Date: 2025-08-07

Despite uncertainties, major cybersecurity companies are doing great. At the same time, cyber pros on social media are frustrated over hiring freezes or even layoffs, unrealistic requirements, and a lack of opportunities. What’s going on?

“Where are the Cybersecurity jobs?” cyber pros continuously ask on Reddit and share their horror stories of submitting hundreds of applications and attending multiple interviews only to get the “rug pulled at the end.” Some get fired.

The sense of distress seems widespread, and newcomers, who were promised an easy entry into the field without prior experience, feel they’ve been lied to.

On the other side of the coin, spending on cybersecurity increases, revenues grow by double digits, and companies demonstrate confident forward guidance.

Gartner forecasts double-digit growth in end-user cybersecurity spending this year and next.

“Despite rosy earnings reports and massive funding rounds, many cybersecurity companies have quietly paused hiring. Junior roles are evaporating. Mid-career pros are being told to ‘hang tight.’ And those ‘we’re always hiring’ LinkedIn posts? Often smoke and mirrors,” Jay Bavisi said.

Palo Alto Networks (PAN), the largest pure-play cybersecurity company by market capitalization, has announced it’s swallowing CyberArk in a deal valued at over $20 billion. PAN is expected to report over 15% earnings growth in Q4, after its earnings grew by 23% in Q3 compared to the same period last year (non-GAAP).

CrowdStrike reported record cash flows, as its revenues increased by 20% compared to the previous year in the quarter that ended April 30th, 2025. But later, it announced it would cut 5% of its workforce, or 500 people.

The latest quarterly income statements demonstrate impressive revenue growth for the largest players: 14% for Fortinet, 28% for Cloudflare, 23% for Zscaler, according to Google Finance aggregated data. Big tech companies with large cybersecurity divisions, such as Microsoft, Cisco, or Broadcom, also reported double-digit revenue growth.

While AI is a part of the explanation, it is not the wedge between company growth and job market stagnation. A bigger shift is happening in the cybersecurity market, which could be broadly described as “platformization.”

Companies are prioritizing subscriptions over staff

While cybersecurity budgets are growing, they’re also shifting: companies are now prioritizing outsourced services, automation, and AI-buzzworded platforms instead of increasing headcount. This trend is imploding the demand for entry-level cybersecurity positions.

“It’s not that AI is taking all the jobs, but it’s reshaping what the job is,” Bavisi explains.

“Companies no longer want someone who can just read logs or escalate alerts. They want strategic thinkers, people who can build frameworks, interpret high-level risk, and, increasingly, prompt AI to do the rest. In short: the bar’s been raised, and the ladder’s been pulled up.”

Eric O'Neill, National Security Strategist at NeXasure.ai and former FBI counter-terrorism and counterintelligence operative, explains that many entry-level cybersecurity positions have been absorbed by tools that now handle basic detection and response.

“Firms are spending more on cloud security, network tools, and managed service providers,” O'Neill said. “The headcount isn’t rising with that spend because companies are prioritizing tech over staffing.”

Corporate executives want to achieve “more with fewer employees,” prefer results over payroll, and the focus shifts toward managed services in cybersecurity. Ultimately, the money flows into the profit margins of providers offering technologies that promise scale.

“If external teams or software can deliver faster and cheaper, that’s where the funds go. Internal hiring is no longer viewed as the best investment, especially when tasks can be automated or outsourced,” O'Neill explains.

AI is clearly part of this trend. Even HR teams nowadays sort through “massive piles of resumes” using AI tools without much clarity on how the decisions are made. Traditional resumes don’t survive the filter, leaving qualified candidates wondering why they’re not hearing back.

Academia sees evidence that cybersecurity budgets are increasingly going toward third-party cybersecurity vendors and service providers.

“While this may solve immediate operational needs, it can limit the long-term development of internal cybersecurity talent, especially entry-level professionals looking for growth,” said Dr. Michelle Angelo-Rocha, cyber workforce researcher at Cyber Florida, the Florida Center for Cybersecurity at the University of South Florida.

Many companies are still in the process

The shift is not yet over: many companies are still in the process of deploying the evolving advanced technologies needed to thwart complex cyberthreats, such as EDR and XDR systems, according to Tony Anscombe, Chief Security Evangelist at ESET, a global cybersecurity vendor.

“If the company wants to accelerate their move into this environment, they may choose to use Managed Detection and Response (MDR), outsourcing a large operational element of their security needs. So, this is not directly spending money on people, but a managed service provision service includes people and technology,” Anscombe said.

With limited resources and vast quantities of EDR data, task automation is essential. AI now analyzes the data, spots bad activities, and sends alerts while ensuring speed and accuracy.

“While this may seem negative to the job market, it also makes the work environment more engaging with the more interesting tasks requiring human intervention,” Anscombe explained.

Cyber insurers and compliance are another driving factor, requiring companies to have experienced teams. Instead, companies may opt to outsource operations, reducing the need for less qualified analysts.

