r/SecurityCareerAdvice

▲ 2 r/SecurityCareerAdvice+1 crossposts

5 cybersecurity roles you can land without a CS degree — what each one actually requires

The degree requirement in cybersecurity is mostly fiction.

It describes the path of people who entered the field 15 years ago — before Security+, before TryHackMe, before structured entry paths existed. Most of them needed IT experience because that was the only path.

That’s not the world you’re applying in.

Here are 5 roles that hire based on what you can demonstrate:

SOC Analyst

Monitor alerts, investigate incidents, triage threats. Highest volume of entry-level openings in the field.

Security+ is the universal hiring signal. A home lab and documented TryHackMe practice beat a diploma in most hiring conversations. Timeline from zero: 6–9 months.

GRC Analyst

Governance, Risk, Compliance. Less technical than most people expect.

Security+ opens the door. Written communication matters more here than in technical tracks. Demand is consistently higher than supply — most people overlook it because it doesn’t sound exciting. That’s your advantage. Timeline: 6–10 months.

Junior Pen Tester

Break systems legally. Find vulnerabilities before attackers do.

Harder to land cold. CTF results, a home lab, and eJPT change the equation. Portfolio carries more weight than any cert here. Don’t start here if you need income fast — start with SOC and pivot. Timeline: 9–14 months.

Cloud Security Analyst

Protect AWS, Azure, or GCP infrastructure. Growing faster than the talent pipeline.

A cloud cert paired with Security+ puts you ahead of most applicants. Fewer qualified candidates than traditional security roles. Timeline: 8–12 months.

IT Security Analyst

Broad scope — access management, endpoint protection, policy, incident response. Standard bridge role before specialization.

Security+ is the signal. Strong entry point if you’re coming from a general IT background or want breadth before depth. Timeline: 6–9 months.

What all five have in common: they care about what you can demonstrate. Not where you studied. Not how long you waited.

A cert, a home lab, documented practice. That’s the hiring signal.

Happy to answer questions on any of these

reddit.com
u/0xQuincy — 1 hour ago
▲ 39 r/SecurityCareerAdvice+1 crossposts

I made a free CISA “picture book” because I was struggling

I’m prepping for CISA and was burning out on giant PDFs and question banks.

I learn better with stories, simple illustrations, mnemonics, and quick recall questions, so I turned the whole CISA outline into a free online picture book.

It’s just my personal study project, no paywall, no signup:
https://www.steadycert.com/cisa.html

If you’re also studying and try it, I’d love any honest feedback on what helps or sucks.

If you're also interested in building better study materials for any subject, let's get in touch and exchange pointers!

u/Shawnljj — 5 hours ago

How to get hired as an ethical hacker?

How to get hired as an ethical hacker? So far I have worked in web development.

How to get hired as an ethical hacker in Europe?

Where to study this online for free?

What is the recruitment process for this job in 2026?

What is the salary for a junior (minimum and maximum amount)?

u/Illustrious-Vlk-826 — 1 hour ago
🔥 Hot ▲ 126 r/SecurityCareerAdvice+1 crossposts

Is it really that bad?

Hey everyone, I’ve been seeing a ton of posts lately claiming the job market is at an absolute standstill and that landing a role in cyber is basically impossible right now. At the same time, I keep hearing about the massive talent gap and the desperate need for professionals.

I’m right on the brink of being ready to apply, and honestly, these extreme posts are starting to get in my head. I’ve put a massive amount of time, patience, and energy into this journey. Is it actually as bleak as people are making it out to be, or are we just seeing the loudest voices? Would love some "boots on the ground" perspective from people actually hiring or recently hired.

u/AdItchy9840 — 1 day ago

2nd Year CSE (Grad 2028) – Is Focusing on Bug Bounty Worth It Long-Term?

I’m a 2nd year CSE student from India (graduating in 2028) and currently focusing on cybersecurity. I’ve been learning web security through PortSwigger Academy and have already completed topics like access control, authentication, and web cache deception.

I’m comfortable with basics of Linux, networking, and tools like Burp Suite, and I’m planning to continue deeper into web vulnerabilities.

