Getting your first cybersecurity job will undoubtedly be the hardest of all the cybersecurity jobs you will get throughout your career.
I've applied to hundreds, if not thousands, of jobs so far, and I certainly didn't get most of them; in fact, I was rejected from most of them, which is entirely normal.
Most of the jobs I’ve had have been obtained through referrals and my network, rather than through applications, but that’s a topic for another day.
The thing is this: with each rejection, I learned something new, like an area of interviewing that I could improve upon or a skill set that I was missing, and with each application, I became a better and better candidate, landing various jobs, including my current one as a Security Engineer at Amazon.
About Me
If you're new here, I'm Day, a Cybersecurity Engineer at Amazon. With five years in cybersecurity, my experience covers Detection Engineering, Cloud Security, Incident Response, Threat Hunting, and most recently, Threat Intelligence.
Before Amazon, I worked at Datadog as a cloud threat detection engineer, where I researched cloud threats and built detections for various cloud providers and SaaS applications.
I've worked my way up from various SOC analyst roles, investigating everything from endpoint threats to building detection systems for cloud-based abuse, so I know exactly what it takes to break into this field and make career advancements.
I started, just like many of you, learning from scratch, asking questions, and figuring it out one step at a time. And now, I'm here to help you do the same.
If you want to stay up-to-date on the cybersecurity industry and everything technical and career-related, be sure to like and subscribe to the newsletter for more content like this.
Join a vibrant cybersecurity community of over 6,000 people who are constantly engaging in conversations and supporting one another, covering topics from cybersecurity and college to certifications, resume assistance, and various non-professional interests like fitness, finance, anime, and other exciting subjects.
My Personal Experience and Advice
I'd like to start by sharing with you my experience of applying to a bunch of jobs, combined with my years of experience working in the cybersecurity industry and exposure to lots of colleagues, recruiters, and hiring managers, so that I can give you my take on how you should apply for cybersecurity jobs, depending on how much relevant experience you have.
For each stage, I'll focus solely on the most critical aspects, such as having a strong resume, an irresistible portfolio, the right technical and problem-solving skills, and an optimized LinkedIn profile, as these will serve as a good baseline to start from.
That’s when your career starts to gain direction.
Please note that I use 'Stage' and 'Level' interchangeably for the remainder of this newsletter.
Level One: No Relevant Experience and No University Degree
Let's start with Stage One, where you have no relevant experience, no university degree, and no cybersecurity certification.
I'm not going to lie; this is a very challenging starting position, but if you're truly determined to become a cybersecurity professional, there are several steps you can take to achieve your goal.
Your number one priority should be to gain hands-on, relevant experience.
Depending on your age, I recommend pursuing different activities.
Say, if you're in high school, and you don't want to go to or cannot go to college for whatever reason, you could apply for apprenticeships or training programs available at your school.
These programs are typically designed for students nearing the end of high school, such as those in 11th or 12th grade, or for those who have recently graduated from high school. Most large corporations offer similar programs.
The names of these programs might differ by country, state, or the program itself; they might be called apprenticeships or training programs, but the idea is the same:
To allow you to develop your skills
Get real-life experience
Get paid enough at the same time
Even if you don't go for a specific cybersecurity apprenticeship program, as long as you work with technology, systems, or networks as part of the role, you should be fine.
You could use these programs as a stepping stone to accelerate your journey to become a full-time cybersecurity professional at a very young age.
Now, if you're not in high school and you've been stuck in another job that you don't like and are super interested in data analytics, I'd recommend focusing on
Learning the technical skills required
Getting well-known and knowledge-dense certifications
Building a strong portfolio to showcase your skills
Writing a great resume
Optimizing your LinkedIn profile (more on this later in the newsletter).
I’ve already created video guides on how to optimize your LinkedIn profile and write a resume, as well as various cybersecurity portfolio projects, where I go through everything in detail.
However, as a quick summary, I'd start by learning the basics through the CompTIA Trifecta curriculum, then pursue a program like the Google Cybersecurity Certificate or Microsoft Cybersecurity Certificate, and finally decide on the path you want to take.
