I have been in this field for over two decades. I came up through the technical ranks, spent years building and running security programs, and I now serve as a CISO at a publicly traded manufacturing company. Along the way I have hired entry-level analysts, mentored career changers, and reviewed hundreds of resumes from people trying to break in. This guide is the honest, direct version of what I would tell someone today if they sat across from me and asked: “How do I get into InfoSec?”
The Honest Truth About Breaking In
There is no shortcut. Anyone selling you a “get hired in 30 days” boot camp or promising you a six-figure job after a weekend certification course is selling you something that does not exist. The field requires real competence, and hiring managers can tell the difference between someone who understands what they are doing and someone who memorized answers for a test.
That said, the field also genuinely needs people. The cybersecurity workforce gap is real and documented. Organizations across every industry are struggling to find qualified professionals at all levels. The U.S. Bureau of Labor Statistics projects information security analyst employment to grow significantly faster than average. In practical terms, that means a motivated person who builds genuine skills has a real shot — but “genuine skills” is the key phrase.
The other honest truth: you are going to have to invest time before you see returns. Building the foundation you need to be hireable takes months, not weeks. If you treat it like a side project you fit in when it is convenient, it will take much longer. If you treat it like a second job and put in consistent hours every week, you can be interview-ready in six to twelve months starting from zero. That timeline is real, and it is worth it.
Three Paths Into the Field
There is not one right way to break into InfoSec. The path you take depends on where you are starting from, what resources you have available, and how much time you can commit. Here are the three main routes, with honest assessments of each.
Path 1: The College Degree
A four-year degree in cybersecurity, computer science, or information technology provides comprehensive foundational coverage and opens doors with employers who have hard educational requirements. Government positions, defense contractors, and large enterprises often have degree requirements that are difficult to waive. A degree also gives you structured exposure to networking, systems, programming, and security concepts in a sequence that builds logically.
The downsides are time and cost. A four-year commitment is a significant investment, and a degree alone does not guarantee you will be hireable — you still need hands-on experience. The best outcome is a degree combined with internships, personal projects, and certifications. If you are early in your career and can make the investment, a degree from a solid program is worth considering. If you are a career changer in your thirties with financial obligations, there are faster and cheaper paths that work.
Path 2: Self-Taught and Bootcamp
A growing number of working InfoSec professionals came in through self-study, online platforms, and intensive bootcamps. This path is faster, cheaper, and increasingly accepted by employers who have shifted their focus to demonstrated skills over credentials. The tradeoff is that self-directed learning requires significant discipline, and you need to be intentional about covering the gaps a structured curriculum would fill automatically.
Platforms like TryHackMe, HackTheBox, and SANS Cyber Aces provide structured learning paths at low or no cost. A self-taught candidate who has a CompTIA Security+ certification, a documented home lab, and a portfolio of CTF write-ups is genuinely competitive for entry-level analyst roles. The key is proving the skills, not just claiming them. I will cover how to do that later in this guide.
Path 3: The IT-to-Security Pivot
This is the most underrated entry point, and it is one I have seen work consistently well. If you already work in IT — sysadmin, network engineer, help desk, desktop support, cloud infrastructure — you have a significant head start. You understand how systems work. You understand how organizations operate. You understand users, change management, and the pain points of real-world IT environments. That context is genuinely valuable in security work.
The pivot from IT to security typically requires building targeted security knowledge on top of your existing foundation: getting your Security+, learning about threat detection and incident response, and finding a role that bridges the two worlds — SOC analyst, security operations, or security engineering. If you are already in IT and curious about security, this is the path I would encourage you to take. You are already most of the way there.
The Foundation You Need Before Anything Else
Before you study for any security certification or sign up for a hacking platform, there is a minimum viable knowledge base you need to have. Security is the practice of defending systems from attack, and you cannot defend systems you do not understand. Trying to learn security concepts without this foundation is like trying to learn automotive repair without understanding how an engine works.
Networking Fundamentals
You need to understand how networks actually function. That means the OSI model — not just being able to name the seven layers, but understanding what happens at each one and why it matters. It means TCP/IP: how packets are structured, how TCP handshakes work, what UDP is and when it is used. It means DNS: how domain names resolve to IP addresses and why that process is such a common attack surface. It means DHCP: how devices get network addresses automatically and what the implications are. It means understanding firewalls, routing, subnets, and VLANs at a conceptual level.
The Professor Messer free Security+ study materials cover most of this. CompTIA Network+ study resources are another solid option. You do not need to be a network engineer, but you need to understand the protocols well enough to know what normal traffic looks like — because detecting attacks means recognizing when traffic is not normal.
Operating Systems
You need real familiarity with both Windows and Linux. Windows because it is the dominant enterprise operating system and the primary environment you will be defending in most corporate settings. Linux because most security tools run on it, most servers run it, and most attack techniques involve it. On the Windows side, understand Active Directory, Group Policy, the registry, Windows event logs, and how user and administrator accounts work. On the Linux side, get comfortable with the command line — file navigation, user management, permissions, processes, and network commands. You do not need to be a Linux developer, but you need to be comfortable enough that the terminal does not feel foreign.
How the Web Works
A huge proportion of modern attack surface is web-based, which means you need to understand how web applications function. That starts with HTTP and HTTPS: how requests and responses work, what headers contain, how authentication tokens are passed. It extends to APIs: what REST APIs are, how they communicate, and why API security has become such a significant concern. Understanding how a browser interacts with a web server, what happens when a form is submitted, and how cookies and sessions work will give you the context you need to understand most modern attack categories — SQL injection, cross-site scripting, authentication bypass, and API abuse all make far more sense when you understand the underlying mechanics.
Your First Certification: CompTIA Security+
CompTIA Security+ is the right first certification for almost everyone breaking into the field, and the reasons for that are practical rather than theoretical. It is vendor-neutral, which means it covers foundational concepts that apply regardless of what technology stack an employer uses. It is widely recognized — a very large percentage of InfoSec job postings at the entry and mid level either list it as required or as a preferred qualification. It is approved under the DoD 8570 directive, which matters for any role that touches government contracts or federal employment. And it provides a structured curriculum that covers the core domains of security work: threats, cryptography, identity management, network security, cloud and application security, incident response, and governance.
The Security+ exam is not easy, but it is passable with focused preparation. I recommend a study approach that combines three elements: Professor Messer’s free video course and practice exams (genuinely one of the best free resources available for any certification), the CompTIA CertMaster practice tool or similar question bank for drilling test-taking pattern recognition, and hands-on lab time to make the concepts concrete rather than abstract. Candidates who try to pass the Security+ by memorizing terms without understanding the underlying concepts tend to struggle. The exam is scenario-based, and the questions are designed to test whether you can apply knowledge — not just recall definitions.
Plan for sixty to ninety days of focused study if you are starting with a solid foundation. Plan for ninety to one hundred twenty days if you are still building that foundation simultaneously. Do not rush it. Understanding the material matters more than a quick pass date.
Building Your Home Lab
Hands-on practice matters more than any amount of reading or video watching. The security field is deeply practical, and the ability to demonstrate that you have actually done something is what separates competitive entry-level candidates from those who have only studied concepts. A home lab is how you get that practice without needing a job first.
The good news is that you do not need expensive hardware. A modern laptop or desktop with 16GB of RAM and a decent CPU can run a functional lab using free hypervisor software. VirtualBox from Oracle is completely free and works well for most lab purposes. VMware Workstation Player offers a free tier as well. Either one lets you run multiple virtual machines simultaneously on a single physical machine.
For a starting lab build, I recommend the following free components. Download and install Kali Linux — it is the industry-standard offensive security distribution, and learning to use its tools (Nmap, Metasploit, Burp Suite, Wireshark) will serve you in any role. Set up DVWA (Damn Vulnerable Web Application), which is a deliberately insecure web application designed for practicing web attack techniques in a safe, legal environment. Deploy a Windows virtual machine and practice with Active Directory, event log analysis, and basic defensive configurations.
Beyond your local lab, TryHackMe and HackTheBox provide browser-accessible lab environments that require no local hardware setup at all. TryHackMe is more beginner-friendly and guided; HackTheBox is more challenging and realistic. Both are excellent, and both have free tiers that provide meaningful practice opportunities. Start with TryHackMe’s free learning paths and graduate to HackTheBox as your skills develop.
Getting Hired Without Experience
The entry-level InfoSec job market has a well-known catch-22: jobs require experience, but you need a job to get experience. The way through this is to demonstrate competence through means other than employment history. Here is how to do it.
Your Resume and LinkedIn
Your resume should lead with your certifications, your technical skills, and any relevant projects or lab work. Do not bury these at the bottom under an employment history that is in an unrelated field. A Security+ certification plus documented lab projects plus a TryHackMe profile is a stronger lead for an entry-level security role than a ten-year history in retail management. Structure your resume to front-load what matters for the role you are targeting.
Your LinkedIn profile should be optimized for the role you are pursuing, not the role you currently hold. Use your headline to describe where you are going, not where you are. “Aspiring SOC Analyst | CompTIA Security+ | TryHackMe Top 5%” tells a recruiter immediately what you are trying to do. Connect with people in the field, engage with security content, and make it clear that you are actively building toward a career change. Recruiters look at activity, not just credentials.
Your GitHub Portfolio
A GitHub profile with documented scripts, lab write-ups, and CTF solutions provides concrete evidence of technical capability that no resume bullet point can match. Even simple automation scripts — a Python script that parses log files, a Bash script that automates a lab task — demonstrate that you can write and use code. CTF write-ups demonstrate that you can work through a technical problem methodically and explain your process. Keep your repositories organized, write clear README files, and make sure your profile represents the quality of work you want to be judged on.
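As an added illustration of the kind of portfolio script this paragraph describes (my example, not code from the original post or from any project it names): a small Python parser for sshd entries in a Linux auth.log that counts failed logins per source, flags the brute-force pattern, and lists accounts that succeeded only after failing. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a Linux auth.log; host, IPs and
# users are made up (documentation address ranges), not captured data.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 lab-vm sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 08:01:14 lab-vm sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar 10 08:01:15 lab-vm sshd[1203]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 08:01:17 lab-vm sshd[1205]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar 10 08:01:19 lab-vm sshd[1207]: Failed password for invalid user test from 203.0.113.45 port 51244 ssh2
Mar 10 08:02:03 lab-vm sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: RSA SHA256:placeholder
Mar 10 08:03:30 lab-vm sshd[1212]: Failed password for alice from 192.0.2.10 port 40030 ssh2
Mar 10 08:03:31 lab-vm sshd[1214]: Accepted password for alice from 192.0.2.10 port 40031 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# "invalid user" means the account does not exist, the usual shape of guessing tools.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IP)
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from " + IP)

def parse_auth_log(text):
    """Turn raw lines into {'kind', 'user', 'ip'} events, kept in file order."""
    events = []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            events.append({"kind": "failed", "user": m["user"], "ip": m["ip"]})
        elif m := ACCEPTED_RE.search(line):
            events.append({"kind": "accepted", "user": m["user"], "ip": m["ip"]})
    return events

def failed_by_source(events):
    """Failed logins per source IP."""
    return Counter(e["ip"] for e in events if e["kind"] == "failed")

def brute_force_candidates(events, threshold=5):
    """Sources with >= threshold failures and the usernames they tried; many
    distinct usernames from one IP is the classic password-spraying shape."""
    tried = defaultdict(set)
    for e in events:
        if e["kind"] == "failed":
            tried[e["ip"]].add(e["user"])
    return {ip: {"failures": n, "users": sorted(tried[ip])}
            for ip, n in failed_by_source(events).items() if n >= threshold}

def success_after_failures(events):
    """(user, ip) pairs that succeeded only after failing from the same IP.
    Often a typo, but from a brute-force candidate it means a password was guessed."""
    seen_failure, hits = set(), []
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "failed":
            seen_failure.add(key)
        elif key in seen_failure and key not in hits:
            hits.append(key)
    return hits

if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, info in brute_force_candidates(evts).items():
        print(f"ALERT {ip}: {info['failures']} failures, users tried {info['users']}")
    for user, ip in success_after_failures(evts):
        print(f"REVIEW {user}@{ip}: success after earlier failures")
```

Point it at `/var/log/auth.log` on your lab VM and a write-up of what it found, with the threshold you chose and why, is exactly the kind of README that shows a hiring manager you understand the log, not just the language.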
CTF Competitions
Capture the Flag competitions are deliberately designed security challenges that test specific skills in a legal, structured environment. They cover categories including web exploitation, cryptography, reverse engineering, forensics, and network analysis. CTFtime.org lists upcoming competitions, and many of them are free to enter. Completing CTF challenges and writing up your solutions is one of the best ways to build a portfolio demonstrating real technical skills. Many hiring managers look specifically for CTF participation when evaluating entry-level candidates.
Community and Networking
BSides events are community-organized security conferences that happen in cities around the world, typically at low or no cost. They are attended by everyone from students to CISOs, and they are one of the best places to make real connections in the field. OWASP chapter meetings, local ISACA and (ISC)² chapters, and security-focused meetups serve the same purpose. The InfoSec community is, on balance, welcoming to people who are genuinely trying to learn. Show up, introduce yourself honestly, and engage with the content. Relationships built at these events lead to job referrals, mentorship, and opportunities that never get posted publicly.
Getting Organizational Support for Your Career Pivot
If you are making a career change into InfoSec, you will need to explain it — to family members who are wondering why you are spending evenings studying, to your current employer if you want them to support your training, and eventually to hiring managers who will want to understand your trajectory. The way to handle all of these conversations is to make the business case, not just the personal one.
The demand numbers are real and compelling. The global shortage of cybersecurity professionals is measured in the millions. Entry-level InfoSec salaries consistently exceed the median household income in most U.S. markets. Mid-career and senior security professionals are among the most in-demand and well-compensated technical workers in the economy. This is not a speculative bet on an emerging field — it is a career move into one of the most structurally stable sectors in technology employment.
For your current employer: if you are in IT, make the case that security skills make you more valuable in your current role and reduce their risk. Many organizations have tuition reimbursement programs and training budgets specifically for professional development. The ROI argument is simple — paying for your Security+ certification and a year of TryHackMe costs less than one day of an external consultant’s time, and it builds organizational capability they retain. Frame it that way. Ask specifically about whether the organization reimburses certification exam fees.
For family members: the career change requires time and possibly money in the short term, but the long-term trajectory is strong. Security professionals are not being automated out of jobs — the complexity of the threat landscape is increasing, not decreasing. Stability, demand, and compensation are all on the right side of this equation. That is a straightforward case to make.
For future hiring managers: be direct about your pivot story. “I have spent the last eight months building a foundation in network security, earned my Security+, and built a lab portfolio documenting the work I have done” is a confident, credible narrative. Own your transition as a deliberate choice, not an apology for a gap in your resume.
Key Points
InfoSec is genuinely accessible to career changers. No single background is required, and multiple entry paths work depending on your starting point and resources.
Build the foundation first. Networking, operating systems, and web fundamentals are prerequisites, not optional extras. Security concepts will not stick without them.
CompTIA Security+ is the right first certification. It is widely recognized, covers the core domains, and provides structure for your early learning.
Hands-on practice is non-negotiable. A home lab, TryHackMe, HackTheBox, and CTF competitions provide the practical experience you need to be hireable.
Your portfolio is your proof. GitHub write-ups, CTF solutions, and lab documentation demonstrate competence that a resume bullet point cannot.
Community matters. BSides, OWASP chapters, and online communities accelerate your learning and create opportunities that never get posted publicly.
Pro Tips
Set a specific weekly time commitment and treat it like a second job. Sixteen hours a week produces real momentum. Vague intentions do not.
Use free resources aggressively. Professor Messer, TryHackMe’s free tier, SANS Cyber Aces, and YouTube channels like NetworkChuck and John Hammond provide excellent content at no cost.
Document your lab work as you go. Write-ups reinforce your learning and build your portfolio simultaneously. Do not wait until you feel “ready” to start documenting.
Apply broadly and early. Start applying for entry-level roles before you feel fully ready. Interview experience is valuable learning, and you may be surprised at how far your current skill level gets you.
Find a mentor. One person in the field who is willing to give you occasional honest feedback is worth more than a hundred LinkedIn posts about cybersecurity careers. Ask directly and respectfully.
Pitfalls to Avoid
Certification chasing without hands-on practice. A stack of certifications without demonstrable skills is transparent to experienced hiring managers. Balance study with doing.
Trying to specialize too early. The field is broad. Do not narrow to penetration testing or cloud security or GRC before you have a general foundation. Depth comes after breadth.
Treating the online community as your only source of advice. Reddit, Discord, and YouTube are full of strong opinions, including bad ones. Cross-reference advice against multiple sources and weight it against the credentials of the person giving it.
Expecting a fast track to a six-figure salary. The field pays well at mid and senior levels. Entry level is competitive but not exceptional. Build the foundation before optimizing for salary.
Stopping at one certification. The Security+ gets you in the door for entry-level roles. It is not a destination — it is a starting point. Plan your next step before you have finished your current one.
The security field needs more people, and it needs them to actually know what they are doing. If you are willing to put in the hours, build the foundation, get hands-on experience, and show up consistently — this career is available to you. It is not fast, and it is not easy, but the people who commit to it seriously find that the field rewards them with work that is genuinely interesting, a community that is unusually collaborative, and a career track that is as stable as any in technology. Start with the foundation. Get your Security+. Build your lab. Document the work. Show up at the local BSides. The path forward from there is clearer than you think.
If this guide is useful to you, share it with someone else who is trying to make the same move — the security field gets better when more qualified people enter it. And if you are ready to go deeper on certifications, home lab setup, and the skills that hiring managers are actually filtering on, the follow-up post — InfoSec Certifications, Home Labs, and the Skills That Actually Get You Hired — covers all of that in detail. Subscribe to InfoSec Made Easy so you do not miss it, and feel free to reach out with questions at infosecmadeeasy.com.