My main question is:

  • Is it worth investing significant time into bug bounty at this stage?
  • Or would it be better to focus on a more structured path like penetration testing or cloud security for long-term career stability?

With AI evolving quickly, I’m also unsure how valuable bug bounty skills will be by the time I graduate in 2028.

I’d really appreciate guidance on what path would be the smartest to focus on right now.

u/Due_Committee5549 — 9 hours ago

[Need advice] Transition from AppSec to Security Engineering

I have nearly 9YoE in cybersecurity, primarily supporting product teams across application security and DSO initiatives.

I've built the security champions program at my previous 2 companies and given internal training on secure coding methods. I've helped the teams integrate and manage security pipelines (SAST, DAST, SCA) in their existing workflows and also created workflows for them. Now I'm working closely with engineering teams on remediations and security improvements.

I come from a C# background, but I haven’t really built production-grade applications end-to-end myself.

While I understand core web fundamentals (HTTP, CSP, CORS, etc.) and security concepts in depth, I haven’t had the opportunity to operate fully as a security engineer embedded within a development lifecycle. I’m now looking to transition deeper into Security Engineering roles (product-focused) and am currently considering:

  • Working on my DSA and problem-solving skills
  • Understanding system design from a security-first perspective
  • Building hands-on projects to bridge the “builder gap”

My question for those already working in security engineering:

  • What skills or experiences made the biggest difference for you?
  • How important is DSA vs. practical system building in this transition?
  • Any specific projects or learning paths that helped you stand out?

Appreciate any guidance.

P.S. Asked ChatGPT to refine my post. TIA

u/0xoddity — 7 hours ago
▲ 8 r/SecurityCareerAdvice+1 crossposts

Is GRC worth it?

Hey everyone! I am currently studying at university and feel that it's high time I start choosing my career path. I am studying software engineering, but am realising that coding might not be the right fit for me. That's when I discovered Governance, Risk, and Compliance (GRC). I've been researching GRC and trying to find out which courses or certifications would be beneficial for entering this field. I came across a course by "Unix Guy," which looks promising, but it costs nearly $500. I'm wondering if it's worth the investment or if it would be a waste of money. I would also greatly appreciate any guidance on what steps to take next, as well as suggestions for projects I could work on and the skills I should develop. Thank you!

u/Key-Fishing-8270 — 1 day ago

Advise the mother what to do next 🤔

# Ethical Hacking Learning Report

Name: Rajiv Kumar

Class: 12th

Field: Cyber Security / Ethical Hacking

---

## 🔹 Introduction

Ethical Hacking refers to the practice of legally testing computer systems, networks, and applications to identify security vulnerabilities and fix them before malicious hackers can exploit them.

This report summarizes the concepts, tools, and practical knowledge I have gained during my learning journey.

---

## 🔹 Topics Covered

### 1. Linux Basics

* Linux is a powerful operating system widely used in cybersecurity

* Understood directory structure: /, /home, /etc, /var

* Learned basic commands:

  * ls → List files and directories

  * cd → Change directory

  * sudo → Execute commands with administrative privileges

  * su → Switch user

---

### 2. Advanced Linux Commands

* history -c → Clear command history

* apt → Install, update, and remove packages

* apt reinstall → Reinstall a package

---

### 3. Networking Basics

* Learned about IP addresses

* Understood network interfaces like wlan0

* Learned networking differences in VirtualBox environments

---

### 4. Information Gathering Tools

* whois → Retrieve domain information

* nslookup → Check DNS records

* theHarvester → Collect emails and related data

---

### 5. Scanning Tools

* nmap → Scan networks and identify open ports

---

### 6. Kali Linux Setup

* Installed Kali Linux

* Explored built-in tools

* Troubleshot setup issues

---

### 7. Metasploitable Setup

* Learned that Metasploitable is a vulnerable machine used for practice

* Installed it on VirtualBox

* Connected it with Kali Linux for testing

---

### 8. Phases of Ethical Hacking

  1. Reconnaissance (Information Gathering)

  2. Scanning

  3. Gaining Access

  4. Maintaining Access

  5. Covering Tracks

---

### 9. Wireshark

* Used for analyzing network traffic

* Captures and inspects data packets

---

## 🔹 Practical Work

* Installed Kali Linux successfully

* Set up Metasploitable

* Practiced Linux commands

* Used scanning tools

---

## 🔹 Conclusion

I have successfully understood the basic concepts of ethical hacking and practiced essential tools.

