How To Become a Cryptanalyst

hands on keyboard with stacks of encrypted code superimposed over

Cryptology is the study and art of writing and solving codes. In today's digital world, cryptology is an essential component of cyber security—encrypting sensitive information can help protect it against various cyber attacks. However, those same methods can be used by cyber criminals to commit cyber crime, which is where cryptanalysts come in.

Cryptanalysts decipher or "break" codes to unearth the information they are meant to obscure. Because of this, cryptanalysts are often employed by law enforcement, the military and other government entities to break codes that were made by cyber criminals, meaning their role in the cyber security ecosystem is essential for keeping precious data safe.

In This Article

What is a cryptanalyst?
What does a cryptanalyst do?
How to become a cryptanalyst
Bootcamps for cryptanalysts
Required Skills

Career paths and job outlook
Cryptanalysis techniques
Related Certifications
Getting started

What is a cryptanalyst?

Cryptology is the study of codes, while cryptography is the art of writing and solving them. This means these two terms are nearly identical and may be used interchangeably in some contexts.

The people who encode information through encryption, ciphers algorithms and more are called cryptographers. In other words, they create the codes. Those that decipher or break the codes are called cryptanalysts. Many cyber security professionals that are well versed in cryptology do both, while others may choose to specialize in one or the other.

"Cryptanalysis is the discipline more commonly known as codebreaking. Foreign countries and terrorists use cryptography to encrypt their communications and to control access to their computer networks," said a spokesperson for the National Security Agency (NSA). "Cryptanalysts at NSA find ways to get around those protections so that the United States has the information it needs for national security."

What does a cryptanalyst do?

A cryptanalyst's job may vary a bit depending on who they work for and the cryptologic goals of their employer. It's quite common for cryptanalyst positions to include cryptography as part of their job duties (making codes) instead of just working on cryptanalysis (breaking codes) since they are in many ways two sides of the same coin.

With that in mind, a cryptanalyst's job duties typically include the following:

Receive and analyze intelligence information

Research and test cryptologic methods and applications

Evaluate weaknesses in cryptologic security systems and design modifications

Develop and implement cryptographic algorithms to protect secure information

Remain up-to-date on trends in cryptography through continuing education

Many other high-level IT and/or cyber security positions may also include cryptanalysis or cryptography as a component of that job, such as security managers or security architects.

"Codebreaking is almost never straightforward, and cryptanalysts have to think creatively and consider a wide range of approaches," the NSA spokesperson said. Those approaches include:

"Finding mathematical weaknesses in an encryption algorithm."
"Discovering that a programmer who wrote encryption-code made a mistake."
"Collaborating with partners throughout the United States Government, and more."

"This work generally appeals to people who love to solve puzzles; in this case, the answers to the puzzles are vital to national security," the spokesperson said.

Cryptanalysis through history

Evidence of cryptography goes back as far as ancient Egypt. Ciphers—an algorithm for encrypting and decrypting information—are one of the oldest and most basic forms of cryptography. A cipher alphabet, for example, exchanges each letter in an alphabet for another, different letter. In addition to the evidence that they were used in ancient Egypt, ciphers were used by the Greeks and other ancient societies of the time.

Al Kindi was a ninth-century mathematician from Iraq, considered by many people to be the "Father of Cryptanalysis." He is remembered for being the first person to study the statistical frequency of letters in a text. This led him to conclude that you could break a cipher alphabet code simply by analyzing the frequency of certain letters in the code. A man from Queen Elizabeth I's secret service had knowledge of Al Kindi and his principles when he intercepted a letter from Mary, Queen of Scots, which exposed her participation in a plot to have Elizabeth assassinated and put her on the throne. This led to Mary's conviction and eventual execution in 1587, one of the most pivotal events of the medieval English monarchy.

Cryptography only advanced so far for most of its existence and didn't start to really evolve until the 19^th century and again in the 20th century with the rise of computer technology.

Perhaps one of the most well-known examples of cryptanalysis in history is the work done by Alan Turing during World War II, which later inspired the 2014 film, "The Imitation Game." During the war, the German military used an enciphering machine known as the Enigma to discreetly send messages. Cracking this code is perhaps Turing's biggest claim to fame—he created a machine known as the Bombe that could read the German code and which supplied the Allies with immense amounts of important military intelligence. Although there is no way to know for certain, many people speculate that if it weren't for Turing's cryptanalytic contributions to the war, the war may have gone on for several years longer with millions more lives lost.

