Cybersecurity Career Roadmaps

Step-by-step paths from beginner to professional across 4 major cybersecurity roles. Each roadmap covers skills to build, certifications to earn, and tools to master — in order.

🛡
SOC Analyst
Security Operations Center analysts monitor networks, investigate alerts, and respond to incidents in real time. They are the frontline defenders against cyberthreats, working with SIEM platforms, threat intel, and IR playbooks.
Avg time to entry: 6–18 months
Salary range: $55K–$120K
Demand: Very High
Phase 1 — Foundations (Months 1–3)
1
Networking Fundamentals
Master the OSI model, TCP/IP stack, DNS, HTTP/HTTPS, DHCP, ARP, routing basics. Learn to read packet captures in Wireshark. Understand how data flows across networks — this is the foundation of everything.
TCP/IPWiresharkDNSHTTPCompTIA Network+
2
Operating Systems (Windows & Linux)
Learn Windows event logging, registry, Active Directory basics, and PowerShell. On Linux: file permissions, process management, systemd, bash scripting, and log locations (/var/log). Both OSes are critical in enterprise SOC.
PowerShellBashActive DirectoryLinux
3
Security Fundamentals
Study CIA triad, authentication models, cryptography basics (symmetric/asymmetric), common attack categories (phishing, malware, DoS, MITM). CompTIA Security+ covers all of this with a focus on SOC relevance.
CIA TriadCryptographyMalware TypesCompTIA Security+
Phase 2 — SOC Core Skills (Months 3–9)
4
SIEM Platforms
Learn to write queries, create dashboards, and configure alerts in Splunk or Microsoft Sentinel. Focus on correlation rules, log normalization, and alert tuning. Splunk Core Certified User is the most recognized entry-level SIEM cert.
Splunk SPLMicrosoft SentinelKQLElastic SIEMSplunk Core User
5
Threat Intelligence & IOCs
Learn IOC types (IPs, domains, hashes, URLs), how to defang and enrich them. Understand threat intelligence frameworks (MITRE ATT&CK, Diamond Model, Kill Chain). Use platforms like MISP, OTX, VirusTotal.
MITRE ATT&CKIOC EnrichmentMISPKill Chain
6
Alert Triage & Investigation
Practice triaging alerts: true positive vs false positive. Learn SOC investigation workflow — identify, contain, escalate. Study common attack patterns (phishing, lateral movement, credential dumping) in Windows event logs.
Event ID 4624Event ID 4688TriageTryHackMe SOC Level 1
7
Incident Response Basics
Study NIST SP 800-61 IR lifecycle: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned. Write IR playbooks for phishing, ransomware, and account compromise scenarios.
NIST SP 800-61IR PlaybooksContainmentBTL1
Phase 3 — Advanced & Specialization (Months 9–18)
8
Threat Hunting
Move from reactive alerting to proactive hypothesis-driven hunting. Learn to write detection rules in Sigma, hunt for specific MITRE techniques in logs, and use behavioral analysis to find attacker TTPs hiding in noise.
Sigma RulesHypothesis-Driven HuntingVelociraptorTH Certification
9
SOAR & Automation
Learn security orchestration with tools like Palo Alto XSOAR, Shuffle, or Microsoft Sentinel Playbooks. Automate repetitive SOC tasks: IOC enrichment, alert deduplication, ticket creation, containment actions.
SOARPythonAPI IntegrationSentinel Playbooks
10
Target Certifications
SOC analysts commonly pursue: CySA+ for intermediate analysis, Microsoft SC-200 for Sentinel/Defender, GIAC GCIH for incident response at scale, and GIAC GCIA for network intrusion analysis.
