Somewhere in the last five years, cybersecurity became the field that every career coach, bootcamp, and LinkedIn influencer promises you can break into in 90 days — no experience required, six-figure salary guaranteed. The pitch is relentless and it is mostly wrong.
That does not mean the field is closed to career changers. It is not. People make this transition every year from backgrounds that have nothing obvious to do with security. But the ones who succeed are almost never the ones who followed the 90-day bootcamp plan. They are the ones who spent a year or two building real, demonstrable skills, found an entry point that matched their existing background, and got in front of hiring managers through something other than a cold application.
This guide is the version of the conversation that a security hiring manager would actually have with you — not the version designed to sell you a course.
The Realistic Timeline
If you are starting from scratch — no IT background, no networking knowledge, no security experience — expect 12 to 24 months of serious, consistent effort before your first security job. That means studying most days, building a home lab, completing hands-on platforms, earning at least one relevant certification, and actively working your network.
That timeline can compress if you already work in IT support, networking, or software development. It can extend if you are working full-time in an unrelated field and can only study on evenings and weekends. What it almost never does is fit into a 12-week bootcamp.
The 90-day promise works as marketing because it is technically possible in an extremely narrow set of circumstances: you have a strong IT background already, you study full-time, you live in a major market with a lot of MSSP hiring, and you get lucky with timing. For most career changers, none of those conditions apply simultaneously.
Understanding the real timeline matters because it changes how you plan. If you think it will take 90 days and it takes 18 months, you will burn out and quit. If you budget 18 months from the start and treat this like a genuine professional development investment, you will stay consistent long enough to get results.
Entry Points That Actually Have Demand
Not all security roles are equally accessible at the entry level. “Ethical hacker” or “penetration tester” — the roles that get the most attention in bootcamp marketing — are among the least accessible. Most organizations hiring penetration testers want people with several years of security operations experience first. The entry-level pentesting market is real but small and genuinely competitive, and flooding it with underprepared candidates has made hiring managers cautious.
The entry points with consistent demand and realistic barriers in 2026 are:
SOC Analyst (Tier 1): Security operations center work is the most common entry point in the industry. Tier 1 SOC analysts monitor alerts, triage events, escalate true positives, and document everything. The work is repetitive, the pay at the low end is modest, and the alert volume can be exhausting. It is also one of the few security roles where employers routinely hire people with limited direct security experience, because the skills — reading logs, following runbooks, staying calm under pressure — can be developed on the job. MSSPs (managed security service providers) are particularly active entry-level employers.
IT Security Support: Many organizations have internal security teams that need generalist support — helping with vulnerability scanning, patch management, access provisioning, policy documentation, and security tool administration. These roles sit at the boundary between IT and security and are often a natural first step for people coming out of IT support or desktop work.
GRC/Compliance Analyst: Governance, risk, and compliance work requires less technical depth than SOC or engineering roles and more skill in documentation, process analysis, and communication. GRC analysts help organizations maintain compliance with frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS. They conduct risk assessments, manage audit evidence, write policies, and track remediation. The role is in steady demand because compliance obligations keep growing, and it is one of the most accessible entry points for people coming from legal, audit, accounting, or policy backgrounds.
Privacy Analyst: Data privacy has matured into its own discipline, driven by GDPR, CCPA, and a growing stack of state-level privacy laws. Privacy analyst roles focus on data inventory, privacy impact assessments, vendor assessments, and regulatory compliance. The role overlaps significantly with GRC and is particularly well-suited to people with legal or regulatory backgrounds.
These are not the most glamorous security titles. They are the ones that are actually hiring at the entry level in 2026.
Self-Study Paths That Produce Results
The platforms and resources that actually move the needle for career changers are the ones that emphasize hands-on practice over passive content consumption.
TryHackMe is the most approachable starting point for people with limited technical backgrounds. The learning paths are structured, the browser-based labs remove the setup friction that stops a lot of beginners, and the SOC Level 1 and Pre-Security paths are specifically designed to build foundational knowledge. If you are just starting, begin here.
HackTheBox is harder and more rewarding once you have the basics. HTB machines require real problem-solving, and completing even a handful of beginner-rated boxes gives you something concrete to document and discuss in interviews. The HTB Academy has good structured content if you want guided learning alongside the challenge machines.
SANS Free Resources: SANS courses are expensive, but the organization publishes a significant amount of free material — webcasts, white papers, posters, and reading room content. The SANS Internet Stormcast is a short daily briefing that helps you stay current. For GRC-focused learners, the SANS Policy Project offers downloadable security policy templates that are useful for understanding what mature security programs look like.
NIST Publications: For anyone pursuing GRC or compliance, reading NIST is essential and free. NIST SP 800-53 (security controls), NIST SP 800-37 (risk management framework), and the NIST Cybersecurity Framework are the foundational documents that most enterprise security programs reference. Understanding these is not optional for GRC work — it is the job.
Professor Messer’s Security+ Materials: Free and well-organized, his study guides and practice questions are the standard recommendation for Security+ preparation.
