Cybersecurity Analyst Resume Examples by Level (2026)

Updated March 28, 2026

Cybersecurity Analyst Resume Examples for 2026

The Bureau of Labor Statistics projects 29% employment growth for information security analysts through 2034 — roughly 16,000 annual openings added to the 182,800 professionals already employed — with a median salary of $124,910 as of May 2024. Meanwhile, ISC2's 2024 Cybersecurity Workforce Study measured a global workforce gap of 4.8 million unfilled positions, a 19.1% increase from the prior year, and found that 90% of organizations report skills shortages in their security teams. The demand is real, but so is the competition: applicant tracking systems at Fortune 500 companies now parse resumes for exact tool names like "Splunk Enterprise Security," "CrowdStrike Falcon," and "Palo Alto Cortex XSIAM" — and a resume that says "SIEM experience" without naming the platform gets filtered out before a hiring manager reads it. This guide provides three complete, annotated cybersecurity analyst resumes for entry-level SOC analysts, mid-career incident responders, and senior security architects — each built with the specific metrics, certifications, and technical vocabulary that ATS systems and security hiring managers actually search for.

Key Takeaways

  • **Quantify your incident response work** — Alerts triaged per shift (200-400 in a Tier 1 SOC), mean time to respond (MTTR), mean time to detect (MTTD), false positive reduction percentages, and incidents escalated to Tier 2/3 are the numbers that separate a credible security resume from a list of tool names. A bullet saying "triaged security alerts" is invisible next to one that says "triaged 350+ daily alerts in Splunk ES, reducing false positive rate from 68% to 31% over 6 months."
  • **Name every tool with its vendor and version** — Splunk Enterprise Security, CrowdStrike Falcon Insight XDR, SentinelOne Singularity, Palo Alto Cortex XSIAM, Microsoft Sentinel, Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, Wireshark, Burp Suite Professional, and Metasploit Framework. Generic "SIEM tools" or "vulnerability scanner" triggers zero ATS keyword matches. Each named product is a separate keyword hit.
  • **Reference frameworks by their full designation** — NIST Cybersecurity Framework (CSF) 2.0, NIST SP 800-53 Rev. 5, NIST SP 800-61 Rev. 2 (Incident Handling), MITRE ATT&CK for Enterprise, CIS Controls v8, ISO 27001:2022, SOC 2 Type II, and PCI-DSS v4.0. Hiring managers in regulated industries (finance, healthcare, government) filter specifically on these framework identifiers.
  • **Show the certification hierarchy with issuing bodies** — CompTIA Security+ (SY0-701) from CompTIA, CompTIA CySA+ (CS0-003) from CompTIA, Certified Ethical Hacker (CEH v13) from EC-Council, GIAC Security Essentials (GSEC) from SANS/GIAC, and Certified Information Systems Security Professional (CISSP) from ISC2. Include certification numbers and expiration dates — DoD 8140 roles require verifiable credentials.
  • **Match the job posting's compliance language exactly** — If the posting says "SOC 2 Type II audit," write "SOC 2 Type II," not "SOC 2 compliance." If it references "NIST 800-171," use that exact designation, not "NIST framework." If it mentions "threat hunting," write "threat hunting," not "proactive threat analysis." ATS systems are literal string matchers.

Entry-Level Cybersecurity Analyst Resume (0-2 Years Experience)

Full Resume Example

**MARCUS CHEN**
Austin, TX 78701 | (512) 555-0193 | [email protected] | LinkedIn: linkedin.com/in/marcuschen-sec


**PROFESSIONAL SUMMARY**

CompTIA Security+ certified cybersecurity analyst with 14 months of SOC Tier 1 experience at a managed security services provider (MSSP) monitoring 85+ client environments. Triages 300-400 alerts daily in Splunk Enterprise Security and CrowdStrike Falcon Insight XDR across Windows, Linux, and macOS endpoints. Reduced alert queue backlog by 22% within first 6 months by developing 15 custom Splunk correlation rules targeting known false positive patterns. Completed SANS SEC401: Security Essentials Bootcamp Style and earned GIAC Security Essentials (GSEC) certification. Trained in MITRE ATT&CK for Enterprise framework for alert classification and NIST SP 800-61 Rev. 2 incident handling procedures. Seeking a SOC Analyst Tier 2 or Junior Incident Responder role in the Austin–San Antonio corridor.


**CERTIFICATIONS**

- CompTIA Security+ (SY0-701) — CompTIA, Cert #COMP001234567, Exp. 03/2029
- GIAC Security Essentials (GSEC) — SANS/GIAC, Cert #GSEC-56789, Exp. 06/2028
- CompTIA Network+ (N10-009) — CompTIA, Cert #COMP001234566, Exp. 03/2029


**EDUCATION**

**Bachelor of Science in Cybersecurity**
University of Texas at San Antonio — College of Business, School of Data Science
Graduated: May 2024 | GPA: 3.65 / 4.0 | NSA/DHS Center of Academic Excellence in Cyber Defense (CAE-CD)


