Cybersecurity Roadmap: How to Go from Zero to Hired in 2026

The US had over 750,000 unfilled cybersecurity jobs in 2025, yet hiring managers routinely reject candidates who've spent 12 months studying the wrong things. The gap isn't talent — it's direction. Most self-taught paths bounce between YouTube rabbit holes, bootcamp upsells, and cert prep courses that don't connect to actual job requirements.

This cybersecurity roadmap is built around one question: what sequence of skills, certifications, and hands-on practice actually gets you hired? It's organized by career stage so you can enter at the right point, not waste months on material you've already covered or that won't be tested in interviews.

How to Use This Cybersecurity Roadmap

Before diving into the stages, two things are worth establishing upfront:

Certs are not skills. CompTIA Security+ proves you can memorize cryptography concepts. It does not prove you can configure a firewall rule or read a packet capture. Employers know this. The roadmap below pairs every certification goal with the hands-on lab work that makes the cert meaningful in an interview.

The role you want changes the path. A SOC analyst role needs different skills than a penetration tester role, which needs different skills than a GRC (governance, risk, compliance) role. This guide covers the shared foundation first, then branches. Pick your branch by month six — don't try to learn everything.

Stage 1: The Foundation (Months 1–3)

Every cybersecurity role — offensive, defensive, or compliance — requires fluency in the same set of fundamentals. Skip these and you'll hit a wall the moment an interviewer asks you to explain how a TCP handshake works or why HTTPS doesn't prevent phishing.

Networking Basics

You need to understand the OSI model, IP addressing, subnetting, DNS, DHCP, HTTP/S, and common protocols (FTP, SSH, SMTP). Not lecture-level understanding — you should be able to explain what happens when you type a URL and hit Enter, at every layer. Professor Messer's free CompTIA Network+ notes are sufficient for this. Spend two to three weeks here, no more.

Operating Systems

Get comfortable in Linux. Most enterprise security tools run on Linux, and most CTF challenges and labs assume it. Learn the command line: file permissions, process management, network commands (netstat, ss, tcpdump), and basic scripting with bash. On the Windows side, understand Active Directory concepts — user accounts, group policy, domain vs. workgroup — because most enterprise environments run Windows AD and most attacks target it.

Security Concepts

CIA triad, authentication vs. authorization, common attack categories (phishing, SQL injection, buffer overflow, man-in-the-middle), and basic cryptography (symmetric vs. asymmetric, hashing, PKI). These aren't deep dives — they're vocabulary. You need them to follow any security conversation.

Recommended Courses for Stage 1

Put It to Work: Prepare for Cybersecurity Jobs

This Coursera course (rated 9.7) is part of Google's cybersecurity certificate track and focuses specifically on translating foundational knowledge into job-ready skills — resume preparation, incident escalation procedures, and how SOC workflows actually function. More practically oriented than most intro courses.

A Practical Guide to Cybersecurity Operations Foundations

A Udemy course (rated 9.6) that covers the operational side of security — log analysis, alert triage, and basic threat hunting — which is exactly what entry-level SOC analysts do all day. Better preparation for the actual job than certification-only prep.

Stage 2: Your First Certification (Months 3–6)

CompTIA Security+ is still the standard first cert for most paths. It's DoD 8570 approved (required for US federal contractor roles), widely recognized, and covers enough breadth to open doors. It's not the most technical cert — that's a feature, not a bug, for entry-level hiring.

If your goal is specifically GRC or compliance work, consider jumping directly to the (ISC)² Certified in Cybersecurity (CC) instead of Security+. The CC is free to sit for, causes less pass-rate anxiety for beginners, and is more directly relevant to risk and compliance roles than Security+.

For Security+ Candidates

CompTIA SecAI+ Fundamentals: AI Cybersecurity Basics CY0-001

Rated 9.6 on Udemy, this course addresses the AI-security intersection that CompTIA added to its updated exam domains — threat actors using AI, AI-powered defense tools, and risks specific to LLM deployments. Relevant for the 2026 exam version and increasingly relevant to real job requirements.

For (ISC)² CC Candidates

The Official (ISC)² CC Certified in Cybersecurity Exams (2026)

Rated 9.5 on Udemy, this course uses the official (ISC)² content domains and includes practice exams closely modeled on the real test format. If you're targeting the CC specifically, this is more aligned than generic security courses.

