Skip to main content
HonestMOS
InvestigationsCongress made VA disability claims free to file. An entire industry charges veterans anyway — and nobody can stop them.
Back to 25D Cyber Network Defender — overview, pay, training, civilian translation, reviews
25DE6

Cyber Network Defender

E-6 (Staff Sergeant) · Army

HEADS UP

SSG is the rank 25D was built around — where most soldiers actually award the MOS and where its center of gravity sits. ALC is done, the SLC packet is real, and the IAT-III cert (CASP+, CISSP, or a senior GIAC) is the analyst floor now. The contractor in the next chair does your job for double the pay; decide what you want before the next re-up window decides for you.

The Honest MOS Read
Staff Sergeant is the heart of 25D — the working Cyber Network Defender NCO, the rank the MOS was structured around. You did not enlist into this. You came up through 25B, 17C, or another signal/intel feeder, you spent four-plus years stacking real information-assurance experience and a Top Secret you never put a dent in, you sat the In-Service Screening Test, and you reclassed in through the Signal School at the Cyber Center of Excellence, Fort Eisenhower, GA. Everything before this was the entry fee. This is the job. The SSG seat is the senior enlisted technical voice on a defensive element. On a Cyber Protection Team under the Cyber Protection Brigade — or on a network-defense footprint inside an S6, a signal battalion, an INSCOM element, or a supported command — you run defensive cyberspace operations day to day. SIEM and IDS monitoring, host and network analysis, threat hunting, incident response mapped to the NIST SP 800-61 cycle, and security assessments that feed the Risk Management Framework and the unit's AR 25-2 posture. On a CPT you run a survey-secure-protect slice alongside a 170A warrant and a customer technical lead; on a network-defense seat you are the one who calls whether the network is clean or compromised, and the OIC believes you because you have shown the work. Your day splits three ways. First, the technical work: you own a piece of the tool stack as a designated admin, you tune the detections — Sigma rules, Splunk correlation searches, Elastic detections, all mapped to MITRE ATT&CK — so the section chases real alerts instead of noise, and you write the assessment the authorizing official's staff actually acts on. Second, you run the section as an Army NCO: counselings on the 14th, NCOER reviews for your two SGT crew leads, the work-role qualification pipeline that moves your juniors from IAT-II to IAT-III against the DoDM 8140 work-role catalog, and the SHARP / EO / suicide-prevention cadence a technical MOS does not get to skip. Third, your own development: the SLC packet, the next senior cert and its continuing-education clock, and the 170A (cyber operations technician) / 255S (information protection technician) warrant conversation that has stopped being theoretical. The contractor reality is the load-bearing recurring conversation at this rank, and pretending otherwise is dishonest. The cleared cyber market outside the wire pays senior defenders well above your E-6 base pay plus BAH — Booz Allen, Leidos, MITRE, CACI, ManTech, Peraton, and the commercial incident-response side (Mandiant, CrowdStrike, Palo Alto Unit 42, Microsoft DART) all want exactly your profile: a TS/SCI, a hands-on defensive cert stack, and proof you have done the work on a real network. The soldier sitting next to you in business casual, doing the same hunt you are doing, took home more last year than you will this year. That is not a reason to leave and it is not a reason to stay — it is a number you should know cold so the decision is yours and not a recruiter's. The honest pitch for staying is the work, the clearance the Army keeps current for free, the pension math under the Blended Retirement System, and the fact that at SSG you are still early enough that making SFC and running a team is a real, near play. The Army-side recurring conversations: the SLC slot timing (it is the SFC-to-MSG STEP gate, build the packet 12-18 months ahead), the warrant conversion you either pursue, mentor, or honestly decline with the reasoning documented, and the senior-cert continuing-education cadence so your CISSP CPEs and GIAC family recerts never lapse on the unit audit. The trap at SSG is deciding the work exempts you from being an NCO. It does not. The brigade CSM reads a 25D NCOER the same way he reads an 11B NCOER, and the slate is unforgiving to the technically brilliant soldier whose fitness slipped and whose counselings were verbal.
Career Arc
  • 01Reclassed and awarded 25D through the Signal School at the Cyber Center of Excellence, Fort Eisenhower; In-Service Screening Test passed; 36-month service-remaining commitment satisfied on award and tracked.
  • 02ALC graduate; SLC packet built and visible to the platoon sergeant and the senior warrant.
  • 03Section NCOIC of a defensive element on a Cyber Protection Team slice, an S6 network-defense cell, or a supported-command footprint.
  • 04Senior cert stack mature — IAT-III maintained (CASP+ or CISSP) plus one defensive specialty (GCIH, GCIA, or GCFA) appropriate to the section's mission; continuing-education clock tracked.
  • 05Two SGT crew leads under your NCOER profile; juniors moving from Security+ to CySA+ to a GIAC on a plan the OIC can brief.
  • 06170A / 255S warrant officer packet conversation — submitted, mentored to a candidate, or declined honestly with the reasoning on the record.
  • 07E-7 board competitiveness — SLC graduate, defensive metrics that survive scrutiny, work-role qualification breadth, NCOER profile defensible at brigade.
Common Screwups
  • ×DUI, Article 15, fraternization, or a financial spiral at this rank. The cleared cyber community is small; the read propagates inside the brigade within a month and the SSO is in the TS/SCI conversation within the quarter. Once the clearance is pulled or downgraded, 25D is over — you can finish the contract, but the work role is foreclosed and so is the contractor exit you were eyeing.
  • ×Skipping the SLC slot because 'the section needs me on mission.' The E-7 board reads SLC graduation as a STEP gate; the strong SSG who arrives without it watches his packet sit at the bottom of the pile. The platoon sergeant who lets you skip it is building a bench that cannot be promoted.
  • ×Phoning the warrant officer mentorship conversation with your two SGTs. The 170A / 255S accession is one of the highest-leverage moves in the Army for a technical NCO; the SSG who never walks his sharp junior through the option is the SSG whose junior leaves for the contractor market with the warrant door never opened.
  • ×OPSEC slip on social media — a LinkedIn title naming a CPT, a 'defensive cyber' job line, badge selfies near SCIF spaces, deployment hints during a detached mission. The CPB and the SSO are explicit on this; at SSG the consequence is a clearance review and an NCOER hit at minimum.
  • ×Deciding the work makes you exempt from Army basics. Fitness slippage, verbal-only counseling, thin NCOER bullets, missed required-training suspenses — the brigade CSM reads the 25D slide the same way he reads anyone's, and a profile gap there sinks an otherwise strong E-7 board.

