The Myth of the Four-Year Degree
Let's clear this up immediately: a CS (Computer Science) degree is one path into cybersecurity. It is not the only path, and in 2026, it is increasingly not the most common path among people actually working in the field.
Look at the practitioners around you if you attend any security conference or Slack community. You'll find people who came from law enforcement and brought investigative instincts into threat hunting. People who spent years in the military and brought discipline and operational thinking into incident response. Former retail managers who taught themselves networking at night and now work SOC (Security Operations Center) analyst jobs. Teachers, nurses, mechanics, and accountants who pivoted because they were curious enough to start and consistent enough to finish.
The honest reason the degree myth persists is that some employers still screen for it — particularly large corporations with bureaucratic HR (Human Resources) processes. But those same employers will typically waive the degree requirement for candidates who can demonstrate equivalent knowledge through certifications and portfolio work. And a growing majority of security employers, particularly in mid-sized companies and the contracting world, have completely dropped the degree requirement from job postings.
What hiring managers actually want to know is: can you do the work? A candidate who shows up with a CompTIA Security+ certification, a documented home lab, a GitHub full of CTF (Capture the Flag) writeups, and a coherent explanation of what they've learned is competitive. A candidate who shows up with a CS degree and nothing hands-on to show is not automatically more attractive. Capability is demonstrable. You don't need a degree to demonstrate it.
The Honest Roadmap (In Order)
The order of steps matters more than people realize. The most common mistake beginners make is jumping to the exciting parts — tools, hacking techniques, advanced certifications — before they have the foundation those things require. That leads to frustration, gaps in understanding, and a lot of re-learning.
The sequence that works: build your foundation first, then earn a baseline certification, then build hands-on experience through a home lab, then compete in CTF challenges while documenting everything, then make yourself visible to the hiring market through LinkedIn and your public portfolio. Each step builds on the previous one. Skipping ahead is possible but costs you more time in the long run.
Budget realistically. The good news is that almost every foundational resource is free — TryHackMe, Professor Messer, this blog, YouTube. Where money enters the picture is certifications. The CompTIA Security+ exam costs around $392. The Google Cybersecurity Certificate costs roughly $200 if you go month to month. Home lab hardware is optional — you can run everything virtually for free on any reasonably modern laptop. None of this requires taking out a loan. It requires consistent effort over months, not a large upfront investment.
Step 1 — Build Foundational Knowledge
Before you touch a certification study guide, you need a mental model of what you're actually dealing with. Cybersecurity is applied computer science and applied networking. If you don't understand what a network packet is, why encryption matters, or what an operating system does, the security concepts that come later won't stick.
Specifically, you need to understand: how networks communicate (TCP/IP — Transmission Control Protocol/Internet Protocol, DNS — Domain Name System, HTTP — Hypertext Transfer Protocol, what a firewall actually does and why); how operating systems work at a basic level (Windows and Linux, file systems, user accounts, processes); and what cybersecurity work actually involves in practice. That last one is important. Hollywood has done real damage to people's mental model of what this field looks like. Real security work is methodical analysis, pattern recognition, and systematic testing — not frantic typing while green code cascades down the screen.
TryHackMe's Pre-Security learning path is the best free starting point available. It walks you through networking fundamentals, web fundamentals, and Linux basics in a browser-based environment with no setup required. You don't need to install anything. You don't need a powerful computer. You just need a browser and a consistent hour each day.
Professor Messer's free CompTIA content on professormesser.com covers the same foundational ground from a slightly different angle, and many people use both in parallel. This blog is also written specifically for this stage — every post assumes you're starting fresh and builds from there.
Spend one to three months here. Don't rush. The time you invest in genuinely understanding the foundations pays back tenfold when you get to the certification material, the labs, and eventually the job.
Step 2 — Get Your First Certification (Security+ or Google)
Your first certification does two things: it forces you to study systematically across all the foundational domains, and it gives you a credential that signals baseline competence to employers. Both matter.
You have two realistic options for a first certification in 2026.
CompTIA Security+ (SY0-701) is the industry standard. It's recognized globally, required for many US DoD (Department of Defense) positions, and appears in more job postings than any other entry-level security certification. Passing score is 750 out of 900. The exam covers five domains including threats and vulnerabilities, security architecture, security operations, and security program management. Study resources are abundant and largely free. The exam costs approximately $392.
The Google Cybersecurity Certificate, delivered through Coursera, is the newer entrant. It's grown in recognition quickly because Google carries brand weight and the certificate includes hands-on labs in a virtual environment. It typically takes about six months to complete at a pace of a few hours per week, and costs around $200 at Coursera's monthly rate. It's a lower barrier to entry and is genuinely well-designed as an introductory curriculum.
Which one should you choose? If you have any IT background at all — help desk, networking, even just knowing your way around Windows and basic networking — start with Security+. The industry recognition is deeper and the DoD pathway is only available with approved certifications like Security+. If you are completely new to technology and the idea of networking concepts feels overwhelming, start with the Google certificate to build confidence and vocabulary, then move to Security+ as your second credential.
Either way, you're not choosing between them forever. Many people earn both. But pick one, commit to it, and finish it before moving on.
Step 3 — Build a Home Lab
A certification tells an employer that you understand concepts. A home lab tells an employer that you've actually done something. These are different things, and the best candidates have both.
The good news is that a free home lab requires nothing but a computer with enough RAM to run virtual machines. Download VirtualBox (free, from virtualbox.org) and use it to run Kali Linux (a security-focused Linux distribution used by professional penetration testers) and Metasploitable2 (a deliberately vulnerable virtual machine built to serve as a practice target). These two machines talking to each other give you a legal, ethical, sandboxed environment where you can practice real techniques.
What you should actually do in your lab: use Nmap to scan the Metasploitable2 machine and map its open ports and services. Use Metasploit to find and exploit known vulnerabilities. Use Wireshark to capture and analyze the network traffic between the machines. Set up a simple web server and try basic web application testing techniques against it. Each of these activities maps directly to real work that security professionals do every day.
The critical habit to build alongside the lab itself is documentation. Keep a journal — a blog, a GitHub repository, a Notion page, anything public-facing — of what you do in your lab. Write down what you ran, what you expected to happen, what actually happened, what you learned. This documentation serves two purposes. First, it reinforces your own understanding — explaining something in writing forces you to actually understand it. Second, it becomes your portfolio. When an interviewer asks "tell me about something you've built or done," you have a concrete, specific, demonstrable answer with a URL attached.
Lab experience is what separates a paper-certified candidate from someone who can actually do the work. Both matter, but the lab is what makes you stand out.
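One way to make the documentation habit from this step routine, as an added example that is not part of the original post: a short Python script that turns the saved output of a lab scan into a Markdown journal entry answering the four questions above. It assumes Nmap's grepable output format (`-oG`); the sample scan, the lab address, and the function names are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample of Nmap grepable output (nmap -sV -oG) from an isolated
# lab network; the address and version strings are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG lab.gnmap 192.168.56.101
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 23/closed/tcp//telnet///, 80/open/tcp//http//Apache httpd 2.2.8 (DAV|2)/\tIgnored State: filtered (996)
# Nmap done: 1 IP address (1 host up) scanned
"""

# One port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]}, open ports only."""
    hosts = {}
    for line in text.splitlines():
        # Skip comments and the "Status:" line; only "Ports:" lines list services.
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = line.split()[1]
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                hosts.setdefault(host, []).append(
                    (int(port), proto, service or "unknown", version or "not identified"))
    return hosts


def journal_entry(hosts, command, expected, learned, when=None):
    """Render what ran, what was expected, what happened, and what was learned."""
    when = when or date.today()
    out = [f"## Lab journal: {when.isoformat()}", "",
           f"**What I ran:** `{command}`", "",
           f"**What I expected:** {expected}", "",
           "**What actually happened:**", ""]
    for host, ports in sorted(hosts.items()):
        out += [f"Host `{host}`: {len(ports)} open port(s)", "",
                "| Port | Service | Version |", "|---|---|---|"]
        for port, proto, service, version in sorted(ports):
            # Grepable output writes "/" as "|"; escape it so the table stays intact.
            out.append(f"| {port}/{proto} | {service} | {version.replace('|', chr(92) + '|')} |")
        out.append("")
    out += [f"**What I learned:** {learned}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(journal_entry(parse_gnmap(SAMPLE_GNMAP),
                        "nmap -sV -oG lab.gnmap 192.168.56.101",
                        "A handful of open services on the practice VM.",
                        "Version detection names the software behind each port."))
```

Commit each generated entry to the same public repository as your notes so the journal builds up one dated section per lab session.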
Step 4 — Do CTFs and Document Everything
CTF stands for Capture the Flag, and it's exactly what it sounds like: structured hacking challenges where you're trying to find hidden flags (usually text strings) by exploiting vulnerabilities in intentionally designed targets. CTFs are legal, ethical, and one of the most effective ways to develop practical security skills quickly.
The main platforms are TryHackMe, which is the most beginner-friendly and has guided rooms with hints; HackTheBox, which is harder and more realistic; PicoCTF, which is a competition-style platform run by Carnegie Mellon University that's excellent for beginners; and CTFtime.org, which lists live CTF competitions running year-round worldwide. Many competitions are free to enter and run over a weekend.
The most important thing you can do alongside actually solving CTF challenges is write up your solutions. A CTF writeup explains the challenge, what vulnerability or technique you identified, the steps you took to exploit it, and what you found. Writing a good writeup forces you to articulate your thinking clearly — which is exactly what you'll need to do in technical interviews.
Post your writeups publicly. A GitHub repository works fine. A personal blog works even better because it shows up in search results and signals that you're engaged with the community. When a recruiter or hiring manager asks to see your work, you hand them a URL. That URL is your portfolio. It is more valuable than most people realize.
Don't worry about being the best. Solving beginner-level CTF challenges and writing them up clearly is still impressive at the entry level. Progress and effort are visible through consistent public documentation. Start where you are.
Step 5 — Build a LinkedIn Presence That Works
LinkedIn is where entry-level cybersecurity hiring happens. Recruiters actively search the platform for candidates with specific certifications, skills, and locations. If your LinkedIn profile is incomplete or missing, you are invisible to a significant portion of the hiring market.
Your headline should be specific and searchable. Something like "Cybersecurity Student | CompTIA Security+ | Home Lab Practitioner" tells a recruiter immediately what they need to know. "Aspiring cybersecurity professional looking for opportunities" tells them nothing and matches no search filters.
Your summary should tell your story in plain terms: where you came from, what you've been learning, what you're looking for, and what you can demonstrate. Keep it to three or four short paragraphs. Don't try to be impressive — try to be clear and specific.
List your certifications with the date earned and the certifying body. Add the actual credential links from Credly or CompTIA's verification portal — hiring managers sometimes check. Link your GitHub, your blog, or your TryHackMe profile in the Featured section or in your About section.
Post occasionally about what you're learning. Even a short post — "Finished the TryHackMe Linux Fundamentals rooms this week. Notes and key commands here: [link]" — shows engagement with the field. It also surfaces you in the feeds of people you're connected with, which includes recruiters. You don't need to post every day. Posting once a week or even twice a month is enough to stay visible.
Connect strategically. Send connection requests to security professionals whose content you've read and engaged with. Add a short note when you connect: "Your post about SIEM tuning was really useful — I'm working through some similar scenarios in my home lab." People respond to genuine, specific engagement.
What Entry-Level Roles Actually Look Like
It's worth being specific about what you're actually applying for, because the job titles in cybersecurity don't always make the day-to-day work obvious.
SOC Analyst Tier 1 is the most common entry-level security role. You are sitting in front of a SIEM (Security Information and Event Management) dashboard — a platform that aggregates log data from across an organization's systems and generates alerts when something looks suspicious. Your job is to triage those alerts: is this a real threat or a false positive? If it looks real, you escalate to a senior analyst. You're not stopping attacks on your own at Tier 1. You're being the first set of eyes and making sure the right people know about the right things. The skill that matters most here is being systematic, not being a hacker.
Help Desk with Security Focus roles are often overlooked but are genuinely useful starting points. You're handling user account management, responding to phishing reports, monitoring endpoints. You're building exposure to real organizational security policies and tools. Many Security+ holders start here.
Junior Penetration Tester roles are the most sought-after entry-level positions and also the hardest to get. They typically require either one to two years of prior IT or security experience, a strong CTF portfolio, or a certification like OSCP (Offensive Security Certified Professional) that demonstrates hands-on offensive capability. Don't rule this out as a long-term goal, but be realistic about the timeline — it's usually not the first job.
Security Analyst roles involve log analysis, vulnerability scanning, report writing, and helping an organization understand its security posture. These vary significantly by employer — at a small company you might be doing everything; at a large company you'll be a specialist.
Salary reality check: entry-level security roles pay roughly $45,000 to $75,000 depending on location, with significant variation based on cost of living. Remote roles exist and are competitive. Six-figure salaries happen after three to five years and with demonstrated expertise. Go in with realistic expectations and a plan for the first two to three years.
Common Mistakes That Slow People Down
People who struggle to break into cybersecurity usually make one of a small number of common, avoidable mistakes. Knowing what they are in advance saves you months of wasted effort.
Trying to learn everything at once is the most common trap. The field is enormous — offensive security, defensive security, cloud security, forensics, malware analysis, application security, network security. You cannot learn all of it before you're job-ready. Pick a track, go deep, and get hired. You can broaden later. Most people starting out should choose between offensive (penetration testing, red team) or defensive (SOC analysis, incident response) and commit to one.
Skipping the fundamentals is closely related. If you don't understand how networking works, you can't understand how network attacks work. If you don't understand operating system permissions, you can't understand privilege escalation. Jumping to advanced techniques without the foundation means you're memorizing steps rather than understanding concepts. The foundation is not optional.
Collecting certifications without building labs is a well-documented trap. A candidate with four certifications and no hands-on experience is less interesting to technical interviewers than a candidate with one certification and a detailed home lab portfolio. Certifications open doors. Skills keep you employed. Build both.
Not networking — the human kind — is an underappreciated obstacle. Most job opportunities in this field, especially at the entry level, come through people, not job boards. Engage with the security community on LinkedIn, attend local BSides security conferences (many are free or low-cost), join Discord servers for TryHackMe or specific security communities. When you're job hunting, people who know you are far more helpful than applications into the void.
Waiting until you feel ready is perhaps the most insidious mistake of all. You will never feel ready. Apply when you're 70% there. Get the interview. Learn from the rejection. Apply again. The people who break in fastest are the ones who start applying early and use the feedback to calibrate.
You're Ready to Start
Everything in this post is actionable today, right now, with no money and no prior experience.
Open TryHackMe at tryhackme.com and create a free account. Navigate to the Pre-Security learning path. Read the first room tonight. That's it. That's the beginning.
You don't need permission. You don't need a specific educational background. You don't need to wait until you've read more about the field or made a plan or found the perfect study schedule. The field is accessible, the entry points are free, and the community of people who want to see new learners succeed is large and genuinely welcoming.
The certification comes after the foundation. The lab comes after the certification. The CTFs come alongside the lab. The job comes after all of that. The whole journey is probably twelve to eighteen months of consistent effort. Not years and years. Twelve to eighteen months of one to two hours a day, and you're competitive for real jobs in one of the fastest-growing fields in technology.
Start today.
References
- TryHackMe Pre-Security Learning Path — Free, browser-based path covering networking, web, and Linux fundamentals
- Professor Messer's Free CompTIA Security+ Course — The best free resource for Security+ preparation
- Google Cybersecurity Certificate on Coursera — Six-month beginner certificate with hands-on labs
- VirtualBox — Free Virtualization Software — Free tool for running virtual machines on your home computer
- Kali Linux Download — Free security-focused Linux distribution used in home labs
- Metasploitable2 — Free intentionally vulnerable virtual machine for home lab practice
- HackTheBox — Intermediate-to-advanced hands-on hacking platform
- PicoCTF — Beginner-friendly Capture the Flag platform from Carnegie Mellon University
- CTFtime.org — Calendar of live CTF competitions worldwide
- BSides Security Conferences — Community-organized, often free security conferences held in cities worldwide