Evidence rules and criteria per GOV.UK — Global Talent (Digital Technology), verified 5 July 2026. Since 4 August 2025 there is a single GOV.UK Stage 1 endorsement form; Tech Nation remains the endorsing body.
Can a cybersecurity professional get the Global Talent Visa?
Yes. Cybersecurity is core digital-technology work, and the endorsement does not turn on your job title — it turns on whether you can evidence the mandatory criterion plus at least two of the four optional criteria. Vulnerability researchers, penetration testers, red-teamers, detection and response engineers, threat-intelligence analysts, cryptography and application-security specialists, and security engineering leaders all sit inside the route. The practical question is never "does security count?" — it is "can you attribute your individual technical impact in a way an assessor can verify independently?" For a cybersecurity professional that is both the opportunity and the trap, because the strongest artefacts in this field are public, dated and externally credited, while much day-to-day security work is confidential and delivered as a team.
What counts as evidence for a cybersecurity professional?
Below is a criterion-by-criterion matrix. For each, the artefact types a cybersecurity professional actually holds, an anonymised worked example of a strong item, and the common failure mode that gets that item discounted. Nothing here is a keyword swap from a generic role — a credited CVE and a coordinated-disclosure timeline are true for a security researcher and for almost no other applicant.
| Criterion | Your real artefacts | Worked example (anonymised) | Common failure mode |
|---|---|---|---|
| Mandatory Criterion — recognised as a leading or emerging talent | A body of credited CVEs; vendor advisories naming you; a widely adopted open-source security tool; keynote or main-track talks; documented industry-wide impact of your research | A CVE in a mass-market VPN client with a CVSS score, the vendor advisory crediting you by name, and download telemetry showing the patch reached millions of endpoints — evidencing impact beyond your employer | Leading a security programme inside one company, described as strategy, with no external artefact showing the wider field recognised the work |
| OC1 — recognition for work beyond the applicant's occupation | Conference talks (invited, not employer-organised); CVE credits and Hall-of-Fame listings; being cited or referenced by other researchers; media coverage of your disclosure; community awards | An invited talk at an independent security conference, with the published agenda naming you as speaker, the recorded session, and third-party write-ups referencing your technique by name | A talk your employer paid to sponsor or arranged internally; a "webinar" hosted on the company's own site — read as employer promotion, not external recognition |
| OC2 — technical/commercial/entrepreneurial contribution as a security expert | Authored open-source security tooling; upstream commits to detection frameworks, fuzzers, SIEM rules or exploit-mitigation projects; a security product or feature you led; patents in security | A detection-engineering tool you authored, with the public repository, the commit history under your handle, star and fork counts, and issues from external users adopting it in production | Internal tooling that never left the company, evidenced only by a self-written description with no independent trace of adoption or authorship |
| OC3 — significant contribution to the field outside your day job | Coordinated/responsible disclosure work; running or maintaining a security community, CTF, or open dataset; mentoring outside your employer; bug-bounty leaderboard standing; standards or working-group participation | A responsible-disclosure timeline for a flaw in a widely used library — your initial report, the coordinated-disclosure correspondence, the assigned CVE and the public advisory — showing contribution to collective security beyond any one employer | Internal-only mentoring, or a bug reported privately and settled under NDA with no CVE, advisory, or any independently checkable trace |
| OC4 — academic contribution through published research | Peer-reviewed security papers; a conference proceedings paper; a well-cited technical write-up or whitepaper; a novel technique documented and referenced by peers | A peer-reviewed paper at an academic security venue with your authorship, the DOI, and citation records from later work building on your method | A company blog post published shortly before applying, generic in content, with no citation, peer review, or evidence anyone in the field engaged with it |
Criteria wording and the two-of-four requirement per GOV.UK, verified 5 July 2026. The optional-criteria labels above are working shorthand — always read the current official definitions before mapping your evidence.
Which optional criteria does a cybersecurity professional most credibly hit?
You need two of the four, and most credible security portfolios land on OC1 and OC3. OC1 is carried by external recognition — invited talks and CVE credits are recognition by definition, since a third party chose to platform or credit you. OC3 is carried by contribution beyond the day job — responsible disclosure is the archetypal example, because the work benefits the whole ecosystem rather than one employer. OC2 is strong if you have authored adopted tooling; treat it as your primary pillar if your open-source footprint is larger than your speaking record. OC4 is the hardest for most practitioners, because it needs genuine peer-reviewed or well-cited output — reach for it only if you actually have published research, and never dress a pre-application blog post up as academic work. The safest default for a working security professional is to lead with OC1 and OC3, then add OC2 if the tooling is real.
Not sure your CVEs and talks clear the bar?
A £200 Fit Assessment scores your evidence against the mandatory criterion and each OC, tells you Talent or Promise, and maps your ten documents. It includes a live 45-minute walkthrough and is credited to any package within 14 days.
What does a strong 10-document pack look like for a cybersecurity professional?