A Day in the Life

  • 0530PT formation. You are there early because the two SGTs and the junior operators need to see you there — a defensive cyber section that skips PT is a section the brigade CSM remembers for the wrong reason. Accountability, then unit or section PT.
  • 0630-0730Unit PT. Lift days, interval-run days, ruck when the standard demands. You run the warm-up or set the pace; your form is what the juniors copy. Cyber is still the Army and the ACFT is on the same slide as everyone's.
  • 0730-0900Hygiene, chow, change. Badge into the SCIF or the network-defense workspace; clear the personal electronics at the entry; check overnight handover from the night crew or the supported network's monitoring.
  • 0900-0930Section stand-up. Read the overnight SIEM/IDS picture, the open incidents, the detection deployments in flight, the work-role qualification milestones due. Brief the warrant and the OIC on where the section is and what it needs.
  • 0930-1130Mission work. Threat hunt against the supported environment, triage and analysis on the day's alerts, host and network forensics on an open incident, or a control/STIG assessment as an RMF input. You are on terrain as the senior enlisted analyst and spot-checking the SGTs' work as it lands.
  • 1130-1300Chow. Conversation drifts to certs, the SLC slot, and the contractor billet someone got offered last week — the retention conversation never fully closes at this rank.
  • 1300-1430Detection engineering and tuning. Write or refine Sigma rules, Splunk correlation searches, Elastic detections; update the ATT&CK coverage matrix; retire the stale rules that fire on noise. The warrant reviews the high-impact changes before they deploy.
  • 1430-1530NCO work. Counsel a SGT on his development objective, review an NCOER bullet, sign a junior's DoDM 8140 work-role evaluation alongside the warrant, push a BLC or cert-voucher packet through the training NCO. The Army-side admin does not write itself.
  • 1530-1630Finding write-up and brief prep. Draft the section's piece of the post-incident report or the assessment finding; rehearse the five-minute brief with the warrant so it goes straight to the OIC's slide without a rewrite.
  • 1630-1700Final accountability. Hand off open incidents to the night crew or set the monitoring posture; account for the section; lock the SCIF discipline — classified separation, destruction logs, two-person integrity where required.
  • 1700Released. Mostly. An active incident, a CPT mission rotation, or a major exercise (Cyber Flag / Cyber Guard family, a CTC cyber inject) collapses the clock — defensive cyber does not keep banker's hours when a network is contested.
  • 1800-2000Personal development. Study for the next senior cert or knock out CPEs, gym time, family if you have it. The disciplined SSG keeps the cert clock and the ACFT score where they need to be; the average one lets both drift and pays for it at the E-7 board.
  • Mission rotation / contested eventThe split disappears. On a real DCO mission or a contested-network event you run the section's IR cycle through the night in shifts — host triage, network telemetry, contemporaneous notes, hour-mark briefs to the warrant — and the post-incident report is due to the team's deadline regardless of how little anyone slept.

