I have been in technology for 20 years and in cybersecurity for almost 10. I did not start in security. I started in network engineering and systems administration — the same place most people who are now asking how to get into cybersecurity are standing right now.
I did not go back to school. I did not do a bootcamp. I made a lateral move within the same company, leveraged the infrastructure knowledge I already had, and built the security-specific skills on top of it. That path is still the fastest and most effective route into the field in 2026 — and almost nobody talks about it honestly.
This guide is what I wish someone had handed me. No course upsells. No exaggerated salary claims. No generic advice you have already read a hundred times. Just the real picture from someone who is in it.
The state of the cybersecurity job market in 2026
There are currently more open cybersecurity positions globally than there are qualified people to fill them. Estimates put the global shortage at 3.5 million unfilled roles. That number has been growing for a decade and shows no sign of reversing.
This matters because it means the field is genuinely accessible to people coming from adjacent technical backgrounds. Employers are not turning away competent candidates over missing credentials — they are struggling to find anyone who can actually do the work.
AI is accelerating this. The threat landscape is expanding faster than the security workforce is growing. Organizations that used to get away with minimal security investment are now getting compromised and discovering they needed a security team three years ago. Demand is not slowing down.
"The skills gap is your opportunity. There are more open seats than qualified people to fill them. The question is not whether you can get in — it is how fast you can get ready."
Who this guide is for
This guide is written for three types of people. First, IT professionals — network engineers, sysadmins, help desk staff — who want to move into security. You have the strongest foundation and the clearest path. Second, people from adjacent technical fields — developers, cloud engineers, data professionals — who want to pivot. Your skills transfer more than you think. Third, complete career changers who are starting from scratch. The path is longer but it is walkable.
If you are in the first group, this guide will save you a significant amount of time and money. The lateral move is real, it works, and most of what you need to know you already know.
Why your IT background is your biggest asset
Security is fundamentally applied IT. You cannot secure what you do not understand. A security professional who does not understand how networks route traffic, how operating systems manage processes, or how applications communicate cannot effectively protect any of those things.
This is why the lateral move from IT to security works so well. Network engineers already understand the protocols that attackers exploit. Sysadmins already understand the systems that defenders need to protect. The security-specific knowledge sits on top of that foundation — it does not replace it.
When I made the move, I did not have to learn how TCP/IP worked, how Active Directory functioned, or how DNS could be abused. I already knew those things. What I had to learn was how attackers think, what they target, and how to detect and respond to their activity. That learning curve is significantly shorter than starting from nothing.
If you are currently in IT, you are not starting from zero. You are starting from somewhere around step three on a ten-step path. That matters.
The honest path — step by step
Certifications — what actually matters
The certification landscape is confusing and expensive. The training industry has every incentive to make you believe you need more certifications than you do. Here is the honest picture.
| Certification | Who it's for | Worth it? |
|---|---|---|
| CompTIA Security+ | Everyone starting out | Yes — do this first |
| CompTIA Network+ | Those without networking background | Yes — if you need it |
| Google Cybersecurity Cert | Complete beginners | Yes — good foundation |
| CEH | Pen testers | Debatable — OSCP is more respected |
| OSCP | Offensive security specialists | Yes — if pen testing is your goal |
| CISSP | Senior professionals moving to management | Yes — but not until you have 5+ years |
| Random vendor certs | Specific tool users | Only if your employer uses that tool |
The single biggest mistake I see people make is buying expensive certification courses before they have any hands-on experience. Certifications test knowledge. Experience builds knowledge. Do the lab work first. The certification follows naturally.
Hands-on learning resources that actually work
The best learning resources in cybersecurity are mostly free or very cheap. The expensive bootcamps are largely unnecessary for people coming from IT backgrounds.
TryHackMe is where most people should start. It has structured learning paths for beginners, guided rooms that walk you through specific techniques, and a progression system that keeps you moving forward. The free tier covers a significant amount of content. The paid subscription is around $14 per month and worth it if you are actively studying.
Hack The Box is the next step after TryHackMe. Less guided, more realistic, more challenging. This is where you go once you have the fundamentals and want to test yourself against real-world scenarios.
Professor Messer offers completely free Security+ study materials on YouTube. His course is genuinely excellent and used by a large portion of people who pass the exam. There is no reason to pay hundreds of dollars for a Security+ prep course when this exists.
The home lab — why it matters more than anything else
Every hiring manager I have spoken to over the past decade says the same thing: candidates who have built and broken things in a home lab stand out immediately. Not because the lab itself is impressive, but because the mindset it demonstrates is.