You may submit a maximum of ten documents, each up to three sides of A4; the CV and the three recommendation letters sit outside that count. The layout below is a worked pack for a mid-to-senior security researcher, showing which criterion each document is doing the work for. A good pack proves impact from several independent directions rather than repeating the same claim, and every item should be externally verifiable rather than self-asserted.
| # | Document | Works for | Why it lands |
|---|---|---|---|
| 1 | Highest-impact CVE record + vendor advisory crediting you | MC · OC1 | Third-party identifier, dated, individually attributed |
| 2 | Coordinated-disclosure timeline for that CVE (report → advisory) | OC3 | Shows contribution to the wider ecosystem, not one employer |
| 3 | Second and third CVE credits, consolidated on one sheet | MC · OC1 | Pattern of recognition, not a single lucky find |
| 4 | Open-source security tool: repo page, authorship, adoption metrics | OC2 | Independent proof you built something the field uses |
| 5 | Invited conference talk: agenda naming you + recording link | OC1 | External platform chose you — recognition by definition |
| 6 | Third-party write-ups / citations referencing your technique | OC1 · OC4 | Peers engaged with and built on your work |
| 7 | Media coverage of a disclosure or research finding | OC1 | Recognition reaching beyond the security community |
| 8 | Bug-bounty standing or Hall-of-Fame listings (named) | OC1 · OC3 | Externally maintained, verifiable, individually attributed |
| 9 | Peer-reviewed paper or well-cited whitepaper (if held) | OC4 | Genuine published contribution, not a pre-application blog |
| 10 | Evidence of tool adoption in production (issues, dependents) | OC2 | Impact measured by others' use, not your description |
Ten-document maximum, three-page limit, and CV-plus-three-letters-outside-the-count are current GOV.UK rules verified 5 July 2026. Confirm before you submit at GOV.UK.
Talent or Promise for a cybersecurity professional?
Route choice follows the depth of your track record, not a fixed number of years. A researcher with a sustained body of credited CVEs, main-track talks, adopted tooling and citations built over a long career typically applies as Exceptional Talent, which reaches settlement after three years. A security professional roughly three to five years in, with early but real external recognition — a first CVE or two, a community talk, a growing open-source project — usually applies as Exceptional Promise, which reaches settlement after five years. Do not treat "five-plus years means Talent" as a rule; it is not one. The honest way to choose is to lay your actual evidence against each criterion and see which route your portfolio genuinely supports, which is exactly what the assessment does.
What is the most common reason cybersecurity applicants are refused?
Two recurring patterns, reported by applicants and advisers, dominate — and both are specific to how security work is done. The first is recognition that exists only inside the employer: an applicant leads a strong internal security programme but submits no artefact showing the wider field noticed, so the assessor sees employer value rather than field recognition. The second is impact stated at team level: security is collaborative and often confidential, so applicants write "we identified", "our team remediated", "the SOC detected" — and the individual contribution the criteria demand disappears into the collective. The fix is the same in both cases: externally attributable artefacts. A CVE credits a person, not a team. An advisory names an author. A repository has a commit history. Where the work is genuinely under NDA and cannot be shown, it cannot carry the application — so build the pack from the public, credited work, and describe confidential work only as supporting context. A third, avoidable, pattern is OC evidence rejected on technicalities: an employer-organised talk read as promotion, or a generic write-up published just before applying. Choose independent platforms and dated, substantive artefacts instead.
How does the £200 assessment help a cybersecurity professional?
The Fit Assessment is built for exactly this diagnosis. You upload what you have — CVE records, advisories, repositories, talk agendas, papers — before any payment, and receive a free preliminary read. The paid £200 report then scores your evidence out of twenty with a component-by-component breakdown across the mandatory criterion, OC1–OC4, your letters and documentation, recommends Talent or Promise from your actual portfolio, sets out your ten-document plan, and flags where a talk or a blog post is likely to be read as promotion rather than recognition. It includes a live 45-minute walkthrough call, arrives as a branded PDF plus an XLSX tracker via secure download links, and is credited in full to any package within fourteen days. For a security professional the single most valuable output is usually the honest map of which two optional criteria your public, credited work actually clears — before you risk the £766 in government fees. Law firms charge £4,500–£9,000 +VAT for full-service help; the assessment is the £200 that tells you whether you need it.
Frequently asked questions
Yes. Cybersecurity work sits squarely within the Digital Technology route. Security researchers, penetration testers, detection engineers, threat-intelligence analysts and security leaders all qualify if they can evidence the mandatory criterion plus at least two of the four optional criteria. The route is not job-title-based; it is evidence-based. Verify the current criteria on GOV.UK.
Yes, and they are among the strongest artefacts a cybersecurity professional can hold, because a published CVE with your name attributed is externally verifiable recognition outside your own employer. A CVE record, the vendor advisory that credits you and the coordinated-disclosure timeline together evidence individual technical contribution. Present the CVE, not just a claim that you found it. Verify criteria on GOV.UK.
It depends on the depth of your track record, not on a fixed number of years. A researcher with a body of credited CVEs, conference talks and adopted tooling built over many years typically applies as Exceptional Talent; someone three to five years in with early external recognition applies as Exceptional Promise. The £200 Fit Assessment recommends a route from your actual evidence rather than a rule of thumb. Verify on GOV.UK.
Recognition that exists only inside the employer, and impact stated at team level. Security work is often confidential and collaborative, so applicants describe programmes their team ran rather than the specific vulnerability they personally found or the tool they personally authored. The fix is external, attributable artefacts: credited CVEs, public advisories, open-source commits and named conference talks. Verify criteria on GOV.UK.
A maximum of ten documents, each up to three sides of A4, plus a CV and three recommendation letters which sit outside that count. For a cybersecurity professional the ten typically span credited CVEs, a public advisory, an open-source security tool, a named conference talk, and evidence of adoption or media coverage. Verify the current evidence rules on GOV.UK.
Related role pages: for AI/ML engineers, for data scientists and for technical founders. Evidence guides: the endorsement criteria, the 10-document evidence pack and recommendation letters. And start with the pain points hub if you are not sure where you stand.
Last updated: 5 July 2026. Facts on this page were verified against GOV.UK on 5 July 2026 — always re-verify before applying.