**PROFESSIONAL EXPERIENCE**

**SOC Analyst Tier 1** — Secureworks (Dell Technologies), Austin, TX
June 2024 – Present

- Triage 300-400 security alerts per 12-hour shift in Splunk Enterprise Security and CrowdStrike Falcon Insight XDR, classifying events against MITRE ATT&CK for Enterprise tactics (Initial Access, Execution, Persistence, Lateral Movement) and escalating confirmed incidents to Tier 2 analysts within 15-minute SLA
- Investigate phishing campaigns using Proofpoint TAP and Microsoft Defender for Office 365, analyzing email headers, embedded URLs, and attachments in a sandbox environment (Any.Run, Joe Sandbox), processing 40-60 phishing reports per week with 94% accurate classification rate
- Authored 15 custom Splunk Search Processing Language (SPL) correlation rules to suppress recurring false positive patterns from endpoint telemetry, reducing overall false positive rate from 68% to 47% across 85 monitored client environments
- Perform initial triage on vulnerability scan results from Tenable Nessus and Qualys VMDR for client environments, prioritizing critical and high findings (CVSS 7.0+) and generating remediation tickets in ServiceNow — processed 2,200+ vulnerabilities in Q3 2025
- Execute weekly threat intelligence briefings by aggregating indicators of compromise (IOCs) from MISP, VirusTotal, and AlienVault OTX, publishing 12 threat intelligence reports to the SOC team that correlated with 8 confirmed incidents
- Conducted log analysis across 40+ data sources including Windows Event Logs (Event IDs 4624, 4625, 4688, 4720), Linux syslog, firewall logs (Palo Alto PAN-OS), and DNS query logs using Splunk SPL and regex pattern matching
- Participated in 4 tabletop exercises simulating ransomware, business email compromise (BEC), DDoS, and insider threat scenarios, documenting response procedures aligned with NIST SP 800-61 Rev. 2 incident handling lifecycle

**IT Help Desk Technician / Security Intern** — Rackspace Technology, San Antonio, TX
May 2023 – May 2024

- Provided Tier 1 support for 1,200+ employees across Windows 10/11 and macOS environments, resolving 45-55 tickets daily via ServiceNow with 97% SLA compliance and average resolution time of 2.4 hours
- Assisted the security operations team with monthly vulnerability scans using Tenable Nessus across 3,500 endpoints, compiling scan results into remediation priority reports and tracking patching compliance from 72% to 89% over 8 months
- Configured and deployed Microsoft Intune mobile device management (MDM) policies for 400 BYOD devices, enforcing encryption, PIN requirements, and remote wipe capabilities
- Completed onboarding access provisioning and offboarding revocation for 30-40 employees monthly in Azure Active Directory and Okta, ensuring compliance with least-privilege access policies


**TECHNICAL SKILLS**

- SIEM/XDR: Splunk Enterprise Security, CrowdStrike Falcon Insight XDR, Microsoft Sentinel
- Vulnerability Management: Tenable Nessus, Qualys VMDR
- Email Security: Proofpoint TAP, Microsoft Defender for Office 365
- Sandboxing: Any.Run, Joe Sandbox
- Threat Intelligence: MISP, VirusTotal, AlienVault OTX
- Ticketing: ServiceNow
- Identity: Azure Active Directory, Okta, Microsoft Intune
- Languages/Scripting: Python, Bash, PowerShell, Splunk SPL, KQL, Regex
- Operating Systems: Windows Server 2019/2022, Ubuntu 22.04, CentOS 8, macOS
- Frameworks: MITRE ATT&CK, NIST SP 800-61, NIST SP 800-53, CIS Controls v8


What Makes This Entry-Level Resume Effective

  • **Alert volume is specific** — "300-400 alerts per 12-hour shift" tells a hiring manager this candidate has handled real SOC volume, not a classroom lab with 10 alerts.
  • **Tools are vendor-specific** — Splunk Enterprise Security, CrowdStrike Falcon Insight XDR, Tenable Nessus, Proofpoint TAP. Each named tool is a separate ATS keyword match.
  • **MITRE ATT&CK is applied, not just listed** — The resume shows how the candidate classifies alerts by tactic (Initial Access, Execution, Persistence), not just "familiar with MITRE ATT&CK."
  • **False positive reduction is quantified** — From 68% to 47% with 15 custom SPL rules. This demonstrates analytical thinking and measurable SOC improvement.
  • **The career progression from IT to security is visible** — Help desk to security intern to SOC Tier 1 is a common and credible path that hiring managers recognize.
  • **Certifications include exam codes and cert numbers** — Security+ (SY0-701), GSEC, Network+ with certification IDs and expiration dates. DoD and government positions require this level of detail.
  • **NSA/DHS CAE-CD designation is noted** — This school designation matters for government and defense contractor positions.

Mid-Career Cybersecurity Analyst Resume (3-7 Years Experience)

Full Resume Example

**DIANA KOWALSKI, CISSP, CySA+**
Denver, CO 80202 | (720) 555-0318 | [email protected] | LinkedIn: linkedin.com/in/dianakowalski-infosec


**PROFESSIONAL SUMMARY**

CISSP-certified cybersecurity analyst with 6 years of progressive experience spanning SOC operations, incident response, and threat hunting at a Fortune 500 financial services firm. Led the incident response for 47 confirmed security incidents in 2025, including 3 ransomware events and 12 business email compromise (BEC) attacks, reducing mean time to contain (MTTC) from 8.2 hours to 3.1 hours through process automation in Palo Alto Cortex XSOAR. Built and tuned 120+ detection rules in Microsoft Sentinel mapped to MITRE ATT&CK techniques across 14 tactic categories. Conducted threat hunting operations using CrowdStrike Falcon OverWatch methodology, identifying 6 previously undetected persistent threats including a supply chain compromise in a third-party SaaS vendor. Manages SOC 2 Type II and PCI-DSS v4.0 evidence collection for annual audits. Pursuing GIAC Certified Incident Handler (GCIH) certification.


