Welcome to the Cybersecurity Roadmap! 🎉 This guide is designed to help you navigate your journey into the exciting and ever-evolving field of cybersecurity, covering everything from foundational knowledge to practical experience and career tips. Whether you're a complete beginner, a career switcher, or an IT professional pivoting into security, this roadmap will help you build a structured path forward. Let's dive in and build a secure world together! 🌐🔐
What's new in 2026: AI-driven attacks and defenses, Zero Trust Architecture, identity-first security, post-quantum cryptography readiness, and cloud-native security are reshaping the field. This roadmap reflects those shifts.
- 🚀 Foundation
- 🔎 Fundamentals
- 💻 Programming & Scripting
- 🌐 Specialization Tracks
- 🤖 Emerging Areas (2026 Focus)
- 🧪 Practical Experience & Labs
- 📚 Continuous Learning
- 📺 YouTube Channels
- 💼 Job Roles & Salaries
- 🔐 Improving Your Skills
- 💼 Finding a Job
- 📜 Certifications
- 📅 6-Month Roadmap
- 📈 Tips for Success
- 📚 Recommended Books
- 🤝 Communities
Before you can defend systems, you need to understand how they work. These foundational skills — networking, operating systems, and core IT concepts — are non-negotiable. Hiring managers consistently cite weak fundamentals as the biggest gap in entry-level candidates.
- Networking Basics 🌐: Learn how devices share data and connect through networks.
- Operating System Fundamentals 🖥️: Understand how Windows and Linux internals work — process management, memory, permissions, the boot process.
- Linux Essentials 🐧: Most security tools (and most servers) run on Linux. Command-line fluency is mandatory.
- TCP/IP Networking 🌐: Understand the protocol stack the entire internet runs on.
- Introduction to Cybersecurity 🔒: Start with the why and the big picture.
  - ISC2 Certified in Cybersecurity (CC) — FREE training & exam (note: free program ends May 20, 2026, but the cert remains available for purchase)
  - Introduction to Cyber Security Specialization — Coursera
- CompTIA Network+ 📜: The industry-recognized credential validating your networking knowledge.
- Virtualization Basics 🌪️: You'll spin up virtual labs constantly in this field.
With the basics in place, dive into core security concepts and the tools security teams use every day.
- Security Fundamentals
- The CIA Triad & Core Principles: Confidentiality, Integrity, Availability — the bedrock of every security decision.
- Common Vulnerabilities ⚠️
- Threat Modeling & Attacker Mindset
  - MITRE ATT&CK Framework — the standard map of how real attackers operate. Learn it cold.
  - MITRE D3FEND — defensive countermeasures companion to ATT&CK.
- Cybersecurity Frameworks 📏
- Incident Response Fundamentals 🚨
- Introduction to Malware Analysis 🦠
- Phishing and Social Engineering Awareness 📧
- Cryptography Basics 🔐
- Data Privacy & Compliance 🔒
You don't need to be a software engineer, but you do need to read and write code. Automation, tooling, and analysis all live here.
- Python 🐍 — the lingua franca of security tooling.
- Bash & Shell Scripting 🐚
- PowerShell 💠 — essential for Windows / Active Directory work.
- Understanding Code You'll See in the Wild
  - JavaScript (web exploitation, XSS)
  - SQL (injection attacks, database hardening)
  - C / C++ (memory corruption, malware analysis at depth)
- Regular Expressions
After fundamentals, pick a track. Specialists out-earn generalists significantly, and most roles in 2026 expect depth, not just breadth. Below are the major tracks with the certifications that signal expertise in each.
You'll do: Monitor SIEM alerts, investigate incidents, respond to threats.
You'll do: Simulate attacks to find weaknesses before real adversaries do.
- CompTIA PenTest+
- eLearnSecurity eJPT (great entry-level practical)
- Certified Ethical Hacker (CEH)
- OffSec PEN-200 → OSCP / OSCP+ — the gold standard hands-on cert (formerly Offensive Security; rebranded to OffSec)
You'll do: Investigate breaches, recover evidence, write up what happened.
You'll do: Map controls to frameworks, manage audits, translate security to business.
