Things have changed. See last week’s post where I discussed this.
So you've read the roadmap, and maybe even bookmarked it for "later.
The gap between knowing what to do and actually doing it is where most cybersecurity careers are made.
This post is about bridging that gap. It's about turning that roadmap into real, measurable progress.
Doing the work is the hard part. Let’s get into it.
Start With One Thing
Seriously, just one.
The biggest mistake I see people make on their journey is trying to do everything at once.
They sign up for three different certification courses, start five different CTF platforms, and attempt to build a home lab while simultaneously trying to talk with too many LinkedIn connections.
Two weeks later? Burnout and frustration.
If I were starting today, I'd pick one thing, one domain and focus on it for 2 weeks to a month.
Just one.
It could be setting up your first virtual machine and working through Bandit challenges on OverTheWire.
Maybe it's writing your first blog post about something you learned this week.
Maybe it's reaching out to someone in a similar role you see yourself in for a 15-minute informal conversation.
The specific choice matters less than the commitment to put in the work.
It won't be until there is deliberate focused work, where you’ll start seeing real progress.
Cybersecurity is a wide umbrella of domains, so this will render better results than learning multiple domains simultaneously.
Create Your Learning Sprint System
In a lot of companies, you work in a “Sprint” environment for example in scrum.
Where you allocate work for 2 weeks or some other period of time, and this is work towards a project.
Let’s take that same concept and apply it to forming a learning plan.
Here's how I would structure my learning as sprints if I were starting out:
Week 1: Foundation Building
Choose your focus area (cloud security, incident response, etc.)
Complete your first hands-on challenge (web based, or on your Terminal)
Week 2: Setup Your Tools
Set up your basic tool stack (VM, note-taking system, GitHub account)
There will be trial and error here, embrace it
Week 3-6: Document and Share
Write about what you learned in weeks 1-2
Share it somewhere (LinkedIn, Medium, Substack your own site)
Join one relevant community or Discord group
Get feedback from the community
Week 7-8: Connect and Apply
Reach out to 5+ professionals in your chosen area
Apply your learning to a new, slightly more complex challenge
Re-iterate
Then repeat. Each sprint builds on the last, creating momentum instead of scattered effort.
The beauty of this system is that it creates checkpoints. You're not grinding away for months without seeing much progress. Every two weeks, you have something concrete to show for your efforts.
Track Your Progress
Because what gets measured gets done.
Most people underestimate how much they're actually learning and accomplishing.
I would keep a simple weekly log tracking three things:
Technical Skills: What specific tool, command, or concept did I learn this week?
Community Engagement: Who did I connect with? What did I share?
Real-World Application: How did I apply my knowledge to solve an actual problem?
It doesn’t matter if you use Obsidian, Notion, or whatever the cool kids are using these days. This is more about creating visibility into your growth.
The goal is to maintain forward momentum even when enthusiasm wanes. Studies show it takes about 2-3 months to build a habit (66 days on average)
The three things to track also make it manageable.
The book Pick Three: You Can Have It All talks about this from an overall life perspective, (focusing on 3 big outcomes for the day) but we can apply it here to learning.
When you're six months in and wondering if you're making progress, you'll have concrete evidence to look back on of how far you've come.
If this seems like a long period of time just remember, this time will pass no matter what. It will pass by faster than you think
I wish I had done this from the beginning. In the long run, the learning compounds but because I wasn't tracking it, those early months/year felt like slow progress.
Navigate the Inevitable
Let's address an uncomfortable truth: you're going to hit walls.
The "Too Many Options" Wall
Analysis paralysis is real. When you're overwhelmed by choices, remember this. The specific path matters less than forward movement.
The "Nobody's Responding" Wall
Not everyone will respond to your outreach efforts. That's normal. The ones who do respond are the ones you want to connect with anyway.
The "Impostor Syndrome" Wall
You'll feel like a fraud. Everyone does at some point.
It might feel like everyone else knows more than you. They don't. They're just further along in their journey.
