Skip to main content
HonestMOS
InvestigationsCongress made VA disability claims free to file. An entire industry charges veterans anyway — and nobody can stop them.
Back to 25D Cyber Network Defender — overview, pay, training, civilian translation, reviews
25DE5

Cyber Network Defender

E-5 (Sergeant) · Army

HEADS UP

This is the earliest you might actually wear 25D — and only where the window allows, because the floor is historically senior and only sometimes opens to SGT. Confirm the current HRC reclass MILPER before assuming you are eligible. If you are here, you are either still inbound (finishing the packet and the In-Service Screening Test) or a freshly reclassed Cyber Network Defender finding your footing on a defensive crew. Either way: the four years of experience that got you in is your floor, not your ceiling, and you are an NCO and an analyst at the same time.

The Honest MOS Read
If you are reading this as a 25D Sergeant, one of two things is true, and the current HRC reclass MILPER decides which. Either the window opened to senior SGT and you reclassed at this rank — making you one of the newest Cyber Network Defenders in a senior-NCO MOS — or you are an E-5 in a feeder MOS still inbound, finishing the packet and waiting on the rank-and-experience gate to align. The honest read covers both, because the line between them is a personnel message, not a permanent rule, and a smart SGT plans for the version he is in. If the window let you reclass as a SGT, you came through the Signal School at the Cyber Center of Excellence, Fort Eisenhower, GA, after passing the 25D In-Service Screening Test (ISST) and clearing the prerequisites: senior-NCO-track rank, a Top Secret with TS/SCI eligibility, roughly four years of verified IT/IA experience, an IAT-II baseline cert, and a 36-month service-remaining requirement that attached to you the day the reclass was awarded. Know exactly where you stand on that SRR clock — it came with the MOS, and it shapes every re-enlistment and assignment decision for the next three years. Now you are a working Cyber Network Defender doing the real job. You monitor and defend Army networks: running the SIEM, IDS, and endpoint tooling, triaging alerts to the unit playbook, and escalating the way the SOP says. You execute defensive cyberspace operations (DCO) tasks to standard — detect, analyze, contain, recover — and produce a usable timeline and finding at the end. You assess systems against the NIST SP 800-53 controls and the DISA STIGs as inputs to the Risk Management Framework, and you write those findings in language an authorizing official's staff can actually act on. You map activity to MITRE ATT&CK by technique ID and defend the call at the read-out, because at this rank the team expects you to own the assessment, not echo the senior analyst's version of it. If your unit is a Cyber Protection Team element, you are learning the survey-secure-protect rhythm under a more senior defender and a 170A warrant — the seat where the highest-end defensive work happens. Here is the part that catches reclassed soldiers off guard: 25D does not let you stop being an NCO. The Army did not hand you a senior-NCO MOS so you could disappear into the keyboard. You write a clean DA Form 4856 counseling with a real plan of action. You carry ACFT and fitness like anyone else — the CSM reads the slide the same for 25D as for 11B. And you mentor the feeder-MOS soldiers eyeing the reclass, because you just walked the path and you remember how little of it anyone explained cleanly. Tell them the truth about the rank floor, the experience clock, the ISST, and the clearance. The experience that got you here is your floor, not your ceiling. The four years of IT/IA time was the entry fee, not the finish line. The reclassed SGT who coasts on it becomes the analyst the team works around; the one who keeps sharpening — IAT-III in progress, the ALC packet built and visible to the platoon sergeant, detections he can tune and findings he can defend — becomes the SSG the OIC names when readiness gets briefed. And the contractor in the next chair, doing some version of the same defensive work for double the pay, already has your number. None of that changes today's job, which is to earn the trust the badge implies — clean findings, documented work, a spotless clearance, and a counseling discipline that proves you are both the defender and the NCO the chain reads.
Career Arc
  • 01Confirm against the current HRC reclass MILPER whether the window opens 25D to SGT — that single fact decides whether you are inbound or newly reclassed.
  • 02If reclassing at this rank: complete the Signal School / Cyber Center of Excellence reclass course at Fort Eisenhower after passing the In-Service Screening Test (ISST).
  • 03Satisfy and track the 36-month service-remaining requirement that attaches on award — it shapes every re-enlistment and assignment for three years.
  • 04Stand up as a working Cyber Network Defender — SIEM/IDS/endpoint monitoring, DCO tasks, RMF control assessments, ATT&CK-mapped findings — on a defensive crew or CPT element.
  • 05Keep IAT-II current and put IAT-III in progress (CySA+, CASP+, or a defensive GIAC) appropriate to your work role — the cert ladder does not stop at the gate.
  • 06BLC behind you, ALC packet built and visible to the platoon sergeant — the NCO professional military education has to keep pace with the senior MOS you just entered.
  • 07Mentor feeder-MOS soldiers into the reclass honestly, and start owning assessments instead of echoing them — the SSG-track read forms here.
Common Screwups
  • ×Coasting on the experience that got you in. The four years of IT/IA time was the entry fee; a 25D who stops sharpening becomes the analyst the team quietly works around, and the SSG board notices.
  • ×Treating the reclass as the finish line and neglecting the NCO track. ALC and counseling discipline are not optional in a senior-NCO MOS — a technically strong SGT who is rank-stalled goes nowhere from here.
  • ×Letting the 36-month SRR slip out of your tracking. The commitment came with the MOS; not knowing exactly where you stand on it leads to ugly surprises at the re-enlistment and assignment windows.
  • ×Any clearance, financial, foreign-contact, or social-media incident. You just spent years earning TS/SCI eligibility into a senior cyber MOS — one violation under AR 380-67 ends not just the assignment but the access the whole MOS depends on.
  • ×Chasing the contractor exit on impulse before honestly weighing it. The market is real and pays double, but bailing the moment you finish the reclass course wastes the Army's investment and your own — decide deliberately, pull the SRB MILPER, and do not let resentment make the call.

