{"id":9757,"date":"2025-07-17T06:00:00","date_gmt":"2025-07-17T05:00:00","guid":{"rendered":"https:\/\/emtunc.org\/blog\/?p=9757"},"modified":"2026-02-08T20:29:05","modified_gmt":"2026-02-08T17:29:05","slug":"how-id-break-into-cyber-security-if-i-were-starting-today","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/07\/2025\/how-id-break-into-cyber-security-if-i-were-starting-today\/","title":{"rendered":"How I\u2019d Break Into Cyber Security If I Were Starting Today"},"content":{"rendered":"\n<p>I\u2019m often asked by students and those thinking about a move into cyber security: <em>&#8220;How do I break into the field?<\/em>&#8221;<\/p>\n\n\n\n<p>My answer hasn\u2019t really changed over the years, but I get asked often enough that I figured it\u2019s worth putting into a quick* blog post. I\u2019ll give you a sense of how I think about hiring, what I look for, and hopefully give you something more useful than some of the generic, unhelpful advice out there.<\/p>\n\n\n\n<p>Just to be super clear &#8211; everything here is 100% my personal opinion. This is what <em>I<\/em> look for when hiring for my own teams, regardless of seniority.<\/p>\n\n\n\n<p>This post is focused on the technical side of cyber security &#8211; engineering, architecture, offensive security, defensive security. 
I think it\u2019s a good foundation, even if you eventually end up specialising in a less technical field like governance, risk, or compliance.<\/p>\n\n\n\n<p class=\"has-small-font-size\"><em>* turns out this wasn\u2019t the \u201cquick post\u201d I thought it would be &#8211; it took me three weekends in a coffee shop to get this finished <\/em>\ud83d\ude43<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">The Most Common Question<\/h2>\n\n\n\n<p><em>&#8220;I want to get into cyber security but don\u2019t know where to start &#8211; what do you recommend?<\/em>&#8221;<\/p>\n\n\n\n<p>The brutal truth is that you\u2019ll be up against hundreds &#8211; sometimes thousands &#8211; of applicants for roles. The good news is that most of them won\u2019t be qualified, but the question is: how do you stand out amongst the crowd?<\/p>\n\n\n\n<p>Ask yourself &#8211; what have you done that actually shows you&#8217;re serious?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Got a portfolio?<\/li>\n\n\n\n<li>Written anything useful &#8211; blogs, walkthroughs, tutorials?<\/li>\n\n\n\n<li>Are you in the top 1% on platforms like Hack The Box?<\/li>\n\n\n\n<li>Do you have a bug bounty profile with some published meaningful reports?<\/li>\n\n\n\n<li>Have you pushed through and earned an OSCP?<\/li>\n\n\n\n<li>What have you hacked, reverse engineered, patched?<\/li>\n<\/ul>\n\n\n\n<p>If you want to excel in cyber security, you need deep knowledge across a broad range of technical domains. 
The broader and deeper your expertise, the more valuable you\u2019ll be &#8211; and the more you can command in terms of salary.<\/p>\n\n\n\n<p>To put it in perspective:<\/p>\n\n\n\n<p>A good software engineer knows their codebase, their stack, and how to build reliable systems.<br>A good cloud engineer knows cloud architecture, networking, and how to secure and scale infrastructure.<br>A good IT engineer knows networking, endpoints, identity solutions and how to keep the organisation running smoothly and securely.<\/p>\n\n\n\n<p>A good security engineer needs to understand all of this &#8211; plus how attackers think, how systems fail, and how to break things before someone else does. That means having working knowledge across many domains: software, cloud, networking, identity, endpoints, authentication, cryptography, and more.<\/p>\n\n\n\n<p>You don\u2019t need to be an expert in all of them, but you need to understand how they fit together and where the risks live. It&#8217;s not easy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learn the Fundamentals<\/h2>\n\n\n\n<p>There\u2019s some foundational knowledge that I think everyone should build up early on in their journey &#8211; you may find some of it boring and that\u2019s okay. If you find yourself uninterested in all of it, ask yourself if this is really the right field for you.<\/p>\n\n\n\n<p>Here are some foundations to really get your head into:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How networks actually work (IP, routing, DNS, ports, etc)<\/li>\n\n\n\n<li>How operating systems work (especially <a href=\"https:\/\/nostarch.com\/howlinuxworks3\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> and Windows internals)<\/li>\n\n\n\n<li>What happens when you open a browser and type in a URL<\/li>\n\n\n\n<li>Cloud computing. 