CompTIA CySA+SC-200GCIHGCIAGDAT
Key Tools to Master
  • Splunk / Microsoft Sentinel / QRadar
  • Wireshark / Zeek / Suricata
  • VirusTotal / Any.run / Joe Sandbox
  • TheHive + Cortex (case management)
  • MISP (threat intelligence sharing)
  • Sysmon (enhanced Windows telemetry)
  • Velociraptor (DFIR & threat hunting)
  • CrowdStrike / SentinelOne (EDR)
Practice Platforms
  • TryHackMe — SOC Level 1 & 2 paths
  • LetsDefend — real SOC alert simulations
  • Cyberdefenders — DFIR/SOC challenges
  • BlueTeamLabs — Windows forensics
  • Splunk Boss of the SOC (BOTS)
  • Microsoft SC-200 learning path
  • Hack The Box — Blue Team labs
  • AttackIQ Academy — MITRE ATT&CK
Penetration Tester
Penetration testers (ethical hackers) simulate real-world attacks to find vulnerabilities before malicious actors do. They work across web applications, networks, Active Directory environments, and mobile apps — then write detailed reports with remediation guidance.
Avg time to entry: 1–3 years
Salary range: $70K–$160K
Demand: High
Phase 1 — Technical Foundations (Months 1–6)
1
Networking Deep Dive
Master TCP/IP at the packet level. Understand routing, NAT, firewalls, VPNs, and proxy chains. Learn protocol internals: how DNS works under the hood, how HTTP/HTTPS sessions establish, how SMB authentication works.
WiresharkTCP/IPSMBKerberosCompTIA Network+
2
Linux & Windows Mastery
On Linux: bash scripting, file permissions, privilege escalation paths (SUID, sudo misconfigs, cron jobs). On Windows: registry, services, scheduled tasks, Active Directory, PowerShell. Kali Linux is the primary pentester OS.
Kali LinuxPowerShellBashActive Directory
3
Programming for Hackers
Python is essential: write exploits, automate enumeration, build custom payloads. Learn Bash for one-liners. JavaScript for XSS payloads. Understanding C/Assembly helps for binary exploitation. SQL for injection attacks.
PythonBashJavaScriptSQLC (basics)
Phase 2 — Core Pentesting Skills (Months 6–18)
4
Web Application Pentesting
Master OWASP Top 10: SQLi, XSS, IDOR, SSRF, XXE, SSTI, broken auth, deserialization. Use Burp Suite Pro as your primary tool. Practice on DVWA, HackTheBox, PortSwigger Web Academy (free!).
Burp SuiteOWASP Top 10SQLMapFFUFeWPT
5
Network Pentesting
Learn external and internal network assessments: Nmap scanning, service enumeration, exploitation with Metasploit, password attacks (Hydra, CrackMapExec), post-exploitation with Meterpreter. Practice methodology: Recon → Scan → Exploit → Post-exploit → Report.
NmapMetasploitCrackMapExecRespondereJPT
6
Active Directory Attacks
Active Directory is in nearly every enterprise. Learn: Kerberoasting, AS-REP roasting, BloodHound/SharpHound for path discovery, Pass-the-Hash, DCSync, Golden/Silver Ticket, LDAP enumeration, and domain privilege escalation.
BloodHoundMimikatzImpacketKerbrutePtH
7
Report Writing
A pentest is worthless without a clear report. Learn to write: executive summaries for non-technical stakeholders, technical findings with CVSS scores, proof-of-concept screenshots, and actionable remediation steps. Reports are what clients pay for.
Executive SummaryCVSS ScoringRemediation GuidancePlexTrac
Phase 3 — Specialization & Certifications (Year 2+)
8
Advanced Techniques
Develop skills in: AV/EDR evasion, custom C2 frameworks (Cobalt Strike, Havoc, Sliver), red team operations, cloud pentesting (AWS/Azure), API security testing, and mobile app pentesting. Specialize in 1–2 areas to stand out.