You can choose either the Offensive or Defensive side of Cybersecurity. Then, I recommend completing labs, projects, and certifications to reinforce this.
You can also learn a programming language of your choice. I'd personally recommend Python.
In terms of certifications, I can primarily speak to defensive ones, so you can opt for well-known ones, such as the BTL1 from Security Blue Team, the CCD from CyberDefenders, or the CDSA from HackTheBox.
I’ve made several videos about these certifications on my channel.
For offensive security, based on a conversation with my friend Tadi, who’s an Offensive Security Engineer, you can go for certifications like the eJPT from eLearn Security, the PNPT from TCM Security, or the OSCP from Offensive Security.
You can watch more about how he got into offensive security, just like me, without a college degree.
I have already put together a cybersecurity learning framework that you can review at the end of this newsletter.
I've personally gone through everything at this stage because I got into cybersecurity as a college freshman without a degree, so I can relate to this, and I believe others can too. If you're currently teaching yourself cybersecurity while in college or another situation, feel free to share your feedback in the comments below.
I'm sure we'd all appreciate hearing your thoughts and insights.
Level Two: No Relevant Experience, But Have a University Degree
Moving on to stage two, where you still lack relevant experience but have a college degree. Here, depending on whether you just graduated, are about to graduate, or graduated over three years ago, I would approach applying for jobs differently.
If you're about to graduate or are a recent graduate, focus on applying to graduate job programs designed for those in their final year of higher education or recent graduates.
While you probably won't find a cybersecurity-specific graduate program, getting into a program that helps you develop technical skills would be ideal.
I know several people who transitioned into cybersecurity this way; it often makes the process easier.
Graduate job programs are beneficial because they typically involve placements lasting six to twelve months and include rotations that provide valuable experience. This allows you to work in various teams and departments, helping you determine what you want to do by learning what you don't want to do.
If you graduated a while ago, pursued something else, traveled, or life led you in a different direction, and now you want to pursue a career in cybersecurity, I recommend focusing on the cybersecurity roadmap, your resume, portfolio, and certifications outlined in Stage One.
Also, highlight your degree, especially if you studied relevant fields such as computer science, cybersecurity, IT, or Information Systems, or took courses related to cybersecurity.
Level Three: Some Relevant Experience
Let's move on to stage three, where you have some relevant job experience.
For example, in your current role, you handle Identity and Access Management and work with endpoints or vulnerability scanners daily, or you might be involved in governance, compliance, or similar areas.
You may not be performing advanced cybersecurity tasks, but you're actively working within the security field.
For instance, if you're a systems administrator managing user access controls, your duties may differ from those of a cybersecurity analyst; however, you still utilize tools to manage user privileges and create reports for IT meetings and presentations.
This is valuable experience to highlight at the top of your resume.
However, since you're applying for a cybersecurity role, emphasize the security aspects of your work that support system integrity rather than just your general IT skills.
Network management skills are essential and necessary in cybersecurity; however, since they are not the primary focus for recruiters and hiring managers, don't place them at the top of your resume.
Instead, showcase how well you understand the security implications of user permissions and how effectively you can communicate security threats using data to a non-technical audience, rather than your overall communication skills or IT reporting abilities.
Level Four: Plenty of Relevant Experience
Finally, level four, where you have substantial relevant experience and are looking to transition into cybersecurity by applying the skills you've gained throughout your career.
Let's use a specific scenario, based on personal experience, to demonstrate how you can apply your existing skills to cybersecurity. I
I have coached someone who worked as a systems administrator, managing various systems, networks, and security protocols daily.
Their focus was on identifying potential vulnerabilities in the network, managing access controls, ensuring security protocols were in place, and reviewing network packet captures using Wireshark for analysis.
Although the role was not explicitly cybersecurity-named, the skills they developed over the years were highly applicable to cybersecurity tasks, such as reviewing system logs for anomalies or intrusions, implementing security measures, and developing strategies to mitigate threats.