The pattern across all of these is active engagement. Reading about security or watching videos does not build a hiring record. Completing labs, writing up what you learned, and building things that you can show to a hiring manager does.
What a Competitive Entry-Level Resume Actually Looks Like
Entry-level security resumes fail most often in one of two ways: they are a list of soft skills and generic job duties with no evidence of technical capability, or they are a collection of certifications with nothing to show the candidate has actually applied what the certifications covered.
A competitive entry-level security resume in 2026 has:
A home lab section: This does not mean you built a SIEM that Fortune 500 companies use. It means you set up a virtualized environment — using VirtualBox or VMware Workstation, which are both free — ran a SIEM like Wazuh or the free tier of Elastic Security, generated some log data, wrote detection rules, and documented what you built and why. A paragraph describing your home lab with specific tools named is more valuable than three additional certifications.
A project: One concrete project documented in enough detail that someone could ask you questions about it. A phishing simulation you ran on yourself and analyzed. A network traffic capture you walked through and annotated. A risk assessment you wrote for a fictional or real (with permission) small organization. Something that demonstrates you can apply skills, not just name them.
One relevant certification: CompTIA Security+ for technical roles; a combination of Security+ and a GRC-specific certification (ISACA’s CSX-P or the entry-level CISA pathway) for compliance roles. The certification shows you understand the vocabulary and fundamentals. It is a floor, not a credential that gets you hired by itself.
Relevant experience framed correctly: If your prior work touches anything related to security — access management, incident response in any capacity, auditing, regulatory compliance, network administration — it belongs on your resume framed in security terms. If it does not, a volunteer project or documented home lab fills that gap better than leaving the experience section thin.
What does not belong on a competitive security resume: bullet points about being a “team player” and “detail-oriented,” a list of operating systems you have used, and ten certifications with no project work to accompany them.
The Experience Paradox and How to Address It
Every career changer in security eventually runs into the same wall: entry-level jobs require experience, and you cannot get experience without a job. The paradox is real but it is not unbreakable.
Bug bounty programs: Platforms like HackerOne and Bugcrowd allow anyone to legally test the security of participating organizations. You do not need to find a critical vulnerability — one documented finding, even a low-severity one, is something you can discuss in an interview and reference on your resume. The key word is “documented.” Write up what you found, how you found it, and what the impact was. That writeup is the asset, not the bounty amount.
Home lab documentation: A GitHub repository or personal blog that documents your lab environment, your experiments, and your findings is a portfolio. It does not need to be polished or comprehensive. It needs to show that you are actively practicing skills outside of guided platforms. Hiring managers for technical roles frequently look at GitHub profiles.
Volunteer work: Nonprofits, small local governments, and community organizations often have real security needs and no security staff. Offering to help with a risk assessment, a security policy review, or a basic security audit gives you real-world experience with actual organizational constraints. Document what you did and what recommendations you made.
Open source contribution: Contributing to open source security tools — even documentation contributions or bug reports with reproduction steps — demonstrates engagement with the security community. Projects like Wazuh, OpenVAS, or OWASP projects are good starting points.
Internal movement: If you currently work in IT support, desktop administration, or any adjacent role at an organization with a security team, you are closer to a security job than almost any external candidate. Express interest in security projects. Ask to assist with vulnerability scanning or policy reviews. Shadow the security team if you can. Internal transfers bypass most of the external hiring friction.
CompTIA Security+: A Floor, Not a Ceiling
Security+ is the right first certification for most career changers pursuing technical roles. It demonstrates foundational knowledge, it satisfies the DoD 8570/8140 baseline requirement that opens government contractor roles, and it is broadly recognized by hiring managers. It is worth pursuing.
It is not worth pursuing as your primary credential without anything else to show. Candidates who list Security+ as their headline qualification and have no lab work, no projects, and no hands-on experience are not significantly more competitive than candidates with no certification at all. The certification signals that you can study for a test. The project work signals that you can do the job.
For GRC and compliance roles, consider adding CompTIA’s CySA+ as a next step, or look at ISACA’s entry pathway and the (ISC)2 Certified in Cybersecurity (CC), which is free to obtain and specifically designed as an entry credential. None of these substitutes for demonstrated experience, but they signal investment in the field.
Which Backgrounds Transfer Well and How to Frame Them
Your existing career is not a liability. Depending on what you have done, it may be one of your strongest assets.
IT support and help desk: This is the most direct path to a SOC analyst role. You already understand endpoints, ticketing systems, escalation procedures, and user behavior. Frame your experience around incident documentation, systems troubleshooting, and log analysis if you have had any exposure to it. The conceptual gap to security operations is smaller than it looks.
Networking and systems administration: People with Cisco, Juniper, or similar networking backgrounds have a natural path to security engineering — firewall administration, network segmentation, intrusion detection. Sysadmins with Linux experience are strong candidates for security engineering roles at organizations running Linux-heavy infrastructure. Frame your experience around access control, hardening, and any security tooling you touched.
