I had planned to write this up since the start of the job search, since it has always felt labor solidarity focused when others have done it, so here’s my contribution. Even outside of that, the most common conversation I’ve had with colleagues past and present over the last few months has been about the state of the job market in cybersecurity. It comes up constantly, especially with other federal employees who are similarly weighing their options and thinking about making a move. The uncertainty, the volume of applications, and the lack of feedback are nearly universal themes.
Because of that, I decided to write this post. Over the past six months, I tracked my own job search in detail: every application, every rejection, every interview. From mid-January when I started applying in earnest, to late July, when I finally received an offer, I submitted 339 applications. What happened to all of them tells a story not just about my own search, but about the hiring landscape that so many of us are facing right now. This post is specifically geared towards folks working in cyber, located in the United States, and particularly cyber professionals working in or in support of the federal government as a means of contextualizing the cyber job market in 2025 and what you might be experiencing yourself, or what you have to look forward to.
Background
I left the federal government earlier this year after five years at DHS and a prior 10 years of mixed federal service and contracting within DoD. My first applications were sent January 20th (Inauguration Day, lol). This was purposeful. Following the election, not only did this feel like the moral and ethical decision to make, but I also had the self-serving concern that the longer I stayed, I feared that the more toxic my background might appear to potential employers. I felt it necessary to demonstrate on my resume that I left so I would not implicitly appear complacent or supporting of whatever was to come. This ended up being pretty prescient (though it wouldn’t have taken a clairvoyant to predict it). Illegal usage of the Alien Enemies Act without due process, deportation and illegal arrest of US citizens, detention based on physical appearance, literally resurrecting the remains of Japanese internment for usage as modern concentration camps. Anyway..
On January 28th 2025, the questionably created DOGE sent its first “Fork in the Road” email, announcing the Deferred Resignation Program (DRP). I pursued it heavily, as at this point I was going to leave – deal or no deal. At first, I was told I would not be eligible as mission-critical, but that eventually changed. Maybe not enough people were taking it, maybe somebody upstairs pushed some paper for me. I was unceremoniously kicked out February 28th. By then I had already applied to 138 jobs.
The Data
I should start by illustrating the initial dataset. With 15 years of SOC experience, an MBA and master’s in cybersecurity, and a PhD in cyber defense, I was extremely picky. I focused only on roles that matched my background and career stage. That meant senior or principal-level positions that required technical chops, leadership experience, or some combination of both. I was also only interested in remote work, which narrowed the field even further. So while the number of applications looks high, each one was deliberate. I was targeting roles I could realistically see myself in, not just sending resumes into the void. I set hard limits on salary range and would withdraw immediately if the pay communicated to me was lower than said range. Anecdotally, I think this probably put me at a disadvantage. Remote roles had me competing against applicants in geographic areas with lower costs of living. I live in a pretty high one. I suspect this limited me further.
I think it’s also worth noting that accepting the DRP, with its pay through the end of September, also enabled this approach. I’ll touch on this further later, but this is not something very many can afford to do. In fact, 6 or 7 stage interview pipelines are arguably impossible for many working in secure facilities – but I digress. Let’s get into the data.
| The Big Sankey |
The Numbers
The Sankey basically speaks for itself. It shows the full funnel, from submission to outcome.
Here’s how the 339 applications broke down:
- 237 auto-rejected (~70%)
Most applications never reached a person. This reflects the reality of Applicant Tracking Systems (ATS) and automated screening filters. Even with a strong resume, the majority of submissions were stopped at the gate. - 80 ghosted (~24%)
Nearly one in four applications ended without a response. No rejection, no feedback, just silence. This became so common that I started to expect it, but it doesn’t make it any less discouraging. - 26 first-round interviews (~7.7%)
About one in every thirteen applications resulted in an initial conversation. From there, the funnel narrowed quickly:- 19 second-rounds
- 7 third-rounds
- 6 fourth-rounds
- 5 fifth-rounds
- 3 sixth-rounds
- 3 withdrawals
In a few cases I stepped back myself, but I should note this was explicitly after I had accepted the one job offer. - 18 rejections
Explicit “no’s” after one or more rounds of interviews. - 1 offer
After 186 days of searching, one application turned into a job.
