选择你当前的职位

选择角色和级别——我们会展示成长路径、技能和差距分析。

发展路径

Junior

0-2 years

当前

职责: Выполнение задач под руководством старших коллег. Изучение кодовой базы, стандартов и процессов команды. Написание кода по спецификациям, исправление простых багов, написание тестов.

关键技能:

JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
RBAC / ABAC Authorization 需要
SAST/DAST 需要
Kubernetes Security 需要
Cloud Security 需要
Threat Modeling 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Vulnerability Management 需要

Middle

2-5 years

下一个

职责: Самостоятельная разработка фич от декомпозиции до деплоя. Участие в code review. Оптимизация производительности. Менторинг junior-разработчиков. Участие в архитектурных обсуждениях.

关键技能:

JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
RBAC / ABAC Authorization 需要
SAST/DAST 需要
Kubernetes Security 需要
Cloud Security 需要
Threat Modeling 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
Incident Response Process 需要
Network Security 需要
Dependency Vulnerability Scanning 需要
Vulnerability Management 需要

Senior

5-8 years

职责: Проектирование архитектуры компонентов и сервисов. Решение сложных технических проблем. Ведение технического долга. Code review как gatekeeper качества. Менторинг middle-разработчиков. Выбор технологий для новых задач.

关键技能:

Code Review 需要
Docker 需要
ELK Stack 需要
Git Advanced 需要
GitHub Copilot 需要
GraphQL Design 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
Rate Limiting & Throttling 需要
RBAC / ABAC Authorization 需要
REST API Design 需要
Runbook & Playbook Writing 需要
SAST/DAST 需要
Security Testing 需要
VPN & Network Isolation 需要
Algorithms & Complexity 需要
Async Programming 需要
Kubernetes Security 需要
Cloud Security 需要
Code Quality & Refactoring 需要
Multithreading 需要
Threat Modeling 需要
Network Fundamentals 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
OOP & SOLID Principles 需要
WebSocket API Design 需要
Incident Response Process 需要
Network Security 需要
Container Security Scanning 需要
Dependency Vulnerability Scanning 需要
Structured Logging 需要
Data Structures 需要
API Testing 需要
Vulnerability Management 需要

Lead / Staff

7-12 years

职责: Техническое лидерство команды или направления. Проектирование системной архитектуры. Координация с другими командами. Формирование стандартов и best practices. Участие в найме. Планирование технического roadmap.

关键技能:

Code Review 需要
Docker 需要
ELK Stack 需要
Git Advanced 需要
GitHub Copilot 需要
GraphQL Design 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
Rate Limiting & Throttling 需要
RBAC / ABAC Authorization 需要
REST API Design 需要
Runbook & Playbook Writing 需要
SAST/DAST 需要
Security Testing 需要
VPN & Network Isolation 需要
Algorithms & Complexity 需要
Async Programming 需要
Kubernetes Security 需要
Cloud Security 需要
Code Quality & Refactoring 需要
Multithreading 需要
Threat Modeling 需要
Network Fundamentals 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
OOP & SOLID Principles 需要
WebSocket API Design 需要
Incident Response Process 需要
Network Security 需要
Container Security Scanning 需要
Dependency Vulnerability Scanning 需要
Structured Logging 需要
Data Structures 需要
API Testing 需要
Vulnerability Management 需要

Principal

10+ years

职责: Техническая стратегия на уровне компании или домена. Кросс-организационное влияние. Решение системных проблем бизнеса через технологии. Менторинг lead-инженеров. Публичное представление компании.

关键技能:

Code Review 需要
Docker 需要
ELK Stack 需要
Git Advanced 需要
GitHub Copilot 需要
GraphQL Design 需要
JWT / OAuth2 / OIDC 需要
OWASP & Application Security 需要
Rate Limiting & Throttling 需要
RBAC / ABAC Authorization 需要
REST API Design 需要
Runbook & Playbook Writing 需要
SAST/DAST 需要
Security Testing 需要
VPN & Network Isolation 需要
Algorithms & Complexity 需要
Async Programming 需要
Kubernetes Security 需要
Cloud Security 需要
Code Quality & Refactoring 需要
Multithreading 需要
Threat Modeling 需要
Network Fundamentals 需要
Digital Forensics Basics 需要
Secure Coding Practices 需要
OOP & SOLID Principles 需要
WebSocket API Design 需要
Incident Response Process 需要
Network Security 需要
Container Security Scanning 需要
Dependency Vulnerability Scanning 需要
Structured Logging 需要
Data Structures 需要
API Testing 需要
Vulnerability Management 需要

