This post is for those starting out. We’re saying the quiet part out loud.
Years back, cybersecurity professionals could rely on traditional career paths, getting a degree or certification and applying for jobs on LinkedIn.
But in 2025, I can objectively say things are different.
The job market is tougher than ever (even for experienced folks). Companies are prioritizing automation, outsourcing different functions, and hiring mainly senior individuals.
There has actually been a decline in job postings for Security Engineers and Analysts.
Simply having a certification or degree is no longer enough to land a job.
If I were to start all over in Cybersecurity, I wouldn’t follow the traditional route that many still believe is necessary. Although, my path was far from traditional.
Instead, I would take a strategic, modern approach that leverages the latest tools, industry shifts, and personal intent to accelerate the journey.
If you’re on the path to a career in cybersecurity, here’s the roadmap I would follow to set yourself up for long-term success.
Get Clear on Your Goal
This is your guiding principle that will help you make career decisions, select the right skills to learn, and position yourself accordingly.
One of the biggest mistakes beginners make is diving into cybersecurity without a clear direction.
Cybersecurity is vast, with dozens of specialties: cloud security, identity and access management, penetration testing, governance and risk management, incident response, and more.
Try to have a big-picture view of where you want to be, and think in systems.
This previous post talked about this: Why Security at Tech Companies is Hard (“Before we start, I want to acknowledge the obvious. Security in general is hard.”)
If you don’t have a focus area, you’ll get lost or stay in tutorial land. Think long-term.
Instead of randomly chasing certifications, I would take time to research the field and identify a long-term career goal.
When I started, we had to rely on books, training (sometimes expensive), and experience to build knowledge.
Today, with AI, learning and researching are more accessible than in the past.
You can use tools like ChatGPT for bouncing ideas around, Google Gemini for research, or Claude for coding projects. You get the idea.
You can leverage AI tools for any of the following:
Understand career paths
Generate specific study plans
Practice technical skills
Form better power statements for your resume
Keep in mind, this can help cut down the learning curve, but you still need to apply what you learn in real world scenarios.
Think of AI tools like a hammer: powerful, but if you don’t know what or how to hit, very little impact will be made.
Ask yourself the following questions before you get too far in your studies.
What kind of cybersecurity work excites me?
Do I want to be technical (like a security engineer), investigative (Threat Intel), or more strategic (like governance and risk)?
These questions will help frame your next moves.
Get Hands-On Experience
Certifications are great, but employers want proof that you can actually do the job.
If I were starting today, I would prioritize hands-on experience over simply collecting certs.
Here’s what I would do:
Set up a home lab: Use virtual machines and cloud platforms (AWS, Azure) to practice security concepts. These cloud providers make it easy to build hands-on skills, compared to buying hardware and spinning up multiple virtual machines yourself.
Participate in CTFs (Capture the Flag competitions): Platforms like Hack The Box, TryHackMe, or OverTheWire offer gamified learning that helps you develop real-world skills and deductive reasoning.
Contribute to open-source projects: Resources like GitHub have security-focused projects where you can contribute and gain experience.
Find internships or apprenticeships: Even unpaid internships can give you invaluable hands-on experience that will boost your resume. (This is how I started.)
It all comes down to proof of work. If you have no hands-on experience, then you have to create it. Simple, but not easy.
See this post if you want to know more about this distinction.
Build a Body Of Work
Your skills alone won’t make you stand out in cybersecurity. The job market is competitive, and those who actively build their brand have an advantage.
If I were starting out now, I’d establish a strong online presence by:
Posting regularly on <insert platform here>: Share insights about what you’re learning, industry trends, etc.
Engaging in online discussions: Join cybersecurity groups on Twitter and Discord to interact with the community.
Writing blog posts: Publish articles on Medium, Substack, or your own website to showcase what you’re learning. I may be biased here, but writing really will help you think more clearly about what you want.
A Body of Work: Have a place where you can show what you have worked on; this can be GitHub or your own website.
This can lead to job opportunities, mentorship opportunities, and build a network. More on this later.
Earn Certifications That Matter (Don’t Overdo This One)
Many people believe Cybersecurity is all about certifications.
While they do help, they’re not a golden ticket to success.
If I were starting out today, I’d focus on obtaining certifications that align with my chosen specialty and career goals.
