How realistic is the remote route? remote jobs in cybersecurity specifically. is it actually possible to break in that way or is the competition just as rough there too?im a security analyst with 2 years of experience but since i left my last company i have not got any single interview calls even with rigorous applying for it. can anybody help me land one ???
Does experience with TryHackMe and a degree/ certification help one land an entry-level cyber job?
Hey everyone,
I recently completed my graduation and I’m currently trying to understand what the cybersecurity industry actually expects from freshers/junior professionals today, especially with AI changing workflows so quickly.
I’ve worked in multiple areas during college, internships and personal projects, including:
- VAPT / basic auditing
- DevSecOps
- security automation
- digital forensics
- SIEM/SOC concepts
- Burp Suite, Nmap, recon workflows
- and some tooling/research projects
I know I’m still early in the field and there’s a lot I need to improve, but right now I’m honestly trying to figure out what matters most moving forward.
What skills actually make someone valuable as a junior cybersecurity analyst/engineer in 2026?
Is the industry now expecting:
- cloud knowledge?
- automation?
- scripting?
- DevSecOps?
- AI integration?
- stronger networking fundamentals?
- deeper specialization?
- certifications?
- real projects?
- communication skills?
I’m also curious about how experienced people here see the impact of AI on entry-level cybersecurity roles.
What should I do to:
- stay relevant long term
- become genuinely useful in teams
- and avoid becoming “replaceable”
Would genuinely appreciate advice from people already working in the industry.
(Burner account, because, reasons.)
There is a never ending line of posts on here about “How do I get into (insert role here)” or “Will (insert certification here) be the best to land me a job?”
Rightly or wrongly, I feel like there is a number of responses to those type of threads that may **(**or may not) have alternative conflicting incentives, because some of it seems to contradict what both my counterparts in the industry and my staff across organizations have said over the years. I’ve wanted to write this post for a while, and finally found a few minutes to do so.
If there is only one thing you take from this post, it is “With the exception of Security+ should you want a DoD 8140-Compliant Role, NEVER, EVER PAY FOR ANY TRAINING OR CERTIFICATION OVER $150 USD FROM YOUR OWN POCKET UNLESS YOU ARE WELL INTO YOUR CAREER AND IT IS ALMOST GUARANTEED TO OPEN A VERY SPECIFIC OPPORTUNITY FOR YOU”. I will explain why later in the post.
Starting off with those who are either in-school or thinking about a cybersecurity degree:
(TL;DR for this section: With one exception which I will mention, the degree alone will open very few doors these days. Maximize engagement on cyber topics with others outside the classroom.)
A cybersecurity degree on it’s own carries much less value than it did, let’s say, a decade ago, when having such a degree gave you a walk-on role in at least a few organizations, regardless of actual skill. There are still institutions (both public and private) that pitch high salaries and sky high prospects right out of college. The question you should be asking these institutions is “Will you put your money where your marketing mouth is?”. Most won’t. Unless the institution is willing to provide a field-specific IBR (Income-Based Repayment), their marketing means next to nothing. Just like I can sell you a quit-claim deed to Ford Field in Detroit for example, I have no ownership interest in the building so your paper deed is worth effectively zero.
Where in-person educational programs provide value is not in the degree or the course material, but rather in the time you spend with like-minded individuals working on fun projects pushing the boundaries of cybersecurity. When you put together your resume or go into an interview, especially at a junior level, the unique thing you bring to the table is not that you paid for a piece of paper with your name on it, but rather your ability to actually speak to challenges in the cybersecurity space and the things you and others worked on to try solving them.
So what could you do?
Like I said earlier, there is one exception to most of what I wrote so far, and it’s not because I have any sort of vested interest in this option, but rather that it has a mostly proven track record in the industry and provides you the extras just by the very nature of the program itself. That would be the SANS undergraduate degree, after which you walk out with nine marketable GIAC certs for the cost of your degree program (If you were going to spend the money anyways; here you get more for it). They tell you that you need to transfer in with at least 70 college credits to start, but those do not need to be at an expensive institution. You can do those at a local community college, or if you hate wasting time and money, earn your base credits via CLEP (which everyone who is taking a degree in any field should be doing anyways in my opinion).
Now pivoting to those looking to shift career paths:
(TL;DR for this section: If your company isn’t paying for your certifications, don’t overpay for them yourself. There are many other options like vendor trainings to get skilled up.)
So you are in IT or another technology role and looking to get into cybersecurity. Many will say “take X,Y, and Z paid cert”. Don’t do it.
There are so many certifications out there that are from vendors and providers these days that unless your employer offers paid certification opportunities (which many, but not all, do if you ask) you should not be paying over $150 for any training or certification.