Ethical considerations in cryptanalysis and cryptography

Breaking a code meant to protect certain information, just as one might pick a lock on a safe, raises certain ethical questions about the balance between privacy and protection. Encryption can be used for good to protect personal information, but the inverse is also true: it can be used by criminals and perhaps hinder law enforcement efforts. Some people, therefore, see this sacrifice of overall security to be too great, while others may argue that it's worth it to uphold our individual right to privacy.

Encryption can be used for good to protect personal information, but the inverse is also true: it can be used by criminals and perhaps hinder law enforcement efforts.

The moral and ethical implications in the field of cryptography don't end there, however. Phil Rogaway, an esteemed cryptographer and professor at the University of California, Davis, discussed this topic in great detail as the 2015 International Association for Cryptologic Research (IACR) Distinguished Lecturer.

In the abstract of his paper which the lecture was based on, he wrote, "Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension… I call for a community-wide effort to develop more effective means to resist mass surveillance. I plead for a reinvention of our disciplinary culture to attend not only to puzzles and math, but, also, to the societal implications of our work."

How to become a cryptanalyst

There's no singular path that leads to a career as a cryptanalyst. To become a cryptanalyst, you'll need a combination of relevant cyber security education and training which can be supplemented with various credentials and certifications.

Educational requirements

You'd be hard-pressed to find someone who learned cryptanalysis on their own, which is why education is so vital to building a foundation for a cryptanalysis career. Most cryptanalysts need at least a bachelor's degree in mathematics, computer science, or a closely related field such as cyber security, information technology or computer engineering. Some schools offer cryptography as a specialization or concentration within another major, such as a mathematics degree with a cryptography focus, but it is not an undergraduate major on its own.

"A degree in mathematics, engineering, computer science, data science, statistics or a related field is required for most cryptanalysis positions. Related fields may be considered relevant if the programs contain specific coursework," the NSA spokesperson said.

A job in cryptanalysis isn't usually an entry-level position, so you may need an advanced degree to land a cryptanalyst job or progress in the field. A cyber security related graduate degree has the added bonus of allowing students to specialize more, and it's at this level that you can find graduate cryptography programs such as a master's degree in cryptography. A master's degree in computer science or any of the subjects mentioned above can also benefit cryptanalysts.

If you wish to take your education to the very top—and if you want to truly be a master in your field—a doctoral degree in cryptography or computer science may be a good choice. This education level may even be necessary to access some of the most advanced positions, especially within government entities such as the NSA.

Cryptanalysis training

On-the-job training and the experience you accrue in various roles over time may be the most important aspect of becoming a cryptanalyst, but there are a few other ways to get trained outside of a traditional degree program:

Government training programs:: There are several government-sponsored training programs to prepare you for a career in cryptanalysis or cryptology in general, such as the ones offered by the National Security Agency (NSA). These programs are several years long and directly prepare you for full-time positions within the agency.
Online cryptography courses:: Online learning providers such as Coursera, edX and more offer courses in cryptography and cryptanalysis. These can give you a foundational understanding of cryptography and may award you a certificate of completion, but these are not usually considered sufficient substitutes for a traditional education. Rather, these may be best for those who wish to complement their degree with additional skills.
Cryptography conferences and workshops:: Organizations like the International Association for Cryptologic Research (IACR) put on several conferences per year. Attending events like these are a great way to network with professionals, gain exposure to the field and learn about other continuing education offerings they may have, such as workshops and other courses.

"The Cryptanalysis Development Program (CADP) is looking to hire people with degrees in STEM, for example math, computer science, statistics, physics, engineering or a related degree who have an aptitude for and an interest in solving challenging problems. It is a great program for those who love puzzles and love to learn!" the NSA spokesperson said. "In the CADP, employees will learn cryptanalysis on-the-job, working mission problems in a series of cryptanalysis offices, supported by technical mentors. They will also learn cryptanalysis through more formal two- to three-week in-house courses, which teach the tools and tradecraft of cryptanalysis. Throughout the program, employees are encouraged to build their professional networks within CADP and in their mission offices."

