loading
Loading content
loading
66% of security professionals say the job is more stressful than five years ago, 4.8 million roles sit unfilled, and analyst tenure has fallen below 18 months. You cannot hire your way out of a structural problem. Automating the toil is the only exit.

Trickest · Engineering
66% of cybersecurity professionals say their job is more stressful than five years ago. 58% say their teams are understaffed. 55% have unfilled roles. 4.8 million unfilled cybersecurity positions sit open globally. This is not a hiring problem. It is a structural problem, and hiring more people cannot solve it.
Cybersecurity burnout has stopped being a well-being concern and become an operational risk.
71% of SOC analysts report burnout caused directly by alert fatigue, according to the Tines Voice of the SOC Report. Average analyst tenure has dropped below 18 months at most organizations. Replacing a single analyst costs between 50% and 200% of their annual salary once recruiting fees, onboarding time, and lost institutional knowledge are counted. For a twelve-person security team, annual churn adds $100,000 to $200,000 to the budget before the risk created by the empty seat is priced in.
The stress does not stay inside the SOC. ISACA's 2025 State of Cybersecurity survey of 3,800 professionals found that 66% say their job is more stressful than five years ago. 58% say their teams are understaffed. 47% cite high stress as the top reason for attrition. 65% report unfilled cybersecurity positions. ThreatConnect found 51% of cybersecurity professionals have been prescribed medication for mental health, a direct consequence of operational tempo. Cybermindz, polling 101 cyber professionals, found one in two experience burnout weekly or daily. 66% reported moderate or high emotional exhaustion. 54% showed two or more concurrent burnout indicators.
Gartner projected that nearly half of all cybersecurity leaders would change jobs by 2025 due to chronic stress, with 25% expected to leave the profession entirely. Fortinet's 2026 Global Cybersecurity Skills Gap Report found that 56% of IT leaders identify talent shortages as a top cause of security breaches for the third consecutive year, while 86% of organizations experienced at least one breach in the past twelve months.
The SANS 2026 Cybersecurity Workforce Research Report, surveying nearly 1,000 practitioners and leaders, documented a decisive shift: for the first time, skills gaps overtook headcount shortages as the industry's top workforce challenge. 60% of organizations identified skills gaps as the greater problem, up from a four-point margin a year ago to a twenty-point gap. 27% of organizations had experienced actual security breaches as a direct result of workforce capability gaps. The downstream consequences: 57% reported increased team burnout, 47% slower incident response, 42% inability to adopt new technologies. And the root cause: 60% of respondents cited lack of time due to workload as their single greatest training barrier.
The cycle is self-reinforcing. Teams are too busy to train. The skills gap widens. Incidents rise. Stress rises. People leave. The remaining team gets busier.
The global cybersecurity workforce numbers approximately 5.5 million people. There are 4.8 million unfilled positions. The workforce needs to increase by 87% to meet current demand, a gap that has widened more than 40% in two years, according to the ISC2 Cybersecurity Workforce Study. The U.S. alone has over 700,000 unfilled cybersecurity roles. Nearly half of all organizations take more than six months to fill a single cybersecurity vacancy.
Offensive security expertise sits at the scarce end of this gap. Penetration testers, red team operators, and offensive security engineers are among the hardest roles to fill. Training pipelines cannot produce offensive security talent fast enough to close a gap that has been widening for years. The Accenture/Fortune 2026 cyber workforce report found that average cybersecurity job tenure has fallen from 3.3 years to 1.8 years. Organizations are burning through people faster than they can replace them.
The economics make it worse. Replacing a senior security analyst costs an estimated $145,000 to $200,000 when recruitment, training, and lost productivity are counted. A Tines/Sapio Research survey of 1,813 IT and cybersecurity professionals, published February 2026, found that teams still spend an average of 44% of their time on manual or repetitive work, despite widespread AI and automation adoption. The tools exist. The automation is not being wired into actual workflows.
Organizations that try to scale security testing through hiring alone are competing for a talent pool that does not exist. The math will not close.
Burnout is not caused by threats being scary. It is caused by the composition of the workday.
