Cybersecurity Career Roadmaps
Step-by-step paths from beginner to professional across 4 major cybersecurity roles. Each roadmap covers skills to build, certifications to earn, and tools to master — in order.
Phase 1 — Foundations (Months 1–3)
1
Networking Fundamentals
Master the OSI model, TCP/IP stack, DNS, HTTP/HTTPS, DHCP, ARP, routing basics. Learn to read packet captures in Wireshark. Understand how data flows across networks — this is the foundation of everything.
2
Operating Systems (Windows & Linux)
Learn Windows event logging, registry, Active Directory basics, and PowerShell. On Linux: file permissions, process management, systemd, bash scripting, and log locations (/var/log). Both OSes are critical in enterprise SOC.
3
Security Fundamentals
Study CIA triad, authentication models, cryptography basics (symmetric/asymmetric), common attack categories (phishing, malware, DoS, MITM). CompTIA Security+ covers all of this with a focus on SOC relevance.
Phase 2 — SOC Core Skills (Months 3–9)
4
SIEM Platforms
Learn to write queries, create dashboards, and configure alerts in Splunk or Microsoft Sentinel. Focus on correlation rules, log normalization, and alert tuning. Splunk Core Certified User is the most recognized entry-level SIEM cert.
5
Threat Intelligence & IOCs
Learn IOC types (IPs, domains, hashes, URLs), how to defang and enrich them. Understand threat intelligence frameworks (MITRE ATT&CK, Diamond Model, Kill Chain). Use platforms like MISP, OTX, VirusTotal.
6
Alert Triage & Investigation
Practice triaging alerts: true positive vs false positive. Learn SOC investigation workflow — identify, contain, escalate. Study common attack patterns (phishing, lateral movement, credential dumping) in Windows event logs.
7
Incident Response Basics
Study NIST SP 800-61 IR lifecycle: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned. Write IR playbooks for phishing, ransomware, and account compromise scenarios.
Phase 3 — Advanced & Specialization (Months 9–18)
8
Threat Hunting
Move from reactive alerting to proactive hypothesis-driven hunting. Learn to write detection rules in Sigma, hunt for specific MITRE techniques in logs, and use behavioral analysis to find attacker TTPs hiding in noise.
9
SOAR & Automation
Learn security orchestration with tools like Palo Alto XSOAR, Shuffle, or Microsoft Sentinel Playbooks. Automate repetitive SOC tasks: IOC enrichment, alert deduplication, ticket creation, containment actions.
10
Target Certifications
SOC analysts commonly pursue: CySA+ for intermediate analysis, Microsoft SC-200 for Sentinel/Defender, GIAC GCIH for incident response at scale, and GIAC GCIA for network intrusion analysis.
Key Tools to Master
- Splunk / Microsoft Sentinel / QRadar
- Wireshark / Zeek / Suricata
- VirusTotal / Any.run / Joe Sandbox
- TheHive + Cortex (case management)
- MISP (threat intelligence sharing)
- Sysmon (enhanced Windows telemetry)
- Velociraptor (DFIR & threat hunting)
- CrowdStrike / SentinelOne (EDR)
Practice Platforms
- TryHackMe — SOC Level 1 & 2 paths
- LetsDefend — real SOC alert simulations
- Cyberdefenders — DFIR/SOC challenges
- BlueTeamLabs — Windows forensics
- Splunk Boss of the SOC (BOTS)
- Microsoft SC-200 learning path
- Hack The Box — Blue Team labs
- AttackIQ Academy — MITRE ATT&CK
Phase 1 — Technical Foundations (Months 1–6)
1
Networking Deep Dive
Master TCP/IP at the packet level. Understand routing, NAT, firewalls, VPNs, and proxy chains. Learn protocol internals: how DNS works under the hood, how HTTP/HTTPS sessions establish, how SMB authentication works.
2
Linux & Windows Mastery
On Linux: bash scripting, file permissions, privilege escalation paths (SUID, sudo misconfigs, cron jobs). On Windows: registry, services, scheduled tasks, Active Directory, PowerShell. Kali Linux is the primary pentester OS.