**CERTIFICATIONS**

- Certified Information Systems Security Professional (CISSP) — ISC2, Member #789012, Exp. 09/2028
- CompTIA Cybersecurity Analyst (CySA+) (CS0-003) — CompTIA, Cert #COMP001987654, Exp. 12/2027
- CompTIA Security+ (SY0-601) — CompTIA, Cert #COMP001987653, Exp. 12/2027
- AWS Certified Security – Specialty (SCS-C02) — Amazon Web Services, Exp. 03/2028
- Certified Ethical Hacker (CEH v12) — EC-Council, Cert #ECC-345678, Exp. 06/2027


**EDUCATION**

**Master of Science in Cybersecurity Engineering**
University of Colorado Boulder — College of Engineering and Applied Science
Graduated: May 2022

**Bachelor of Science in Computer Science**
Colorado State University — College of Natural Sciences
Graduated: May 2019 | GPA: 3.58 / 4.0


**PROFESSIONAL EXPERIENCE**

**Senior Cybersecurity Analyst / Incident Response Lead** — Charles Schwab, Denver, CO
January 2023 – Present

- Lead incident response for a 24/7 SOC protecting 35,000 endpoints and 12,000 employees across 400+ branch offices, managing a team of 4 Tier 1 and 2 Tier 2 analysts handling 1,800+ alerts weekly in Microsoft Sentinel and CrowdStrike Falcon Insight XDR
- Responded to 47 confirmed security incidents in 2025 including 3 ransomware events (LockBit 3.0, BlackCat/ALPHV, Play), 12 BEC attacks ($2.1M in prevented wire fraud), 8 data exfiltration attempts, and 24 malware infections — achieving 100% containment within 4-hour SLA
- Reduced mean time to contain (MTTC) from 8.2 hours to 3.1 hours by building 35 automated response playbooks in Palo Alto Cortex XSOAR, automating IOC enrichment, endpoint isolation, and account lockout workflows
- Built and tuned 120+ custom detection rules in Microsoft Sentinel using Kusto Query Language (KQL), mapped to MITRE ATT&CK techniques covering Credential Access (T1003, T1110), Lateral Movement (T1021, T1570), Exfiltration (T1041, T1567), and Command and Control (T1071, T1105)
- Conducted quarterly threat hunting campaigns using CrowdStrike Falcon OverWatch methodology and Elastic Security, identifying 6 previously undetected threats: 1 supply chain compromise via compromised SaaS OAuth token, 2 rogue employee data staging operations, and 3 command-and-control beacons communicating through DNS tunneling
- Managed SOC 2 Type II and PCI-DSS v4.0 compliance evidence collection across 14 control domains, coordinating with external auditors (Deloitte) and maintaining a 98% evidence submission rate within 48-hour deadlines across 3 consecutive audit cycles
- Performed internal penetration testing on quarterly cadence across 12 web applications and 8 API endpoints using Burp Suite Professional and Metasploit Framework, identifying 34 vulnerabilities (4 critical, 11 high) and coordinating remediation with development teams within 30-day SLA for critical findings
- Presented monthly threat landscape briefings to the CISO and VP of Technology, covering emerging threat actor TTPs, industry-specific financial sector threats (FIN7, Scattered Spider), and recommended defensive posture adjustments

**Cybersecurity Analyst / SOC Tier 2** — Optiv Security, Denver, CO
August 2020 – December 2022

- Analyzed and investigated 80-120 escalated alerts weekly from Tier 1 analysts in Splunk Enterprise Security across 45 MSSP client environments spanning healthcare, financial services, and retail industries
- Developed 55 Splunk correlation searches and notable event rules that reduced mean time to detect (MTTD) by 41% across monitored environments, from 14.3 minutes to 8.4 minutes average detection-to-alert time
- Performed malware analysis on 200+ samples annually using REMnux, Ghidra, and IDA Pro, creating YARA rules for signature-based detection that caught 23 additional malware variants across client networks
- Executed vulnerability assessments using Rapid7 InsightVM and Tenable.io across 15,000+ assets, generating risk-prioritized remediation reports and tracking patch compliance from 64% to 91% over 18 months
- Authored the Incident Response Plan (IRP) and 12 runbooks aligned to NIST SP 800-61 Rev. 2 phases (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity), adopted by 28 client organizations
- Obtained CISSP certification after completing the required 5 years of professional experience across Security and Risk Management, Security Architecture, and Security Operations domains

**SOC Analyst Tier 1** — Optiv Security, Denver, CO
July 2019 – July 2020

- Monitored 25+ client environments during 12-hour overnight shifts in Splunk Enterprise Security, triaging 250-350 alerts per shift and escalating 15-25 confirmed incidents weekly to Tier 2 analysts
- Processed 30-40 phishing reports daily using Cofense PhishMe and Proofpoint TAP, performing header analysis, URL detonation, and attachment sandboxing with 96% accurate classification rate
- Created 8 Splunk dashboards for real-time SOC metrics tracking: alert volume by source, MTTD, MTTR, false positive rate, and analyst throughput — adopted as the standard SOC dashboard set across 3 shifts