If someone were to start a hobby before you picked it up, they would probably be further along in that hobby. Same principle here. Keep building.
The "Information Overload" Wall
The cybersecurity field moves fast. New vulnerabilities, new tools, new frameworks. You can't learn everything, and you don't need to. Focus on fundamentals first, then expand.
Each of these walls is normal and expected. The people who succeed aren't the ones who avoid these obstacles, they're the ones who push through them.
Build Your Personal Advisory Board
As you start connecting with people, you'll naturally gravitate toward a few who really resonate with your goals and approach.
Cultivate these relationships intentionally.
I would aim to build relationships with:
A Technical Mentor: Someone who can guide your skill development
A Career Strategist: Someone who understands the landscape and can help with positioning
A Peer Group: Others at a similar stage who can share the journey with you
Having something remotely close to the above will be a game changer. No, not using people. It's more about building genuine, mutually beneficial relationships in the cybersecurity community.
The key word here is "genuine." Don't approach networking as a transaction. Approach it as relationship building. Offer value first.
For example
Share what you're learning
Ask thoughtful questions
Be specific in your interests
Measure Success Differently
Traditional job hunting advice focuses on metrics like applications submitted or interviews.
In today's market, I would track different success metrics:
Conversations had with industry professionals
Technical projects completed and documented
Community contributions made
These are leading indicators that matter more in the long run than lagging indicators like job interviews.
Think of it this way: interviews, and then offers are the outcome. These building blocks are what create the conditions for job offers to happen.
90-Day Challenge
Here's what I would commit to if I were starting today:
By day 90, you will have:
Completed at least 10 hands-on technical challenges
Published 5 pieces of content about my learning journey
Had meaningful conversations with 10 cybersecurity professionals
Built one project I can demonstrate to potential employers
Not 9 certifications. Not 100 job applications.
Real, demonstrable progress that proves I can do the work.
This timeline forces you to prioritize activities that create real value rather than busy work.
Document Everything (Even the Failures)
Here's something I wish someone had told me early on: document your failures as much as your successes. I knew to keep a list of things I worked on over time, to be able to look back on, but a “things that failed” doc?
I now have a running doc for “things failing”, and add to it as I work though those issues with workarounds and solutions.
The blog post about the CTF that had you ripping your hair out teaches as much as the one about your successful one.
The time you accidentally pushed a secret to github? Teaches how you handled the cleanup.
The project that didn't work as expected shows problem-solving skills.
The certification exam you failed (and retook) demonstrates persistence.
People want to see how you handle challenges, not just what went well.
Now, before you finish this post, decide on your one thing for the next 30 days.
Write it down.
Then start.
What I Read This Week
Compromised npm package threatens developer projects
This is a trend I'm not liking, but makes too much sense from an attackers perspective
Malicious version of eslint-config-prettier was reported by the research team at Socket.dev
LLM chatbots trivial to weaponize for data theft
A study was conducted by King's College London based on system prompts designed to encourage personal information disclosure
“Our study shows the huge gap between users' awareness of the privacy risks and how they then share information.”
It’s still amazing how many people think purely from a productivity standpoint and not from a privacy one (Input vs Output)
The full paper from the study is at the Kings College Research Portal
How XProtect’s detection rules have changed 2019-25
Goes over the uptick in macOS XProtect.yara file
I kid you not, this was the last file I had on “Finder Go to Folder” command (Command-Shift-G), so I was able to get to it quickly upon reading this
Breaches
HR giant Workday discloses data breach after Salesforce attack
Through a social engineering campaign targeting Salesforce instances, attackers accessed data from the compromised CRM systems
This campaign has impacted many other high-profile companies. (Will probably write a full post on this one)
Wrapping Up
Starting and building a Cybersecurity career isn't easy, but it's possible.
It means you need to be more strategic, more focused, and more intentional about how you approach the journey.
The previous post gave you “the what”. This post focused on “the how”.
Now comes the most important part: the doing.
See you in the next one.