3
Programming for Hackers
Python is essential: write exploits, automate enumeration, build custom payloads. Learn Bash for one-liners. JavaScript for XSS payloads. Understanding C/Assembly helps for binary exploitation. SQL for injection attacks.
Phase 2 — Core Pentesting Skills (Months 6–18)
4
Web Application Pentesting
Master OWASP Top 10: SQLi, XSS, IDOR, SSRF, XXE, SSTI, broken auth, deserialization. Use Burp Suite Pro as your primary tool. Practice on DVWA, HackTheBox, PortSwigger Web Academy (free!).
5
Network Pentesting
Learn external and internal network assessments: Nmap scanning, service enumeration, exploitation with Metasploit, password attacks (Hydra, CrackMapExec), post-exploitation with Meterpreter. Practice methodology: Recon → Scan → Exploit → Post-exploit → Report.
6
Active Directory Attacks
Active Directory is in nearly every enterprise. Learn: Kerberoasting, AS-REP roasting, BloodHound/SharpHound for path discovery, Pass-the-Hash, DCSync, Golden/Silver Ticket, LDAP enumeration, and domain privilege escalation.
7
Report Writing
A pentest is worthless without a clear report. Learn to write: executive summaries for non-technical stakeholders, technical findings with CVSS scores, proof-of-concept screenshots, and actionable remediation steps. Reports are what clients pay for.
Phase 3 — Specialization & Certifications (Year 2+)
8
Advanced Techniques
Develop skills in: AV/EDR evasion, custom C2 frameworks (Cobalt Strike, Havoc, Sliver), red team operations, cloud pentesting (AWS/Azure), API security testing, and mobile app pentesting. Specialize in 1–2 areas to stand out.
9
Certifications Roadmap
The certification hierarchy: eJPT (beginner) → PNPT or OSCP (intermediate, widely recognized) → CRTO for red teaming → OSEP for advanced exploitation → OSED for exploit development. OSCP is the gold standard for employment.
Essential Tools
- Burp Suite Pro (web app testing)
- Nmap + NSE scripts (network scanning)
- Metasploit Framework
- BloodHound (AD attack path mapping)
- Impacket suite (Windows protocol attacks)
- Responder + NTLMRelayX
- Chisel / Ligolo-ng (tunneling)
- Cobalt Strike / Havoc C2
Practice Labs
- Hack The Box (Pro Labs for realistic AD)
- TryHackMe — Jr Penetration Tester path
- PortSwigger Web Security Academy (free)
- PentesterLab — web app focus
- VulnHub — offline VMs
- GOAD — Game of Active Directory lab
- PwnTillDawn
- TCM Security courses
Phase 1 — Forensics Foundations (Months 1–6)
1
Digital Forensics Fundamentals
Learn forensic principles: evidence preservation, chain of custody, write-blocking, disk imaging (dd, FTK Imager). Study file systems (NTFS, ext4, FAT32), MFT, USN journal, and metadata. Forensics starts with preserving evidence correctly.
2
Windows Forensics
Master Windows forensic artifacts: $MFT, Prefetch, Shimcache, Amcache, LNK files, Jump Lists, Registry hives (NTUSER.DAT, SAM, SYSTEM), EVTX logs, browser history, and shellbags. Timeline everything.
3
Memory Forensics
RAM contains what disk doesn't: running processes, network connections, encryption keys, credentials in plaintext. Learn Volatility 3 for process analysis, network artifacts, malfind, dumpfiles, and detecting code injection in memory.
Phase 2 — Incident Response (Months 6–18)
4
Network Forensics
Analyze PCAP files for C2 traffic, data exfiltration, lateral movement. Use Zeek to generate log files, Suricata for IDS rules, NetworkMiner for session reconstruction. Learn to identify malicious patterns in DNS, HTTP, SMTP traffic.
5
Malware Analysis
Learn static analysis (YARA rules, strings, PE headers, imports) and dynamic analysis (sandboxes, procmon, API Monitor, x64dbg). Understand common malware families: RATs, ransomware, stealers, loaders, rootkits.