**TECHNICAL SKILLS**

- SIEM/XDR: Microsoft Sentinel, Splunk Enterprise Security, CrowdStrike Falcon Insight XDR, Elastic Security
- SOAR: Palo Alto Cortex XSOAR
- EDR: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint
- Vulnerability Management: Rapid7 InsightVM, Tenable.io, Tenable Nessus
- Penetration Testing: Burp Suite Professional, Metasploit Framework, Nmap, Nikto
- Malware Analysis: REMnux, Ghidra, IDA Pro, YARA
- Cloud Security: AWS (GuardDuty, SecurityHub, CloudTrail, IAM), Azure (Sentinel, Defender for Cloud)
- Languages: Python, KQL, Splunk SPL, Bash, PowerShell, SQL, YARA
- Frameworks: NIST CSF 2.0, NIST SP 800-53 Rev. 5, NIST SP 800-61 Rev. 2, MITRE ATT&CK, CIS Controls v8, ISO 27001:2022, SOC 2 Type II, PCI-DSS v4.0


What Makes This Mid-Career Resume Effective

  • **Incident counts and outcomes are precise** — 47 incidents, 3 ransomware events by name (LockBit 3.0, BlackCat, Play), $2.1M in prevented fraud. These numbers are verifiable and concrete.
  • **MTTC reduction is the headline metric** — From 8.2 hours to 3.1 hours with the automation method (XSOAR playbooks) explained. This shows process improvement, not just alert chasing.
  • **MITRE ATT&CK technique IDs are cited** — T1003, T1110, T1021, T1570, T1041, T1567, T1071, T1105. This level of specificity signals deep familiarity with the framework, not surface-level awareness.
  • **Threat hunting results are specific** — 6 threats found, including supply chain compromise via OAuth token and DNS tunneling C2 beacons. These are real-world findings, not textbook scenarios.
  • **Compliance work names the standards and auditors** — SOC 2 Type II, PCI-DSS v4.0, Deloitte as external auditor, 98% evidence submission rate. Financial sector hiring managers filter on these exact terms.
  • **Career progression is clear** — Tier 1 (2019-2020) to Tier 2 (2020-2022) to Senior/IR Lead (2023-present), all within recognizable companies (Optiv, Charles Schwab).
  • **Cloud security credentials are current** — AWS Certified Security Specialty with specific services named (GuardDuty, SecurityHub, CloudTrail).

Senior Cybersecurity Analyst / Security Architect Resume (8+ Years Experience)

Full Resume Example

**ROBERT NAKAMURA, CISSP, CISM, GCIH**
Washington, D.C. 20001 | (202) 555-0427 | [email protected] | LinkedIn: linkedin.com/in/rnakamura-security


**PROFESSIONAL SUMMARY**

CISSP and CISM-certified cybersecurity leader with 12 years of experience building and managing enterprise security programs across federal government, defense contracting, and Fortune 100 environments. Currently directs a 22-person security operations team at a federal systems integrator, protecting 180,000+ endpoints and 85 PB of classified and unclassified data across Department of Defense (DoD) networks. Designed and implemented a Zero Trust Architecture (ZTA) program aligned with NIST SP 800-207 and OMB M-22-09 that reduced the attack surface by 62% over 24 months. Manages $8.4M annual cybersecurity budget covering personnel, tooling (CrowdStrike Falcon, Palo Alto Cortex XSIAM, Splunk Enterprise Security), and incident response retainer contracts. Led the organization through FedRAMP High authorization, CMMC Level 3 assessment, and NIST SP 800-171 Rev. 3 compliance — zero POA&M findings on most recent assessment. Holds active TS/SCI clearance with CI polygraph.


**CERTIFICATIONS**

- Certified Information Systems Security Professional (CISSP) — ISC2, Member #345678, Exp. 12/2027
- Certified Information Security Manager (CISM) — ISACA, Cert #CISM-901234, Exp. 06/2028
- GIAC Certified Incident Handler (GCIH) — SANS/GIAC, Cert #GCIH-67890, Exp. 09/2027
- GIAC Certified Enterprise Defender (GCED) — SANS/GIAC, Cert #GCED-12345, Exp. 09/2027
- Certified Cloud Security Professional (CCSP) — ISC2, Member #345679, Exp. 03/2028
- AWS Certified Security – Specialty (SCS-C02) — Amazon Web Services, Exp. 06/2028
- CompTIA Security+ (SY0-601) — CompTIA, Cert #COMP001456789, Exp. 09/2027 (DoD 8140 baseline)


**EDUCATION**

**Master of Science in Information Security Engineering**
SANS Technology Institute — Arlington, VA
Graduated: June 2018

**Bachelor of Science in Computer Engineering**
Virginia Tech — College of Engineering
Graduated: May 2013 | GPA: 3.71 / 4.0