The Complete Certified in Cybersecurity CC ISC2 2026

Rated 9.4 on Udemy, this course covers all five CC domains with a heavier emphasis on understanding over memorization, which maps better to the scenario-based questions (ISC)² uses on the actual exam.

Stage 3: Hands-On Labs (Months 4–8, Running Parallel to Cert Prep)

This is where most self-taught paths fall apart. Candidates finish a cert, apply to jobs, then fail technical screens because they've never actually configured anything. Labs fix this. Run them in parallel with certification study, not after.

Build a Home Lab

You don't need expensive hardware. A laptop with 16GB RAM running VirtualBox or VMware can host two or three VMs — enough for a basic attack/defend lab. You want: one Kali Linux attacker machine, one Windows Server target (evaluation licenses are free from Microsoft), and one Ubuntu machine for running defensive tools.

Building and Configuring Your Cybersecurity Attack Lab

Rated 9.6 on Udemy, this course walks through the exact setup process for a home attack lab — VM configuration, network isolation, tool installation, and running your first attacks in a legal sandbox environment. A practical complement to any cert prep course.

Practice Platforms

Once your lab is up, complement it with structured practice environments:

  • TryHackMe — guided, gamified paths for beginners. Start with "Pre-Security" and "Jr Penetration Tester" paths.
  • Hack The Box — less guided, higher difficulty, more representative of real pentest work. Good after TryHackMe.
  • Blue Team Labs Online — specifically for defensive/SOC skills: log analysis, SIEM querying, malware triage.
  • CyberDefenders — scenario-based forensics and incident response challenges. Hiring managers at MSSPs know this platform.

Document everything you do in a portfolio. GitHub repos, writeups, blog posts — anything that shows you've done the work, not just watched it.

Stage 4: Specialization and Mid-Level Certs (Months 7–18)

By month six or seven, you should be applying to entry-level roles (SOC Analyst Tier 1, IT Security Analyst, junior GRC analyst) while continuing to build skills. The following branches represent the three most distinct career tracks in the field.

Track A: Defensive / Blue Team

Target roles: SOC Analyst (Tiers 1–3), Threat Intelligence Analyst, Security Engineer, Incident Responder.

Cert path after Security+: CompTIA CySA+ (analyst-focused, intermediate), then Splunk Core Certified User (SIEM is a daily tool in most SOC environments), then optionally GCIH (GIAC Certified Incident Handler) for senior roles.

Skills that matter: SIEM query writing (Splunk SPL or Microsoft KQL), EDR triage, network traffic analysis, log correlation, threat hunting with MITRE ATT&CK.

Track B: Offensive / Red Team

Target roles: Penetration Tester, Red Team Operator, Bug Bounty Hunter, AppSec Engineer.

Cert path: eJPT (eLearnSecurity Junior Penetration Tester) as a stepping stone, then OSCP (Offensive Security Certified Professional) — the industry standard for pentest roles. The OSCP is hard and the prep takes months, but it's the cert hiring managers at security consultancies actually require.

Skills that matter: web application testing (OWASP Top 10, Burp Suite), network exploitation, Active Directory attacks (Kerberoasting, Pass-the-Hash, BloodHound), report writing.

Track C: GRC / Compliance

Target roles: Compliance Analyst, Risk Analyst, Information Security Manager, CISO (long term).

Cert path: (ISC)² CC → CISM (Certified Information Security Manager) or CRISC (Certified in Risk and Information Systems Control) for mid-level → CISSP for senior. Governance roles are less technically intensive but require understanding frameworks: NIST CSF, ISO 27001, SOC 2, HIPAA, GDPR.

Skills that matter: policy writing, risk register management, vendor risk assessment, audit preparation, control mapping.

What Experienced Practitioners Wish Someone Had Told Them

Unspoken Rules of Cybersecurity: A CISO's 20-Year Playbook

Rated 9.5 on Udemy, this course covers the organizational and political realities of security work that no cert teaches — how to communicate risk to executives, why security programs fail, and how experienced practitioners actually make decisions under pressure. Worth reading before your first mid-level interview.

