Cybersecurity Career Paths: Red Team vs Blue Team

So you’re thinking of going into cybersecurity but don’t know what path to go down. You’ve heard of red teaming, blue teaming, and possibly even purple teaming (a combination of both). What’s the difference between these? What team should you be a part of?
What’s the difference?
The main difference is that blue team focuses on defending systems, whereas red team focuses on attacking those systems and finding weaknesses within them. Blue team can be anything from performing on-demand monitoring for companies to dissecting malware and observing how it affects machines. Red team can be anything from performing intentional tests in a controlled environment to pretending to be an outside attacker and trying to break into a company’s live systems. Although most people assume that red team is better because it sounds more “cool”, both sides play an important role in cybersecurity and each comes with its own benefits.
The average red teamer makes about $63,000 annually, according to ZipRecruiter, and the average blue teamer makes roughly $132,000 annually. Keep in mind that actual salaries can vary greatly depending on experience level, location, certifications, and whether the role is in-house or consulting. Because companies generally find active defense against hackers more valuable than penetration testing, blue teamers tend to make more money than red teamers. In addition, blue teamers generally have more job availability and a much lower barrier to entry than red teamers, making it a much more appealing career for many. However, there are also benefits to being a red teamer. Since they don’t need to constantly monitor systems like blue teamers do, red teamers generally have a much better work/life balance and work regular hours. Which one is better ultimately comes down to individual preference and what you value the most.
General paths available
These are the most popular career paths chosen for each team. A more comprehensive overview of the jobs is linked below in the citations section as well as at the beginning of each section.
Blue team
SOC analysts actively monitor computer systems to make sure that nobody is trying to hack into the company they’re defending. They use a Security Information and Event Management (SIEM) system to analyze entire networks of computers. A SIEM collects data from the computers connected to a network and analyzes everything sent to it, looking for suspicious behavior that indicates a hacker. If anything is found, an alert is sent to the SOC analyst, who analyzes it to determine whether it’s a false positive or an actual breach. Due to the nature of the job, they generally have much calmer work (depending on the company) but have to work longer hours to constantly protect a company’s systems.
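As an added illustration of the SIEM-to-analyst flow described above (example code, not from the original post): a minimal correlation rule run over constructed sshd log lines, followed by the analyst’s first triage pass that separates a false positive from a probable breach. The scanner allowlist, the threshold, and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for illustration (not from the original post).
LOG_LINES = [
    "10:00:01 sshd: Failed password for root from 203.0.113.7",
    "10:00:02 sshd: Failed password for admin from 203.0.113.7",
    "10:00:03 sshd: Failed password for admin from 203.0.113.7",
    "10:00:09 sshd: Accepted password for admin from 203.0.113.7",
    "10:01:00 sshd: Failed password for backup from 198.51.100.4",
    "10:01:01 sshd: Failed password for backup from 198.51.100.4",
    "10:01:02 sshd: Failed password for backup from 198.51.100.4",
    "10:05:00 sshd: Failed password for alice from 192.0.2.10",
]
# Hypothetical allowlist: the company's own authorized vulnerability scanner.
KNOWN_SCANNERS = {"198.51.100.4"}
THRESHOLD = 3  # failed logins from one source before an alert fires
LINE_RE = re.compile(r"^\S+ sshd: (Failed|Accepted) password for \S+ from (\S+)$")

def detect(lines):
    # SIEM-style correlation: count failed logins per source IP, raise one alert
    # when a source reaches THRESHOLD, and note if that source later logs in.
    failures = defaultdict(int)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that don't match the format are skipped
        result, src = m.groups()
        if result == "Failed":
            failures[src] += 1
            if failures[src] == THRESHOLD:
                alerts[src] = {"rule": "ssh_bruteforce", "succeeded_after": False}
        elif src in alerts:
            alerts[src]["succeeded_after"] = True
    return alerts

def triage(alerts):
    # The analyst's first pass: known scanner -> false positive; brute force
    # followed by a successful login -> probable breach; otherwise -> investigate.
    verdicts = {}
    for src, alert in alerts.items():
        if src in KNOWN_SCANNERS:
            verdicts[src] = "false_positive"
        elif alert["succeeded_after"]:
            verdicts[src] = "probable_breach"
        else:
            verdicts[src] = "investigate"
    return verdicts
```

Running `triage(detect(LOG_LINES))` flags 203.0.113.7 as a probable breach (failures followed by a success) and dismisses the scanner as a false positive, while the single failure from 192.0.2.10 never becomes an alert.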
Security engineers focus on creating security solutions for problems within a company. These are the people who focus on patching recently found exploits and making sure that the current security solutions are ready for modern-day exploits. They also help with incident response, working to secure a system once it’s been compromised by a hacker. They are the backbone of a security team, making sure that the company remains as secure as possible from attackers.
Computer forensics analysts focus on gathering information about cyber attacks and analyzing data related to illegal online activities. They gather intelligence on potential attacks and use their skills to analyze any major incidents that happened recently. Although they sometimes work for private companies, they often end up working in law enforcement. Due to the variety of work they do, these professionals need to be proficient in multiple programming languages and technologies in order to analyze various kinds of illegal software.
Red team
Penetration testers work to break into and exploit any vulnerabilities within a security system. They typically work in controlled environments and are hired to test a specific part of a computer’s security. Their day-to-day work can vary a lot because of this, and they often work at consulting firms rather than at a single tech company. Due to the fast-changing nature of malware, they need to be up to date with the most common exploits and ready to use them in their own work, making this a hard but exciting career path to choose.
Vulnerability assessors are responsible for detecting the weaknesses within a system’s security solutions. They perform an analysis on the current security measures using automated tools and then create reports on how to improve them to protect against the most recent exploits. These reports can then be used by blue teamers to improve the security of their company. Vulnerability assessors can work either in-house in a single company or for a consulting firm. Since many companies have sensitive data online and need to make sure that it’s secure, this job is in high demand and highly sought after by large companies.
Exploit development is a more niche career path in cybersecurity that focuses on writing code to exploit new vulnerabilities. Similar to vulnerability assessors, exploit developers analyze software to identify and demonstrate potential vulnerabilities. Once they find a potential vulnerability, they write code to demonstrate how it can be taken advantage of and then submit it as a proof-of-concept exploit through coordinated disclosure programs.
How to start learning
Before I talk about specializing in either team, you need to focus on the basics of cybersecurity. The most important topics to master for either team include the fundamentals of networking and how computers communicate (TCP/IP, the OSI model, TCP vs UDP vs ICMP, etc.), the basics of cryptography (hashing/encryption, public/private keys, certificates), and how to interact with different computer systems (Windows Active Directory, Linux). Although it’s boring, mastering these core fundamentals is essential for advancing into cybersecurity. You can’t defend or attack a network if you don’t understand how it works and why it’s vulnerable. Spend a lot of time learning these things, as they’re the most important topics in the field.
One of the most commonly discussed topics in cybersecurity is certifications and whether or not they actually matter. Certificates are good for showing employers that you understand the core topics of computing, and, depending on which one you obtain, can even show that you’re ready to be hired by a professional company. However, the better certificates tend to be more expensive and take more time to study for. A list of the most common certificates for each path can be found here. That being said, there are some certificates that stand out for each path. In general, the CompTIA Security+ is known as the gold standard for cybersecurity and is recommended for any path in cybersecurity. This should be the first certificate you go for, since it’s industry recognized and teaches the most important topics for the field.
If you are interested in pursuing any role in blue team, I highly recommend you start by learning the security solutions used today and what they’re designed to protect against. Learn about the most common solutions, such as SIEMs and firewalls, as well as their potential weaknesses. The most common path for those interested in blue team is becoming a help desk/IT specialist and learning about the existing security solutions at the company you’re working for. This allows you to see a current security solution in action and learn which potential exploits can bypass the company’s current technologies. Learn as much as you can from simple IT jobs and then use that knowledge to advance into a more specialized field within cybersecurity.
Red teamers have a much less straightforward path than those in blue team. Some people start in blue team and then use that experience to carry them into a red team position. Others grind for major certificates like the OSCP and then get a job directly after they obtain it. The advantage of red team is that there’s no single path to get a job. There are so many ways to enter the field that you can really choose to learn it your own way. The most important thing to do is to gain practical experience with hacking, whether it’s in capture the flag events or through experimenting on your own with personal projects. Master the fundamentals of computers and then spend as much time as possible hacking computers through CTFs or a home lab. The more experience and background knowledge you have on computers and how they’re breached or exploited, the easier it’s going to be to get into a position in this field.
Closing thoughts
In cybersecurity, there’s no single path to take. Within the field, there are two major categories of profession, each with its own unique job opportunities. Blue teamers specialize in defending companies from hackers and preventing exploits from being abused, whereas red teamers focus on breaking into those companies (in a legal, controlled environment) to expose current vulnerabilities to security engineers. Whichever path you choose, remember that experience and knowledge of the fundamentals are the most important things you can have. Once you get the fundamentals down and learn about each of the different fields, you’ll realize what you enjoy doing the most. After that, it’s simply a matter of getting as much experience as possible through constant practice. Start with a platform like TryHackMe, or dive into beginner-friendly certifications like Security+ to test your interest. If you want to read about how I got into cybersecurity, the link is here.
Citations
https://www.ziprecruiter.com/Salaries/Red-Teamer-Salary#Yearly
https://www.ziprecruiter.com/Salaries/Blue-Team-Cyber-Security-Salary
https://www.springboard.com/blog/cybersecurity/soc-analyst-guide/
https://www.coursera.org/articles/what-is-a-security-engineer
https://www.coursera.org/articles/how-to-become-a-penetration-tester
https://www.offsec.com/cybersecurity-roles/exploit-developer/
Written by Jesus Zarate