17C · E5

Cyber Operations Specialist

E-5 (Sergeant) · Army

HEADS UP

Sergeant 17C is the rank where being a strong operator stops being enough. You are now an NCO on a CMF team — a crew lead or work role lead inside a CPT, NMT, CMT, or CST. Operators look to you for the technical call; the team chief looks to you for the truth about how the work is actually going; the cherries in your section need you to be both a competent technical mentor and a competent NCO writing real counselings. The 170A / 170B warrant officer conversation stops being hypothetical and starts being a packet you are either building or actively declining. The contractor sitting next to you now has a job number with your name on it and the salary delta is no longer abstract — it is the most concrete career-decision pressure in the entire Army enlisted cyber arc.

The Honest MOS Read
Sergeant 17C is the integration rank in the cyber enlisted track — military leadership, the cert stack, the work-role qualification depth, and the team-room judgment all converge into a single NCO seat. You pinned the rank through the semi-centralized AR 600-8-19 process: 36 months TIS / 8 months TIG (waivable), DA 3355 worksheet at max 800 points, monthly MOS-specific cutoff published by HRC, chain release. Basic Leader Course is complete (the STEP gate for SGT). The 17C promotion cutoff has historically been competitive given the MOS's accession and inventory pressure — operators who pin SGT on time at 17C are operators who maintained their cert stack, their work-role qualification, their physical readiness, and their chain recommendation in parallel through their entire E-4 zone.

The seat you sit at E-5 in a CMF team is crew lead or work role lead inside a CPT, NMT, CMT, or CST under ARCYBER, the 780th MI Brigade, the Cyber Protection Brigade, a Joint Force Headquarters-Cyber element, USCYBERCOM, or an NSA detail. You lead a 3-5 operator element — a crew, a work role slice, or a defensive sub-team. You write the team's counselings on the 14th of the month (DA 4856, monthly per AR 623-3 for your soldiers). You sign off junior operators against their DoDM 8140 work-role tasks — and the signature has weight, because the audit at brigade level or the next CCRI / CORA inspection reads back to your sign-off. You run the daily standup and the after-mission read-out for your crew. You brief the team chief and the warrant officer in language they can pass up without translation. You sit pre-mission planning with the work role lead and a contractor analyst at the same table, and your crew's product has to read like the senior name on it.

The leadership job content at SGT is materially heavier than the technical-only content at SPC. You own 3-5 soldiers' careers and personal lives in a way the SPC role does not require — marriage problems, debts, custody issues, off-post incidents, Article 15 risk, clearance concerns. The team chief expects you to surface these through the chain (the senior NCO, the team OIC, the warrant) inside the timelines AR 600-20 requires — SHARP reporting at 24 hours and 72 hours, EO complaints inside their own timelines, suicidal ideation indicators immediately. AR 600-20 chapter 7 (SHARP), chapter 4 (EO), and chapter 5 (anti-extremism) are the regulations you operate inside; you read them once your first month as SGT and re-read them when the unit's annual SHARP / EO refresher hits.

The cert stack at SGT is where the senior credentials become career-defining. CompTIA CASP+ (Advanced Security Practitioner — DoD 8140-compliant for IAT-III roles), CCNP-Security (Cisco's senior security networking credential), the GIAC senior family (GCIH, GCIA, GCFA, GREM, GPEN — work-role-dependent), CISSP (the ISC2 apex security credential, DoD 8140-compliant for IAM II/III roles and increasingly mandatory for senior CMF billets), the OSCP (Offensive Security Certified Professional, the offensive operator's signal credential). An SGT 17C with TS/SCI, an active work-role-lead qualification, and a CASP+ / CCNP-Security / one senior GIAC stack is a $140-170K civilian cyber-operator role in the DC / NoVA / Maryland / Texas market on day one at ETS. The Army Credentialing Assistance program funds the exam vouchers and, for select roles, the SANS training that pairs with the GIAC certs; the published annual cap moves year over year and the Army has historically tightened it during budget cycles. Pull the current ACA MILPER before counting on funding.

The 170A / 170B warrant officer packet conversation is the most consequential technical career fork in the cyber enlisted MOS, and the packet is approachable at SGT with the right cert stack, NCOER profile, and senior signal officer or cyber warrant officer endorsement. The 170A is the Cyber Operations Technician warrant — the operational warrant; the 170B is the Cyber Capabilities Development Technician warrant — the engineering and capabilities-development warrant. The packet (DA 61, command recommendation, board file) typically requires senior signal / cyber officer endorsement and a strong NCOER profile. Selection rates vary by cycle; pull the current HRC warrant officer accession board results. The school pipeline (Warrant Officer Candidate School at Fort Novosel followed by the 170A/170B Warrant Officer Basic Course at the Cyber Center of Excellence) runs several months end-to-end. The honest test for the warrant decision: are you the operator who keeps asking why the architecture is built the way it is built, who reads vendor documentation cover to cover, who builds tools the team uses for a year after you leave? If yes, the warrant path is where you belong. Talk to the warrant officer in your team; the chain's read is the leading indicator of whether to package.

The Advanced Leader Course (ALC) is the STEP gate for SSG (E-6). The 17C ALC runs at the Cyber Center of Excellence NCO Academy footprint at Fort Eisenhower; the course is roughly 31 academic days depending on cohort. Pull the slot through ATRRS / S1 / S3 coordination 12 months before zone-eligibility for SSG. Without ALC complete, no SSG pin-on regardless of points, cutoff, or team chief recommendation. ALC slot timing matters — operators who pull the slot late find themselves promotable but unpinnable.

The contractor salary pressure is real at SGT in a way it was not at SPC. Cleared 17C operators with senior cert stacks and active work-role-lead qualifications are the single most-poached enlisted demographic in the contractor market. The big primes (Booz Allen, Leidos, ManTech, SAIC, CACI, Peraton, Northrop, Lockheed) and the specialty primes have recruiters who know the typical ETS pattern, who attend the cyber industry events, who track LinkedIn profile changes — and who will offer $140-170K+ with bonuses and benefits to an ETSing 17C SGT. The retention NCO and the senior signal NCO have the conversation with you about the SRB and the indefinite-status path; the math is rarely close on bonus alone, but the math on long-arc Army career (the warrant path, the SSG/SFC/MSG arc, retirement, the senior cyber NCO community at the 780th and ARCYBER) is real for the operators who genuinely want that career. The 17C SRB published in current HRC MILPER varies year over year. Talk to the chain. Talk to your spouse. Run the numbers twice. Do not sign anything in the first 30 days after pinning SGT — the team chief's first read on your SGT performance will tell you whether you are an indefinite-status operator or a six-year-and-out operator, and that read is worth knowing before you commit.

Career Arc
  1. E-5 pin-on (post-BLC, post-cutoff, post-chain release, post-cert-stack visibility).
  2. Crew lead / work role lead assignment — 3-5 operator element inside a CPT, NMT, CMT, or CST.
  3. DoDM 8140 work-role-lead qualification — signing off junior operators against their work-role tasks.
  4. Senior cert stack: CASP+ or CISSP, CCNP-Security, GIAC senior family (GCFA, GREM, GPEN, OSCP) — ACA-funded where eligible.
  5. TS/SCI maintained with continuous evaluation; periodic reinvestigation cycle (Trusted Workforce 2.0) running in the background.
  6. 170A / 170B Warrant Officer packet decision window — packet built or actively declined with the chain's read documented.
  7. ALC slot — Cyber Center of Excellence NCO Academy, the STEP gate for SSG.
  8. Promotion to E-6: 96 mo TIS (varies) / 18 mo TIG (waivable) + ALC complete + cutoff + chain release.

Common Screwups
  • Verbal counseling instead of writing the DA 4856. AR 623-3 requires the counseling on file; the SJA's job on Article 15 day is to defend a counseling chain. The SGT who counsels verbally is the SGT whose CO cannot defend him when a soldier's lawyer argues the standard was never communicated. Two minutes typing the form equals twelve months of legal defense for you and the chain.
  • Letting a junior operator sit a billet they are not DoDM 8140-qualified for, 'just for this op.' The next CCRI / CORA inspection or unit-level workforce audit catches the gap; the failure is on you as the work-role lead who signed the soldier into the role. The clean-up is a counseling that lives in your file and a corrective-action plan submitted to brigade; the brigade-level workforce-qualification roll-up reads the gap.
  • DUI / drug pop / Article 15 / domestic violence inside the SGT zone. The propagation is worse than at SPC because the periodic reinvestigation cycle for TS/SCI catches more, the chain's expectation of an NCO is higher, and the visibility of the failure inside the team room is total. AR 380-67 governs clearance review; AR 635-200 chapter 14 governs separation. The cyber career ends.
  • Hiding a SHARP / EO / suicidal-ideation / insider-threat indicator from the chain. CMF teams live or die on trust; one buried indicator surfaces at the worst possible time. AR 600-20 chapter 7 (SHARP) requires reporting in defined 24-hour and 72-hour windows; hiding an incident to 'protect the soldier' violates the regulation, exposes the chain to negligent-supervision liability, and almost always ends with the soldier in worse shape and the SGT in front of the team OIC explaining the gap. The soldier is better served by the system than by your discretion.
  • Treating the 170A / 170B warrant officer conversation as someone else's career decision. The warrant path is the highest-leverage technical career fork in the cyber MOS and the chain is reading you for it whether you are reading yourself for it or not. The SGT who never engages the warrant officer conversation either signs an indefinite enlisted contract by default or ETSs to the contractor market by default — both can be right answers, but both should be deliberate choices, not defaults.

A Day in the Life

  • 0500: Wake. Coffee. Phone check for any overnight crew emergencies — soldier in jail (off-post incident), family deathgram, missed accountability, clearance issue surfaced overnight. None? Good. PT uniform on.
  • 0530: PT formation in the company / squadron / detachment area. Take accountability for your crew (3-5 soldiers), report to the team senior NCO. The crew you brought to formation is the crew the brigade sees. Missing soldier equals your problem first.
  • 0545-0700: Section / team PT. As crew lead you set the team's PT plan when the section breaks out — rotate cardio, strength, recovery, and targeted work for soldiers in your crew's diagnostic-ACFT range. The crew runs at your pace; the SGT who out-runs his crew has a crew that respects the PT plan, the SGT who emails his crew about PT has a crew that runs without him.
  • 0700-0830: Hygiene, DFAC or barracks breakfast, change into OCPs or civilian polo-and-khakis depending on team OIC policy. Walk to the SCIF; sergeants typically arrive 15 minutes before first formation to clear the inbox and check overnight tickets / alerts. Badge in, secure personal electronics in the locker.
  • 0830: Morning stand-up inside the SCIF. The team chief or work role lead walks the day's priorities. You brief your crew's status — open ticket queue, mission-write-up status, IAVA / vulnerability progress, detection-engineering pipeline, junior operator qualification progress, any incidents. The team chief will assign new work directly to you for the crew.
  • 0845-1130: Work block one. You are running the crew's daily project work — supervising the analytic and tool-admin tasks, covering the harder tickets the SPCs and cherries escalate, running the mission planning for any upcoming contested-operation rotation, drafting mission write-ups on closed engagements. The cherries and specialists do the hands-on work; you supervise, escalate, and produce the work product that goes upstairs.
  • 1130-1230: Lunch. You leave the SCIF, badge out, retrieve your personal phone, eat with the other SGTs and the work role lead — the senior NCO rule that the SGT does not sit at the cherry's table holds in CMF the same way it holds in line BCT. The informal communication among the senior NCOs happens at the lunch table; the OPSEC posture holds — cleared specifics stay in the SCIF.
  • 1230-1500: Afternoon work block. Counseling sessions if you have monthly DA 4856s due on your crew (block 30 minutes per soldier, take it seriously, take it in your office with the door closed). NCOER input cycles. Promotion-points worksheet reviews with crew soldiers. School-packet review for soldiers you are sending to BLC or beyond. Project work continues; detection-engineering reviews; tool-admin coordination with the senior tool admin.
  • 1500-1700: Final work block. Documentation closeout, ticket updates, end-of-shift hand-off notes for the next shift if the team runs 24/7 ops. Mission write-up final pass before it goes upstairs. The senior operator on the next shift reads your notes — if your notes are clean, the hand-off takes 5 minutes; if your notes are messy, the next shift's SGT stays late and the read on you takes a hit.
  • 1700-1730: Final accountability. Classified material secured per AR 380-5, workstations locked, SCIF closed out by the senior NCO on duty. Badge out, retrieve personal electronics, walk out. Final formation if the unit runs one; sensitive items checked in at the unit arms room or comm cage.
  • 1730-2000: Personal time. If you are married, family time — BAH-with-dependents at SGT typically puts you off-post in moderate-cost markets, on-post in higher-cost markets. If you are single in the barracks, gym, study (the senior cert stack — CASP+ / CISSP / GIAC senior family — is the off-duty hours work at SGT), maybe a beer at the on-post club or with team peers off-post. If you are chasing the 170A / 170B warrant packet, packet preparation time.
  • 2000-2200: If a soldier in your crew called you with a problem — financial, marital, legal, behavioral-health, clearance concern — you are on the phone or routing them to the right office. The SGT's after-hours job at this rank is real; you route, you do not solve. ACS for financial, MFLC for behavioral health, SJA for legal, the SSO for clearance concerns. Document the conversation in your counseling notes for the next monthly DA 4856.
  • 2200: Lights out. Tomorrow starts at 0500.
  • Contested operations / mission rotation: When the team is in a contested operations posture, you are the crew lead at the keyboard — not the operator being watched, not the cherry being trained. Shifts compress to 12-hour or 24/7 rotations; sleep is in shifts; the team chief and the warrant officer read your crew's accuracy, fatigue management, and decision quality at hour 14 of a 16-hour shift. The mission write-ups go upstairs faster during contested ops; the read on your crew's work compounds inside the rotation. The senior NCO who runs a clean crew through a 7-day contested op is the senior NCO whose work-role-lead expansion conversation happens immediately after recovery.
  • Cyber Flag / Cyber Guard / joint exercise: Multi-week exercises run periodically across CMF. As crew lead you are running your element through the exercise scenarios alongside operators from other services and partner nations; the team chief and the team OIC are watching how your crew performs in front of the joint partners. Exercise performance feeds the next work-role assignment, the next contested-operation rotation slot, and the team chief's next slate. Use the exercise; do not just survive it.

Weekly Cadence

The week at SGT in a CMF team runs on three integrated tracks: the operational work on the mission, the leadership work on the crew, and the senior cert / warrant-packet work on yourself. Monday is the heaviest planning day — the team chief or work role lead briefs the week's priorities at stand-up, you brief any crew-level items in your lane, and you walk your crew through their week's tasks. The work role lead will hand you the harder engagement work, the detection-engineering project, or the tool-admin upgrade window; you delegate the routine work to the SPCs and cherries while you cover the engagements that exceed their authority.

Tuesday through Thursday are the work-heavy days. You supervise the crew's daily project work — mission engagement execution, detection development, host triage, tool admin work, mission write-up drafting. You take one counseling session per day on the calendar so the monthly DA 4856 cadence does not pile up at the end of the month — Tuesday and Thursday are typical days for crew counselings because Monday is planning-heavy and Friday is administrative-heavy. NCOER input cycles run quarterly; the team chief expects your bullets to read in measurable deliverables, not filler. School-packet reviews, promotion-points worksheet updates, professional development planning conversations with your crew happen on the afternoon work blocks. The senior NCO who keeps his soldier admin clean is the senior NCO who has a team chief that actually listens when he asks for the next high-visibility engagement or the next school slot for a crew soldier.

The week's other rhythm at SGT is the personal professional development load — the senior cert stack push, the 170A / 170B warrant packet preparation, the ALC packet finalization, the NCOER cycle on your soldiers. CASP+ is a 3-6 month study commitment; CCNP-Security is 6-9 months; CISSP is a longer arc (9-12 months for many soldiers); the GIAC senior family (GCFA, GREM, GPEN, OSCP) is intensive and the SANS training that pairs with each requires both time and ACA funding. The 170A / 170B warrant packet is a months-long preparation — the senior signal officer endorsement, the chain recommendation, the board file. The ALC slot is the STEP gate for SSG and runs roughly 31 academic days at the Cyber CoE NCO Academy.

Contested-operation rotations and exercise cycles (Cyber Flag, Cyber Guard, joint training, supported-combatant-command rotations) collapse the entire weekly rhythm — when the team is in a rotation, garrison-time admin gets deferred, SCIF time extends, and family time becomes the conversation you have with your spouse about why you were not home for dinner three nights this week. The married SGT who has not negotiated the contested-operation tempo with his spouse before the rotation starts is the SGT who learns the hard way that the spouse's patience has a finite reservoir.

Key Skills — How to Drill Each

  1. Run a crew-level mission element through the full NIST 800-61 cycle on a contested host or network — detection through lessons-learned — with a usable timeline at the end.
    The NIST 800-61 four-phase framework (preparation, detection and analysis, containment / eradication / recovery, post-incident activity) is the spine of every CMF defensive engagement. As crew lead you own the crew's execution against the framework — you brief the team on the engagement plan at the start, you supervise the analytic and tool-admin work through the detection and analysis phase, you make the containment-vs-monitor call with the work role lead and warrant officer, you run the eradication and recovery playbook, and you write the post-incident report. The timeline at the end is the most important deliverable — every action with a UTC timestamp, every indicator with a source, every containment step with the operator who executed it. ARCYBER, USCYBERCOM, and the supported customer read the timeline; the team chief and the team OIC defend the engagement based on what the timeline shows.
  2. Lead a Cyber Protection Team sub-element through a survey, secure, protect mission to the team's SOP — including handoff to the supported network owner.
    CPT missions follow the survey-secure-protect-sustain framework. Survey is the discovery and assessment phase — what the supported network looks like, what controls are in place, what gaps exist against NIST 800-53 / 800-171 / NIST CSF. Secure is the configuration-hardening phase — STIG remediation, control implementation, gap closure. Protect is the active-defense phase — sensor placement, detection coverage, IR readiness. Sustain is the long-term handoff to the supported network owner. As crew lead you sequence the crew's work across the phases, you brief the supported customer's technical lead at the phase transitions, and you write the closeout report that hands the network back. The supported customer's CISO reads the closeout; the team chief defends the engagement to ARCYBER based on what the closeout shows.
  3. Build and defend an ATT&CK-mapped detection set — Sigma rules, Splunk correlation searches, Elastic detections — that produces actionable alerts and not noise.
    Detection engineering at SGT moves from tactical (writing single rules) to architectural (curating a coherent detection set). Sigma is the platform-agnostic detection rule format the broader CMF community uses; the SigmaHQ repository on GitHub is the open-source reference. Map every detection to MITRE ATT&CK technique IDs explicitly. Track false-positive rates and tune; a detection that fires too often becomes noise the analyst ignores. Document the detection set in the team's detection repository with rule logic, ATT&CK mapping, data source dependencies, and known false-positive patterns. The team chief and the warrant officer review the detection set at the team's quarterly detection-engineering review; your defense of the rule logic is what closes the review.
  4. Write a clean DA 4856 counseling with a Plan of Action that names the certification, work-role, or behavior gap and the steps to close it.
    Counseling is the NCO's contract with the soldier. Write the Plan of Action in second person ('You will complete CompTIA Security+ by [date]; you will close DoDM 8140 work-role qualification tasks 3, 4, 5 by [date]; you will be present at section PT at 0530 on [days]'). Specific, measurable, time-bound. Sign the counseling, have the soldier sign it before they leave your office, file the original per AR 623-3 and the unit SOP, email yourself a copy. The Army's electronic counseling templates help; ink-on-paper still gets signed in front of you. The SJA's job on the day an Article 15 packet comes across the desk is to defend a counseling chain — make their job easy.
  5. Brief a CMF mission read-out — what the team did, what it found, what it recommends — in five slides without the team chief rewriting them.
    Five slides, no filler. Slide 1: mission context and objective. Slide 2: what was observed (technique, indicators, scope). Slide 3: what the analysis concluded. Slide 4: what was done (containment, eradication, recovery actions). Slide 5: what recommendations stand and what next-step authorities are needed. The team chief and the team OIC will brief out of your slide deck to ARCYBER, the supported customer, or USCYBERCOM staff; the cleaner your deck, the faster they brief without rewording. Build the template once and reuse it. Rehearse the brief with the work role lead before you take it to the team chief. The senior NCO who can brief in language the team chief repeats without rewording is the senior NCO who takes the team's read-outs upstairs at the next contested-operation rotation.
  6. Mentor junior operators into their next certification and work-role qualification on a schedule that the work role lead can sign off.
    At SGT you are responsible for the bench, not just the immediate mission. The cherries and SPCs in your crew need a 6-month and 12-month certification and qualification plan that you build with them and review monthly during the DA 4856 counseling. Track the plan in the team's training platform (sometimes Bullhorn, sometimes ATRRS, sometimes a unit-internal tracker). Coordinate with the senior tool admin for hands-on training time on the team's stack; coordinate with the work role lead for qualification sign-offs as the cherry closes tasks. The team chief reads bench depth as the SGT's leadership signal; the warrant officer reads bench depth as the warrant officer mentorship signal. Operators who develop their bench produce SGTs who can pin SSG; operators who hoard knowledge or skip the development work produce a crew that collapses when the SGT goes to ALC for 31 days.
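
The engagement timeline described in the first skill above (every action with a UTC timestamp, every indicator with a source, every containment step with its operator) can be checked mechanically before it goes upstairs. The following is an added example, not part of the original page; the entry fields, phase keys, and sample entries are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# NIST 800-61 phases as listed above (the key names are an assumed convention).
PHASES = {"preparation", "detection_analysis",
          "containment_eradication_recovery", "post_incident"}
# Extra field each entry kind must carry to be defensible in the write-up.
REQUIRED_FIELD = {"action": None, "indicator": "source", "containment": "operator"}


def to_utc(ts):
    """Return (UTC datetime or None, problem or None) for an ISO 8601 string."""
    try:
        # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None, "unparseable timestamp"
    if dt.tzinfo is None:
        return None, "timestamp has no timezone, cannot be placed on a UTC timeline"
    if dt.utcoffset() != timedelta(0):
        return dt.astimezone(timezone.utc), "non-UTC offset, normalized to UTC"
    return dt, None


def validate_timeline(entries):
    """Return (entries in UTC order with normalized ts, [(index, problem), ...])."""
    problems, placed = [], []
    for i, entry in enumerate(entries):
        dt, problem = to_utc(entry.get("ts"))
        if problem:
            problems.append((i, problem))
        if entry.get("phase") not in PHASES:
            problems.append((i, "unknown phase"))
        kind = entry.get("kind")
        if kind not in REQUIRED_FIELD:
            problems.append((i, "unknown entry kind"))
        elif REQUIRED_FIELD[kind] and not entry.get(REQUIRED_FIELD[kind]):
            problems.append((i, "%s entry missing %s" % (kind, REQUIRED_FIELD[kind])))
        if dt is not None:
            placed.append((dt, i, entry))
    placed.sort(key=lambda item: (item[0], item[1]))
    # A containment step logged before any detection entry usually means a
    # mistyped time or a detection that was never written down.
    first_detection = next((dt for dt, _, e in placed
                            if e.get("phase") == "detection_analysis"), None)
    for dt, i, entry in placed:
        if entry.get("kind") == "containment" and (
                first_detection is None or dt < first_detection):
            problems.append((i, "containment precedes first detection entry"))
    ordered = [dict(e, ts=dt.strftime("%Y-%m-%dT%H:%M:%SZ")) for dt, _, e in placed]
    return ordered, problems


# Constructed sample entries; hosts, addresses, and names are placeholders.
SAMPLE_TIMELINE = [
    {"ts": "2024-03-05T14:02:11Z", "phase": "detection_analysis",
     "kind": "indicator", "detail": "beacon to 203.0.113.7", "source": "proxy log"},
    {"ts": "2024-03-05T09:40:00-05:00", "phase": "detection_analysis",
     "kind": "action", "detail": "pulled host triage package"},
    {"ts": "2024-03-05T14:31:00+00:00", "phase": "containment_eradication_recovery",
     "kind": "containment", "detail": "isolated host WS-EXAMPLE-01"},
    {"ts": "2024-03-05T13:55:40Z", "phase": "detection_analysis",
     "kind": "indicator", "detail": "unsigned binary in user profile"},
    {"ts": "2024-03-05T14:45:00Z", "phase": "containment_eradication_recovery",
     "kind": "containment", "detail": "blocked 203.0.113.7 at proxy",
     "operator": "SPC Example"},
]

if __name__ == "__main__":
    ordered, problems = validate_timeline(SAMPLE_TIMELINE)
    for e in ordered:
        print(e["ts"], e["kind"], e["detail"])
    for index, problem in problems:
        print("entry %d: %s" % (index, problem))
```

The entry written in local time would have sorted four hours early if taken at face value; after normalization it lands between the two containment steps.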
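
For the detection-set skill above, one way to audit a rule inventory before the quarterly review is sketched below as an added example (not from the original page or any team's tooling). The rule dictionaries mirror the Sigma fields `title`, `tags`, `logsource`, and `falsepositives`; the triage counts, the `min_alerts` floor, and the sample rules are constructed assumptions, and the 5% ceiling is borrowed from the sample NCOER bullet later on this page.

```python
import re

# Sigma tags carry ATT&CK techniques as attack.t1059 or attack.t1059.001;
# tactic tags such as attack.execution do not identify a technique.
TECHNIQUE_TAG = re.compile(r"^attack\.t(\d{4})(?:\.(\d{3}))?$", re.IGNORECASE)


def technique_ids(tags):
    """Extract ATT&CK technique IDs (T1059 or T1059.001) from Sigma-style tags."""
    ids = []
    for tag in tags or []:
        m = TECHNIQUE_TAG.match(tag)
        if m:
            ids.append("T" + m.group(1) + ("." + m.group(2) if m.group(2) else ""))
    return ids


def audit_detection_set(rules, triage, fp_ceiling=0.05, min_alerts=20):
    """Return (findings per rule title, technique -> rule titles coverage map)."""
    findings, coverage = {}, {}
    for rule in rules:
        title, issues = rule["title"], []
        ids = technique_ids(rule.get("tags"))
        if not ids:
            issues.append("no ATT&CK technique ID (tactic tags alone do not count)")
        for tid in ids:
            coverage.setdefault(tid, []).append(title)
        if not rule.get("logsource"):
            issues.append("no data source dependency documented")
        documented = [f for f in rule.get("falsepositives") or []
                      if f.strip().lower() != "unknown"]
        if not documented:
            issues.append("no known false-positive patterns documented")
        stats = triage.get(title, {"alerts": 0, "false_positives": 0})
        if stats["alerts"] == 0:
            issues.append("never fired in the review window")
        elif stats["alerts"] >= min_alerts:
            # Below min_alerts the sample is too small to judge a rate.
            rate = stats["false_positives"] / stats["alerts"]
            if rate > fp_ceiling:
                issues.append("FP rate %.1f%% exceeds %.0f%% ceiling"
                              % (rate * 100, fp_ceiling * 100))
        findings[title] = issues
    return findings, coverage


# Constructed inventory and triage dispositions for one review window.
SAMPLE_RULES = [
    {"title": "PowerShell encoded command",
     "tags": ["attack.execution", "attack.t1059.001"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "falsepositives": ["Admin scripts that use -EncodedCommand"]},
    {"title": "New local admin account",
     "tags": ["attack.persistence"],
     "logsource": {"product": "windows", "service": "security"},
     "falsepositives": ["Unknown"]},
    {"title": "LSASS memory access",
     "tags": ["attack.credential_access", "attack.t1003.001"],
     "logsource": {},
     "falsepositives": ["EDR agent scanning"]},
    {"title": "Scheduled task creation",
     "tags": ["attack.t1053.005"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "falsepositives": ["Software updaters"]},
]
SAMPLE_TRIAGE = {
    "PowerShell encoded command": {"alerts": 40, "false_positives": 1},
    "New local admin account": {"alerts": 30, "false_positives": 12},
    "Scheduled task creation": {"alerts": 8, "false_positives": 3},
}

if __name__ == "__main__":
    findings, coverage = audit_detection_set(SAMPLE_RULES, SAMPLE_TRIAGE)
    for title, issues in findings.items():
        print(title, "->", issues or "clean")
    print(sorted(coverage))
```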

Manuals & References — What Chapters Matter

  • ATP 3-12 — Cyberspace Operations; JP 3-12 — Cyberspace Operations (joint)
    ATP 3-12 is the Army's top-of-the-stack cyberspace operations doctrine; JP 3-12 is the joint doctrinal parent. At SGT you are now leading a crew inside the framework the doctrine describes — offensive cyberspace operations, defensive cyberspace operations, DODIN operations. The team chief and the warrant officer think inside the doctrine; an SGT who can speak the doctrine's language fluently is an SGT the chain trusts with the harder engagements.
  • NIST SP 800-61 — Incident Handling; NIST CSF — Cybersecurity Framework
    NIST SP 800-61 is the four-phase IR playbook every CPT defensive engagement maps to (preparation, detection and analysis, containment / eradication / recovery, post-incident activity). The NIST Cybersecurity Framework (CSF) — Identify, Protect, Detect, Respond, Recover — is the language the supported customer's CISO will use back at you during a CPT engagement. Read both cover to cover; quote them naturally in mission write-ups and read-outs.
  • NIST SP 800-53 — Security and Privacy Controls; NIST SP 800-171 — CUI Protection
    NIST 800-53 is the control catalog the CMF community assesses supported networks against during survey-and-secure missions; NIST 800-171 is the controls framework for protecting Controlled Unclassified Information (CUI). Read the control families that align with your crew's typical engagement scope; the supported customer's compliance posture is often measured against these controls and your engagement findings are the evidence the customer uses to close gaps.
  • DoDI 8530.01 — Cybersecurity Activities Support to DoD Information Network Operations; DoDI 8500.01 — Cybersecurity; DoDI 8510.01 — RMF for DoD IT
    DoDI 8530.01 is the DoD instruction governing the joint cyber-defense apparatus including CMF mission structure. DoDI 8500.01 is the cybersecurity policy parent that AR 25-2 and the rest of the Army cyber policy stack flow from. DoDI 8510.01 is the Risk Management Framework instruction for DoD IT. At SGT you are signing off on work that operates inside these authorities; you read them once your first quarter as SGT and re-read them when the team's authorities are renewed or modified.
  • DoDM 8140 — Cyberspace Workforce Qualification (you are signing soldiers off against this now)
    At SGT you are signing junior operators off against their DoDM 8140 work-role tasks. The signature has weight — the next CCRI / CORA inspection or unit-level workforce audit reads back to your sign-off, and a soldier signed off without meeting the task standards is a counseling that lives in your file. Re-read the work-role-lead qualification framework for your role; understand the task statements you are signing against and document the evidence base for each sign-off.
  • AR 600-20 — Army Command Policy; AR 623-3 — Evaluation Reporting; AR 600-8-19 — Enlisted Promotions and Reductions
    AR 600-20 (Command Policy) covers SHARP (ch.7), EO (ch.4), anti-extremism (ch.5), and the mandatory reporting timelines that govern incidents in your crew. AR 623-3 (Evaluation Reporting) governs counseling cadence (monthly DA 4856 for your soldiers) and NCOER input. AR 600-8-19 (Enlisted Promotions) governs the DA 3355 worksheet your soldiers will sign — and your signature carries weight on their packets. You are an NCO in an Army MOS, not just a cyber operator; these are non-negotiable reading at SGT.

Standards — How to Hit Each

  • BLC graduate; ALC packet built and visible to your platoon sergeant.
    BLC is the prerequisite to pin SGT — no exceptions; you have it. ALC is the next gate. Once pinned, immediately start the ALC packet (DA 4187 / ATRRS coordination with your S1/S3). ALC slot windows depend on MOS, region, and cohort coordination — pull a slot 12 months out to lock in the school date for E-6 promotion timing. 17C ALC runs at the Cyber Center of Excellence NCO Academy footprint; the course is roughly 31 academic days. Slot availability has historically been competitive given the MOS's growth trajectory; do not wait for the perfect window.
  • IAT-III or comparable maintained (CCNP-Security, CASP+, GIAC senior family) — DoDM 8140-compliant for SGT-tier work roles.
    IAT-III is the senior IT certification floor for SGT-tier cyber roles. DoD 8140-compliant credentials include CCNP-Security, CASP+, CISSP, and GIAC senior family equivalents (GCED, GCIA, GCIH variants depending on work role). The 8140 chart in the unit S6 SOP lists the specific certs that map to your work role. Recertification timelines vary — CCNP is 3 years with CEU options; CASP+ is 3 years with CE; CISSP requires annual CPE submission; GIAC requires 4-year CMU renewal. Track the expiration in the unit's cyber workforce tracker and renew before lapse — a lapsed cert removes you from the IAT-III billet, removes you from the work the work role lead was about to assign.
  • Fully qualified on the DoDM 8140 work role you lead, and signing off at least two junior operators per cycle.
    Work-role-lead qualification depth at SGT is the read on whether you have moved from operator to NCO. The work role lead's signature on a junior operator's qualification carries weight — the audit at brigade level or the next CCRI / CORA inspection reads back to your sign-off. Track the work-role-task evidence base for each junior you sign off; do not sign-by-trust, sign-by-evidence. The team chief expects you to produce at least two qualified juniors per cycle out of your crew — the bench depth signal is what feeds the team's readiness reporting upstairs and the SGT-to-SSG promotion file for your next board look.
  • Crew throughput and detection quality measurable in the team's metrics — not 'demonstrated outstanding performance' filler on the NCOER.
    NCOER bullets at SGT need to read in measurable deliverables — 'led 14 contested-operation engagements with zero authority violations,' 'mentored 3 specialists through CySA+ certification with 100% first-sit pass rate,' 'deployed 28 ATT&CK-mapped detection rules with documented false-positive rates under 5%,' 'closed 7 junior operator DoDM 8140 work-role qualifications inside the team's standard cycle.' The senior rater calls you for clarification on bullets that describe what you did, not on bullets that read like a yearbook. Specific bullets pick up promotion points and feed the SSG board file; generic bullets do not.
  • ACFT 540+. Cyber is still an Army MOS; the CSM reads the slide the same way for 17C as for 11B.
    ACFT 540+ requires roughly 240+ on three events plus 60+ on the others. The 2-mile run is the score-killer — pull your time below 17:00 and you can afford to score moderately on the lift. Run section PT 2-3 days per week as the crew lead; identify the soldiers in your crew in the diagnostic ACFT score range who need targeted work; pair them with strong-PT operators in the section for accountability runs. The cyber brigade CSM reads ACFT pass rate by section — the SGT whose crew is below the brigade average is the SGT who gets pulled into the senior NCO's office for the conversation. The soldiers run with the SGT who out-runs them, not the SGT who emails them about PT plans.

Technical Mistakes — Concrete Consequences

  • Verbal counseling instead of writing the DA 4856 — telling a soldier his standard verbally and trusting him to remember.
    When a soldier loses a court-martial appeal, files an IG complaint, or the team chief has to defend an Article 15 packet, the chain's first move is to pull every counseling on file. A verbal counseling you swear you gave is invisible in the legal file; the soldier's lawyer will use the gap to argue you fabricated the standard after the fact. Two minutes typing a DA 4856 equals twelve months of legal defense for you and the team chief. The SJA's whole job on Article 15 day is to defend the counseling chain — make their job easy.
  • Letting a junior operator sit a billet they are not DoDM 8140-qualified for, 'just for this op' or 'we need the seat covered.'
    The next CCRI / CORA inspection or unit-level workforce audit catches the uncertified operator sitting in a qualified-required billet, and the failure is on you as the work-role lead who allowed it. The cleanup is a counseling that lives in your file, a corrective-action plan submitted to brigade S3, and the soldier off the billet until the qualification is closed. The brigade-level workforce-qualification roll-up reads the gap; the team chief defends the gap at the next brigade readiness review with your name on it.
  • Treating mission write-ups as paperwork — turning in drafts that need substantial rework before they can go upstairs.
    The customer reads the write-ups. ARCYBER and USCYBERCOM staff read the write-ups. The supported combatant command reads the write-ups. The team's work is judged outside the SCIF by what the write-ups show, not by what the team chief verbally tells the senior leaders. An SGT whose write-ups need rework on every cycle is an SGT whose work role lead and team chief have to spend their time editing instead of mentoring the next bench. The trust calculus on the next high-visibility engagement does not bend toward an SGT who cannot write a clean read-out.
  • Hiding a real OPSEC, SHARP, EO, or insider-threat indicator from the chain — 'protecting the soldier' or 'handling it internally.'
    CMF teams live or die on trust; one buried indicator surfaces at the worst possible time and the cascade is severe. AR 600-20 chapter 7 requires SHARP reporting in defined 24-hour and 72-hour windows; hiding an incident violates the regulation, exposes the chain to negligent-supervision liability, and almost always ends with the soldier in worse shape and the SGT in front of the team OIC and the brigade JAG explaining the gap. The soldier is better served by the system (SHARP victim advocate, EO advisor, behavioral health, the SSO for insider-threat indicators) than by an NCO's discretionary judgment. The reporting timelines are non-negotiable.
  • Skipping the BLC / ALC slot, the cert push, or the warrant officer conversation because 'the unit needs me on mission right now.'
    The board does not care that the unit needed you on mission. The SFC list will not have you on it; the SSG board look will be after your peers'; the warrant officer accession window will close while you are sitting on the team without packaging. Operators who let the chain over-task them into missing professional development are operators who learn at the next board look that the chain's read of them did not survive their absence from PME. The chain says yes to the mission and lets the soldier figure out the PME timing — the soldier who lets the chain decide the PME timing is the soldier who falls behind their year-group cohort.

Career Decisions at This Rank

  • Warrant Officer (170A Cyber Operations Technician / 170B Cyber Capabilities Development Technician) packet
    The 170A / 170B warrant officer paths are the highest-leverage technical career forks in the cyber MOS — the technical-track alternative to the senior NCO arc. The 170A is the operations-focused warrant; the 170B is the capabilities-development-focused warrant. The packet (DA 61, command recommendation, senior signal / cyber officer endorsement, board file) is approachable at SGT with the right cert stack, work-role-qualification depth, and NCOER profile. Selection rates vary by cycle per the published HRC warrant officer accession board results; some cohorts run sub-50%, which means the packet is competitive but not lottery-grade. The school pipeline (WOCS at Fort Novosel followed by WOBC at the Cyber Center of Excellence) runs several months end-to-end. The honest test: are you the operator who keeps asking why the architecture is built the way it is built, who reads vendor documentation cover to cover, who builds tools the team uses for a year after you leave, who would rather engineer the team's capability than lead its soldiers? If yes, the warrant path is where you belong. Operators who love being NCOs make average warrants; operators who love building systems make excellent warrants. Talk to the warrant officer in your team; the chain's read is the leading indicator of whether to package.
  • Re-enlistment / RETAIN / indefinite-status decision against the contractor market
    The contractor salary pressure at SGT is the most concrete career-decision pressure in the entire Army enlisted cyber arc. Cleared 17C SGTs with senior cert stacks and active work-role-lead qualifications are the single most-poached enlisted demographic in the contractor market. The big primes (Booz Allen, Leidos, ManTech, SAIC, CACI, Peraton, Northrop, Lockheed) and the specialty primes offer $140-170K+ with bonuses and benefits to an ETSing 17C SGT. The current 17C SRB (Selective Retention Bonus) is published in the HRC SRB MILPER message and varies year over year by zone, contract length, and any MOS-specific incentives; indefinite-status enlistment under AR 601-280 becomes available for soldiers planning to make 20 years. The honest math: the soldier who plans a 20-year career takes indefinite status when offered; the soldier who is unsure takes the 6-year option with the bonus and revisits at the next ETS; the soldier who is going to the contractor market ETSs cleanly and works with the retention NCO to manage the IRR period. None of the answers is wrong, but the answer should be deliberate.
  • ALC slot timing — early vs late in the E-5 zone
    ALC is the STEP gate for SSG (E-6) — no SSG pin-on without it. 17C ALC runs at the Cyber Center of Excellence NCO Academy footprint at Fort Eisenhower; the course is roughly 31 academic days depending on cohort. Slot availability tightens as the year-group moves into the SSG promotion zone; submit through ATRRS / S1 / S3 12 months before zone-eligibility. The trade-off is missing the slot you wanted because the team chief wanted you on a mission rotation or a project. Talk to the team chief and the work role lead about the chain's preferred timing; the answer is usually 12-18 months before you go board-eligible for SSG. The 17C MOS has had historical capacity constraints on ALC slots given the MOS's growth trajectory; do not wait for the perfect window.
  • Special-duty / Cyber NCO instructor at Fort Eisenhower / Drill Sergeant / Recruiter
    TRADOC special-duty assignments are typically 3-year tours that age you fast, pay an SDA bonus, and visibly differentiate your career profile on the senior-NCO slate. Cyber NCO instructor at the Cyber Center of Excellence at Fort Eisenhower is the 17C-specific TRADOC tour — teaching the next generation of cyber soldiers at the schoolhouse you came through. The Drill Sergeant identifier (X4 ASI) is a known check at the E-7 board; the Recruiter identifier (4 ASI 79R / 79S) is a different career signal. The cost: family quality-of-life is brutal during a Drill Sergeant tour (16-hour days, weekend duty); Recruiter tours move you to a small civilian community where you are the Army to your neighbors. Some careers are made by SDA tours; some marriages are broken by them. Cyber instructor tours are typically gentler than Drill Sergeant tours on family quality-of-life. Talk to NCOs who have done the tour before you volunteer.
  • Work-role-lead specialization vs work-role-lead breadth at SGT
    At SGT the team chief decides whether to deepen you in your current work-role-lead role (specialize you toward the SSG-tier section-NCOIC position in the same work-role lane) or rotate you across work-role-lead roles to build breadth before pinning SSG. Specialization produces deeper expertise and a clearer warrant officer packet narrative; breadth produces broader operational exposure and a more flexible long-arc senior-NCO profile. Neither is wrong; the choice depends on the SGT's strengths, the team's needs, and the long-arc career intent (warrant officer specialization vs senior NCO breadth). Talk to the work role lead and the senior NCO about which path the chain is reading you for; align your senior cert stack push and your professional-development conversations accordingly.

How the Seat Varies by Unit Type

  • ARCYBER subordinate unit — line CMF team crew lead at E-5
    The most common E-5 17C assignment. As an SGT in a line CMF team under ARCYBER, you lead a 3-5 operator crew inside a CPT, NMT, CMT, or CST. The daily rhythm is operational — mission engagement execution, training cycles, exercise rotations. The team chief and the work role lead are the senior NCOs reading you; the team OIC is the officer in the team room. ARCYBER line CMF crew leads produce the senior NCOs and warrants that staff the rest of the cyber community.
  • 780th Military Intelligence Brigade (Cyber) — Fort Meade / Fort Eisenhower
    The 780th's premier cyberspace operations brigade context, with strong NSA partnership and high-end mission profiles. SGT 17Cs in the 780th lead crews on NMT and specialty billets; the work is high-end, the clearance is universally TS/SCI with additional SCI compartments, the technical standards are exacting, and the unit-level professional development is among the best in the Army cyber community. Selection into a 780th crew-lead slot at E-5 is competitive; the chain's recommendation, the cert stack, and the work-role-qualification depth are the leading indicators.
  • Cyber Protection Brigade (CPB) — Fort Eisenhower footprint
    The CPB's Cyber Protection Teams — defensive cyberspace operations focused on survey-secure-protect-sustain against supported networks. SGT 17Cs in a CPT crew-lead role under the CPB run defensive engagements as their primary mission; the rotational cycle (garrison train-up, supported deployment, recovery) is pronounced. The defensive specialty career arc is the CPB's lane; many senior CPB NCOs and warrants stay in the defensive lane for the full career, and the SGT-tier work-role-lead position in a CPT is the foundation of that arc.
  • Joint Force Headquarters-Cyber / combatant command J-cyber elements
    JFHQ-Cyber elements support combatant commands (CENTCOM, EUCOM, INDOPACOM, AFRICOM, NORTHCOM, SOUTHCOM, USSOCOM) with cyberspace operations integration. SGT 17C in a JFHQ-Cyber crew-lead position places the soldier inside a joint staff context with higher visibility to O-4s, O-5s, senior warrants, and joint partners than line CMF teams provide. Joint duty exposure compounds for promotion and assignment competitiveness later — the SFC and MSG boards weight joint time, and getting it as an E-5 puts the SGT ahead of the standard timeline.
  • NSA detail / USCYBERCOM joint billet (advanced specialty path)
    Uncommon at E-5 but possible for SGTs with specialty work roles aligned to joint or IC missions, with strong cert stacks and chain endorsement. NSA details place the SGT inside the broader IC technical workforce; the work standards, the technical environment, and the cleared community are different from a line ARCYBER team. USCYBERCOM joint billets place the SGT inside the COCOM staff context. Both compound early career capital but require multi-year buildup of the technical and leadership profile — these are not first-tour assignments at E-5 for most SGTs.

What Good Looks Like at This Rank

The good SGT 17C runs a crew the team chief and the warrant officer name in the slide when they brief readiness — DoDM 8140 work-role qualifications green, detection set producing real alerts, junior operators on a real cert and qualification plan, mission write-ups going out without rework. He has BLC done from his SPC days, ALC pending in the next 12 months with the slot already pulled through ATRRS, and CompTIA CASP+ (or CCNP-Security or CISSP, depending on his work role's emphasis) on the wall as the IAT-III-compliant credential. The 170A warrant officer packet is on the warrant officer's table if he wants it — built, reviewed, with senior signal officer endorsement secured — or it is actively declined with the chain's read documented and his career path explicitly enlisted-NCO long-arc. The contractor sitting next to him on rotation has a job number waiting at ETS and a salary band quoted; the SGT has not said yes, but he has not said no, and the next 12-18 months of SGT performance will set the answer.
In the SCIF his crew's work product reads like the senior name on it. Mission write-ups land upstairs with maybe a paragraph of editorial polish from the work role lead and otherwise unchanged. The detection rules his crew has deployed survive the QA reviews and produce alerts the team's analytic chain trusts — the false-positive rates are documented, the ATT&CK mappings are defensible, and the rule logic survives the warrant officer's quarterly detection-engineering review. The cherries and SPCs in his crew are on the 6- and 12-month plan he built with them at their monthly DA 4856 counselings; two of them are closing their first GIAC inside the year, one of them is closing CCNA, and all of them are visibly working toward their next-tier work-role qualification under his sign-off. The team chief reads bench depth as the SGT's leadership signal; the SGT's bench is read favorably.
His clearance hygiene is invisible the right way: bills paid on autopay and on time, foreign contacts disclosed proactively to the SSO when they arise, no personal devices in the SCIF, social-media footprint scrubbed of unit identifiers, no public-facing engagement on cyber topics outside explicit unit clearance. The continuous-evaluation cycle under Trusted Workforce 2.0 has surfaced nothing on him in his time at the unit; his credit profile is clean, his foreign-contact disclosures are documented and reviewed, his personal conduct profile is unremarkable in the favorable sense. The SSO knows his name in the favorable space — he has handled the boring administrative parts of his clearance correctly over a multi-year arc.
His counseling discipline is the heaviest single load and he carries it. The monthly DA 4856 cadence runs on the 14th of every month; he blocks the calendar, takes each session in his office for 30 minutes with the door closed, writes the Plan of Action in second person with specific deliverables and dates, signs the counseling, has the soldier sign before they leave, files the original per AR 623-3 and the unit SOP, and emails himself a copy. His soldiers know what their standard is, what their certification and qualification plan is, what their professional development plan is, and what their next promotion-points worksheet target is. When a soldier has a problem — financial, marital, legal, behavioral-health — he routes to the right office (ACS for financial counseling, MFLC for behavioral health, SJA for legal, the SSO for clearance concerns) and documents the routing in the counseling record. He does not try to solve problems outside his lane; he gets the soldier to the office that can. The chain reads him as the NCO who handles problems through the system, not around it.
The team chief's read on his SSG potential is set by month 12 as SGT. The ALC packet is pulled and scheduled. The senior cert stack is moving toward CISSP or the next GIAC. The NCOER profile reads in measurable deliverables. The warrant officer packet is either submitted or declined with the chain's read documented. The bench has produced one or more soldiers who closed work-role qualifications inside the team's standard cycle. The senior signal NCO and the team chief have started referring to him as one of the next SSG slate's likely picks. That trust is the differentiator between an SGT who pins SSG on time at 17C and an SGT who sits in zone on the SSG board cycle.

Preview — The Next Rank

Staff Sergeant 17C (E-6) is the next gate, and it is the rank where the technical work product, the leadership profile, and the senior cert stack all integrate into a section-NCOIC-equivalent seat on a CMF team. You are now the senior enlisted technical voice on a CMF team element — 8-15 operators, multiple work roles, often split across a deployed and a garrison footprint. The team chief and the 170A / 170B warrant trust your call on whether the work is real; the customer hears your finding through the warrant's mouth. The promotion math to E-6 runs through the same semi-centralized AR 600-8-19 system: 96 months TIS (varies) / 18 months TIG (waivable in limited cases), DA 3355 worksheet at max 800 points, monthly MOS-specific cutoff published by HRC, chain release. The Advanced Leader Course (ALC) is the STEP gate — without ALC complete, no pin-on. The 17C SSG cutoff has historically moved with the MOS's retention math and the senior-NCO inventory pressure; pull the current HRC cutoff message monthly. The differentiator at the SSG board for 17C is the senior cert stack you built at E-5 (CASP+ or CISSP, the GIAC senior family, CCNP-Security where work-role-appropriate, possibly OSCP for offensive operators), the work-role-lead qualification depth, the chain recommendation, and the visible team-leader performance in your first 18 months as SGT.
The job content at SSG is section NCOIC. You build the section's training and certification plan, you own the section's tool stack at the configuration-baseline level, you sit at planning tables with the team OIC, the 170A/170B warrant, and supported-customer leadership. You write four-to-five NCOERs per cycle that will pick the next SSGs and SFCs on the brigade slate. You sit on the brigade-level cyber readiness governance board. The 170A / 170B warrant officer accession is the senior decision point that intensifies at SSG; the SLC packet (for E-7) starts the moment you pin SSG. The CCRI / CORA inspection cycle becomes your direct responsibility at SSG — your section's findings are your bullets on the NCOER. Plan the SLC packet 6-12 months before zone-eligibility for SFC; plan the warrant packet whenever the chain says you are ready, but no later than your second SSG year if you are going to package.

17C E5 — Frequently Asked Questions

Q01 What does an E5 17C (Cyber Operations Specialist) actually do?
You lead a 3-5 operator element inside a Cyber Protection Team, National Mission Team, Combat Mission Team, or Cyber Support Team — a crew, a work role slice, or a defensive sub-team.
Q02 What's the most important thing to know as an E5 17C?
Sergeant 17C is the rank where being a strong operator stops being enough.
Q03 What does a typical day look like for an E5 17C?
Time-blocked day at the E5 17C rank tier:
  • 0500 Wake. Coffee. Phone check for any overnight crew emergencies — soldier in jail (off-post incident), family deathgram, missed accountability, clearance issue surfaced overnight. None? Good. PT uniform on.
  • 0530 PT formation in the company / squadron / detachment area. Take accountability for your crew (3-5 soldiers), report to the team senior NCO. The crew you brought to formation is the crew the brigade sees. Missing soldier equals your problem first.
  • 0545-0700 Section / team PT.…
Q04 What mistakes get E5 17C soldiers fired or relieved?
Verbal counseling instead of writing the DA 4856. AR 623-3 requires the counseling on file; the SJA's job on Article 15 day is to defend a counseling chain. The SGT who counsels verbally is the SGT whose CO cannot defend him when a soldier's lawyer argues the standard was never communicated. Two minutes typing the form equals twelve months of legal defense for you and the chain; Letting a junior operator sit a billet they are not DoDM 8140-qualified for,…
Q05 What career decisions matter most at the E5 17C rank tier?
Warrant Officer (170A Cyber Operations Technician / 170B Cyber Capabilities Development Technician) packet — The 170A / 170B warrant officer paths are the highest-leverage technical career forks in the cyber MOS — the technical-track alternative to the senior NCO arc. The 170A is the operations-focused warrant; the 170B is the capabilities-development-focused warrant. The packet (DA 61, command recommendation, senior signal / cyber officer endorsement, board file) is approachable at SGT with the right cert stack, work-role-qualification depth, and NCOER profile.…
Q06 What's next after E5 for a 17C (Cyber Operations Specialist) in the Army?
Staff Sergeant 17C (E-6) is the next gate, and it is the rank where the technical work product, the leadership profile, and the senior cert stack all integrate into a section-NCOIC-equivalent seat on a CMF team.
Q07 What manuals and regulations does an E5 17C need to know cold?
ATP 3-12 — Cyberspace Operations; JP 3-12 — Cyberspace Operations; NIST SP 800-61 — Incident Handling; NIST CSF — the language the supported customer's CISO will use back at you; NIST SP 800-53 / 800-171 — Controls (you assess against them on protect missions).


Published by the Honest MOS Editorial Desk · Verified against DoD/.gov sources · Updated May 2026 · Editorial standards