Tags: career, penetration testing, industry

There Are Many More Pentesters Than Jobs

The number was always big enough to be its own argument.

Three and a half million. That was the figure — three and a half million unfilled cybersecurity jobs worldwide — and for years it moved through the industry with the force of settled fact, recycled at conferences and in congressional testimony, printed on university recruitment pages and stitched into the marketing copy of certification vendors, cited so often and by so many that questioning it felt almost ungrateful, like doubting the existence of opportunity itself. Sometimes the number was 4.8 million. Sometimes ISACA put it at 2.8 million. The precise figure didn't matter. What mattered was the message buried inside it: that the demand was bottomless, the industry desperate, and anyone willing to learn the craft would find a seat at the table.

And so they came — tens of thousands, then hundreds of thousands, then millions. Young people and career changers, veterans and self-taught hobbyists, all drawn by the promise that the cybersecurity industry needed them, was waiting for them, that all they had to do was grind hard enough and the doors would open.

The doors did not open.

I. The Umbrella

To understand why, you have to understand what the number actually measures. And what it doesn't.

ISC2's 2025 Cybersecurity Workforce Study surveyed more than 16,000 professionals across the globe and confirmed that 67% of organizations report staffing shortages, 36% experienced budget cuts, and 39% had implemented hiring freezes. Real numbers. Real pain. The cybersecurity workforce gap is not a fabrication. But the word cybersecurity, as it gets used in these reports and in the headlines they spawn, is not a job title. It's a category — a sprawling, ungainly umbrella stretched over disciplines so different from one another that they share little beyond a vague proximity to the idea of digital defense. The governance analyst drafting risk frameworks at a hospital and the red team operator writing custom C2 implants at a bank don't occupy the same labor market. They aren't competing for the same jobs. They don't face the same odds.

When someone says there are millions of unfilled cybersecurity positions, they're describing the entire umbrella. But the young person on TryHackMe at two in the morning, teaching herself to exploit Active Directory misconfigurations — she's not aiming for the umbrella. She's aiming for one narrow, brutally competitive corner of it.

And in that corner, the numbers tell a different story entirely.

II. Counting

In February 2026, a survey of the major American job boards turns up roughly 700 to 1,500 dedicated penetration testing and red team positions across the entire country. Portland, Maine, to Portland, Oregon. Not 700,000. Not 70,000. Seven hundred to fifteen hundred.

The boards show for penetration testers:

Red teaming — the more specialized discipline, simulating real adversaries against real enterprise defenses — is thinner still:

  • Indeed: ~480 "Red Team" jobs, many requiring TS/SCI clearances
  • LinkedIn: ~846 "Red Teaming" jobs nationwide
  • Indeed: ~127 "Red Team Operator" results, concentrated so heavily in the Washington–Northern Virginia defense corridor — Fort Belvoir, Chantilly, McLean, Beltsville, Norfolk — that the map looks less like a national labor market than a commuter route along the Dulles Toll Road

Expand the search to adjacent titles — "Offensive Security Engineer," "Application Security Consultant," roles where pentesting is one duty among several — and the count stretches to maybe 6,000 or 23,000, depending on how generous you're feeling with the category. But the dedicated, titled offensive security role? CyberSeek recorded 4,666 job postings for "Penetration & Vulnerability Tester" across a full twelve-month window, May 2024 to April 2025.

Four thousand six hundred and sixty-six. In twelve months. The entire United States.

For context: the Bureau of Labor Statistics projects 124,200 annual openings for accountants and auditors — a profession nobody has ever called exciting. Robert Half tallied 819,300 finance and accounting job postings in 2025 alone, with 231,000 in general accounting. The entire annual output of pentest job postings in America wouldn't fill a mid-sized accounting firm's hiring pipeline for a quarter.

Now consider who's competing for them.

III. The Flood

TryHackMe — the beginner-friendly platform where most people take their first steps into offensive security — crossed four million users in December 2024 and hit six million by October 2025. Six million accounts on one platform, with the Jr Penetration Tester and Offensive Pentesting learning paths among the most popular tracks.

HackTheBox, the harder platform that serious practitioners gravitate toward, passed two million users in mid-2023. It had grown from 700,000 in May 2021 to a million by that November to two million by June 2023, and it raised $55 million in venture capital in early 2023. Its CPTS and CBBH certifications have become standard fixtures on aspiring pentesters' resumes. And if you want a single image that captures the state of this market more honestly than any workforce study ever has, go visit HackTheBox's own job board. As of February 2026, it lists sixteen penetration testing positions — many of them three and four years old, from companies like r-tec IT Security GmbH and AWS, scattered across Germany and Italy and the United States, stale postings on a dead page. This is the job board of the platform that trained two million people to hack. Sixteen listings. Most of them dead.

