Career Switchers · Primly Community

software engineer switching to security: what certs actually matter and what the interview loop looks like

sec_sasha · 4 replies

made this move about three years ago. was a backend swe, now appsec. the swe-to-security track is genuinely one of the better switches in 2026 if you have the right background, and the interview process is pretty different from typical swe loops. here's what i know.

certs. everyone asks about this. security+ is a checkbox for some job postings but doesn't carry much weight in actual conversations. OSCP is the one that gets reactions, especially for pentest-adjacent or offensive-track roles. for appsec specifically, the cert that helped me most was actually just being able to talk about CVEs, OWASP top 10, and doing a few bug bounty writeups. concrete demonstrated experience beats paper qualifications pretty consistently.

what the interview loop looks like for appsec/product security roles at tech companies (not regulated enterprises): usually a phone screen with the recruiter, a technical screen that might be CTF-style challenge or whiteboard threat modeling, a panel with a mix of security and engineering stakeholders, and sometimes a separate behavioral round with the hiring manager. the technical content is more specific than swe loops. you'll get questions like 'walk me through how you'd find an SSRF vulnerability in this service' or 'what would you look for in a code review of this auth flow.'

the swe background is a genuine advantage because you understand the developer side and can explain vulnerabilities in terms of code, not just theory. the biggest gap for most swe-to-security switchers is the adversarial thinking. you have to actually enjoy asking 'how could this be broken' more than 'how do i build this correctly.' if you don't find that mode of thinking natural, appsec will grind you down.

comp. appsec at mid-to-large tech companies in SF/NYC 2026: senior range $220k-$310k TC depending on company and equity. it's broadly comparable to senior swe, sometimes slightly lower at FAANG but sometimes higher at companies where security is understaffed.

if you have a swe background and are thinking about this switch, happy to be more specific.

4 replies

ml_mike

the CTF route is underrated. i have a friend who made this exact transition primarily by doing CTFs consistently for about a year and being able to talk about specific writeups in interviews. no certs, just demonstrated competence. it's slower but it's real.

visa_vik

is the security job market actually better than swe right now? i've heard that because demand outpaces supply it's somewhat more resilient. wondering if anyone has data on that vs. just vibes.

sec_sasha

my impression is yes, though i'm not looking right now so i can't give you live data. the constraint is that entry-to-mid security roles want people who can hit the ground running, so the 'supply' issue is really a 'experienced supply' issue. juniors still struggle. but if you have solid appsec or cloud security background at 3+ years, it's notably faster to close offers than pure swe right now in my network's experience.

infra_ines

cloud security specifically seems to have a lot of demand right now. there's a lot of infra people i know who've shifted toward the security side of cloud/k8s work and it's going well for them. if you have an infra background the pivot is pretty natural.