Weekly Cadence

The Mon-Fri rhythm at SSG level is dictated by the section's mission posture and the OIC's training calendar. Monday is the heaviest planning day — you read the weekend monitoring handover, the overnight SIEM picture, the warrant's notes, and any ARCYBER / CIO-G6 FRAGOs or workforce-policy publications that landed. By mid-morning the week is aligned: which operators are on which work-role qualification milestones, which detection deployments are in flight, which assessments are open, which NCOERs and counselings are due. Tuesday through Thursday are the weight of the week — mission execution against the supported environment, threat hunting, incident response, control assessments, and the detection-engineering cycle. You walk the workspace, spot-check the two SGTs, run the work-role signoffs with the warrant, and keep the finding write-ups moving so nothing piles up for Friday. Friday is the lighter administrative day — required training cycles (SHARP, EO, OPSEC, suicide prevention), the weekly readiness roll-up to the OIC, cert-study time built into the calendar, and the company-level events the brigade still runs for a cyber formation. The week's second rhythm is the NCO-development cadence layered underneath all of it: quarterly NCOER and counseling cycles, the BLC/ALC slot conversations for your juniors, the cert-voucher pipeline through Army Credentialing Assistance, and the work-role qualification tracking the OIC reads monthly. What changes the whole rhythm is a CPT mission rotation, a major exercise, or a real contested-network event. A Cyber Flag or Cyber Guard event, a CTC cyber inject, or a supported-command operation collapses the garrison schedule into shift work — the section runs the survey-secure-protect or the IR cycle around the clock, and the after-action is where the OIC and the brigade figure out what the section actually learned. The SSG who runs a clean rotation and produces the section's piece of the AAR on time is the SSG who gets the next high-visibility mission; the one whose notes are gappy gets the maintenance billet next.