Between just these two platforms — leaving aside every university cybersecurity program, every SANS course, every OffSec cert, every bootcamp, the entire military-to-cyber pipeline — eight million people have registered to train. Not all are job-seeking. Not all are American. A lot of them are students, hobbyists, IT people dabbling. But even the most conservative estimate — one in ten seriously pursuing an offensive security career — gives you 800,000 aspirants chasing fewer than 5,000 annual openings.

The arithmetic is merciless. It has always been merciless. Nobody in the industry wanted to talk about it.

IV. The Jobs That Actually Exist

Here is what makes the arithmetic not just discouraging but, if you look at it from a certain angle, dishonest: the vast majority of cybersecurity jobs — the ones that actually make up those millions of unfilled positions in the headline — have nothing to do with offensive security. Nothing whatsoever.

Platforms like HackTheBox and TryHackMe and OffSec built their brands, and their revenue, around the romance of penetration testing, red teaming, capture-the-flag competition. That's what draws subscribers. That's what fills Discord servers. That's what makes cybersecurity feel exciting and dangerous and worth giving up your evenings and weekends and dropping money on exam fees. But the cybersecurity labor market — the real one, with tens of thousands of open positions and genuine chronic understaffing — is dominated by work most aspiring hackers haven't considered and wouldn't find glamorous.

Governance, risk, and compliance analysts. Third-party vendor risk managers. Data loss prevention engineers. IAM administrators. SOC analysts pulling the night shift, triaging alerts. Compliance officers mapping controls to SOC 2, ISO 27001, HIPAA, PCI-DSS — acronyms that don't carry the poetry of "red team."

ISC2 recently surveyed GRC professionals and found organizations consider these roles "more strategic and valuable" than ever, driven by tightening regulations, expanding cloud adoption, and the metastasizing complexity of supply chain risk — supply chain breaches went from 4% in 2020 to 15% in 2024, spawning an entire category of third-party risk management work that barely existed ten years ago. Search LinkedIn for "GRC cybersecurity" or "third party risk" and the results number in the tens of thousands. GRC specialists pull a median of $95,000 to $153,000 depending on seniority. The positions exist in every major metro and increasingly remote. And they are chronically understaffed — because everyone who got into cybersecurity through a hacking platform wants to be a pentester, not the person reviewing vendor security questionnaires.

The irony isn't subtle. The training pipeline that funnels people toward the thinnest slice of the job market is itself making the shortage worse in the roles where actual demand exists.

And here's the trap that closes on the aspiring pentester from both sides: those adjacent roles aren't actually adjacent. Not in practice. The well-meaning advice — "just apply for Security Engineer or AppSec Consultant positions, the skills transfer" — falls apart on contact with reality. The person who spent two years mastering AD exploitation, writing custom Cobalt Strike malleable C2 profiles, chaining together privesc techniques on HackTheBox — they've built a genuinely impressive skill set. But it's a narrow one, and the roles everyone tells them to pivot toward demand something completely different.

The Security Engineer posting wants SIEM experience — Splunk, Sentinel, Chronicle — platforms the offensive specialist has never administered. It wants network architecture knowledge: segmentation, firewall rule sets, proxy configs, DNS security, zero-trust design. The pentester knows how to abuse these systems. Building and maintaining them is a different job. The AppSec Consultant role needs familiarity with secure SDLC, SAST/DAST pipelines, threat modeling like STRIDE and PASTA, and the ability to sit in a developer's sprint planning meeting and explain why their auth flow is broken — not by exploiting it, but by reading the code and the architecture diagrams. The SOC Analyst position means shift work triaging alerts from EDR and IDS platforms the offensive professional has only ever tried to evade.

These aren't trivial gaps. In most cases they represent years of professional experience you can't fake with a TryHackMe badge or a weekend home lab. The offensive security professional and the defensive security engineer have spent years looking at the same systems from opposite sides of the glass, and crossing over isn't a lateral step — it's closer to a second apprenticeship. The aspiring pentester discovers, eventually, that the broader cybersecurity job market — the one with all those tens of thousands of openings — isn't actually open to them. Not without starting over. Not without building, from scratch, the operational knowledge that comes from years of defending production environments instead of attacking simulated ones.

