Getting your first cybersecurity job is hard because everyone wants experience, but you need a job to get experience. The solution is to build a portfolio of demonstrable skills before you apply — through home labs, certifications, CTF competitions, bug bounties, and open-source contributions. This guide gives you a concrete roadmap from zero to job-ready in cybersecurity.
The Cybersecurity Career Paths
Cybersecurity is not one job — it is dozens of different roles requiring very different skill sets:
- SOC Analyst (L1/L2/L3): Monitor SIEM alerts, investigate incidents, escalate threats. Entry-level roles are abundant. Pays $55k-$110k.
- Penetration Tester: Legally attack systems to find vulnerabilities. Requires strong technical skills + certifications. Pays $80k-$180k.
- Security Engineer: Build security tools and infrastructure. Requires programming + cloud + security knowledge. Pays $120k-$200k+.
- Threat Hunter: Proactively search for attackers in enterprise environments. Requires SIEM expertise + adversary knowledge. Pays $110k-$180k.
- GRC Analyst: Governance, Risk, and Compliance. Audits, policies, frameworks. Less technical, more process-focused. Pays $65k-$120k.
- Digital Forensics / IR: Investigate incidents and preserve evidence. Pays $75k-$150k.
Essential Free Learning Resources
TryHackMe — Best for Beginners
# TryHackMe: https://tryhackme.com
# Free tier includes many learning paths
# Recommended free learning paths:
# 1. Pre-Security (total beginner)
# Topics: Networking, Linux, Web fundamentals
# 2. SOC Level 1 (for SOC analyst career)
# Topics: Phishing analysis, SIEM, Wireshark, Splunk
# 3. Jr Penetration Tester
# Topics: Metasploit, privilege escalation, web app hacking, network exploitation
# 4. CompTIA Pentest+ (exam prep)
# Free rooms that map to Pentest+ objectives
# Complete at least 3 learning paths = solid foundation
# TryHackMe certifications look good on entry-level resumes
HackTheBox — Intermediate to Advanced
# HackTheBox: https://hackthebox.com
# Free tier: access to retired machines, Academy courses, Challenges
# HTB Academy: Structured courses (some free)
# - Introduction to Active Directory
# - Web Requests
# - Network Enumeration with Nmap
# - Linux Fundamentals
# Start with "Starting Point" machines (guided)
# Progress to easy machines: Lame, Blue, Legacy (all retired = free)
# Writeups for retired machines (how-to guides):
# https://0xdf.gitlab.io
# https://ippsec.rocks
# HTB rank progression shows employers your skill level:
# Noob -> Script Kiddie -> Hacker -> Pro Hacker -> Guru -> Elite Hacker
Building a Home Lab
# Minimum hardware: Laptop with 16GB RAM (dedicated PC preferred for 24/7 SIEM)
# Hypervisor: VirtualBox (free) or VMware Workstation Pro (now free for personal use)
# Essential VMs:
# 1. Kali Linux (attacker)
# Download: kali.org/get-kali
# Includes: Nmap, Metasploit, Burp Suite, Aircrack, Hashcat, John, SQLmap
# 2. Windows Server 2022 Evaluation (free 180-day trial)
# Download: microsoft.com/en-us/evalcenter
# Set up: Active Directory Domain Services, DNS, DHCP
# 3. Windows 10/11 (domain-joined workstation)
# Download: microsoft.com developer VM
# 4. Metasploitable 3 (intentionally vulnerable target)
# From a clone of github.com/rapid7/metasploitable3 (box names as in its Vagrantfile):
# vagrant up ub1404
# vagrant up win2k8
# 5. Wazuh SIEM (Ubuntu server)
# git clone https://github.com/wazuh/wazuh-docker.git && cd wazuh-docker/single-node
# docker-compose -f generate-indexer-certs.yml run --rm generator   # one-time certificate setup
# docker-compose up -d
# Home lab exercises:
# Week 1: Network discovery, port scanning, service enumeration
# Week 2: Exploit Metasploitable with Metasploit, practice post-exploitation
# Week 3: Set up SIEM, generate attacks, build detection rules
# Week 4: Active Directory attacks: Kerberoasting, BloodHound, Pass-the-Hash
Certifications: Which Ones Actually Matter
# ENTRY LEVEL (get these first):
# CompTIA Security+ ($392): Most widely recognized entry cert
# - Required for many government/federal contractor jobs
# - Covers fundamentals: threats, cryptography, network security
# - Study resources: Professor Messer (free YouTube), Darril Gibson book
# CompTIA CySA+ ($392): SOC/Blue Team specific
# - Perfect for SOC Analyst roles
# - Covers: threat hunting, SIEM, incident response, vulnerability management
# AWS Security Specialty / Azure SC-900 (Free to $300):
# - Essential if targeting cloud security roles
# INTERMEDIATE (after 1-2 years experience):
# CEH (Certified Ethical Hacker, $950-$1999): Popular but criticized for content
# PNPT (Practical Network Penetration Tester, $399): Best practical pentest cert
# - Requires you to complete a real pentest and write a report
# - Created by TCM Security, highly respected in the industry
# ADVANCED (requires real experience):
# OSCP (Offensive Security Certified Professional, $1499):
# - 24-hour practical exam on a network of machines
# - Gold standard for penetration testers
# - Requires 3 months of prep minimum
# eJPT (free, Junior Penetration Tester by eLearnSecurity):
# - Excellent free entry-level practical cert
# - Great first cert before Security+
Bug Bounty: Get Paid While Learning
# Platforms:
# HackerOne: https://hackerone.com (many public programs)
# Bugcrowd: https://bugcrowd.com
# Intigriti: https://intigriti.com (European programs)
# Open Bug Bounty: https://openbugbounty.org (responsible disclosure)
# Start with programs that have:
# - Wide scope (lots of targets to test)
# - Clear rules
# - Good bounty history (they actually pay)
# Recommended first programs:
# - HackerOne public programs
# - Shopify (has excellent documentation for beginners)
# - GitLab (public self-managed program)
# Beginner bug bounty strategy:
# 1. Focus on one vulnerability type (start with XSS or IDOR)
# 2. Learn it deeply - read all writeups about that type
# 3. Pick programs with many subdomains (more attack surface)
# 4. Use Amass/Subfinder for subdomain enumeration
# Subdomain enumeration (expand your bug bounty scope)
subfinder -d target.com -o subs.txt
amass enum -d target.com -o amass_subs.txt
cat subs.txt amass_subs.txt | sort -u | httpx -silent -o live_hosts.txt
nuclei -l live_hosts.txt -t cves/ -o nuclei_results.txt
CTF Competitions: Build Skills Competitively
# CTF (Capture The Flag) competitions test specific skills in competitive format
# Find upcoming CTFs: https://ctftime.org
# CTF categories:
# - Web: SQL injection, XSS, IDOR, SSRF, deserialization
# - Pwn/Binary: Buffer overflow, format strings, ROP chains (advanced)
# - Reversing: Decompile and understand obfuscated code
# - Crypto: Break weak cryptographic implementations
# - Forensics: Disk, memory, network forensics
# - OSINT: Open source intelligence gathering
# Beginner-friendly CTFs:
# - PicoCTF (beginner, runs annually): picoctf.org
# - CTFLearn: ctflearn.com
# - OverTheWire: overthewire.org/wargames (Linux command line skills)
# - HackTheBox Challenges (free retired challenges)
# Useful CTF tools:
# CyberChef: Encode/decode/analyze data - gchq.github.io/CyberChef
# pwndbg: GDB plugin for binary exploitation
# pwntools: Python library for exploit development
# binwalk: Firmware analysis and file extraction
# steghide: Steganography (hidden data in images)
GitHub Portfolio: Show Your Work
# What to put on GitHub to impress employers:
# 1. Home lab documentation (Wazuh setup, detection rules)
# 2. CTF writeups (demonstrates methodology, not just results)
# 3. Custom scripts (Python security tools, automation)
# 4. Sigma/YARA/Snort rules you have written
# 5. Bug bounty writeups (disclosed/closed reports)
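A portfolio piece that ties items 1 and 4 above to the Week 4 home lab exercise: an added example (not code from the original page) that runs the classic Kerberoasting triage rule over constructed Windows Security Event ID 4769 records. The field names follow the 4769 event payload; the account and SPN values are made up for the sample, and the same logic is what you would later express as a Sigma or Wazuh rule.

```python
"""Kerberoasting triage over Windows Security Event ID 4769 records.

Heuristic: one account requesting service tickets for several user-account SPNs
with RC4-HMAC (TicketEncryptionType 0x17). Most domains still have some legitimate
RC4 traffic, so this yields a triage list, not a verdict. Sample data is constructed.
"""
from collections import defaultdict

def is_rc4_spn_request(event: dict) -> bool:
    """True when one 4769 event matches the Kerberoasting pattern."""
    if event.get("EventID") != 4769:
        return False  # only service ticket requests
    if event.get("TicketEncryptionType", "").lower() != "0x17":
        return False  # RC4-HMAC; AES (0x11/0x12) is the normal case
    if event.get("Status", "0x0").lower() != "0x0":
        return False  # ticket was not issued
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and krbtgt are not crackable targets
    return True

def kerberoast_triage(events, min_services: int = 3) -> dict:
    """Map requesting account -> sorted SPN list for accounts over the threshold."""
    seen = defaultdict(set)
    for ev in events:
        if is_rc4_spn_request(ev):
            seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in seen.items() if len(s) >= min_services}

def _ev(user, service, enc="0x17", status="0x0", eid=4769):
    # Constructed event using the field names of the 4769 event XML payload.
    return {"EventID": eid, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "Status": status}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _ev("jdoe@LAB.LOCAL", "svc_sql"),
    _ev("jdoe@LAB.LOCAL", "svc_web"),
    _ev("jdoe@LAB.LOCAL", "svc_backup"),
    _ev("jdoe@LAB.LOCAL", "krbtgt"),                  # routine TGS for krbtgt, ignored
    _ev("asmith@LAB.LOCAL", "svc_sql", enc="0x12"),   # AES256 request, normal
    _ev("WS01$@LAB.LOCAL", "DC01$"),                  # machine-to-machine RC4, ignored
    _ev("bob@LAB.LOCAL", "svc_sql"),                  # single RC4 request, below threshold
    _ev("jdoe@LAB.LOCAL", "svc_legacy", eid=4768),    # TGT request, wrong event ID
    _ev("jdoe@LAB.LOCAL", "svc_old", status="0x1B"),  # request failed, no ticket issued
]

if __name__ == "__main__":
    for user, spns in kerberoast_triage(SAMPLE_EVENTS).items():
        print(f"[Kerberoasting candidate] {user}: {len(spns)} RC4 SPN tickets {spns}")
```

Lower `min_services` to tune sensitivity for your lab, and compare the hits against what you actually ran from Kali that week before committing the rule.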
# Example: Document your home lab
mkdir security-home-lab && cd security-home-lab
git init
# Add README.md explaining your lab topology
# Add detection_rules/ with your Splunk/Wazuh rules
# Add scripts/ with your automation tools
git add . && git commit -m "Initial home lab documentation"
git branch -M main
git remote add origin <your-github-repo-url>   # placeholder: the empty repo you created on GitHub
git push -u origin main
# Good README structure:
# - Lab topology diagram
# - Tools installed and purpose
# - Attacks you practiced
# - Detections you built
# - What you learned
LinkedIn and Networking
80% of jobs are filled through networking. Join these communities:
- Cybersecurity Discord servers: TryHackMe Official, HackTheBox, TCM Security
- Reddit: r/netsec, r/AskNetsec, r/cybersecurity
- Twitter/X: Follow security researchers — they share real-world techniques and job leads
- DEFCON/BSides groups: Local BSides conferences are free or low-cost, full of hiring managers
Document everything you do. Every CTF challenge you solve, every machine you root, every detection rule you write — document it on GitHub and write about it on LinkedIn. Employers are not just looking for skills. They are looking for people who are passionate enough to learn on their own time. A GitHub profile full of home lab documentation, CTF writeups, and custom security tools tells a hiring manager everything they need to know.