**PROFESSIONAL EXPERIENCE**

**Director, Security Operations** — Leidos, Reston, VA
March 2021 – Present

- Direct a 22-person security operations team (8 SOC analysts, 4 incident responders, 3 threat hunters, 2 vulnerability management engineers, 3 security engineers, 2 compliance analysts) protecting 180,000+ endpoints across DoD networks with an annual budget of $8.4M
- Designed and implemented Zero Trust Architecture (ZTA) aligned with NIST SP 800-207 and OMB M-22-09, deploying micro-segmentation (Illumio), identity-aware proxy (Zscaler Private Access), and continuous device trust verification (CrowdStrike Falcon Zero Trust Assessment) — reduced lateral movement attack surface by 62% over 24 months
- Led the organization through FedRAMP High authorization (325 controls), CMMC Level 3 assessment (130 practices), and NIST SP 800-171 Rev. 3 compliance with zero Plan of Action and Milestones (POA&M) findings on the most recent DIBCAC assessment
- Managed deployment of Palo Alto Cortex XSIAM as the primary SIEM/SOAR platform across 14 data centers and 3 cloud environments (AWS GovCloud, Azure Government, GCP), ingesting 4.2 TB of telemetry daily with sub-30-second mean time to alert
- Reduced security incidents by 43% year-over-year (from 312 in 2023 to 178 in 2024) through implementation of automated threat detection, deception technology (Attivo Networks ThreatDefend), and enhanced endpoint hardening per DISA STIG benchmarks
- Established a threat intelligence program integrating MITRE ATT&CK for Enterprise, Mandiant Threat Intelligence, Recorded Future, and CISA Known Exploited Vulnerabilities (KEV) catalog — producing 48 threat intelligence products annually consumed by 6 government agency stakeholders
- Negotiated and managed $2.1M in incident response retainer contracts with CrowdStrike Services and Mandiant, establishing pre-negotiated rates and 2-hour response SLAs for Severity 1 incidents
- Presented quarterly cybersecurity posture briefings to the Chief Information Officer (CIO), Defense Information Systems Agency (DISA) stakeholders, and Authorizing Officials (AOs), covering risk metrics, compliance status, and capital investment recommendations

**Senior Cybersecurity Analyst / Team Lead** — Booz Allen Hamilton, McLean, VA
June 2017 – February 2021

- Led a team of 8 cybersecurity analysts supporting the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program across 12 federal civilian agencies, monitoring 95,000+ endpoints
- Developed and deployed 200+ Splunk Enterprise Security correlation searches aligned to MITRE ATT&CK, increasing threat detection coverage from 47% to 89% of ATT&CK techniques applicable to the federal environment
- Managed vulnerability remediation program using Tenable SecurityCenter across 95,000 assets, reducing critical vulnerability mean time to remediate (MTTR) from 45 days to 12 days through automated ticketing integration with ServiceNow and executive escalation workflows
- Led incident response for 28 significant cyber events including APT-attributed intrusions (APT29/Cozy Bear, APT28/Fancy Bear), coordinating with US-CERT and FBI Cyber Division on attribution and remediation
- Authored the enterprise Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan compliant with NIST SP 800-34 Rev. 1, NIST SP 800-61 Rev. 2, and FISMA requirements — plans adopted across all 12 supported agencies
- Conducted Red Team / Blue Team exercises with quarterly cadence using MITRE ATT&CK Navigator to map coverage gaps, resulting in 34 new detection rules and 12 defensive architecture improvements

**Cybersecurity Analyst** — Northrop Grumman, Chantilly, VA
August 2014 – May 2017

- Performed continuous monitoring and incident response for classified DoD networks (SIPRNet, JWICS) supporting intelligence community missions, maintaining 99.97% network availability across 22,000 endpoints
- Investigated 150+ security events annually using Splunk, ArcSight, and EnCase Forensic, producing incident reports and forensic analysis packages for the Authorizing Official (AO) and Inspector General
- Executed monthly vulnerability assessments using ACAS (Assured Compliance Assessment Solution — Tenable-based) across classified environments, identifying and tracking 4,500+ vulnerabilities to remediation with 95% closure rate within DISA-mandated timelines
- Implemented DISA Security Technical Implementation Guide (STIG) hardening across 800+ Windows Server 2012/2016 and Red Hat Enterprise Linux (RHEL) 7 systems, achieving 98.2% STIG compliance on quarterly audits
- Obtained initial CISSP certification (2016) and TS/SCI clearance with CI polygraph, meeting DoD 8570 IAT Level III requirements

**Information Assurance Analyst** — General Dynamics IT, Fairfax, VA
June 2013 – July 2014

- Supported Risk Management Framework (RMF) Authorization to Operate (ATO) packages for 6 DoD information systems, documenting security controls per NIST SP 800-53 Rev. 4 and preparing artifacts for DISA CCRI inspections
- Conducted annual security control assessments on 6 systems totaling 1,400+ controls, identifying 23 deficiencies and coordinating POA&M remediation within 90-day deadlines
- Performed System Security Plan (SSP) development and maintenance, vulnerability scanning with ACAS, and Plan of Action and Milestones (POA&M) tracking for all assigned systems