A Day in the Life

  • 0500Wake. PT clothes on. 25D is still the Army — the day starts on the same clock as any sergeant's. You are at formation early because the junior defenders and feeder-MOS soldiers see how you carry the NCO basics.
  • 0530PT formation in the company / detachment area. Cyber and signal units run PT to the Army standard; the CSM reads ACFT pass rates off the slide the same for 25D as for any MOS. Take accountability, report, fall in.
  • 0545-0700Unit PT. You may run a slightly more individualized plan than a line BCT, but the floor is still a solid ACFT and the section pass rate is on the slide. You are setting the example for the juniors now, not just keeping your own score up.
  • 0700-0830Hygiene, change, breakfast. Cert study or work-role reading over coffee — IAT-III objectives, an ATT&CK technique you want to understand cold before the next read-out.
  • 0830-0900Turnover / shift brief. The off-going crew or the team lead walks through what fired overnight, what is still open, and what the day's priorities are. You take notes; you ask the questions during turnover, not during the incident.
  • 0900-1130On mission. SIEM and IDS monitoring, host and network analysis, working an open incident through the DCO cycle, or running a control assessment against the STIGs and 800-53 as an RMF input. On a CPT element you are working a survey-secure-protect slice under a senior defender and a 170A warrant.
  • 1130-1230Chow. Conversation is the open incident, the cert someone just passed, the reclass MILPER for a soldier in the shop, and the contractor a buddy left for. You are mentoring as much as eating — the feeder-MOS soldiers want your path.
  • 1230-1500Back on mission. Finish the incident timeline and finding, tune a detection that has been firing on noise, write up a control assessment in language the AO's staff can act on, or brief a finding to the OIC or warrant. The expectation is you own the assessment, not echo it.
  • 1500-1600NCO time. Write a DA 4856 counseling on a junior, follow up on a soldier's cert or ALC packet, handle the Army admin a senior MOS does not exempt you from. The chain reads your leadership alongside your defensive output.
  • 1600-1630End-of-day turnover. Brief the on-coming crew or the team lead on what is open and what needs eyes overnight. Account for any sensitive items and devices — clearance-holder discipline is constant.
  • 1630Released, mission permitting. An active incident or an exercise can extend the day or flip you to a night shift without notice — defensive operations do not keep banker's hours.
  • 1700-2000Personal time. Gym for the ACFT, IAT-III cert study, work-role reading, and the home lab for skills the mission does not schedule. The reclassed SGT who keeps sharpening here becomes the SSG the OIC names; the one who coasts on the four years that got him in does not.
  • 2000-2200Cert study, ALC packet prep, or family time. You are building the next rung — IAT-III, ALC, measurable defensive output for the NCOER — one ordinary evening at a time.
  • Exercise / contested eventDuring a Cyber Flag / Cyber Guard-family exercise, a CTC cyber inject, or a real contested-network event, the clock collapses. You run your crew slice through the DCO cycle under time pressure, shift work becomes the norm, and the after-action is where the OIC and warrant form their read of whether you can carry the load.