A few additional ways to look at the data:
- Applications per month: ~56
- Applications per week: ~13–14 (nearly a part-time job just applying)
- Interview-to-offer conversion: 1 out of 26 → ~3.8%
- Application-to-offer conversion: 1 out of 339 → ~0.3%
- Time spent: Given an average of 1 hour per interview, this cost me 66 hours of interviewing time. I averaged about 14.67 minutes per application. Round that up to 15 minutes and the 339 applications took ~84.75 hours. Application is a bit more of a wriggly statistic, as once you create the account and apply once in a given portal, subsequent applications are much quicker.
I also graphed my day-to-day application and rejection load, but this turned out to be less useful than I would have liked. I thought I might be able to track individual application time to rejection, but lack of unique ID and piles of rejections from the same companies mean I’d have to try to do that manually. I don’t care to try to do that manually.
| Day by Day Applications vs Rejections, colored by org |
Analysis
Looking back at the numbers, a few clear patterns stand out that say as much about the hiring process as they do about my own search.
ATS filters are ruthless.
Seventy percent of my applications were stopped at the first step by automated systems. Even with senior-level experience and advanced degrees, most resumes never made it to a human. With the notable caveat that remote roles explicitly put me in the mix against hundreds of candidates rather than perhaps a few dozen, this was still pretty wild to me. I don’t have an explanation for this – other than maybe my resume was poorly written/optimized.
Ghosting has become normal.
One in four applications simply disappeared into silence. This wasn’t just after applying, but in a select few instances, ghosting happened after multiple rounds of interviews. It’s disheartening, but it reflects a broader cultural shift in hiring. I’ve read rumors as I’m sure many others have that some of these job listings aren’t even real. I have no data one way or the other.
The interview funnel is brutally narrow.
Out of 339 applications, 26 turned into first-round interviews. That’s about 8%. From there, each stage cut the field in half or more until just one remained. This “survival of the fittest” funnel isn’t surprising, but seeing it laid out shows how much persistence it takes to get to the finish line.
An important detail worth mentioning here is that no interview pipelines for me resulted in a simple stacked “pass one to get to the next” model. Generally speaking, if you made it past the first two interviews, you can expect 3-5 more after. This panel approach, essentially across the board, involves the recruiter screen, hiring manager, and then a panel of various others. This is a lot of time and effort.
This is stupid.
Here’s some more stats not covered in the Sankey –
I apparently created 63 different Workday accounts… probably more! This was just a manual count of companies that had Workday login portals showing up in their email communications.
I created 16 different ICIMS accounts.
And - I applied to 18 different jobs through LinkedIn. Zero interviews via this mechanism.
Thoughts
1. Um.. This is pretty brutal?
I simply can’t see how someone with fulltime employment can manage this. The best candidates for these more senior positions tend to already be gainfully employed and generally pretty busy. I say that, yet – I can’t argue with ending up with a single offer. Clearly others with similar or better qualifications are finding the same amount of time I did. It is undeniable that the privilege of steady pay throughout this process enabled the selectivity, and subsequently the length and breadth – of said search.
2. The marathon 6 interview panel process is objectively crazy, but I would undeniably appreciate being on the other side of it.
These were obviously a grind, and predictably all over the map as far as competencies. I got fuzzy theoretical questions about fixing business process challenges. I was asked to craft a Splunk query off the top of my head. I got OSI Model questions. I got threat modeling questions. I was asked about Python libraries. I crafted a sample intel report from raw data. I was asked about approaches to briefing non-technical executive leadership. If you’re looking for advice, I frankly don’t have any.
But that said, I can’t help but appreciate the value of gaining multiple perspectives from multiple experts on the team. I admittedly would like the approach as a hiring manager. I absolutely am not a fan of going through it over two dozen times.
3. I think it is hugely valuable for the hiring managers to reach out to the final round rejects and provide the feedback. I think it’s classy, personal and professional.
I remember the name and company of every hirer that extended me the courtesy of why I was not selected after getting through the pipeline. I think there’s something to be said for that. I’d be looking for wherever they are first in the future if I start this process up again.
Anyways, Happy Labor Day 2025