I am motivated to continue learning advanced topics like penetration testing and real-world security practices.

---

## 🔹 Future Goals

* Learn advanced cybersecurity tools

* Start bug bounty hunting

* Build a career in cybersecurity

---

u/rajivkumar536 — 1 day ago

Navy Cyber vs USAF Cyber

Currently a USAF Cyber Officer playing in both roles of 17D and 17S. Looking into the Navy Interservice Transfer program. Has anyone done this and what was your experience like? I am interested in new experiences and am a prior Active (both Enlisted and Officer) Senior O-3.

u/One-Commercial-1943 — 1 day ago

Thinking of pivoting to Cybersecurity/Cloud (security or engineering). Any advice is appreciated

Hey everyone, I’m working as a Technical Support Engineer with around 2 years of experience. I mainly deal with Active Directory, building VMs on Hyper-V, general infra stuff and user support.

Lately I’ve been feeling kind of stuck and don’t see much growth where I am. I’ve been thinking about switching to either cybersecurity (maybe cloud security) or cloud engineering, but I’m not sure which direction to take.

Would really appreciate any advice from people in these fields - how did you decide, and what should I start focusing on?

u/Unlucky-Fly8505 — 1 day ago

Mid-level folks: are you optimistic or pessimistic about job prospects?

Hey all, I was talking to people at a few local mixers/events this past week. While I've been watching AI tools rip through my friends and connections in the software engineering world, it feels like every AI tool adds ~3 new tasks to my plate. In some ways, despite the broader economy, I feel pretty confident in my job security and staying in demand.

I know this question is broad, but for the mid-level folks on this sub, how are you feeling? Obviously unemployment looms in the back of our heads, but are you feeling relatively secure in your position over the next year or two? Next five?

u/fuzzyfrank — 3 days ago

What projects help land my first Web App Pentesting job?

I'm a 2026 graduate and currently unemployed. I'm very interested in web application penetration testing.

  • Ranked in top 3% on TryHackMe
  • Practicing labs regularly
  • Knowledge of OWASP Top 10

I want to know what kind of projects or portfolio work companies actually value for entry-level pentesting roles.

Should I focus on:

  • Bug bounty reports
  • Building vulnerable apps
  • GitHub tools/scripts

Any advice or roadmap would really help.

u/Gold-Ad-3091 — 1 day ago

Which hacking field is profitable and fun? I'm curious about your thoughts!

I'm a college student studying cybersecurity. I'm currently considering what kind of hacking field to find a job in... It should be very interesting, fun, and most importantly profitable for me. I wonder if there's a field like that! But the most important thing should be the area of hacking where you end up with experience, where you can work as a freelancer... Web, Pwnable, Reversing, Web3, Cryptography, Forensics, etc. What are there?

u/NothingValuable587 — 3 days ago

Where should I start? Prioritize getting a job or do something that you really like?

To give some brief context, I started in cyber less than a year ago, began learning the basics and did the CompTIA Security+. After this a choice came to me: since I'm learning on my own I needed a new path to focus on, so I decided to focus on SOC Analyst, learning to build SIEM labs, interpreting alerts and logs, and creating custom rules. I also created some IDS labs, VLAN labs, and so on. But I made this choice based on the 'market', since this was supposedly the role every organization was looking for.

The problem is this: I don't really like this field much. To be honest, the three major specializations that I would like to go deep in are Pentesting, Reverse Engineering, and Digital Forensics.

My question is, should I keep focusing on SOC until I get a job? Or should I just do the things I like more? And can you give me advice on how to approach these three fields, since all three are different?

u/Constant-Yak1987 — 3 days ago
▲ 2 r/SecurityCareerAdvice+1 crossposts

Is Cybersecurity Training Worth It in 2026? (Especially with Placement Programs?)