I know this because it happened to me. I came into my first offensive security role with what I thought was a solid foundation in web application testing. I'd put in the hours. I'd done the labs. I could find my way around Burp Suite with my eyes closed. And then I got feedback from management that forced me to sit with something uncomfortable: my web app hacking skills, the thing I'd spent all that time sharpening, were niche. Genuinely niche. The team needed someone who could also think about network segmentation, cloud misconfigurations, Active Directory attack paths, detection engineering — the whole sprawling landscape of enterprise security that doesn't fit inside a Burp Suite window. I had to go back and learn things I'd skipped over because the training pipeline had told me, implicitly, that hacking web apps was the destination. It wasn't. It was one room in a very large building, and I'd walked in thinking it was the whole house.

My current role demands that breadth. It demands the stuff nobody puts on a TryHackMe learning path — understanding how a SOC triages the alerts your attack generates, knowing what a detection engineer sees when you run your tooling, being able to sit in a purple team debrief and talk about both sides of the engagement. I got lucky. I landed somewhere that gave me the time and space to grow into it. A lot of people don't get that chance.

V. The Number Disappears

In December 2025, something quietly remarkable happened. ISC2 — the organization behind the CISSP, the most widely recognized certification in the field, and the publisher of the annual workforce study that had for years supplied the industry's most-cited shortage figures — stopped publishing its workforce gap number. First time in the study's history. The gap just vanished from the report.

The explanation, buried in the methodology, was revealing. Respondents, ISC2 said, had "highlighted that the need for critical skills within the workforce is outweighing the need to increase headcount." Organizations weren't saying we need more people anymore. They were saying we need different skills from the people we already have. The problem had shifted — from a hiring crisis to a training and retention problem — and the old number, however useful it had been for fundraising and marketing and testimony before congressional committees, could no longer be defended with a straight face.

CISA's own Klint Walker had already said the quiet part aloud. The worker shortage, he told an audience in Atlanta, was "largely a myth fed by multiple factors, including inadequate salaries, undesirable job locations, and the demands of some jobs." Organizations posted roles asking for five-plus years of experience, a tower of certifications, clearance eligibility, willingness to relocate to some place nobody wants to live — then offered $95,000 in a market where comparable technical skills pull $150,000 or more in software engineering. When nobody applied, they reported the position as "unfilled." And the unfilled position became part of the workforce gap statistic. And the statistic became part of the pitch. And the pitch became the reason another hundred thousand people signed up for TryHackMe.

The real shortage, as one industry analyst observed, was for cybersecurity unicorns — people with a degree and every certification and years of experience who'd accept less than they were worth. Those people were in short supply.

They always would be.

VI. Three Forces Eating from Below

Beneath even this shrunken market, three structural forces were steadily consuming what remained.

The first was Penetration Testing as a Service. Platforms like Cobalt, BreachLock, Bugcrowd, HackerOne, and Synack had built marketplace models where a relatively small pool of testers, spread across the globe, could serve a huge number of clients. A traditional consulting firm might put two pentesters on a single client for two weeks. A PTaaS platform distributed the same work across freelancers in a dozen countries, usually at dramatically lower cost. BreachLock offered annual PTaaS starting at $2,500 to $5,000. A traditional American boutique firm charged $75,000 to $200,000 or more for comparable scope. The compliance-driven pentest — highest-volume engagement type, done to satisfy an auditor rather than find real adversaries — was turning into a subscription product. The platforms drew heavily on testers in developing countries; one well-known vendor acknowledged that 70% of its crowdsourced pentesters worked day jobs elsewhere.

The second force was plain offshoring. India alone had dozens of established pentest firms marketing aggressively to American clients at prices 80% below domestic rates. Some US-based vendors quietly subcontracted offshore without telling the client during the sales process. The work that went overseas first — routine, methodology-driven compliance assessments — was precisely the work that used to serve as the on-ramp for junior American pentesters. The entry-level engagement where you learned your trade.

The third was automation. AI-enhanced DAST tools and automated recon platforms were getting steadily better at catching the low-hanging vulnerabilities that once justified billable hours. Nobody was replacing a skilled human pentester with a scanner — not yet. But the scanners were compressing how much human time each engagement required. Fewer hours billed. Fewer testers needed. Fewer jobs.

The net effect: the bottom tier of pentest work — rote compliance assessments, quarterly external scans, the annual PCI pentest — was getting pulled out from under the domestic labor market entirely. What survived were roles that couldn't be offshored, automated, or crowdsourced: internal red teams at major enterprises, adversary simulation, purple teaming, custom exploit development, physical security testing, and client-facing senior consulting where you had to stand in front of a board of directors and explain what you found.

The entry-level on-ramp was collapsing. The training pipeline was flooding. Both at the same time.

