The Cybersecurity Roadmap for 2026: Where to Start, Where to Go, and What Actually Matters

On the attack side, AI has lowered the bar significantly. Phishing that used to take days to craft gets generated at scale now. Reconnaissance that needed manual hours gets automated. If you’re on defense and you don’t understand how those campaigns are put together, you’re already a step behind.
Cybersecurity is not one job. Most people getting started treat it like it is, and that’s where the confusion begins. The field covers dozens of roles that have almost nothing in common — a SOC analyst and a reverse engineer both work in “cybersecurity” the same way a GP and a surgeon both work in “medicine.”

What the Field Actually Contains

None of it sounds exciting. But practitioners who’ve actually internalized this stuff have a permanent advantage. When something unfamiliar shows up — a new technique, a new platform — they can reason about it. Everyone else is waiting for a tutorial.
If you’re entering cybersecurity right now, AI isn’t just a threat you’ll defend against — it’s changing what the job actually looks like day to day.
Take Nmap as a concrete example. Most people learn it as a command to run. The ones who go further understand what it’s actually doing — what packets it sends, how it interprets silence, what it can and can’t infer about a target. That depth, built around something as fundamental as network enumeration, is what separates practitioners who adapt from those who stay permanently dependent on someone else’s cheat sheet.

Start With Foundations That Don’t Expire

One last thing: this field never lets you stop learning. Attackers are always looking for new angles. The people who last are the ones who find that interesting rather than exhausting.
Start with the fundamentals — and actually learn them, not just skim past them to get to the interesting stuff. Networking, operating systems, basic application security. The goal isn’t to pass a test. It’s to understand what’s actually happening so that when something behaves unexpectedly, you can reason through it instead of Googling for a fix.
Networking is non-negotiable. How TCP/IP works, how DNS resolves, how traffic routes between networks. Not the theory — the actual behavior. What happens when a packet hits a firewall. Why some ports respond and others don’t. Operating systems too: how Windows and Linux manage processes, memory, access controls, and authentication. And application security basics — how web apps handle sessions and user input, and what breaks when those mechanisms are rushed or misconfigured.
Cloud security certs from AWS, Azure, and GCP are increasingly relevant too. Most cloud infrastructure lives on one of those three platforms now, and the misconfigurations that turn into breaches — overly permissive IAM roles, forgotten storage buckets, trust relationships nobody looked at in three years — are specific enough to each platform that knowing your way around them actually matters.
A portfolio of real work beats a cert list every single time in a technical interview. A cert tells someone you passed a test. A write-up of a lab you actually broke into shows them how your brain works.

Certifications: What They Signal and What They Don’t

Then there’s cloud and AI security, which has grown fast enough to become its own discipline. IAM misconfigurations, SaaS integration risks, AI agent governance — these are real specializations now, not just buzzwords. Most people don’t stay in one lane forever, and that’s fine. The ones who grow quickly are usually curious enough to poke at things outside their main area — not to become generalists, just to know enough to not be blind.
Knowledge-based certs — Security+, CISSP, CEH — test familiarity with concepts through multiple choice. Useful early on, especially for governance or compliance roles. But they don’t prove you can actually do anything.
Performance-based certifications are different. The OSCP puts you in front of real machines and gives you 24 hours. No hints, no multiple choice — you either compromise the targets or you don’t, and then you write a report explaining exactly how. Passing it means something because it can’t be faked. For technical roles, it carries more weight than almost anything else on a CV.
The cybersecurity industry has a hiring problem that isn’t getting better. ISC2’s latest Cybersecurity Workforce Study puts the global shortfall at 4.8 million unfilled positions — up 19 percent year over year, even as active hiring stalled. ISACA found that 55 percent of security teams are currently understaffed and 38 percent take three to six months to fill a role even at entry level. Meanwhile, IBM found that 87 percent of organizations reported an AI-driven cyberattack in the past year. The defenders are outnumbered, and the gap keeps widening.

How AI Is Reshaping the Field

The broad split is between offensive and defensive. Defensive security — blue team — is detection, protection, response. SOC analyst, threat hunter, incident responder. Reactive by definition, but the good ones think like attackers. You can’t find what someone left behind if you’ve never thought about how they got in. Offensive security — penetration testing, red teaming — is the opposite. You’re paid to break things before someone else does. Under contract, with a scope, and then you write a report explaining exactly what you found and how. It pays well because people who can actually do it, not just talk about it, are rare.
Build a lab. A cheap laptop running virtual machines is enough. Break things, figure out why they broke, fix them, break them differently. Platforms like HackTheBox and TryHackMe give you structured targets when you don’t know where to start.
And then there’s AI security as a job in itself. Who’s testing whether your LLM can be manipulated into leaking data? Who’s checking whether your AI agent has access it shouldn’t? Who’s thinking about what happens when that agent makes a bad call at 3am with no human in the loop? Two years ago these weren’t real job titles. Now they’re some of the more interesting roles in the field.
Pick a direction and actually commit to it. Go deep enough to be useful, not just familiar. Then stay curious about the stuff around it — not to become a generalist, just to avoid having obvious blind spots.
What replaces the ticket-clicking work isn’t nothing — it’s harder work. Detection engineers who design the policies that tell the AI what matters. Analysts who look at what the system flagged and decide whether it’s actually real. People who understand how these tools fail and know when not to trust them. The floor is moving up, which makes the fundamentals even more important, not less.

What a Realistic Path Forward Looks Like

Get involved with the community. Post your lab notes. Enter CTFs. Write about what you figured out, even if the writing isn’t polished. Security is a field where showing your work matters — not for the CV points, but because it demonstrates you can actually work through a problem and explain it.
So why is it still so hard to break in? Partly because the field is poorly mapped for people trying to enter it. The question “how do I get into cybersecurity” gets asked constantly and answered inconsistently. This is an attempt at something more useful — an honest look at what the field actually contains, where the paths lead, and what kind of work builds skills that compound over time.
The most counterproductive pattern in cybersecurity education is teaching tools before concepts. Tools change. The principles underneath them don’t.
The Tier 1 SOC analyst role is under real pressure. Log review, alert triage, playbook execution — exactly the kind of repetitive work AI handles well. 52% of security professionals already expect AI to cut demand for those positions, and 64% of 2026 security job listings now require AI or automation skills. That’s not a forecast. It’s already in the job descriptions.
Certifications exist because hiring managers need some signal when there’s no degree to look at and no work history to review. They fill that gap. Up to a point.
By Canio Campaniello