Security practitioners do not sign up to spend their careers running tools manually, managing scan infrastructure, normalizing output formats, and writing the same report in five different templates. They sign up to find vulnerabilities, understand attack paths, design methodology, and break things creatively. The work that burns people out is the work between the actual security work.
Consider a typical offensive security engagement. A tester spends the first two days provisioning infrastructure, spinning up VMs, configuring proxies, dealing with rate limiting, troubleshooting tool dependencies. Days three through seven are the actual testing. Days eight through ten are output wrangling: stitching results from twelve tools into one coherent report, normalizing severity ratings, formatting findings for the client's template, cross-referencing with the scope document. The ratio varies by team and tooling, but the pattern is consistent: more than half the calendar is consumed by work that is not security analysis.
In detection and response, the math is starker. The average organization receives 960 security alerts per day. Most teams cover only 40% to 60% of them. Each false positive takes 10 to 15 minutes to clear manually. At 60% false positive rates, that is roughly 500 hours of analyst time needed to clear one day's queue. Nobody has 500 hours. The result: SOC teams routinely ignore or dismiss up to 30% of incoming alerts, not through negligence, but necessity. When every alert looks the same and context arrives fragmented across disconnected consoles, skilled analysts triage by instinct rather than evidence.
A LinkedIn analysis by BestDefense of security operations costs calculated that 77% of enterprises take over a week to deploy critical patches, that analysts spend 85% of their time chasing false positives, and that 76% of security professionals burn out from repetitive manual tasks. The same analysis pegged the total "manual tax" at roughly $4.7 million annually for a typical enterprise (patch delays, alert fatigue, turnover, and lost productivity) and found that automation cuts these costs by approximately 90%.
The toil tax is not a morale problem. It is a resource allocation problem with a precise dollar figure. Every hour a senior security engineer spends normalizing tool output is an hour they are not hunting an advanced threat, designing a new testing methodology, or training a junior team member. The organization is paying senior salaries for junior work, and the senior talent is leaving.
The automation conversation in security has been captured by a false premise: that automation replaces humans. The Cobalt/Omdia research published in June 2026 shows the opposite. 94% of organizations see the importance of keeping humans in the loop for offensive security programs. 60% expect analysts to shift from executing offensive security tasks to supervising autonomous workflows. The market is not asking for a robot pentester. It is asking for the repetitive 80% of the work to run itself so the humans can focus on the 20% that requires judgment.
This is not a prediction. The same research found that 88% of organizations plan to increase offensive security spending over the next twelve months, with 23% planning significant increases. The budget is there. The intent is there. What is missing is the operational model that connects automation to actual reduction in toil.
The Tines survey found that despite widespread AI adoption, teams still spend 44% of time on manual work. The tools exist; the integration does not. A Fortune 500 financial services company spent $1.8 million on a SOAR platform and six months later had analyst turnover at 40%, with automation used for less than 15% of daily incidents. The team had reverted to manual playbooks because the vendor-designed automation did not match how incidents actually unfolded in their environment.
The fix is not more tools. It is automation that maps to actual workflows, the specific sequences of steps a team actually executes, not the idealized playbook a vendor designed. When automation succeeds, the results are concrete:
The mechanism is not magic. It is removing the parts of the job that nobody signed up for: provisioning, tool execution, output normalization, report generation. The parts that can be encoded once and executed deterministically, on schedule, without human babysitting.
Trickest was built on a simple observation: security teams know exactly what to test. Their methodology is sound. It is the execution that does not scale.
A team's testing methodology typically lives in three places: a senior engineer's bash scripts, a Confluence page last updated eighteen months ago, and tribal knowledge that transfers verbally. When the senior engineer leaves, the methodology leaves with them. The scripts break because a dependency updated. The Confluence page drifts out of sync. The remaining team reverts to manual execution because nobody has time to rebuild the automation.
The alternative: encode the methodology as a deterministic workflow that runs on schedule, produces structured output, and surfaces only what changed since the last run.