Cobalt StrikeC2AV EvasionCloud Pentesting
9
Certifications Roadmap
The certification hierarchy: eJPT (beginner) → PNPT or OSCP (intermediate, widely recognized) → CRTO for red teaming → OSEP for advanced exploitation → OSED for exploit development. OSCP is the gold standard for employment.
eJPTPNPTOSCPCRTOOSEP
Essential Tools
  • Burp Suite Pro (web app testing)
  • Nmap + NSE scripts (network scanning)
  • Metasploit Framework
  • BloodHound (AD attack path mapping)
  • Impacket suite (Windows protocol attacks)
  • Responder + NTLMRelayX
  • Chisel / Ligolo-ng (tunneling)
  • Cobalt Strike / Havoc C2
Practice Labs
  • Hack The Box (Pro Labs for realistic AD)
  • TryHackMe — Jr Penetration Tester path
  • PortSwigger Web Security Academy (free)
  • PentesterLab — web app focus
  • VulnHub — offline VMs
  • GOAD — Game of Active Directory lab
  • PwnTillDawn
  • TCM Security courses
🔬
DFIR Analyst
Digital Forensics and Incident Response analysts investigate security incidents after they occur. They collect and preserve evidence, reconstruct attack timelines, attribute threat actors, and produce forensic reports for legal and business use.
Avg time to entry: 1–3 years
Salary range: $65K–$140K
Demand: High (growing)
Phase 1 — Forensics Foundations (Months 1–6)
1
Digital Forensics Fundamentals
Learn forensic principles: evidence preservation, chain of custody, write-blocking, disk imaging (dd, FTK Imager). Study file systems (NTFS, ext4, FAT32), MFT, USN journal, and metadata. Forensics starts with preserving evidence correctly.
FTK ImagerddNTFSChain of CustodyWrite Blocker
2
Windows Forensics
Master Windows forensic artifacts: $MFT, Prefetch, Shimcache, Amcache, LNK files, Jump Lists, Registry hives (NTUSER.DAT, SAM, SYSTEM), EVTX logs, browser history, and shellbags. Timeline everything.
AutopsyVolatilityRegRipperTimeline ExplorerMFTECmd
3
Memory Forensics
RAM contains what disk doesn't: running processes, network connections, encryption keys, credentials in plaintext. Learn Volatility 3 for process analysis, network artifacts, malfind, dumpfiles, and detecting code injection in memory.
Volatility 3WinPmemLiMEprocess dumpmalfind
Phase 2 — Incident Response (Months 6–18)
4
Network Forensics
Analyze PCAP files for C2 traffic, data exfiltration, lateral movement. Use Zeek to generate log files, Suricata for IDS rules, NetworkMiner for session reconstruction. Learn to identify malicious patterns in DNS, HTTP, SMTP traffic.
WiresharkZeekSuricataNetworkMinerRITA
5
Malware Analysis
Learn static analysis (YARA rules, strings, PE headers, imports) and dynamic analysis (sandboxes, procmon, API Monitor, x64dbg). Understand common malware families: RATs, ransomware, stealers, loaders, rootkits.
YARAx64dbgGhidraPE BearAny.run
6
Enterprise IR at Scale
Learn to respond to incidents across hundreds of endpoints: use Velociraptor or KAPE for rapid triage, EDR telemetry for hunting, and automated collection with PowerShell or Python. Write IR reports covering attack timeline, IOCs, and recommendations.
VelociraptorKAPECrowdStrikeIR ReportGCFE
DFIR Toolkit
  • Autopsy / Sleuth Kit (disk forensics)
  • Volatility 3 (memory forensics)
  • Eric Zimmerman's Tools (MFT, LNK, etc.)
  • Velociraptor (remote live forensics)
  • KAPE (forensic artifact collection)
  • Ghidra / Cutter (reverse engineering)
  • Wireshark + Zeek (network forensics)
  • TheHive (case management)
Key Certifications
  • BTL1 — Blue Team Labs (hands-on IR)
  • GCFE — GIAC Certified Forensic Examiner
  • GCFA — GIAC Certified Forensic Analyst
  • GCIH — GIAC Certified Incident Handler
  • FOR508 — SANS Advanced IR (gold standard)
  • CHFI — EC-Council Computer Hacking Forensics
  • Microsoft SC-200 (cloud IR)
Cloud Security Engineer
Cloud Security Engineers protect cloud infrastructure (AWS, Azure, GCP) from misconfiguration, identity attacks, and data breaches. They design secure architectures, manage IAM policies, implement security controls, and respond to cloud incidents.
