The promise is compelling: a field with millions of unfilled jobs, six-figure salaries within a few years of entry, and the intellectually satisfying task of defending organisations against real adversaries. Cybersecurity has attracted enormous attention from career changers, recent graduates, and people escaping stagnant industries. ISC2's 2023 Cybersecurity Workforce Study found a global workforce gap of 4 million professionals — meaning unfilled demand for trained practitioners vastly exceeds supply in most markets.

But the gap between 'interested in cybersecurity' and 'employed in cybersecurity' is wider than bootcamp marketing implies. Navigating it without a plan leads to wasted money, circular credential accumulation, and demoralising rejection cycles. The cybersecurity hiring market wants people who can demonstrate hands-on technical skill, not people who have passed a series of multiple-choice exams. That distinction drives almost every practical recommendation in this guide.

This article is for people starting from genuine zero — no IT background, no security knowledge, no professional network in the field. It covers the realistic 18-month roadmap broken into monthly milestones, the correct sequence of certifications with cost and timeline, home lab setup using entirely free tools, how to build a credible portfolio without a job, bug bounty as an entry strategy, the entry-level roles to target, salary expectations by year of experience, and the common mistakes that slow people down. The advice is grounded in ISC2 workforce research, CompTIA hiring data, and patterns from career changers who have navigated this path successfully.

"The biggest mistake I see career changers make is trying to start in cybersecurity without any IT foundation. You need to understand what you are defending before you can defend it. Spend six months in IT support — it is the fastest education you can get." — David Bombal, network engineer and cybersecurity educator, CyberWire Podcast 2023


Key Definitions

SOC (Security Operations Center): The team responsible for monitoring an organisation's security posture around the clock. Tier 1 SOC Analyst is the most common first cybersecurity role for career changers and provides foundational experience in alert triage, SIEM tools, and incident escalation.

SIEM (Security Information and Event Management): Platforms that aggregate log and event data from across an organisation's infrastructure to enable security monitoring. Splunk and Microsoft Sentinel are the two most commonly required tools in SOC job listings.

CTF (Capture the Flag): Cybersecurity competitions where participants solve security challenges to earn points. CTF participation demonstrates hands-on skill to employers and is one of the most credible portfolio-building activities available to beginners.

Bug Bounty: Programs run by companies that pay researchers for responsibly disclosing security vulnerabilities. Platforms including HackerOne and Bugcrowd host programs ranging from beginner-accessible to expert-level. Any valid bug report is portfolio evidence.

Home Lab: A personal testing environment, typically virtualised using VirtualBox or VMware, used to practise security skills safely and legally. Running deliberately vulnerable machines forms the core of effective self-study.


Why 'Just Get Certified' Is Not a Strategy

The cybersecurity certification market generates billions of dollars annually, and a significant share is captured from career changers who purchase credentials before they have the experience to make those credentials meaningful to employers. A CompTIA Security+ alone will not get you an entry-level security job if you have never configured a router, set up a firewall rule, or understood how TCP/IP works. Employers listing Security+ as a requirement are filtering for professionals with foundational IT knowledge, not signalling that Security+ is sufficient on its own.

ISC2's 2023 Workforce Study found that 44% of cybersecurity professionals said their first security role required at least 1-2 years of prior IT experience. This creates a genuine barrier for newcomers, but it is navigable. The solution is to build that IT experience deliberately through help desk roles, structured IT foundation certifications, and practical home lab work — before focusing exclusively on security credentials.


The 18-Month Roadmap: Month-by-Month Milestones

Period | Focus | Milestones | Estimated Cost
Months 1-2 | IT foundations: hardware, OS, networking basics | Start CompTIA A+ study; set up home lab (VirtualBox + Kali); complete TryHackMe Pre-Security path | $0-$100 (free resources + exam fee later)
Months 3-4 | IT foundations continued | Pass CompTIA A+ Core 1 exam; apply for IT helpdesk or desktop support roles | $253 per exam ($506 total)
Months 5-6 | Networking deep-dive | Complete Network+ study; pass Network+ exam; set up basic home lab network with pfSense | $358
Months 7-9 | Security fundamentals | Complete Security+ study; set up Metasploitable target in home lab; begin TryHackMe SOC Level 1 path | $404
Month 10 | Security+ exam and Python basics | Pass Security+ exam; complete 40-hour Python basics course; write 3 simple security scripts | $0 (Python is free)
Months 11-12 | Hands-on practice and portfolio building | Complete TryHackMe SOC Level 1; write up 5 lab exercises on GitHub or blog; attempt first CTF | $0-$14/month (TryHackMe premium)
Months 13-15 | Active job application campaign | Apply to 10+ SOC Tier 1 roles per week; register on HackerOne/Bugcrowd; attempt first bug bounty targets | $0
Months 16-18 | Interview preparation and first role | Practise SIEM scenarios (Splunk Boss of the SOC); mock interviews; accept first offer | $0

For someone with 1-2 years of prior IT experience (help desk, networking, sysadmin), compress this timeline to 8-12 months by skipping the A+ phase and accelerating Security+ preparation.


The Certification Path in Detail

Certification | Issuer | Purpose | Cost | Study Time | When to Pursue
CompTIA A+ | CompTIA | Hardware, OS, basic networking | $253/exam x 2 | 6-10 weeks | Month 1-4
CompTIA Network+ | CompTIA | TCP/IP, routing, switching, wireless | $358 | 6-8 weeks | Month 5-6
CompTIA Security+ | CompTIA | Security fundamentals, DoD 8570 compliant | $404 | 6-10 weeks | Month 7-10
eJPT | eLearnSecurity | Beginner practical penetration testing | $200 | 4-6 weeks | Month 10-12 (optional)
CompTIA CySA+ | CompTIA | Threat analysis, SOC skills, blue team | $404 | 8-12 weeks | After 12 months of SOC experience
OSCP | Offensive Security | Advanced practical pen testing | $1,499 | 3-6 months | After 2+ years of experience

CompTIA A+ covers hardware diagnostics, Windows and Linux operating systems, mobile devices, cloud fundamentals, and troubleshooting. It is the standard baseline for anyone entering IT. Professor Messer's free A+ study guides and videos at professormesser.com are the most widely recommended free resource.

CompTIA Network+ is the most important foundational certification for cybersecurity because almost all attacks travel over networks and almost all defences are network-based. Understanding subnetting, routing protocols, firewalls, and the TCP/IP stack is not optional — it is the shared language of the profession. Cost: $358. Timeline after A+: 6-8 weeks of study.

CompTIA Security+ is the gateway certification for cybersecurity careers. It is DoD 8570/DoD 8140 compliant (required for many US government and defence contractor roles), costs $404, and covers threats, attacks, cryptography, identity and access management, and risk management. It is the single most impactful entry-level credential for hiring. After passing Security+, you are technically qualified to apply for Tier 1 SOC analyst roles.

eJPT (eLearnSecurity Junior Penetration Tester) is an optional addition for candidates interested in offensive security. It is a practical lab-based exam that tests basic penetration testing skills and is a good bridge toward OSCP.

CySA+ (Cybersecurity Analyst) is the next step after gaining 6-12 months of SOC experience. It covers threat intelligence, incident response, and security monitoring in depth, and aligns well with Tier 2 SOC and security analyst roles.

OSCP is the gold standard for penetration testing and should be a long-term target for candidates interested in offensive work. It requires a 24-hour exam in a lab environment and submission of a professional report. Realistic timeline to attempt: 2-4 years after entry into the field.


Home Lab Setup: Free Tools and Configuration

A home lab demonstrates hands-on skill in a way that certifications alone cannot. The entire setup described below costs $0 in software.

Hardware requirement: Any modern laptop or desktop with at least 8GB RAM (16GB preferred) and 100GB free disk space can run a useful virtualised lab. A second-hand desktop running Windows 10 or 11 costing $150-300 is sufficient.

Step 1 — Install VirtualBox: Free virtualisation platform from Oracle. Download from virtualbox.org. This runs multiple operating systems simultaneously on your hardware.

Step 2 — Install Kali Linux as your attack platform: The standard penetration testing distribution, pre-loaded with hundreds of security tools. Available as a ready-to-import VirtualBox image at kali.org/get-kali. Import the image, start the VM, and you have a full security toolset.

Step 3 — Install Metasploitable 2 as your first target: A deliberately vulnerable Linux machine distributed by Rapid7 specifically for security practice. Download from SourceForge. Import to VirtualBox, set the network to 'host-only' (so it is only accessible from your host machine and Kali VM, not the internet), and begin practising.

Step 4 — Install Windows Server 2019 Evaluation (free 180-day licence from Microsoft): Configure it as a basic Active Directory domain controller. Active Directory is the target in the majority of real-world internal penetration tests and SOC incidents.

Step 5 — Deploy DVWA (Damn Vulnerable Web Application): A PHP/MySQL web application intentionally built with common web vulnerabilities. Run it on your Kali VM or as a separate target. Use it to practise SQL injection, XSS, file upload vulnerabilities, and command injection.

Step 6 — Register on TryHackMe (tryhackme.com): Provides structured guided learning paths with pre-configured vulnerable machines accessible through a browser. The SOC Level 1 path is directly aligned with entry-level SOC analyst skills. Free tier is sufficient to start; premium ($14/month) unlocks additional rooms.

Step 7 — Register on Hack The Box (hackthebox.com): More challenging than TryHackMe, community-driven machines without guided instructions. Starting Point machines provide a structured entry point. Active machine completions with published writeups are strong portfolio evidence.
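A quick isolation check for the lab built in the steps above, as an added example (not code from the article or from VirtualBox): it parses the key="value" lines that VBoxManage showvminfo --machinereadable prints (the nicN and hostonlyadapterN keys) and reports any VM with an adapter in NAT or bridged mode, which would give a deliberately vulnerable target a route off the host-only network. The VM names and outputs below are constructed.

```python
"""Report lab VMs whose network adapters are not host-only or internal.

Added example; not from the article. Input is the key="value" text that
`VBoxManage showvminfo <vm> --machinereadable` prints. SAMPLE_OUTPUTS is
constructed to show one correctly isolated target and two misconfigured VMs.
"""
import re
import subprocess

# Adapter modes that keep a VM off the real network: "none" is a disabled
# adapter, "intnet" is VirtualBox's VM-to-VM-only internal network.
SAFE_MODES = {"none", "hostonly", "intnet"}
KV_RE = re.compile(r'^(?P<key>[A-Za-z0-9_]+)="?(?P<val>.*?)"?$')
NIC_RE = re.compile(r"^nic(\d+)$")


def parse_vminfo(text):
    """Turn machine-readable showvminfo output into a {key: value} dict."""
    info = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            info[m["key"]] = m["val"]
    return info


def exposed_adapters(info):
    """Return [(adapter number, mode)] for adapters that can reach the LAN or internet."""
    bad = []
    for key, mode in info.items():
        m = NIC_RE.match(key)
        if m and mode not in SAFE_MODES:
            bad.append((int(m.group(1)), mode))
    return sorted(bad)


def audit_lab(vm_outputs):
    """vm_outputs: {vm name: showvminfo text}. Returns only the VMs with exposed adapters."""
    result = {}
    for name, text in vm_outputs.items():
        bad = exposed_adapters(parse_vminfo(text))
        if bad:
            result[name] = bad
    return result


# Constructed samples: Metasploitable2 is isolated; DVWA was left on NAT;
# Kali has a second adapter on NAT, which also gets flagged.
SAMPLE_OUTPUTS = {
    "Metasploitable2": 'name="Metasploitable2"\nnic1="hostonly"\nhostonlyadapter1="vboxnet0"\nnic2="none"\n',
    "DVWA": 'name="DVWA"\nnic1="nat"\nnatnet1="nat"\nnic2="none"\n',
    "Kali": 'name="Kali"\nnic1="hostonly"\nhostonlyadapter1="vboxnet0"\nnic2="nat"\nnic3="none"\n',
}


def collect_real_outputs():
    """Query the local VirtualBox install (assumes VBoxManage is on PATH)."""
    listing = subprocess.run(["VBoxManage", "list", "vms"], capture_output=True, text=True, check=True).stdout
    names = re.findall(r'^"(.+?)"', listing, re.M)  # each line is "<name>" {uuid}
    return {n: subprocess.run(["VBoxManage", "showvminfo", n, "--machinereadable"],
                              capture_output=True, text=True, check=True).stdout for n in names}


if __name__ == "__main__":
    for vm, nics in audit_lab(SAMPLE_OUTPUTS).items():
        print(f"{vm}: adapter(s) {nics} can reach beyond the host-only network")
```

To check a real install, pass collect_real_outputs() to audit_lab() instead of SAMPLE_OUTPUTS, and run it before booting a new target such as Metasploitable 2 or DVWA.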


Building a Portfolio Without Job Experience

Employers hire based on demonstrated skill, not potential. The following activities create verifiable evidence of technical capability:

GitHub repository of security scripts: Write and publish scripts demonstrating practical skills — a Python log parser, a basic port scanner, a script that checks an IP against threat intelligence APIs, a tool that parses Nmap XML output. Documented, commented code on a public GitHub profile is portfolio evidence that interviewers can review before a phone screen.
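As an added example of the kind of script this paragraph and the Month 10 milestone describe (not code from the article), here is a small Python log parser: it reads sshd lines in the usual syslog format, counts failed-password events per source address inside a sliding time window, and flags bursts. The log lines are constructed.

```python
"""Failed-login burst detector over sshd log lines.

Added example for the portfolio "security scripts" item; not code from the
article. The log lines below are constructed in the usual syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Example line: "Mar  3 10:15:01 host sshd[1234]: Failed password for
# invalid user admin from 203.0.113.9 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Mar  3 10:15:01 lab-host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  3 10:15:03 lab-host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Mar  3 10:15:04 lab-host sshd[1205]: Failed password for root from 203.0.113.9 port 51238 ssh2
Mar  3 10:15:06 lab-host sshd[1207]: Accepted password for alice from 192.168.56.10 port 40010 ssh2
Mar  3 10:15:08 lab-host sshd[1209]: Failed password for invalid user test from 203.0.113.9 port 51240 ssh2
Mar  3 10:15:09 lab-host sshd[1211]: Failed password for invalid user oracle from 203.0.113.9 port 51242 ssh2
Mar  3 10:20:30 lab-host sshd[1300]: Failed password for bob from 192.168.56.20 port 40100 ssh2
Mar  3 10:45:00 lab-host sshd[1400]: Failed password for bob from 192.168.56.20 port 40101 ssh2
"""


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other daemons are ignored
        # syslog timestamps carry no year, so one is supplied
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bursts(text, threshold=5, window_seconds=60):
    """Return {ip: (count, sorted users)} for every source address with at
    least `threshold` failures inside any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed logins within 60s, users={users}")
```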

CTF writeups on a blog: After completing TryHackMe rooms or public CTF competitions, write up your methodology: what tools you used, what you discovered, how you got from initial access to the flag. CTFtime.org lists active competitions. A Google Site, GitHub Pages blog, or WordPress site costs nothing and creates a searchable professional presence.

TryHackMe and Hack The Box profiles: Both platforms provide public profiles showing completed machines and ranking. A TryHackMe profile in the top 10% of users combined with Security+ is a competitive entry-level application.

Lab exercise documentation: Every Metasploitable exploit, every BloodHound Active Directory analysis in your home lab — document it. Screenshots, commands used, what worked and what did not. This documentation builds both your technical reference library and your portfolio.


Bug Bounty as Portfolio Evidence

Bug bounty programmes provide a legally defined context for real-world security research and are one of the most underutilised portfolio-building strategies for entry-level candidates.

A single valid bug report submitted through HackerOne or Bugcrowd demonstrates real-world application of security knowledge that no certification can replicate. HackerOne's 2023 Hacker Report found that the median time for a first valid report was 30 days of active testing for new users — meaning you do not need to be an expert to find your first bug.

Getting started with bug bounty:

  1. Register on HackerOne (hackerone.com) and Bugcrowd (bugcrowd.com)
  2. Filter programs by 'beginner-friendly' or 'low/medium complexity'
  3. Focus on web application vulnerabilities: XSS, IDOR (Insecure Direct Object Reference), information disclosure, open redirects, subdomain takeover
  4. Read Bugcrowd's VRT (Vulnerability Rating Taxonomy) to understand severity expectations
  5. Document your testing methodology for every target even when you find nothing — the habit builds report-writing skill
  6. Google Dorking (using advanced search operators to find exposed admin panels, backup files, etc.) is a zero-tool recon technique many beginners overlook

A Hall of Fame listing on a company's bug bounty program — which many companies award even for low-severity finds — is a compelling resume item. A HackerOne profile with three accepted reports carries more weight than a second CompTIA certification.


Entry-Level Role Titles to Target

Not all 'entry-level' cybersecurity postings are genuinely entry-level. Many listings titled 'junior security analyst' require 3-5 years of experience. Target the following roles specifically:

Role Title | Where to Find It | What It Involves | Salary Range (US)
IT Help Desk / Desktop Support | Small-medium businesses | Hardware support, password resets, basic networking | $40K-$55K
IT Support Technician | MSPs (Managed Service Providers) | Broad IT support, exposure to networking/security | $45K-$60K
SOC Analyst Tier 1 | MSSPs, large enterprises | Alert triage, SIEM monitoring, incident escalation | $50K-$75K
Junior Security Analyst | Small companies, startups | Broad security support, some SOC work | $55K-$80K
Security Operations Analyst | Government, financial services | Focused SIEM/EDR monitoring | $55K-$80K
Information Security Associate | Regulated industries | Compliance support, basic security monitoring | $55K-$75K

MSSPs (Managed Security Service Providers) are the best employers for first security roles. They operate outsourced SOC services for dozens or hundreds of clients simultaneously, which means Tier 1 analysts get exposed to a huge variety of environments, tools, and incident types. The learning rate at an MSSP in year one often exceeds what in-house SOC roles at single organisations can provide.

Target companies including: Arctic Wolf, Optiv, Trustwave, Secureworks, CrowdStrike (for MDR roles), Rapid7 (for MDR roles).


Salary Expectations by Year of Experience

Experience Level | Role | Typical Total Comp (US) | Notes
Year 0-1 (pre-security) | IT Help Desk | $40K-$55K | Building foundations
Year 1-2 (entry security) | SOC Analyst Tier 1 | $55K-$75K | First security role
Year 2-4 (junior) | SOC Analyst Tier 2 / Junior Pen Tester | $75K-$100K | With Security+ and CySA+ or eJPT
Year 4-7 (mid-level) | Security Engineer / Pen Tester | $100K-$140K | With OSCP or equivalent practical cert
Year 7+ (senior) | Senior Security Engineer / Senior Pen Tester | $140K-$190K+ | Specialist expertise, leadership

Notes: Figures from CompTIA IT Industry Outlook 2024 and ISC2 Cybersecurity Workforce Study 2023. Government and cleared roles (requiring active security clearance) often pay 10-20% above private sector for equivalent experience. Remote work has compressed geographic salary variation since 2020.


Common Mistakes That Slow People Down

Certification hoarding without applying: The most common trap. Accumulating A+, Network+, Security+, CySA+, CEH, and PenTest+ simultaneously without submitting job applications. Each additional certification has diminishing returns without accompanying practical experience. Apply to SOC roles after Security+ — the interview feedback will tell you exactly what to study next.

Targeting the wrong roles: Job postings for 'junior security analyst' that list 3-5 years of experience are not genuinely entry-level positions. Filter for titles such as 'Tier 1 SOC' and 'IT Security Support', and for MSSP employers. Do not measure yourself against mid-level job requirements.

Neglecting documentation: Every lab exercise completed without a writeup is wasted portfolio time. Documentation takes 30-45 minutes per exercise. Over 18 months that is 30-40 documented pieces of evidence that interviewers can review. This differentiates candidates dramatically.

Skipping professional networking: LinkedIn, local BSides security conferences (often free or low-cost), ISACA and ISC2 chapter meetings, and Discord communities (TryHackMe, TCM Security) provide referrals and hiring leads that formal applications rarely surface. The cybersecurity community is unusually generous with mentorship for people who approach it professionally.

Underestimating the helpdesk year: Spending 6-12 months in IT support is not a detour — it is the fastest technical education available. You encounter real configurations, real problems, and real systems in ways that no lab fully replicates. Candidates who have done genuine IT support work stand out in SOC interviews.

Paying for bootcamps before certifications: $5,000-$15,000 cybersecurity bootcamps do not reliably outperform the self-study path described here, which costs under $2,000 in certification fees and delivers the same or better outcomes. The TryHackMe + free Professor Messer + certification exam path is well-validated by community outcomes data.


References

  1. ISC2 Cybersecurity Workforce Study 2023. isc2.org/research/workforce-study
  2. CompTIA State of the Tech Workforce 2024. comptia.org/content/research/state-of-the-tech-workforce
  3. CompTIA IT Industry Outlook 2024. comptia.org
  4. CompTIA Certification Roadmap 2024. comptia.org/certifications
  5. TryHackMe Learning Paths. tryhackme.com/paths
  6. HackerOne 2023 Hacker Report. hackerone.com/resources/hacker-report
  7. Bugcrowd Vulnerability Rating Taxonomy. bugcrowd.com/vulnerability-rating-taxonomy
  8. Professor Messer Free Study Materials. professormesser.com
  9. SANS Cyber Aces (free foundations course). cyberaces.org
  10. Cybrary Free Security Courses. cybrary.it
  11. OverTheWire Wargames. overthewire.org
  12. VulnHub Vulnerable Machines. vulnhub.com
  13. TCM Security Free Ethical Hacking Course. tcm-sec.com
  14. DVWA (Damn Vulnerable Web Application). dvwa.co.uk
  15. Rapid7 Metasploitable 2. docs.rapid7.com
  16. Hack The Box. hackthebox.com

Frequently Asked Questions

What is the correct order of certifications for entering cybersecurity?

CompTIA A+ first (hardware and OS fundamentals), then Network+ (networking is the foundation of all security work), then Security+ (the standard gateway cert for security roles). After your first SOC job, add CySA+ for blue team depth or eJPT for offensive basics. OSCP is a long-term target for pen testers with 2+ years of experience.

How do I build a home lab for cybersecurity practice for free?

Install VirtualBox (free), then add Kali Linux as your attack platform, Metasploitable 2 as a vulnerable Linux target, Windows Server 2019 Evaluation as an Active Directory target, and DVWA for web application practice. Set all machines to host-only networking so they cannot reach the internet. Register on TryHackMe for guided structured exercises alongside your local lab.

What entry-level cybersecurity roles should I target first?

Tier 1 SOC Analyst at an MSSP (Managed Security Service Provider) is the most accessible first security role and provides the fastest skill development through exposure to diverse client environments. Also target: IT Security Support, Junior Security Analyst at small companies, and Information Security Associate at regulated businesses. Avoid applying to 'junior' roles that list 3-5 years of experience requirements.

How long does it realistically take to get a cybersecurity job from zero?

12-18 months with consistent daily effort for most people starting from zero IT knowledge, following the helpdesk-to-SOC pipeline. With 1-2 years of prior IT experience (help desk, networking, sysadmin), compress to 8-12 months. The timeline assumes spending 2-3 hours daily on study and lab work alongside a day job. Setting 3-month expectations leads to poor preparation and demoralising rejection cycles.

Is a cybersecurity bootcamp worth the cost?

Rarely. Most bootcamps cost $5,000-$15,000 and do not consistently outperform the self-study path of CompTIA certifications plus TryHackMe plus home lab, which costs under $2,000 total. The self-study path also produces stronger portfolio evidence (a documented GitHub lab, CTF writeups, bug bounty reports) than bootcamp projects. Spend the bootcamp budget on certifications, a better lab machine, and conference attendance instead.