- ISACA CISA — Certified Information Systems Auditor
- ISACA CRISC — Risk and Information Systems Control
- ISO/IEC 27001 Lead Auditor
You'll do: Design enterprise security, make build-vs-buy calls, run programs.
The fastest-growing specialization. Almost every org runs hybrid/multi-cloud now.
- ISC2 CCSP
- AWS Certified Security – Specialty
- Microsoft SC-100: Cybersecurity Architect Expert
- Google Cloud Professional Cloud Security Engineer
- GIAC Web Application Penetration Tester (GWAPT)
- OffSec WEB-200 → OSWA
- Certified DevSecOps Professional (CDP)
Identity is the new perimeter in 2026.
These aren't fringe topics anymore — they're now in mainstream job descriptions. Building familiarity here will set you apart.
- AI Security & Adversarial ML 🧠: How attackers exploit AI systems (prompt injection, data poisoning, model extraction) and how defenders use AI for detection.
- Zero Trust Architecture 🚧: "Never trust, always verify." The replacement for perimeter-based security.
- Post-Quantum Cryptography 🔮: Quantum-resistant algorithms are now NIST-standardized. "Harvest now, decrypt later" attacks make this urgent.
- Supply Chain & Software Bill of Materials (SBOM)
- Container & Kubernetes Security
- OT / ICS Security ⚙️: Securing industrial control systems and critical infrastructure — a high-paying specialization with massive talent gaps.
Certifications open doors; hands-on skills get you hired. Hiring managers consistently say practical experience matters more than credentials alone.
- TryHackMe 🔐 — guided, beginner-friendly rooms https://tryhackme.com/
- Hack The Box 🕵️ — more advanced, CTF-style https://www.hackthebox.com/
- OverTheWire ⚔️ — classic wargames, great for Linux fundamentals https://overthewire.org/wargames/
- VulnHub 🏴‍☠️ — downloadable vulnerable VMs https://www.vulnhub.com/
- PortSwigger Web Security Academy 🌐 — best free web app security training, by the makers of Burp Suite https://portswigger.net/web-security
- PicoCTF 🚩 — free CTF platform, beginner-friendly https://picoctf.org/
- CTFtime 📅 — calendar of running CTF competitions worldwide https://ctftime.org/
- Blue Team Labs Online 🔵 — defender-focused challenges https://blueteamlabs.online/
- LetsDefend — SOC analyst simulation https://letsdefend.io/
- Proving Grounds (OffSec) — OSCP-like practice https://www.offsec.com/labs/individual/
- RangeForce — interactive defense labs https://www.rangeforce.com/
- SANS Cyber Aces 🎓 https://www.sans.org/cyberaces/
A home lab is one of the best portfolio builders. Common setups:
- Active Directory lab — domain controller + a couple of Windows clients + a Kali attacker
- Detection lab (DetectionLab project) — pre-built Splunk + Velociraptor + Sysmon environment
- SOC-in-a-box — Security Onion, ELK Stack, or Wazuh
Cybersecurity changes faster than any other IT discipline. Staying current is part of the job.
- The Hacker News 👨‍💻 — https://thehackernews.com/
- BleepingComputer 💻 — https://www.bleepingcomputer.com/
- Krebs on Security 🔍 — https://krebsonsecurity.com/
- Dark Reading 📰 — https://www.darkreading.com/
- CyberScoop 🌐 — https://cyberscoop.com/
- Risky Business 🎙️ (podcast) — https://risky.biz/
- SANS Internet Storm Center 🌪️ — https://isc.sans.edu/
- CISA Alerts 🚨 — https://www.cisa.gov/news-events/cybersecurity-advisories
- Schneier on Security 🔐 — https://www.schneier.com/
- Brian Krebs (@briankrebs)
- Bruce Schneier (@schneierblog)
- SwiftOnSecurity
- Marcus Hutchins (@MalwareTechBlog)
- Katie Nickels (@likethecoins) — threat intel
- John Hammond (@_JohnHammond)
- John Hammond — CTFs, malware analysis, practical projects
- NetworkChuck — networking, Linux, cloud, fun and accessible
- Professor Messer — complete free CompTIA training
- The Cyber Mentor (TCM Security) — ethical hacking and pentesting
- IppSec — Hack The Box walkthroughs (gold standard)
- LiveOverflow — deep technical hacking content
- HackerSploit — penetration testing tutorials
- David Bombal — networking, security, career advice
- Hak5 — hacking gear and techniques
- STÖK — bug bounty hunting
- InsiderPhD — bug bounty and API security
- LowLevelLearning — low-level systems and security
- Cybrary — broad IT and security training
The salary ranges below are 2025–2026 estimates and vary widely by experience, location, industry, and certifications held. Always cross-check with current sources.
