Disclaimer: ExamOS is an independent platform, not affiliated with any certification provider, and does not use or distribute exam dumps.


Career Roadmap

Cybersecurity Specialist: Zero to Hero

This roadmap covers the complete cybersecurity specialist path for 2026, structured around how careers actually develop rather than a flat list of certifications. It branches at the mid-career stage into four specialization tracks reflecting the most in-demand cybersecurity roles. Updated to reflect CySA+ V4 (June 2026), the ISC2 CC program conclusion, CompTIA SecurityX (CAS-005), SC-200, SC-500, PNPT, and the April 2026 CISSP AI security update. Use ExamOS practice quizzes at every step to build the applied reasoning these exams test.

12 steps, 17 certifications, ~12-18 months for the full path including specialization. Dated 01-Jun-2026.


Step 0 - IT and networking foundations

Build the technical foundation that every security concept depends on. Security is applied IT. Without these fundamentals, security concepts remain abstract rather than operational.

Estimated time: 3-4 weeks
  • Networking fundamentals — OSI model, TCP/IP stack, IP addressing, subnets, CIDR, DNS, DHCP, routing, switching
  • Common protocols — HTTP/S, FTP, SSH, SMTP, LDAP, Kerberos, NTP and what each does and when it appears in security contexts
  • Operating systems — Windows administration basics (Active Directory, Group Policy, registry, event logs), Linux fundamentals (file system, permissions, processes, services, bash)
  • Virtualization — hypervisors, VMs, containers at a conceptual level
  • Cloud basics — what cloud computing is, shared responsibility model, the major providers
  • Cryptography foundations — symmetric versus asymmetric, hashing, digital signatures, PKI, TLS handshake
  • Basic scripting — enough Python or PowerShell to read automation scripts and understand what they do
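
Worked example, added by the editor and not part of the original roadmap: the three uses of hashing that the cryptography bullet lumps together, done with Python's standard library. A bare SHA-256 gives integrity only (an on-path attacker who swaps the message simply recomputes the digest), an HMAC adds authenticity because producing a tag needs the shared key, and password storage needs a salted, deliberately slow PBKDF2. The message, key and password values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example values (not from the page or any real system).
MESSAGE = b"transfer 100.00 to account 4242"
FORGED = b"transfer 9000.00 to account 6666"
SHARED_KEY = bytes.fromhex(
    "9f2b3c7d1e4a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e"
)


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: catches accidental corruption, not deliberate tampering."""
    return hashlib.sha256(data).hexdigest()


def receiver_checks_bare_hash(data: bytes, digest_hex: str) -> bool:
    """All a receiver can do with a bare hash: recompute it and compare."""
    return sha256_hex(data) == digest_hex


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (a MAC): only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison, so response timing does not leak how many
    leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def forgery_demo() -> dict:
    """An on-path attacker swaps MESSAGE for FORGED.

    With a bare hash the attacker recomputes the digest for the forged message
    and the receiver's check passes. With an HMAC the attacker cannot compute a
    tag for FORGED without SHARED_KEY, so the stale tag fails verification.
    """
    forged_digest = sha256_hex(FORGED)                  # attacker recomputes
    bare_hash_accepts = receiver_checks_bare_hash(FORGED, forged_digest)

    genuine_tag = hmac_sha256_hex(SHARED_KEY, MESSAGE)  # sender computes
    hmac_accepts_genuine = verify_tag(SHARED_KEY, MESSAGE, genuine_tag)
    hmac_accepts_forgery = verify_tag(SHARED_KEY, FORGED, genuine_tag)
    return {
        "bare_hash_accepts_forgery": bare_hash_accepts,  # True
        "hmac_accepts_genuine": hmac_accepts_genuine,    # True
        "hmac_accepts_forgery": hmac_accepts_forgery,    # False
    }


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 600_000) -> str:
    """Third use of hashing: password storage. Salted and deliberately slow
    (PBKDF2-HMAC-SHA256) so a leaked table cannot be reversed with a
    precomputed rainbow table. Record format: algo$rounds$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(forgery_demo())
    record = hash_password("correct horse battery staple")
    print(record, check_password("correct horse battery staple", record))
```

The detail candidates most often miss is why `verify_tag` uses `hmac.compare_digest` rather than `==`: a plain string comparison returns as soon as the first byte differs, and that timing difference can be measured over a network.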

💡 CompTIA Network+ is worth considering for candidates who have minimal networking experience. It is not required but candidates who cannot reason through TCP/IP and DNS questions confidently will struggle with Security+ scenarios and every exam that follows it.

💡 Linux command line fluency is increasingly expected in cybersecurity roles. TryHackMe and HackTheBox have free Linux fundamentals rooms that provide hands-on practice alongside conceptual study.


Step 1 - Security fundamentals and first credential

Build foundational security knowledge and earn the first recognized cybersecurity credential. This step has two distinct starting points depending on background.

Estimated time: 3-4 weeks
  • CIA triad — confidentiality, integrity, and availability in real scenario contexts
  • Authentication, authorization, and accounting (AAA) frameworks
  • Common attack categories — phishing, malware, ransomware, social engineering, MITM, injection attacks
  • Defense in depth and layered security principles
  • Risk fundamentals — threats, vulnerabilities, likelihood, impact, risk appetite
  • Security controls — preventive, detective, corrective, administrative, technical, physical
  • Compliance and regulatory frameworks at an introductory level — GDPR, HIPAA, PCI-DSS, NIST CSF
  • Basic incident response lifecycle — preparation, detection, containment, eradication, recovery, lessons learned

Certifications

ISC2 Certified in Cybersecurity (CC)

💡 ISC2 Certified in Cybersecurity (CC) was free through the One Million Certified program which concluded May 20, 2026. The CC exam is now available for purchase at standard ISC2 pricing. It covers Security Principles (26%), Business Continuity and DR (10%), Access Controls (22%), Network Security (24%), and Security Operations (18%). 100-125 questions, 2 hours, 700 passing score. No experience required.

💡 CC is the right starting credential for candidates coming from outside IT or with minimal security exposure. Candidates with existing security or IT backgrounds can move directly to Security+ preparation.

💡 Use ExamOS quizzes to test foundational security reasoning before sitting CC or beginning Security+ preparation.


Step 2 - CompTIA Security+ (SY0-701)

Earn the most widely recognized vendor-neutral security baseline credential. Security+ is the primary filter for entry-level and junior security roles globally and satisfies DoD 8570/8140 IAT Level II requirements for government and defense roles.

Estimated time: 6-8 weeks
  • Threats, vulnerabilities, and attack techniques — including social engineering, application attacks, network attacks, and cloud-specific threats
  • Security architecture — enterprise architecture concepts, Zero Trust, cloud security models, network segmentation
  • Implementation — cryptography, PKI, wireless security, application security, identity and access management
  • Security operations — log monitoring, incident response procedures, digital forensics basics, vulnerability scanning
  • Governance, risk, and compliance — risk management frameworks, data privacy regulations, security policies
  • Performance-based question formats — firewall rule configuration, log analysis, network diagram interpretation
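
Worked example of the firewall rule PBQ, added by the editor and not from the original page: an ordered rule base evaluated first-match-wins with an implicit deny at the end, plus a check for rules that are shadowed by a broader rule above them, which is the ordering mistake these questions are built around. The addresses and rules are constructed, and the evaluator is a simplified model of stateless ACL ordering rather than any vendor's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR, "0.0.0.0/0" = any
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. No match means the implicit deny at the end
    of every firewall policy, reported with rule index None."""
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule is at
    least as broad in every field (protocol, source, destination, port).
    A specific allow sitting below a broad deny is the classic mistake."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and ipaddress.ip_network(later.src).subnet_of(
                        ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(
                        ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out


# Constructed policy for a DMZ web segment at 10.1.0.0/24 with an admin jump
# subnet at 10.9.0.0/24: specific allows first, explicit cleanup deny last.
RULES_GOOD = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.1.0.0/24", 443),
    Rule("allow", "tcp", "10.9.0.0/24", "10.1.0.0/24", 22),
    Rule("deny", "any", "0.0.0.0/0", "10.1.0.0/24", None),
]

# Same rules with the cleanup deny moved to the top: both allows are shadowed.
RULES_BAD = [RULES_GOOD[2], RULES_GOOD[0], RULES_GOOD[1]]


if __name__ == "__main__":
    pkts = [
        Packet("tcp", "203.0.113.5", "10.1.0.10", 443),  # public HTTPS
        Packet("tcp", "203.0.113.5", "10.1.0.10", 22),   # public SSH attempt
        Packet("tcp", "10.9.0.7", "10.1.0.10", 22),      # admin SSH
        Packet("tcp", "10.9.0.7", "10.2.0.10", 22),      # off-policy destination
    ]
    for p in pkts:
        print(p, "->", evaluate(RULES_GOOD, p), "| misordered:", evaluate(RULES_BAD, p))
    print("shadowed rules in RULES_BAD:", shadowed(RULES_BAD))
```

When a PBQ asks why a host "still cannot reach" a service after a rule was added, run the packet through `evaluate` top to bottom by hand; if the answer is a rule above the new one, `shadowed` is the check that would have caught it.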

Certifications

CompTIA Security+ (SY0-701)

💡 Security+ SY0-701 is the current exam version. 90 minutes, maximum 90 questions, 750/900 passing score. Approximately $392 USD.

💡 Performance-based questions (PBQs) appear at the start of the exam before multiple-choice. Candidates who have only practiced multiple-choice consistently underperform on PBQs. Practice applied scenario reasoning actively, not just definition recall.

💡 Security+ satisfies DoD 8570/8140 IAT Level II and IAM Level I requirements. For candidates targeting US federal, defense, or contractor roles, this is a hard requirement rather than a preference.

💡 Use ExamOS daily scenario practice to build the applied security reasoning Security+ tests — the ability to identify attack types from symptoms, select appropriate controls for described scenarios, and reason through governance decisions.

💡 After passing Security+, the roadmap branches into specialization tracks. The next step covers the second foundational layer before branching.


Step 3 - Cloud and identity security foundations

Build the cloud and identity security literacy that every 2026 specialization track requires. Cloud environments are where most enterprise security work happens. This knowledge is no longer optional regardless of specialization.

Estimated time: 3-4 weeks
  • Cloud security fundamentals — shared responsibility model by service type (IaaS, PaaS, SaaS), cloud-native attack surface
  • Identity as the primary security perimeter — why IAM misconfigurations (over-privileged roles, leaked long-lived keys, missing MFA) are a leading cause of cloud breaches
  • Microsoft Entra ID security basics — conditional access, MFA, identity protection, privileged access
  • AWS IAM security basics — policies, roles, permission boundaries, SCPs
  • Zero Trust architecture — principles and how they apply in cloud environments
  • SIEM concepts — what a SIEM does, log ingestion, correlation rules, alert triage workflow
  • Threat intelligence basics — indicators of compromise, MITRE ATT&CK framework at a conceptual level
  • Vulnerability management lifecycle — scanning, prioritization, remediation tracking, reporting
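
Worked example, added by the editor and not part of the original roadmap: a simplified model of the documented AWS IAM evaluation order for identity-based policies, a permission boundary and SCPs, showing the point the bullet above makes in code, that a boundary or SCP caps what an identity can do but never grants anything on its own. The policies are constructed. Condition elements, NotAction/NotResource, resource-based policies and session policies are not modelled, so treat it as a teaching model rather than a replacement for the IAM policy simulator.

```python
import fnmatch
from typing import Dict, Optional, Sequence, Set, Tuple

Policy = Dict  # a policy document: {"Version": ..., "Statement": [...]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: Dict, action: str, resource: str) -> bool:
    """Action/Resource use the same glob wildcards IAM does ("s3:Get*", "*").
    Condition, NotAction and NotResource are deliberately not modelled."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def _effects(policies: Sequence[Policy], action: str, resource: str) -> Set[str]:
    """Effects ("Allow"/"Deny") of every statement matching the request."""
    found = set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if _statement_matches(stmt, action, resource):
                found.add(stmt["Effect"])
    return found


def is_allowed(action: str, resource: str,
               identity_policies: Sequence[Policy],
               boundary: Optional[Policy] = None,
               scps: Sequence[Policy] = ()) -> Tuple[bool, str]:
    """Simplified model of the documented IAM evaluation order for an IAM
    principal acting on a same-account resource:
      1. an explicit Deny in any applicable policy wins;
      2. SCPs (if the account has any) must Allow;
      3. the permission boundary (if attached) must Allow;
      4. an identity-based policy must Allow; otherwise implicit deny."""
    layers = [
        ("scp", list(scps)),
        ("permission boundary", [boundary] if boundary else []),
        ("identity policy", list(identity_policies)),
    ]
    for name, policies in layers:
        if "Deny" in _effects(policies, action, resource):
            return False, f"explicit deny in {name}"
    for name, policies in layers:
        if name != "identity policy" and not policies:
            continue  # no SCPs / no boundary attached: nothing to cap
        if "Allow" not in _effects(policies, action, resource):
            return False, f"implicit deny: no Allow in {name}"
    return True, "allowed"


# Constructed policies (example values, not from any real account).
DEV_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
# Boundary caps the developer to read-only access on app-data buckets.
DEV_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": "arn:aws:s3:::app-data*"},
]}
# Organisation-wide SCP: everything allowed except deleting buckets.
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::payroll/q1.csv"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-data")]:
        print(act, res, "->",
              is_allowed(act, res, [DEV_IDENTITY], DEV_BOUNDARY, [ORG_SCP]))
```

The interesting case is `s3:PutObject`: the identity policy grants `s3:*`, the SCP grants `*`, and the request is still denied because the boundary has no matching Allow. That is the behaviour that lets a platform team hand out broad developer roles safely.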

Certifications

Microsoft Security, Compliance, and Identity Fundamentals (SC-900)

💡 Microsoft Security, Compliance, and Identity Fundamentals (SC-900) is a practical credential for candidates entering Microsoft-centric security environments. 45 questions, 45 minutes, 700 passing score. It is not required but provides useful framing for candidates taking the blue team or cloud security track.

💡 MITRE ATT&CK is the industry-standard framework for describing adversary tactics and techniques. It appears in CySA+ V4, SC-200, and most SOC analyst job descriptions. Build familiarity with the framework structure (tactics, techniques, sub-techniques) before entering the specialization tracks.

💡 This step has no required certification attached (SC-900 is optional) because cloud security fundamentals are covered better within the specialization track credentials than in a standalone foundational exam.


Step 4 - Career specialization (choose your track)

The roadmap branches here into four distinct tracks based on the type of security work you want to do. Each track has its own certification sequence, tools, and target roles. Choose based on what energizes you, not just what pays well.

Estimated time: ongoing
  • Blue team and SOC track — threat detection, incident response, SIEM operations, threat hunting
  • Red team and offensive security track — penetration testing, vulnerability assessment, ethical hacking
  • Cloud security track — securing cloud infrastructure, DevSecOps, cloud architecture security
  • Governance, risk, and compliance track — security management, audit, regulatory frameworks, enterprise risk

💡 The four tracks below (Steps 4A through 4D) represent parallel paths. Follow the one that matches your target role. Steps 5 and 6 converge back to shared senior-level credentials after specialization.

💡 Many security professionals eventually hold credentials from multiple tracks. The sequence matters. Build depth in one track before diversifying.

💡 If you are genuinely uncertain which track to pursue, the blue team track is the most broadly applicable starting point. SOC analyst experience builds the operational foundation that every other security specialization benefits from.


Step 4A - Blue team and security operations track

Build the threat detection, SIEM operations, and incident response skills that SOC analyst, detection engineer, and threat hunter roles require.

Estimated time: 8-12 weeks
  • SIEM operations — Microsoft Sentinel, Splunk, or IBM QRadar at an operational level
  • KQL (Kusto Query Language) for Sentinel log analysis and threat hunting
  • Microsoft Defender XDR — unified security operations, incident investigation, advanced hunting
  • Threat hunting methodology — hypothesis-driven hunting, IOC and TTP-based approaches
  • Digital forensics basics — memory analysis, disk forensics, network forensics, chain of custody
  • Malware analysis fundamentals — static and dynamic analysis, sandbox environments
  • MITRE ATT&CK applied — mapping detections to techniques, coverage gap analysis
  • Security orchestration, automation, and response (SOAR) — playbook design, automated response patterns
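
Worked example serving both the SIEM concepts bullet in Step 3 (log ingestion, correlation rules, alert triage) and the ATT&CK mapping bullet above, added by the editor and not from the original page: a correlation rule that parses sshd authentication lines, groups them by source IP, and raises a T1110.001 (Brute Force: Password Guessing) alert when a burst of failures inside a time window is followed by a success. The log lines are constructed. A SIEM such as Sentinel would express the same logic in KQL, but the shape of the rule (parse, group, window, threshold, success-after-failure) is the same.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sshd auth log. Syslog lines carry no year, so 2026 is assumed.
SAMPLE_LOG = """\
Jun 01 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Jun 01 10:00:02 bastion sshd[2202]: Failed password for root from 198.51.100.23 port 51124 ssh2
Jun 01 10:00:03 bastion sshd[2203]: Failed password for invalid user test from 198.51.100.23 port 51126 ssh2
Jun 01 10:00:04 bastion sshd[2204]: Failed password for deploy from 198.51.100.23 port 51128 ssh2
Jun 01 10:00:05 bastion sshd[2205]: Failed password for deploy from 198.51.100.23 port 51130 ssh2
Jun 01 10:00:06 bastion sshd[2206]: Failed password for deploy from 198.51.100.23 port 51132 ssh2
Jun 01 10:00:09 bastion sshd[2207]: Accepted password for deploy from 198.51.100.23 port 51140 ssh2
Jun 01 10:05:00 bastion sshd[2300]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Jun 01 10:05:30 bastion sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
Jun 01 11:00:00 bastion sshd[2400]: Failed password for invalid user oracle from 192.0.2.77 port 33001 ssh2
Jun 01 11:00:01 bastion sshd[2401]: Failed password for invalid user postgres from 192.0.2.77 port 33002 ssh2
Jun 01 11:00:02 bastion sshd[2402]: Failed password for invalid user ubuntu from 192.0.2.77 port 33003 ssh2
Jun 01 11:00:03 bastion sshd[2403]: Failed password for root from 192.0.2.77 port 33004 ssh2
Jun 01 11:00:04 bastion sshd[2404]: Failed password for root from 192.0.2.77 port 33005 ssh2
Jun 01 12:00:00 bastion sshd[2500]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

ATTACK = {"T1110.001": "Brute Force: Password Guessing"}  # MITRE ATT&CK mapping


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Alert:
    src: str
    technique: str
    severity: str
    detail: str
    users_tried: List[str] = field(default_factory=list)


def parse(log_text: str, year: int = 2026) -> List[AuthEvent]:
    """Ingestion step: keep only the auth outcomes this rule reasons about."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session/pam noise the rule does not need
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["outcome"], m["user"], m["src"]))
    return events


def correlate(events: List[AuthEvent], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Per source IP: >= threshold failures inside `window` followed by a
    success is a likely successful brute force (high); the same burst with no
    success is an attempt (medium). One failure then a success is a typo."""
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        recent = deque()  # failures still inside the sliding window
        for e in evs:
            while recent and e.ts - recent[0].ts > window:
                recent.popleft()
            if e.outcome == "Failed":
                recent.append(e)
            elif len(recent) >= threshold:  # Accepted right after a burst
                alerts.append(Alert(src, "T1110.001", "high",
                                    f"{len(recent)} failures then success as {e.user!r}",
                                    sorted({f.user for f in recent})))
                recent.clear()
        if len(recent) >= threshold:
            alerts.append(Alert(src, "T1110.001", "medium",
                                f"{len(recent)} failures, no success yet",
                                sorted({f.user for f in recent})))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(a.severity.upper(), a.src, ATTACK[a.technique], "|", a.detail, a.users_tried)
```

Triage follows from the output: the high alert names the account that was finally accepted, which is the first thing an analyst should check (was that a legitimate login from a known source, or a compromised credential), while the medium alert is a candidate for blocking at the edge.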

Certifications

CompTIA CySA+
Microsoft Certified Security Operations Analyst Associate (SC-200)

💡 CompTIA CySA+ V4 launches June 23, 2026, replacing CS0-003. The new version increases cloud and hybrid environment coverage and adds AI-driven threat detection content. If you are sitting before June 23, prepare for CS0-003. If you are starting preparation after that date, target V4 materials.

💡 CySA+ V4 is heavily PBQ-weighted — Domain 1 (Security Operations, 33%) and Domain 2 (Vulnerability Management, 30%) both include performance-based questions. Hands-on lab practice is not optional for this exam.

💡 Microsoft SC-200 (Security Operations Analyst Associate) covers Microsoft Sentinel (50-55%), Microsoft Defender for Cloud (20-25%), and Microsoft Defender XDR (25-30%). It is the strongest complement to CySA+ for candidates working in Microsoft environments and appears alongside CySA+ in most SOC analyst job postings. 700 passing score, $165 USD, annual renewal.


Step 4B - Red team and offensive security track

Build the penetration testing, vulnerability assessment, and ethical hacking skills that offensive security roles require. This track requires the most hands-on practice of any track.

Estimated time: 12-16 weeks
  • Penetration testing methodology — scoping, reconnaissance, exploitation, post-exploitation, reporting
  • Network penetration testing — service enumeration, vulnerability exploitation, privilege escalation
  • Web application security — OWASP Top 10, Burp Suite, SQLi, XSS, authentication bypass
  • Active Directory attacks — Kerberoasting, Pass-the-Hash, BloodHound, lateral movement
  • Cloud penetration testing — AWS and Azure-specific attack patterns, cloud misconfigurations
  • Reporting and communication — professional pentest report writing, executive and technical sections
  • Tools — Nmap, Metasploit, Burp Suite, BloodHound, Impacket, Cobalt Strike at a conceptual level

Certifications

TCM Security Practical Network Penetration Tester (PNPT)
CompTIA PenTest+

💡 TCM Security PNPT (Practical Network Penetration Tester) is the most respected practical penetration testing credential at the intermediate level in 2026. It is a fully hands-on 5-day assessment requiring a written report. $399 USD. No multiple-choice component. Employers increasingly weight it alongside or above OSCP for junior roles due to its practical format and lower cost.

💡 CompTIA PenTest+ (PT0-003, which replaced PT0-002 in December 2024) is a multiple-choice and PBQ exam that satisfies DoD 8140 requirements for offense-oriented roles. More structured than PNPT. A common path is PenTest+ for the compliance baseline, then PNPT for practical credibility, then OSCP for maximum market recognition.

💡 OSCP (OffSec Certified Professional) remains the gold standard for penetration testing credibility, particularly for senior roles and consulting. It is the hardest credential in this track, requires a 24-hour practical exam, and commands significant respect. Plan it as a 6-12 month commitment after building foundational offensive skills.

💡 eJPT (eLearnSecurity Junior Penetration Tester) is a good starting point before PNPT for candidates with no offensive security experience. $200 USD, fully online, beginner-friendly format.

💡 TryHackMe and HackTheBox are the primary hands-on lab platforms for this track. Daily lab time is as important as any certification preparation.


Step 4C - Cloud security specialist track

Specialize in securing cloud environments, cloud-native architectures, and DevSecOps pipelines. The fastest-growing security specialization in terms of demand and compensation.

Estimated time: 8-12 weeks
  • Cloud security architecture — AWS and Azure security services at depth
  • Identity and access management in cloud — IAM policies, SCPs, permission boundaries, workload identity
  • Infrastructure as code security — Checkov, tfsec, Terrascan for scanning Terraform and CloudFormation
  • Container and Kubernetes security — image scanning, pod security standards, network policies, runtime security
  • DevSecOps pipeline security — SAST, DAST, SCA tool integration, secret scanning, supply chain security
  • Cloud compliance — FedRAMP, SOC 2, ISO 27001 implementation in cloud environments
  • CSPM and CIEM — cloud security posture management, cloud infrastructure entitlement management tools
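
Worked example for the infrastructure-as-code scanning bullet, added by the editor and not part of the original page: three policy-as-code checks of the kind Checkov and tfsec ship (their rule IDs and logic differ; SG001, S3001 and IAM001 are invented for this example) run over a constructed Terraform JSON-syntax configuration. The bucket-to-public-access-block matching resolves only the `${aws_s3_bucket.NAME.id}` reference form and is a simplification of what a real scanner's graph does.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    check: str
    address: str   # Terraform resource address, e.g. aws_security_group.bastion
    message: str
    fix: str


def _resources(config: Dict, rtype: str) -> Dict[str, Dict]:
    return config.get("resource", {}).get(rtype, {})


def _listify(v) -> list:
    return v if isinstance(v, list) else [v]


def check_open_admin_ports(config: Dict) -> List[Finding]:
    """SG001: SSH/RDP (or all ports, protocol "-1") reachable from the internet."""
    out = []
    for name, sg in _resources(config, "aws_security_group").items():
        for rule in sg.get("ingress", []):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            world = cidrs & ANYWHERE
            if not world:
                continue
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            all_ports = str(rule.get("protocol")) == "-1"
            hit = sorted(p for p in ADMIN_PORTS if all_ports or lo <= p <= hi)
            if hit:
                out.append(Finding("SG001", f"aws_security_group.{name}",
                                   f"ingress from {sorted(world)} reaches port(s) {hit}",
                                   "limit cidr_blocks to the admin/VPN range or use a session broker"))
    return out


def check_public_access_block(config: Dict) -> List[Finding]:
    """S3001: each aws_s3_bucket needs an aws_s3_bucket_public_access_block with
    all four flags true. Buckets are matched through the "${aws_s3_bucket.NAME.id}"
    reference in the block's `bucket` attribute (simplified resolver)."""
    flags = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
    blocks = {}
    for pab in _resources(config, "aws_s3_bucket_public_access_block").values():
        m = re.fullmatch(r"\$\{aws_s3_bucket\.(\w+)\.(?:id|bucket)\}", str(pab.get("bucket", "")))
        if m:
            blocks[m.group(1)] = pab
    out = []
    for name in _resources(config, "aws_s3_bucket"):
        pab = blocks.get(name)
        if pab is None:
            out.append(Finding("S3001", f"aws_s3_bucket.{name}",
                               "no aws_s3_bucket_public_access_block references this bucket",
                               "add a public access block with all four flags set to true"))
        else:
            missing = [f for f in flags if pab.get(f) is not True]
            if missing:
                out.append(Finding("S3001", f"aws_s3_bucket.{name}",
                                   f"public access block leaves {missing} unset",
                                   "set the listed flags to true"))
    return out


def check_iam_wildcards(config: Dict) -> List[Finding]:
    """IAM001: an Allow with Action "*" on Resource "*" is account-wide admin."""
    out = []
    for name, pol in _resources(config, "aws_iam_policy").items():
        doc = pol.get("policy", {})
        doc = json.loads(doc) if isinstance(doc, str) else doc
        for s in _listify(doc.get("Statement", [])):
            if (s.get("Effect") == "Allow" and "*" in _listify(s.get("Action", []))
                    and "*" in _listify(s.get("Resource", []))):
                out.append(Finding("IAM001", f"aws_iam_policy.{name}",
                                   'Allow Action "*" on Resource "*"',
                                   "scope Action and Resource to what the workload needs"))
    return out


def scan(config: Dict) -> List[Finding]:
    return (check_open_admin_ports(config) + check_public_access_block(config)
            + check_iam_wildcards(config))


# Constructed Terraform JSON-syntax configuration (not a real deployment).
CONFIG = {"resource": {
    "aws_security_group": {
        "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]},
        "app": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]},
                            {"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["10.9.0.0/24"]}]},
    },
    "aws_s3_bucket": {"logs": {"bucket": "example-logs"},
                      "assets": {"bucket": "example-assets"}},
    "aws_s3_bucket_public_access_block": {
        "logs": {"bucket": "${aws_s3_bucket.logs.id}", "block_public_acls": True,
                 "block_public_policy": True, "ignore_public_acls": True,
                 "restrict_public_buckets": True}},
    "aws_iam_policy": {
        "ci_deploy": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
        "ci_readonly": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-assets/*"}]})},
    },
}}

if __name__ == "__main__":
    for f in scan(CONFIG):
        print(f.check, f.address, "-", f.message, "| fix:", f.fix)
```

Run it and three findings come back (the bastion group, the `assets` bucket, and the `ci_deploy` policy); the `app` group's 443-to-world rule is intentionally not flagged, which is the kind of signal-versus-noise decision every custom rule has to make before it is wired into a pipeline as a blocking check.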

Certifications

AWS Certified Security - Specialty (SCS-C02)
Microsoft Cloud and AI Security Engineer Associate (SC-500)
Certified Kubernetes Security Specialist (CKS)

💡 AWS Security Specialty (SCS-C02) is the most recognized cloud security credential for AWS-centric environments. SC-500 (Cloud and AI Security Engineer, GA July 2026) is the equivalent for Azure environments and replaces AZ-500.

💡 CKS (Certified Kubernetes Security Specialist) is the hands-on Kubernetes security credential. It requires passing CKA first. Essential for candidates targeting platform security or DevSecOps roles.

💡 CCSP (ISC2 Certified Cloud Security Professional) is the vendor-neutral senior cloud security credential and the natural follow-on for candidates who want breadth across providers.


Step 4D - Governance, risk, and compliance track

Build the security governance, risk management, and compliance skills that GRC analyst, security manager, and audit roles require.

Estimated time: 8-12 weeks
  • Risk management frameworks — NIST CSF, NIST SP 800-53, ISO 27001, CIS Controls
  • Security audit methodology — audit planning, evidence collection, control testing, finding documentation
  • Compliance program management — mapping controls to multiple frameworks, compliance automation
  • Business continuity and disaster recovery — BIA, RTO, RPO, BC planning, DR testing
  • Third-party and vendor risk management — vendor assessment frameworks, contract security requirements
  • Data privacy regulations — GDPR, CCPA, HIPAA and how they translate to organizational controls
  • Security policy development — policy hierarchy, writing effective policies, exception management

Certifications

ISACA Certified Information Systems Auditor (CISA)

💡 ISACA CISA (Certified Information Systems Auditor) is the primary credential for security audit and assurance roles. It requires 5 years of relevant work experience (with substitutions available). 150 questions, 4 hours, 450/800 passing score.

💡 Candidates without the CISA experience requirement should consider CompTIA SecurityX (CAS-005) as an intermediate credential that bridges technical security and governance without the experience gate.

💡 NIST AI RMF is now a core GRC competency in 2026. The EU AI Act has created new compliance obligations for organizations deploying AI systems. GRC professionals who understand AI governance are disproportionately valuable.


Step 5 - Advanced practitioner credentials

Move from mid-level practitioner to senior security professional. These credentials validate the depth and breadth of security knowledge that senior and architect-level roles require.

Estimated time: 12-16 weeks
  • CompTIA SecurityX (CAS-005) — advanced security architecture, engineering, and operations
  • ISACA CISM (Certified Information Security Manager) — security governance and program management
  • ISC2 SSCP (Systems Security Certified Practitioner) — practitioner-level bridge before CISSP
  • SC-100 (Microsoft Cybersecurity Architect Expert) — Microsoft security architecture at the expert level

Certifications

CompTIA SecurityX (CAS-005)
Certified Information Security Manager (CISM)
ISC2 Systems Security Certified Practitioner (SSCP)
Microsoft Certified Cybersecurity Architect Expert (SC-100)

💡 CompTIA SecurityX (CAS-005) is the renamed and updated CASP+. It is the advanced CompTIA credential for senior practitioners who want to remain hands-on rather than moving into management. 165 minutes, approximately $494 USD. Recommended 10 years IT experience with 5 in security.

💡 ISC2 SSCP is the practitioner-level ISC2 credential that bridges CC and CISSP. One year of experience required (waived with relevant degree). Good option for candidates building toward CISSP who want an intermediate ISC2 credential.

💡 SC-100 (Microsoft Cybersecurity Architect Expert) is the senior Microsoft security architecture credential. Requires holding at least one Associate-level Microsoft security exam. Updated April 27, 2026 with new domain weights.

💡 This step is where the specialization tracks converge. Choose the credential that best matches your career direction.


Step 6 - CISSP and senior leadership credentials

Earn the most recognized senior security credential globally. CISSP is the long-term target for security professionals moving into senior engineering, architecture, and leadership roles.

Estimated time: 16-20 weeks
  • Security and Risk Management (15-16%) — governance, compliance, legal, professional ethics
  • Asset Security (10%) — data classification, handling, privacy protection
  • Security Architecture and Engineering (13%) — security models, cryptography, site and facility security
  • Communication and Network Security (13%) — network protocols, components, attacks, secure design
  • Identity and Access Management (13%) — physical and logical access, authentication, federated identity
  • Security Assessment and Testing (12%) — audit strategies, vulnerability testing, log review
  • Security Operations (13%) — investigations, incident management, disaster recovery
  • Software Development Security (11%) — SDLC, application security controls, code review

Certifications

Certified Information Systems Security Professional (CISSP)

💡 CISSP requires 5 years of paid work experience in two or more of the eight domains (4 years with a relevant degree). Candidates without the experience can earn the Associate of ISC2 designation after passing the exam and fulfill the experience requirement later.

💡 The April 2026 CISSP update added AI security content across all eight domains. Candidates using materials from before mid-2025 should supplement with the ISC2 Exam Guidance for Artificial Intelligence document published April 2, 2026.

💡 The CISSP is not a technical exam. It tests managerial security judgment. The most common failure mode for experienced technical practitioners is defaulting to technically correct answers rather than the governance-aware, risk-balanced, managerially defensible answers the exam rewards.

💡 CCSP (ISC2 Certified Cloud Security Professional) is the natural follow-on for CISSP holders in cloud-heavy environments. Active CISSP holders can substitute the full CCSP experience requirement.


Final step - Validation, specialization, and staying current

Cybersecurity is the domain where knowledge has the shortest half-life. Exam content changes annually, attack techniques evolve continuously, and the regulatory landscape shifts faster than certification syllabi can track. Build the daily practice habit before your first exam and maintain it after your last. Use ExamOS scenario practice across Security+, CySA+, CISSP, CISM, and cloud security domains to keep your reasoning sharp between certification cycles, not just during exam preparation sprints. The professionals who build durable careers in cybersecurity are the ones who treat learning as a permanent operating mode rather than a pre-exam activity.

Certifications

ISC2 Certified in Cybersecurity (CC)
CompTIA Security+ (SY0-701)
CompTIA CySA+
Microsoft Certified Security Operations Analyst Associate (SC-200)
TCM Security Practical Network Penetration Tester (PNPT)
AWS Certified Security - Specialty (SCS-C02)
Microsoft Cloud and AI Security Engineer Associate (SC-500)
Certified Kubernetes Security Specialist (CKS)
ISACA Certified Information Systems Auditor (CISA)
ISACA Certified Information Security Manager (CISM)
CompTIA SecurityX (CAS-005)
ISC2 Certified Information Systems Security Professional (CISSP)
ISC2 Certified Cloud Security Professional (CCSP)

Realistic timeline

  • Foundation to Security+ (Steps 0-2): approximately 3-4 months at 2 hours per day
  • Security+ to specialization track completion (Steps 3-4): approximately 4-6 months depending on track
  • Specialization to CISSP (Steps 5-6): 12-24 months depending on experience accumulation requirements
  • Full path from zero to CISSP: 18-36 months is realistic for most candidates accounting for experience requirements
  • CompTIA recommends 4 years of hands-on experience for CySA+. Candidates sitting it earlier will find it harder, but there is no experience gate
  • CISA requires 5 years of IS audit, control, or security experience, with waivers of up to 3 years available. Plan around this gate early
  • CISSP requires 5 years of cumulative paid experience in two or more of the eight domains (one year waived with a relevant degree or approved credential). The Associate of ISC2 pathway allows passing the exam first and accumulating the experience afterwards
  • Hands-on lab time across TryHackMe, HackTheBox, and cloud free tiers compounds throughout the entire path and should be treated as a daily practice alongside certification preparation
  • Use ExamOS scenario practice across Security+, CySA+, CISSP, CISM, and cloud security domains to keep your reasoning sharp between certification cycles
