Architectural shot of a dark glass-and-steel control-room wall with faint cyan reflected highlights.

Where ethical-hacking pros actually work in 2026

Thirty employers, three tiers, one decision.

Defense-industrial primes (Booz Allen, Palantir, Anduril, Helsing), commercial cyber leaders (Mandiant, CrowdStrike, Microsoft, SentinelOne, Palo Alto, Rapid7), mid-tier federal primes (Lockheed, Raytheon, Northrop, BAE Inc, SAIC, CACI, Leidos), and federal government employers (NSA, CISA, FBI, USCYBERCOM, DC3, DISA, IC components).

Every profile is sourced to public material — company expertise + careers pages, public DoD contract press releases, named-author journalism, public speeches. No insider speculation. The point of the page is industry-pro situational awareness, not a recruiter pitch.

Tier 1 · the defense-industrial primes you absolutely know

Three companies that define the field.

Booz Allen Hamilton

BAH · NYSE

Largest US federal cyber + AI prime by revenue. Self-described as Deltek 2025 #1 federal cybersecurity AND federal AI provider. ~2,350+ AI practitioners across ~200 active federal AI engagements at ~160 federal clients. The default first stop if you want a federal cyber career inside a private company.

::named products + platforms

· Vellox Reverser™ · autonomous malware reverse engineering + threat intelligence
· Vellox Ranger™ · AI-powered detection engineering
· Vellox Striker™ · red-team emulation tool
· Cyber Fusion Centers · commercial threat operation centers
· aiSSEMBLE · proprietary lean AI engineering framework for federal + commercial

::service lines + roles

· Zero Trust Solutions (#1 Federal Provider claim)
· Intelligent Cyber Defense — threat hunting + adversary response
· Cyber-Physical Defense Operations — critical infrastructure
· Weapon and Space Systems Cybersecurity
· Resilient Positioning, Navigation, and Timing (PNT) security
· AI for Cybersecurity — AI/ML automated threat detection
· Secure AI — building + certifying secure AI systems, adversarial-attack resistant
· Responsible AI — governance, risk measurement, compliance

Doctrine: "Cyberattacks move at AI speed. Cyber defense must too." Their public positioning is on the cybersecurity speed gap as primary strategic challenge — adversary tradecraft models trained by elite cyber operators to enable machine-speed automation.

How to apply: boozallen.com/expertise/cybersecurity · careers.boozallen.com · clearance typically required (Secret minimum, TS/SCI common). Strong intern + early-career pipeline. Government Affairs / Mission Services for non-cleared early career.

Sources: boozallen.com/expertise/cybersecurity (named products + service lines) · boozallen.com/expertise/artificial-intelligence (AI capabilities + practitioner count) · Booz Allen Hamilton 10-K SEC filings

Palantir Technologies

PLTR · NASDAQ

Most public-facing software-defense prime. Two original platforms — Gotham (intel/defense, in DoD use since the early Iraq war era) and Foundry (commercial enterprise data platform). AIP (Artificial Intelligence Platform, launched 2023) added an LLM integration layer to both. Maven Smart System prime contractor win (~$153M initial in 2024, expanded through 2024-2025). CEO Alex Karp publicly outspoken on the company's mission posture.

::named products + platforms

· Gotham · intelligence/defense data platform
· Foundry · commercial enterprise data platform
· AIP (Artificial Intelligence Platform) · LLM integration layer (2023)
· Maven Smart System · DoD program prime (2024, formerly Project Maven)
· Apollo · continuous-delivery infrastructure used internally + offered to customers

::service lines + roles

· Forward Deployed Engineer (FDE) — Palantir's signature role; engineers embedded with the customer to operationalize platform deployment
· Implementation + Operations · how Gotham/Foundry land at customer sites
· AI/ML research · published in blog.palantir.com and the company's Medium presence

Doctrine: Karp's public posture frames the company as a defender-of-the-West technology layer. His 2024 book 'The Technological Republic' (with co-author Nicholas Zamiska) lays out a public-intellectual frame for the company's mission. Notable for explicit refusal of certain commercial work + explicit pursuit of defense + IC work.