| Job Role | Average Salary (PHP) | Average Salary (USD) | Average Salary (AUD) |
|---|---|---|---|
| SOC Analyst (Tier 1) | ₱600,000 | $55,000–$75,000 | AU$70,000 |
| Security Analyst | ₱850,000 | $75,000–$95,000 | AU$95,000 |
| Network Security Engineer | ₱1,200,000 | $95,000–$120,000 | AU$110,000 |
| Penetration Tester | ₱1,100,000 | $90,000–$130,000 | AU$115,000 |
| Incident Responder | ₱1,300,000 | $100,000–$140,000 | AU$125,000 |
| Forensic Analyst | ₱1,150,000 | $85,000–$115,000 | AU$105,000 |
| Malware Analyst | ₱1,400,000 | $100,000–$140,000 | AU$120,000 |
| Cloud Security Engineer | ₱1,500,000 | $120,000–$160,000 | AU$140,000 |
| Security Consultant | ₱1,600,000 | $110,000–$160,000 | AU$130,000 |
| GRC Analyst | ₱1,000,000 | $85,000–$115,000 | AU$105,000 |
| Security Architect | ₱2,200,000 | $140,000–$200,000 | AU$170,000 |
| CISO | ₱4,000,000+ | $200,000–$400,000+ | AU$250,000+ |
- Philippines: JobStreet, PayScale Philippines, Kalibrr
- United States: BLS Occupational Outlook Handbook, Glassdoor, Levels.fyi
- Australia: Seek Salary Guide, Hays Salary Guide
Note: The global cybersecurity workforce gap is still around 4+ million unfilled positions. Demand is strong, but entry-level competition has tightened — hands-on skills and a visible portfolio matter more than ever.
- Practice Secure Online Behavior 🕵️
  - Use unique passwords with a password manager (Bitwarden, 1Password)
  - Enable multi-factor authentication everywhere — prefer hardware keys (YubiKey) or authenticator apps over SMS
  - Be cautious about oversharing personal info online
- Regular Software Updates 🔄
  - Auto-update OS, browser, antivirus, and applications
  - Subscribe to vendor security advisories for tools you rely on
- Network Security at Home 🛡️
  - Use WPA3 where possible; change default router credentials
  - Segment IoT devices onto a guest network
  - Enable router firewall; consider pfSense / OPNsense for serious labs
- Educate Yourself Daily 📚
  - 15 minutes of news, one TryHackMe room per day adds up fast
- Use Security Tools 🔧
  - VPN on untrusted networks
  - Reputable EDR/antivirus
  - Password manager (mandatory, not optional)
  - DNS filtering (NextDNS, Cloudflare 1.1.1.1 for Families)
- Hands-On Practice 💻
  - CTFs, home labs, write-ups
  - Document everything in GitHub — your portfolio is your proof
- Join Communities 🌐
  - Discord servers, Reddit, local DEF CON groups, OWASP chapters, ISC2 chapters
- Regular Self-Audit 🔍
  - Review your own digital footprint quarterly
  - Run Have I Been Pwned checks
A resume tells; a portfolio shows. At minimum:
- A clean GitHub with write-ups of labs and CTFs
- A blog (Medium, Hashnode, or self-hosted) with technical posts
- Documented home-lab projects
- Use keywords from the job description (ATS systems screen aggressively)
- Quantify wins ("Reduced false-positive alerts by 30%")
- Include relevant certs prominently
You won't land Senior Pentester as your first job. Realistic entry points:
- SOC Analyst Tier 1
- Junior Security Analyst
- IT Support → Security pivot
- Help Desk → SOC pivot
- GRC Analyst (often easier entry for non-tech backgrounds)
- Internships and apprenticeships
- Indeed
- Glassdoor
- CyberSecJobs
- InfoSec Jobs
- JobStreet (PH/SEA)
- Kalibrr (PH)
- Wellfound (formerly AngelList) for startups
- Attend conferences (DEF CON, BSides, RSA, ROOTCON in PH)
- Local meetups and OWASP chapter events
- Engage on LinkedIn — comment thoughtfully, don't just spam connect
- Common technical topics: networking (OSI/TCP), the kill chain, MITRE ATT&CK, common attacks (XSS, SQLi, phishing), incident response basics
- Behavioral: "Tell me about a time you handled a difficult problem"
- Practical: many companies use scenario-based interviews or take-home labs
- Track applications in a spreadsheet
- Ask for feedback on rejections (you'll rarely get it, but sometimes you will)
- Keep learning while applying — every week without a job is a week to upskill
Certifications can boost credibility, validate knowledge, and unlock job filters — but they don't replace experience. Be strategic about which ones you pursue.
