roadmaps / cybersecurity
How to become a cybersecurity analyst
A practical, stage-by-stage path from beginner to hireable in cybersecurity — the fundamentals, hands-on hacking labs, and the certs that open doors. Free resources at every step.
› Work the stages in order — you can't secure systems you don't understand, so foundations come first.
› Every resource is free. The hands-on labs matter most: security is a skill you build by doing.
› Only ever test systems you own or are explicitly authorized to assess. The labs here are legal by design.
Cybersecurity is one of the most in-demand, best-paid fields in tech, with a huge talent shortage and a clear path in that doesn't require a degree — it's judged on skills. The mindset is what matters: assume everything can be attacked, then learn how. The fastest way in is a mix of fundamentals and hands-on practice in safe, legal environments built for exactly that. These eight stages take you from "what's a firewall?" to landing your first security role.
STAGE 01 / 08
IT & networking foundations
You can't defend what you don't understand. Start with core IT and networking: how computers, servers, and the internet actually work — DNS, HTTP(S), TCP/IP, ports, routing, and firewalls. Understanding how a request travels the network is the mental model behind almost every attack and defense.
This is the single most important foundation in security. Give it real time before moving on.
- roadmap.sh — Cyber Security ↗An interactive visual map of cybersecurity skills — a great big-picture companion to this page.roadmap.sh
- Cisco Networking Academy ↗Free introductory networking and cybersecurity courses with badges — from the authority on how networks work.netacad.com
- → Our Systems & networking coursesFree university courses on networking and operating systems.studylistsvault.com
STAGE 02 / 08
Linux & the command line
Security work happens on the command line, and most tools and servers run Linux. Get fluent: the file system, permissions, processes, users, and the everyday commands. Learn a little Bash scripting too — automating tasks is a core security skill.
The best way to learn is by playing. OverTheWire's Bandit teaches Linux and SSH through a legal, addictive set of challenges.
STAGE 03 / 08
Security fundamentals
Now the security concepts themselves: the CIA triad (confidentiality, integrity, availability), common threats and attack types, cryptography basics, authentication, and how defenders think. A structured course ties it all together and gives you the vocabulary every security role assumes.
The Google Cybersecurity Certificate is an excellent, beginner-friendly on-ramp that covers the whole landscape.
STAGE 04 / 08
Hands-on hacking labs
Theory only gets you so far — security is learned by doing. Thankfully there's a whole ecosystem of free, legal environments built to be attacked. TryHackMe is the friendliest on-ramp with guided rooms; picoCTF offers self-paced capture-the-flag challenges. This is where it clicks.
Practice consistently here — the hands-on skill you build is exactly what employers and certifications test.
STAGE 05 / 08
Web application security
The web is the biggest attack surface there is, making web security one of the most valuable specialties. Learn the standard risks — SQL injection, XSS, broken access control — via the OWASP Top 10, then practice exploiting and fixing them in the world-class (and free) PortSwigger Web Security Academy.
This skill alone can land a job; it's in demand everywhere software is built.
STAGE 06 / 08
Network security & tools
Get fluent with the tools every practitioner uses daily. Wireshark lets you inspect network traffic packet by packet; Nmap discovers and maps hosts and services. Learn to read traffic, spot what shouldn't be there, and understand how attackers probe a network.
These are the instruments of the trade — being comfortable with them is expected in any security role.
STAGE 07 / 08
Certifications
Cybersecurity is a certification-heavy field, and the right cert gets you past résumé filters. CompTIA Security+ is the standard entry-level credential that many analyst jobs list by name. As you specialize, credentials like the CEH or offensive-security certs signal deeper skill.
You don't need many — one well-chosen cert plus hands-on lab experience is a strong combination for a first role.
STAGE 08 / 08
Specialize & land the job
Security is broad — pick a direction as you go deeper. Blue team (defense, SOC analyst, incident response), red team (offensive, penetration testing), application security, cloud security, or governance and compliance. A focus makes you memorable and gives your learning a goal.
Then land it: keep a public record of your lab work and write-ups, build a presence in the community, and prepare for interviews. Entry roles like SOC analyst are common first jobs. You're ready when you can explain how an attack works — and how you'd stop it.