
Every week someone asks me the same question: "I want to get into cybersecurity — where do I start?" And every week I see the same bad advice repeated online: get a CompTIA Security+, do a bootcamp, apply everywhere. That advice will get you a certificate. It probably won't get you a job — and it definitely won't build a career.

I have spent 15+ years in this industry. This is the honest version of that roadmap.

First: Stop Treating Cybersecurity as One Thing

The biggest mistake career-changers make is thinking "cybersecurity" is a single job. It is not. It is a broad industry with dozens of distinct specialisations — and the skills, certifications, day-to-day work, and career trajectories vary enormously between them.

Before you study anything, you need to pick a direction. Not forever — but for the next two to three years. Trying to be a generalist at entry level makes you a weak candidate everywhere. Specialising makes you the obvious hire for a specific role.

The main career tracks in 2026, the ones referred to throughout this article:

- Security Operations (SOC analyst, detection and response)
- Penetration Testing / Offensive Security
- Cloud Security
- Application Security (AppSec)
- Governance, Risk and Compliance (GRC), including Audit

Pick one track and go deep. The people who break in fastest are the ones who become genuinely knowledgeable in a specific area — not the ones who collect the most certifications across everything.

The Certification Landscape: What Actually Matters

Certifications are useful — but only the right ones, in the right order, for the right track. Here is a practical breakdown:

| Certification | Track | Level | Worth it? |
|---|---|---|---|
| CompTIA Security+ | General / SOC | Entry | Only if a specific job posting requires it. Not a differentiator. |
| eJPT (INE Security, formerly eLearnSecurity) | Penetration Testing | Entry | Yes. Practical, affordable, a good first step into offensive security. |
| OSCP (OffSec) | Penetration Testing | Mid | The gold standard for pen testers. Hard, expensive, worth it. |
| CEH (EC-Council) | General | Entry | Widely recognised in Middle East and Asian markets. The core exam is multiple choice (the separate CEH Practical adds a hands-on component), so it is less respected technically. |
| AWS Certified Security - Specialty | Cloud Security | Mid | Yes. A strong signal for cloud security roles. Take AWS Solutions Architect Associate first. |
| CISSP (ISC2) | GRC / Management | Senior | Yes, but ISC2 requires five years of relevant experience (four with an approved degree or credential) before the certification is granted. Not an entry-level cert, whatever recruiters say. |
| CISA (ISACA) | Audit / GRC | Mid | Strong for compliance and audit roles, especially in regulated industries. |
| GWAPT / GWEB (GIAC) | AppSec / Web Testing | Mid | Excellent for AppSec. GIAC certs are expensive but practical and highly respected. |

The Honest Roadmap — Step by Step

1. Build the foundation first

Networking (TCP/IP, DNS, HTTP), operating systems (Linux basics, Windows), and how web applications work. You cannot test or defend what you do not understand. TryHackMe's pre-security path is a good structured start. Budget 2–3 months.

2. Pick your track and go deep

Choose one of the tracks listed above and commit to it for at least 12 months. Follow a structured learning path for that track specifically. Generalist content at this stage is a distraction.

3. Get your hands dirty: labs, not videos

TryHackMe, HackTheBox, DVWA, VulnHub, PentesterLab. Watching videos teaches you concepts. Labs build skills. Employers hire skills. The ratio should be 30% learning, 70% practice.

4. Get your first relevant certification

After 3–6 months of hands-on practice, get the certification that fits your chosen track. Do not do this first — studying for a cert before you have practical context makes it much harder and less useful.

5. Build a portfolio you can show

Write up your HackTheBox and TryHackMe solutions. Document your lab work. If you do a bug bounty and find something, write it up. A GitHub with real technical writeups is worth more than most certifications at the application stage.

6. Target roles strategically

Apply for roles that specifically match your track. Do not apply to everything. A focused application for a SOC analyst role with relevant experience is far stronger than a broad application across 50 general "cybersecurity" roles.

The Fastest Entry Points in 2026

Based on current market demand, these are the three paths with the best chance of breaking in within 12 months:

1. Cloud Security (fastest growing demand)

Get AWS Cloud Practitioner → AWS Solutions Architect Associate → AWS Security Specialty. Pair with hands-on CloudGoat labs. Cloud security roles are numerous, well-paid, and have a significant skills shortage. Coming from a cloud infrastructure or DevOps background accelerates this significantly.

2. SOC Analyst (most entry-level roles available)

SOC roles have the highest volume of entry-level openings. The work is shift-based and detection-focused. Use it as a two-year foundation — learn how attacks actually look in the wild — then move into offensive security, AppSec, or cloud from a position of real experience.
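What "detection-focused" looks like in practice, as an added example that is not part of the original article: a small brute-force detector run over constructed sshd log lines. The host name, addresses and log lines are made up for the demo, and the threshold of five failures in a one-minute window is an illustrative assumption; a real SIEM rule would be tuned to the environment. The part worth noticing is the escalation step: a burst of failures followed by a success from the same source is the event an analyst actually has to chase.

```python
"""Added example: a minimal SSH brute-force detector over constructed log lines.

Not from the original article. The log lines, host name and IP addresses below
are made up for the demo; threshold and window are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log, syslog format. Not real data.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:04 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:06 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:08 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:15 bastion sshd[4021]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:02:00 bastion sshd[4100]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:00 bastion sshd[4101]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2026):
    """Parse one sshd auth line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is assumed for the demo
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert on any source IP with >= threshold failed logins inside a sliding
    window, and escalate if a successful login from that IP follows the burst."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps still in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            # drop failures that have aged out of the window, then record this one
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            recent_failures[ip].append(ev["ts"])
            if len(recent_failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "failures": len(recent_failures[ip]),
                    "first_failure": recent_failures[ip][0],
                    "success_after": False,
                    "account": None,
                }
        elif ip in alerts:
            # A success after a burst of failures is the signal that matters most:
            # the attacker may have guessed a valid credential.
            alerts[ip]["success_after"] = True
            alerts[ip]["account"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        severity = "HIGH" if a["success_after"] else "MEDIUM"
        tail = f", then successful login as {a['account']}" if a["success_after"] else ""
        print(f"[{severity}] {ip}: {a['failures']} failures from {a['first_failure']:%H:%M:%S}{tail}")
```

Run as a script it prints one HIGH alert for 203.0.113.7; the single failure from 198.51.100.4 never crosses the threshold, which is the kind of noise a SOC analyst learns to tune out.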

3. AppSec (best for developers)

If you have a development background, application security is the highest-value transition available. You already understand the code — you just need to learn how to break it. PortSwigger Web Security Academy is free, world-class, and the single best resource for learning web application security hands-on.
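The developer-to-AppSec shift in miniature, as an added example (not code from the article or from PortSwigger): the same login lookup written with string concatenation and then with a parameterised query, run against a constructed in-memory SQLite table. The table, the credential strings and the payload are made up for the demo, and the password is compared as an already-hashed string purely to keep the example short. A developer who has written the first form will recognise it on sight, which is exactly the advantage this section is talking about.

```python
"""Added example: one login lookup written two ways, run against a constructed
in-memory SQLite table. Not from the article or from PortSwigger; the table,
credentials and payload are made up, and the password is compared as an
already-hashed string only to keep the demo short.
"""
import sqlite3


def make_db():
    """Constructed demo table: one user with a placeholder password hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return con


def login_vulnerable(con, username, password_hash):
    """The developer's first draft: user input is glued into the SQL text,
    so a quote in the username turns data into query syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password_hash):
    """The AppSec fix: a parameterised query. The driver sends the values
    separately from the statement, so a quote stays a quote."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = con.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


# Constructed payload: closes the string literal, then comments out the rest of
# the WHERE clause (SQLite, like most engines, treats '--' as a line comment).
PAYLOAD = "alice' --"


def demo():
    """Run both versions with the payload and with a legitimate credential."""
    con = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(con, PAYLOAD, "wrong"),
        "safe_bypass": login_safe(con, PAYLOAD, "wrong"),
        "safe_legit": login_safe(con, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'logged in as ' + result if result else 'rejected'}")
```

The vulnerable version logs the attacker in as alice with a wrong password because the comment marker removes the password check from the statement; the parameterised version rejects the same input while still accepting the real credential. The PortSwigger labs walk through this class of bug, and many others, against live targets.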

What to avoid: Generic cybersecurity bootcamps that promise job placement in 12 weeks. They cost a lot, teach broad theory, and produce graduates who struggle to answer technical interview questions. Your money is better spent on platform subscriptions, lab time, and one good certification.

One More Honest Truth

The people who succeed in cybersecurity careers are not the ones with the most certifications — they are the ones who are genuinely curious about how systems work and how they break. That curiosity drives the continuous learning that this field demands.

If you are reading this because you think cybersecurity pays well and sounds impressive — that is fine, but it will not sustain you through the years of study and practice this career requires. If you are reading this because you genuinely want to understand how systems are attacked and defended, you are already thinking like a security professional.

The technical skills are learnable. The mindset is what matters most.

Not sure which direction is right for you?

We offer honest, one-on-one cybersecurity career counselling — no sales pitch, no generic advice. Just a direct conversation about where you are, where you want to go, and the most practical path to get there.

Book a Career Consultation →