Weekly Cadence

The week for a 25D SGT runs on two clocks at once — the defensive-operations clock and the NCO clock — and the good ones never let either one slide. The operations rhythm is shift-and-mission driven: turnover briefs that frame what fired and what is open, monitoring blocks on the SIEM and IDS, incidents worked through the full DCO cycle, control assessments written as RMF inputs, and detections tuned so the section chases real alerts instead of noise. Some weeks are quiet monitoring and assessment grind; some weeks an incident or an exercise flips the whole section to shift work and the rhythm disappears entirely. The newly reclassed SGT earns trust across these weeks by triaging to the playbook cleanly and producing findings the team lead can pass up without rewriting. Underneath the mission runs the NCO cadence the MOS does not let you skip. PT to the Army standard with the section pass rate on the slide, counselings written on time with real plans of action, juniors mentored — including the feeder-MOS soldiers in the shop asking how to build the reclass packet you just walked. The chain reads both halves: a brilliant analyst who cannot run a counseling or keep an ACFT stalls in a senior-NCO MOS, and a strong NCO who stopped sharpening technically gets routed around by the crew. Balancing the two is the actual skill at this rank. The third, slower rhythm is your own progression. IAT-III in progress, the ALC packet built and visible to the platoon sergeant, the 36-month SRR tracked, measurable defensive output captured for the NCOER, and the certs that also command the civilian salary the contractor next to you already earns. None of it is dramatic in any given week, but it compounds toward SSG — the rank the MOS was built around — and toward the honest first re-enlistment decision the contractor market makes unavoidable. The SGT who manages his own ladder like a project hits that decision with options; the one who waits to be carried hits it with regret.

Key Skills — How to Drill Each

  1. 01
    Monitor and defend an Army network as a primary duty — run the SIEM, IDS, and endpoint tooling, triage alerts to the unit playbook, and escalate the way the SOP says.
    Learn your unit's standing playbook cold — what each alert class means, what the triage steps are, and what the escalation threshold is — so you are not inventing the response under pressure. The newly reclassed SGT earns trust by triaging to the SOP cleanly and consistently, not by freelancing; the freelancing comes later, after the team knows your judgment is sound.
  2. 02
    Execute a defensive cyberspace operation (DCO) task to standard — detect, analyze, contain, recover — and produce a usable timeline and finding at the end.
    Work every incident through the full cycle and write it up so a teammate could reconstruct exactly what happened from your notes alone. Have a senior defender red-pen your early findings. The deliverable that marks a real DCO operator is a timeline and finding the team lead can pass up without rewriting — that is the standard to chase from your first crew shift.
  3. 03
    Assess a system against the NIST SP 800-53 controls and the DISA STIGs as an RMF input, and write the finding in language an authorizing official's staff can act on.
    Tie every finding back to the control it implements and state the risk plainly, not in jargon. Remember that your assessment is an input to a real system authorization — write it so the AO's staff can make a decision from it. Sit with the unit's RMF lead to see how your findings get used downstream; that context sharpens how you write them.
  4. 04
    Map activity to MITRE ATT&CK by technique ID and defend the call at the read-out — at this rank the team expects you to own the assessment, not echo it.
    When you brief, name the tactic and technique by ID and be ready to justify it against the matrix when challenged. Invite the challenge — a mapping you can defend under questioning is worth more than one you assert. Owning the call, including the uncertainty where it exists, is what moves you from new-defender to trusted analyst.
  5. 05
    Write a clean DA Form 4856 counseling with a real plan of action — you are a 25D and an NCO at the same time, and the chain reads both.
    Counsel in writing, on time, with an actual plan of action the soldier can execute and you can follow up on. Verbal counseling is the same as no counseling. The chain reads your NCO discipline alongside your technical output; a brilliant analyst who cannot run a counseling stalls in a senior-NCO MOS, so treat the leadership paperwork with the same rigor as a defensive finding.
  6. 06
    Mentor the 25B/17C soldiers eyeing the reclass — tell them the truth about the rank floor, the experience clock, the ISST, and the clearance.
    You just walked the path, so you are the most credible source in the shop. Pull the current reclass MILPER with them, walk them through documenting experience and stacking certs, and be honest that the rank floor moves and the clearance is the whole game. Mentoring the bench is not a side task in this MOS — it is how a thin, hard-to-man field stays manned, and the chain reads you on it.