Bootcamps for aspiring cryptanalysts

Cyber security bootcamps are becoming an increasingly popular way for people to learn the knowledge and skills necessary to gain entry-level access to the field of cyber security. Most bootcamps are offered by academic providers (colleges and universities) or independent providers (skills academies and training companies). They typically take anywhere from three to nine months to complete, though some are shorter or longer.

Cryptography and cryptanalysis themselves are not really offered as the sole subject of a bootcamp, but most beginner-friendly cyber security bootcamps include coursework in both. This can still be an excellent way to break into the field.

Benefits of attending a bootcamp

Bootcamps provide a different learning experience compared to traditional degree programs. These differences come with their own unique benefits worth considering for anyone interested in a cyber security career:

Shorter times to complete means they typically cost less and can get you into the workforce sooner
Full-time and part-time options allow the flexibility to work with your schedule
Fully online, hybrid or in-person learning formats mean there's a program to meet any learning style
With a curriculum concentrated solely on cyber security, you'll gain exactly the knowledge and skills you need to succeed

Popular cryptanalysis bootcamps to consider

Here is a sample of some popular bootcamps you may consider to help prepare you for a cryptanalysis career:

Provider: Evolve Academy
Bootcamp name: Cybersecurity Bootcamp
Time to complete: 20 weeks
Cryptanalysis content: Includes coursework on cryptography, such as the core concepts of encryption, how to implement and manage encryption policies and how to use hacking tools to crack passwords

Provider: Flatiron School
Bootcamp name: Cybersecurity Engineering
Time to complete: 15 weeks (full-time) or 40 weeks (part-time)
Cryptanalysis content: Includes a nine-week course on applied cryptography which provides hands-on experience on configuring a web server with SSL/TLS, and interfacing with Certificate Authorities, issuing certificates, configuring SSH securely, and sending/receiving encrypted and signed email

Provider: Springboard
Bootcamp name: Cybersecurity Career Track
Time to complete: Six months
Cryptanalysis content: Encryption and hashing concepts are covered in their Security Operations (SecOps) unit

Skills for cryptanalysts

Cryptanalysis requires a fair amount of technical, "hard" knowledge, but as with practically any job, technical skills may only get you so far. If you want to work in cryptanalysis, consider these skills which you may need to master to be successful:

Hard skills	Soft skills
Understanding of multiple programming languages (Java, Python, etc.)	Ability to work under pressure
Advanced comprehension of mathematics	Critical thinking and analysis
Competency in known cryptanalysis techniques	Fine attention to detail
Comprehensive understanding of computer science and cyber security	Ability to communicate effectively and collaborate with others

The spokesperson for the NSA also listed the following as important skills for cryptanalysts:

"An aptitude for and an interest in solving challenging problems."
"An interest in using programming and other computational tools to solve real-world problems – there is not a requirement for any particular programming background, but applicants need to be comfortable with the idea of learning and using computational tools."
"A willingness to grow and apply technical communication skills, documenting and presenting progress and results."
"The ability and willingness to work as part of a team to tackle challenging problems."

Career paths and job outlook

Cryptanalysts, like many other cyber security roles, typically have the option to work in one of two settings: in the public sector for government agencies or in the private sector for private companies and businesses.

Public sector government agencies include local law enforcement and state or federal agencies such as the NSA. In these roles, a cryptanalyst is usually focused on protecting the digital integrity of highly sensitive government information, from military intelligence to personally identifiable information (PII). Most cryptanalysis jobs are found in the public sector.

"The NSA's current cryptanalysis population works in a number of different organizations and across the extended enterprise (including Texas, Georgia, Hawaii and Colorado). The majority of the Agency's cryptanalysts are in The Cryptanalysis and Signals Analysis organization, which is responsible for delivering cryptanalytic and signals analytic results that yield the highest impact and security outcomes for NSA and the Nation," the NSA spokesperson said.

Cryptanalysts may work for private companies, however, or contract their services to a combination of the two. When working for a private company, a cryptanalyst is focused on decrypting and addressing cyber security attacks or threats to that particular company. Since their job scope is focused solely on that company, it's more likely that their job duties include cryptography and other cyber security tasks as well.

Cryptanalyst salary and job outlook

While the U.S. Bureau of Labor Statistics (BLS) does not track data for cryptanalysts specifically, it does report salary and job growth projection data for information security analysts. This position can encompass many different cyber security-related roles, including cryptographers and cryptanalysis. Read our guide to cyber security salaries to get an idea of the various industry roles and their associated wages.

