What's going on folks! This is a question I get asked all the time and honestly it's one of my favorites to answer. If I had to completely wipe the slate clean and start my cyber security career all over again in 2026, what would I actually do? No experience, no certifications, no connections, nothing. Just a person who wants to break into this industry and is willing to put in the work.

I've been in the cyber security space for a good amount of time now and I've had the privilege of not only working my way up from help desk all the way to managing an engineering team, but also sitting on the other side of the table conducting technical interviews for new hires. So I've seen what works, I've seen what doesn't, and I've also lived through the trial and error of my own journey which I've written about pretty extensively in my previous posts. With all of that context in mind, here is the exact roadmap I would follow if I had to do it all over again from absolute zero.

Start With The Google Cyber Security Professional Certificate

I know what you're thinking. Why not just jump straight into the CompTIA certifications? Well, hear me out. If I'm starting completely raw with no IT background and no cyber security knowledge whatsoever, I want to build a foundation first without breaking the bank. The Google Cyber Security Professional Certificate on Coursera is an absolute no brainer for this. You're looking at roughly $49 per month and you only pay for however long you actually use it. If you grind through it in a month, you're only out $49 which in the certification world is practically nothing.

The certificate itself is made up of eight courses that cover a pretty wide range of foundational cyber security topics. You'll get exposure to things like network security, Linux, SQL, and even automating tasks with Python. Now, is this going to make you an expert? Absolutely not. But that's not the goal here. The goal is to get your feet wet with the core concepts so that when you move onto the heavier certifications you're not going in completely blind. I cannot stress enough how valuable it is to have even a baseline understanding of these topics before you start diving into exam prep for something like the Security+. You'll thank yourself later.

Another bonus here is that once you complete the Google certificate, you also get a discount code for the CompTIA Security+ exam which is a nice little perk given that exam vouchers are not cheap. More on that in a second.

Get Your CompTIA Security+

If you've read any of my other articles you already know I'm a huge advocate for the CompTIA Security+. This certification is pretty much the gold standard for entry level cyber security and you will see it plastered on nearly every job posting out there, even internships. HR departments love it because it's a quick checkbox that says "this person at least understands the foundational concepts of cyber security." Is it the most exciting certification in the world? No. But it's arguably the most important one to have on your resume when you're trying to break through that initial HR barrier.

The Security+ covers a pretty wide range of topics at a surface level. You'll study things like threat analysis, risk management, cryptography, identity management, and a bunch of other core concepts. It's not going to go super deep into any one area, but that's sort of the point. It's an entry level certification designed to show that you have a baseline understanding of cyber security as a whole. For those of you who are completely new to this space, I passed this certification during my time in college and it was a huge factor in getting my foot in the door. I highly recommend stacking multiple study resources for this one. Grab a textbook, throw on an online course, and scour forums for practice exams and advice from people who have recently passed. The more angles you attack this from, the better off you'll be.

One thing I want to be straight up about though is that passing the Security+ alone is not going to land you a job. I know that might be a bit of a buzzkill but I promised from day one on this blog that I would keep it real with you all. The Security+ gets your resume through the door, but the rest of this roadmap is what's going to actually set you apart from the hundreds of other applicants who also have that same certification sitting on their resume.

Shore Up Your Networking Knowledge With Network+

After knocking out the Security+, my next move would be to go after the CompTIA Network+. Now I know some people prefer to get the Network+ first and then the Security+, and honestly it doesn't really matter what order you go in. It's personal preference at the end of the day. I went Security+ first and I turned out just fine.

The importance of networking knowledge in cyber security cannot be overstated. A massive portion of your day to day as a security professional is going to involve analyzing network traffic, understanding how machines communicate with each other, dissecting logs, and investigating suspicious activity on the network. If you don't have a solid grasp on things like TCP/IP, DNS, ports, protocols, and how data actually flows across a network, you are going to have a really tough time when the rubber meets the road. I touched on this in my SOC Analyst article as well where I gave the example of needing to understand what port 445 is and what SMB traffic looks like in order to actually determine if network activity is normal or suspicious. Without that foundational networking knowledge, you're essentially flying blind.