Manuals & References — What Chapters Matter

  • AR 25-2 — Army Cybersecurity.
    The posture you now help defend, not just read. As a working 25D your assessments and detections ladder up to this reg's requirements; knowing it lets you connect a single STIG finding to the unit's overall cybersecurity standing when you brief.
  • NIST SP 800-61 — Incident Handling; NIST SP 800-53 — Security and Privacy Controls.
    The incident-response cycle and the control set your defensive work maps to every day. The 800-61 phases structure your DCO write-ups; the 800-53 controls are what your RMF assessments are scored against. Live in both — they are the spine of the job at this rank.
  • NIST SP 800-37 — Risk Management Framework.
    The process every network accreditation rides on, and you produce inputs to it now. Understanding the RMF steps tells you why your control assessment matters and how a soft or wrong finding can either ground a healthy network or authorize a real gap — both of which land on you.
  • DoDM 8140 — Cyberspace Workforce Qualification.
    You maintain your own IAT-II/III standing against it and, as you season, may begin signing juniors against their work roles. Read your work role's tasks so you know precisely what the standard expects of the billet you sit, and so you sign nothing you cannot defend.
  • MITRE ATT&CK.
    The defensive language your findings are written in. At SGT you are expected to map and defend behaviors by technique ID at the read-out, so fluency in the matrix is no longer optional — it is the shared vocabulary the OIC, the warrant, and the supported customer all use.
  • AR 600-20 — Army Command Policy; AR 623-3 — Evaluation Reporting System.
    You are an NCO in an Army MOS, not just a cyber analyst. AR 600-20 governs the command climate and SHARP/EO responsibilities you cannot wave off as 'too technical,' and AR 623-3 is the system your counselings and NCOERs live in. The chain reads your leadership against these the same as for any sergeant.

Standards — How to Hit Each

  • IAT-II maintained, IAT-III in progress (CySA+, CASP+, or a defensive GIAC family cert) appropriate to your work role.
    Keep the baseline current and schedule the next cert deliberately on Army Credentialing Assistance, study to the published objectives, and choose the IAT-III cert that fits your section's mission. The cert ladder does not stop at the reclass gate — at SGT you are expected to be climbing it, and the same certs that make you mission-qualified also command the civilian salary the contractor next to you already earns.
  • BLC graduate; ALC packet built and visible to your platoon sergeant.
    BLC is behind you, so make sure your ALC packet is assembled and on the platoon sergeant's radar — you reclassed into a senior MOS and the NCO professional military education has to keep pace with the technical track. Falling behind on PME is how a strong analyst stops being competitive for the rank the MOS actually lives at.
  • 36-month service-remaining requirement satisfied on award and tracked.
    Know your exact SRR date and factor it into every re-enlistment and assignment conversation. The reclass came with the commitment; treat the date like a deployment date — fixed, known, and planned around — rather than a surprise that surfaces when you try to make a move you are not yet eligible for.
  • Defensive work product measurable in the unit's metrics — analyses produced, findings closed, detections tuned — not filler on the NCOER.
    Track your own output: incidents worked, findings written and closed, detections you helped tune. When the NCOER feeder comes due, you want concrete, countable defensive accomplishments, not 'demonstrated outstanding performance.' Measurable work is what the senior rater can defend at the board and what separates the contributing SGT from the passenger.
  • Top Secret / TS/SCI clean and current; ACFT to standard.
    Maintain the clearance with the same discipline that earned it — clean finances, proactive reporting, quiet social media — and keep the ACFT solid, because cyber is still the Army and the CSM reads the same fitness slide for 25D as for any MOS. The defensive badge does not buy you out of either standard; letting one slip undercuts everything the technical work built.