This is a big one so I will split this into multiple bullet points\n<ul class=\"wp-block-list\">\n<li>The three main ones I would focus on in order of importance are AWS, GCP and Azure. Get accounts on all of them and start tinkering and playing. They all offer free credit so there\u2019s really no reason you shouldn\u2019t be building, deploying and breaking stuff in these environments<\/li>\n\n\n\n<li>Learn\/play with <a href=\"https:\/\/kubernetes.io\/docs\/tutorials\/kubernetes-basics\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kubernetes<\/a> and containerisation technology<\/li>\n\n\n\n<li>Learn the basics of Git &#8211; create an account on GitHub if you don\u2019t already have one and learn how to use it via an Integrated Development Environment (IDE) like <a href=\"https:\/\/code.visualstudio.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">VS Code<\/a><\/li>\n\n\n\n<li>Deploy a basic web application in a container and deploy it via GitOps (it doesn\u2019t need to be in a Kubernetes cluster &#8211; that\u2019s probably overkill but if you\u2019re feeling adventurous, fill your boots!)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Get your hands on the community edition of <a href=\"https:\/\/portswigger.net\/burp\/communitydownload\" target=\"_blank\" rel=\"noreferrer noopener\">Burp Suite<\/a> and see how modern web applications work. Learn how the proxy and certificate work, and learn how to use the repeater to manipulate the traffic. See what breaks. Then fix it. Get your hands dirty.<\/p>\n\n\n\n<p>A lot of the technical depth you need can be picked up from <a href=\"https:\/\/nostarch.com\/catalog\/general-computing\" target=\"_blank\" rel=\"noreferrer noopener\">books<\/a>. No Starch Press is an excellent resource and they\u2019ve got solid material on so many topics. Pick up a couple that you like the look of. 
Note down concepts you\u2019re unfamiliar with and research\/learn them.<\/p>\n\n\n\n<p>You\u2019ll also find amazing resources on YouTube like <a href=\"https:\/\/www.youtube.com\/channel\/UCa6eh7gCkpPo5XXUDfygQQA\" target=\"_blank\" rel=\"noreferrer noopener\">IppSec<\/a> &#8211; this will teach you how attacks work and there\u2019s something to learn in <em>every<\/em> video. Watch, pause, rewind, take notes, and research the stuff you don\u2019t get. By the end of this portion of learning, you should know what &#8220;SQL Injection&#8221; and \u201cXSS\u201d attacks are and how to protect against them. IppSec has an <a href=\"https:\/\/ippsec.rocks\/\" target=\"_blank\" rel=\"noreferrer noopener\">awesome search<\/a> feature to help you learn the different categories and types of attack &#8211; use it.<\/p>\n\n\n\n<p>It\u2019s not super important which books, videos, courses, etc you choose. What matters is that you actually take the time to learn, build, and test things yourself. Reading is great &#8211; but setting up your own development environments and playgrounds, running packet captures, breaking stuff and fixing it &#8211; that\u2019s where the real learning comes from.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learn Some Scripting<\/h2>\n\n\n\n<p>Some personal context: I avoided the programming-heavy path in university because I really disliked Java. But later in my career I realised how useful scripting would be, so I picked up Python using the <a href=\"https:\/\/nostarch.com\/python-crash-course-3rd-edition\" target=\"_blank\" rel=\"noreferrer noopener\">Python Crash Course<\/a> book from No Starch Press &#8211; I know I already mentioned them above, but they are an excellent publisher!<br>Not long after, I wrote my first offensive tool, <a href=\"https:\/\/github.com\/emtunc\/SlackPirate\" target=\"_blank\" rel=\"noreferrer noopener\">SlackPirate<\/a>. It\u2019s now got over 700 stars on GitHub and is used by red teams all over the world. 