In any case, the move to managed services requires large budgets.

Some thinkers warn that this trend might become a huge subscription trap in the long run.

A stark warning: companies end up spending more for less

Internet pioneer Wes Kussmaul warns that cybersecurity is already a “$240 billion Wrinkle Treatment Industry.” Wes Kussmaul created the world’s first online encyclopedia in 1981 and founded Delphi Internet Services, which was sold to Rupert Murdoch's News Corporation in 1993. He currently serves as president of the Authenticity Alliance.

“What is the Wrinkle Treatment Industry? It’s an industry that thrives as long as its products don't actually solve the problem,” Kussmaul said.

“Despite the increased annual revenue generated by cybersecurity companies, breaches and attacks continue to rise.”

Kussmaul warns that cybersecurity vendors continue selling the “new shiny object” to customers under the illusion that it will solve their security problems. The companies end up spending more for less, while vendors keep generating profits.

“The cybersecurity industry has conditioned organizations to believe that higher spending on cybersecurity products equates to stronger security. As a result, companies place disproportionate trust in vendors, which contributes to job market stagnation even while vendor revenues grow,” Kussmaul believes.

“AI plays little to no role in reducing hiring needs. Instead, it is used as a tool to deepen the illusion of complete security.”

Access to expensive tools and platforms might give companies a false sense of protection and keep them trapped in an endless cycle of upgrading and reinvesting to “stay secure,” often without materially improving their security posture.

“For example, Google’s new Google Unified Security (GUS) platform was projected to blend Mandiant’s threat intelligence with AI-driven tools and promises a comprehensive solution (securing data and detecting threats across organizations). Yet, GUS is another complex ‘Catch the Bad Guys’ solution that increases costs and tool sprawl without addressing the fundamental issues of security failures,” Kussmaul said.

The expert believes that cybersecurity, instead of a $240 billion industry, could be a $24 billion industry, “if cybersecurity uses the set of assumptions that we use in buildings, accountability-based assumptions.”

Ben Goodman, CEO and founder at CyRisk, has already noticed buyer’s remorse.

“Companies spend lots of $$ on security solutions and they're still getting breached. There is no standard measure for the efficacy (quality) of any given security solution. After years of spending with no clear ROI, many companies have reined in their overall security budgets,” Goodman writes.

“They've learned that just throwing money at the problem isn't going to make it go away. They're still spending, just being slower and more judicious.”

How can cyber pros benefit from a dry market?

Cybernews asked experts to share their insights on how cyber pros can pivot to meet market realities.

“If your role is built on repeatable tasks, it’s time to learn something new. The people getting hired are the ones who can work with modern tools, build automated systems, or bridge gaps between tech and strategy,” O'Neill from NeXasure.ai said.

“If you’re still manually digging through tickets and logs, you’re on the wrong track. Look ahead two years. Then start training like you’re already competing for that future role—because you are.”

However, a degree in Cybersecurity won’t be enough. Anscombe from ESET assures that many companies require industry-recognized certifications such as CISSP.

“If this requires taking a less prestigious position, it will reap benefits in the longer term,” the expert said.

Unfortunately, certifications are also not enough. Currently, there are over half a million open cybersecurity positions across the US, according to CyberSeek. Yet many job seekers remain underemployed due to unrealistic hiring expectations, Dr. Michelle Angelo-Rocha from Cyber Florida explains.

“Many organizations still rely on ‘experience-based gatekeeping,’ requiring 3–5 years of experience even for entry-level roles. As a result, candidates with certifications, education, and potential are often excluded because they haven’t yet had the opportunity for real-world, hands-on experience,” Angelo-Rocha said.

That might not be enough. Now, cyber professionals are expected to juggle multiple disciplines simultaneously, adapt quickly, have strong communication skills, and possess insights into human behavior – essentially, to be unicorns, mythological creatures that no one has ever seen in existence.

“Right now, we’re tracking just over 120 ‘cool’ jobs across the industry. These are legit, high-quality openings – mostly senior-level roles. What’s missing is scale and volume, especially for early-career folks,” Chris Camacho, COO and Co-founder at Abstract Security and CoolJobs.ai, added.

Bavisi from EC-Council acknowledges that there’s no cybersecurity talent shortage – we have a skill mismatch.

“Here’s the good news: there’s still money in the system. Just because it’s not flowing through traditional channels doesn’t mean that professionals can’t benefit. But it does require a mindset shift,” Bavisi said.

“The challenge now is not just to protect the network, but to protect your place in the network.”

While upskilling and specialization are some options, Bavisi encourages cyber pros to think like vendors.

“Build a Brand: Hiring may be frozen, but contracting is red hot. Those who position themselves as a subject matter expert through thought leadership, open-source contributions, and speaking engagements, thrive,” Bavisi said.

“Security roles within startups, product security, and customer success engineering are growing, even if traditional roles are not.”