What the Cybersecurity Roadmap Looks Like by Month

  • Month 1–2: Networking fundamentals, Linux command line, security vocabulary
  • Month 2–3: Windows/AD basics, cryptography concepts, set up home lab VMs
  • Month 3–5: CompTIA Security+ or (ISC)² CC study + practice exams; TryHackMe beginner paths in parallel
  • Month 5–6: Sit for your first cert; start applying to Tier 1 SOC or junior analyst roles
  • Month 6–12: Pick your track (blue/red/GRC); deepen hands-on skills specific to that track
  • Month 12–18: Mid-level cert (CySA+, eJPT, or CISM); build a visible portfolio; target Tier 2 or specialized roles
  • Month 18+: Senior cert prep (OSCP, CISSP, CISM) while working; mentor junior practitioners to accelerate your own learning

AI and Cybersecurity in 2026: What's Changed

Threat actors are now using AI to automate phishing content generation, accelerate vulnerability scanning, and write polymorphic malware. This is real and happening at scale. On the defensive side, SIEM vendors (Splunk, Microsoft Sentinel, CrowdStrike) have embedded AI-assisted detection and summarization into their products.

What this means for your roadmap: understanding AI threats is no longer optional even for entry-level roles. The CompTIA SecAI+ course listed above directly addresses this. Expect "AI security" to appear in job postings and interview questions regardless of which track you pursue.

What it doesn't mean: AI will not replace security analysts in the near term. Automated tools generate enormous volumes of alerts; human judgment is required to triage, investigate, and respond. The SOC analyst role is more valuable now, not less.

FAQ

How long does it take to get a job in cybersecurity from scratch?

Realistically, six to twelve months to land a Tier 1 SOC analyst or junior security analyst role if you study consistently (10–15 hours per week) and combine cert prep with hands-on practice. Roles with higher technical bars — penetration tester, incident responder — typically take 18–24 months from zero. People who only do cert prep and skip labs consistently take longer because they can't pass technical interviews.

Do I need a degree for a cybersecurity career?

No, but it helps for certain paths. Federal government positions and defense contractors often have degree requirements or security clearance prerequisites. Private sector employers — particularly MSSPs, consultancies, and tech companies — routinely hire based on certs and demonstrable skills. A portfolio of TryHackMe/HTB writeups and a home lab can outweigh a CS degree in many hiring contexts.

Which cybersecurity certification should I get first?

CompTIA Security+ for most people — it's the broadest entry-level cert, recognized across industries, and DoD-approved for federal roles. If you're specifically targeting GRC or compliance work, the (ISC)² CC is free to sit for and more directly relevant. If you already have a networking background (CCNA or equivalent), you can skip Security+ and go straight to CySA+ or a more specialized cert.

Is coding required for cybersecurity?

It depends on the role. SOC analysts and GRC professionals can get by with minimal coding — basic bash scripting and the ability to read Python are usually sufficient. Penetration testers and AppSec engineers need stronger programming skills: Python for tooling and automation, and enough web dev knowledge to understand what they're attacking. Security engineers who build tools and integrations need to code. Start with Python scripting and add more only if your target role requires it.

What's the difference between CompTIA Security+ and CISSP?

Security+ is an entry-level cert covering broad security concepts — appropriate for your first job. CISSP is a senior-level cert covering security management, architecture, and policy — it requires five years of professional experience to certify and is typically held by security managers and architects. They're not alternatives; they're six to ten years apart on the same career path.

Can I learn cybersecurity online, or do I need in-person training?

Online is fully viable. Most working security professionals learned online, through a combination of courses, hands-on platforms (TryHackMe, HTB), and self-directed lab work. In-person bootcamps are expensive and rarely provide value proportional to their cost. The exception is SANS courses — they're expensive but technically rigorous and respected by senior practitioners, worth it once you're mid-career.

Bottom Line

The cybersecurity roadmap most people follow — watch some YouTube, get Security+, apply to jobs, wonder why they're not getting interviews — fails because it skips the hands-on component. Hiring managers at MSSPs and enterprise security teams see hundreds of Security+ holders. What separates the ones who get hired is a home lab, documented practice, and the ability to answer "walk me through how you'd investigate a phishing alert" with specific tool names and steps.

Start with fundamentals and your first cert. Run labs in parallel, not after. Pick a track by month six. Build a visible portfolio before you need it. The field has genuine demand and real career progression — the path exists, it just requires more specificity than most guides admit.

If you're deciding where to start today, the Put It to Work: Prepare for Cybersecurity Jobs course on Coursera is the most job-focused entry point in the list above. If you want to understand what the job actually looks like before committing the time, Unspoken Rules of Cybersecurity is worth a weekend read first.