Technical Mistakes — Concrete Consequences

  • Coasting on the experience that got you in.
    The four years of IT/IA time was the entry fee, not the finish line. A 25D who stops sharpening becomes the analyst the team routes around, and that read shows up in the NCOER and at the SSG board. The MOS rewards continued depth — IAT-III, tuned detections, defensible findings — not a resume frozen at the moment of reclass.
  • Closing a defensive finding or marking an alert 'no impact' without a senior defender eyeballing it.
    As the newest analyst, a miss you sign off surfaces at the next assessment or rotation — and the team lead is the one who has to brief it up. Until the team knows your judgment is sound, get a senior set of eyes on the close-out; the trust to call it solo is earned by getting the early ones right.
  • Treating an RMF / control assessment as paperwork to grind through.
    Your finding is an input to a real system's authorization. Get it wrong and you either ground a network that was fine or sign off a genuine vulnerability that an authorizing official then accepts on your word. Either outcome lands on you — the assessment is a defensive act, not an administrative one.
  • Running an unauthorized tool or freelancing on an operational network.
    At 25D that is an incident inquiry and a clearance flag, not a quiet counseling. You spent years earning the access; one unauthorized action on a live network can suspend it and end the assignment. Learn and experiment in an authorized lab — on the operational network you operate strictly within your authorization.
  • Verbal counseling instead of written.
    If it is not in writing, the soldier did not know it, the commander cannot defend you, and your NCO bench shows it at the next board. A 25D is an NCO first in the eyes of the chain; skipping the counseling discipline because the job is 'too technical' is exactly the gap that stalls a technically strong sergeant.

Career Decisions at This Rank

  • Reclass now (if the window allows) versus finishing one more thing on the feeder side first.
    If the current MILPER opens 25D to senior SGT and you meet the gates, the case for reclassing now is the SRR clock and the seat: you start the 36-month commitment, but you also start logging real 25D time and stop being an almost-defender. The case for waiting a beat is narrow — usually only if you are months from a cert, a degree, or an experience milestone that materially strengthens you and the window will still be open. Pull the live MILPER, confirm eligibility, and decide on facts, not on a rumor that the window is closing or staying open forever.
  • Push IAT-III aggressively or stabilize as a solid IAT-II analyst first.
    The cert ladder does not stop at the gate, and IAT-III (CySA+, CASP+, or a defensive GIAC) is both a mission-qualification step and a civilian-salary multiplier. The argument for pushing now is that the newly reclassed SGT who is climbing is the one the OIC marks for SSG; the argument for stabilizing first is that mastering your current work role and earning the team's trust matters more than a cert nobody has asked you to hold yet. The right move for most is to do both in sequence — own your IAT-II work role cold, then open IAT-III deliberately on Credentialing Assistance rather than collecting certs you cannot yet apply.
  • First re-enlistment as a 25D — stay for the career or exit to the contractor market.
    The contractor next to you is doing some version of your defensive job for double the pay and already has your number. The honest test is the same one from the feeder side, now with real numbers: are you in 25D for the mission and the senior-NCO career, or for the credentials and the exit? Your 36-month SRR may make the timing decision for you in the near term — know your date. Pull the current HRC SRB MILPER before signing anything, weigh the bonus against a six-figure cleared-civilian offer, and decide deliberately. Re-enlisting on autopilot and resenting it, or bailing on impulse the week you finish the reclass course, are both the wrong way to make this call.
  • Stay enlisted toward SSG or start the warrant officer conversation (170A / 255S).
    The defensive cyber warrant paths — 170A (Cyber Operations Technician) and 255S (Information Protection Technician) — are the deep-technical leadership lanes, and a sharp 25D SGT is exactly who the warrants in the room start recruiting. The enlisted track keeps you on the NCO ladder toward the core SSG defender role and eventually section leadership; the warrant track trades the NCO path for a narrower, deeper technical-officer role. Talk to a 170A or 255S in your formation about what the day-to-day and the career actually look like before you commit — the decision is which kind of senior defender you want to be, and there is no wrong answer, only an unexamined one.
  • Invest in mentoring the reclass bench or focus narrowly on your own progression.
    25D is a thin, hard-to-man MOS that lives or dies on reclassing the right senior feeder-MOS soldiers in. As the person who most recently walked the path, you are the most credible mentor in the shop — and the chain reads how you build the bench, not just your own output. The narrow-focus argument is that your own certs and ALC packet are what get you to SSG; the bench-building argument is that senior-NCO MOS evaluations increasingly reward the leaders who develop others. The strongest SGTs do both: progress their own ladder and pull two or three feeder-MOS soldiers up behind them, because that is literally how the MOS stays manned.

