Starting a Career in CyberSecurity-101
I thought I was going to write a small blog with good pics, but I ended up writing a lengthy blog with too many memes-VoidBender (2025)
Due to a lot of requests ,from fellow colleagues , juniors and other curious minds . I have finally decided to type down this blog (pun intended).It address a lot of Hows? and FAQs I have been asked. If youre reading this because its probably because you’ve found it on Linkedin or just want you to understand the entire path (without me lecturing you for long hours).This isn’t a cool blog and you’ll find plenty of these if you Google, but my primary objective is to keep you on track and make sure you don’t waste time on unnecessary things. This is a very lengthy sloppy blog .
This blog is primarily targeting people (Primarily red teaming aspirants) who want to actually pursue the career, rather than ones asking would it be easy or difficult [It is difficult :) ].
Cybersecurity in itself is not a good start point as a career , since its way vast and consists a plethora of categories. I am however streamlining this blog down to only Red-Teaming path , where someone who wants to essentially start finding flaws in webapps/systems using just a laptop [I donot have advice for Hardware red Teamers :( ].
I have classified the blog into the Learning Path and Starting Career Advice parts.
Learning Path:
Do not use AI rant part:
I do not want to keep emphasizing on don’t use AI again and again ,so I shall rant it off before the introduction , Note that these are my thoughts in the learning process:
AI is a support tool, that you’re supposed to use as a SUPPORT TOOL to summarize stuff. Do not use it to automate everything , it only means you’re replaceable. [However this isn’t the case if you’ve built the AI you’re using which in case you know how the AI does the exploitation].
A Google search is not the same search as an AI search since you’ll never understand the context of the flaw , how its implemented works and other potentially chained vulnerabilities that you would recognize.
Using AI when you feel really dumb is valid ,but parroting out every scenario to find out a flaw will get you Bounties and answers however the odds are low [I’ve seen people do this as their workflow , it works but wait until that 1 in a trillion odds run out].
Automation and AI aren’t the same , learn how to script and try automating most of the tasks , this will help you understand how different parts of exploitation cycles work . Asking Ai to debug your non working scripts is completely fine but don’t ask it to automate your flow you’ll end up losing all the experience you would gain.
Try completely deleting your AI account while you’re going through your foundational skills , try actually communicating with people around you asking for hints or advices since it will probably stick with you longer and may give you better insights.
Using AI in real world scenario is fair, but a 4 hour search will level you up exponentially compared to narrowed down learning which obviously isn’t the real world scenario.
I will start off by categorizing this blog into a chronologically followable order to make it as easy as possible to learn exponentially fast [Note that this will save you a lot of time ,however wont guarantee that you will be good at it ,since nothing can promise you complete security unless you’ve plugged off your system ] .
Before this you need to learn :
1.Linux Commands and basics: Basic file traversal , word formatting , user groups in Linux , privilege escalation and linux kernel Architecture.
2.Networking Basics: Understand how browsers work(basic authentication ,cookies, sessions etc) , understand how modern protocols like TCP/UDP, HTTP/HTTPS work.
3.Learn how to write simple scripts: Client server scripts or anything that helps you send modified GET/POST requests.
You cant hack what you don’t understand.
Most of the educational platforms generally have a path to address these . I primarily recommend TryHackMe , for this since its pretty slow to make you understand this .
It is pretty much the same for Windows [no its not ] but different in the sense where you’ll be dealing with a different kernel structure. But this sufficient to start [TryHackMe has a Windows path too].However , Hack The Box has a better academy module structure (requires subscription) to teach active directory and other concepts in depth.
1.Start playing Capture The Flag Events (CTFs):
Yes you’ve heard it plenty of times ,because it is actually important and starts teaching you how to think .
The quickest way is to start off with Cryptography since it has a better reward curve and much easier to comprehend as a beginner (along with OSINT).Solve any easy questions you can and attempt every other question .
Start attempting Web /Pwn/Reversing too because each of these are individually enough to contribute to a finding a flaw . Being a specialist in one is good ,but knowing all of them will get you higher odds of exploitation in real-world scenarios. Chaining exploits are often partially discovered or left alone since most exploiters decided to quit midway.
The important part here, isn’t just to solve the question but to also be curious enough to go back and read the writeup and find out where you went wrong and write-down whatever new stuff you just learned .
