3. Stage 03

    Stage 3, Defensive Operations: Detection, SIEM/SOAR & Incident Response

    Do the day-to-day work most security-engineer postings describe: pipe logs into a SIEM, write and tune detections, automate response with SOAR, run vulnerability management, and handle incidents. This is where you become operationally useful.

    Logging, SIEM & detection engineering (Splunk / Sentinel / Elastic; correlation rules, dashboards) · Essential

    A Security Information and Event Management (SIEM) system aggregates logs from across an environment, normalizes them into a common schema, and provides search, correlation, and alerting. Splunk, Microsoft Sentinel, and the Elastic Stack are the dominant platforms, each with its own query language: Splunk's SPL, Sentinel's KQL (Kusto Query Language), and for Elastic the Kibana query bar (also abbreviated KQL, an unrelated language), EQL for event sequences, ES|QL, and Lucene syntax. Detection engineering is the practice of authoring, tuning, and maintaining correlation rules and dashboards that turn raw log data into actionable alerts, including measuring each rule's false-positive rate so that it stays actionable.

    Why it matters · Real postings center on designing, tuning, and authoring detections in a SIEM, the core defensive engineering skill.

    Detection-as-code & threat hunting (Sigma rules, YARA, KQL/SPL queries) · Recommended

    Sigma is an open, vendor-neutral rule format for describing log-based detections that can be compiled into backend-specific queries for Splunk, Sentinel, Elastic, and other SIEMs (the pySigma library and sigma-cli do the conversion). YARA is a pattern-matching language used to identify malware and suspicious files based on byte sequences, strings, or structural attributes. Threat hunting is the proactive, hypothesis-driven search through telemetry for attacker activity that has not yet triggered automated alerts.

    Why it matters · Modern detections are portable, version-controlled, and proactive; Sigma plus ATT&CK mapping is how teams share and test them.

    SOAR & security automation (playbooks for triage, enrichment, response) · Recommended

    Security Orchestration, Automation, and Response (SOAR) platforms such as Splunk SOAR, Microsoft Sentinel playbooks (built on Azure Logic Apps), and Palo Alto Cortex XSOAR connect security tools through APIs and execute automated workflows called playbooks. Playbooks codify repeatable analyst tasks including alert triage, indicator enrichment, containment actions, and ticket creation. SOAR reduces mean time to respond (MTTR) by automating the high-volume, low-judgment steps of incident handling while leaving the decisions that need a human as explicit approval gates.

    Why it matters · Postings increasingly want SOAR playbook development; automating triage is how lean teams scale and cut response time.

    Vulnerability management & scanning (Nessus/OpenVAS, CVSS, patch prioritization) · Essential

    Vulnerability management is the continuous process of discovering, classifying, prioritizing, and remediating security weaknesses across an environment. Nessus and OpenVAS are network-based scanners that identify known vulnerabilities by fingerprinting operating systems, services, and applications and matching detected versions, banners, and configurations against a vulnerability database keyed to CVE IDs; authenticated scans see far more than unauthenticated ones. The Common Vulnerability Scoring System (CVSS v4.0, published in 2023) provides a standardized numeric base score for severity. On its own that score is not a priority, because it ignores whether the asset is exposed or the flaw is actually being exploited, which is why v4.0 adds threat and environmental metric groups on top of the base score.

    Why it matters · Finding, prioritizing (CVSS v4.0), and driving remediation of vulnerabilities is a recurring core duty in nearly every security-engineer role.
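Prioritization is where scanner output meets engineering judgment: a base score is one input, exposure and known exploitation are the others, and the result needs a remediation deadline so that it can be tracked. The following is an added example (not from the roadmap page) of that triage step. The CVSS v4.0 qualitative bands are the published ones; the priority rules, SLA windows, review date and findings are a hypothetical policy and constructed data, and `known_exploited` stands in for an external exploited-in-the-wild feed such as CISA KEV that the example does not fetch. The CVE identifiers are placeholders, not real advisories.

```python
"""Risk-based prioritization of scanner findings with remediation SLAs.

Added example. CVSS v4.0 bands are the published ones; the priority rules,
SLA windows and sample findings are a hypothetical policy and constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float            # CVSS v4.0 base score reported by the scanner
    internet_facing: bool  # from the asset inventory, not from the scanner
    known_exploited: bool  # listed in an exploited-in-the-wild catalog (external feed)
    found_on: date


SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}   # hypothetical policy
REVIEW_DATE = date(2026, 1, 15)                       # "today" for the sample run


def cvss_v4_rating(score: float) -> str:
    """CVSS v4.0 qualitative severity bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score out of range")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority(f: Finding) -> str:
    """Base score alone is a poor queue order: exposure and real exploitation
    move a finding up, an internal Medium moves down."""
    rating = cvss_v4_rating(f.cvss)
    if f.known_exploited or (rating == "Critical" and f.internet_facing):
        return "P1"
    if rating == "Critical" or (rating == "High" and f.internet_facing):
        return "P2"
    if rating == "High" or (rating == "Medium" and f.internet_facing):
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    return f.found_on + timedelta(days=SLA_DAYS[priority(f)])


def triage(findings: List[Finding], today: date) -> list:
    """Work queue: P1 first, then by score; each row carries its SLA status."""
    rows = []
    for f in findings:
        due = due_date(f)
        rows.append({"priority": priority(f), "asset": f.asset, "cve": f.cve,
                     "cvss": f.cvss, "due": due, "overdue": today > due})
    rows.sort(key=lambda r: (r["priority"], -r["cvss"]))
    return rows


SAMPLE_FINDINGS = [  # constructed; CVE IDs are placeholders, not real advisories
    Finding("web-01", "CVE-0000-0001", 9.3, True, False, date(2026, 1, 10)),
    Finding("db-02", "CVE-0000-0002", 9.8, False, False, date(2026, 1, 10)),
    Finding("vpn-gw", "CVE-0000-0003", 7.5, True, True, date(2025, 12, 20)),
    Finding("build-07", "CVE-0000-0004", 5.4, False, False, date(2026, 1, 5)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, REVIEW_DATE):
        print(row)
```

Note what the ordering does with the sample data: the 7.5 on the VPN gateway outranks the 9.8 on an internal database because it is both exposed and being exploited, and it is already past its deadline. A queue sorted purely by CVSS would put it third.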

    Incident response & digital forensics basics (NIST IR lifecycle, triage, evidence) · Recommended

    Incident response (IR) is the structured process of preparing for, detecting and analyzing, containing, eradicating, and recovering from security incidents, followed by a post-incident review, the lifecycle defined in NIST SP 800-61 (Revision 3, published in 2025, re-maps these activities onto the CSF 2.0 functions). Triage is the initial step of determining scope, severity, and affected assets to prioritize containment actions. Digital forensics involves the collection and preservation of evidence (memory dumps, disk images, log exports) in a forensically sound manner, with hashes and a chain of custody recorded at acquisition time, to support analysis and legal or compliance requirements.

    Why it matters · When detections fire, engineers help contain and investigate; knowing the IR lifecycle and basic forensics is expected.

  4. Stage 04

    Stage 4, Application & Offensive Security

    Learn to break apps, then secure them: master the OWASP Top 10, test web apps and APIs with Burp Suite, and understand attacker tradecraft well enough to defend against it. Even defense-focused engineers need this offensive lens.

    Web application security & OWASP Top 10 (2025) · Essential

    Web application security encompasses the controls, testing techniques, and secure design patterns used to protect server-side and client-side components of web software. The OWASP Top 10 is a consensus list of the most critical web application security risks, updated periodically based on real-world incident data and community input, with the 2025 edition finalized in early 2026. The 2025 list keeps broken access control at the top (now absorbing server-side request forgery) and adds software supply chain failures and mishandling of exceptional conditions alongside security misconfiguration, cryptographic failures, injection, and the other returning categories.

    Why it matters · The web is the dominant attack surface, and the OWASP Top 10 (finalized early 2026) is the baseline checklist every employer assumes you know cold.
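Injection is the Top 10 category that is easiest to demonstrate end to end, and the fix is a one-line change that every engineer should be able to explain. The following is an added example (not from the roadmap page) showing the vulnerable query next to the parameterized version against an in-memory SQLite database with constructed rows. The `password_hash` column holds placeholder strings; real login code fetches the stored hash and verifies it with a password-hashing function, never compares secrets inside SQL.

```python
"""SQL injection: the vulnerable query next to the parameterized fix.

Added example: in-memory SQLite with constructed rows. The password_hash
values are placeholders; real code verifies a password hash in application
code rather than comparing secrets inside SQL.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """Injection: user input is spliced into the SQL text, so the input can
    change the statement's structure, not just its values."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    """Parameterized query: the driver sends values separately from the SQL
    text, so a quote or comment marker in the input is only data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()


# Classic bypass: closes the string literal and comments out the password check,
# turning the WHERE clause into  username = 'alice'
BYPASS_USERNAME = "alice' --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "anything"))   # ('alice', 'admin')
    print("safe:      ", login_safe(db, BYPASS_USERNAME, "anything"))         # None
```

The same payload reaches both functions; only the vulnerable one lets it rewrite the query. Input validation is a useful second layer, but parameterization is the control that actually removes the bug, because it makes the boundary between code and data explicit to the database driver.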

    Hands-on web pentesting with Burp Suite · Essential

    Burp Suite is an integrated platform for web application security testing, developed by PortSwigger, and is the industry-standard proxy used by penetration testers and security engineers. It intercepts and modifies HTTP and WebSocket traffic between a browser and a server, enabling manual inspection and manipulation of requests and responses. Its tooling includes Repeater for manual request replay, Intruder for automated fuzzing, Decoder for payload transformation, and Scanner for automated vulnerability discovery; Scanner and unthrottled Intruder are Professional-edition features, while the free Community edition is enough to learn the proxy, Repeater, and Decoder workflow.

    Why it matters · Burp is the industry-standard testing proxy; intercepting and tampering with traffic is how you actually find and prove vulnerabilities.

    API security (REST/GraphQL, OWASP API Top 10, authZ flaws, rate limiting) · Recommended

    API security addresses the specific risks introduced by REST and GraphQL interfaces, which expose data and functionality directly rather than through rendered pages. The OWASP API Security Top 10 (2023) catalogs the most prevalent API-specific risks, led by broken object-level authorization (BOLA) and including broken authentication, broken object property-level authorization (the 2023 merger of the earlier "excessive data exposure" and "mass assignment" entries), unrestricted resource consumption, and broken function-level authorization. Controls include strict authZ enforcement at the object level, input validation, rate limiting, and proper versioning and deprecation policies.

    Why it matters · APIs are now a primary attack surface, and broken object-level authorization is among the fastest-rising risks.
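BOLA and missing rate limits are the two API flaws from the list above that look most like ordinary code, which is exactly why they slip through review. The following is an added example (not from the roadmap page) that pairs a handler with the object-level check missing and the same handler with it present, then adds a per-client token-bucket limiter in front. The invoice store, users and roles are constructed, and the bucket takes an injectable clock so the behaviour can be checked without sleeping.

```python
"""Object-level authorization and per-client rate limiting for an API handler.

Added example: invoices, users and roles are constructed; the token bucket
takes an injectable clock.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Invoice:
    id: int
    owner: str
    amount: float


INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, "alice", 120.0),
    2: Invoice(2, "bob", 9.99),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated, but nothing ties the requested object
    to them, so GET /invoices/2 works for every logged-in user."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_safe(current_user: str, invoice_id: int, roles=()) -> Invoice:
    """Ownership (or an explicit support role) is checked against the verified
    identity. A foreign object gets the same 404 as a missing one, so IDs
    cannot be enumerated by watching for 403s."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner != current_user and "support" not in roles):
        raise NotFound(invoice_id)
    return inv


class TokenBucket:
    """Allow a burst of `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity: float, rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.tokens, self.last = capacity, clock()

    def allow(self, cost: float = 1.0) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key (user id, API key or source IP)."""

    def __init__(self, capacity: float, rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client: str) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.rate, self.clock)
        return bucket.allow()


def handle_get_invoice(limiter: RateLimiter, current_user: str,
                       invoice_id: int, roles=()) -> tuple:
    """(status, body) as a framework handler would return it. The limit is
    applied before any lookup so that enumeration attempts also burn tokens."""
    if not limiter.allow(current_user):
        return 429, {"error": "rate limited"}
    try:
        inv = get_invoice_safe(current_user, invoice_id, roles)
    except NotFound:
        return 404, {"error": "not found"}
    return 200, {"id": inv.id, "amount": inv.amount}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, rate=1.0)
    print(get_invoice_vulnerable("alice", 2))            # bob's invoice, no check
    print(handle_get_invoice(limiter, "alice", 2))       # (404, ...)
    print([handle_get_invoice(limiter, "alice", 1)[0] for _ in range(3)])  # [200, 200, 429]
```

In a real service the ownership check belongs in one place (a repository or policy layer) rather than in each handler, and the limiter's key should be the authenticated identity, falling back to source IP only for unauthenticated routes.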

    Offensive fundamentals (recon, exploitation, privilege escalation) for a defender's lens · Recommended

    Offensive security fundamentals cover the attacker methodology of reconnaissance (gathering information about a target), exploitation (leveraging a vulnerability to gain initial access), and privilege escalation (elevating access from a low-privilege foothold to administrative control). Understanding these phases in practical terms, through platforms such as HackTheBox or TryHackMe, develops intuition for how attacks unfold and which defensive controls interrupt each stage. This attacker perspective directly informs detection rule design and hardening priorities.

    Why it matters · You defend better when you can think like an attacker, and hands-on CTF-style practice cements ATT&CK techniques.

    Threat modeling (STRIDE, data-flow diagrams, attack surface analysis) · Recommended

    Threat modeling is a structured process for identifying potential security threats and design weaknesses in a system before it is built or changed. STRIDE is a classification model covering Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Data-flow diagrams (DFDs) are used to map trust boundaries, data stores, processes, and external entities so that each component can be systematically analyzed for applicable threats.

    Why it matters · Designing security in rather than bolting it on is a named requirement in many security-engineer JDs and a key thing that distinguishes engineers from analysts.

  5. Checkpoint

    Don't wait, start applying

    You don't have to finish the path to begin. Early applications and interviews show you exactly what to learn next.

  6. Stage 05

    Stage 5, Cloud Security (the 2026 demand center)

    Secure where workloads actually live now: master cloud IAM, network and data controls, and native detection on at least one provider (AWS or Azure). This is the single biggest hiring differentiator in 2026.

    Cloud fundamentals & shared responsibility model (pick AWS or Azure) · Essential

    Cloud computing delivers on-demand compute, storage, networking, and managed services through providers such as AWS and Azure. The shared responsibility model defines the division of security obligations between the cloud provider (physical infrastructure, hypervisor, managed service internals) and the customer (OS configuration, identity, data, application code). Understanding this boundary is prerequisite to knowing which controls must be implemented and maintained by the security team.

    Why it matters · You can't secure a cloud you don't understand, and the shared responsibility model defines exactly which controls are yours to own.

    Cloud IAM, network & data security (roles/policies, security groups, KMS, logging) · Essential

    Cloud IAM governs access to cloud resources through roles and permission policies attached to users, service accounts, and compute instances. Security groups and network ACLs act as virtual firewalls controlling inbound and outbound traffic to cloud resources. Key management services (AWS KMS, Azure Key Vault) provide centralized creation, storage, rotation, and access control for the cryptographic keys that encrypt data at rest (data in transit is protected by TLS), while cloud audit logging (AWS CloudTrail, Azure Activity Log) records control-plane API calls for audit and detection. Data-plane access such as S3 object reads or storage-account operations is only recorded if you enable data events or diagnostic settings, a gap investigations regularly run into.

    Why it matters · Misconfigured IAM and storage cause most cloud breaches, so least-privilege policy design is the core cloud-security skill.

    Cloud threat detection & posture (GuardDuty/Defender for Cloud, CSPM, CloudTrail/Activity logs) · Recommended

    Cloud threat detection services such as AWS GuardDuty and Microsoft Defender for Cloud analyze telemetry including DNS queries, network flows, and API call patterns to identify malicious or anomalous activity without requiring manual rule authorship. Cloud Security Posture Management (CSPM) tools continuously assess cloud resource configurations against security benchmarks and compliance frameworks, surfacing misconfigurations such as publicly exposed storage buckets or overly permissive IAM policies. CloudTrail and Azure Activity Logs provide the underlying audit trail of all API calls, which feeds both detection and forensic investigation.

    Why it matters · Native detection and posture management are how you monitor cloud at scale and catch drift or misconfiguration before attackers do.
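The two items above meet in policy JSON: the least-privilege design the IAM item asks for, and the "overly permissive policy" and "public bucket" findings a CSPM raises, are the same handful of checks applied to the same documents. The following is an added example (not from the roadmap page, and not a CSPM product) that runs a first-pass review over AWS-style identity and resource policies: wildcard actions and resources, anonymous principals without a condition, `iam:PassRole` on `*`, and `NotAction` in an Allow. All four policies are constructed samples; the bucket name is a placeholder.

```python
"""Static review of AWS-style IAM and bucket policies for least privilege and exposure.

Added example, not a CSPM product. All policies below are constructed samples.
"""
from typing import Any, List


def _as_list(value: Any) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """'*' or {"AWS": "*"} means any principal, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_read_only(action: str) -> bool:
    return action.split(":")[-1].startswith(("Get", "List", "Describe"))


def review_policy(policy: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        where = f"statement {i} ({stmt.get('Sid', 'no Sid')})"
        if "NotAction" in stmt:
            findings.append(f"{where}: Allow with NotAction grants everything not listed")
        if "*" in actions:
            findings.append(f"{where}: Action '*' grants every API call")
        service_wide = [a for a in actions if a.endswith(":*")]
        for a in service_wide:
            if "*" in resources:
                findings.append(f"{where}: service-wide '{a}' on all resources")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"{where}: iam:PassRole on '*' lets the caller hand any role "
                            f"to a service (privilege-escalation path)")
        if _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{where}: anonymous principal with no Condition; resource is public")
        writes = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and writes and "*" not in actions and not service_wide:
            findings.append(f"{where}: write actions {writes} not scoped to a resource")
    return findings


# Constructed samples (bucket name is a placeholder)
OVERPRIVILEGED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

if __name__ == "__main__":
    for name, pol in [("overprivileged", OVERPRIVILEGED_POLICY), ("public bucket", PUBLIC_BUCKET_POLICY),
                      ("passrole", PASSROLE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, "->", review_policy(pol) or "clean")
```

These are syntactic checks and they deliberately err toward noise; the next step a real CSPM takes is evaluating the effective permissions (deny statements, permission boundaries, SCPs, the account's public-access-block settings) rather than one document at a time.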

    Hands-on cloud attack/defense practice · Recommended

    Cloud attack and defense practice involves working through deliberately vulnerable cloud environments (such as CloudGoat, flaws.cloud, or Microsoft's WhatTheHack labs) that simulate real-world IAM misconfigurations, exposed credentials, and insecure storage. These labs provide controlled experience exploiting the same weaknesses that appear in actual cloud breach reports, building practical intuition for how misconfigurations chain together into full compromises. The defensive side of the practice focuses on identifying the artifacts and log evidence each attack technique leaves behind.

    Why it matters · Deliberately vulnerable cloud labs turn IAM and policy theory into real intuition for how cloud breaches actually unfold.

  7. Stage 06

    Stage 6, DevSecOps, Automation & Job-Ready Portfolio

    Operate at modern-engineer level: shift security left into CI/CD as code, secure containers and Kubernetes, manage infrastructure and policy as code, and package it all into a portfolio (home lab, GitHub, write-ups) that proves you can do the job.

    DevSecOps in CI/CD (SAST, DAST, SCA, secret scanning in pipelines) · Essential

    DevSecOps integrates security testing and policy enforcement directly into continuous integration and continuous delivery (CI/CD) pipelines so that vulnerabilities are caught at the point of code change rather than after deployment. Static Application Security Testing (SAST) analyzes source code for vulnerabilities without executing it, Dynamic Application Security Testing (DAST) tests running applications by simulating attacks, and Software Composition Analysis (SCA) identifies known vulnerabilities in third-party dependencies. Secret scanning tools (such as Gitleaks or GitHub Advanced Security) detect accidentally committed credentials and API keys before they are merged.

    Why it matters · 2026 employers expect security embedded in the pipeline as code rather than a manual gate at the end; this is a senior-track differentiator.

    Container & Kubernetes security (image scanning, runtime, admission control) · Essential

    Container security covers hardening container images, enforcing least-privilege runtime configurations, and scanning images for known CVEs using tools such as Trivy, Grype, or Snyk. Kubernetes security extends this to cluster-level controls including RBAC for API access, network policies for pod-to-pod communication, and secrets management. Admission controllers, whether the built-in Pod Security Admission (which enforces the privileged, baseline, and restricted Pod Security Standards) or policy engines such as OPA/Gatekeeper or Kyverno, enforce policy at the moment a workload is submitted to the API server, preventing non-compliant resources from being scheduled.

    Why it matters · Containers and Kubernetes run most modern workloads, so scanning images and hardening clusters has become baseline rather than optional in 2026.

    Infrastructure-as-Code & policy-as-code (Terraform + Checkov/OPA) · Recommended

    Infrastructure-as-Code (IaC) tools such as Terraform define cloud resources declaratively in version-controlled configuration files, enabling repeatable and auditable infrastructure provisioning. Checkov is a static analysis tool that scans Terraform, CloudFormation, and other IaC formats for security misconfigurations before resources are created. Open Policy Agent (OPA) is a general-purpose policy engine that enforces fine-grained rules as code across infrastructure, Kubernetes admission, and API authorization, allowing security guardrails to be expressed, tested, and version-controlled alongside application code.

    Why it matters · Security is increasingly deployed as code; scanning IaC and enforcing guardrails with policy-as-code is core to scaling defense.
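The container/Kubernetes item and the policy-as-code item above describe the same control from two sides: a validating admission webhook is where policy-as-code runs against each Pod before it is scheduled. The following is an added example (not from the roadmap page, and not a real webhook server or a Gatekeeper/Kyverno policy) that implements the decision logic: it takes a Kubernetes AdmissionReview request as a dict and returns the AdmissionReview response, denying Pods that fail a restricted-style baseline (no host namespaces or hostPath, no privileged containers, non-root, all capabilities dropped, read-only root filesystem, pinned image, resource limits). That baseline is stated as an assumption for the example rather than as any one published standard; both Pod manifests are constructed, and the registry name is a placeholder.

```python
"""Validating admission logic for Pods, the check a Gatekeeper or Kyverno
policy would express.

Added example, not a real webhook server: AdmissionReview request in, response
out. The enforced baseline is an assumption; both manifests are constructed.
"""
from typing import List


def _pinned(image: str) -> bool:
    """Digest-pinned, or tagged with something other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def validate_pod(pod: dict) -> List[str]:
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            violations.append(f"{ns} must not be set")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')} mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if not _pinned(c.get("image", "")):
            violations.append(f"{name}: image must be pinned to a tag or digest, not :latest")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: must drop ALL capabilities")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
        if not c.get("resources", {}).get("limits"):
            violations.append(f"{name}: CPU/memory limits are required")
    return violations


def admission_review(request: dict) -> dict:
    """Build the AdmissionReview response; any violation denies the request."""
    req = request["request"]
    is_pod = req.get("kind", {}).get("kind") == "Pod"
    violations = validate_pod(req["object"]) if is_pod else []
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_request(pod: dict, uid: str = "example-uid") -> dict:
    """Wrap a Pod the way the API server does when it calls the webhook."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": pod}}


# Constructed manifests; registry.example.com is a placeholder
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
           "spec": {"hostNetwork": True,
                    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                    "containers": [{"name": "shell", "image": "docker.io/library/alpine:latest",
                                    "securityContext": {"privileged": True}}]}}

GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
            "spec": {"securityContext": {"runAsNonRoot": True,
                                         "seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "api",
                                     "image": "registry.example.com/team/api@sha256:" + "0" * 64,
                                     "securityContext": {"allowPrivilegeEscalation": False,
                                                         "readOnlyRootFilesystem": True,
                                                         "capabilities": {"drop": ["ALL"]}},
                                     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], admission_review(make_request(pod))["response"])
```

Two design points carry over to real policy engines: defaults matter (`allowPrivilegeEscalation` is true unless set, so absence is a violation), and the message should list every failure at once so a developer fixes the manifest in one round trip rather than one rejection at a time.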

    Secrets management (Vault, cloud secret managers, no-hardcoded-secrets hygiene) · Recommended

    Secrets management is the practice of centrally storing, rotating, and auditing access to sensitive values such as API keys, database credentials, and TLS private keys rather than embedding them in source code or environment files. HashiCorp Vault is a widely deployed secrets engine offering dynamic secret generation, fine-grained access policies, and audit logging. Cloud-native alternatives include AWS Secrets Manager and Azure Key Vault, and preventive controls such as pre-commit hooks and CI-integrated secret scanners (Gitleaks, TruffleHog, GitHub secret scanning) stop secrets from being committed to repositories. Dependabot belongs to the dependency (SCA) side of the pipeline rather than to secret detection.

    Why it matters · Leaked secrets are a leading breach cause, so centralized secrets plus commit-time scanning (gitleaks, GitHub secret scanning) is baseline modern hygiene.
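The secret-scanning step named in the DevSecOps item and the no-hardcoded-secrets hygiene in the item above come down to the same two techniques: patterns for credential formats with a known shape, and an entropy check for the ones without. The following is an added example (not from the roadmap page, and not Gitleaks' own rule set) of a pre-commit style scanner that applies both to file content and reports redacted findings. The sample file is constructed; the AWS key pair in it is the non-functional pair AWS uses in its own documentation, and the other values are made up for the example.

```python
"""Pre-commit style secret scanner: known-format patterns plus an entropy check.

Added example, not Gitleaks' rules. The sample file is constructed; the AWS key
pair is the non-functional example pair from AWS documentation.
"""
import math
import re
from typing import List, Tuple

# (rule name, compiled pattern); group 1 is the value that gets redacted
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("private-key", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----)")),
    ("hardcoded-credential",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.3      # bits per character; tune against your repo's false positives
ALLOW_MARKER = "# nosecret"  # inline opt-out for reviewed placeholders


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 approaches 6, prose sits near 4."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    return value[:4] + "***"


def scan_text(text: str) -> List[dict]:
    """One finding per (line, rule); values are redacted so the report itself
    does not become a second leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule, "value": redact(m.group(1))})
        for token in ENTROPY_TOKEN.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high-entropy-string",
                                 "value": redact(token)})
                break
    return findings


SAMPLE_FILE = """\
# constructed config.py for the example; nothing here is a live credential
DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cret!2024"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_A1b2A1b2A1b2A1b2A1b2A1b2A1b2A1b2A1b2"
PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----"
PLACEHOLDER = "ReplaceMeWithRealValue"  # nosecret
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: {f['rule']} ({f['value']})")
```

Wired into a pre-commit hook, `scan_text` runs over the staged diff and a non-empty result blocks the commit; the same function in CI catches what bypassed the hook. The entropy rule is the noisy one (hashes and minified assets trip it), which is why the allow-marker and a per-repository threshold exist; the AWS secret key in the sample scores well above the threshold while the repetitive token on the next line does not.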

    Build a home lab + portfolio (and AI/LLM security literacy) · Recommended

    A home lab is a self-hosted environment used to practice security techniques hands-on, typically consisting of virtual machines running vulnerable targets, network monitoring tools, and a personal SIEM or logging stack. A security portfolio is a public collection of artifacts such as detection rules, CTF write-ups, hardened pipeline configurations, or tool scripts that demonstrate practical competency. AI and LLM security literacy covers the emerging threat surface introduced by large language model integrations, including prompt injection, training data poisoning, insecure output handling, and the OWASP Top 10 for LLM Applications.

    Why it matters · Hands-on artifacts (a lab, detection rules, write-ups, a hardened pipeline) are what convert interviews, and AI/LLM security is the fast-rising frontier to be conversant in.

  8. Land the job

    Turn these skills into offers

    ResuMax takes you from skilled to hired: a resume that proves it, applications tailored per role, and interview reps.
