InfoSec Certifications, Home Labs, and the Skills That Actually Get You Hired

Most people trying to break into cybersecurity spend too much time debating which certification to get next and not enough time building the hands-on skills that hiring managers are actually filtering on. Certifications matter — they validate knowledge, signal commitment, and open doors with recruiters who use them as keyword filters. But a candidate with a modest cert stack and a strong lab portfolio consistently outperforms a candidate with an impressive cert stack and no practical experience. The sequence matters, the context matters, and the hands-on work is not optional.

This post is the follow-up to Breaking Into Information Security: The Complete Guide for Beginners. That guide covered the foundational path. This one goes deeper: which certifications actually align with which career tracks, what your home lab needs to contain, what skills hiring managers are genuinely filtering on, and how to build a portfolio when you have no job history to point to.

The Certification Landscape by Career Track

Cybersecurity is not a single career. It is a collection of related disciplines that require meaningfully different skill sets and point toward different certification paths. Choosing certifications without first deciding which track you are building toward is one of the most common planning mistakes I see from people early in their InfoSec journey. Here is a map of the major tracks and the certifications that align with each.

Generalist / Security Operations

CompTIA Security+ (SY0-701): The starting point for almost everyone. Covers foundational security domains across threats, architecture, implementation, operations, and governance. Recognized by a broad range of employers, required or preferred on most entry-level postings, and DoD 8570 compliant for government-adjacent roles. Get this first. It establishes your baseline and gives you a recognized credential while you build toward the next step.

CompTIA CySA+ (CS0-003): The natural progression after Security+. Where Security+ is broad and foundational, CySA+ goes deeper on threat detection and response, log analysis, behavioral analytics, and security operations center (SOC) work. It is the right credential if you are building toward a SOC analyst or threat detection role. Expect to spend a few months in a real or simulated SOC environment before this cert fully makes sense — the concepts land better with operational context.

Penetration Testing / Offensive Security

CEH (Certified Ethical Hacker): Widely recognized, particularly in government and defense contracting environments, and often listed as a preferred qualification on penetration testing job postings. It is knowledge-focused rather than purely hands-on, which draws some criticism from practitioners. As a credential that gets your resume past automated filters and satisfies DoD 8570 requirements for IAT Level II and III roles, it serves a purpose. Think of it as a checkpoint, not a destination.

OSCP (Offensive Security Certified Professional): This is the certification that actually proves offensive security skill, and the industry knows it. The OSCP exam requires you to compromise a series of machines in a 24-hour proctored practical exam — no multiple choice, no memorized definitions, just real exploitation work. Passing it demonstrates that you can actually do the job, not just describe it. It requires significant preparation — completing the PWK course, extensive lab practice, and a comfort level with manual exploitation techniques that goes well beyond what most people have when they first encounter the field. Plan for six to twelve months of serious preparation. The effort is worth it for anyone committed to an offensive security career.

Cloud Security

AWS Certified Security — Specialty: Cloud environments are now the dominant infrastructure model for most organizations, and cloud security is one of the fastest-growing specializations in the field. The AWS Security Specialty certification validates deep knowledge of AWS security services, architecture, incident response in cloud environments, and compliance requirements. It requires meaningful AWS experience before it is approachable — AWS recommends at least two years of hands-on AWS experience. Build your cloud foundation with the AWS Certified Cloud Practitioner or Solutions Architect Associate first, then work toward the Security Specialty.

CCSP (Certified Cloud Security Professional): A vendor-neutral cloud security certification from (ISC)² that covers cloud concepts, architecture, data security, platform security, and legal and compliance considerations across cloud environments. It is more conceptual and governance-oriented than the AWS Specialty, which makes it a strong choice for cloud security roles that span multiple providers or sit more on the governance and risk side. Requires three years of IT experience and one year of cloud security experience to sit for the exam.

Governance, Risk, and Compliance (GRC)

CISA (Certified Information Systems Auditor): From ISACA, this certification is the standard credential for information security audit, assurance, and compliance roles. It covers the audit process, IT governance, systems acquisition and development, IT operations, and protection of information assets. If you are building toward a GRC, audit, or compliance role, CISA is the right certification to pursue. It requires five years of relevant work experience to certify (with some substitutions allowed), which makes it a mid-career credential rather than an entry point.

Leadership Track

CISM (Certified Information Security Manager): Also from ISACA, CISM is designed for security managers and leaders who are responsible for enterprise security programs. It covers information security governance, risk management, program development and management, and incident management. It is the right certification for someone building toward a security management or CISO track. Requires five years of information security management experience.

CISSP (Certified Information Systems Security Professional): More on this in the next section, because it deserves its own conversation.

💡 Pro Tip: Map your certification path to a specific role target, not to an abstract idea of “being more certified.” Look at twenty job postings for the role you want in two years, note which certifications appear most frequently as requirements or preferences, and build your cert roadmap from that data. The market tells you what it values.

CISSP: When It’s Worth It and When It Isn’t

The CISSP is probably the most misunderstood certification in the field. A significant number of people early in their InfoSec journey have been told — or have concluded on their own — that CISSP is the goal, the credential that signals “arrival” in the security field. That framing is wrong, and pursuing the CISSP at the wrong stage of your career is a waste of time and money.

Here is what the CISSP actually is: it is a management-track certification covering eight security domains at a strategic and conceptual level. It is designed for people who are managing security programs, not for people doing technical security work. The eight domains — security and risk management, asset security, security architecture, communication and network security, identity and access management, security assessment and testing, security operations, and software development security — are covered at breadth rather than depth. The exam tests whether you can think like a security manager, not whether you can perform a penetration test or analyze a packet capture.

The experience requirement reflects this. (ISC)² requires five years of paid work experience in two or more of the eight CISSP domains before you can certify. That is not a waivable guideline — it is a hard requirement. There is an Associate of (ISC)² path for candidates who pass the exam before meeting the experience requirement, but the full certification requires the experience.

The practical implication: if you are in your first three years in the field, the CISSP is not on your critical path. Focus on the technical skills and certifications that make you good at the practitioner-level work you will be doing for the next several years. The CISSP is a valuable and legitimately respected credential for security managers and CISO-track professionals with real program management experience. Pursue it when you have the experience to make it meaningful — and when you are genuinely moving into a management or leadership role where the domain coverage aligns with your actual responsibilities.

🔑 Key Tip: The most valuable early-career certifications are the ones that validate hands-on technical skills: Security+, CySA+, and — for anyone serious about offensive security — OSCP. These certifications align with the work you will actually be doing in your first few years. The management-track certifications (CISSP, CISM) become relevant when your role shifts toward program leadership.

What a Home Lab Actually Needs

The home lab conversation often gets derailed by hardware discussions. People worry about whether they have the right equipment before they start, then delay getting started while they research the perfect setup. Here is the honest reality: almost any reasonably modern hardware can run a functional lab, and waiting for ideal hardware means delaying the hands-on practice that actually builds skill.

Hardware Options

An old laptop or desktop with 8GB to 16GB of RAM is enough to run a meaningful lab with two or three virtual machines simultaneously. If you want to invest modestly in dedicated lab hardware, mini PCs from manufacturers like Intel (NUC series) and Beelink offer significant processing power and RAM capacity in a small, power-efficient form factor for a few hundred dollars. For those who prefer not to invest in any hardware at all, cloud free tiers — AWS Free Tier, Google Cloud free tier, and Azure free account — provide virtual machines you can use for lab work at no cost, with some usage limits.

Hypervisors

VirtualBox from Oracle is free, well-documented, and works on Windows, macOS, and Linux. VMware Workstation Player has a free personal-use tier. Either one is a solid choice for most home lab purposes. If you are on an Apple Silicon Mac, UTM is a free virtualization option that runs well on M-series hardware.

Key Virtual Machines to Run

Windows Active Directory lab: Set up a Windows Server VM configured as a domain controller with one or two Windows workstation VMs joined to the domain. This gives you a realistic enterprise environment to practice with: user and group management, Group Policy, event log analysis, and attack-then-defend exercises. A huge proportion of real-world security work involves Active Directory environments, and having hands-on experience with AD before your first job is a meaningful differentiator.

Kali Linux: The standard offensive security distribution, maintained by Offensive Security. Comes pre-loaded with Nmap, Metasploit, Burp Suite, Wireshark, Hydra, and hundreds of other tools. Use it to practice reconnaissance, exploitation, and post-exploitation techniques against your vulnerable target VMs in a controlled, legal environment.

Metasploitable: A deliberately vulnerable Linux VM designed for practicing exploitation techniques. It runs multiple intentionally insecure services and is safe to attack in a local lab environment. Pair it with Kali and follow structured learning paths to practice specific attack categories.

DVWA (Damn Vulnerable Web Application): A PHP/MySQL web application with intentionally insecure code, designed for practicing web application attack techniques: SQL injection, XSS, command injection, file upload vulnerabilities, and more. Run it in a VM or Docker container in your local lab.

Free Platform Resources

TryHackMe: Browser-based learning paths with guided rooms covering beginner through advanced topics. The free tier provides access to a significant amount of content. Start with the “Pre-Security” and “SOC Level 1” paths if you are newer to the field.

HackTheBox: More challenging, less guided, and closer to what real penetration testing engagements look like. The free tier includes a rotating set of retired machines. Once you have built a foundation on TryHackMe, graduating to HackTheBox machines develops a meaningfully higher level of problem-solving independence.

SANS Holiday Hack Challenge (SANS HHC): SANS runs a free annual CTF-style challenge each December with a range of difficulty levels. The write-ups and community around it are excellent, and completing it gives you concrete CTF experience to point to.

Cybersecurity Blue Team Labs: Blue Team Labs Online provides defender-focused exercises covering incident response, log analysis, threat hunting, and forensics. These are particularly valuable for anyone building toward a SOC or IR role, where the work is defense-oriented rather than offensive.

💡 Pro Tip: Build your Windows AD lab before you think you need it. Most entry-level analyst roles involve AD environments, and candidates who have actually configured a domain controller, created user accounts, set Group Policy, and analyzed Windows event logs start their first job weeks ahead of candidates who encounter these concepts for the first time on day one.

The Skills Hiring Managers Actually Filter On

The skills that appear on InfoSec job descriptions and the skills that actually differentiate candidates in the interview process are not always the same list. Here is what actually matters, based on what I and other hiring managers look for when evaluating entry-level and early-career candidates.

Scripting and Automation

You do not need to be a software developer. You need to be able to write basic scripts that automate repetitive tasks, parse data, and interact with APIs and command-line tools. Python is the most directly useful language for security work: it is what most security tooling is built on, it is what you will use to automate analysis tasks and write custom tools, and it is what CTF solutions are typically written in. PowerShell is essential for anyone working in Windows environments, which is most enterprise security work. Bash is the command-line scripting language for Linux and is used heavily in both offensive and defensive tooling.

The bar for “scripting basics” is not high at the entry level, but it is real. Being able to write a Python script that reads a log file, extracts IP addresses, and checks them against a threat intelligence feed is the kind of practical skill that stands out. Automate Yourself Out of Tasks by Christian Burkhart (free online) and Python for Everybody (free on Coursera) are solid starting points.

Log Analysis

A significant proportion of real security work involves reading logs: Windows event logs, firewall logs, web server access logs, authentication logs, and endpoint telemetry. The ability to take a raw log export, identify what is normal, and flag what is anomalous is a core SOC skill. Practice this with the logs your lab generates — Windows Security event logs are particularly information-dense and worth studying in detail. Understanding what a successful authentication looks like, what a failed authentication looks like, what lateral movement indicators appear in logs, and how to correlate events across multiple log sources is the practical foundation of threat detection work.
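The scripting task described above (read a log export, pull out the source IPs, check them against a threat-intel feed) and the log-analysis pattern described here (failed authentications followed by a success from the same source) fit in one short script. This is an added example, not code from the original post; the CSV export layout, the event records, and the threat-intel list are all constructed for illustration, and the RFC 1918 filter is an assumption about what counts as “internal” in your lab.

```python
"""Triage an exported Windows Security log: extract external source IPs, check them
against a threat-intel list, and flag brute-force-then-success logon patterns.
Added example; the log format and feed below are constructed, not a real export."""
import csv
import io
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a trimmed CSV export of Windows Security events.
# 4625 = failed logon, 4624 = successful logon. Real exports carry many more columns.
SAMPLE_EXPORT = """\
TimeCreated,EventID,TargetUserName,IpAddress,LogonType
2024-05-01T09:00:01,4624,alice,10.0.0.5,2
2024-05-01T09:10:00,4625,admin,203.0.113.9,3
2024-05-01T09:10:02,4625,admin,203.0.113.9,3
2024-05-01T09:10:04,4625,admin,203.0.113.9,3
2024-05-01T09:10:06,4625,admin,203.0.113.9,3
2024-05-01T09:10:08,4625,admin,203.0.113.9,3
2024-05-01T09:10:30,4624,admin,203.0.113.9,3
2024-05-01T09:15:00,4625,bob,10.0.0.7,2
2024-05-01T09:16:00,4624,bob,10.0.0.7,2
2024-05-01T11:00:00,4624,svc_backup,198.51.100.4,3
"""

# Constructed threat-intel feed; in practice this is a downloaded blocklist or an API.
THREAT_INTEL = {"203.0.113.9", "192.0.2.77"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: RFC 1918 space plus loopback is "internal" for this lab.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def extract_ips(text):
    """Return the set of syntactically valid, non-internal IPv4 addresses in raw text."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if not any(ip in net for net in INTERNAL_NETS):
            found.add(str(ip))
    return found


def check_against_feed(ips, feed=THREAT_INTEL):
    """Return the sorted list of extracted IPs that appear in the threat-intel feed."""
    return sorted(set(ips) & set(feed))


def parse_events(export_text):
    """Parse the CSV export into dicts, sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        events.append({"time": datetime.fromisoformat(row["TimeCreated"]),
                       "event_id": int(row["EventID"]),
                       "user": row["TargetUserName"],
                       "ip": row["IpAddress"]})
    return sorted(events, key=lambda e: e["time"])


def find_failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (ip, user) pairs with >= threshold 4625 events followed by a 4624 within window."""
    failures = defaultdict(list)
    hits = []
    for ev in events:
        key = (ev["ip"], ev["user"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["time"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"ip": ev["ip"], "user": ev["user"],
                             "failures": len(recent), "success_at": ev["time"]})
            failures[key].clear()  # a success resets the counter for that pair
    return hits


def triage(export_text, feed=THREAT_INTEL):
    """Run all three checks over one export and return the findings."""
    ips = extract_ips(export_text)
    return {"external_ips": sorted(ips),
            "on_threat_feed": check_against_feed(ips, feed),
            "brute_force_success": find_failed_then_success(parse_events(export_text))}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_EXPORT).items():
        print(f"{name}: {value}")
```

Swap `SAMPLE_EXPORT` for the contents of a real export from your AD lab and `THREAT_INTEL` for a downloaded blocklist to turn this into the script the paragraph above describes.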

Network Traffic Analysis

Wireshark is the standard tool for packet-level network analysis, and comfort with it is a genuine differentiator. Most entry-level candidates have heard of it; far fewer have actually used it to analyze real or realistic traffic. Practice capturing traffic from your lab, filtering by protocol, following TCP streams, extracting files from packet captures, and identifying anomalous traffic patterns. The Wireshark display filter syntax is worth learning specifically — being able to quickly isolate the traffic you care about from a large capture is a skill that saves significant time in real incident response situations.

SIEM Basics

Security Information and Event Management systems are the primary tool for log aggregation, correlation, and alert management in most enterprise SOC environments. Splunk is the most widely deployed enterprise SIEM, and Splunk offers a free tier (Splunk Free / Splunk Developer License) that gives you a real Splunk environment to work in. Practice ingesting log data, writing SPL (Splunk Processing Language) searches, building dashboards, and creating basic correlation rules. The TryHackMe Splunk learning path covers the fundamentals well. Microsoft Sentinel, IBM QRadar, and Elastic SIEM are other platforms worth familiarizing yourself with — all have free or low-cost learning options.

Written Communication

This one surprises some people, but I will say it directly: the ability to communicate your findings clearly in writing is one of the most differentiating skills an entry-level candidate can demonstrate, and it is one of the most consistently underdeveloped. Security work produces outputs: incident reports, vulnerability findings, risk assessments, executive summaries. All of those require clear, precise writing that translates technical observations into business-relevant conclusions. Your lab write-ups, CTF solutions, and blog posts are your proof that you can do this. Invest in them accordingly.

🔑 Key Tip: In any technical interview, when asked to explain a finding or describe an attack technique, always structure your answer in three parts: what it is, how it works mechanically, and what the business impact is. Candidates who can move fluently between technical detail and business context stand out from candidates who can only describe one or the other.

Building a Portfolio When You Have No Job History

The lack of employment history in InfoSec is a real obstacle, and the way through it is a portfolio that demonstrates competence directly rather than relying on job titles to imply it.

GitHub as Your Portfolio Hub

Create a GitHub profile and treat it as your professional portfolio. Populate it with the work you actually do: Python scripts you have written for lab automation or log parsing, Bash or PowerShell tools you have built for your home lab, notes and write-ups from completed TryHackMe rooms or HackTheBox machines, CTF solution write-ups, and documentation of your lab projects. For each repository, write a clear README that explains what the project does, why you built it, and what you learned. Quality matters more than quantity — five well-documented, clean repositories are more compelling than twenty disorganized ones.

CTF Write-Ups on a Blog

Starting a technical blog specifically for CTF write-ups serves two purposes simultaneously. It documents your work in a publicly accessible format that hiring managers can read and evaluate. And it forces you to explain your methodology clearly enough that someone else could follow it — which reinforces your own understanding in a way that simply solving the challenge does not. Medium, GitHub Pages, and WordPress all work for this. The platform matters less than consistency.

TryHackMe and HackTheBox Profile Links

Both TryHackMe and HackTheBox provide public profile pages showing your completion statistics, ranking, and activity. Your TryHackMe profile shows what learning paths you have completed and your standing relative to other users. Your HackTheBox profile shows which machines you have compromised. These are concrete, third-party verified evidence of practical work. Include direct links to both profiles on your resume and LinkedIn.

Documented Home Lab Projects

Build and document at least two or three lab projects that demonstrate specific skills. A documented Active Directory attack-and-defend lab write-up that walks through an attack path and then shows the defensive controls you implemented to detect and block it is worth more on a resume than a list of tools you have used. A Splunk home lab write-up showing log ingestion, a custom dashboard, and a simple detection rule demonstrates SIEM competence concretely. Document the process, the outcome, and the lessons learned. Put it on GitHub or your blog. Reference it in your resume and be prepared to walk through it in an interview.

💡 Pro Tip: When a hiring manager asks you a technical question in an interview and you have a documented lab project that is directly relevant, say so explicitly: “I have actually worked through this in my home lab — here is what I found.” Then walk through the documented work. Real experience, even in a lab context, is far more compelling than a rehearsed textbook answer.

Getting Organizational Support for Your Training

Certifications and training cost money, and for many people pursuing a career transition, that cost is a genuine constraint. The good news is that many employers — including employers outside the security field — will pay for training that makes you more valuable to the organization. The key is making the business case clearly and specifically.

Most medium and large organizations have tuition reimbursement or professional development budgets. These budgets exist specifically to fund employee skill development, and they are frequently underutilized because employees do not ask for them or do not know they exist. The first step is simply asking your HR department what is available. Certification exam fees, training course subscriptions, and conference attendance are commonly covered categories.

When making the case to your manager or employer, frame it in terms of organizational benefit, not personal career development. “I would like to pursue my CompTIA Security+ certification because it will improve my ability to support our IT security operations and reduce our reliance on external consultants for security assessments” is a stronger argument than “I want to transition into security and need the certification for my resume.” Both may be true, but only one makes the case from the employer’s perspective.

The ROI argument is genuinely strong. A CompTIA Security+ exam voucher costs approximately $400. A year of TryHackMe subscription costs less than $200. A single day of external security consulting typically costs $1,500 to $3,000. An employee who develops real security competence provides ongoing value that is not available on a day-rate basis, is retained by the organization, and does not require an RFP process. These numbers are real, and they are the kind of argument that budget owners respond to.

If your current employer is not in a position to support your training, look at organizations where security training support is more directly aligned with the business: technology companies, financial services firms, healthcare organizations with strong compliance requirements, and defense contractors all have strong incentives to develop internal security talent. Some offer formal security apprenticeship or development programs specifically designed to build entry-level security staff.

Key Points

Certifications should follow a track, not a vague ambition. Map your certification path to the specific role type you are targeting and build from the evidence in job postings.

CISSP is a management credential. It is not the universal goal for security professionals. Pursue it when you have the experience and are moving into a program leadership role. Not before.

Your home lab does not require expensive hardware. An old laptop with VirtualBox, a Kali VM, and a Windows AD lab is enough to build real skills. Start now with what you have.

The skills that differentiate candidates are practical, not theoretical. Scripting basics, log analysis, Wireshark proficiency, SIEM fundamentals, and clear written communication are what hiring managers are actually looking for.

Your portfolio is your proof of concept. GitHub, CTF write-ups, TryHackMe profile, and documented lab projects are concrete evidence of competence that no resume bullet point can substitute for.

Training support is available if you ask for it. Most organizations have professional development budgets. Make the business case clearly and specifically, and ask for it directly.

Pro Tips

Look at twenty job postings before you choose your next certification. The market tells you what it values. Frequency of appearance in job requirements is the most reliable signal available.

Build your AD lab before you need it. Windows Active Directory is the environment you will be working in for most of your career. Hands-on familiarity with it before your first job is a genuine advantage.

Learn SPL (Splunk Processing Language) specifically. Splunk is the most widely deployed enterprise SIEM. Being able to write effective searches is a practical skill that transfers directly to the job.

Write up every CTF you complete. Even if you only partially solved the challenge. The discipline of writing up your process builds communication skills and creates portfolio content simultaneously.

Ask for training support explicitly. Your employer’s professional development budget often goes unspent because nobody asked. Ask directly, with a clear business case, and you may be surprised by the answer.

Pitfalls to Avoid

Collecting certifications without hands-on practice. A resume with five certifications and no portfolio will lose to a resume with two certifications and documented lab work. Certifications validate knowledge; portfolios prove skill.

Chasing CISSP before you are ready for it. The experience requirement exists for a reason. A CISSP from someone with two years of experience signals a misunderstanding of the credential, not advancement.

Skipping the AD lab. More enterprise security work touches Active Directory than any other single technology. Candidates who have never worked with AD hands-on before starting their first job are at a measurable disadvantage.

Using TryHackMe as your only practice environment. TryHackMe is excellent for guided learning, but the real security world is not guided. Graduate to HackTheBox and unstructured lab work before you start interviewing.

Writing lab documentation only for yourself. If your write-ups assume the reader has full context and skip over your reasoning, they are not portfolio material. Write as if a hiring manager who has never seen your lab is reading it. That standard forces clarity and depth.

The candidates who get hired in this field are not the ones who have the most certifications or the most impressive homework. They are the ones who can demonstrate that they understand how systems work, have actually practiced attacking and defending them, and can explain what they found clearly enough that a non-technical stakeholder understands why it matters. Build the skills, document the work, and make the business case for everything you do. That combination — competence plus communication plus business context — is what the field is actually hiring for.


If you are just starting out, go back and read the companion post — Breaking Into Information Security: The Complete Guide for Beginners — for the foundational path before diving into the certification and lab depth covered here. And if these guides are useful to you, share them with someone else who is working through the same questions. Subscribe to InfoSec Made Easy at infosecmadeeasy.com for more practical, no-hype security content from someone who has been doing this work for over twenty years.