Career Change Guide: How to Transition Into a Cybersecurity Analyst Role

Most cybersecurity guides treat every reader the same way - as if a business operations manager and a DevOps engineer both need to start with the same YouTube playlist.
Dominic Monn
Dominic is the founder and CEO of MentorCruise. As part of the team, he shares crucial career insights in regular blog posts.

TL;DR

  • The near-universal entry role is SOC Analyst. Pen testing and AppSec come after, not before.
  • Non-tech entrants (operations, IT support, compliance, business roles): 9-18 months to a first role with consistent effort. Cert ladder: CompTIA IT Fundamentals+ (optional) → Security+ → CySA+.
  • In-tech entrants (DevOps, SWE, SRE): 3-9 months with targeted certs. Skip foundations; focus on specialisation.
  • Every track requires lab evidence - a documented incident response exercise or portfolio artifact is what closes the offer, not the cert alone.
  • A mentor's job isn't to teach you what's in the study guide. It's to tell you which cert to do next given your specific background, and whether your portfolio artifact will actually get you interviews.

What kind of transition are you making?

Cybersecurity roles vary widely - SOC Analyst, IAM Engineer, GRC Analyst, AppSec Engineer, Pen Tester. The transition depends almost entirely on starting point. Non-tech and in-tech paths to the same destination look different in foundational requirements, cert ladders, and timelines. Before the roadmap gets specific, you need to identify your starting point.

For non-tech readers transitioning into cybersecurity

If you're coming from operations, IT support, compliance, or a business role, the path into cybersecurity isn't starting from scratch - it's repositioning skills you already have. The three entry-level sub-specialties most accessible to non-tech entrants are GRC Analyst, SOC Analyst (Tier 1), and IAM Support Analyst. The mistake I see most often is people assuming they need to become developers before they become security analysts. They don't.

In recent MentorCruise applications, cybersecurity is one of the most-requested domains - and career changers are a major sub-group. The patterns I keep seeing: IT support professionals moving into IAM roles, business operations managers moving into GRC, and tech-adjacent people like QA engineers looking for a structured path into security. What these transitions have in common is that the people who succeed don't start from zero - they start from where they are and build the technical layer on top.

The most important thing to know about Security+ - the standard entry cert for SOC Analyst roles - is that it doesn't require a programming background. The foundational networking layer (TCP/IP, DNS, firewalls, basic OS knowledge) is what you're building first. That's learnable in weeks, not years. Find an information security mentor who can help you map your specific background to the right sub-specialty before you commit to a cert sequence.

For in-tech readers moving laterally into cybersecurity

If you're already in tech - DevOps, SWE, SRE, systems engineering - you're not starting from zero on fundamentals. Networking, scripting, Linux, and systems knowledge transfer directly. The move is a specialisation, not starting over - your existing systems knowledge is the foundation security thinking builds on. The three natural mapping paths are: DevOps into SecOps or cloud security, SWE into AppSec, and SRE into security engineering.

The in-tech mistake I see consistently is trying to break into pen testing before getting SOC experience. The market signal is Blue Team first. In recent MentorCruise applications, one pattern keeps coming up: in-tech professionals who have genuinely relevant experience but don't know how to position it for a security hiring manager. The skills are there. The framing isn't. Connect with a DevOps mentor if your current stack sits in that lane and you want help mapping the transition.

Current background | Natural move | Entry role target
DevOps / platform engineering | SecOps, cloud security | Cloud Security Analyst, SecOps Engineer
SWE / software engineering | AppSec | Application Security Engineer
SRE / reliability engineering | Security engineering | Security Engineer
IT support / helpdesk | SOC, IAM | SOC Analyst Tier 1, IAM Support Analyst

The skills you actually need (and what transfers)

Every cybersecurity analyst role - SOC, GRC, AppSec, IAM - shares a foundational layer: networking fundamentals, OS knowledge (Windows and Linux), threat detection basics, and incident documentation. The divergence is in what you build on top of that layer, and how much of it you already have from your prior role. This section maps what transfers and what you need to build.

For non-tech readers: skills that transfer into cybersecurity

If you've worked in operations, finance, legal, compliance, or IT support, you already have the foundation for GRC and SOC roles. Process documentation, risk awareness, regulatory language, and systematic thinking all transfer directly. What you're building is the technical layer on top. The sequence is: networking fundamentals → OS basics → your first cert.

You don't need to code before you start. The most common misconception I see among non-tech career changers is the assumption that writing code is a prerequisite. GRC Analyst and SOC Tier 1 roles don't require it. What they require is the networking layer - and that's buildable in weeks, not years.