VII. Who Benefits

It's worth asking — you always have to ask, when a statistic gets repeated enough to become a slogan — who benefits from the repetition.

Certification vendors sell more exams when people believe a guaranteed job sits at the end of the study guide. The workforce study producing the "millions unfilled" headline? Published by ISC2, the same organization selling the CISSP. The training platforms grow their user bases on career outcome promises; when your platform has six million users and the annual job postings in the target field number in the low thousands, what you've got isn't a pipeline. It's a funnel with no bottom. Universities and bootcamps launched hundreds of cybersecurity programs over the past decade, all citing the workforce gap. The government cites the gap to justify CISA and NICE funding — even as the Trump administration, in 2025, drove roughly 1,000 employees out of CISA, including about 200 from its Cybersecurity Division, through buyouts and early retirements and layoffs.

None of these actors is lying, exactly. Each one is telling the portion of the truth that serves its purposes.

VIII. The Uncomfortable Center

So here we are, at the uncomfortable center of the thing.

There is genuine demand for senior offensive security professionals — people with five-plus years of hands-on experience, meaningful findings on their record, the ability to build custom tooling, the communication skills to translate technical risk into language a board can act on. That demand has, if anything, grown as the commodity work migrates offshore. But for entry-level and junior pentesting roles? The market isn't just competitive. By any honest accounting, it's saturated.

The OSCP — once the gold standard that set you apart — has become a baseline. A minimum filter. It gets your resume past the automated screening. It won't differentiate you from the other two hundred applicants who hold the same cert. To land even an interview, you now need a technical blog with original research, meaningful open-source contributions on GitHub, published CVEs, not one but a whole stack of certifications — OSCP, CPTS, CRTO, PNPT, the alphabet growing every year — and ideally a YouTube channel or conference talks proving you can communicate.

Think about what that list of requirements actually tells you.

In what field suffering a genuine labor shortage do candidates need to build a personal brand just to get a phone screen? What industry with millions of unfilled positions demands a public portfolio of original research, a GitHub profile showing tool development chops, published vulnerability discoveries, a social media presence — all before the candidate has held their first professional role? That isn't what a talent shortage looks like. That's a buyer's market — one where employers hold every advantage because the supply of willing labor so massively exceeds available positions that being picky costs them nothing.

If millions of offensive security jobs were really going begging, companies would hire people with a Security+ and train them. Instead they're filtering out applicants holding multiple advanced certs because those applicants lack "three to five years of professional pentesting experience." The credential inflation — this steadily rising tower of qualifications demanded for jobs that didn't exist fifteen years ago — tells you everything about the real supply-and-demand picture in offensive security.

When ISC2 respondents say they need skills, they mean AI security, cloud security, incident response, risk management. Penetration testing and red teaming together make up a sliver of the total cybersecurity workforce — CyberSeek counts roughly 4,600 pentest openings and a few hundred dedicated red team roles against more than 514,000 total cybersecurity job postings nationwide. Less than 1%, combined. The gap is in defenders, architects, engineers. Not attackers.

The 2025 ISC2 study found 26% of respondents predicted more layoffs in the coming year. Thirty-three percent said their organizations simply didn't have the budget to hire. The global cybersecurity workforce had flatlined at 5.5 million — 0.1% growth since 2023. This was not the profile of an industry desperate to hire anyone with a pulse and a Security+.

IX. Open Eyes

There are cybersecurity jobs. There are even penetration testing jobs. But "4.8 million unfilled positions" and "you'll get hired as a pentester if you finish these courses" are two entirely different claims, and the industry has been allowed to blur them together for years — allowed because the blurring serves so many interests at once, because no single actor bears full responsibility, because the people absorbing the message are in no position to check it against the data until they've already sunk the time and the money and the hope.

If you're going to pursue offensive security — and it is a genuinely rewarding career, work that's intellectually demanding and creatively satisfying in ways few other jobs can match — then go in with your eyes open. Know you're entering one of the most competitive niches in an already competitive field. Know that the training platforms have millions of users and the job postings number in the low thousands. Know that the geography is concentrated, that clearance requirements will lock you out of big chunks of the market, that the experience bar keeps rising even as the entry-level paths narrow.

And know that when someone tells you there are millions of unfilled cybersecurity jobs, they're talking about a category so broad it's practically meaningless — and the specific, exacting slice you're actually targeting is far smaller than anyone with something to sell you wants to admit.


Derek Martin is a Red Team Analyst at a major global financial institution and holds the OSCP+, CISSP, and CPTS certifications. The views expressed here are his own.