RoadmapsCybersecurity Analyst roadmap

Cybersecurity Analyst Roadmap

A cybersecurity analyst, especially at the entry level in a Security Operations Center (SOC), spends most of their actual day watching alerts come in from tools like a SIEM, figuring out which ones are real threats versus noise, and either escalating or responding to the real ones. It's less about hacking in the movie sense and much more about pattern recognition, systematic investigation, and knowing your environment well enough to notice when something looks wrong.

The reason this is one of the more accessible entry points into tech security is that the core skills, networking, Linux, and log analysis, are learnable without a computer science background, and the field has a real, sustained hiring gap that isn't slowing down. What separates candidates who get hired from the ones who don't is usually not certifications alone, it's whether they can actually explain how they'd investigate a suspicious alert step by step, which requires the practical, hands-on grounding this roadmap is built around rather than memorized definitions.

This path goes from networking and Linux fundamentals, which almost every other security skill depends on, through the security frameworks that structure how real teams think about threats, into the SIEM tools, log analysis and incident response skills that make up the daily work of a SOC analyst, and finally into vulnerability scanning, penetration testing basics and cloud security that round out a well prepared entry-level candidate.

Drag or scroll to explore, click a node to learn more · 11 sections · 21 courses · free and self paced

How to use this roadmap

  1. Don't skip networking or Linux even if they seem unrelated to 'security' at first glance, nearly every later section assumes this foundation and investigating a real alert without it is guesswork.
  2. Go through sections in order, security frameworks like MITRE ATT&CK make far more sense once you understand networking and Linux well enough to picture what an actual attack technique is doing.
  3. Each course's concepts are short, standalone lessons, treat them as a checklist to work through rather than one long reading session.
  4. Set up a home lab as you go, a free-tier SIEM instance and some sample logs will teach you more about log analysis in an afternoon than reading about it for a week.
  5. The certifications context section is there to help you plan, not to gate your progress, you can build real skills through this roadmap in parallel with or ahead of any certification study.
1

Cybersecurity Landscape

What a SOC Analyst Actually Does beginner: The real day to day of the role: triaging alerts, investigating, and escalating, not hacking in the movie sense.

  • SOC Structure & Tiers: How security operations centers organize analysts by experience level.
  • Defensive vs Offensive Security: Monitoring and responding versus simulating attacks with permission.
  • The Alert Triage Workflow: The general process of assessing whether an alert is a real threat.

The CIA Triad & Threat Landscape beginner: The foundational model for what security is actually trying to protect, and who the common attackers are.

  • Confidentiality, Integrity, Availability: The three core properties security aims to protect.
  • Threat Actor Types: Different categories of attackers and their typical motivations.
  • Common Attack Vectors: The typical ways attackers gain initial access to a system.
2

Networking Fundamentals

Networking Core Concepts beginner: How data actually moves between systems, the foundation nearly every other security skill depends on.

  • TCP/IP Model: The layered structure that describes how network communication works.
  • IP Addressing & Subnetting: How devices are identified and grouped on a network.
  • Common Ports & Protocols: The standard doorways services use to communicate.
  • DNS: How domain names resolve to IP addresses, and how it's abused.

Network Devices & Traffic Analysis intermediate: Reading and understanding the actual traffic flowing across a network.

  • Firewalls & Routers: The devices that control and direct traffic between networks.
  • Packet Capture Basics: Capturing raw network traffic for inspection with tools like Wireshark.
  • Reading Packet Data: Interpreting captured traffic to understand what's actually happening.
3

Linux & Systems Fundamentals

Linux Fundamentals for Security beginner: The command line and system knowledge underlying most security tooling and a large share of monitored infrastructure.

  • File System & Permissions: How Linux organizes files and controls access to them.
  • Process & Service Management: Viewing and controlling what's actually running on a system.
  • Command Line Log Access: Finding and reading system logs directly from the terminal.

Windows Fundamentals for Security beginner: The Windows-specific knowledge most corporate SOC environments assume, alongside Linux.