All the major Cloud Providers (AWS/Azure/GCP/OCI) offer their introductory certifications at no cost if you participate in one of their free training events, and for their higher level certifications, many of them offer you discounts to bring the cost down (AWS for example gives you a 50% off discount after every cert you achieve, bringing the cost under $150).
Next are the Product Vendors. Some of them charge sky-high prices for training and certification (which to me has always seemed counterintuitive), but others not only offer the certifications for free or low-cost, they also offer the training for free. For those that don’t, you are a Udemy (or equivalent) course away from landing that cert (and you shouldn’t be paying more than $30 there). Also, just because it’s a vendor doesn’t mean that all of their trainings are only about their products. Some vendors offer broader topics as well.
Then there are offerings like Pay-What-You-Can from Anti-Syphon Training. These are low-cost trainings to get in depth with a particular subject matter. The majority of these won’t buy you bonus points on your resume, but they will help you get more acclimated to a given topic.
As for getting the job itself, first thing you should do is look internally. I have brought on people from other parts of organizations over the years because the amount of time we may need to spend to skill up someone who is motivated to be in the role pales in comparison to the amount of time spent getting to know the in’s and out’s of the organization.
If there is nothing internally, connect with your network of friends and colleagues on LinkedIn. Odds are if people trust in the quality you bring to your day to day, some just might move mountains to see if there is a role out there in their connections, especially since you may be able to do the same for them in the future.
So what could you do?
To close out this post, I want to say that the most important thing you can do, regardless of degree or education, is making sure that the financial decisions you make have a high likelihood to actually provide you a meaningful return on your investment of both time and money. Way too many people are pursuing educational paths that will never provide this, and this is a very serious problem (but I won’t get into that topic due to how much it’s tied to politics, even when it really should not be). Lastly, don’t forget that there are other learning paths as well, such as Apprenticeships, Self-Learning, and Trade Schools. There is no “One size fits all” and what may be the right path for you may be very wrong for someone else.
I have a bachelors in computer science and a masters in cybersecurity. With two 6 month internships one after bachelors and one after masters. Generally I was told that usually you get a job and then companies sponsor the certifications considering they're so expensive. Since the job market is so bad now I'm gonna do Sec + in a couple months. Apparently you get the certificates only after you have at least a year of experience but I'm kinda at the end of the line. Spending hours and hours on applications only to get ghosted or rejected immediately is insane.
I wanted to do CEH and also finish a+ and network +. I don't mind paying and I like this field so I don't mind studying either. Im genuinely panicking and my last thought was to just stack up certificates. But then what's the point of I don't have work experience but I get no job to get a work experience😭. I know I'm whining but I'd really like some direction on whether this is a good choice.
I'm just wondering if even with the certifications it will still be hard to land a job and then I'd have just wasted money for nothing because the certifications expire in two years.
Degree don't really matter these days as much as I've seen or been told. I was wondering if these certifications will have ANY effect on the prospect of me getting a proper job? With the way things are going I won't be surprised if it didn't or if I land another internship even with all the certifications. This job market has left me with no expectations atp.
I wanna be able to wfh in a year or two after I get a job. Or a wfh job. But at this point I'd be grateful for just a job in my field that isn't intern level salary for an analyst role.
If anyone has any advice please help me out. Thanks!!
Been doing info sec work for about 15 years now. Next step for me would be CISO. But can't stand all of the bullshit and lies that happen at the C level. Everyone is so full of shit and would rather take the fines than actually implement security solutions. So sick of trying to teach ethics to boomers and try and convince people to do the right thing. Anyone else having this sort of issue?
So, I am kinda new to Cyber Security and I am still confused about what is better, doing a Master's course in Cyber Security (I looked for colleges, but only few colleges eg: IITs, IISc and NFSU have these courses) or go for certfications only or just make a job switch, FYI, I have recently obtained CompTIA Sec + certificate but still I am not getting a better career boost or a switch.
and also what are some good courses for master's (Both India and foreign) (p.s. I hate programming) and how to apply them, same goes for certifications.
Maybe, the way I am applying is wrong lol, but in any case please help me out on this:((
I’ve spent about five years in cyber, starting from basic IT work to operating in a SOC environment for a large-scale enterprise. Here are ten lessons that actually matter.
1. Cyber = risk, nothing else
Businesses don’t care about “security” — they care about money and risk. If security doesn’t clearly protect revenue or prevent loss, it’s seen as a cost. You have to explain security in financial terms, not technical ones.
2. Your stats don’t matter (unless they translate to money)
No one cares about firewall hits or alert counts. What matters is impact. If you can’t connect your metrics to money saved or risk reduced, they’re useless to leadership.