How the Seat Varies by Unit Type

  • Cyber Protection Team (CPT) element under the Cyber Protection Brigade
    The center of gravity for defensive 25D work. On a CPT you run a survey-secure-protect slice alongside a 170A warrant and a customer technical lead, doing mission-assurance work on supported networks. The OPTEMPO comes in deployment-and-rotation waves, the standards are high, and a newly reclassed SGT here gets the best defensive education in the Army — under the most senior eyes.
  • ARCYBER / network-defense staff footprint
    A defensive section on an Army Cyber Command or signal staff, where you are the senior enlisted technical voice on whether the controls hold. The work leans toward sustained monitoring, RMF assessments, and posture reporting rather than expeditionary CPT missions. Highly documentable, integrated up through USCYBERCOM, and a strong seat to build the SSG-track NCOER from.
  • Signal brigade / NETCOM network-defense element
    Enterprise-network defense in a garrison footprint — larger systems, formal change management, and the day-to-day grind of keeping a fixed network accreditable. The mission is steadier and the rhythm more predictable than a CPT, which suits a newly reclassed SGT still earning trust: you get reps on assessments and incident response without the expeditionary tempo.
  • Still inbound — E-5 in a feeder MOS awaiting the reclass window
    If the current MILPER has the floor at SSG and you are an E-5, you are not 25D yet — you are finishing the packet: experience documented, IAT-III climbing, the ISST passed, the clearance spotless, and the rank window watched. Your 'unit' is still the feeder S6 or shop, and your job is to be the defender that shop trusts while you wait for the gate to align.
  • Joint / supported-command billet (rarer at this rank)
    Some 25D seats support a joint headquarters or a combatant command's defensive mission. The work is integrated with joint partners and the standards are set above the Army; a SGT here is usually a strong performer placed deliberately. The exposure is excellent for a career, but the NCO and clearance discipline expectations are, if anything, higher in a joint environment.

What Good Looks Like at This Rank

The good SGT 25D — whether the window let him reclass at this rank or he is the newest defender on the team — is the one the senior analyst hands the contested host to and gets back a clean, ATT&CK-mapped, control-referenced finding by the next morning. He triages to the unit playbook without being walked through it, writes a DCO timeline a teammate could reconstruct the incident from, and ties every RMF finding back to the control and the risk in language the authorizing official's staff can act on. He owns his assessments at the read-out — names the technique by ID, defends the call when challenged, and is honest about the uncertainty — instead of echoing the senior analyst's version. The team is starting to trust his judgment, which is the whole currency at this rank. What makes him more than a sharp analyst is that he never stopped being an NCO. His counselings are in writing, on time, with real plans of action. His ACFT is solid and his Top Secret is spotless, because he knows the CSM reads those slides for 25D exactly as for 11B. His IAT-III packet is open, his ALC slot is set, and he tracks his 36-month service-remaining requirement like a date that matters. And he mentors the feeder-MOS soldiers in the S6 who have started asking him how to build the reclass packet he just walked through — he pulls the current MILPER with them and tells them the truth about the rank floor, the experience clock, the ISST, and the clearance, because nobody told him cleanly either. The tell that he is doing it right: the senior analyst and the warrant trust him with the contested host, the platoon sergeant has him visibly on the ALC track, and the contractor in the next chair has already pitched him a billet that pays double — which he turns down, for now, because he wants to make SSG and become the core Cyber Network Defender the MOS was built around. He is earning the badge he wears instead of resting on the four years that got it for him.