According to the 2023 Occupational Employment and Wage Statistics from the BLS, the median annual salary for information security analysts is $120,360, with the top 10% earning upwards of $182,370. The bottom 10% earn $69,210, which is still higher than the annual mean wage across all occupations. The metropolitan areas of Washington D.C., San Jose, San Francisco and New York have some of the highest wages and employment numbers of this profession.

The BLS estimates that the employment of information security analysts will grow a staggering 31.5% through 2032

The BLS estimates that the employment of information security analysts will grow a staggering 31.5% through 2032, much faster than the average across all occupations. Unsurprisingly, they attribute this demand to the need for cyber security professionals to address increasing cyber security attacks and the need to secure new technologies from external threats.

Information Security Analysts

National data

Median Salary: $120,360

Projected job growth: 31.5%

10th Percentile: $69,210

25th Percentile: $90,050

75th Percentile: $153,550

90th Percentile: $182,370

Projected job growth: 31.5%

State data

State	Median Salary	Bottom 10%	Top 10%
Alabama	$105,460	$58,130	$164,790
Alaska	$104,480	$83,240	$137,060
Arizona	$108,440	$65,040	$167,260
Arkansas	$91,480	$56,310	$126,590
California	$135,250	$63,860	$212,650
Colorado	$123,590	$80,150	$181,890
Connecticut	$127,390	$84,320	$171,710
Delaware	$134,560	$91,240	$167,620
District of Columbia	$132,470	$81,880	$181,430
Florida	$104,110	$67,410	$165,990
Georgia	$117,360	$68,760	$174,680
Hawaii	$106,980	$61,880	$171,750
Idaho	$101,780	$55,850	$160,920
Illinois	$116,800	$67,460	$172,120
Indiana	$95,640	$62,910	$160,840
Iowa	$117,520	$65,760	N/A
Kansas	$101,430	$47,820	$163,580
Kentucky	$92,580	$51,020	$149,520
Louisiana	$90,090	$60,010	$132,000
Maine	$85,490	$63,570	$139,590
Maryland	$134,130	$78,600	$204,530
Massachusetts	$124,920	$78,220	$178,190
Michigan	$103,580	$61,910	$163,480
Minnesota	$124,380	$77,440	$168,120
Mississippi	$87,940	$54,200	$131,440
Missouri	$96,800	$58,510	$144,500
Montana	$92,500	$66,460	$106,390
Nebraska	$103,280	$60,010	$158,910
Nevada	$93,950	$64,770	$158,750
New Hampshire	$135,050	$91,380	$191,270
New Jersey	$131,340	$89,570	$182,630
New Mexico	$130,070	$81,500	$173,900
New York	$129,790	$79,020	$211,880
North Carolina	$125,930	$72,940	$182,090
North Dakota	$107,930	$62,400	$126,600
Ohio	$106,460	$68,660	$164,980
Oklahoma	$99,870	$53,840	$144,860
Oregon	$100,260	$76,780	$153,460
Pennsylvania	$110,290	$59,750	$171,030
Rhode Island	$106,150	$78,310	$162,450
South Carolina	$103,410	$66,040	$196,530
South Dakota	$102,050	$72,580	$133,990
Tennessee	$98,470	$63,880	$172,040
Texas	$115,040	$72,870	$167,540
Utah	$105,460	$61,670	$161,960
Vermont	$84,860	$53,940	$135,110
Virginia	$133,520	$80,090	$196,520
Washington	$142,940	$84,330	$209,270
West Virginia	$87,420	$55,120	$134,530
Wisconsin	$103,570	$65,770	$158,350
Wyoming	N/A	N/A	N/A

Source: U.S. Bureau of Labor Statistics (BLS) 2023 median salary; projected job growth through 2032. Actual salaries vary depending on location, level of education, years of experience, work environment, and other factors. Salaries may differ even more for those who are self-employed or work part time.