Avg time to entry: 1–2 years with cloud experience
Salary range: $90K–$180K
Demand: Extremely High
Phase 1 — Cloud & Security Basics (Months 1–6)
1
Cloud Fundamentals
Pick one cloud first (AWS is largest market share). Learn core services: IAM, EC2, S3, VPC, RDS, Lambda, CloudTrail. Understand the shared responsibility model — what the cloud provider secures vs what you secure. Get your first cloud cert.
AWSIAMVPCS3AWS Cloud PractitionerAZ-900
2
Identity & Access Management Security
IAM misconfigurations are the #1 cause of cloud breaches. Learn: least privilege, MFA enforcement, role assumption, service account risks, resource-based vs identity-based policies, and federation (SAML, OIDC). Practice in AWS IAM Access Analyzer.
IAM PoliciesRBACMFARole AssumptionABAC
3
Infrastructure as Code & Security
Learn Terraform (most universal) or CloudFormation. Use static analysis tools (Checkov, tfsec, KICS) to find misconfigurations before deployment. Secure CI/CD pipelines. Secrets management with Vault or AWS Secrets Manager.
TerraformCheckovtfsecHashiCorp VaultGitHub Actions
Phase 2 — Cloud Security Specialization (Months 6–18)
4
Cloud Threat Detection & Monitoring
Learn cloud-native logging: AWS CloudTrail, GuardDuty, SecurityHub, Config. Azure Defender for Cloud, Sentinel. GCP Security Command Center. Build detection rules for common attacks: metadata SSRF, role escalation, data exfiltration to S3.
CloudTrailGuardDutyAzure SentinelCSPMCloud SIEM
5
Container & Kubernetes Security
Containers are the new perimeter. Learn Docker security (non-root users, read-only filesystems, image scanning). Kubernetes: RBAC, network policies, pod security standards, secrets management, admission controllers (Kyverno, OPA Gatekeeper).
DockerKubernetesTrivyFalcokube-bench
6
Cloud Attack Techniques
Understand how attackers abuse cloud: SSRF for IMDS credential theft, S3 bucket enumeration, EC2 instance metadata attacks, lateral movement via role chaining, lambda privilege escalation. Use Pacu, CloudFox, and ScoutSuite for offensive cloud assessments.
PacuCloudFoxScoutSuitePwnedLabsIMDS v2
7
Certifications Path
Cloud security certifications layer on top of cloud practitioner certs: AWS Security Specialty is the gold standard for AWS. AZ-500 for Azure. CCSP for multi-cloud at architect level. KCSA/CKS for Kubernetes security.
AWS Security SpecialtyAZ-500CCSPCKSGCP PCSE
Cloud Security Tools
  • AWS SecurityHub / Azure Defender (CSPM)
  • Prowler / ScoutSuite (cloud auditing)
  • Checkov / tfsec (IaC scanning)
  • Trivy / Grype (container image scanning)
  • Falco (runtime container security)
  • OPA / Kyverno (policy enforcement)
  • Pacu / CloudFox (cloud pentesting)
  • Steampipe (cloud compliance queries)
Learning Resources
  • flaws.cloud / flaws2.cloud (free AWS labs)
  • CloudGoat (vulnerable AWS lab by Rhino Security)
  • PwnedLabs (cloud attack labs)
  • AWS Well-Architected Security Pillar
  • HackTricks Cloud (offensive techniques)
  • Wiz Academy (free cloud security courses)
  • Cloud Security Alliance (CSA) publications