Key Skills — How to Drill Each

  1. 01
    Run a defensive cyberspace operation as the senior enlisted analyst — detect through recovery — and brief a finding the OIC or 170A can pass to a customer without rewriting it.
    The IR cycle frames it: detection and analysis, containment, eradication, recovery, post-incident activity, per NIST SP 800-61. As section NCOIC you are the senior technical voice on who runs host triage, who owns network telemetry, who keeps the contemporaneous notes, and who briefs the warrant at the hour-marks. Build the brief down to five minutes — what you found, how, what it means, recommended action, residual risk — and rehearse it with the senior warrant so it goes straight to the OIC's slide. The SSG whose findings need the warrant's rewrite every time is the SSG whose high-visibility taskings dry up.
  2. 02
    Own and tune the detection set so the alerts the section chases are real, not noise — every rule mapped to a MITRE ATT&CK technique by ID.
    ATT&CK is the language the whole defensive community speaks. Maintain a coverage matrix the warrant and the OIC can read: which techniques your Sigma rules, Splunk correlation searches, and Elastic detections cover, which gaps remain, what false-positive rate you are accepting on existing rules. The SSG who can name the coverage gaps and the rules that still need writing is the SSG whose detection engineering survives an inspection. Stale rules that fire on noise train the section to ignore alerts — and the one that mattered gets ignored with them.
  3. 03
    Conduct a security assessment against the NIST SP 800-53 controls and the DISA STIGs as an RMF input, and defend the result to an authorizing official's staff.
    Your finding is not paperwork — it is an input to a system's authorization under DoDI 8510.01 and the NIST SP 800-37 RMF. Quote the specific control families when the AAR runs; tie every STIG finding to a control and a real risk, not a checkbox. The SSG who lets a control assessment go soft to keep a timeline either grounds a network that was fine or signs off a real vulnerability — and both land on his name in the package.
  4. 04
    Lead a Cyber Protection Team sub-element through survey, secure, and protect, and the handoff to the supported network owner, to the team SOP.
    The CPT rhythm is survey-secure-protect: map the supported environment, harden it against the threat you are hunting, and hand it back to the owner with documentation he can sustain. As the section NCOIC you run the enlisted half — who is on terrain, who is documenting, who briefs the handoff. The 170A engineers the technical approach; you make sure the soldiers execute it and the customer can repeat what you did after you leave. The handoff package is the deliverable the supported commander remembers you by.
  5. 05
    Build a section training and certification plan that moves juniors from IAT-II to IAT-III and into real DoDM 8140 work roles on a schedule the OIC can brief.
    Map each operator to a primary and secondary work role under the DoDM 8140 catalog; track the prerequisites — cert, training, on-the-job qualification, the signed work-role evaluation. Drive the cert ladder per the section's demand: Security+ to CySA+ to a defensive GIAC, funded through Army Credentialing Assistance with study time built into the training calendar. The SSG who arrives at the OIC's quarterly review with a green section roll-up and a credible 90-day plan for the gaps is the SSG whose section gets tasked first.
  6. 06
    Translate cyber risk to a non-technical commander or CISO in language they will repeat correctly to a one-star.
    Build an analogy library that converts technical depth into a sentence a supported commander will carry up his chain without mangling it. The test is not whether the commander understands the packet capture — it is whether he can tell his boss what the risk is and what you recommend. Practice this on the BCT S6 and the supported staff; the SSG whose risk briefs the commander repeats accurately is the SSG the OIC sends into the room when the audience is senior.

Manuals & References — What Chapters Matter

  • AR 25-2 — Army Cybersecurity.
    The policy floor your unit's cyber posture is measured against — and at SSG you own a piece of that posture, you do not just read it. Re-read it annually; it changes, and you sign compliance reports against it. When the audit catches a gap, the finding has your name on it.
  • NIST SP 800-61 (Incident Handling), 800-53 / 800-171 (Controls), 800-37 (RMF); DoDI 8510.01 (RMF for DoD IT).
    The IR playbook and the RMF backbone every defensive mission maps to. SP 800-61 is the incident cycle you run a section through; 800-53 and 800-171 are the control catalogs you assess against on a protect mission; 800-37 and DoDI 8510.01 drive the supported customer's authorization posture. Quote the specific control families at the AAR — that is the difference between an analyst and a section NCOIC.
  • DoDM 8140 — Cyberspace Workforce Qualification and Management.
    The institutional gate that drives every cert, every work-role qualification, and every NCOER bullet at this rank. You are signing soldiers off against work-role tasks line by line and auditing the section's roll-up to the OIC. Read the published work-role catalog cover to cover; know the specific tasks for the roles your section owns.
  • MITRE ATT&CK; DISA STIGs (public.cyber.mil).
    The framework and the engineering standards your section defends to. ATT&CK is the coverage map you maintain for detection engineering; the STIGs are the configuration baselines you assess hosts against. The OIC and the warrant read your ATT&CK coverage matrix at the quarterly review — keep it clean and you are the section named in the read-out.
  • AR 380-67 — Personnel Security Program; AR 380-5 — Information Security Program.
    AR 380-67 is the reg behind the TS/SCI you have to protect to even hold 25D; AR 380-5 governs classified handling and SCIF operation. As section NCOIC you enforce the discipline — personal-electronics control at the SCIF entry, classified-vs-unclassified separation, destruction logs. One security incident, even a low-severity one, carries into your next NCOER and the OIC's mental model of your reliability.
  • AR 623-3 (Evaluation Reporting); AR 600-8-19 (Enlisted Promotions); AR 600-20 (Command Policy).
    You are an NCO in an Army MOS, not just a defender. AR 623-3 governs the NCOER process you now execute on two SGTs; AR 600-8-19 governs the promotion math you and your juniors compete inside; AR 600-20 governs the SHARP / EO / command-climate work the brigade CSM grades you on. Know the counseling-to-NCOER chain cold — chapter 3 of AR 623-3 is where bullet quality is defended.