3. Not everyone thinks like you
Cyber is broad. Being good at one area doesn’t mean others understand it. Explain your thinking clearly and don’t assume people see what you see. At the same time, don’t hesitate to ask others to explain theirs.
4. Too many playbooks will slow you down
Playbooks are useful, but overdoing them kills efficiency. You don’t need one for every variation. Keep them practical and flexible, not overly detailed or hyper-specific.
5. Stay ahead of the news
If something hits mainstream news, you should already know about it. Even if it doesn’t affect your environment, be ready to explain why. Otherwise, you lose credibility and create unnecessary panic.
6. Most conference hype doesn’t apply to you
A lot of high-level research and exploits sound scary but aren’t relevant to most environments. Focus on real, practical threats — not edge-case scenarios.
7. Know your data sources
Good analysts understand where logs come from and what each system can (and can’t) show. Tools help, but knowing your environment is what actually makes investigations effective.
8. Most “threat intelligence” is surface-level
Looking up IPs and hashes isn’t real intelligence. That should be automated. Real threat intel is understanding attackers, mapping behavior, and predicting risks based on your environment.
9. Write so you can’t be misunderstood
Reports shouldn’t assume knowledge. Be clear, specific, and precise. Anyone — even non-technical leadership — should understand the risk without guessing.
10. Work with marketing, not against them
Clear communication wins. A simple visual can do more than a long technical report. If leadership doesn’t understand your message, it doesn’t matter how correct you are.
Conclusion
Cybersecurity in the real world isn’t clean or textbook-perfect. It’s messy, business-driven, and context-heavy. The people who succeed aren’t just technical — they understand risk, communication, and how real environments actually operate.
Salve, sono un CISO, 30 anni, full certifications, magistrale in cybersecurity. Lavoro in azienda finance piccola ma global, full remote. 85k + 10k bonus. Nessun altro grande benefit a parte i buoni pasto.
Come pianificare e proseguire con un altro big step di carriera ma soprattutto salary? Non ho problemi a lavorare tanto, ma non faccio sconti sul full remote. Al massimo una trasferta al mese.
Per chi si domanda come ci si arrivi a guadagnare così a 30 anni. 10 anni di lavoro serio. Studio continuo. Certificazioni ogni 3 mesi per 10 anni.
Hello everyone!
I'm building my career in cybersecurity. I'm currently a Junior and approaching 3 years of experience, so I hope to make the leap to MID soon. In the meantime, I'm trying to train as much as possible: every year I try to earn new certifications or specializations, both to grow professionally and to stay up-to-date with the market.
What I'm most looking forward to, however, is one day being able to work fully remotely. I live and work in Italy, currently in Rome, so I wanted to ask those already in the sector: how realistic do you think it is to achieve this goal here in Italy? Is it something that comes primarily with seniority, or does networking and finding the right company matter more?
I'm also curious about working in the sector in a more "human" way: during your 8-hour days, how much time are you truly focused on? Do you manage to find time to unwind, or is it a constant grind throughout the entire shift?
Wanted to hear from cybersecurity workers who actually WFH! Thanks
I’m a CISO, certified CISSP, CCSP, CISM, ISO 27001 lead auditor and even more. 10 years of experience in this field. Applying for months, not even a call.
The resume is good, I double checked with HR people. It just seems you can hit only entry level or mid position. No head, ciso or even just manager.
What u think? It’s just me?
Just moved to the usa and I want to go back to school but not sure of which field to choose. Most of my friends are advising me to get certificates online like in cyber security to get a job. They tell me within 6 months i can land a job with just 3 months training online. I really want to go back to school and get a degree, i am so confused.
Hi everyone,
I’m trying to transition into cybersecurity and get my first SOC Analyst role from a non-IT background.
So far, I have:
- Completed cybersecurity certifications
- Built a few SOC/home lab projects
- Practiced log analysis, SIEM monitoring, networking, and incident response basics
Even after learning and doing hands-on practice, getting the first opportunity still feels challenging for freshers from non-IT backgrounds.
I’d like to ask professionals and recruiters here:
- What helps a fresher stand out for entry-level SOC roles?
- What skills are companies actually expecting?
- Are home lab projects valuable during interviews?
- What should I improve to increase interview calls?
I’m continuously learning and improving my practical skills, and I’d really appreciate guidance from this community.
Thank you!
Note - I’m in appsec, and I can’t speak to all security disciplines. But people seem to apply the narrative to all security disciplines. I think this type of thinking is extremely outdated. THIS DOES NOT PERTAIN to the job market - I’m not arguing HOW TO get a job, or what is needed to get a job.