Software development: Developers have a clear path to application security (AppSec) and DevSecOps. The ability to read code — in any language — and understand how applications are built is genuinely rare among security professionals. Frame your experience around any security-relevant work: input validation, authentication implementation, dependency management, code review. If you have never engaged with OWASP’s Top 10, start there immediately.
Legal and audit: Compliance-heavy backgrounds are strong for GRC and privacy roles. Frame your experience around risk assessment, regulatory interpretation, evidence documentation, and vendor management. If you have worked with contracts, data processing agreements, or regulatory filings, that experience translates directly to privacy and GRC work. The security vocabulary is learnable; the analytical and documentation skills you already have are harder to teach.
Accounting and finance: Risk quantification, internal audit, and controls testing are skills that map directly to security risk management and audit roles. GRC teams at large organizations frequently work alongside finance and audit functions. Frame your experience around controls frameworks, testing procedures, and documentation standards.
What Does Not Work
This section deserves directness.
Sending 500 generic applications: Volume without targeting does not work in security hiring. A cold application from a career changer with no security experience lands at the bottom of the stack every time, regardless of how many you send. The effort spent on 400 generic applications is better spent on 20 tailored applications to organizations you have actually researched, plus networking activity.
Collecting certifications without projects: A resume with Security+, CySA+, CEH, and SSCP and no lab documentation, no projects, and no hands-on experience is less competitive than a resume with Security+ and a well-documented home lab. Certifications are easy to verify and easy to fake by memorizing dumps. Projects are harder to fake and show actual skill.
Bootcamp certificates as a substitute for demonstrated skill: Bootcamp completion certificates are not credentials in any meaningful hiring sense. Some bootcamps provide good structure and community. None of them substitute for the hands-on practice, certification, and project work that hiring managers actually screen for. If you attend a bootcamp, treat it as a study environment, not a credential.
Targeting penetration testing as your entry point: If ethical hacking is your ultimate goal, the path runs through security operations first for most people. Plan to spend two to three years in SOC or security engineering work before actively pursuing penetration testing roles. There are exceptions, but building a direct path from no experience to penetration testing in 2026 is genuinely difficult and the competition from experienced candidates is significant.
The Job Search Reality
Most entry-level security hires do not come through cold applications to job postings. They come through internal referrals, MSSP recruiting pipelines, and staffing firms that specialize in security placements.
MSSPs — companies like Secureworks, Trustwave, Arctic Wolf, and dozens of smaller regional providers — are among the most active entry-level employers in the industry. They hire SOC analysts in volume and are more willing than enterprise security teams to take on people with limited direct experience who show the right aptitude. Many security professionals who have moved into enterprise roles started at MSSPs.
Staffing firms that specialize in IT security placements are worth engaging. Firms like Solutionz, CyberSN, and others focused on security placements have relationships with employers that career changers cannot easily replicate through cold applications.
LinkedIn connections with security professionals who work at your target organizations, attendance at local security meetups (BSides events, ISSA chapter meetings, ISACA chapter meetings), and engagement in security communities on Discord and Reddit all produce more actual interviews than most job board activity. This is not unique to security — it is how most hiring works — but it is worth stating plainly because the bootcamp pitch implies that a credential alone will open doors.
Salary Expectations
Entry-level security salaries in most US markets in 2026 are in the range of $50,000 to $75,000. Major metros (San Francisco, New York, DC) run higher — $65,000 to $90,000 is common for first security roles in those markets. Smaller markets and remote roles from rural areas tend to land at the lower end of the range.
SOC Tier 1 roles at MSSPs often start at $50,000 to $60,000. GRC analyst roles at mid-size companies tend to start slightly higher, often $60,000 to $75,000, because the pool of candidates with strong documentation and analytical backgrounds is somewhat smaller.
The six-figure security salary exists and is attainable — but it is typically three to five years and at least one or two role transitions away from your first security job. Planning your finances around that timeline, rather than the salary projections in bootcamp marketing materials, is the more realistic approach.
Starting Points for Week One
If you are reading this and deciding whether to pursue this path, the first week of serious effort looks like:
Create a free TryHackMe account and start the Pre-Security learning path. Set up a free VirtualBox installation on whatever computer you have. Read the NIST Cybersecurity Framework introduction document, which is publicly available at nist.gov and is thirty pages. Create a GitHub account and start a repository called “home-lab” or similar, even if it is empty. Find the nearest BSides event or local ISACA/ISSA chapter meeting and put it on your calendar.
None of those steps cost money. All of them put you further along than reading more blog posts about whether it is possible.
The field is real. The demand is real. The path is longer than the marketing says, and it requires more work than a certification alone. The people who make this transition successfully are not necessarily the most technical people in the room — they are the ones who stayed consistent long enough to build something demonstrable and then found their way in front of the right people.
That is the actual job.
This article is provided for informational purposes only. Salary data and market conditions change; verify figures with current industry surveys before making career decisions.