You’ll learn how to use a bunch of tools and learn how to write scripts if when needed. Try creating your own CTF challenges [I also plant to write a blog on this later if I feel like it].
DONT Learn SQLi , IDOR , XSS all at once .Start with one and learn it completely . Start with IDOR since its much more easier to understand and exploit alike.
Don’t just run tools, learn how to use them. Anyone can run Nmap with flags or Nuclei.
But do you know what they’re really doing?
📌 Why am I doing subdomain enumeration?
📌 Why should I fuzz this endpoint?
Focus on methodology not just the tool:
I have seen terrible approach, where people just run tons of scans and tell me “It will surely find bugs”.
Your approach should be :Understand how the application works → Recognize attack surface → Find exploit → Use tool to exploit it (speed up at least).
My recommended flow would be PicoGym → HackTheBox-Challenges → OWASP DVWA → CTF TIme Events .
2.Start solving Boot to Root machines:
These involving pwning actual machines and simulating all the processes involved in hacking a machine .
It is not easy to get started on this , but it is very rewarding if you get the gist of it . Start off by reading writeups and actually copy pasting retired machines . YES I SAID IT, solve machines by copy pasting exact exploits word to word and shell commands you see on people’s writeups . This is primarily to make understand the flow of things however whenever you copy a command make sure to read what the said line does .
A primary mistake that people (including me initially) do in the beginning is that they perform recon and directly use the CVE to exploit the machine . This makes you a Script Kiddie and doesn’t help your grow. You need to understand what the exploit does and why it is significant .
Writing writeups here is very important ,since it’ll teach you reporting skills that will be essential in the future . Remember that a good report, is significantly important for blue teamers to triage the vulnerability. It also serves as a testimony that you have solved the machine and helps other people recognize your skills.
Active machines can sometimes be too hard solve , try solving it until the point of insanity after which try asking for hints in discord (if permitted ) or try asking for hints from people who have solved it . The important part here is not to get the whole answer but a slight nudge towards the goal . Remember not everyone is perfect and everyone eventually needs help :) .
A major mistake here is solving TryHackMe machines for far too long . TryHackMe has a tendency to hand hold a lot , they are good in initial stages to learn how exploitation works and teaches a lot of informative stuff . However , this is almost never the case . A realistic goal would be Top 20% in THM after which I recommend abandoning it.
HackTheBox comes close to realistic standards in that aspect since it makes it reasonably hard to attain root flag in each machine and tends to make you scramble for answers. It teaches you way more and tells you how to google better or spot anomalies faster.
HackMyVM : This will teach you skills that are often neglected ,but will level you up significantly .
This will however be absolute torment .
My recommended chronology in solving Boot to Root is as follows:
TryHackMe ( Top 20% is enough) → HackTheBox ( Try reaching <100 , but realistically <500 is enough) → HackMyVM.
3.Start solving professional labs :
These are not conventional labs and focus specific ways of attacks . They are similar to the other two but very much streamlined . The reason I do not recommend doing this first is because it simply removes all the other necessary “soft skills” required to excel in red teaming.
These teach advanced methods that professionals use in real world scenarios.
I recommended going with the flow : PortSwigger Web Academy → OWASP Juice Shop .
Make sure to concurrently do these if possible . If you are under confident 1 → 2 is still sufficient . The primary thing to remember is that you will not excel at anything but be exceptionally good at everything [Get used to sentences like these].
Document all of these because they do serve as a source of experience.
Watch walkthroughs by ippsec / John Hammond to see thinking patterns but donot copy.
This is enough to get you into the field provided you learn thoroughly .
Starting a career :
If you are reading this part, I assume you have enough knowledge about Red-Teaming.This is “How-to-start-a-career-actually” not “How-to-get-a-j*b”[Censorship is necessary :( -but if you can, please offer me one pls pls ಥ﹏ಥ]. This section primarily covers mistakes you shouldn’t do while pursuing a career in cybersecurity or advice in how to start one.
1. Create a good amount of useful projects:
My recommendation is to make 6 good projects two of each category (Secops,Blue team and red team). Since this would increase your chances of getting hired . In addition to this, keep a premier project that can highlight your work in the field and nudges you towards the team you prefer (assuming red team here).
Make sure to also showcase your scripts . These show that you know how to cut down unnecessary tasks involved as well as your knowledge in the field.
Documenting these projects, are equally important and make sure to break tons of stuff before you get it right because, breaking stuff is the way it is supposed to be done.
