In a series of blogs, we’ll be using NIST’s NICE Cyber Security Workforce Framework to define human requirements for jobs in cybersecurity. A range of organizations in the public, private and academic sectors now use this approach.



It’s been too easy in recent times to lay the recruitment struggles of the cybersecurity industry at the door of the so-called skills gap. The real challenge is more complex. Businesses looking to recruit staff, for example, maybe averse to paying top dollar for a self-taught ‘hacker’ with no college degree. The same applies to those aspiring to move into entry-level roles who may have taken useful and effective hands-on training but have no way of differentiating themselves when they lack formal experience. And the list of barriers for both businesses and applicants goes on. Put simply, the root of much of this is the speed at which cybersecurity as an industry has developed.


To address some of these issues, the US National Institute of Standards and Technology (NIST) has built the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. It can improve the way organizations identify, recruit, develop and nurture cybersecurity talent by helping them to interpret their workforce and identify skill gaps. In 2019, the Whitehouse encouraged US Federal Government agencies to adopt NICE in an Executive Order.


The framework shows cybersecurity leaders what abilities their team needs, enabling them to identify skill gaps, map career development, and understand the role of each member. For cybersecurity pros, it offers guidance towards achieving career progression or making the jump from one role to another. In this series we will help you understand the five most common of these work roles. Next up is Vulnerability Assessment Analyst.


Vulnerability Assessment Analyst




  • Vulnerability Assessor
  • Penetration Tester
  • Red Teamer


Category: Protect and Defend
Area: Vulnerability Assessment and Management


What is a Vulnerability Assessment Analyst?


Vulnerability Assessment Analysts are cybersecurity trouble-seekers; they scan applications, systems and networks looking for vulnerabilities and deviations from acceptable configurations, enclave policy or local policy. They must present their findings in a comprehensive list (the vulnerability assessment) which their clients can use to improve their security posture.

The Vulnerability Assessment Analyst role covers both vulnerability assessment and penetration testing and also extends to some elements of red teaming. Vulnerability assessments and penetration tests tend to be list-orientated activities, typically following a set methodology. Red teaming, on the other hand, follows a goal-orientated approach by mimicking real-world threats and simulating attacks.

The role ultimately involves picking systems apart, prioritizing issues, and presenting these findings in a report for the client.


Typical work duties


The end goal for a Vulnerability Assessment Analyst is the vulnerability assessment or penetration testing report. This report will address key security vulnerabilities and misconfigurations detected by the assessment, and detail the effectiveness of security measures and architectures (such as the defence-in-depth architecture). They get to this point by searching and analyzing applications, systems and networks; the analyst must be incredibly thorough and thus should have a genuine interest in unpicking such infrastructure.


Specifically, a Vulnerability Assessment Analyst will find themselves carrying out the following duties:


  • Identifying exploitable flaws in applications and systems
  • Conducting vulnerability assessments for networks, applications and OS
  • Conducting network security audits and scanning on a predetermined basis
  • Using automated tools to identify vulnerabilities and reduce time wastage
  • Testing methods manually to understand the environment and reduce false negatives


What skills do Vulnerability Assessment Analysts need?


This role demands various skills, the most important of which are shown below:


  • Penetration testing
  • Social engineering
  • Threat-behaviour mimicry
  • Intrusion detection
  • Network analysis
  • Event log interpretation
  • Security framework knowledge


What traits are required to succeed in this role?


Personality is as important as skill – and this is true of all cybersecurity roles. Dr. Ryne Sherman, chief science officer at Hogan Assessments, says, “Traditional recruiting practices often overlook personality and focus on education, experience and a set of hard skills. While these are important, it is crucial to remember that personality characteristics play a huge role. A candidate with the suitable personality can be easily trained into the right role. This is especially true in the cybersecurity world, where companies struggle to find the experienced individuals they need.”

Below are some personality traits that will help a Vulnerability Assessment Analyst succeed:


  • Curious
  • Creative
  • Adventurous
  • Imaginative
  • Attentive
  • Articulate


What qualifications are required?


The primary requirement here is a sincere interest in hacking and cybersecurity. Some employers will desire a Bachelor’s degree in a related field, such as Computer Science, but this is not essential. Even for those with little relevant education, this career path is accessible with the right work experience (often cited as 2–3 years for entry-level roles).


I want to know more


At Immersive Labs we’ve mapped 700 of our labs to over 50 NICE cybersecurity roles in the entry, intermediate and advanced levels. Find out why and learn how the framework can help your organization by downloading our free eBook today.


Download our eBook on the NICE Cyber Security Workforce Framework


Learn how aligning cyber skills to the NICE Cyber Security Workforce Framework can help us reframe the skills gap and find the best talent.



Check Out Immersive Labs in the News.


March 2, 2020




Immersive Labs