  • Windows Event Logs: The built-in logging system Windows uses to record system activity.
  • Active Directory Basics: How Windows environments manage users and permissions centrally.
4

Security Frameworks

NIST Cybersecurity Framework intermediate: The widely referenced structure organizations use to organize their overall security posture.

  • Identify, Protect, Detect, Respond, Recover: The five core functions the NIST framework is built around.
  • Risk Management Basics: How organizations prioritize which security gaps to address first.

MITRE ATT&CK Framework intermediate: The shared language for describing real attacker behavior that SOC analysts are expected to be fluent in.

  • Tactics & Techniques: The what and how of attacker behavior in the ATT&CK matrix.
  • Mapping Detections to ATT&CK: Connecting a specific alert to a known attack technique.
  • Using ATT&CK for Threat Hunting: Proactively searching for signs of known attack techniques.
5

Log Analysis

Log Analysis Fundamentals intermediate: Reading raw logs closely enough to spot what's normal versus what's actually suspicious.

  • Log Sources & Formats: Where security-relevant logs come from and how they're structured.
  • Normal vs Anomalous Activity: Establishing a baseline to recognize what actually looks wrong.
  • Correlating Multiple Log Sources: Connecting events across different systems to see the full picture.
6

SIEM Tools

SIEM Fundamentals intermediate: How security information and event management platforms centralize and correlate security data.

  • Log Aggregation: Collecting logs from many sources into one searchable platform.
  • Correlation Rules: Automated logic that flags combinations of events as suspicious.
  • Dashboards & Alerts: Visualizing security data and surfacing what needs attention.

Splunk Hands-On intermediate: Practical, query-level fluency in one of the most widely deployed SIEM platforms.

  • SPL (Search Processing Language): Splunk's query language for searching and analyzing log data.
  • Building Splunk Dashboards: Creating visualizations of security data for ongoing monitoring.

Microsoft Sentinel Hands-On intermediate: The cloud-native SIEM increasingly common in Azure-based environments.

  • KQL (Kusto Query Language): Sentinel's query language for searching security data.
  • Sentinel Analytics Rules: Automated detections configured to trigger alerts in Sentinel.
7

Threat Detection & Incident Response

Threat Detection Fundamentals intermediate: Turning raw alerts and logs into a confident judgment about whether something is a real threat.

  • Indicators of Compromise: Specific evidence that a system has been breached or compromised.
  • False Positive Triage: Efficiently ruling out alerts that aren't actually threats.
  • Alert Prioritization: Deciding which of many alerts needs attention first.

Incident Response Process advanced: The structured steps a team follows once a real security incident is confirmed.

  • IR Lifecycle: The standard phases from preparation through recovery and lessons learned.
  • Containment Strategies: Stopping an active threat from spreading further.
  • Evidence Preservation: Handling systems and data in a way that keeps evidence usable later.
8

Vulnerability Scanning & Penetration Testing Basics

Vulnerability Scanning Fundamentals intermediate: Finding known weaknesses in systems before an attacker does.

  • CVE & CVSS Scoring: How known vulnerabilities are identified and rated by severity.
  • Scanning Tools Overview: Common tools used to automatically detect known vulnerabilities.
  • Patch Management Basics: How organizations track and apply fixes for known issues.

Penetration Testing Basics advanced: Enough offensive security understanding to think like the attackers you're defending against.

  • Reconnaissance: Gathering information about a target before attempting access.
  • Exploitation Basics: How a discovered vulnerability is actually used to gain access.
  • Reporting Findings: Documenting discovered vulnerabilities clearly for remediation.
9

Cloud Security Fundamentals

Cloud Security Fundamentals intermediate: The security concerns specific to AWS, Azure and GCP that most organizations now rely on.

  • Shared Responsibility Model: What the cloud provider secures versus what the customer must secure.
  • Common Cloud Misconfigurations: The frequent, damaging security mistakes in cloud setups.
  • Cloud Identity & Access Management: Controlling who and what can access cloud resources.

