Role Definition
| Field | Value |
|---|---|
| Job Title | Cyber Security Analyst |
| Seniority Level | Mid-Level (2-5 years) |
| Primary Function | The generalist defensive security role — monitors SIEM alerts, runs vulnerability scans, reviews compliance posture, handles basic incident response, manages firewall rules, and delivers user awareness training. The "security person" on a small-to-medium team who does a bit of everything rather than specialising. 28,834 US job openings — the highest-volume cybersecurity title. |
| What This Role Is NOT | Not a SOC Analyst (dedicated to a SOC with tiered escalation — scored separately at T1: 1.55, T2: 3.35). Not a GRC/Compliance Analyst (dedicated to compliance frameworks — scored 2.05). Not a Threat Intelligence Analyst (dedicated to threat research — scored 2.70). Not a Security Engineer (builds/implements security systems rather than monitoring them). This is the generalist who touches all of those domains without specialising in any. |
| Typical Experience | 2-5 years. Certifications: Security+, GSEC, CySA+, sometimes CISSP. Bachelor's degree preferred (73% of postings). Previous roles: help desk, junior analyst, IT support. |
Seniority note: Junior/entry-level analysts doing primarily alert triage would score Red (closer to SOC T1 at 1.55). Senior analysts who have specialised into threat hunting, architecture, or management escape to Yellow-Green territory (3.0-3.35).
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully remote-capable. No physical component. |
| Deep Interpersonal Connection | 1 | Some user interaction — security awareness training, answering ad-hoc queries from business teams, occasional vendor calls. But not relationship-driven. |
| Goal-Setting & Moral Judgment | 1 | Makes escalation and prioritisation decisions within established frameworks. Decides whether to escalate alerts, which vulnerabilities to prioritise. But these are structured decisions, not novel judgment calls. |
| Protective Total | 2/9 | |
| AI Growth Correlation | 0 | AI adoption increases the attack surface (more systems to protect) but simultaneously automates the generalist's core tasks (SIEM triage, vuln scanning, compliance mapping). Net wash — demand grows but the role's task mix is exactly what AI tools target. |
Quick screen result: Protective 2 + Correlation 0 = Yellow signal (low human protection, no AI demand uplift).
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Vulnerability scanning & management | 20% | 5 | 1.00 | DISPLACEMENT | Tenable, Qualys, CrowdStrike Falcon Exposure Management — fully automated scanning, prioritisation, and remediation ticketing. AI generates risk-ranked reports end-to-end. The output IS the deliverable. Human adds nothing to the scan-and-prioritise cycle. |
| SIEM monitoring & alert triage | 15% | 4 | 0.60 | DISPLACEMENT | Microsoft Copilot for Security, Splunk AI Assistant, Google SecOps AI — AI correlates alerts, triages false positives, and generates investigation summaries. The generalist doing L1+L2 triage is directly displaced. Gartner projects 50% reduction in entry-level triage needs by 2028. |
| Incident response (basic) | 10% | 3 | 0.30 | AUGMENTATION | Playbook-driven IR (containment, notification, documentation) is partially automated by SOAR platforms. But judgment calls during live incidents — when to escalate, when to invoke business continuity, how to communicate with stakeholders — remain human. Score 3: routine response automated, judgment-intensive response human. |
| Policy & compliance reviews | 10% | 3 | 0.30 | DISPLACEMENT | AI maps controls to frameworks (ISO 27001, NIST CSF, SOC 2), identifies gaps, drafts remediation plans. The routine compliance check cycle is automated. Human reviews AI output for context-specific exceptions. Displacement dominant for the mapping; human for the exceptions. |
| Firewall/network security management | 10% | 3 | 0.30 | AUGMENTATION | AI analyses firewall rules, identifies redundancies, flags risky configurations. But changes to production network security require human approval and context understanding. Augmentation: AI recommends, human decides and implements. |
| Reporting & security metrics | 10% | 4 | 0.40 | DISPLACEMENT | Monthly security reports, KPI dashboards, executive summaries — AI generates 80%+ from SIEM/vuln data. The analyst adds narrative context but the data aggregation and visualisation is fully automated. |
| Security assessments & risk reviews | 10% | 2 | 0.20 | AUGMENTATION | Evaluating new systems, vendor questionnaires, control assessments. Requires understanding business context, asking probing questions, making risk judgments. AI assists with checklists and benchmarks; human drives the assessment. |
| User security awareness | 5% | 2 | 0.10 | AUGMENTATION | Phishing simulation programs, awareness campaigns, ad-hoc user guidance. Human interaction component. AI generates phishing content; human manages the program and handles face-to-face training. |
| Vendor & third-party risk | 5% | 2 | 0.10 | AUGMENTATION | Reviewing vendor security postures, SLA compliance, risk questionnaires. Relationship management and contextual judgment. AI pre-fills assessments; human validates and negotiates. |
| Ad-hoc security guidance | 5% | 1 | 0.05 | NOT INVOLVED | Answering team queries, advising on security decisions, being the "go-to security person." Human interaction, trust, institutional knowledge. |
| Total | 100% | | 3.35 | | |
Task Resistance Score: 6.00 - 3.35 = 2.65/5.0
Displacement/Augmentation split: 55% displacement, 40% augmentation, 5% not involved.
Reinstatement check (Acemoglu): Marginal. Some new tasks emerge — managing AI security tools, tuning AI detection models, validating AI-generated security recommendations — but these are adaptations of existing tasks, not genuinely new work. The generalist becomes an "AI tool manager" rather than a hands-on analyst, which is transformation rather than reinstatement.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 0 | BLS projects 33% growth for "information security analysts" through 2033 — but this covers the entire category including specialists. The generalist title "cybersecurity analyst" remains high-volume (28,834 US openings) but increasingly restructured into specialist roles. Stable volume masks compositional shift. |
| Company Actions | -1 | Enterprises consolidating generalist teams into specialist functions (dedicated SOC, GRC, engineering). SMBs adopting MSSPs (Managed Security Service Providers) that reduce in-house generalist headcount. The "security team of generalists" model is being replaced by "fewer specialists + AI tools + MSSP." |
| Wage Trends | 0 | Robert Half 2026: $122,250 midpoint for cybersecurity analyst. Stable but growing slower than specialist roles (security architect $157K, security engineer $144K). Security+ holders face supply-side pressure — abundant candidates at the generalist level. |
| AI Tool Maturity | -2 | Every major tool in the generalist's stack now has AI automation: Microsoft Copilot for Security (SIEM+IR), Splunk AI Assistant (log analysis), Tenable AI (vuln management), Vanta/Drata (compliance automation). The convergence of SIEM + SOAR + vulnerability management + compliance automation targets exactly this role's task mix. Most mature AI tooling in defensive security. |
| Expert Consensus | -1 | Broad agreement that the generalist blue-team analyst is the most vulnerable defensive security role. Gartner projects 50% reduction in entry-level needs by 2028. Solutions Review, DarkReading, and industry analysts position the generalist as transitioning to "decision supervisor" for AI outputs — a fundamentally different and smaller role. |
| Total | -4 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 1 | HIPAA requires a named security official, PCI DSS requires information-security responsibility to be formally assigned to an executive, and GDPR requires a Data Protection Officer for some organisations; SOX drives IT general-control testing rather than naming a security role. Some frameworks also mandate human review of specific controls. But the generalist analyst isn't usually the designated compliance officer; that's a separate role (Compliance Manager, 3.70 Green). Weak regulatory protection. |
| Physical Presence | 0 | Fully remote-capable. No physical component. |
| Union/Collective Bargaining | 0 | Tech sector, at-will employment. |
| Liability/Accountability | 1 | Incident response decisions carry accountability — containment, escalation, breach notification triggers. But mid-level analysts escalate to management for consequential decisions. The accountability sits with the CISO/security manager, not the analyst. Partial protection. |
| Cultural/Ethical | 1 | Companies — especially SMBs — want "a security person" they can talk to. The human security advisor is culturally valued. But MSSPs and AI dashboards are eroding this preference. Weakening barrier. |
| Total | 3/10 | |
AI Growth Correlation Check
Confirmed at 0 (Neutral). AI drives demand for security (more systems, more threats, more compliance requirements) but simultaneously automates the generalist's core tasks. The net effect is neutral: security spending grows, but spending on generalist analysts does not grow proportionally. Investment shifts to AI tools, specialist roles, and MSSPs.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 2.65/5.0 |
| Evidence Modifier | 1.0 + (-4 × 0.04) = 0.84 |
| Barrier Modifier | 1.0 + (3 × 0.02) = 1.06 |
| Growth Modifier | 1.0 + (0 × 0.05) = 1.00 |
Raw: 2.65 × 0.84 × 1.06 × 1.00 = 2.3596
JobZone Score: (2.3596 - 0.54) / 7.93 × 100 = 22.9/100
Zone: RED (Green ≥48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 75% |
| AI Growth Correlation | 0 |
| Sub-label | Red — Does not meet all three Imminent conditions |
Assessor override: None — formula score accepted.
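The arithmetic above, as an added worked example (not part of the original assessment): a small Python script that rebuilds the task-weighted score, the resistance score, the three modifiers and the final JobZone score from the tables on this page, so every number can be checked. The task list, weights, modifier coefficients and zone thresholds are copied from the tables; the 0.54 / 7.93 normalisation pair is used exactly as printed, and reading it as a fixed offset and range is an assumption, since the page does not say how it was derived.

```python
"""Reproduce the AIJRI scoring arithmetic for the Cyber Security Analyst page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    time_pct: int   # share of the analyst's time, in percent
    ai_score: int   # 1 (AI not involved) .. 5 (fully automatable)
    mode: str       # "DISPLACEMENT", "AUGMENTATION" or "NOT INVOLVED"


# Task decomposition table, copied from the page.
TASKS = [
    Task("Vulnerability scanning & management", 20, 5, "DISPLACEMENT"),
    Task("SIEM monitoring & alert triage", 15, 4, "DISPLACEMENT"),
    Task("Incident response (basic)", 10, 3, "AUGMENTATION"),
    Task("Policy & compliance reviews", 10, 3, "DISPLACEMENT"),
    Task("Firewall/network security management", 10, 3, "AUGMENTATION"),
    Task("Reporting & security metrics", 10, 4, "DISPLACEMENT"),
    Task("Security assessments & risk reviews", 10, 2, "AUGMENTATION"),
    Task("User security awareness", 5, 2, "AUGMENTATION"),
    Task("Vendor & third-party risk", 5, 2, "AUGMENTATION"),
    Task("Ad-hoc security guidance", 5, 1, "NOT INVOLVED"),
]

# Modifier coefficients and zone cut-offs as printed on the page.
EVIDENCE_WEIGHT = 0.04   # per evidence point (-10..10)
BARRIER_WEIGHT = 0.02    # per barrier point (0..10)
GROWTH_WEIGHT = 0.05     # per growth-correlation point
# Assumption: 0.54 is a fixed offset and 7.93 a fixed range; the page only
# shows them inside the formula, not where they come from.
NORM_OFFSET = 0.54
NORM_RANGE = 7.93
ZONES = ((48.0, "Green"), (25.0, "Yellow"), (0.0, "Red"))


def weighted_task_score(tasks):
    """Sum of score x time share; this is the 'Total' row of the task table."""
    if sum(t.time_pct for t in tasks) != 100:
        raise ValueError("task time shares must sum to 100%")
    return sum(t.ai_score * t.time_pct / 100 for t in tasks)


def task_resistance(tasks):
    """Page formula: 6.00 - weighted score, so 1..5 maps to 5..1."""
    return 6.0 - weighted_task_score(tasks)


def mode_split(tasks):
    """Percent of time in each displacement/augmentation bucket."""
    split = {}
    for t in tasks:
        split[t.mode] = split.get(t.mode, 0) + t.time_pct
    return split


def pct_time_scoring_at_least(tasks, threshold=3):
    """Sub-label input: share of time on tasks scoring >= threshold."""
    return sum(t.time_pct for t in tasks if t.ai_score >= threshold)


def jobzone_score(tasks, evidence, barrier, growth):
    """Return (raw composite, normalised 0-100 JobZone score)."""
    raw = (task_resistance(tasks)
           * (1.0 + evidence * EVIDENCE_WEIGHT)
           * (1.0 + barrier * BARRIER_WEIGHT)
           * (1.0 + growth * GROWTH_WEIGHT))
    return raw, (raw - NORM_OFFSET) / NORM_RANGE * 100


def zone_for(score):
    """Green >= 48, Yellow 25-47, Red < 25."""
    for floor, label in ZONES:
        if score >= floor:
            return label
    return "Red"


if __name__ == "__main__":
    raw, score = jobzone_score(TASKS, evidence=-4, barrier=3, growth=0)
    print(f"weighted task score : {weighted_task_score(TASKS):.2f}")
    print(f"task resistance     : {task_resistance(TASKS):.2f}")
    print(f"time split          : {mode_split(TASKS)}")
    print(f"time scoring 3+     : {pct_time_scoring_at_least(TASKS)}%")
    print(f"raw composite       : {raw:.4f}")
    print(f"JobZone score       : {score:.1f} -> {zone_for(score)}")
```

Changing a single row in `TASKS` (say, re-scoring SIEM triage from 4 to 3) and re-running shows how sensitive the final zone is to one judgment call in the task table, which is the part of the model an assessor actually controls.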
Assessor Commentary
Score vs Reality Check
The 2.65 places Cyber Security Analyst just above Cloud Engineer (2.60) and just below Truck Driver (2.70), well clear of Frontend Developer (2.35), which is well-calibrated. The evidence score (-4) is the most negative in the cybersecurity cohort, reflecting that this generalist role sits at the intersection of every AI automation trend in defensive security. The low barriers (3/10) provide minimal structural protection. This is the weakest role in the cybersecurity cohort: now classified Red, which the low barriers and negative evidence confirm.
What the Numbers Don't Capture
- The small-team survival effect. A solo security practitioner at an SMB (50-500 employees) is harder to replace than the score suggests. They're the institutional memory, the trusted advisor, the person who knows where the bodies are buried. AI can't replace that organisational context. But this is a sub-population effect — on larger teams, generalists are displaced.
- The MSSP compression. MSSPs offering 24/7 AI-augmented monitoring for $5K-$15K/month directly compete with in-house generalist analysts earning $100K+. This economic pressure accelerates displacement independent of AI capability — it's the delivery model, not just the technology.
- The "cybersecurity analyst" title problem. 28,834 US job openings masks enormous variation. Some "cybersecurity analyst" postings are really SOC analysts, some are GRC analysts, some are junior security engineers. The title is so broad that market data is unreliable for this specific generalist definition.
Who Should Worry (and Who Shouldn't)
Safer than the score suggests: The sole security practitioner on a small team who combines technical monitoring with business advisory, user training, and vendor management. Your breadth IS your protection — no single AI tool replaces the whole package, and your company can't afford specialists. Lean into the advisory and relationship aspects.
More at risk than the score suggests: The generalist on a 5+ person security team at a mid-to-large enterprise. Your team is being restructured into specialist functions. The tasks you do "a bit of" are each being done better by AI + a specialist. You need to pick a lane and specialise — fast.
The single biggest separator: whether you manage AI tools or compete with them. The analyst who becomes the "AI security operations manager" — tuning Copilot for Security, validating AI recommendations, designing AI-augmented workflows — survives. The analyst still manually triaging alerts and running scans is doing work the tools already do better.
What This Means
The role in 2028: The "cybersecurity analyst" title persists but describes a fundamentally different job. On small teams, it becomes the AI-augmented security generalist — managing a portfolio of AI tools, validating their outputs, and providing human judgment for escalation and business context. On large teams, the title disappears into specialist roles (SOC analyst, GRC analyst, security engineer) each augmented by AI.
Survival strategy:
- Specialise or become the AI operations layer. Pick one domain (threat hunting, cloud security, compliance automation) and go deep, or become the person who manages and optimises the AI security stack. The middle ground — generalist who touches everything manually — is being eliminated.
- Build business advisory skills. The surviving generalist is the one who translates security into business risk for non-technical stakeholders. CySA+/CISSP + communication skills > Security+ + more technical tools.
- Learn AI security tooling hands-on. Microsoft Copilot for Security, Splunk AI, automated compliance platforms (Vanta, Drata). The tools replacing your manual work are the same tools that define your next role.
Where to look next. If you're considering a career shift, these Green Zone roles share transferable skills with this role:
- Digital Forensics Analyst (AIJRI 61.1) — Investigation methodology and evidence analysis skills transfer directly to digital forensics
- Malware Analyst / Reverse Engineer (AIJRI 54.4) — Threat analysis and incident investigation experience map to dedicated malware reverse engineering
- SOC Manager (AIJRI 61.8) — Security monitoring experience and analyst perspective inform SOC leadership and operations management
Browse all scored roles at jobzonerisk.com to find the right fit for your skills and interests.
Timeline: 2-4 years. The fastest transformation timeline in the cybersecurity cohort. AI tool maturity is already here — the displacement is happening now, not theoretically.