A concrete example. A security team runs external reconnaissance across 15,000 subdomains. The workflow: asset inventory → subdomain enumeration → port scanning → service identification → vulnerability scanning → AI-assisted triage → prioritized report. Running this manually takes a team of three approximately two weeks per cycle. Running it on Trickest (500,000 machines, 30-second spin-up, parallel execution across 300 runners) takes approximately 30 minutes. The methodology does not change between runs. The output does. The team compares this week's results against last week's and sees exactly what is new.
The time reclaimed is not theoretical. One AppSec team increased monthly application assessments from 8 to 30 without adding headcount. Another team operating across 500,000 subdomains applied consistent methodology everywhere instead of sampling. An enterprise reduced time to operationalize a new security workflow from three weeks to less than one day.
These numbers are not projections. They are measured outcomes from existing Trickest deployments. The common thread: the work that was automated was not the creative, judgment-intensive part of security testing. It was the provisioning, execution, normalization, and reporting, the parts that burn people out.
The SANS 2026 report found that unclear career progression tripled as a hiring obstacle, surging from 9% to 32% year over year, and ranked as the third-largest retention obstacle at 31%. Yet only 24% of organizations provide well-defined cybersecurity career paths. Accenture's analysis of 550,000 cybersecurity job postings found that 59% of open roles now require business acumen, strategic leadership, and cross-functional communication, but only 40% of the current workforce fits that profile.
The talent the industry needs (people who can translate risk into business terms, design methodology, brief a board) cannot develop those skills if they spend 44% of their time running tools manually and normalizing CSV output. The path to retention is not free lunch and mindfulness apps. It is removing the toil so people can do the work that advances their careers.
When a team's methodology is encoded as executable workflows, several things change at once:
Onboarding accelerates. A new team member does not spend six weeks learning which scripts to run and in what order. They run the existing workflows, study the output, and understand the methodology from the artifact. The bus factor drops from one to zero.
Training becomes possible. The SANS report's top barrier to training, lack of time due to workload, cited by 60% of respondents, recedes when the baseline operational tempo is handled by automation. The team has space to learn.
Institutional memory survives attrition. When an engineer leaves, their methodology does not. The workflows they encoded continue executing on schedule. The knowledge is institutional, not individual.
The work becomes what people signed up for. Security professionals entered this field to find vulnerabilities, understand attack chains, and defend systems, not to provision VMs, debug tool dependencies, and format reports. Automation removes the parts nobody wanted, and leaves the parts they did.
This is not a soft argument about happiness. It is a hard argument about capability. A burned-out team misses threats. A team with headspace catches them. The difference shows up in MTTD, MTTR, and breach impact, measurable security outcomes with measurable dollar values.
The cybersecurity industry has a structural problem it cannot hire its way out of. There are not enough people. The people who exist are leaving. The work that drives them out is the work that can be automated.
Automation that works, that actually removes toil instead of adding another console, requires encoding the team's actual methodology, not a vendor's idealized playbook. It requires deterministic execution that produces structured, comparable output over time. It requires the ability to run the same methodology across any scope, on any schedule, without a human provisioning infrastructure or normalizing results.
The teams that make this transition do not stop doing security work. They stop doing the work around the security work. Their senior engineers design methodology and investigate novel threats. Their junior engineers run existing workflows and learn from the output. Their managers report coverage trends instead of activity logs. Their CISOs brief boards with dwell time and remediation velocity instead of pentest counts.
The alternative is the current trajectory: rising stress, falling tenure, widening skills gaps, and 27% of organizations experiencing breaches directly caused by workforce capability shortfalls. The math on that trajectory does not improve on its own.
The exit exists. It requires treating toil as a security control problem, a risk to be mitigated, measured, and reduced, rather than a cultural issue to be managed with wellness programs. The organizations that remove the toil retain the talent. The organizations that do not will continue losing people into a talent market that has no replacements.
The 4.8 million unfilled roles are not the crisis. They are the symptom. The crisis is that the people already on the team are spending their careers on work that machines should be doing. Fix that, and the rest of the numbers start moving in the right direction.
Get a personalized demo
A 30-minute walkthrough. We map the platform to your stack and answer pricing and deployment questions for your environment.