**TECHNICAL SKILLS**

- SIEM/XDR: Palo Alto Cortex XSIAM, Splunk Enterprise Security, Microsoft Sentinel, ArcSight, Elastic Security
- SOAR: Palo Alto Cortex XSOAR, Splunk SOAR (Phantom)
- EDR: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Carbon Black
- Zero Trust: Zscaler Private Access, Illumio, CrowdStrike Falcon ZTA
- Vulnerability Management: Tenable SecurityCenter (ACAS), Rapid7 InsightVM, Qualys VMDR
- Forensics: EnCase Forensic, FTK, Volatility, Autopsy, Velociraptor
- Threat Intelligence: Mandiant, Recorded Future, MISP, CISA KEV
- Penetration Testing: Metasploit, Cobalt Strike, BloodHound, Burp Suite
- Cloud Security: AWS GovCloud (GuardDuty, SecurityHub, Macie), Azure Government (Sentinel, Defender), GCP
- Scripting: Python, PowerShell, Bash, KQL, SPL, YARA
- Frameworks: NIST CSF 2.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 3, NIST SP 800-207 (ZTA), MITRE ATT&CK, CIS Controls v8, ISO 27001:2022, FedRAMP, CMMC, FISMA, DISA STIGs, SOC 2 Type II, PCI-DSS v4.0


What Makes This Senior Resume Effective

  • **Budget ownership signals leadership** — $8.4M annual budget and $2.1M in IR retainer contracts. Security leadership roles require demonstrable financial stewardship.
  • **Zero Trust implementation is concrete** — NIST SP 800-207 alignment, specific tools (Illumio, Zscaler, CrowdStrike ZTA), and a measurable result (62% lateral movement reduction). This is not "implemented zero trust strategy."
  • **Compliance results are audit-verified** — FedRAMP High, CMMC Level 3, NIST 800-171 with zero POA&M findings on DIBCAC assessment. These are verifiable through government audit records.
  • **APT attribution is named** — APT29/Cozy Bear, APT28/Fancy Bear, coordination with US-CERT and FBI Cyber Division. This signals work at the highest classification levels.
  • **Team size and structure are explicit** — 22 people broken into 8 SOC analysts, 4 IR, 3 threat hunters, 2 VM engineers, 3 security engineers, 2 compliance analysts. This tells a hiring manager exactly what scope of management this candidate brings.
  • **Clearance is stated clearly** — "TS/SCI with CI polygraph" in the summary. For federal and defense roles, this is often a hard filter.
  • **Career progression spans four recognizable defense contractors** — General Dynamics, Northrop Grumman, Booz Allen Hamilton, Leidos. Each is a known prime contractor that validates experience claims.

Common Cybersecurity Analyst Resume Mistakes

Mistake 1: Listing Tools Without Context

**Wrong:** "Experienced with Splunk, CrowdStrike, Nessus, and Wireshark."

**Right:** "Built 55 Splunk Enterprise Security correlation searches mapped to MITRE ATT&CK techniques that reduced mean time to detect (MTTD) by 41%, from 14.3 minutes to 8.4 minutes across 45 MSSP client environments."

Why it matters: A tool list tells a hiring manager nothing about how you used the tool, at what scale, or what outcome it produced. Every tool name should appear inside a bullet that includes volume, outcome, or scope.

Mistake 2: Missing Incident and Alert Metrics

**Wrong:** "Monitored security events and responded to incidents."

**Right:** "Triaged 300-400 alerts per 12-hour shift in Splunk ES, escalating 15-25 confirmed incidents weekly to Tier 2 analysts within 15-minute SLA. Reduced false positive rate from 68% to 47% through 15 custom SPL correlation rules."

Why it matters: Every SOC role has measurable throughput — alerts triaged, incidents handled, MTTD, MTTR, MTTC, false positive rates. Without these numbers, a recruiter cannot compare you to other candidates or assess whether you operated in a small shop (50 alerts/day) or a major SOC (500+).

Mistake 3: Generic Framework References

**Wrong:** "Knowledge of NIST and ISO security frameworks."

**Right:** "Managed SOC 2 Type II and PCI-DSS v4.0 compliance evidence collection across 14 control domains. Authored security controls documentation per NIST SP 800-53 Rev. 5 for FedRAMP High authorization (325 controls)."

Why it matters: "NIST" is not a framework — it is an organization that publishes dozens of frameworks. ATS systems parse for specific publication numbers (800-53, 800-61, 800-171) and standard designations (SOC 2 Type II, PCI-DSS v4.0, ISO 27001:2022). The generic version triggers zero keyword matches for the specific standard the job posting requires.

Mistake 4: Omitting Clearance and Compliance Credentials

**Wrong:** "Security clearance held."

**Right:** "Active TS/SCI clearance with CI polygraph. CompTIA Security+ (SY0-701) meeting DoD 8140 Cyberspace Workforce baseline requirements for Cyber Defense Analyst (212) work role."

Why it matters: Government and defense cybersecurity positions — which represent approximately 30% of the U.S. cybersecurity job market — have hard clearance requirements and mandatory DoD 8140 (formerly 8570) certification baselines. Vague clearance references fail the automated filter. Be specific about clearance level, polygraph type, and which DoD work role your certifications satisfy.

Mistake 5: Writing a Functional Resume Instead of Reverse Chronological

**Wrong:** A skills-based layout grouping experience under categories like "Incident Response," "Vulnerability Management," and "Compliance" without clear timelines and employers.

**Right:** Reverse chronological format with employer names, dates, and title progression that shows career growth from Tier 1 to senior roles.

Why it matters: ATS systems are built to parse reverse chronological resumes. They extract company names, dates, and titles from expected positions on the page. A functional format confuses the parser and often results in missing or misattributed experience data. Security hiring managers also specifically look for career progression — moving from Tier 1 to Tier 2 to IR lead to management is a signal of verified competence.