I keep seeing programs like H2K Infosys offering cybersecurity training with placement support. Has anyone here actually taken one of these?

Did it help you land a job?

How hands-on was the training?

Would you recommend it for beginners?

u/Real-talks4512 — 2 hours ago

I need advice on my resume

https://imgur.com/a/GhLe4XU

I’ve been in IT for a decade. I would prefer a career in cybersecurity, but I would be happy with a role that was security adjacent or security aligned. My resume does need an aesthetic update but I’m more worried about the skillsets and what certifications I should attempt to improve my chances.

School, in this economy, isn’t an option. If I cannot pivot into the field with my experience and certifications, I’ll probably look into something else, like cloud engineering or networking, etc. School will be an option when I can afford it again. I am currently paying off student loans that I owe.

u/JaimeSalvaje — 3 days ago

Should I do this for fun or for money?

I'm a 57 year-old retired software engineer with a strong background in safety critical development, mainly in the aerospace, defence and power generation industries. I'm beginning to get into infosec, really for the fun and challenge of it but it would potentially be useful if I could monetise this at least to some degree at some stage.

I've done a bit of research and laid out the bones of a plan along the lines of setting up a home lab to run projects and sysadmin experiments on, Security+, Network+, running CTFs, bug bounties etc. Broad strokes entry level prep with a view to a SOC position en-route to some kind of freelance network security consulting type role.

I live a quiet settled life out in the middle of nowhere in Wales and don't really want to do the big city/office 9-5 thing. The question is, am I utterly deluded to think this is a viable path, particularly at my age and in the current market (obviously it'll be a while before I'm ready to start looking for work though)? My intention is to pretty much do all the stuff I mentioned regardless, but if there's no realistic possibility of work for an old-fart-newbie like me, the approach I would take to it would be more personal interest led rather than focused on an efficient path to career development.

u/MrMikeHigginbottom — 4 days ago

Student graduating in 2027 - Am I cooked in this job market?

Hey everyone,

I’m a computer science student seeking feedback on my anonymized resume and overall career path in cybersecurity. I’ve completed two internships in IT (infrastructure/systems and endpoint security) and have an upcoming Security Engineering internship focused on GRC work. I’m also studying for the CompTIA Security+ and considering a master’s degree in cybersecurity.

With everything I’ve been seeing online about how tough the job market is, I’m wondering if I’m on the right track. I feel good about my experience, but at the same time I’m worried I might not be doing enough.

How does my background stack up for entry-level roles? What positions should I realistically target, and would a master’s degree be worth it compared to gaining more experience or certifications?

Any honest feedback on my resume or career direction would be greatly appreciated. Thanks!

Resume : https://imgur.com/a/j5fLyHz

u/InternationalBad3058 — 5 days ago

Is AI Going to Make the SOC Redundant In the Next Couple of Years?

SOC Analyst here with three years' experience (5 years total of IT experience). I work for a smaller MSSP. My employer announced that they are working on implementing AI into the SOC. How they plan to do it is that the AI can look at typically low-tier alerts, have an automated workflow and close them if they are benign and even send out emails to consumers if they feel they are malicious. Sounds good in theory and it's being touted as making the SOC less noisy. But if AI can take over those lower tier alerts, how long before 90% of the SOC can be fully automated? Before AI can be trained to handle everything, including looking into EDRs?

I work for a smaller MSSP. I make less than six figures. I've been trying to move into IR with not much luck. But hearing what we can do with AI and how it will be implemented in the coming weeks does spook me. If my company can implement this, what are the bigger guys doing? What are the large companies, the larger MSSPs, FAANG and others working on? Is this the beginning of the end of the SOC as a career?

Like a lot of people in the career field, the job market seems awful. I've been continuing to upskill and gain more certs but it's been slow. I'm just worried that I am going to get laid off due to AI before I find something better.

What are you guys seeing at your employers?

u/gimmiefuelgimmiefire — 3 days ago