6
Enterprise IR at Scale
Learn to respond to incidents across hundreds of endpoints: use Velociraptor or KAPE for rapid triage, EDR telemetry for hunting, and automated collection with PowerShell or Python. Write IR reports covering attack timeline, IOCs, and recommendations.
DFIR Toolkit
- Autopsy / Sleuth Kit (disk forensics)
- Volatility 3 (memory forensics)
- Eric Zimmerman's Tools (MFT, LNK, etc.)
- Velociraptor (remote live forensics)
- KAPE (forensic artifact collection)
- Ghidra / Cutter (reverse engineering)
- Wireshark + Zeek (network forensics)
- TheHive (case management)
Key Certifications
- BTL1 — Blue Team Labs (hands-on IR)
- GCFE — GIAC Certified Forensic Examiner
- GCFA — GIAC Certified Forensic Analyst
- GCIH — GIAC Certified Incident Handler
- FOR508 — SANS Advanced IR (gold standard)
- CHFI — EC-Council Computer Hacking Forensics
- Microsoft SC-200 (cloud IR)
Phase 1 — Cloud & Security Basics (Months 1–6)
1
Cloud Fundamentals
Pick one cloud first (AWS is largest market share). Learn core services: IAM, EC2, S3, VPC, RDS, Lambda, CloudTrail. Understand the shared responsibility model — what the cloud provider secures vs what you secure. Get your first cloud cert.
2
Identity & Access Management Security
IAM misconfigurations are the #1 cause of cloud breaches. Learn: least privilege, MFA enforcement, role assumption, service account risks, resource-based vs identity-based policies, and federation (SAML, OIDC). Practice in AWS IAM Access Analyzer.
3
Infrastructure as Code & Security
Learn Terraform (most universal) or CloudFormation. Use static analysis tools (Checkov, tfsec, KICS) to find misconfigurations before deployment. Secure CI/CD pipelines. Secrets management with Vault or AWS Secrets Manager.
Phase 2 — Cloud Security Specialization (Months 6–18)
4
Cloud Threat Detection & Monitoring
Learn cloud-native logging: AWS CloudTrail, GuardDuty, SecurityHub, Config. Azure Defender for Cloud, Sentinel. GCP Security Command Center. Build detection rules for common attacks: metadata SSRF, role escalation, data exfiltration to S3.
5
Container & Kubernetes Security
Containers are the new perimeter. Learn Docker security (non-root users, read-only filesystems, image scanning). Kubernetes: RBAC, network policies, pod security standards, secrets management, admission controllers (Kyverno, OPA Gatekeeper).
6
Cloud Attack Techniques
Understand how attackers abuse cloud: SSRF for IMDS credential theft, S3 bucket enumeration, EC2 instance metadata attacks, lateral movement via role chaining, lambda privilege escalation. Use Pacu, CloudFox, and ScoutSuite for offensive cloud assessments.
7
Certifications Path
Cloud security certifications layer on top of cloud practitioner certs: AWS Security Specialty is the gold standard for AWS. AZ-500 for Azure. CCSP for multi-cloud at architect level. KCSA/CKS for Kubernetes security.
Cloud Security Tools
- AWS SecurityHub / Azure Defender (CSPM)
- Prowler / ScoutSuite (cloud auditing)
- Checkov / tfsec (IaC scanning)
- Trivy / Grype (container image scanning)
- Falco (runtime container security)
- OPA / Kyverno (policy enforcement)
- Pacu / CloudFox (cloud pentesting)
- Steampipe (cloud compliance queries)
Learning Resources
- flaws.cloud / flaws2.cloud (free AWS labs)
- CloudGoat (vulnerable AWS lab by Rhino Security)
- PwnedLabs (cloud attack labs)
- AWS Well-Architected Security Pillar
- HackTricks Cloud (offensive techniques)
- Wiz Academy (free cloud security courses)
- Cloud Security Alliance (CSA) publications