Never once have I felt like I need to know how to/ been asked to set up firewall, set up access for a new employee in our AD, set up local accounts on end devices, configure a network switch, set up wifi in our offices, etc. In my opinion, if you are doing both - you’re doing the job of two people. That’s not a security career problem, but a company one. With the exception of application level firewall - but I’d say that most likely it’s a shared responsibility of the network team and the appsec team, the appsec people would drive the application level blocking o! signatures, headers replacement etc - and knowing where the gaps are ON the application level. The point is that security is shared responsibility, and to say u need to know how to set things up/having worked the IT support persona isn’t always helpful or true.
Depending on the maturity of the company, I have either 1. Not care about anything else but the code/design/app/resource configurations in aws/azure to the lesser mature 2. More holistic view of appsec all app entry point (CICD/WAF/runtime/egress etc), ISMS, SDLC etc. Even when I was at a 3 man shop, we had a network guy that sets things up - and I was very comfortable not learning those things and only focusing on appsec.
But still i do not need to know how our wifi is setup at the office, how our printers are connected to the wifi and network, and how to setup/maintain our AD, and how to provision access for a new user is our AD. I certainly do not need to know the cli to close a port in our switch 💀I know we have gaps there - and yes we are probably vulnerable. But it’s not my battle - and I can’t spend time on investigating every possible gap I see. These risks should be raised and owned by the network/IT people. Whether they are doing their job is a different question.
The biggest thing is understanding risks - for every security professional. Example - I don’t need to know how to disable local admin/how to set AD up for our env to know what risks it has; and how to communicate that to business exec. I should know how AD works in principle, what is it etc, and know enough to know how to read a pentest report on our AD (and what questions to ask the pentesters and write the scoping doc) and calibrate the risks to our env/business requirements, but I don’t need to know how to setup AD. And I’m comfortable in telling my manager that no I don’t feel comfortable doing the pentest myself because that’s not my specialty.
If you do not know enough to know how to calibrate risks and to know if the pentest report actually has good coverage - then it becomes an issue. BUT you do not need to know how to set things up to know that. This applies to a lot of things.
For appsec, I need to know how to setup our CICD to secure it yes. But it’s a domain knowledge. If your security domain does not require you to know how to set AD, switch, routers up, don’t feel the pressure to learn it. But do know enough to know what they do - think Network+ compTIA knowledge.
Even when I worked at AWS, I knew how to talk to our devs about whatever resources they choose to use in the design and ask the right questions and come up with controls - but I didn’t know how to set up a VM etc in aws.
This whole narrative is especially true with the increased cloud adoption and usage. I’d rather you learn cloud instead of how to do a cat 5e Ethernet cable 💀.
The only exception I can think of is forensics and incident response - they need to be familiar with the cli etc and time precision. But for the other security disciplines - I really don’t think this “help desk first and IT exp first” matters that much. I don’t know about network security, so I can’t speak to that. But i don’t need to know how to setup routers and switches and VLANs to know and ask 1. Can this service reach this? 2. Also in cloud, a lot of this is abstracted to cloud concepts. 3. For on prem networks, this again is a domain responsibility that should be owned by the network team, so I (as an appsec person) don’t and have never felt the need to know the technical details on implementation.
So yea, if u want to insist on the narritive that one needs IT exp or having worked help desk - pls accompany it with the type of job u are talking about within security.
Been working as a Security analyst for over 1.5 years now. I want to know what path do i choose next? I was thinking to aim for Security Engineer but I'm not sure if the experience I have would be enough. With the current experience plus certifications or learnings can I aim for Security Engineer in the next few months? I am not sure if wanna pursue as Analyst itself for longer periods of time. What certifications would be better to earn when aiming for Security Engineer? Any tips or suggestions?
If not, what might be any other path?
Any advice would be helpful.
Thank you!!!
How difficult is it to get a steady position in the cybersecurity field nowadays? I’m interested in getting into cybersecurity, but I keep hearing mixed things about the job market. Is it realistically possible to land a stable, long-term role without years of experience, or is the field becoming oversaturated at the entry level? I’d especially like to hear from people currently working in the industry about how competitive hiring actually is, what roles are most attainable starting out, and what helped you break in.
I don't normally use reddit, but I'm making this post because this site is one of the first that you'll see when googling this company. I need to make this known because people need to know about what they are up against when looking at this company. I don't believe that they are a scam or anything, but they were completely unprofessional and they completely wasted my time with a false promise and near zero communication.