Standards — How to Hit Each

  • IAT-III maintained (CASP+, CISSP, or a senior defensive GIAC like GCIH / GCIA / GCFA) appropriate to the section's mission — the analyst floor at this rank.
    CASP+ or CISSP is the IAT-III / IAM-II floor; one defensive specialty on top is the section-NCOIC credential the OIC expects. Fund it through Army Credentialing Assistance; build the study block into the section's training calendar so the certs do not compete with mission on your own time. Then track the continuing-education clock — CISSP CPEs and the GIAC family recert never lapse on the unit audit, because the lapse is the finding.
  • ALC graduate; SLC packet built 12-18 months ahead of the slot — required to stay competitive for E-7 in a senior-NCO MOS.
    SLC for 17/25-series senior NCOs runs through the schoolhouse at the Cyber Center of Excellence, Fort Eisenhower. The packet compounds: institutional credentials, NCOER profile, work-role qualification breadth, and senior-rater commentary all build over time. Get on the slate before your platoon sergeant has to fight for it, and pick a quarter that does not overlap a CPT mission rotation.
  • Section DoDM 8140 work-role qualification rate at or above mission demand — green on the OIC's slide, and you signed it honestly.
    Track the section's work-role posture in a matrix the OIC reads monthly: each operator's primary role, secondary role, and qualification status — qualified, in pipeline with named milestones, or not started. Drive the pipeline yourself; the warrant signs the evaluation; the OIC reads the roll-up. Green that you signed honestly beats green that collapses at the next inspection.
  • Defensive metrics that hold up — detections deployed, findings closed, assessments completed — reflected in NCOERs the senior rater can defend at brigade.
    Write the work into the NCOER in numbers, not 'demonstrated outstanding performance' filler. Detections deployed and tuned, findings closed by deadline, control assessments completed, juniors moved up the cert ladder — those are bullets the senior rater can defend at the brigade-level read. The senior NCO whose rated SGTs pin SSG on schedule is the senior NCO named in the SFC slate.
  • TS/SCI clean and current; ACFT 540+ — cyber is still the Army, and the CSM reads the slide the same for 25D as for 11B.
    Clearance maintenance at this rank is binary: disclose foreign contacts, report financial changes before the CO has to counsel you, and keep social media inside the SAEDA / OPSEC guidance the SSO publishes. For the ACFT, train holistic per FM 7-22 — lift three days, run intervals two, ruck when the standard demands it. The cyber soldier's fitness is one of the few cross-MOS comparison points the brigade CSM has at the senior NCO board, so let the score keep your technical work credible instead of undercutting it.

Technical Mistakes — Concrete Consequences

  • Confusing being a strong individual analyst with being a strong section NCO — staying the only one who can find the intrusion.
    The section that can only succeed when you are on terrain is a section that fails the week you are at SLC or on leave. The OIC notices the single point of failure; the senior rater writes 'failed to build the bench,' and your SFC board reads a leader who hoarded the work instead of growing defenders. The fix is the job: empower the operators sharper than you on a specific tool and qualify the section deep, not one-deep.
  • Letting a control assessment or RMF input go soft to keep a timeline.
    You either ground a network that was actually fine or you authorize a real vulnerability into an accredited system — and both land on your signature in the package. When the soft finding surfaces at the next assessment or a contested-network event, the OIC briefs 'we missed it' to higher, and the credibility you built one clean assessment at a time evaporates in one rushed one.
  • Letting a junior sit a work role they are not DoDM 8140-qualified for 'just for this assessment.'
    The next inspection finds the unqualified operator on the role, and you signed the gap. The team's authority to run the section unsupervised gets pulled until the qualification posture is fixed, the junior's pipeline resets, and your work-role roll-up — the thing the OIC trusts you for — is now suspect across the board.
  • Closing a finding or marking an alert 'no impact' without a senior defender or the warrant eyeballing it on a high-visibility event.
    The miss surfaces at the read-out — the supported customer asks the question your section did not run down, the warrant has to own it to the OIC, and the section gets the maintenance billet on the next event instead of the mission. The fix is process: two-person review before close on high-visibility findings, the warrant signs the disposition, the OIC reads it in the morning brief.
  • Burying a real OPSEC, SHARP, EO, or insider-threat indicator because the team is 'too technical to deal with that.'
    It surfaces at the worst possible time — a 15-6, a command-directed investigation, a cleared-personnel incident — and the trust the section runs on is gone. A defensive cyber section is not exempt from AR 600-20; the SSG who sits on an indicator is the SSG the 1SG can no longer leave a section with.