The Network+ will give you that solid baseline understanding of networking concepts that will serve you well not just in your first cyber security role but throughout your entire career. Trust me on this one.

Cloud Certification: Pick Your Lane

Here is where 2026 is going to differ pretty significantly from even just a year or two ago. Cloud is everywhere at this point and it's not slowing down. If you look at pretty much any cyber security job posting right now, there's a solid chance you'll see some form of cloud experience or cloud certification mentioned. Whether it's AWS, Azure, or GCP, companies are running their infrastructure in the cloud and they need security people who understand how to protect it.

If I'm starting from scratch in 2026, I'm going after an entry level cloud certification right after my Network+. The two main options here are the AWS Cloud Practitioner or the Microsoft AZ-900 (Azure Fundamentals). Both are entry level, both are going to teach you the basics of cloud computing, and both will look great on your resume.

Personally, I would lean towards the AZ-900 in 2026 and here's why. Microsoft's ecosystem is absolutely dominant in the enterprise space right now. Between Azure, Microsoft 365, Defender, Sentinel, and Entra ID (formerly Azure AD), so many organizations are running their entire security stack through Microsoft. Having that Azure foundation will give you a leg up when it comes to understanding the environment you'll likely be working in. That said, if you're seeing more AWS focused roles in your area or in the types of jobs you're targeting, go AWS. You really can't go wrong with either one.

The point here is that showing up to an interview in 2026 with zero cloud knowledge is going to put you at a pretty significant disadvantage. Even at the entry level, employers want to see that you at least understand the basics of how cloud infrastructure works and why it matters from a security perspective.

Start Building Projects and Getting Your Hands Dirty

Alright so at this point in the roadmap you've got the Google certificate, the Security+, the Network+, and a cloud certification under your belt. That's a pretty solid foundation on paper. But here's the thing, certifications alone are not going to cut it. I've written about this before and I will continue to beat this drum because it's that important. You need hands on experience, even if it's self taught.

This is where personal projects come in. If you do a quick Google search you will find hundreds upon hundreds of beginner friendly walkthroughs for cyber security projects you can build in your own virtual lab. AWS and Azure both offer free tiers that allow you to spin up virtual machines and play around for practically nothing (just remember to turn them off when you're done using them or you'll get a surprise bill).

To give you a real example from my own journey, before I landed my first security role I was super interested in threat intelligence. I found a beginner friendly guide online that walked me through setting up a MISP (which is a free threat intelligence platform) feed in AWS. It cost me maybe 10 bucks total and I was able to throw it on my resume under projects. Sure enough, during my interview I got asked about it and I was able to give a legit technical breakdown of what I built and how it worked. That's the kind of stuff that makes you stand out.

In 2026, I would suggest looking into projects like setting up a home SIEM using something like Elastic or even Microsoft Sentinel if you went the Azure route. You could also set up a honeypot to capture and analyze real attack traffic, build a phishing email analysis pipeline, or even just document your lab setups and write about what you learned. The possibilities are pretty much endless and the best part is that you get to tailor these projects to whatever niche in cyber security interests you the most.

Start Applying and Don't Be Afraid of Help Desk

Now this is the part where I need to keep it real with you all again. I know nobody wants to hear this but I would be doing you a disservice if I didn't say it. Getting a pure cyber security role right out of the gate with no professional IT experience is tough. It's not impossible, but it's tough. A really high percentage of people who work in cyber security, myself included, came from some sort of IT background first. Whether that was help desk, IT support, junior system administration, or something similar.

I started as a help desk intern and I'll be the first to tell you that I learned more about the foundational technology in my first two weeks on that job than I did in any of my college courses. Working with Active Directory, troubleshooting real issues, understanding how an enterprise environment actually functions from the inside out, that stuff is invaluable. And the truth is, a lot of these foundational skills translate directly into cyber security work. Reviewing event logs, understanding user permissions, analyzing phishing emails at the front line, all of that is stuff I did during my help desk and system administration days that directly helped me when I made the jump into security.