How to apply: palantir.com/careers · Forward Deployed Engineer is the canonical entry path for technical undergrads (heavy interview loop, on-site implementation work). Software Engineering + Operations also enter the company. US person required for most defense work; some commercial Foundry roles do not require it.

Sources: palantir.com (product taxonomy) · palantir.com/careers · blog.palantir.com (engineering blog) · Maven Smart System DoD press releases 2024 · Karp public speeches at CNAS + other defense forums · 'The Technological Republic' 2024 book

Anduril Industries

Private · Series F at $14B+ valuation (2024 public reporting)

Founded 2017 by Palmer Luckey (Oculus founder) after departure from Facebook. Vertically integrated defense product company — software platform (Lattice OS) + hardware (drones, autonomous vehicles, towers, counter-UAS). Public philosophy: "build the products, then sell them" rather than cost-plus contract model. Won the US Air Force Collaborative Combat Aircraft (CCA) program with General Atomics in 2024.

::named products + platforms

· Lattice OS · AI-driven command + control software platform — the company's spine
· Ghost · autonomous surveillance UAV
· ALTIUS · loitering munition family
· Bolt · handheld kamikaze drone
· Roadrunner · VTOL counter-UAS interceptor
· Sentry Tower · autonomous surveillance tower (border + base perimeter)
· Dive-LD · autonomous underwater vehicle
· Fury · CCA (Collaborative Combat Aircraft) candidate
· ALTIUS-700M · larger loitering munition class

::service lines + roles

· Software engineering on Lattice + autonomy stack
· Hardware engineering across the drone + maritime + ground vehicle product lines
· Manufacturing engineering — vertically-integrated production
· Security engineering — clearance pipeline for defense-cleared work
· Forward operating teams — work alongside US + allied military customers

Doctrine: Luckey's stated thesis: the US defense industrial base lost the ability to ship competitive products at competitive prices because the cost-plus contract model rewards delivery delays. Anduril sells products to DoD the same way Apple sells phones — fixed-price, productized, refresh cycles. Public posture is unapologetically political — Luckey speaks publicly about the West-vs-authoritarian frame.

How to apply: anduril.com/careers · US person required for most defense work. Heavy software + hardware engineering hiring. Notable for hiring senior engineers from frontier-tech companies who want to work on national-security problems. Lattice + autonomy teams are the public flagship; manufacturing engineering is the hidden scale story.

Sources: anduril.com (product taxonomy) · anduril.com/careers · DoD CCA program press releases 2024 · Palmer Luckey public interviews (Wired, NYT, Bloomberg) · Anduril press releases on Lattice + product launches

Tier 2 · commercial cyber leaders

Eight platforms shipping at scale.

Mandiant (Google Cloud)

Acquired by Google for $5.4B in 2022. The single most-cited threat-intel + IR firm in named-actor attribution. Authored or co-authored the public attribution of APT1 (PLA Unit 61398 in 2013), SolarWinds discovery (2020), and major nation-state campaign reporting since.

Products: Mandiant Threat Intelligence · Advantage · Managed Defense · Consulting + IR · Validation (continuous testing)

Apply: cloud.google.com/security/mandiant · careers via Google Cloud security org · Threat Intel + IR are the two flagship career paths

CrowdStrike

Falcon platform is the dominant EDR/XDR product in commercial cyber. Pioneered named-adversary tradecraft cataloguing (Bear/Panda/Kitten/Spider naming convention). CrowdStrike Intelligence is one of the three most-cited private threat-intel teams alongside Mandiant + Microsoft.