A good project could be as simple as a very fast recon tool to an auto vulnerability detector and exploiter .As long as you have built it from scratch.
2.Stay wary of certifications:
If you are from India most HRs look for CEH (Certified Ethical Hacker) , however I have rarely seen eJPT being accepted too. A common dilemma is on which to go after. Note that not all certificates are useful . Here’s what I recommend:
Certifications are very expensive so I recommend narrowing it down based on the technology you plan to use (for example if you deal with cloud security you might need Azure security related certification).
If you can afford it ,CEH +ComptiaSec+ and eJPT should easily get you an entry role if not try CEH + ComptiaSec+ .
Different organizations require different certifications which make it difficult . But in addition to these, if I had a beginners start again , I would opt for CCNA because it allows you to apply for networking roles too and help you understand .
Try checking out or mailing your desired workspace for the certification before making a decision since most beginner certifications are easily obtainable by studying/practicing for a few months.
CEH/ComptiaSecurity+(I recommend the latter) → eJPT →CBBH/CWSA/BSCP →CPTS/OSCP(having both would almost certainly land you a job in my opinion )
NOT ALL FAMOUS CERTIFICATIONS ARE THE RIGHT CERTIFICATIONS.
3. Say yes to that networking related job:
CyberSecurity is not an entry level job and it would only make sense to have very few job roles for it. Networking roles (although considered Blue Team) are the closest experience you could get to being a cybersecurity professionally . It would also add to your experience . If you are sure that you cant land a cybersec role this is the easiest way to gather a lot experience.
This not a direct no to Developer roles ,however transitioning is way harder and therefore not recommended . However project knowledge could help you exploit the same program better.
The primary though process ,of most organizations (primarily ones that are new or lack funds )is that cybersecurity people are unnecessary since devs are trained to leave no flaws. The only way to make sure they offer you a role ,is to accidentally find a bug and reporting it to them as a responsible disclosure policy.
4.Start Bug Hunting:
Start Bug Bounty hunting and performing VDP (Vulnerability Disclosure Programmes), latter is preffered first for new beginners . This is essentially freelancing and helps you also pay for the expensive certificates . Enjoy the process since you’ll be using a lot of methods you have practiced earlier . This is isnt easy but is the most rewarding part.
Use hall of fames and badges that you obtain as an achievement since it is practically the best way to showcase your talent in the field.
Try Sites like BugCrowd , HackerOne .
5.Choose your specialization carefully :
It is easy to choose a specialization once you are proficient however the specific your field the lower the resources you find . However certain category specializations, can help you excel pretty quickly : for example if you are good at linux ,good at java and had a tech stack that previously involved AndroidSDK , Android Penetration testingis much easier . These also have high payouts but not easy to understand. Another such example would be Block Chain Security , these are much more friendlier to be transitioned into for working professionals or cross domain cybersecurity enthusiasts.
6.Try creating POCs and your own CVEs for your finds:
It is meaningless to be a red teamer ,if you do not know how to code .
This will help you get a lot of professional clout since it highlights your ability to research bugs as well as create a legacy within the Cybersecurity Community.
These involve extensive research and understanding system architecture in depth and therefore heavily valuable to both the researcher and the community.
This isn’t something that you just do after waking up one day ,it requires solid fundamentals and rigorous efforts.
7. Participate/Attend community events:
Go to all the meetups and events that are CyberSecurity related , Bsides to Defcon all of these help you meet professionals who have worked within the field and are probably interested in the same thing as you . Try talking to professional interests and ask them if roles are open.
Remember communication is the primary skill you need to survive . Always mention youre “pursuing a career” not “interested in a career “ . Because their meanings are worlds apart , ask them for help and review where you lack professionally .
Few events that I recommend attending are: BlackHat /Defcon,NullCon,BSides. These also show you new vulnerabilities and interesting stuff that you wouldn’t know of otherwise.
In a conclusive note , remember that this a “bone-dryingly “ frustrating career choice and you will face more defeats than wins (sometimes no wins at all) but is worth it .It requires sacrifice …a lot of it but hopefully it will all end up alright :) .
Drop your opinions (keep it constructive if you have criticism, it is gladly welcome).I have a few ideas lined up for upcoming blogs (hint : Transport Layer Security that protects you from malicious servers!!).
Until next time ,thank you for reading !!!!
