Breaking Into Cybersecurity: A Career Changer's Guide

UNDRSTDY Team

Career Research

Every week, someone posts in r/cybersecurity asking: "How do I break into this field with no experience?"

The answers are usually vague ("just network!") or discouraging ("you need a CS degree").

Neither is helpful. Here's the realistic path for career changers—what actually works, what's a waste of time, and how to stand out in a competitive field.


The Good News and the Bad News

The Good News

  • Cybersecurity has a massive skills shortage—3.4 million unfilled positions globally
  • Many successful security professionals came from non-traditional backgrounds
  • Certifications can fast-track your entry (they're valued more here than in other tech fields)
  • Entry-level salaries are strong: $60-80K is typical, with rapid growth potential

The Bad News

  • "Entry-level" often requires 1-3 years of experience (catch-22)
  • Competition for true entry-level roles is fierce
  • You need to demonstrate actual skills, not just certifications
  • It takes time—expect 6-18 months of serious effort before landing your first role

Reality check: You can break into cybersecurity without a CS degree or prior IT experience. But it requires focused effort, smart positioning, and patience. Anyone promising you'll be a security engineer in 30 days is lying.

The Path That Actually Works

Phase 1: Build Your Foundation (1-3 months)

Before jumping into security, you need basic IT knowledge. Security is about protecting systems—you need to understand those systems first.

What to learn:

  • Networking fundamentals (TCP/IP, DNS, DHCP, firewalls)
  • Operating systems basics (Windows and Linux)
  • Command line proficiency (PowerShell, Bash)
  • Basic system administration concepts

How to learn:

  • Professor Messer's free CompTIA Network+ videos
  • Set up a home lab with VirtualBox (free)
  • Install Linux, break it, fix it, repeat

Certification to target: CompTIA A+ or Network+ (optional but helpful for resume)

Phase 2: Get Your Security Foundation (2-4 months)

Now you're ready for security-specific knowledge.

Target certification: CompTIA Security+

Security+ is the industry standard entry-level certification. It's DoD-approved (required for many government roles), widely recognized, and covers broad security concepts.

What you'll learn:

  • Threat landscape and attack types
  • Network security architecture
  • Identity and access management
  • Cryptography basics
  • Security operations and incident response

Take this seriously. Study for 8-12 weeks minimum. Use practice exams until you're consistently scoring 80%+.

Phase 3: Build Hands-On Skills (Ongoing)

Here's where most career changers fail: they collect certifications but can't demonstrate actual skills.

Ways to build real skills:

Home Lab Projects

  • Set up a SIEM (Security Onion, Splunk free tier)
  • Configure a firewall (pfSense)
  • Build a vulnerable VM and practice attacking/defending it
  • Implement network monitoring

Capture The Flag (CTF) Platforms

  • TryHackMe — Guided learning paths, beginner-friendly
  • Hack The Box — More challenging, great resume material
  • PicoCTF — Good for absolute beginners

Bug Bounties

Once you have basics down, try finding real vulnerabilities on platforms like HackerOne or Bugcrowd. Even one small finding is impressive on a resume.

Phase 4: Get Experience (The Hardest Part)

Here's the catch-22: you need experience to get hired, but you need to be hired to get experience.

Ways to break the cycle:

Start in Adjacent Roles

These roles are easier to get and give you relevant experience:

  • Help desk / IT support — Teaches troubleshooting and user interaction
  • System administrator — Teaches the systems you'll be securing
  • Network administrator — Teaches the infrastructure you'll be protecting

Yes, this means "starting over" if you're changing careers. But 1-2 years in IT support, combined with security certifications, makes you a strong candidate for junior security roles.

Internships

Not just for college students anymore. Many companies offer security internships for career changers. They're competitive but worth pursuing.

Volunteer Work

Non-profits need security help and can't afford to pay for it. Volunteer to do security assessments, help with awareness training, or review their practices. Real experience you can reference.


Entry-Level Roles to Target

Don't aim for "Security Engineer" right away. These roles are more realistic entry points:

Security Operations Center (SOC) Analyst

Monitor security alerts, investigate potential incidents, escalate issues. This is the most common entry point.

What they want: Security+, basic networking knowledge, analytical mindset

IT Security Analyst

Help implement security policies, assist with compliance, support security tools.

What they want: Security+, some IT experience, attention to detail

Junior Penetration Tester

Test systems for vulnerabilities. More competitive but possible with strong CTF experience.

What they want: Demonstrated hacking skills (CTF rankings, bug bounties), certifications like Security+ or eJPT

GRC Analyst (Governance, Risk, Compliance)

Help organizations meet security requirements. Good fit if you have business/compliance background.

What they want: Security+, understanding of frameworks (NIST, ISO 27001), documentation skills


The Resume Problem (And How to Solve It)

Your resume for a security role needs to show:

  1. Relevant certifications — Security+ minimum, others as you advance
  2. Technical skills — List specific tools and technologies you've used
  3. Projects — Home lab work, CTF accomplishments, any hands-on experience
  4. Transferable skills — From your previous career (problem-solving, communication, analysis)

What to Include From Past Career

Your previous experience isn't worthless. Frame it in security terms:

  • Healthcare background? "Understanding of HIPAA compliance requirements"
  • Finance background? "Experience with SOX compliance and audit processes"
  • Customer service? "Strong communication skills for incident response coordination"
  • Military/law enforcement? "Security clearance, threat assessment experience"

Networking (The Human Kind)

"Network" is vague advice. Here's what actually helps:

Local Security Groups

Find BSides conferences, OWASP chapters, ISSA meetings in your area. Show up. Talk to people. This is how many jobs are found.

Online Communities

Join Discord servers for TryHackMe, Hack The Box, security certification communities. Be helpful. Build reputation.

LinkedIn

Connect with security professionals. Engage meaningfully with their posts. Share your learning journey.

Informational Interviews

Ask security professionals for 20-minute calls to learn about their path. Most will say yes. These often lead to opportunities.


Realistic Timeline

For a dedicated career changer:

  • Months 1-3: IT fundamentals, home lab setup
  • Months 4-6: Security+ certification, hands-on practice
  • Months 6-12: Build projects, CTF practice, apply for roles
  • Months 12-18: Land first security role (or adjacent role that leads to security)

This assumes 10-15 hours per week of dedicated study and practice. More time = faster progress.


What Not to Do

  • Don't collect certifications without skills — CISSP with no experience looks desperate
  • Don't only apply online — Most jobs are filled through connections
  • Don't wait until you feel "ready" — Apply when you meet 60% of requirements
  • Don't ignore soft skills — Communication matters as much as technical ability
  • Don't expect your first role to be perfect — Get your foot in the door, then navigate

Breaking into cybersecurity is hard but absolutely possible. Focus on building real skills, getting that first security certification, and connecting with the community.