For example:
If I wanted to work in cloud security: AWS Security Specialty, or Azure Security Engineer
If I wanted to be a penetration tester: OSCP
If I wanted a broad security foundation: Security+, Security Blue Team BTL1, etc.
Certifications should complement your hands-on experience, not attempt to replace it.
I wouldn’t waste time chasing multiple certs without applying the knowledge in real world settings.
If you’re curious about this, I wrote more about this topic here.
Network
In 2025, the best opportunities won’t come from job applications; they’ll come from networking.
Reach out to people through LinkedIn, Twitter, or wherever else you are connected.
This can help you learn from others and find mentors.
A mentor can help you:
Get career advice tailored to your goals
Avoid common mistakes
Learn specific skills faster
Some places to find people to connect with are LinkedIn, Discord groups, Slack groups, you get the point.
The thing is, most people are genuinely willing to guide newcomers.
If I were starting today, I’d reach out to cybersecurity professionals I’ve seen with a simple message:
“Hey [Name], I’m starting my cybersecurity career and saw your expertise on [something specific]. I’m currently learning about [write what you’ve been learning].
If you have time in the next few weeks, I’d love to learn from your experience. Any advice would be greatly appreciated!”
Most experienced professionals are happy to help if you show genuine curiosity and respect for their time.
This will be a numbers game: reach out to 10, 5 will get back to you, and so forth.
I would also try to attend cybersecurity conferences and meet the people you have connected with in person. This is a long-term game, but so are most things in life.
“The best things in life are often waiting for you at the exit ramp of your comfort zone.”
Karen Salmansohn
If attending in person isn’t possible, many conferences offer virtual sessions, and you can always go back to the suggestions above.
What I Read This Week
APT Down - The North Korea Files
More on the state-backed APT that has been making waves. This time, it suffered a breach itself.
The dump contains various logs, including phishing kits, browsing history, bash history, password lists, and more.
The full data dump can be accessed from the first page of the PDF link or at https://ddosecrets.com/article/apt-down-the-north-korea-files
Linux-Based Lenovo Webcams' Flaw Can Be Remotely Exploited for BadUSB Attacks
Presented at DEF CON: research showing a firmware-level vulnerability that allows this model of Lenovo webcam to be repurposed into a malicious USB device. Wild stuff.
In a theoretical scenario, the attacker mails the victim a free webcam and they’re on their way.
It is an interesting threat model in the physical attack space, as an attacker with physical access could attach the device to a victim’s computer.
The security principles guiding 1Password’s approach to AI
Some principles the blog post discussed are: authorization must be deterministic, not probabilistic; log agent actions; and always encrypt secrets.
At first glance these seem obvious, yet in practice they are not always done.
It’s also just interesting to see how other companies are tackling these industry-wide challenges.
TCP #97: 5 Takeaways From Black Hat x DEF CON 2025
The “agentic AI replacing humans” narrative is BS, and finally the masses have realized it.
Trust networks FTW: Peer recommendations now matter more than vendor websites in how security tools actually get bought.
Breaches
Lots of them. But I wanted to keep it more positive this week and include this good news.
DEF CON hackers plug security holes in US water systems amid tsunami of threats
This effort provides no-cost cybersecurity assistance to US water utilities.
DEF CON Franklin is a collaborative effort with the National Rural Water Association and the University of Chicago.
Final Thoughts
The cybersecurity job market has changed, and we have to change with it.
Those who adapt, take initiative, and actively showcase their skills will have a massive advantage.
If you’re thinking about starting in cybersecurity, the best time to begin was yesterday; the second-best time is now.
Follow this outline, stay persistent, and you’ll be on your way to a successful and rewarding career.
See you in the next one.
Solid read. I think what I'm missing here is an acknowledgement of uncertainty. When you're just starting out, it's extremely hard to map out all the different types of security roles that can exist, let alone what a typical day job might look like.
I started out as 100% wanting to be a pentester. Then I figured that I enjoyed detection engineering, because it has a building/DevOps-ish aspect to it. Then I gained exposure to incident response. Then security engineering, etc.
I guess my message would be "strong opinions, weakly held" about what your career goal is. It's totally normal to pivot, and it tends to create amazing profiles, such as a security engineer who's done some pentesting before and has been a software engineer too.