How to Apply for Jobs Strategically in Cybersecurity
TCM Security's free course breaks down the job application process for cybersecurity roles—from job boards and Google Alerts to OSINT worksheets and cover letters.
Written by AI. Vanessa Torres

Photo: AI. Ren Takahashi
TCM Security recently released a free module on job applications as part of their Soft Skills for the Job Market course—put together by Zach Hill (known on YouTube as IT Career Questions) and available on both the TCM Academy free tier and YouTube. Module Three runs nearly 47 minutes and covers the mechanics of actually applying for jobs: where to look, how to track applications, what job descriptions are really telling you, and why the word "banana" once eliminated more than half the applicants for a social media manager role.
That last point is worth sitting with before we get to anything else.
The Banana Problem Is Really an Attention Problem
In a 2022 job posting for a social media manager position, TCM Security buried a single instruction in the fine print: include the word "banana" in your email. Out of 50-plus applicants, at least half missed it. Some of those candidates were, by every other measure, genuinely strong. They got cut anyway.
"There were a few applicants that we got that were really, really good," the presenter explains, "and because they didn't have the word banana in them, we left them out of the consideration completely."
The person who got the job opened with: "Hi there. I know this might be bananas, but I'd like to apply for your social media manager position."
This story does a lot of work in a short space. On one level it's a reminder to read job descriptions carefully—word for word, not just for the gist. On another level, it's a window into how elimination actually functions in hiring. Hiring managers aren't always looking for the best candidate in the pool; they're often first filtering for candidates who follow directions. It's a proxy—an imperfect one—for conscientiousness and attention to detail. Whether that's fair depends on how carefully the job description is actually written, and not all of them are. But the dynamic itself is real, and worth understanding before you apply to anything.
Job Descriptions Are Wish Lists (Which Changes the Math)
The course is emphatic on this point, and it's probably the most useful reframe in the whole module: every line of a job description is aspirational, not mandatory.
"It is very, very rare—and I cannot emphasize enough how rare it is—to find a unicorn," Zach explains. "And to define a unicorn would be a person who literally matches every single thing that they have listed on a job description."
The argument is simple: organizations list every qualification they'd want in an ideal hire. Most candidates will match 50–70% of those requirements. If you're in that range, you're competitive—apply. The alternative, self-selecting out because you don't have every line item, benefits no one except the other applicants who didn't talk themselves out of it.
There's a tension here worth naming: this advice is broadly accurate for soft requirements like years of experience with a specific tool, but less accurate for hard gates like security clearances or specific degree requirements. The course acknowledges this—"sometimes there's no way of getting around a degree requirement or a certification requirement"—without fully dwelling on it. That distinction matters. Knowing which requirements are genuinely non-negotiable versus which ones are aspirational padding is itself a skill, one that develops with industry familiarity.
Where to Actually Look
The course covers the usual suspects—Indeed for volume, LinkedIn for networking and search, USAJobs for government roles, FlexJobs for remote-specific positions—and adds a couple of less obvious recommendations.
NinjaJobs (ninjajobs.org) comes up as a cybersecurity-specific board with a structural advantage: applications often route directly to hiring managers rather than HR. That routing matters more than it might seem. At large companies in particular, resumes submitted through LinkedIn or Indeed typically land with non-technical HR screeners first—people who are, fairly or not, looking for keyword matches rather than evaluating competence. Getting a resume in front of the person who actually understands the role skips a meaningful filter.
Google Alerts gets its own segment, with a use case that's easy to overlook: setting an alert for a specific company's careers page URL means you find out about new postings before they propagate to the aggregator boards. Early applicants, especially in competitive technical fields, sometimes have a genuine timing advantage. Whether that advantage is large or marginal probably varies by company, but it costs nothing to set up.
