There Isn't One Path — There Are Six
"Cybersecurity" is not a job — it's a category. The six tracks that hire most consistently:
- SOC analyst / threat detection — alert triage, SIEM, IR. Strong entry path.
- AppSec / product security — code reviews, threat modeling, vulnerability remediation. Best for people with software engineering background.
- Cloud security — IAM, configuration, container hardening. Strong demand, fast-growing.
- Offensive security — penetration testing, red teaming, bug bounty. Hardest to break into; most romanticized.
- GRC (governance, risk, compliance) — policy, audit, framework work. Often overlooked, very hireable.
- Detection & response engineering — building the pipelines and detections that SOC analysts use. The fastest-growing track.
Pick one to start. You can move laterally later — the field rewards generalists, but you need depth somewhere first.
Which Certifications Are Actually Worth It?
Certs help with HR filters and visa applications, less so with hiring managers who can read a GitHub. The shortlist that meaningfully helps:
- Security+ (CompTIA) — broad foundation. Decent first cert.
- OSCP (Offensive Security) — hands-on offensive cert that hiring managers respect.
- CISSP (ISC²) — required for many senior roles, especially government/finance. Demands 5 years of experience.
- AWS / Azure / GCP security specialty — cloud-native employers care about these.
- Certified Kubernetes Security Specialist (CKS) — niche but valued.
"Five years in, your certs matter a lot less than your last three projects."