Career Decisions at This Rank

  • Stay 25D and chase SFC, or take the contractor exit.
    This is the conversation that never fully closes at SSG. The cleared market — Booz Allen, Leidos, MITRE, CACI, ManTech, Peraton, and the commercial IR shops — will pay a TS/SCI defender with your cert stack well above your base plus BAH, and the recruiters know your profile. The honest math: the contractor money is real and immediate; the Army side is the pension under BRS, the clearance kept current for free, the SLC-then-SFC ladder that is genuinely close at this rank, and a defined-benefit retirement the contractor billet does not match. Run the numbers yourself before you re-up or ETS — do not let a recruiter or a re-enlistment NCO run them for you. The right answer is different for the soldier two years from a 20-year retirement than for the soldier at the end of his first reclass contract.
  • 170A / 255S warrant officer packet — pursue it, mentor it, or decline it on the record.
    The warrant path is one of the highest-leverage moves a technical NCO can make: 170A (cyber operations technician) and 255S (information protection technician) are senior technical careers with their own slate, more time on the keyboard, and a pay and longevity profile that beats the senior-NCO track for the right soldier. The trade is that you stop being on the NCO leadership ladder. If you are technically sharp and want depth over formation command, build the packet now while the experience is fresh. If you would rather run a team and a formation, decline it — but decline it deliberately, document the reasoning, and then go walk one of your sharp SGTs through the option so the brigade keeps producing candidates.
  • SLC slot timing against the mission calendar.
    SLC is the SFC-to-MSG STEP gate and the E-7 board reads it as non-negotiable. The decision is whether to push for the earliest slot — gets you board-competitive fast but risks colliding with a CPT mission rotation or a deployment — or wait for a quieter quarter that does not pull you off terrain at the worst time. Talk to the platoon sergeant about the unit's mission cycle before locking the date, and build the packet 12-18 months out regardless, because the institutional credentials and senior-rater commentary compound over time, not overnight.
  • Specialize the cert stack defensive-deep, or broaden toward architecture and management.
    At SSG your cert stack forks. You can go defensive-deep — GCIH, GCIA, GCFA, the hands-on incident-response and forensics credentials that keep you the section's senior hunter and translate directly to a commercial IR billet. Or you can broaden toward CISSP-plus-cloud-architecture and the IAM track, which positions you for the section-lead and management seats and the federal-civilian GS ladder later. Defensive-deep keeps you on the keyboard and valuable to a CPT; broad-and-managerial sets up the SFC-and-beyond leadership seat and a wider post-service market. Pick on purpose, fund it through Credentialing Assistance, and do not let the stack go stale either way.
  • Re-enlistment timing and the service-remaining math.
    Your reclass came with a 36-month service-remaining commitment, and the next re-up window opens 12-18 months before contract end. Reenlistment bonuses for cyber MOS have moved through wide ranges depending on the Army's manning math — pull the current HRC SRB MILPER instead of planning on a barracks number. The trap is signing the re-up reflexively without running the contractor-vs-pension comparison, or signing it before a SFC pin changes the zone math. Talk to the career counselor, know exactly where your service-remaining clock stands, and time the decision so it is yours and not the calendar's.