Mistake 6: Listing Certifications Without Exam Codes or Issuing Bodies

**Wrong:** "Certified: Security+, CEH, CISSP"

**Right:** "CompTIA Security+ (SY0-701) — CompTIA, Cert #COMP001234567, Exp. 03/2029 | Certified Ethical Hacker (CEH v13) — EC-Council, Cert #ECC-345678, Exp. 06/2027 | CISSP — ISC2, Member #789012, Exp. 09/2028"

Why it matters: Bare acronyms can match multiple certifications or be ambiguous. "CEH" without EC-Council and version number could be any edition. CISSP without the ISC2 member number cannot be verified. Government positions and FedRAMP-authorized contractors require verifiable credentials, and some ATS systems search for the exam code (SY0-701) as a separate keyword from the certification name.

Mistake 7: Ignoring Cloud Security Entirely

**Wrong:** A resume in 2026 that mentions only on-premises tools with no reference to cloud platforms. **Right:** "Managed security monitoring across AWS GovCloud (GuardDuty, Security Hub, CloudTrail), Azure Government (Sentinel, Defender for Cloud), and GCP using native CSPM and CWPP tools." Why it matters: ISC2's 2024 Workforce Study identified cloud security as one of the top skills gaps in the industry. Nearly every organization runs hybrid or multi-cloud environments, and job postings increasingly require experience with cloud-native security services. A resume with zero cloud security mentions in 2026 signals a candidate who has not kept pace with the industry.


ATS Keywords for Cybersecurity Analyst Resumes

Security Tools & Platforms

Splunk Enterprise Security, CrowdStrike Falcon, SentinelOne Singularity, Palo Alto Cortex XSIAM, Microsoft Sentinel, Elastic Security, ArcSight, Palo Alto Cortex XSOAR, Tenable Nessus, Qualys VMDR, Rapid7 InsightVM, Burp Suite Professional, Metasploit Framework, Wireshark, Nmap

Frameworks & Standards

NIST Cybersecurity Framework (CSF) 2.0, NIST SP 800-53 Rev. 5, NIST SP 800-61 Rev. 2, NIST SP 800-171, NIST SP 800-207, MITRE ATT&CK, CIS Controls v8, ISO 27001:2022, SOC 2 Type II, PCI-DSS v4.0, FedRAMP, CMMC, FISMA, HIPAA Security Rule, DISA STIGs

Certifications

CompTIA Security+ (SY0-701), CompTIA CySA+ (CS0-003), CISSP, CISM, CEH, GSEC, GCIH, GCED, CCSP, AWS Certified Security – Specialty, OSCP

Techniques & Disciplines

Incident Response, Threat Hunting, Vulnerability Management, Penetration Testing, Malware Analysis, Digital Forensics, Security Operations Center (SOC), Alert Triage, Threat Intelligence, Risk Assessment, Zero Trust Architecture, Cloud Security, Identity and Access Management (IAM), Security Awareness Training

Metrics to Include

Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to Contain (MTTC), False Positive Rate, CVSS Score, Vulnerability Closure Rate, Patch Compliance Percentage, Incident Volume, Alert Throughput, STIG Compliance Score

Frequently Asked Questions

Should I get CompTIA Security+ or go straight for CISSP?

Start with CompTIA Security+ (SY0-701). CISSP requires five years of cumulative paid work experience in at least two of eight ISC2 domains — you cannot sit for the exam without it (or you become an Associate of ISC2 and have six years to earn the experience). Security+ serves as an immediate credential for entry-level roles, meets the DoD 8140 baseline requirement for multiple cyber work roles, and counts as one year toward the CISSP experience requirement. The typical career path is Security+ (year 0-1), CySA+ (year 2-3), CEH or GCIH (year 3-4), and CISSP (year 5+). Each certification builds on the previous and opens progressively senior roles. Security+ alone qualifies you for SOC Tier 1, junior analyst, and IT security specialist positions paying $65,000-$90,000. CISSP unlocks senior analyst, security architect, and management roles paying $130,000-$180,000+.

How do I transition from IT support to cybersecurity?

The most common path is IT help desk or system administration to SOC Analyst Tier 1. Start by earning CompTIA Security+ while in your current IT role — the exam covers network security, threats, and risk management fundamentals. Apply for SOC Tier 1 positions at managed security services providers (MSSPs) like Secureworks, Optiv, Rapid7, or Arctic Wolf — these companies hire heavily from IT backgrounds because they value candidates who understand how networks and endpoints actually work. On your resume, reframe your IT experience to highlight security-adjacent tasks: account provisioning and deprovisioning (identity management), patching and system updates (vulnerability management), antivirus alert handling (endpoint detection), and firewall rule requests (network security). Build a home lab using Security Onion, Splunk Free, and vulnerable virtual machines or hands-on lab platforms (HackTheBox, TryHackMe) to demonstrate practical skills. Many entry-level SOC positions pay $60,000-$85,000 and provide extensive on-the-job training with production SIEM tools.

How important is a security clearance for cybersecurity jobs?