- ISC2 Certified in Cybersecurity (CC) — https://www.isc2.org/certifications/cc Vendor-neutral, foundational. The free program ends May 20, 2026 but the cert remains available.
- Google Cybersecurity Professional Certificate — Coursera. Great for career switchers; budget-friendly with hands-on labs.
- CompTIA Security+ (SY0-701) — https://www.comptia.org/certifications/security Appears in roughly 70% of entry-level postings; satisfies DoD 8140 baseline. The most universally useful first cert.
- CompTIA Network+ — https://www.comptia.org/certifications/network Networking foundation. Strongly recommended before Security+ if you lack networking background.
- CompTIA CySA+ — https://www.comptia.org/certifications/cybersecurity-analyst Best second cert for SOC analyst / blue team careers.
- CompTIA PenTest+ — https://www.comptia.org/certifications/pentest Bridge to offensive security before tackling OSCP.
- CompTIA CASP+ / SecurityX — https://www.comptia.org/certifications/comptia-advanced-security-practitioner Vendor-neutral advanced practitioner cert.
- Certified Ethical Hacker (CEH) — https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/ HR-friendly but criticized as theory-heavy; often required for government roles.
- eJPT (eLearnSecurity Junior Penetration Tester) — https://security.ine.com/certifications/ejpt-certification/ Affordable, practical entry to pentesting.
- OSCP / OSCP+ (OffSec) — https://www.offsec.com/courses/pen-200/ Gold standard for hands-on penetration testing. OSCP is lifetime; OSCP+ is the new 3-year-validity variant introduced November 2024.
- GIAC GCIH (Incident Handler) — https://www.giac.org/certifications/certified-incident-handler-gcih/
- GIAC GSEC, GCFA, GPEN, GWAPT — https://www.giac.org/certifications/ Industry-respected but expensive (often $7,000–$8,500 with SANS training).
- ISC2 CISSP — https://www.isc2.org/certifications/cissp The leadership/architecture gold standard. Requires 5 years' experience.
- ISC2 CCSP — https://www.isc2.org/certifications/ccsp Cloud security expert. Note: exam outline updates August 1, 2026.
- ISACA CISA — https://www.isaca.org/credentialing/cisa Auditor's cert; gold standard for GRC.
- ISACA CISM — https://www.isaca.org/credentialing/cism Security management focus.
- ISACA CRISC — https://www.isaca.org/credentialing/crisc Risk-focused; great pair with CISA.
- AWS Certified Security – Specialty — https://aws.amazon.com/certification/certified-security-specialty/
- Microsoft SC-100 Cybersecurity Architect Expert — https://learn.microsoft.com/en-us/credentials/certifications/cybersecurity-architect-expert/
Practical certification path for most beginners: Google Cybersecurity Cert → Security+ → CySA+ (or PenTest+) → CISSP (after 5 years exp.) or specialized cert in your chosen track
A realistic plan. Adjust the pace to fit your schedule — full-time learners can compress this; people studying nights/weekends may stretch to 9–12 months.