How the Seat Varies by Unit Type

  • Cyber Protection Team (Cyber Protection Brigade, Fort Eisenhower with elements across the force)
    The purest 25D seat. The CPT does defensive cyberspace operations against friendly networks under attack — survey, secure, protect, hand off. Mission rotations send the team to a supported customer's environment for weeks, and the section runs the IR or hardening cycle alongside a 170A warrant and the customer's technical lead. The work-role demand is high and specific, the exercise calendar (Cyber Flag / Cyber Guard family) is real, and the post-service market is the most direct — a CPT defender's resume reads straight across to a commercial incident-response or threat-hunt billet.
  • Signal battalion / BCT S6 network defense
    Here you are the senior enlisted technical voice on whether the unit's controls hold — STIG compliance, RMF inputs, the AR 25-2 posture that keeps the network accreditable, and the day-to-day SIEM monitoring on the unit's own terrain. Less mission-rotation tempo than a CPT, more sustained defense of a single environment and more direct interface with the commander and the authorizing official's staff. The risk-translation skill matters most here because your audience is a non-technical BCT commander, not a customer agency.
  • INSCOM / 780th MI Brigade-adjacent defensive footprint
    On an intelligence-aligned defensive seat the clearance and SCIF discipline are even more load-bearing, the tasking is closer to the IC, and the work-role catalog you qualify against may lean toward threat/warning and forensics. The cert demand skews to the senior defensive GIAC family, the OPSEC posture is strict, and the joint-duty and NSA-detail forks that open at the senior NCO level are more visible from this footprint than from a conventional S6.
  • Reserve Component / National Guard cyber (CPTs and defensive cyber elements)
    Many of the strongest defenders in the force sit on the RC/NG side, because the soldier works cyber as a civilian — often for one of the same contractors — and brings that depth to drill. The 25D work is the same defensive mission, but the rhythm is drill weekends, annual training, and mobilization cycles rather than daily garrison. The advantage is a civilian cyber career running in parallel; the challenge is keeping certs, clearance, and work-role currency green on a part-time cadence the DoDM 8140 catalog still measures full-time.
  • Schoolhouse / institutional cadre (Signal School, Cyber Center of Excellence, Fort Eisenhower)
    An instructor or cadre tour at the CCoE puts you in front of every inbound 25D and 25-series soldier and shapes the MOS at the source. The technical edge dulls a little off the keyboard, but the institutional credit, the broadening, and the visibility to the proponent are real, and a strong cadre NCOER reads well at the E-7 board. The honest trade: you trade mission currency for institutional influence, so plan a return to an operational seat to keep the defensive skills sharp.

What Good Looks Like at This Rank

The good SSG 25D is the defender the OIC and the 170A name when readiness gets briefed. His detections are tuned and producing real alerts mapped to ATT&CK; his control assessments survive the authorizing official's scrutiny; his findings go out without rework; and his section's DoDM 8140 work-role roll-up is sustained green because he signed it honestly and chased the gaps with a real plan. He has CISSP or CASP+ on the wall plus a defensive GIAC, ALC done and the SLC packet built and visible, and a continuing-education clock he tracks so nothing lapses on the audit. On a CPT rotation he runs a clean section-level survey-secure-protect or IR cycle, produces the section's piece of the post-incident report on the team's deadline, and the supported owner can actually sustain the hardening he handed back. He does not try to be the only operator who can find the intrusion — he qualifies the section deep, not one-deep, so the mission does not stall the week he is at SLC. His two SGT crew leads are getting counseled on the 14th with development objectives tied to the next slate, his junior SPCs are moving Security+ to CySA+ to a GIAC on a timeline the OIC can brief, and at least one of them has had the honest 170A / 255S warrant conversation walked through end to end. When a feeder-MOS soldier in the S6 asks how to build a 25D reclass packet, he tells the truth about the rank floor, the four-year experience clock, the In-Service Screening Test, and the clearance — because nobody told him cleanly either. His ACFT is on the brigade slide where it needs to be, because he knows the CSM reads a cyber NCOER on the same axes as an infantry one and he will not give the work a reason to be discounted. And he knows the contractor number cold. The cleared cyber recruiter has already opened a billet that pays well above his base plus BAH, and he turns it down — not because he did not do the math, but because he did, and he still wants to make SFC and run a team. That is the read the OIC, the warrant, and the brigade CSM all share: a senior defender who is staying on purpose, building a bench that can carry the mission without him, and writing NCOERs the senior rater can defend bullet for bullet.