It depends on the sector you target. In the Washington, D.C., Northern Virginia, and Maryland corridor — the largest cybersecurity job market in the United States — approximately 40-50% of cybersecurity positions require at least a Secret clearance, and senior positions frequently require TS/SCI with polygraph. Defense contractors (Leidos, Booz Allen Hamilton, Northrop Grumman, Raytheon, General Dynamics) cannot sponsor new clearances for most analyst positions — they need candidates who already hold active clearances. For the private sector (tech companies, financial services, healthcare), clearances are rarely required but may be a differentiator if you work with government clients. If you can obtain a clearance through military service, a government civilian position, or a defense contractor that sponsors clearances for specific contracts, it significantly expands your job market. TS/SCI-cleared cybersecurity analysts typically earn a 15-25% salary premium over their non-cleared counterparts in the same geographic area.

What is the difference between a Cybersecurity Analyst and a Penetration Tester?

A cybersecurity analyst is fundamentally a defensive (Blue Team) role focused on monitoring, detecting, and responding to threats. Your daily work involves triaging SIEM alerts, investigating incidents, hunting for threats, managing vulnerabilities, and ensuring compliance with security frameworks. A penetration tester (Red Team) is an offensive role focused on simulating attacks — exploiting vulnerabilities in networks, applications, and physical security to test an organization's defenses. Both roles require different toolsets (Splunk and CrowdStrike for analysts vs. Metasploit and Cobalt Strike for pen testers) and different certifications (CySA+ and GCIH for analysts vs. OSCP and GPEN for pen testers). Many professionals start as analysts and later specialize in penetration testing, or work in "Purple Team" roles that combine both disciplines. Analyst roles are more numerous — BLS counts 182,800 information security analyst positions — while dedicated penetration tester roles are a smaller subset of the field but often command premium compensation ($120,000-$200,000+ for OSCP-certified testers with 5+ years of experience).

Do I need a degree in cybersecurity to get hired?

A bachelor's degree is listed as a requirement on approximately 70% of cybersecurity analyst job postings, according to BLS, but the field is more flexible than many other professions. Relevant degrees include cybersecurity, computer science, computer engineering, information technology, and information systems. Programs designated as NSA/DHS Centers of Academic Excellence in Cyber Defense (CAE-CD) carry additional weight with government employers. However, candidates with strong certifications (Security+, CySA+, GSEC), practical experience (home labs, CTF competitions, open-source contributions), and demonstrated skills from IT roles regularly land cybersecurity positions without cybersecurity-specific degrees. Military veterans with signals intelligence (SIGINT) or cyber operations MOS codes frequently transition to civilian analyst roles based on their clearance and operational experience alone. For candidates without degrees, the certification path becomes more important: Security+ plus a year of SOC experience often outweighs a degree with no certifications in hiring decisions. SANS GIAC certifications (GSEC, GCIH, GCED) are particularly valued because they require practical hands-on exams.

Sources

  1. U.S. Bureau of Labor Statistics, "Information Security Analysts," Occupational Outlook Handbook, https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm — Median salary $124,910 (May 2024), 29% projected growth 2024-2034, 16,000 annual openings, 182,800 employed.
  2. ISC2, "2024 Cybersecurity Workforce Study," https://www.isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study — 4.8 million workforce gap, 5.5 million active professionals, 90% report skills shortages, 19.1% gap increase YoY.
  3. CompTIA, "The CompTIA Cybersecurity Career Pathway," https://www.comptia.org/en-us/blog/the-comptia-cybersecurity-career-pathway-employable-skills-found-here/ — Security+ to CySA+ to PenTest+ to CASP+ certification progression, DoD 8140 baseline requirements.
  4. NIST, "Cybersecurity Framework (CSF) 2.0," https://www.nist.gov/cyberframework — Six core functions (Govern, Identify, Protect, Detect, Respond, Recover), reference for enterprise security program structure.
  5. MITRE, "ATT&CK for Enterprise," https://attack.mitre.org/ — 14 tactic categories and 200+ techniques for classifying adversary behavior and mapping detection coverage.
  6. CISA, "Cyber Defense Incident Responder Work Role," https://www.cisa.gov/careers/work-rolescyber-defense-incident-responder — Federal incident response role requirements, knowledge areas, and skill competencies.
  7. SentinelOne, "Top 10 SIEM Tools for 2025," https://www.sentinelone.com/cybersecurity-101/data-and-ai/siem-tools/ — Market overview of Splunk, CrowdStrike Falcon, Palo Alto Cortex XSIAM, Microsoft Sentinel, and Elastic Security.
  8. ISC2, "Growth of Cybersecurity Workforce Slows in 2024," https://www.isc2.org/Insights/2024/09/ISC2-Publishes-2024-Cybersecurity-Workforce-Study-First-Look — Budget cuts (37% increase), layoffs (25% of respondents), 66% job satisfaction rate.
  9. Destination Certification, "Top Cybersecurity Certifications for 2025," https://destcert.com/resources/top-cybersecurity-certifications/ — CISSP experience requirements (5 years), Security+ as entry-level baseline, CEH prerequisites.
  10. U.S. Bureau of Labor Statistics, "Employment Projections: 2024-2034 Summary," https://www.bls.gov/news.release/ecopro.nr0.htm — Cross-occupation growth comparisons, information security analysts among fastest-growing occupations.

Blake Crosley — Former VP of Design at ZipRecruiter, Founder of Resume Geni

About Blake Crosley

Blake Crosley spent 12 years at ZipRecruiter, rising from Design Engineer to VP of Design. He designed interfaces used by 110M+ job seekers and built systems processing 7M+ resumes monthly. He founded Resume Geni to help candidates communicate their value clearly.