The LinkedIn section is the most detailed, and the practical tip here is search strategy: rather than starting with a job title (which returns noisy results—"30,000 penetration tester results" that quickly bleed into unrelated roles), start with certifications you actually hold. Searching by certification surfaces postings where you have an explicit credential advantage over other applicants. It's not a ceiling; it's a starting point.
The OSINT Approach to Company Research
Here's where the course gets distinctly cybersecurity-inflected, and it's genuinely interesting.
The pre-application research process is framed as OSINT—open-source intelligence gathering—applied to employers. The recommended worksheet includes: company website review, Glassdoor for employee sentiment, social media presence and engagement patterns, and LinkedIn profiles of people in the target department. The goal isn't just to prep for "what do you know about us?" interview questions. It's to identify whether you actually want to work there.
One example from the course: if you notice the company's website runs WordPress and nobody seems to be actively maintaining it, that's worth asking about in an interview. Who's responsible for securing that? It signals that you were paying attention, that you care about security posture, and that you're already thinking like someone who works there.
The course is deliberate about where this research should stop: look at LinkedIn profiles and public GitHub repositories for people in the relevant department, understand what technologies they work with, gauge how long people tend to stay. Don't cold-message employees trying to get an edge. The line between smart prep and weird overstep is worth keeping in view.
The worksheet framework also solves a practical problem most job seekers eventually hit: applying to enough positions that you lose track of what each one actually said. When a company calls back six weeks later, the job posting is often gone. A screenshot in a spreadsheet—clunky as the Google Sheets implementation is—is a real backup.
Cover Letters in the ChatGPT Era
The course's take on cover letters is honest in a way that a lot of career advice isn't: most hiring managers don't read them unless the resume already passed the initial screen, and requiring them is increasingly old-fashioned. But when a job does ask for one, not submitting it functions the same way as missing the banana—it's an elimination event.
The recommended workflow: paste the job description into ChatGPT, generate a draft, then edit it to reflect your actual background. "It's not going to be perfect. It's not going to cover your background," the presenter notes. "But what this is doing is writing us a fantastic starting letter."
This is pragmatic rather than inspired. The argument for it is efficiency—cover letters take time, most don't get read, using AI to handle the boilerplate so you can focus on personalization is a reasonable allocation of effort. The argument against it, which the course doesn't raise, is that a cover letter generated from a job description and lightly edited might accurately describe the role while saying almost nothing true about you. Whether that matters depends on whether anyone reads it carefully—and by the course's own admission, they usually don't.
The honest position is probably this: cover letters are a ritual that most parties know is largely performative, but the ritual still has rules, and breaking the rules still has consequences.
The underlying logic of everything in this module is that job searching is a system with documented rules, and knowing those rules changes your outcomes. The banana story makes this concrete in a way that most career advice doesn't bother to: the barrier isn't always skill or experience. Sometimes it's just whether you read to the end.
— Vanessa Torres
We Watch Tech YouTube So You Don't Have To
Get the week's best tech insights, summarized and delivered to your inbox. No fluff, no spam.
More Like This
Microplastics: The Unseen Invaders in Our Lives
Explore the hidden world of microplastics in our daily lives and what you can do to minimize exposure.
Why Real Spies Aren't James Bond
Unpacking the myth: Why real espionage thrives on anonymity over allure.
Jeremy Qualls on Leadership: Lessons from Fire and Post-its
Jeremy Qualls shares leadership lessons from personal adversity, emphasizing empowerment and resilience.
Are Your Goals Arbitrary? Ali Abdaal Thinks So
Ali Abdaal's God of War moment raises a real question: what if treating work like a video game—arbitrary, playful—is actually the smarter approach?
Rethinking Mentorship: Lessons Beyond Traditional Models
Explore Robert Herjavec's insights on mentorship myths and how to find growth by learning from diverse sources.
Could Space be the Future for AI Deployment?
Elon Musk predicts AI deployment in space within 36 months, but is this vision realistic?
RAG·vector embedding
2026-07-11This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.