
Cybersecurity leaders often warn of a global talent shortage, with a 2024 ISC2 workforce study estimating a global shortfall of 4.8 million cybersecurity professionals. Yet countless graduates and aspiring practitioners struggle to land even an entry-level role in offensive security. There’s a disconnect between the narrative of scarcity and the reality that many fresh, capable candidates can’t get a foot in the door. This paradox is holding our industry back.
In this blog, I’ll explore why this gap exists and how we can bridge it through mentorship, realistic hiring, and early-career programs. The goal: build a sustainable offensive security talent pipeline.
The Paradox of the Cybersecurity Talent Shortage
On paper, the talent gap looms large. Industry reports consistently cite unfilled roles across information security. In the U.S. alone, there are hundreds of thousands of open cybersecurity jobs, and the demand for skills like penetration testing and Red Teaming is higher than ever.
But hiring patterns tell a different story. Instead of cultivating new talent, many organizations focus on hiring already-seasoned experts. Nearly 33% of security teams have no entry-level practitioners at all, and 62% of hiring managers prioritize mid- and senior-level roles over junior ones. This leaves a gaping hole where a talent pipeline should be and intensifies competition for a limited pool of experienced professionals.
Meanwhile, interest in cybersecurity careers is surging: the number of U.S. cybersecurity graduates has more than doubled, from 10k to 24k, in five years. Beyond formal degrees, there’s a boom in bootcamps, certifications, capture-the-flag (CTF) competitions, and self-taught hackers eager to join the ranks. In offensive security especially, many demonstrate serious dedication through self-practice in labs and CTFs. The next generation is ready to hack – so why aren’t we giving them more opportunities?
Entry-Level Barriers in Offensive Security
Entry-level opportunities in offensive security (penetration testing, Red Teaming, assessments) remain scarce. Postings for “Junior Penetration Tester” or “Associate Security Consultant” often ask for 3–5 years of experience, multiple certifications, or skills only a seasoned pro would have. It’s a catch-22 for newcomers: they’ve trained and studied but can’t meet unrealistic requirements.
Why set the bar so high? Partly because mentoring a junior requires time. Offensive work is high stakes: it touches critical systems and requires creativity and judgment. Many teams feel they lack the bandwidth to train someone new. There’s also fear that a trained junior will soon leave for a better-paying role. For smaller orgs, it may seem safer to hire veterans who can hit the ground running.
However, these concerns have led to an industry-wide hesitance to hire fresh talent at all – a trend that is unsustainable. By only hiring already-seasoned experts, organizations are drawing from a finite pool and neglecting to cultivate new talent. As one industry observer put it, “there are no entry-level positions [because few are] willing to take on the risk of reducing their core team’s capacity to mentor.” This mindset reinforces high barriers of entry and leaves many capable newcomers on the sidelines.
The result: a persistent shortage of seniors, and juniors who can’t become seniors because no one gave them a start.
Mentorship and Realistic Hiring: Bridging the Gap
To break this cycle, we must rethink how people enter the field. It starts with mentorship and realistic expectations in hiring. Security teams should be built with varying experience levels, where senior mentors guide junior practitioners. When processes are structured (not reliant on “hero” experts), juniors can take on foundational tasks and grow, while seniors focus on higher-level challenges and coaching.
This apprentice-style model is common in other fields, from engineering to medicine. Security can adopt the same. It may require cultural change: valuing teaching ability in senior hires and rewarding those who build talent, not just those who put out fires.
Crucially, entry-level job descriptions should reflect reality. Instead of listing every tool or cert, focus on foundational knowledge (basic programming, networking, a hacker mindset) and a drive to learn. Define roles by potential, not years of experience. A positive trend is that some industry initiatives now explicitly encourage this. The latest ISC2 workforce study urges organizations to “expand cyber workforce opportunities and focus on skills development,” highlighting on-the-job training as essential for developing a skilled workforce.
Mentorship programs can formalize this. Pair junior hires with experienced staff, set goals, hold check-ins. Yes, training takes time, but it pays off. Junior team members ramp faster and become loyal, long-term contributors. Many of us owe our careers to a mentor who believed in us. Now it’s our turn to pay it forward.
A culture of teaching doesn’t just benefit juniors; it also energizes mentors and sharpens the whole team’s knowledge. After all, teaching is one of the best ways to learn.
Investing in Early-Career Talent Programs
Beyond individual hires, companies should prioritize early-career development as a strategy. Internships, apprenticeships, and in-house academies can bridge the academic-to-industry gap and create a reliable pipeline of talent aligned with organizational needs.
At Bishop Fox, we’ve invested in internship and apprenticeship programs to grow the next generation of offensive security professionals. Our 24-week internship includes 12 weeks of training (on tools like Burp Suite and our attack surface management service) followed by 12 weeks on real client projects. Interns are never “lone foxes;” they’re mentored every step of the way by our Delivery team.
This approach transforms raw talent into contributing team members in months, while reinforcing our learning-first culture. A well-designed program gives aspiring pros the chance to prove themselves and gives organizations fresh perspectives and homegrown talent fluent in their tools and methodologies.
As one Bishop Fox leader noted, we have incredible veteran talent, “but we also know that emerging talent brings new ideas, techniques, and perspectives… fundamental to… the next levels of success.” Nurturing early careers isn’t charity or only a feel-good effort; it’s a strategic advantage.
More companies are catching on by launching apprenticeships, university partnerships, and junior rotational roles. These efforts, scaled broadly, could dramatically strengthen our security posture over time.
A Call to Build the Offensive Security Pipeline
We urge our clients and peers to play the long game. Embracing early-career talent is an investment in resilience. Yes, it takes patience: mentors must be allocated, junior mistakes accepted. But the payoff is a sustainable talent pipeline and a team that grows with you.
You won’t be perpetually stuck fighting over the same few resumes of senior operators. Instead, you’ll be cultivating your own “farm team” of offensive security practitioners who develop loyalty and deep institutional knowledge.
Here’s how to start:
- Reevaluate job requirements: Focus on core competencies, not excessive experience or certs.
- Build mentorship into your culture: Give senior staff dedicated time for coaching.
- Offer internships/apprenticeships: Treat them as long-term investments with real deliverables.
- Collaborate and share: Partner with universities, contribute to open-source training, support CTFs.
By embracing these practices, organizations can turn the talent shortage into a talent pipeline. It’s a shift from expecting “job-ready” experts to growing your own experts.
Let’s invest in the future and build the cybersecurity workforce we need, one entry-level opportunity at a time.