Preview — The Next Rank

At SFC (E-7) the seat changes from section NCOIC to element senior NCO. As an SSG you run a section of operators inside the team; as an SFC you run the senior enlisted line across a Cyber Protection Team element or a network-defense section — the OIC commands, the senior warrant engineers, and you make sure the defenders, the readiness posture, and the work product are real. You stop being the senior analyst on terrain and become the senior NCO who owns whether the whole element is ready on day one of a contested-network event. The load shifts from individual technical excellence to building and defending a pipeline. You own the element's DoDM 8140 work-role readiness roll-up and sign it at brigade; you write four to five senior NCOERs a period that pick the next SSGs and SFCs on the slate; you mentor 170A / 255S warrant candidates from interest through packet through the selection board; and you run the 25D reclass screen for inbound feeder-MOS soldiers, because the MOS lives or dies on bringing the right senior soldiers in. The exercise and mission tempo gets bigger too — you lead the element's senior-enlisted half through the Cyber Flag / Cyber Guard family, CTC cyber injects, and supported-command operations, and you run the senior side of the brigade-level after-action. The institutional gates move up a notch: SLC graduate becomes the floor, the MLC packet becomes the next STEP gate, and the First Sergeant diamond conversation with the brigade CSM starts before you sit MLC. The retention fight intensifies — the contractor market at the SFC profile pays even more — and managing that fight for your defenders becomes one of your load-bearing institutional contributions. The senior-NCO basics get less forgiving, not more: the brigade reads your NCOER profile as the bench the cyber community is producing, and a thin one shows. Start the SFC habits now — sign honest readiness, build the bench deep, and write NCOERs you can defend bullet for bullet.
FAQ

25D E6 — Frequently Asked Questions

Q01What does a E6 25D (Cyber Network Defender) actually do?
You are the core CND analyst NCO — historically the rank where most soldiers actually award 25D and the center of gravity of the whole MOS.
Q02What's the most important thing to know as a E6 25D?
SSG is the rank 25D was built around — where most soldiers actually award the MOS and where its center of gravity sits.
Q03What does a typical day look like for a E6 25D?
Time-blocked day at the E6 25D rank tier: 0530 PT formation. You are there early because the two SGTs and the junior operators need to see you there — a defensive cyber section that skips PT is a section the brigade CSM remembers for the wrong reason. Accountability, then unit or section PT, 0630-0730 Unit PT. Lift days, interval-run days, ruck when the standard demands. You run the warm-up or set the pace; your form is what the juniors copy. Cyber is still the Army and the ACFT is on the same slide as everyone's, 0730-0900 Hygiene, chow, change.…
Q04What mistakes get E6 25D soldiers fired or relieved?
DUI, Article 15, fraternization, or a financial spiral at this rank. The cleared cyber community is small; the read propagates inside the brigade within a month and the SSO is in the TS/SCI conversation within the quarter. Once the clearance is pulled or downgraded, 25D is over — you can finish the contract, but the work role is foreclosed and so is the contractor exit you were eyeing;…
Q05What career decisions matter most at the E6 25D rank tier?
Stay 25D and chase SFC, or take the contractor exit — This is the conversation that never fully closes at SSG. The cleared market — Booz Allen, Leidos, MITRE, CACI, ManTech, Peraton, and the commercial IR shops — will pay a TS/SCI defender with your cert stack well above your base plus BAH, and the recruiters know your profile. The honest math: the contractor money is real and immediate; the Army side is the pension under BRS, the clearance kept current for free, the SLC-then-SFC ladder that is genuinely close at this rank,…
Q06What's next after E6 for a 25D (Cyber Network Defender) in the Army?
At SFC (E-7) the seat changes from section NCOIC to element senior NCO.
Q07What manuals and regulations does a E6 25D need to know cold?
AR 25-2 — Army Cybersecurity (you own the unit posture now, not just read it).; NIST SP 800-61 — Incident Handling; NIST SP 800-53 / 800-171 — Controls (you assess against these on defensive missions).; NIST SP 800-37 — Risk Management Framework; DoDI 8510.01 — RMF for DoD IT (the accreditation backbone your assessments feed).

This playbook has no tips yet. Be the first to share what you know.

Published by the Honest MOS Editorial DeskVerified against DoD/.gov sourcesUpdated May 2026Editorial standards