Transferable skill from prior role | Sub-specialty it feeds
Process documentation | GRC Analyst
Risk awareness, regulatory language | Risk/Compliance Analyst
Communication, escalation handling | SOC Tier 1
Operational workflows, ticketing | IAM Support Analyst
Data analysis, reporting | Threat Intelligence Analyst (mid-level)

For in-tech readers: what transfers and what gaps bite

If you're coming from DevOps or SWE, you already know how systems break. That's the foundation of security thinking. What you're missing is the adversarial framing - explicitly thinking about how an attacker would move through the system you just built. The fastest gap to close is incident detection and response, not scripting or networking. You already have those.

The adversarial mindset check: before investing in certs, ask whether you can trace how an attacker would move laterally through the last system you built. If the answer is vague, that's the gap the cert and evidence phase addresses. It's a framing gap, not a skills gap - and it's the fastest gap to close. Thinking like an analyst means modelling attacker behaviour, not just hardening your own systems.

Four gaps I see in-tech applicants underestimate:

  • SIEM fluency - if you've never worked in a dedicated SOC tool, the operational rhythm is different from what most engineers expect
  • Blue team mindset - most engineers think about building and hardening; SOC work is about detection and response, which is a different orientation
  • Documentation for audit context - security documentation isn't like an engineering runbook; it's written for compliance reviewers, not your teammates
  • Regulatory context for GRC paths - if the goal is compliance or governance, this entire layer is genuinely new territory

Your certification roadmap

The cert landscape in cybersecurity is crowded and expensive. The most common mistake is collecting certs in the wrong order, or spending six months on a cert that doesn't move your specific application forward. The ladders below are sequenced by starting point - non-tech and in-tech entrants follow different paths to the same hiring bar.

For non-tech readers: the CompTIA path into SOC

If you're transitioning from a non-tech background, the cert sequence I'd follow is: CompTIA IT Fundamentals+ (optional, for true zero-tech baselines) → CompTIA Security+ → CompTIA CySA+. Per CompTIA's published cert pathway, Security+ is the gate to SOC Analyst roles - most postings list it as preferred or required. CySA+ builds the analyst layer on top. Security+ is the gate, not the finish line. It gets you to interview. Lab evidence closes the offer.

Per cert, here's what you're looking at:

  • CompTIA IT Fundamentals+ (optional) - 4-6 weeks of study from a zero baseline, approximately $130. Gets you to Security+ study-ready if networking and OS concepts are genuinely unfamiliar.
  • CompTIA Security+ - 8-12 weeks of consistent study. Approximately $400. The cert most SOC Analyst job postings list as required or preferred. Unlocks the majority of entry-level applications.
  • CompTIA CySA+ - 8-10 weeks after Security+. Approximately $400. Analyst-specific: threat detection, vulnerability management, incident response. Moves your application further.

Cert-gate checkpoint: Security+ passed means Pearson VUE exam completed with a passing score. That's the verifiable milestone. Not "I've been studying for two months." The certificate exists.

For in-tech readers: skip the ladder, pick your specialisation

If you're already in tech, you can often pass Security+ without a study course - test yourself before paying for one. The actual cert investment is in the specialisation layer. Per CompTIA's published cert pathway and industry role requirements, the fork is: where does your current tech stack point? That's your cert target.

  • CySA+ for SOC/Blue Team - if your goal is defensive security operations and threat detection
  • AWS Security Specialty or Azure Security Engineer for cloud security - if your background is cloud or DevOps
  • OSCP if pen testing is the long-term goal - but this is an advanced track, two to three years of SOC or adjacent experience first

The hardest decision isn't which cert to study - it's whether your application narrative connects your existing experience to the security role. A study guide can't run that analysis. That's the review a mentor runs.

Specialisation milestone: the verifiable checkpoint is a completed mentor gap-analysis session, a selected cert with a target exam date, and a documented study plan. "I'm thinking about CySA+" isn't a milestone. A booked exam date is.

Current background | Recommended cert | Entry role target
DevOps / cloud | AWS Security Specialty or CySA+ | SecOps / Cloud Security Analyst
SWE / software engineering | Security+ + GWAPT or OWASP training | AppSec Engineer
SRE / reliability | Security+ + cloud security cert | Security Engineer
IT support | Security+ → CySA+ | SOC Analyst Tier 1, IAM Support

One hard note for in-tech readers: pen testing is not a first role. The market signal on OSCP is that it's an advanced-track cert for people who have already spent time in SOC or Blue Team roles. Applying to pen testing positions as a first security role almost never works. The path runs through SOC first.

Building your evidence layer (labs, projects, portfolio)

The cert tells hiring managers you studied. The lab tells them you can do the work. Every cybersecurity analyst application that converts at offer stage has at least one documented artifact - a write-up of an incident response exercise, a SIEM detection rule, or a vulnerability assessment. The cert gets you the interview. The artifact closes the offer.