Cloud Logging & Monitoring advanced: Extending the log analysis and SIEM skills you've built into a cloud environment.

  • CloudTrail & Cloud-Native Logging: How cloud providers log account and resource activity.
  • Cloud SIEM Integration: Feeding cloud logs into a SIEM for centralized monitoring.
10

Scripting for Security

Bash Scripting for Security Tasks intermediate: Automating repetitive log parsing and investigation tasks directly from the Linux command line.

  • Text Processing (grep, awk, sed): Filtering and extracting data from large log files quickly.
  • Writing Simple Automation Scripts: Turning a repeated manual task into a reusable script.

Python for Security Automation intermediate: Handling security tasks too complex for a shell one-liner, like parsing structured data at scale.

  • Parsing Log Files with Python: Programmatically extracting and analyzing data from logs.
  • Using Security APIs: Pulling threat intelligence or scan data from external services.
11

Certifications & Career Path

Certification Landscape Context beginner: Understanding where certifications like Security+ actually fit, without treating them as mandatory gates.

  • CompTIA Security+: A widely recognized entry-level general security certification.
  • Certifications vs Hands-On Skill: Why real lab experience matters alongside, not instead of, certs.

Not satisfied with the roadmap? Create your own!

Sage

Frequently asked questions

Not strictly required everywhere, but it's commonly listed as preferred or required in entry-level SOC job postings and is one of the most recognized credentials for this exact role. Building real hands-on skills through this roadmap matters more for actually doing the job well, but Security+ often gets your resume past an initial filter, so most people pursue both together.

Splunk has the longer market history and broader existing job demand, so it's a reasonable default to learn first, and Splunk offers a free trial suitable for learning. Microsoft Sentinel is growing quickly alongside broader Azure adoption, so learning it second, once Splunk's core SIEM concepts are comfortable, covers a wide range of employers without starting from scratch.

Yes, Linux knowledge is expected even in Windows-heavy SOC environments because a large share of the security tooling itself, SIEMs, scanning tools, and many servers being monitored, runs on Linux. Understanding both operating systems, not just the one end users see, is part of what makes an analyst effective at investigating an alert end to end.

A SOC analyst works defensively, monitoring for and responding to real attacks against an organization's systems on an ongoing basis. A penetration tester works offensively, but with permission, simulating attacks to find vulnerabilities before real attackers do. Most cybersecurity analysts start on the defensive SOC side, which this roadmap centers, with penetration testing basics included as useful context for understanding attacker behavior.

Most IT-adjacent beginners following this roadmap consistently reach a job ready level, including a home lab project and foundational certification study, in 4 to 7 months. Someone already coming from a help desk or general IT support background often moves faster on networking and systems fundamentals and can focus more time on the security-specific tools and frameworks.

You don't need to be a software developer, but basic scripting in Python and Bash is expected for automating repetitive log analysis tasks and parsing large volumes of security data quickly. It's a smaller, more targeted skill set than full software development, focused on practical automation rather than building applications.

MITRE ATT&CK is a structured, publicly maintained knowledge base of real attacker tactics and techniques observed in the wild, organized so defenders can map detections and alerts to known attack behavior. It's become close to a shared language across the industry for describing and detecting threats, which is why SOC analysts are expected to be fluent in reading and referencing it.

Cloud security fundamentals are increasingly expected of general SOC analysts, not reserved for a separate specialist role, since most organizations now run at least part of their infrastructure on AWS, Azure or GCP. You don't need deep cloud architecture expertise as an entry-level analyst, but understanding cloud-specific misconfigurations and logging is a common interview topic.

Entry-level SOC hiring rewards candidates who can walk through how they'd actually investigate a suspicious alert step by step, not the ones who can only recite definitions from a study guide. Working through this roadmap in order, and building a home lab where you practice detecting and investigating real attack patterns, is what turns this list of tools and frameworks into the practical instinct that gets you hired and effective on day one.