Cryptanalysis techniques and tools

Cryptanalysts utilize numerous techniques to break codes and decrypt information. In other words, the goal is to unearth the plaintext that is being hidden or coded. The plaintext can be words written in English or another language or in a programming language such as Java. Here are a few examples of some of those techniques:

Statistical frequency analysis:: Pioneered by Al Kindi in the ninth century, this basic form of cryptanalysis looks at ciphertext by analyzing the statistical frequency of certain letters in a language. By understanding which letters are statistically likely to be used in a message, the cryptanalyst may be able to crack the cipher alphabet.
Known-plaintext-attack:: In this type of cryptanalysis, the cryptanalyst is already aware of some of the plaintext-ciphertext pairs. Analyzing these pairs can help the cryptanalyst deduce the encryption key to "unlock" the rest of the plaintext.
Ciphertext-only-attack:: In this scenario, the cryptanalyst only has access to some of the encrypted messages. In other words, they have the ciphertext but they don't know any of the corresponding plaintext or the encryption key used to obscure the plaintext. The cryptanalyst must rely on other known information, such as the language the plaintext is written or statistical frequency analysis, to break the code and reveal the plaintext.
Chosen-plaintext-attack:: Cryptanalysts in this scenario have access to the encryption device or whatever the means of creating the ciphertext may be. They can input plaintext, analyze what ciphertext it spits out, and work backward to determine the encryption key.
Brute force attack:: This method is simple trial and error. The cryptanalyst guesses possible passwords and solutions to try to discover the plaintext.

Newer cryptanalysis trends

As encryption methods evolve, so do the means of decrypting information. Quantum cryptanalysis, for example, is an emerging field. PQSecure Technologies, a security solutions company that specializes in quantum-safe cryptographic solutions, defines quantum cryptanalysis as "the study and evaluation of cryptographic algorithms in the presence of a quantum-enabled adversary." Although quantum cryptanalysis (and quantum computing in general) is still in its relative infancy, quantum cryptanalysis could change the field dramatically if quantum computing continues to advance.

Blockchain encryption methods are also relatively new. Blockchains—chains of chronological groups of information known as blocks—are used for data storage, particularly for transactional data such as cryptocurrency. Encrypting blockchain data provides additional security measures and will be necessary as blockchain continues to evolve, especially with the rise of new virtual currencies.

Cryptanalysis certifications

Certifications are an essential component of IT, cyber security and related fields. Certifications validate an individual's skills and competencies, which is why so many IT and cyber security roles prefer or require candidates to possess certain certifications. They may also lead to better jobs and higher salaries. Here are a few information security certifications that any cryptanalyst may consider pursuing:

Certified Encryption Specialist (CES) from EC-Council
Certified Information Systems Security Professional (CISSP) from (IC2)²
Security+ from CompTIA
Certified Ethical Hacker (CEH) from EC-Council

In addition to certifications themselves, there are a few organizations and associations that emerging or current cryptanalysts should be aware of. Organizations may offer relevant certifications, member benefits, continuing education programs and more. Joining a professional association, if they offer membership, is also a great way to stay up to date on industry developments and trends. Check out the following organizations to see how they may be able to help your cryptanalyst career:

International Association for Cryptologic Research (IACR): This is the leading professional association in the field whose goal is to further cryptologic research. Members can join to access exclusive benefits which include access to all their publications, including the Journal of Cryptology. The IACR also hosts several international cryptologic conferences each year.

National Security Agency's Central Security Service (CSS): Their website states that the "Central Security Service (CSS) provides timely and accurate cryptologic support, knowledge, and assistance to the military cryptologic community." The CSS offers several entry-level cryptanalysis development programs which, upon completion, may lead to a full-time paid position in the NSA.

American Cryptogram Association (ACA): This nonprofit organization is dedicated to promoting the art and hobby of cryptanalysis. Members have access to their bi-monthly publication "The Cryptogram," in addition to several other benefits.

Are you ready for a career in cryptanalysis?

Cryptanalysis and cryptography are just two branches of the ever-expanding field of cyber security. As technology itself continues to evolve, as do the ways cyber criminals can commit crime, the need for competent cyber security professionals like cryptanalysts has seldom been greater.

A bachelor's degree in cyber security or mathematics is a good place to start, and there are other training programs out there to supplement a formal education, such as bootcamps, certifications or development programs from the NSA. If you aren't sure where to start, consider using our search feature to find relevant training programs for a cyber security career to last a lifetime.

Updated: October 25, 2023

Written and reported by:

Kendall Upton

Staff Writer

With professional insights from:

Spokesperson for the National Security Agency (NSA)