Preview — The Next Rank

The next rank is Staff Sergeant — E-6 — and it is the heart of the MOS, the rank 25D was built around. Most soldiers actually award and live 25D at SSG; it is the historical floor and the center of gravity for the whole field. So where SGT is the newly reclassed defender finding his footing, SSG is the core Cyber Network Defender NCO — the one who actually monitors, hunts, assesses, and defends, and the one the section trusts to call whether a network is clean or compromised. Everything you build at SGT is aimed at being ready for that seat. The job content deepens. As an SSG you run defensive cyberspace operations day to day and you own a piece of the tool stack as a designated admin — tuning detections so they produce signal instead of noise, conducting security assessments against the 800-53 controls that survive an authorizing official's scrutiny, and writing the assessment the AO's staff acts on. On a Cyber Protection Team you run a survey-secure-protect slice alongside a 170A warrant and a customer technical lead. But the harder shift is from being a strong individual analyst to being a strong section NCO: the section needs you to build the bench, sign juniors against their DoDM 8140 work roles, and develop SGTs — not to be the only one who can find the intrusion. The IAT-III floor becomes real at this rank (CASP+, CISSP, or a senior defensive GIAC), with ALC done and SLC pending. The other thing that arrives at SSG is the full weight of the contractor market and the leadership identity that has to withstand it. With CISSP or CASP+ on the wall and a real work-role qualification, the civilian offer next door is genuinely double the pay, and the recruiters know your name whether you answer or not. The SSGs who stay are the ones who decided they want to make SFC and run a team more than they want the immediate raise — and who can translate cyber risk to a non-technical commander in language he will repeat correctly to a one-star. The work between SGT and SSG is earning the trust that lets the OIC and the warrant name you when readiness gets briefed. Earn it the same way you are earning the badge now: clean findings, documented work, a spotless clearance, and a bench you are already starting to build.
FAQ

25D E5 — Frequently Asked Questions

Q01What does a E5 25D (Cyber Network Defender) actually do?
If the current window let you reclass as a SGT, you came through the Signal School at the Cyber Center of Excellence, Fort Eisenhower, GA, after passing the 25D In-Service Screening Test and clearing the prerequisites — senior-NCO-track rank, a Top Secret with TS/SCI eligibility, roughly four years of verified IT/IA experience, an IAT-II baseline cert, and a 36-month service-remaining commitment on award.
Q02What's the most important thing to know as a E5 25D?
This is the earliest you might actually wear 25D — and only where the window allows, because the floor is historically senior and only sometimes opens to SGT. Confirm the current HRC reclass MILPER before assuming you are eligible.
Q03What does a typical day look like for a E5 25D?
Time-blocked day at the E5 25D rank tier: 0500 Wake. PT clothes on. 25D is still the Army — the day starts on the same clock as any sergeant's. You are at formation early because the junior defenders and feeder-MOS soldiers see how you carry the NCO basics, 0530 PT formation in the company / detachment area. Cyber and signal units run PT to the Army standard; the CSM reads ACFT pass rates off the slide the same for 25D as for any MOS. Take accountability, report, fall in, 0545-0700 Unit PT. You may run a slightly more individualized plan than a line BCT,…
Q04What mistakes get E5 25D soldiers fired or relieved?
Coasting on the experience that got you in. The four years of IT/IA time was the entry fee; a 25D who stops sharpening becomes the analyst the team quietly works around, and the SSG board notices; Treating the reclass as the finish line and neglecting the NCO track. ALC and counseling discipline are not optional in a senior-NCO MOS — a technically strong SGT who is rank-stalled goes nowhere from here; Letting the 36-month SRR slip out of your tracking. The commitment came with the MOS;…
Q05What career decisions matter most at the E5 25D rank tier?
Reclass now (if the window allows) versus finishing one more thing on the feeder side first — If the current MILPER opens 25D to senior SGT and you meet the gates, the case for reclassing now is the SRR clock and the seat: you start the 36-month commitment, but you also start logging real 25D time and stop being an almost-defender. The case for waiting a beat is narrow — usually only if you are months from a cert, a degree, or an experience milestone that materially strengthens you and the window will still be open. Pull the live MILPER, confirm eligibility, and decide on facts,…
Q06What's next after E5 for a 25D (Cyber Network Defender) in the Army?
The next rank is Staff Sergeant — E-6 — and it is the heart of the MOS, the rank 25D was built around.
Q07What manuals and regulations does a E5 25D need to know cold?
AR 25-2 — Army Cybersecurity (the posture you now help defend, not just read).; NIST SP 800-61 — Incident Handling; NIST SP 800-53 — Controls (the IR cycle and control set your defensive work maps to).; NIST SP 800-37 — Risk Management Framework (the process every network accreditation rides on; you produce inputs to it now).

This playbook has no tips yet. Be the first to share what you know.

Published by the Honest MOS Editorial DeskVerified against DoD/.gov sourcesUpdated May 2026Editorial standards