Pulled six months of Hacker News 'Who is hiring?' threads, filtered to 148 security-adjacent roles. Distribution by month, role types (compliance is 29, threat detection 16, offensive security only 1), location breakdown, contact-information quality, and company-type clustering. Practical takeaways for candidates, hiring managers, and companies about to post for their first security engineer.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
# 148 security-role posts across six months of HN Who's Hiring. What the 2026 CISO market actually looks like.
Every first of the month, an account called whoishiring posts an Ask HN thread titled "Ask HN: Who is hiring?" on Hacker News. By the end of the day the thread has 600 to 1,000 top-level comments, each one a company publicly advertising for engineers. The thread is old internet tradition at this point. Every post follows the same Company | Location | Terms | URL convention. Every post is explicitly opt-in to outreach.
It is also one of the most under-read labor-market datasets in technology. We built a scraper against the HN Firebase API, pulled the last six months of threads, filtered to posts mentioning security, appsec, infosec, detection, threat, compliance, or related roles, and walked the result. 148 security-adjacent hiring posts across November 2025 through April 2026. Here is what the data shows about who is actually hiring for security in 2026.
## The distribution by month
| Month | Security-role posts |
|-------|---------------------|
| November 2025 | 31 |
| December 2025 | 20 |
| January 2026 | 16 |
| February 2026 | 28 |
| March 2026 | 29 |
| April 2026 | 24 |
January is the dead month, because hiring freezes that start in Q4 haven't thawed yet. November and March are the active months, matching the "post-board-meeting budget unlocked" and "pre-summer-hiring-push" cycles. The April 2026 number is a partial-month count (the thread is still collecting posts as of publication).
148 security hiring posts across six months is about 25 per month. That number is, surprisingly, consistent. The signal-to-noise ratio for security-specific roles on HN hasn't changed materially in the last year. What has changed is what the roles are asking for.
## What the role titles actually look like
Role mentions per post (a single post can mention multiple roles):
- Compliance officer / auditor / GRC: 29 posts
- Threat detection / threat intel / threat engineering: 16 posts
- Security engineer (unspecified): 13 posts
- Fraud / abuse detection: 6 posts
- Cryptography engineer: 5 posts
- Security researcher (bug bounty or academic): 2 posts
- DevSecOps engineer: 1 post
- Detection engineer (dedicated): 1 post
- Pentester / offensive security: 1 post
The biggest category is compliance and GRC. That tracks with the 2025-2026 regulatory cycle (SEC Item 1.05 two years in, HIPAA Security Rule 2025 NPRM, SOC 2 and PCI DSS 4.0 audit pipelines heating up, NYDFS enforcement actions ramping). If you are a compliance professional reading this, the market for you is the best it has been in years.
The surprise is how few offensive-security roles appear on HN specifically. One post with a "pentester" or "offensive security" role mention across 148 security-adjacent posts. Penetration testing, bug bounty triage, and red-team work are not where HN hiring posts concentrate. Those roles live on specialized boards (Infosec Jobs, Red Team Village), referrals, and recruiter networks.
Threat engineering and detection engineering are the modal engineering-heavy security role on HN. That reflects where the non-compliance hiring demand is: companies with real production traffic building real detection pipelines. Sentry, Datadog, Snowflake, Sumo Logic, and the other observability-adjacent tickers have spawned an entire class of companies that want detection engineers.
## Location breakdown
We parsed the Location field of each post:
- Other / unspecified: 116 posts (78%)
- Remote: 21 posts (14%)
- San Francisco: 4 posts
- New York City: 2 posts
- Seattle, Austin, London, Boston, Hybrid: 1 post each
The enormous "Other / unspecified" bucket is because HN hiring posts are wildly inconsistent about location format. A post might write "SF Bay Area" or "San Francisco, CA (Hybrid)" or "US" or "Remote-friendly (Europe/US)" or just omit location entirely. The parser we used is a first-line regex; a smarter NER would recover more of those 116.
But the signal inside "Other" matches what is visible: most small HN-hiring companies are geographically-distributed remote or remote-friendly. The explicit "Remote" tag is undercounted because posts that are remote-by-default don't bother to say so. Our rough read is that ~50-60% of security HN hires in the last six months are remote or hybrid. For candidates that is great. For hiring managers in SF or NYC, that is a labor-market pressure they cannot wish away.
## Who posted contact information
Of 148 posts:
- 40 (27%) included an email contact directly in the post
- 30 (20%) included a Greenhouse or Lever or Ashby slug we could cross-reference
- 95 (64%) included at least a company domain
27% emailing directly is both a data-quality signal and a seniority signal. Posts that include the CTO's or head of engineering's direct email tend to come from earlier-stage companies where the hiring manager is still doing first-round filtering themselves. At Series B or later, the email is usually jobs@company.com or an ATS link instead.
The 20% with an ATS slug is useful for a different reason. Those slugs let you pull the full current opening list for a company, even after the HN post is buried. We built a cross-feed between our HN parser and a separate Greenhouse/Lever scraper so new slugs from HN feed the broader job-board scan on the next cycle. Small pipeline hack, large multiplier.
## What kinds of companies
Eyeballing the 95 domains we got:
- Early-stage YC / newly-incorporated SaaS: the plurality, ~35% of posts.
- Deep-tech / research-lab spinouts: AI model labs, quantum-cryptography startups, crypto hardware vendors, ~15%.
- Mid-market B2B SaaS on their first security hire: ~15%.
- Cybersecurity vendors hiring for their own platform: ~15%.
- Defense industrial base / national security adjacent: ~8%.
- Fintech and crypto exchange: ~5%.
- Healthcare and medical device: ~3%.
- Everything else (consumer, media, marketplace, dev tools): the remainder.
The defense-industrial-base cluster is larger than it looks. Several posts are from CMMC-regulated small contractors hiring their first dedicated security person. These are exactly the target profile for CMMC 2.0 Level 2 readiness work. The companies are aware they need security staffing but do not yet have the budget for a dedicated senior hire, which is why fractional vCISO retainers and fixed-fee readiness assessments work well for them.
Fintech and crypto is smaller than the general-tech-press narrative suggests. Everyone thinks fintech is where the security hiring is. On HN specifically it's not. The big banks and large exchanges hire through their own recruiting channels, not by writing a paragraph in a Hacker News thread.
## What this data says about the 2026 security hiring market
Three takeaways for practitioners.
### 1. Compliance hiring is the largest single slice
If you are a compliance-track security professional (SOC 2 analyst, PCI QSA-track, HIPAA privacy officer, CMMC assessor), the market is unusually friendly. One in five security-role HN posts is a compliance role. Rate compression is minimal because the mid-market is desperate for in-house compliance staff who can own the Drata/Vanta/Secureframe portal plus the manual control work those platforms can't automate.
### 2. The offensive-security hiring market is elsewhere
The data confirms what anyone in offensive security already knows. HN is not where pentest hiring happens. If you are a pentester or bug bounty triage professional looking for a role, the canonical channels are Infosec Jobs, Bugcrowd, HackerOne, TrustedSec, Offensive Security alumni networks, and cold-pitching firms directly. Save your HN browsing time for other research.
### 3. First-security-hire companies are the most fertile ground for fractional work
A lot of the early-stage, ~50-person companies posting on HN for their "first security engineer" are also not ready for a full-time senior hire. They want SOC 2 or ISO 27001 by end of year, they want a pentest before their enterprise customer audit, they want their AWS or Supabase RLS reviewed. What they actually need for the next 12 to 24 months is fractional security leadership plus a few fixed-fee project engagements, not a $250K+ security hire they will burn out in nine months.
That is the sweet spot for security consulting firms. It is also the sweet spot for experienced security practitioners who would rather do four-to-six concurrent engagements than commute into one full-time job.
## If you are posting on HN Who's Hiring for a security role
Three practical suggestions based on reading 148 of them.
Include your direct email, not a jobs@ inbox. The 27% who include a direct email get meaningfully more response from senior candidates. Senior candidates do not send resumes through generic ATS portals; they email a named person.
Put your Greenhouse or Lever slug in the post. It lets tooling like our scraper surface your other openings alongside the one you wrote the post about. Many candidates read an HN post for role A but end up applying for role B from the same company.
Say the geography explicitly. The "Other / unspecified" bucket is where decent candidates walk away because they can't tell if remote is on the table. A single line saying "Remote OK in US/EU" or "On-site in Austin, TX" is the difference between 50 applications and 15.
## The raw tool
We open-sourced the HN hiring parser we used for this analysis as sec-item-1-05-tracker's sibling project (coming soon), and the same scraper that produced this dataset powers our outreach pipeline. If you want to replicate the analysis, the Firebase API is at https://hacker-news.firebaseio.com/v0/user/whoishiring.json → submitted[] → walk each /item/. Parse the first line on the conventional separator. Filter on your own keyword list.
Total tool size: about 380 lines of Python, zero external dependencies.
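The walk just described (whoishiring's `submitted[]`, then each thread's top-level comments, then the first-line split on `|`), together with the role, location and contact-information parsing from the earlier sections, as one added Python example. This is not the article's or Valtik's scraper: only the Firebase endpoint paths and item fields (`user.submitted`, `item.title`, `item.kids`, `item.text`) are the real HN API; the security keyword list, the role and location buckets, the contact regexes and the three sample comments are constructed assumptions for the example.

```python
"""HN 'Who is hiring?' security-role parser. Added example, not the article's own scraper:
the endpoint paths and item fields (user.submitted, item.title, item.kids, item.text) are the
public HN Firebase API; every keyword list, bucket name and sample comment is constructed."""
import html
import json
import re
import urllib.request
from collections import Counter

HN_API = "https://hacker-news.firebaseio.com/v0"
# Constructed filter list (the article's own 17-term list is not on the page).
SECURITY_TERMS = ("security", "appsec", "infosec", "detection", "threat",
                  "compliance", "grc", "pentest", "cryptograph", "fraud")
ROLE_BUCKETS = {  # non-mutually-exclusive: one post can land in several buckets
    "compliance/grc": ("compliance", "grc", "auditor", "soc 2", "soc2"),
    "threat/detection": ("threat", "detection engineer"),
    "fraud/abuse": ("fraud", "abuse"),
    "cryptography": ("cryptograph",),
    "offensive": ("pentest", "penetration test", "offensive security", "red team"),
}
LOCATION_PATTERNS = {  # first match on the Location field wins, else "Other / unspecified"
    "Remote": r"\bremote\b", "San Francisco": r"san francisco|sf bay area|\bsf\b",
    "New York City": r"new york|\bnyc\b", "Seattle": r"seattle", "Austin": r"austin",
    "London": r"london", "Boston": r"boston"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ATS_RE = re.compile(r"(?:boards\.greenhouse\.io|jobs\.lever\.co|jobs\.ashbyhq\.com)/([\w-]+)", re.I)
DOMAIN_RE = re.compile(r"https?://(?:www\.)?([\w-]+(?:\.[\w-]+)+)", re.I)
ATS_HOSTS = ("greenhouse.io", "lever.co", "ashbyhq.com")

def clean_text(raw_html):
    """API bodies are escaped HTML with <p> paragraph breaks; return plain text lines."""
    text = raw_html.replace("<p>", "\n")
    text = re.sub(r'<a href="([^"]+)"[^>]*>.*?</a>', r"\1", text)  # keep link targets
    text = re.sub(r"<[^>]+>", "", text)
    return html.unescape(text).strip()  # also turns &#x2F; back into /

def parse_header(first_line):
    """Split the conventional 'Company | Location | Terms | URL' line; missing fields -> ''."""
    company, location, terms, url = ([p.strip() for p in first_line.split("|")] + [""] * 4)[:4]
    return {"company": company, "location": location, "terms": terms, "url": url}

def analyze_post(raw_html):
    """Structured record for a security-adjacent post, or None when the filter rejects it."""
    text = clean_text(raw_html)
    low = text.lower()
    if not any(term in low for term in SECURITY_TERMS):
        return None
    header = parse_header(text.partition("\n")[0])
    roles = [name for name, terms in ROLE_BUCKETS.items() if any(t in low for t in terms)]
    if not roles and "security engineer" in low:  # generic title and nothing more specific
        roles.append("security engineer (unspecified)")
    location = next((name for name, pat in LOCATION_PATTERNS.items()
                     if re.search(pat, header["location"], re.I)), "Other / unspecified")
    email, ats = EMAIL_RE.search(text), ATS_RE.search(text)
    domains = [d.lower() for d in DOMAIN_RE.findall(text) if not d.lower().endswith(ATS_HOSTS)]
    return {"header": header, "roles": roles, "location": location,
            "contact": {"email": email.group(0) if email else None,
                        "ats_slug": ats.group(1) if ats else None,
                        "domain": domains[0] if domains else None}}

def analyze_thread(title, raw_comments):
    """One monthly thread; the month is the '(Month YYYY)' suffix of the thread title."""
    month = re.search(r"\(([A-Za-z]+ \d{4})\)", title)
    posts = [p for p in map(analyze_post, raw_comments) if p]
    return {"month": month.group(1) if month else "unknown", "posts": posts}

def summarize(posts):
    """Counts in the shape of the article's tables (roles overlap, so they can exceed posts)."""
    return {"posts": len(posts),
            "roles": Counter(r for p in posts for r in p["roles"]),
            "locations": Counter(p["location"] for p in posts),
            "with_email": sum(bool(p["contact"]["email"]) for p in posts),
            "with_ats_slug": sum(bool(p["contact"]["ats_slug"]) for p in posts)}

def scrape(months=6):
    """Live pipeline (network): user/whoishiring -> submitted[] -> hiring threads -> kids."""
    def get(path):
        return json.load(urllib.request.urlopen(f"{HN_API}/{path}.json", timeout=30))
    for item_id in sorted(get("user/whoishiring")["submitted"], reverse=True):  # newest first
        thread = get(f"item/{item_id}")  # the account also posts 'Who wants to be hired?'
        if not thread or not thread.get("title", "").startswith("Ask HN: Who is hiring?"):
            continue
        comments = (get(f"item/{kid}") for kid in thread.get("kids", []))
        yield analyze_thread(thread["title"], [c["text"] for c in comments if c and "text" in c])
        months -= 1
        if months == 0:
            return

SAMPLE_TITLE = "Ask HN: Who is hiring? (March 2026)"  # constructed, as are the comments below
SAMPLE_COMMENTS = (  # in the API's escaped form: <p> breaks, &#x2F; for /, auto-linked URLs
    "Acme Payments | Remote (US) | Full-time | https:&#x2F;&#x2F;acme.example<p>We are hiring a "
    "GRC &amp; compliance lead to own our SOC 2 program. Email jane@acme.example or apply at "
    '<a href="https:&#x2F;&#x2F;boards.greenhouse.io&#x2F;acmepay" rel="nofollow">greenhouse</a>.',
    "Nimbus Observability | San Francisco, CA (Hybrid) | Full-time<p>Looking for a detection "
    "engineer to build threat detection pipelines.",
    "Widgets Inc | Austin, TX | Onsite<p>Senior frontend engineer, React and TypeScript.",
)
```

`analyze_thread(SAMPLE_TITLE, SAMPLE_COMMENTS)` runs offline on the constructed comments and `summarize` turns the result into the same kind of counts as the tables above; `scrape()` does the live six-thread walk. The API returns each comment body as escaped HTML (paragraphs as `<p>`, `/` as `&#x2F;`, URLs wrapped in `<a>`), so cleaning has to happen before the first-line split, and a Location field that matches none of the patterns lands in "Other / unspecified", which is exactly the bucket the regex approach over-fills.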
## How Valtik fits
We work with the "first security hire" category directly. Fractional vCISO retainers at $1.5K-$3.5K/month, fixed-fee penetration testing at $3.5K-$25K per engagement, compliance readiness for SOC 2, HIPAA, PCI DSS 4.0, CMMC 2.0, NYDFS Part 500 at scoped-price ranges. We are based in Connecticut, serve Dallas-Fort Worth directly, and work remotely for the rest of the US.
If your company is about to post on HN for its first security engineer and you'd like to talk about fractional options before committing to a full-time hire, see our retainer page for the menu or email tre@valtikstudios.com.
---
Methodology note. This analysis is based on 148 top-level comments across six monthly HN Who's Hiring threads (November 2025 through mid-April 2026), filtered to posts whose body text matched a 17-keyword security-adjacent term list. Our full toolchain is sec-item-1-05-tracker (SEC filings) and an internal HN scraper (planned for open-sourcing). Raw category counts are approximate; we did eyeball review, not structured labeling. The "role types" and "company types" buckets are non-mutually-exclusive (a post can appear in multiple categories).