It still catches me off guard when someone casually mentions it and I tell them I\u2019m the author.<\/p>\n\n\n\n<p>It doesn\u2019t need to be hardcore programming and you don\u2019t need to come out the other side writing full applications or designing complex systems but something like Python will help you massively in this field &#8211; from automating recon, parsing logs, building quick tools and generally just saving a whole bunch of time.<\/p>\n\n\n\n<p><strong>Special note on AI<\/strong>: Yes, AI can help you write code faster &#8211; but it\u2019s absolutely critical that you understand the fundamentals yourself. AI tools and LLMs are excellent accelerators, but without a solid foundation, you won\u2019t be able to tell good solutions from bad ones. I don\u2019t need people who can copy-paste from ChatGPT &#8211; I can do that myself. I need people who understand how to wield these tools to build excellent solutions faster, not ship clunky garbage.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">It\u2019s Okay to Be a Generalist<\/h2>\n\n\n\n<p>Don\u2019t stress too much about specialising straight away. Early in your career, it\u2019s totally fine to try different areas &#8211; pentesting, red teaming, reverse engineering, malware analysis, cloudsec, appsec, identity, governance, etc.<\/p>\n\n\n\n<p>Eventually, you\u2019ll naturally lean toward an area that suits you. I personally stayed a generalist and still am to this day &#8211; and I love it. I get to strategise across all of cyber security and deep-dive into the details when I need to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What I Look For When Hiring Juniors<\/h2>\n\n\n\n<p>You might be surprised, but the bar isn\u2019t as high as you think. The number one thing I look for? Real passion. 
That raw curiosity.<\/p>\n\n\n\n<p>That passion can show up in all sorts of ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Home\/cloud labs and creative setups<\/li>\n\n\n\n<li>Decent HTB or similar profiles (not the generic \u201cjust started\u201d ones)<\/li>\n\n\n\n<li>GitHub projects with depth &#8211; not test repos with one commit<\/li>\n\n\n\n<li>Technical blogs where you walk through what you\u2019ve learnt<\/li>\n\n\n\n<li>Tough certs like OSCP, ARTE, GRTE, etc &#8211; shows you can push through and self-teach something challenging<\/li>\n\n\n\n<li>Conference talks, even local ones<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Do You Need a Degree?<\/h2>\n\n\n\n<p>This shouldn&#8217;t be controversial in 2025 but the presence of a degree doesn&#8217;t play much of a role when I am shortlisting candidates and I think more and more companies are waking up to that. If you don\u2019t have a degree, I\u2019ll expect to see a bit more effort elsewhere: projects, blogs, a cert or two, speaking gigs, something.<\/p>\n\n\n\n<p>If you give me two candidates: one with a degree but no practical experience and one without a degree but with solid published projects and\/or work; all else being equal, I\u2019ll probably lean towards the latter.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts<\/h2>\n\n\n\n<p>The vast majority &#8211; if I had to guess, probably &gt;90% &#8211; will not have the passion, hunger or desire and that\u2019s going to show on their CVs and interviews. It\u2019s like in most fields &#8211; if you don\u2019t have the passion, you\u2019ll probably end up being mediocre in your field. The ones that have the drive are the ones who typically exceed and progress much faster.<\/p>\n\n\n\n<p>If you\u2019re willing to graft, build stuff, learn in public, and show your progress, you\u2019ll get noticed. 
You don\u2019t need a fancy title or letters after your name &#8211; just prove you\u2019re hungry, capable, and willing to learn.<\/p>\n\n\n\n<p>And don\u2019t get caught up in the noise about &#8220;AI taking all the junior jobs.&#8221; It\u2019s no different to thinking a chef\u2019s knife will prepare and cook the meal. You don\u2019t hire the knife &#8211; you hire the chef who knows how to wield it properly. In my opinion, AI is the same: a powerful tool in the hands of those who understand the fundamentals, but useless (or dangerous) in the hands of someone who doesn\u2019t.<\/p>\n\n\n\n<p>I hope this has been helpful. And if you\u2019re early in your journey &#8211; keep pushing. You\u2019ve got this.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I\u2019m often asked by students and those thinking about a move into cyber security: &#8220;How do I break into the field?&#8221; My answer hasn\u2019t really changed over the years, but I get asked often enough that I figured it\u2019s worth putting into a quick* blog post. 
I\u2019ll give you a sense of how I think [&hellip;]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"templates\/template-full-width.php","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9757","post","type-post","status-publish","format-standard","hentry","category-tech"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-2xn","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/9757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=9757"}],"version-history":[{"count":26,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/9757\/revisions"}],"predecessor-version":[{"id":10097,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/9757\/revisions\/10097"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=9757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=9757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=9757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}