If you're in a similar position where your skills are transferable to cybersecurity, I would highlight this relevant work experience at the top of your resume.
Concluding Advice and Encouragement
Now, this is probably the most crucial advice, whether you have no experience or a lot, it's not to give up.
It may sound cliché, but the difference between successful and less successful people isn't really their ability to succeed; it's their ability to bounce back from defeat, failures, and rejections, to work hard, and to improve and grow.
I’ve been rejected over a hundred times, maybe even over a thousand, and the first rejection really hurt, so did the second, the tenth, and the hundredth.
Of course, these rejections affected me; it was a sad, frustrating, and discouraging experience.
I thought, "This is not fair; I'm clearly doing my best as an entry-level candidate. I've got the certificates, the projects, everything," but that was definitely the wrong mindset.
The moment I stopped dwelling on the rejections and started analyzing why I was rejected and how I could improve so it wouldn't happen again, everything changed.
I focused, pushed through, and worked tirelessly. It's this work ethic, the countless hours of learning, the days spent alone in my room, forgoing pleasures, building and sharpening my skills, that landed me my job and helped me grow quickly.
Don't dwell on the past; live in the present, and focus on the future. Another thing I’ve learned is to stop comparing myself to others; I'm just trying to do my absolute best and be a good person.
Everything I've achieved since leaving Nigeria at age 14 has come through my hard work and the grace of my Lord and Savior, Jesus Christ, and I am truly proud of it.
I hope you can take inspiration from my experience and continue moving forward.
Remember, it's not success that defines you. It's your ability to bounce back from failures that truly shapes who you are.
Recent Content
A few publications I’ve released recently.
Building A Cyber Threat Intelligence Career with Nigel Boston | EP 26
Chatting with Nigel Boston, who is a Senior Cyber Threat Intelligence Professional. Nigel has built and led threat intelligence programs that reduce incident response times, operationalize threat intelligence, and automate workflows to help teams focus on what matters: staying ahead of the threat curve.
In this episode, we discuss how Nigel discovered cyber threat intelligence and carved a path into the field, what core security skills make a difference in Cyber Threat Intelligence, and how threat intelligence intersects with detection engineering, cloud security, and even AI.
We also dive into the future of threat intelligence, the rise of actionable intelligence, and his new course, Cyber Threat Intelligence Fundamentals, with Ellington Cyber Academy (ECA), which is a game-changer for anyone looking to break into the space.
We’ve also had Kenneth, the founder of ECA, in EP 10, so definitely be sure to check that out.
Whether you're new to cybersecurity or looking to elevate your threat intelligence, this conversation is packed with clarity, strategy, and real-world wisdom.
Quick side note: This episode was filmed in November 2024, so you can expect to see me with shorter hair.
Detection-In-Depth
A guest post on THOR Collective Dispatch!
Also featured on the tl;dr sec newsletter issue #282 under the blue team section, and as a Detection Engineering Gem in issue #112 of the Detection Engineering Weekly Newsletter!
I explore the mindset of detection-in-depth, which is first a play on the existing “defense-in-depth” concept, outlining a strategy where defenders aim to catch adversaries across every stage of their attack, not just during initial access.
It walks through:
- Why detection-in-depth means catching adversaries at every stage, not just the first or somewhere in the middle.
- The importance of tuning OOTB rules for the context and uniqueness of your environment
- How precision and not just coverage make alerts more effective
This one’s for security engineers, IR folks, and anyone who’s ever looked at an alert and thought, “This could be better.”
Career Quest: Cybersecurity Careers with Day Johnson
I had the pleasure of sitting with students from my Alma mater (WGU) and sharing with them about Cybersecurity career pathways.
Getting Your First CYBERSECURITY Job - College, Certifications & Work Experience
The YouTube version of this post!
Closing
Once again, you made it this far :)
Feel free to reply, share your thoughts, or pass this on to someone who needs it.
Thanks for reading. If you'd like, you can subscribe and restack - it helps spread the word and encourages me to continue writing content. If not, I’ll see you around…somewhere on the internet!
Share this post