Some context:
Nukudo is a cybersecurity company in Texas that is supposed to train people for cybersecurity roles and get them ready to work for a 3 year placement job. The pay is supposedly not the best in comparison to some full fledged positions, but for someone trying to get started in their career, I feel like it's most likely worth it. I found the job listing looking for people in San Antonio, so I applied.
Application process:
The process included multiple online tests. One test was a pseudo-code type of test, 2 others involved a lot of questions utilizing Wireshark. There was a personality test that I'm pretty sure was the standard Wonderlic one. After taking these tests, they scheduled an interview at their office in San Antonio which turned out to be a Zoom call which was kind of weird but whatever. It was very clear with the discussions that this program will be a full time job. I was in school at the time, so I understood that I would need to put my education on hold if I were to accept this job. This all happened in November.
The complete lack of professionalism:
In the beginning of December, I was given an email that stated congratulations I completed the process and i quote, "In the coming weeks, you'll receive your offer letter and agreement." The supposed start date it stated was the first quarter of 2026. I was pretty excited as I finally got a job after long time of fruitless job searching.
It was at this time, they went completely radio silent. I received no emails, no phone calls, or any bit of communication from Nukudo. In January about a month later, I sent an email for any bit of information or that offer letter that was stated before. The response only said that the start date will be first quarter of 2026 with nothing else. I figured it'll just start late first quarter and decided to wait patiently. During this time, my school semester ended and I decided not to continue the next semester because I assumed that I would now need to concentrate on this job that I was accepted in. I also stopped looking for other jobs as hey I had this new job that I'm waiting for.
Halfway through March about 2.5 months later, I get an email that the cohort will now take place in Dallas and that I now need to do another interview. I'm confused because I thought I already was accepted so I asked about that, but they assured me in the email, "your acceptance has not changed". I figured it was fine because I was luckily able to relocate to Dallas, and that my acceptance was supposedly still intact.
It took them an extra month to schedule the interview. I literally had to send an email asking when it was going to happen. A couple days later I did the interview about halfway through April.
For another straight month, they went completely radio silent. I got no information out of them. I sent an email, resent that same email in case it got lost or something, then left a voicemail asking for information. It wasn't until a month later again that I managed to be able to call them where they just basically stated, "nah, we got someone else. fuck off"
This whole process wasted about 5 months of my life with an empty promise of a job. In hindsight, I guess I shouldn't have committed to something unless I physically started the job, but I seriously thought that them telling me that I got the job would mean that I got the job.
TLDR: While Nukudo might be a decent opportunity for what it offers, be very careful about their lack of professionalism. Do not accept them at any of their words as they will easily go back on it and lie to your face.
Hey everyone,
I have an interview coming up for Information Security Intern (CMMC) role.
The role involves:
Security monitoring and alert review
Assisting with investigations/incident response
Vulnerability management & patching
Working with ITS Operations and enterprise systems
Learning cybersecurity operations in a professional environment
Background: I’m currently pursuing an M.S. in Information Science with hands-on experience in Splunk, OpenVAS/Nessus, networking, IT support, and security labs.
For anyone who interviewed with similar security internships:
What technical questions did they ask?
Was it more behavioral or technical?
Any focus on networking, Windows, SIEM, troubleshooting, or compliance/CMMC concepts?
What should I prepare most for?
Any tips or experiences would really help. Thanks!
hey guys, fresh student here about to start college, planning to go into cybersecurity but kinda stressed about the job market.
from what i understand junior roles like SOC analyst are getting hit hard by AI and honestly even without AI getting hired as a fresher into SOC is already super competitive. so by 2030 if the seats are shrinking i feel like fighting for those entry level spots is gonna be even harder.
so what should my stepping stone be? like what job do i target first that naturally leads into cybersecurity mid level roles without me having to grind through positions AI is slowly eating up?
and is getting security+ oscp3 ez like veryone will eventually get it if they study average
I’m currently a Sophomore entering my junior year of college as a Medical Laboratory Science Major. Recently I be realized that idk if that’s something I really want to do due to what I’ve heard about the limited pay. Because of this I spoke to my dad who is in cybersecurity and he recommended I do that instead. I’m just unsure what to do and need advice. How hard is cybersecurity really? Is the lid of MLS pay and moving ranks real? Should I maybe die cyber security and have a health major?Please help I have to have a decision by 11:59
Update: Ok guys after unregistering and registering myself I have decided to stick with the MLS program. It is something that I really really love and interests me. My only fear was not being paid that well but that’s not the most important thing and that may change by the time I enter the field. Additionally, someone recommended that I obtain certificates and get experience when I can in cybersecurity if I really wanted to enter the field while pursuing MLS, which is super smart! Thank you all for the help!!!