If you're coming from non-tech: start with a cloud-based lab - TryHackMe or HackTheBox's beginner track. No hardware required. Both run in a browser. Three completed rooms give you enough experience to write your first artifact.

If you're already in tech: extend your existing environment with dedicated security tooling - Splunk free tier, ELK Stack, or a dedicated SIEM VM. You're not starting from scratch; you're adding a security layer to infrastructure you already understand.

Three portfolio artifact types that move applications:

  1. An incident response write-up - document a simulated alert-to-escalation exercise. Walk through severity triage, affected systems, what you did and why. This is the artifact most SOC Analyst interviews ask to see.
  2. A detection rule documented in your SIEM - a Splunk alert rule or an ELK detection with the logic explained. Shows you can operationalise threat detection, not just study it.
  3. A vulnerability assessment report on a test environment - using a tool like Nessus or OpenVAS on a home lab VM. Shows you can identify, document, and prioritise vulnerabilities.

Put these on GitHub. The URL is the evidence. "I've done this work" without a public artifact is invisible. The most common reason applications stall after the first cert is candidates who have studied but can't point to anything they've built.

Two milestones: (1) lab running - at least three TryHackMe/HackTheBox rooms completed (non-tech track) or a dedicated SIEM in your existing environment (in-tech track); (2) one public GitHub artifact reviewed by a mentor for hire-readiness.

The entry role - what it actually looks like

SOC Analyst is the near-universal first hired role in cybersecurity. The day-to-day reality is alert triage, log analysis, and escalation - not the cinematic version where you're stopping live attacks in real time. It's methodical, detail-oriented work with a steep learning curve in the first six months.

Here's an ordinary sequence from a typical shift: an alert arrives in the SIEM, you triage severity and identify affected systems, you either escalate to Tier 2 or close and document as a false positive, then write the incident report. Repeat.

On compensation, per US Bureau of Labor Statistics salary data and current industry surveys: entry-level SOC Analyst in the US runs $60,000-$80,000. Mid-level runs $90,000-$120,000. UK equivalents: approximately £35,000-£55,000 at entry, £55,000-£80,000 at mid-level. The investment in the cert-and-lab sequence pays back quickly once you're in the role.

What the role isn't: it's not pen testing from day one. It's not guaranteed remote - some SOC roles, particularly in finance and government, are on-site. It's not slow-paced. The first six months in a SOC role will teach you more about threat detection than a year of self-study.

If you're coming from non-tech: the realistic timeline to a first SOC Analyst role is 9-18 months with consistent weekly effort. That means the cert sequence, the lab work, and the application process all running in sequence, not in parallel.

If you're already in tech: 3-9 months is achievable with focused cert and portfolio work. The foundational layer is already there; you're adding the security-specific layer on top.

On application positioning:

If you're coming from non-tech: your application emphasises cert progression and lab artifacts - the evidence that you built the technical layer deliberately.

If you're already in tech: your application emphasises transferable experience and specialisation - connecting your existing systems knowledge to the security role, not hiding it.

Common roadblocks (and where a mentor changes the equation)

The most common reason cybersecurity transitions stall isn't a skills gap - it's cert-chasing without a portfolio, and applying before the evidence layer is hire-ready. The people who break through are almost always the ones who had someone reviewing their progress at the checkpoints, not just at the end.

Four named roadblocks:

  1. Cert-chasing without portfolio artifacts - accumulating Security+, Network+, and CySA+ without a single public artifact to show for it. Certs signal study. Artifacts signal application. Hiring managers want both.
  2. Applying too early - submitting before the portfolio is hire-ready. In my experience, applications with a documented GitHub artifact get further than applications without one. Hiring managers at the SOC Analyst level are screening for evidence of application, not just evidence of study.
  3. Wrong sub-specialty targeting - aiming for pen testing as a first role. The market signal is Blue Team/SOC first. This is the single most common mismatch I see in cybersecurity applications.
  4. Imposter syndrome disguised as "I need one more cert" - the loop that keeps people in study mode indefinitely rather than building and applying. More study is sometimes the right answer. Often it isn't.

If you're coming from non-tech: the hidden roadblock is usually the foundational networking layer. It feels basic, but it's what Tier 1 SOC interviews test hardest. The candidates who stall are almost always the ones who skipped it.

If you're already in tech: the roadblock is usually positioning. Your application doesn't connect your existing experience to the security role clearly enough. The skills are there. The narrative isn't.

If you're looking for a path that doesn't require hands-on lab work, cybersecurity analyst roles aren't it. Every hiring manager at the SOC Analyst level expects to see lab evidence. Certs without artifacts signal study without application.