Products: Falcon (EDR/XDR core), Falcon Identity Protection, Falcon Cloud Security, Falcon LogScale, Falcon for IT, Charlotte AI (LLM SOC assistant)

Apply: crowdstrike.com/careers · Threat Intel (CrowdStrike Intelligence), Detection Engineering, Falcon Complete (managed SOC), and Services (consulting + IR) are the named career tracks

Microsoft Security

Microsoft Defender + Sentinel + Entra + Purview is the most broadly deployed security product family on Earth by install base. Microsoft Threat Intelligence Center (MSTIC) is one of the top three private CTI shops. Charlie Bell leads as EVP of Security.

Products: Defender (XDR), Sentinel (SIEM/SOAR), Entra (identity), Purview (compliance/DLP), Security Copilot, MSTIC threat reports

Apply: careers.microsoft.com · Security Engineer, Threat Intelligence, Detection Engineering, Security Researcher (MSTIC) are the named tracks. Heavy US-person + clearance presence on the federal side

SentinelOne

Public competitor to CrowdStrike on Falcon turf. Singularity XDR platform. Pioneered fully-autonomous response (no analyst-in-loop for known-bad). Purple AI LLM SOC assistant.

Products: Singularity XDR, Singularity Identity, Singularity Cloud Security, PurpleAI

Apply: sentinelone.com/careers · Detection engineering + Threat research + Solutions architecture

Palo Alto Networks

Cortex platform (XDR/XSIAM), Prisma (cloud security), and Strata (network security) cover the three biggest commercial cyber categories. Unit 42 is their threat intel + IR consulting arm — one of the most-cited in named-incident reporting.

Products: Cortex XSIAM, Prisma Cloud, Strata firewalls, Unit 42 IR + consulting

Apply: paloaltonetworks.com/company/careers · Unit 42 is the most prestige career-track for IR + threat intel. Cortex engineering is the SaaS path

Rapid7

InsightIDR (SIEM), InsightAppSec, InsightVM, Metasploit (open-source pentest framework). Metasploit alone makes Rapid7 a name every pentester knows. AttackerKB their public knowledge base of named vulnerability + exploit data.

Products: InsightIDR, InsightAppSec, InsightVM, Metasploit Framework, AttackerKB

Apply: rapid7.com/careers · Threat Intelligence, Research, Detection Engineering, MDR (managed detection)

Sophos · Trellix · Trend Micro · Bitdefender · ESET

The endpoint security incumbents. Each one has a regional + segment strength. Sophos strong in SMB managed services. Trellix (FireEye + McAfee merger) on federal. Trend Micro globally on enterprise. Bitdefender + ESET on European mid-market.

Products: Each ships an EDR/XDR + cloud + email + network security suite under their brand

Apply: Career pages on each. These are often the right early-career stop for someone who wants commercial product cyber engineering with less prestige tax than CrowdStrike/Palo

Helsing (Europe)

German + UK headquartered. AI defense software. €4.95B Series C valuation (2024 public reporting). Backed by Spotify founder Daniel Ek's Prima Materia. Publicly supplied AI software to Ukraine. Released Centaur (AI software paired with Eurofighter Typhoon) + HX-2 strike drones 2024.

Products: Centaur (AI software for crewed combat aircraft), HX-2 strike drone, general AI defense platform

Apply: helsing.ai/careers · European entry path for AI-defense engineers. EU work authorization typically required

Tier 3 · mid-tier federal primes

Ten contractors with cyber lines.

Less prestige than Tier 1, more federal exposure than Tier 2, often the right early-career stop for cleared work + breadth of contract experience.

