Maths for Cyber Security Jobs: The Only Topics You Actually Need (& How to Learn Them)
If you are applying for cyber security jobs in the UK it can feel like “real security people” must be brilliant at maths. The reality is simpler: most roles do not need degree-level pure maths. What they do need is confidence with a small set of practical topics that show up repeatedly in day-to-day work across SOC, incident response, cloud security, AppSec, threat detection, IAM & security engineering.
This guide strips the maths down to what actually helps you get hired. It includes a 6-week learning plan plus portfolio projects you can publish to prove the skills.
You will focus on:
Number systems & bitwise thinking (binary, hex, bytes, XOR)
Modular arithmetic basics (enough to understand how modern crypto “works”)
Probability & statistics for detection, triage & risk
Discrete maths for logic, sets, graphs & complexity
Security maths habits: estimation, false positive control & evidence-led reporting
You will not waste time on heavy theory that rarely appears in junior or mid-level cyber security roles.
Who this is for
This is aimed at UK job seekers targeting roles like:
SOC Analyst, Detection Analyst, Threat Hunter
Incident Responder, DFIR Analyst
Cloud Security Engineer, Security Engineer, Platform Security
Application Security Engineer, Security Tester, Security Consultant
IAM Analyst, Security Analyst, GRC Analyst with a technical leaning
If you are targeting deep cryptography research or specialised reverse engineering research you will likely need more maths later. You can still start here and build a strong foundation first.
Why maths matters in cyber security
Security decisions are almost always decisions under uncertainty. You rarely get perfect evidence. You get logs, alerts, partial context, noisy signals & time pressure.
Maths helps you do five things employers care about:
Avoid false confidence by understanding uncertainty & limits
Reduce false positives so detections are operational not just “technically correct”
Reason about risk using likelihood, impact & control effectiveness
Read standards & guidance without getting lost in terminology
Communicate decisions with defensible incident notes & recommendations
Modern incident response guidance from NIST frames incident response recommendations as part of an organisation’s wider cyber risk management activities which reinforces that security work is about practical decisions not perfect certainty. NIST Computer Security Resource Center
The only maths topics you actually need
1) Number systems you will use constantly (binary, hex, bitwise)
This is the “quiet maths” of cyber security. It shows up everywhere even if the job advert never mentions it.
What you actually need
Binary & hexadecimal conversion at a practical level
Bits vs bytes, KB/MB/GB conversions
Bitwise operations conceptually (AND, OR, XOR, shifts)
Representation awareness: “this looks different” does not always mean “this is different”
Where it shows up in real jobs
Reading hashes, keys, IVs, signatures & artefacts (hex is everywhere)
Spotting flags & bitmasks in logs
Understanding permissions, settings & encodings
Debugging “why does this token or value look wrong” issues
Mini exercises
Take a short hex string and convert it to bytes then represent the same bytes in base64 then convert back. Write one paragraph explaining what changed (representation) & what did not (the underlying bytes).
Take a bitmask value from a public log example and decode which flags are set.
Write a short note explaining why “32 bytes” is not “32 characters”.
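The three exercises above as one worked script. This is an added example, not code from the original guide; the sample value is constructed and the flag table is a subset of the Active Directory userAccountControl bits, chosen here as an assumption because the guide does not name a specific bitmask.

```python
import base64

# Subset of Active Directory userAccountControl bit flags, used here as the
# example bitmask (assumption: the guide does not name a specific flag set).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

def round_trip(hex_text: str) -> dict:
    """hex -> bytes -> base64 -> bytes; report each form and its length."""
    raw = bytes.fromhex(hex_text)
    b64 = base64.b64encode(raw).decode("ascii")
    back = base64.b64decode(b64, validate=True)
    return {
        "n_bytes": len(raw),          # the underlying data
        "hex_chars": len(raw.hex()),  # 2 characters per byte
        "b64_chars": len(b64),        # 4 characters per 3 bytes, padded
        "b64": b64,
        "same_bytes": back == raw,    # representation changed, bytes did not
    }

def same_value(hex_a: str, hex_b: str) -> bool:
    """Compare two hex artefacts by bytes, ignoring case and whitespace."""
    return bytes.fromhex(hex_a) == bytes.fromhex(hex_b)

def decode_flags(mask: int, table: dict = UAC_FLAGS):
    """Return (names of set flags, leftover bits the table does not cover)."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    known = 0
    for bit in table:
        known |= bit
    return names, mask & ~known

# Constructed sample: a 32-byte (256-bit) value, the size of a SHA-256 digest.
SAMPLE_HEX = bytes(range(32)).hex()

if __name__ == "__main__":
    print(round_trip(SAMPLE_HEX))                  # 32 bytes, 64 hex chars, 44 base64 chars
    print(same_value("DE AD BE EF", "deadbeef"))   # looks different, is the same
    print(decode_flags(66050))                     # disabled account, password never expires
```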
2) Modular arithmetic essentials (enough to understand crypto in practice)
You do not need to invent cryptography for most cyber security jobs. You do need to understand what cryptographic claims mean & what breaks them.
Modular arithmetic is a foundation of many public key systems. If you understand “maths mod p” plus inverses at a practical level most crypto explanations stop feeling like magic.
What you actually need
Modulo operation conceptually (remainders)
Modular multiplication & modular exponentiation at a high level
GCD intuition & modular inverse conceptually
Finite field intuition: why “division” behaves differently in modular arithmetic
Where it shows up
Understanding why key sizes matter
Understanding why randomness matters (nonces, IVs, salts)
Interpreting signature workflows & verification steps
Avoiding misconceptions like “encryption proves identity”
Mini exercises
Write a tiny script that computes (a ** b) % n for large b then compare it with a faster approach using built-in modular exponentiation and explain why it matters.
Demonstrate a modular inverse for a small prime modulus and explain why inverses do not always exist in some modular systems.
Write a short explanation of why nonce reuse is dangerous in some schemes.
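A worked version of the first two exercises, added here as an example rather than taken from the original guide. The function names and the small moduli are illustrative choices; the naive form is included only to show how large the intermediate value gets.

```python
def modexp(a: int, b: int, n: int) -> int:
    """Square-and-multiply: about log2(b) steps, every value stays below n."""
    result = 1 % n
    a %= n
    while b > 0:
        if b & 1:                  # this bit of the exponent is set
            result = (result * a) % n
        a = (a * a) % n            # square for the next bit
        b >>= 1
    return result

def naive_intermediate_bits(a: int, b: int) -> int:
    """Size in bits of a**b, the number (a ** b) % n has to build first."""
    return (a ** b).bit_length()

def modinv(a: int, n: int):
    """Modular inverse by extended Euclid; None when gcd(a, n) != 1."""
    old_r, r = a % n, n
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:                 # a and n share a factor: no inverse exists
        return None
    return old_s % n

def invertible_residues(n: int) -> list:
    """Every value in 1..n-1 that has an inverse mod n."""
    return [a for a in range(1, n) if modinv(a, n) is not None]

if __name__ == "__main__":
    n = 1_000_003
    # Same answer three ways; only the naive one builds a huge integer.
    print(modexp(3, 10_000, n), pow(3, 10_000, n), (3 ** 10_000) % n)
    print(naive_intermediate_bits(3, 10_000), "bits before reduction")
    # Prime modulus: every non-zero value is invertible.
    print(modinv(3, 7), invertible_residues(7))
    # Composite modulus: values sharing a factor with 12 have no inverse.
    print(modinv(4, 12), invertible_residues(12))
```

With cryptographic-size exponents the naive intermediate would not fit in memory, which is why built-in `pow(a, b, n)` or an equivalent is always used.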
Resources
Khan Academy’s modular arithmetic explainer is aligned with what security learners need. khanacademy.org
Crypto 101 is a practical book aimed at engineers and developers and is a solid reference for applied cryptography concepts. crypto101.io
3) Probability & statistics for detection, triage & risk
If you want to stand out in cyber security get good at probability. It shows up in alert triage, anomaly detection, phishing analysis, threat hunting, vulnerability prioritisation & any role that touches monitoring.
What you actually need
Basic probability language: events, conditional probability, independence
Base rates & why they dominate outcomes when attacks are rare
Confusion matrix thinking: true positive, false positive, true negative, false negative
Precision & recall intuition for SOC and detection roles
Distributions that are useful in practice: binomial intuition for repeated trials & Poisson intuition for event counts over time
Confidence in proportions: “we saw 3 failures out of 1,000” what does that mean operationally
Why base rates matter
Many security events are rare. When something is rare even a “good” detector can generate lots of false positives. This is the engine behind alert fatigue.
If you can explain this clearly you will sound senior quickly because you can move discussions from “turn on everything” to “turn on what is sustainable and what actually improves outcomes”.
Where it shows up
Tuning SIEM detections & reducing noise
Explaining why a detection needs context enrichment
Threat hunting: deciding whether a pattern is meaningful
Incident response: deciding how confident you are before escalating
IAM & fraud: balancing false rejects vs false accepts
Mini exercises
Build a simple confusion matrix from a toy dataset then compute precision and recall.
Create a base rate example: 0.1% of logins are malicious. Explore what happens when a detector has a strong true positive rate but a modest false positive rate. Write a paragraph explaining why you still get a flood.
Simulate event counts per hour with a simple Poisson assumption then pick an alert threshold that reduces noise while still catching spikes.
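The base-rate and Poisson exercises worked through in code, as an added example that is not part of the original guide. The 0.1% base rate comes from the exercise above; the daily volume, the 99% true positive rate, the 1% false positive rate and the mean of 4 events per hour are assumptions chosen for illustration.

```python
import math

def detector_outcomes(events: int, base_rate: float, tpr: float, fpr: float) -> dict:
    """Expected confusion-matrix counts for a detector run over `events`."""
    malicious = events * base_rate
    benign = events - malicious
    tp = malicious * tpr           # malicious and alerted
    fn = malicious - tp            # malicious and missed
    fp = benign * fpr              # benign and alerted: the analyst's noise
    tn = benign - fp
    alerts = tp + fp
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn, "alerts": alerts,
        "precision": tp / alerts if alerts else 0.0,
        "recall": tp / (tp + fn) if malicious else 0.0,
    }

def poisson_threshold(mean_per_hour: float, max_false_rate: float) -> int:
    """Smallest count k with P(X >= k) <= max_false_rate, X ~ Poisson(mean)."""
    pmf = math.exp(-mean_per_hour)     # P(X = 0)
    cdf = 0.0                          # P(X < k)
    k = 0
    while 1.0 - cdf > max_false_rate:  # tail P(X >= k) is still too likely
        cdf += pmf
        k += 1
        pmf *= mean_per_hour / k       # P(X = k) from P(X = k - 1)
    return k

if __name__ == "__main__":
    # Assumed: 1,000,000 logins per day, 0.1% malicious, TPR 99%, FPR 1%.
    day = detector_outcomes(1_000_000, 0.001, 0.99, 0.01)
    print(f"alerts/day={day['alerts']:.0f}  true={day['tp']:.0f}  "
          f"false={day['fp']:.0f}  precision={day['precision']:.1%}")
    # Assumed: a quiet source averaging 4 events per hour.
    for rate in (0.01, 0.001):
        print(f"alert at >= {poisson_threshold(4.0, rate)} events/hour "
              f"keeps the chance of a noise-only alert per hour <= {rate}")
```

Even with a 99% true positive rate, roughly nine in ten alerts are false under these assumptions, because benign logins outnumber malicious ones a thousand to one.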
Resource
TryHackMe’s SOC Level 1 path is built around defensive topics and real-world analysis scenarios and is a strong hands-on practice option for job seekers. TryHackMe
4) Discrete maths for logic, sets, graphs & complexity
A lot of cyber security maths is discrete rather than continuous. It is about rules, relationships & structure.
What you actually need
Logic & Boolean reasoning
AND, OR, NOT logic used in detections, queries & access rules
De Morgan’s laws at an intuitive level for query tuning
Sets
Membership, union, intersection
Why set thinking helps with allowlists, blocklists & indicator matching
Graphs
Nodes & edges thinking for attack paths, identity relationships & lateral movement
Basic traversal intuition: “what can reach what”
Complexity awareness
Big O intuition: what scales badly
Why “this query scans everything” becomes an outage risk
Where it shows up
Writing SIEM queries that are correct & efficient
Understanding attack paths & identity relationships
Modelling “who has access to what” in cloud environments
Application security: reasoning about conditions, edge cases & state transitions
Mini exercises
Write a detection rule in plain English then translate it into a query while keeping grouping correct.
Build a small graph of users, roles & resources then answer “who can reach the crown jewels” and “what single control breaks the risky path”.
Take two IOC sets and compute overlap then explain what enrichment adds value.
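The graph exercise above as a small reachability check, added here as an example and not taken from the original guide. The users, roles, permission and resource names are a constructed sample, and "single control" is modelled as removing one edge.

```python
from collections import deque

# Constructed sample graph. An edge means "can assume / is granted / acts on".
EDGES = [
    ("user:alice", "role:dev"),
    ("user:alice", "role:oncall"),
    ("user:bob", "role:support"),
    ("role:dev", "role:deployer"),        # role chaining
    ("role:oncall", "role:deployer"),     # second route to the same role
    ("role:deployer", "perm:read-backups"),
    ("role:support", "perm:read-tickets"),
    ("perm:read-backups", "res:customer-db-backups"),
    ("perm:read-tickets", "res:ticket-queue"),
]

def build(edges):
    """Adjacency map for a directed graph."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
    return graph

def reachable(graph, start):
    """Breadth-first search: everything `start` can get to."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def who_can_reach(edges, target):
    """Users with any path to `target`."""
    graph = build(edges)
    users = {src for src, _ in edges if src.startswith("user:")}
    return sorted(u for u in users if target in reachable(graph, u))

def single_cuts(edges, source, target):
    """Edges whose removal alone disconnects `source` from `target`."""
    cuts = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if target not in reachable(build(remaining), source):
            cuts.append(edge)
    return cuts

if __name__ == "__main__":
    crown = "res:customer-db-backups"
    print(who_can_reach(EDGES, crown))
    # Removing alice's dev role is not enough: the oncall route still works.
    print(single_cuts(EDGES, "user:alice", crown))
```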
5) Security maths habits that unlock job readiness fast
These are not “topics” but they are what hiring managers notice.
A) Estimation under pressure
Be able to estimate:
how many alerts per day a detection will generate
how much log volume a new data source will add per day
how long a brute force attempt would take under rate limits
how long it will take to triage 500 alerts with current staffing
Rough estimates with clear assumptions beat guessing.
B) Evidence-led language
Write conclusions like:
“We observed X across Y hosts over Z hours”
“This is consistent with A but could also be B”
“Confidence: medium because C evidence is missing”
That is maths-driven communication.
C) Avoiding metric traps
Averages hide pain. Ratios matter. Base rates matter. Always ask:
what is the distribution
what is the base rate
what is the false positive cost
what is the operational impact if this fires at scale
The 6-week maths plan for cyber security jobs
Aim for 4–5 sessions per week of 30–60 minutes. Each week produces one portfolio output you can publish.
Week 1: Number systems & “security arithmetic”
Learn
Binary, hex, bits vs bytes, representation
Build
A notebook that converts between hex, bytes & base64
A one-page cheat sheet of common sizes (128-bit, 256-bit, 32 bytes)
Output
Repo: cyber-security-number-systems with examples & explanations
Week 2: Modular arithmetic & crypto foundations
Learn
Modular arithmetic, inverses, why randomness matters
Build
A notebook demonstrating mod arithmetic, modular exponentiation & modular inverses
A short written note explaining what hashing, encryption & signatures do and do not do
Output
Repo: cyber-security-crypto-maths-basics
Resources
Khan Academy modular arithmetic khanacademy.org
Crypto 101 crypto101.io
Week 3: Probability for detections (confusion matrix & base rates)
Learn
Precision, recall, false positives, base rates
Build
A simulation notebook showing why rare events create alert fatigue
A tuning note: what you would change & what impact you expect
Output
Repo: cyber-security-detection-probability
Week 4: Discrete maths for queries & attack paths
Learn
Boolean logic, sets, graphs, basic complexity
Build
A pack of detection rules: plain English → query
A simple identity attack path graph example: user → role → permission → resource
Output
Repo: cyber-security-logic-graphs
Week 5: Pick a track & apply it
If you want application security
Work through web vulnerability labs & focus on logic errors, authentication flows & input handling
Use OWASP Top 10 as a risk map and PortSwigger labs for practice owasp.org
If you want SOC
Work through hands-on defensive scenarios & write short triage notes
TryHackMe SOC Level 1 is designed for defensive analysis practice TryHackMe
Output
A short portfolio note: 3 detections or controls you would deploy first plus why
Week 6: Incident response maths in practice (triage, confidence, timelines)
Learn
How incident response fits into cyber risk management
How to document decisions & confidence
NIST SP 800-61 Rev 3 provides incident response recommendations & considerations in the context of broader cyber risk management activities. NIST Computer Security Resource Center
NIST also maintains an Incident Response project page that links to additional resources. NIST Computer Security Resource Center
Build
A mock incident report with:
a timeline of events
counts & rates (affected users, hosts, failed logins, unusual processes)
confidence statements & next actions
Output
Repo: cyber-security-incident-report-template with a polished example
Portfolio projects that prove the maths on your CV
These projects are defensive and ethical. They are designed to map to common interview conversations.
Project 1: Detection tuning using base rates
What you build
A notebook that models base rates & false positive volume
A tuning proposal with threshold changes & expected alert volume
Skills shown
probability, operational thinking, stakeholder clarity
Project 2: SIEM-style query logic pack
What you build
10 detection rules written in plain English plus query versions
Each includes edge cases & false positive notes
Skills shown
logic, precision, practical SOC value
Project 3: IAM relationship graph mini audit
What you build
A small graph model of identities, roles & resources
A short report identifying risky paths & proposing one least-privilege change
Skills shown
graph thinking, access reasoning, risk framing
Project 4: Web risk mapping note using OWASP Top 10
What you build
A short document mapping a sample app’s risks to OWASP Top 10 categories
A prioritised fix list with justification
Skills shown
structured reasoning, prioritisation, communication
Resources
OWASP Top 10 2025 is the current released version on OWASP’s Top Ten project page and includes the 2025 content set. owasp.org
PortSwigger Web Security Academy provides free training materials & interactive labs for web security learning. portswigger.net
How to write this on your CV
Replace “good with maths” with evidence like:
Built a base-rate simulation to estimate false positive volume & produced a detection tuning proposal to reduce noise while maintaining coverage
Created a logic-first detection pack translating analyst hypotheses into efficient queries with documented edge cases
Modelled identity-to-resource relationships as a graph to identify high-risk access paths & recommended least-privilege controls
Produced an incident report template with clear counts, rates, confidence statements & next actions aligned with modern incident response guidance NIST Computer Security Resource Center
Resources & learning pathways
Incident response & SOC practice
NIST SP 800-61 Rev 3 Incident Response Recommendations & Considerations for Cyber Risk Management (official). NIST Computer Security Resource Center
NIST Incident Response project page with additional resources. NIST Computer Security Resource Center
TryHackMe SOC Level 1 path for defensive topics & analysis scenarios. TryHackMe
Application security
PortSwigger Web Security Academy (free learning centre with labs). portswigger.net
OWASP Top 10 2025 web application security risks. owasp.org
Identity & authentication
NIST SP 800-63-4 Digital Identity Guidelines suite (current guidance). pages.nist.gov
Cryptography foundations for practitioners
Khan Academy modular arithmetic for cryptography learners. khanacademy.org
Crypto 101 (practical cryptography reference). crypto101.io
Next steps
Pick one target track (SOC, application security, cloud security or IAM) then run the 6-week plan while applying for roles. Publish your outputs with READMEs that state assumptions, show calculations & explain decisions.
In UK cyber security hiring the people who can quantify trade-offs & explain uncertainty calmly are often the people trusted fastest.