Getting cybersecurity coaching from someone who's made the transition isn't about being taught what's in the study guide - I've seen too many people pay for exactly that and get nowhere. It's about having someone review your portfolio artifact and tell you it's hire-ready before you apply, and tell you which cert to skip because it won't move your specific application. We accept fewer than 5% of mentor applicants at MentorCruise, so every mentor on the platform has cleared that bar.

Tools, mentors, and next steps

The tools aren't the bottleneck. What most transitions lack is a human checkpoint - someone who reviews where you are in the sequence, tells you what the hiring bar actually looks like from the inside, and confirms your portfolio is ready before you apply.

Here's what you actually need:

Lab platforms:

  • TryHackMe - browser-based, no hardware required. Start here if you're coming from non-tech.
  • HackTheBox - more advanced, structured tracks for in-tech readers who want depth faster.

SIEM exposure:

  • Splunk free tier - standard in industry; worth learning SPL before you're in a role.
  • ELK Stack (Elasticsearch, Logstash, Kibana) - open source alternative, widely used in cloud-native environments.

Cert prep:

  • CompTIA CertMaster (official) - the study resource for Security+ and CySA+.
  • Professor Messer's Security+ course - free, thorough, the most-cited free resource.
  • TryHackMe SOC path - combines lab work and conceptual grounding in a structured track.

If you're transitioning into a cybersecurity role, finding a mentor who's already done the jump cuts years off the curve. The hardest part isn't the certs - it's knowing which cert to do next given your specific background, and whether your portfolio artifacts are actually hire-ready. Browse cybersecurity mentors on MentorCruise - we accept fewer than 5% of mentor applicants, so every mentor on the list has cleared the bar. 97% of mentees say the experience was worth it. There's a 7-day free trial if you're not sure.

For deeper coverage: the DevOps Engineer career change guide covers the DevOps-to-SecOps overlap in more detail, and the Cloud Engineer (AWS) guide maps the cert and role landscape for cloud security specifically. In the meantime, Career Transition coaching on MentorCruise is worth a look if you're still mapping out your path.

FAQs

How long does it take to become a cybersecurity analyst?

Non-tech entrants should plan for 9-18 months with consistent weekly effort. In-tech entrants (DevOps, SWE, SRE) can get there in 3-9 months with focused cert and portfolio work. "Done" in both cases means Security+ passed, a lab environment running, at least one documented portfolio artifact on GitHub, and an application that a hiring manager would actually call back. Consistent effort means 8-10 hours per week minimum - not the occasional evening.

What certifications do I need to become a cybersecurity analyst without a tech background?

Per CompTIA's published cert pathway, the sequence for non-tech entrants is: CompTIA IT Fundamentals+ (optional, for true zero-tech baselines) → CompTIA Security+ → CompTIA CySA+. Security+ is the gate to SOC Analyst applications - most job postings list it as preferred or required. Study time runs approximately 8-12 weeks per cert with consistent effort. IT Fundamentals+ isn't required if you already have some networking or OS familiarity.

Can I get into cybersecurity from a completely non-technical background?

Yes. GRC Analyst and SOC Analyst Tier 1 are the most accessible entry roles, and neither requires a programming background. The foundational networking layer - TCP/IP, DNS, firewalls - is required, but you can build it in a few weeks of focused study. Skills that transfer directly: process documentation maps to GRC Analyst work, risk thinking maps to compliance roles, and communication and escalation handling map to SOC Tier 1. The technical layer is what you're building - not replacing the experience you already have.

What's the difference between a SOC Analyst and a penetration tester - and which should I aim for first?

SOC Analyst is the entry role. It's defensive security - alert triage, log analysis, incident documentation. Penetration testing is advanced-track, typically requiring 2-3 years of SOC or adjacent experience first. If pen testing is the long-term goal, the path runs through SOC first - that's where you build the understanding of what you're actually testing against. Applying to pen testing roles as a first security role almost never works. Most job postings require prior SOC or Blue Team experience.

Do I need a computer science degree to become a cybersecurity analyst?

No. The cert pathway (Security+ and CySA+) functions as the credential signal in lieu of a degree for most SOC Analyst roles. Some enterprise and government roles list a degree as preferred, but lab evidence, certs, and demonstrated hands-on experience offset this in most hiring contexts. The portfolio artifact is doing the work a degree would otherwise do: it proves you can apply what you've learned, not just that you studied it.

How does a cybersecurity mentor help compared to a self-study course?

A study course teaches you what's in the cert guide. A mentor reviews your specific situation - your background, your portfolio artifacts, your application narrative - and tells you what to do differently. The most common outcome I see is someone who was about to take the wrong cert, or apply to the wrong role, and a single mentor session redirected them. You can't get that from a study guide.