| Month | Focus Area | Activities | Resources |
|---|---|---|---|
| Month 1 | Networking + Linux Fundamentals | Set up a home lab with VirtualBox; install Ubuntu and Kali; complete networking basics; practice Linux on the command line | Cisco Networking Academy, Linux Journey, OverTheWire Bandit |
| Month 2 | Security Fundamentals + CIA Triad | Begin Security+ study; learn the CIA triad, AAA, common threats; start NIST CSF overview | Professor Messer's Security+ course, NIST CSF |
| Month 3 | Threats, Vulnerabilities & MITRE | Study OWASP Top 10, MITRE ATT&CK; analyze recent breach case studies; learn about ransomware, phishing, supply-chain attacks | OWASP Top 10, MITRE ATT&CK, Krebs on Security |
| Month 4 | Hands-On Tools | Wireshark, Nmap, Burp Suite, Metasploit, basic Splunk/ELK; start TryHackMe complete-beginner path | TryHackMe, Wireshark, PortSwigger Academy |
| Month 5 | Practical Skills + Mini-Projects | Take Security+ exam; build out home lab (AD lab or SOC lab); complete first CTFs; document everything on GitHub | Security+ exam, DetectionLab, PicoCTF, CTFtime |
| Month 6 | Specialize + Network | Pick a track (SOC, pentest, cloud, GRC); attend a virtual conference or local meetup; polish LinkedIn; start applying to entry-level roles | BSides events, LinkedIn, r/cybersecurity |
- Build a Portfolio: GitHub repo with documented labs, CTF write-ups, and tools you've written. This often beats certifications in technical interviews.
- Stay Updated 🔄: Cybersecurity moves fast. Subscribe to 2–3 newsletters max (avoid information overload). Risky Business, TLDR Sec, and Bleeping Computer are great starts.
- Master Core Tools 🔧: Get fluent in Wireshark, Nmap, Burp Suite, Metasploit, Splunk, Linux command line, basic SIEM querying. These appear in nearly every job description.
- Develop Soft Skills: Communication is what separates the senior people from the technicians. Practice writing clear reports and explaining technical concepts to non-technical stakeholders.
- Find a Mentor: ISC2 chapters, local meetups, LinkedIn outreach. Most professionals are happy to give 30 minutes to someone making genuine effort.
- Engage in CTFs 🚩: Pick one CTF per month from CTFtime. Even failing teaches a lot.
- Ethical Foundation: Never use skills on systems you don't have permission to test. One unethical act can permanently end a security career.
- Contribute to Open Source 🛠️: Open-source security tools always need help — bug reports, docs, small fixes. Great resume material.
- Embrace the "Try Harder" Mindset: Persistence over genius. Most senior security pros got there by being stubborn, not brilliant.
- The Web Application Hacker's Handbook — Dafydd Stuttard & Marcus Pinto
- Hacking: The Art of Exploitation — Jon Erickson
- The Tangled Web — Michał Zalewski
- Practical Malware Analysis — Sikorski & Honig
- Cybersecurity Essentials — Charles J. Brooks et al. (great intro)
- Sandworm — Andy Greenberg (narrative; understand nation-state threats)
- Countdown to Zero Day — Kim Zetter (Stuxnet story)
- The Cuckoo's Egg — Cliff Stoll (classic; how the field started)
- Permanent Record — Edward Snowden
- Click Here to Kill Everybody — Bruce Schneier
- Blue Team Handbook — Don Murdoch
- Red Team Field Manual (RTFM) and Blue Team Field Manual (BTFM) — Ben Clark / Alan White (cheat-sheet style)
- OWASP — open web application security; local chapters worldwide
- DEF CON Groups — local hacker meetups
- BSides — community-driven conferences globally
- ISC2 Chapters
- ISACA Chapters
- Philippines: ROOTCON — the premier PH hacking conference; DEF CON Group Manila; PISO (Philippine Information Security Organization)
- Discord: TCM Security, The Cyber Mentor, John Hammond, NetworkChuck, Hack The Box official
- GitHub: carlcastanas
- LinkedIn: Carl Andrew Castañas
- Email: cacastanas@gmail.com
- Timezone: Philippine Standard Time (PHT) — UTC+8
- Last Updated: May 14, 2026
- Version: 2.0 — 2026 Edition
Contributions welcome! If you spot a broken link or have suggestions, open a PR on GitHub.
Happy learning, and stay safe online! 🎉🔐