So my honest advice if I'm restarting in 2026? Start applying for everything. Internships, entry level cyber security roles, help desk positions, IT support, whatever is available. If a cyber security role comes through, amazing, take it and run. But if the only bites you're getting are from help desk or IT support positions, take those too. Don't let your ego get in the way. Use that position as a launchpad to continue getting certifications, building projects, and working your way into security tasks at your company. Be the pest that volunteers for security related work. Offer to help the security team. Make it known that you're interested in moving into that space. I did exactly this and it worked out pretty well for me.

Advanced Certifications: Pick Your Niche

While you're applying for jobs and hopefully landing something, this is a great time to start looking into more advanced certifications that align with where you actually want to go in cyber security. The Security+ and Network+ give you the breadth, but now it's time to go a bit deeper into a specific area.

If you're interested in becoming a SOC Analyst or working in a security operations center, the Blue Team Level 1 (BTL1) certification is an incredible option. I've talked about this certification before and I genuinely think it's the best bang for your buck out there from a learning standpoint. Unlike the CompTIA exams which are largely theory based multiple choice, the BTL1 is almost entirely hands on. You'll work through virtual labs using industry standard tools and perform tasks that mirror what you'd actually be doing as a SOC analyst on a day to day basis. If it had the same level of name recognition on HR job postings as the Security+, I'd put it at the top of the list without hesitation.

On the flip side, if you're more interested in the offensive side of things like penetration testing or red teaming, take a look at the PJPT offered by TCM Security. It's essentially the red team equivalent of the BTL1 and it comes from a really reputable company. Both of these certifications are going to give you a much deeper understanding of their respective sides of the house and will look great on your resume for the specific roles they apply to.

The key here is to not just collect certifications for the sake of collecting them. I've seen people rack up 10+ certifications and still struggle to get hired because they can't actually demonstrate the skills behind those certificates. Make sure you are genuinely learning the material, absorbing the concepts, and building real skills along the way. Certifications get you through the door. Skills are what keep you employed.

Immerse Yourself in The Community

This is something I've preached in pretty much every article I've written and I'm going to keep saying it because it matters. You need to immerse yourself in the cyber security community. Whether that's reading posts on r/CyberSecurity, joining Discord study groups, following security professionals on Twitter/X, or even starting your own blog or newsletter, getting involved in the community is one of the best things you can do for your career.

I actually mentioned in one of my previous articles that a recent hire at my company got an interview partially because they had a cyber security blog where they posted their own personal how to videos and reactions to cyber security news. It wasn't anything super professional or polished, but the fact that they showed that level of initiative and genuine interest in the space made them stand out. Keep in mind this was an intern who hadn't even started their college courses yet. That's the kind of effort that gets noticed.

In 2026, LinkedIn is also a pretty powerful tool for building your online presence in the cyber security space. React to posts, share interesting articles, post about your learning journey, whatever feels natural to you. The goal is to show that you're actively engaged and interested in this field beyond just checking boxes on your resume.

The Reality Check

I want to wrap this up with the same honesty I bring to all of my posts. Breaking into cyber security is not easy. It's going to take time, effort, and a good amount of patience. There will be stretches where you're sending out applications and hearing nothing back. There will be interviews where you bomb a technical question and feel like the world is ending. Trust me, I've been there. I bombed an interview so badly once that I cringe just thinking about it, but I also learned from it and came back stronger the next time around.

The roadmap I laid out here is not a guaranteed golden ticket. There is no such thing. But what it does give you is a realistic and well rounded plan of attack that covers the bases most employers are looking for in 2026. Certifications, hands on projects, foundational IT experience, and a genuine passion for the space. If you can demonstrate those four things, you are going to give yourself the best shot possible.

Don't get discouraged, don't compare your timeline to anyone else's, and most importantly, don't stop learning. The cyber security industry is massive and it's only getting bigger. There is room for you here, it's just a matter of putting in the work to earn your spot.

If you're interested in more specific guidance, make sure to check out my other articles on SOC Analyst interview prep, analyzing phishing emails, and my full journey into landing my first cyber security job.

Good luck out there folks. You've got this.