Building a home lab tells an interviewer that you are curious enough about security to pursue it outside of work hours. That you learn by doing, not just by studying. That you have already encountered the kinds of problems that come up in real security work and have thought through how to solve them.
The lab does not need to be expensive. A single machine running Proxmox or VirtualBox running two or three virtual machines is enough to get started. Set up a Windows Active Directory environment. Run a vulnerable Linux machine from VulnHub. Practice the attacks you are learning about on TryHackMe in your own controlled environment.
"The lab is where theory becomes skill. A certification tells an employer you know the material. A lab tells them you have actually used it."
AI and cybersecurity careers in 2026
The most common question I get from people considering a security career right now is whether AI is going to eliminate the jobs before they can get established. The short answer is no. The longer answer is more interesting.
AI is changing what security professionals do, not whether they are needed. Repetitive, rules-based tasks — log parsing, basic alert triage, signature-based detection — are being automated. That is freeing security professionals to do the work that actually requires human judgment: threat hunting, incident response, adversary emulation, strategic risk assessment.
The skills that are becoming more valuable as AI handles the routine work are exactly the skills that come from experience and genuine understanding — the ability to think like an attacker, to recognize patterns that do not fit known signatures, to make judgment calls under pressure. Those are not skills AI replaces. They are skills AI makes more valuable by eliminating the competition from less capable humans doing routine work.
If you are getting into security in 2026, learn to work with AI tools rather than around them. The professionals who will thrive are the ones who use AI to multiply their capabilities, not the ones who resist it.
What the job market actually pays
Cybersecurity salaries vary significantly by role, location, experience, and specialization. The numbers that get cited in marketing materials for bootcamps are typically the top end of the range, not the median. Here is a more realistic picture for the US market in 2026.
- SOC Analyst (Level 1): $55,000 — $75,000. Entry level, heavily process-driven, good place to start learning.
- SOC Analyst (Level 2/3): $75,000 — $110,000. More investigation, more judgment required.
- Security Engineer: $95,000 — $145,000. Building and maintaining security infrastructure.
- Penetration Tester: $90,000 — $150,000. Offensive security specialist.
- Security Architect: $130,000 — $180,000. Senior design and strategy role.
- CISO: $175,000 — $350,000+. Executive leadership, typically requires 15+ years.
The lateral move from IT into a junior security role typically involves a modest pay increase or a lateral salary move with significantly better long-term trajectory. Within two to three years of focused development in a security role, compensation typically increases substantially.
The mistakes people make getting into security
After almost a decade in the field and having hired security professionals at multiple levels, these are the mistakes I see most consistently from people trying to break in.
Collecting certifications without hands-on experience. A resume full of certifications and no evidence of practical application is immediately recognizable and immediately discounted. Build the lab. Do the CTFs. Have something concrete to show for your time.
Targeting the wrong first role. Penetration testing is what most people imagine when they think about cybersecurity careers. It is also one of the hardest specializations to enter without significant prior experience. SOC analyst, junior security engineer, and security operations roles are more accessible entry points that build the foundation for specialization later.
Skipping the fundamentals. Security is applied IT. If you are weak on networking, operating systems, or application architecture, address those gaps before focusing on security-specific knowledge. The fundamentals are not glamorous but they are what separates competent security professionals from people who have learned to talk about security without actually understanding the systems they are protecting.
Underestimating how transferable their existing skills are. This is the one I see most often from IT professionals. If you have spent years managing Windows environments, you understand Active Directory better than many junior security analysts. If you have spent years running network infrastructure, you understand routing and switching at a level that most security courses skim. Do not discount what you already know.
Where to start today
If you are reading this and wondering what to actually do next, here is the short version.
If you are in IT already: spend the next 30 days on TryHackMe working through the Pre-Security and SOC Level 1 paths. Then register for the Security+ exam with a date 60 days out. The deadline will focus your studying. In parallel, set up a home lab with whatever hardware you have access to. Start applying for internal security opportunities at your current company or lateral security roles at similar companies.
If you are starting from scratch: begin with the Google Cybersecurity Certificate on Coursera, which provides a solid foundation. Then follow the same path above. Budget 12 to 18 months for the full transition rather than the 3 to 6 months that bootcamps will tell you.
The field is genuinely accessible. The demand is real. The path is not as mysterious as the training industry wants you to believe. Put in the work, build real skills, and the opportunities will be there.