Lockheed Martin
Cyber Solutions inside the Rotary + Mission Systems business. Cyber Mission Force support contracts. Significant federal CTI + IR work.
Raytheon (RTX)
Raytheon Intelligence + Space (RIS) houses cyber. Heavy DoD + IC contractor presence. Forcepoint was a Raytheon spinoff (now sold).
Northrop Grumman
Mission Systems cyber + electronic warfare. ICE-T (Integrated Cyber + Electronic Warfare) framework. National-scale signals + cyber work.
BAE Systems Inc (US arm)
Federal cyber contractor. Bridgehead between UK BAE + US federal cyber. Strong electronic warfare adjacency.
SAIC
Federal IT + cyber prime. ~$8B+ annual revenue. Heavy DoD + IC presence. Strong contracts in defensive cyber for civilian agencies.
CACI International
Federal IT + cyber + intelligence systems. Strong presence in IC cyber programs. Recent expansion in cleared cyber workforce.
Leidos
Largest IT services federal contractor by revenue. Cyber + intelligence + civilian + defense. Often the prime on multi-vendor federal cyber programs.
ManTech (Carlyle PE-owned)
Mid-tier federal cyber + IT. Pure-play federal focus. Often subcontractor to BAH/Leidos but increasingly prime on smaller cyber programs.
Peraton
Created from L3 Technologies' federal IT spinoff + later acquisitions. Significant IC + DoD cyber work.
ECS Federal
Cyber + cloud + data analytics for federal. Often unprompted recommended by federal hiring managers as 'good first contractor stop.'

Federal public-sector

Seven government employers where the work is national.

National Security Agency (NSA) — Cybersecurity Directorate
Fort Meade. SIGINT + cyber. Highest concentration of senior cyber talent in US government. NSA Cyber publishes some of the most-cited public advisories (cyber.gov).
Cybersecurity and Infrastructure Security Agency (CISA)
DHS sub-agency. Civilian federal cybersecurity. Recent expansion under 2023 National Cybersecurity Strategy. Strong public-facing posture, lower clearance bar than NSA.
FBI Cyber Division
Federal LE on cyber crime + state-actor disruption. Special Agent (Cyber) + Computer Scientist paths. ~10 Cyber Field Office expansion + regional Cyber Action Teams.
United States Cyber Command (USCYBERCOM)
Combatant command at Fort Meade. Joint cyber operations. Service-component cyber forces (Army Cyber, Navy Fleet Cyber, etc.) feed into USCYBERCOM.
DoD Cyber Crime Center (DC3)
DoD digital forensics + insider threat + DIB cyber. Significant intern + entry-level program.
Defense Information Systems Agency (DISA)
DoD enterprise IT + JFHQ-DODIN cyber defense. Foundational defensive cyber for the DoD network.
Intelligence Community elements (CIA, NSA, NRO, NGA, DIA)
Each runs cyber-adjacent programs. CIA Directorate of Digital Innovation (DDI) is the explicit cyber+digital posture. NRO + NGA have growing OT/cyber programs for space + imagery systems.

The apply doctrine

Five things every hiring manager wishes you knew.

01
Clearance is the gate. Many of the best jobs require Secret minimum, TS/SCI common, with full-scope polygraph for IC roles. The clearance process takes 6-18 months. If you have a clearance, lean on it. If you don't, the federal contractor path with sponsored clearance is the cleanest route in.
02
Internships are the cleanest entry path. Booz Allen, Palantir, Anduril, Mandiant, CrowdStrike, NSA, CISA, FBI, USCYBERCOM, and the IC components all run named internship programs targeting undergrad + early-career. The federal CyberCorps Scholarship for Service program funds undergrad/grad in exchange for federal service commitment.
03
Public proof of competence matters more than degree. A HackerOne reputation, a published CVE, an open-source contribution to a CTI/RE/detection-engineering project, a CTF placement in DEF CON/PicoCTF — all measurable + recognizable to hiring managers across this list. A masters degree from a name-brand school is nice but not the gate.
04
Mission-fit is the unfakeable signal. Every employer on this list has a stated mission. Apply only where the mission aligns with what you actually believe in. The recruiters can tell when you're just looking for a paycheck — and the senior engineers definitely can.
05
The ladder is real. Booz Allen → Palantir/Anduril, or Booz Allen → NSA → CrowdStrike/Mandiant is a common progression. Government experience opens doors at private firms. Big-prime experience opens doors at startups. Startup experience opens doors at scale-ups. Plan the 10-year arc, not just the first job.

Military + federal paths →The platforms they ship →Named researchers →← cyber index