差距分析:待发展的技能

要达到下一级别,你需要发展:

JWT / OAuth2 / OIDC

Conducts security testing of JWT/OAuth2 implementations: exploits JWT algorithm vulnerabilities, tests OAuth2 flows for CSRF and code interception, and identifies token leakage through side channels. Uses specialized tools (jwt_tool, OWASP ZAP) for automated authentication testing. Creates proof-of-concept exploits for identified vulnerabilities.

OWASP & Application Security

Applies OWASP Testing Guide methodology for web application penetration testing. Conducts security assessments identifying OWASP Top 10 vulnerabilities with manual exploitation techniques. Uses specialized tools (Burp Suite Professional, sqlmap, custom scripts) for deep vulnerability validation and proof-of-concept development.

RBAC / ABAC Authorization

Tests RBAC and ABAC implementations for privilege escalation and authorization bypass. Conducts penetration testing of access control mechanisms across application layers. Uses specialized tools to enumerate roles, permissions, and detect misconfigurations.

SAST/DAST

Uses DAST tools alongside manual penetration testing to discover runtime vulnerabilities. Validates SAST findings through exploitation to confirm real attack vectors. Integrates dynamic scanning into penetration testing workflows to maximize coverage of web application attack surfaces.

Kubernetes Security

Performs security assessments of Kubernetes clusters identifying misconfigurations in RBAC, network policies, and pod security. Uses tools like kube-hunter and kubeaudit to discover vulnerabilities. Tests container escape scenarios and lateral movement paths within cluster environments.

Cloud Security

Performs cloud penetration testing across AWS, Azure, and GCP environments. Conducts security reviews targeting IAM misconfigurations and exposed services. Uses cloud-specific exploitation tools and techniques to identify privilege escalation paths and data exfiltration vectors.

Threat Modeling

Independently applies threat modeling to identify attack surfaces before penetration testing engagements. Maps MITRE ATT&CK techniques to system components. Understands trade-offs between different attack paths and prioritizes testing efforts. Creates threat-informed test plans covering network, application, and social engineering vectors.

Digital Forensics Basics

Uses digital forensics fundamentals to document exploitation evidence during penetration tests. Captures system artifacts, file hashes, and timeline data to support findings. Analyzes disk images and memory snapshots to identify indicators of compromise and validate attack paths.

Secure Coding Practices

Applies secure coding knowledge in penetration testing — reviews source code to identify exploitation vectors, maps code weaknesses to MITRE ATT&CK techniques, and develops proof-of-concept exploits from code analysis. Uses SAST tools alongside manual code review to prioritize penetration testing targets.

Incident Response Process

Supports incident response by providing offensive security expertise during active incidents. Validates attack vectors and helps determine scope of compromise. Documents exploitation paths for post-incident analysis and contributes to lessons-learned reviews with remediation recommendations.

Network Security

Independently performs network penetration testing: conducts host discovery, service enumeration, and vulnerability scanning across subnets. Exploits misconfigured firewalls, weak VPN setups, and unpatched network services. Writes clear findings on network segmentation gaps and proposes remediation for IDS/IPS evasion techniques discovered during engagements.

Dependency Vulnerability Scanning

Uses dependency scanning results from Snyk, Grype, or OWASP Dependency-Check to identify attack vectors during penetration tests. Maps known CVEs in third-party libraries to practical exploit scenarios. Understands the difference between reachable and unreachable vulnerable code paths when prioritizing findings. Validates whether dependency vulnerabilities are exploitable in the application's specific deployment context.

Vulnerability Management

Discovers and validates vulnerabilities through penetration testing and exploitation. Assesses vulnerability severity using CVSS scoring and real-world exploitability analysis. Uses vulnerability management platforms to track findings and verify remediation effectiveness across tested systems.