Cybersecurity Roadmap

Level: Intermediate

How to follow this roadmap

  1. Lock in IT and networking fundamentals first — TCP/IP, DNS, HTTP, subnetting, the OSI model. Without these, every later topic feels like magic.
  2. Get comfortable with Linux and the command line. Most security tools and most servers you'll attack or defend run Linux. Spin up a VM, break things, fix them.
  3. Learn the OWASP Top 10 web vulnerabilities and exploit each one in a deliberate practice environment (PortSwigger Web Security Academy). Reading isn't enough — you have to actually exploit.
  4. Choose a side: red team (offensive — pentesting, exploit dev, red team ops) or blue team (defensive — SOC analysis, incident response, threat hunting). Many engineers eventually do both, but go deep on one first.
  5. Layer on cloud security (AWS / Azure / GCP), application security if you came from dev, and certifications appropriate to your target role — Security+ to start, then OSCP for offensive or CISSP/GCIA for defensive.

When to choose this path

Choose this roadmap if you want a career protecting (or controlled-attacking) systems — one of the highest-demand, highest-paying, and longest-lived skillsets in tech. It's a strong fit for IT professionals moving up, system admins, network engineers, and developers who want to specialize. If your goal is purely application development, the Frontend or Python roadmaps are better fits. If you want to build systems first and learn to secure them later, start with the System Design or Cloud Engineer roadmaps.

What you’ll learn

Recommended resources

Frequently asked questions

Do I need a CS degree to be a cybersecurity engineer?
No. Cybersecurity is one of the most degree-flexible fields in tech. Certifications (Security+, OSCP, CISSP), a strong home lab, and CTF or HackTheBox track records often beat a generic CS degree in hiring. Many security engineers come from IT, sysadmin, or networking backgrounds.
Red team vs blue team — which should I pick first?
Blue team for stability, breadth, and long-term career runway — most security jobs are defensive. Red team for thrill, depth, and direct attack-side skill, but expect a smaller market and higher entry bar. Pick blue first if you're early in your career; switch later if the offensive side calls.
Is Security+ worth it in 2026?
Yes — for getting your first cybersecurity job. CompTIA Security+ is the canonical entry-level cert that recruiters and HR filter on. Beyond entry level it loses signal, so progress to OSCP, CISSP, or specialized certs once you have a year of experience.
OSCP vs CEH — which pentesting cert?
OSCP without question. It's hands-on, respected by employers, and unforgiving — pass it and you have proof you can actually pentest. CEH is multiple-choice, less respected technically, and primarily useful for HR-required boxes.
How long does it take to land a junior cybersecurity role?
12-18 months from scratch with a focused effort, 6-12 months if you come from IT or development. The biggest accelerators are a home lab, public CTF write-ups, and a Security+ cert. SOC analyst is often the fastest entry path.
Do I need to know how to code for cybersecurity?
Yes — at minimum Python for scripting, plus enough JavaScript or one backend language to read and exploit code. You don't need to be a software engineer, but you need to read source confidently. Application security roles require deeper code skill than SOC roles.
What's the difference between cybersecurity and InfoSec?
InfoSec (information security) is the umbrella term covering policy, governance, risk, and compliance alongside technical security. Cybersecurity usually emphasizes the technical side — pentesting, defense, incident response, secure architecture. Job postings often use them interchangeably.

Related roadmaps

Last updated: 2026-04-27