DEV Community

Cover image for Cybersecurity Roadmap for Myself (And Anyone Starting Fresh)
Elvin Seyidov
Elvin Seyidov

Posted on

Cybersecurity Roadmap for Myself (And Anyone Starting Fresh)

#cybersecurity #roadmap

I recently started learning cybersecurity. I am a full stack developer with more than five years of experience, but before that I actually studied medical university. Even during my medical studies, I always had passion for technology. When I decided to switch to tech, I tried to learn everything at the same time. I studied PHP, Java, C Sharp, frontend, backend, networks, and even Arduino robotics. Later I understood that this was a mistake. You cannot learn everything. You must choose one direction and stay with it. You learn side technologies only to support your main skill.

For many years I also wanted to start cybersecurity, but I did not take the risk. In my country Azerbaijan, cybersecurity was not very famous, and finding a job in this field was very hard. Because of this, I decided to become a backend heavy full stack developer. Now, after five years of experience, I finally feel ready to start cybersecurity.

My past mistakes will help me now. I already have light knowledge in many areas related to cybersecurity, so I believe it will not be too difficult to move deeper. But after many days of reading and searching, I also understood something important. Cybersecurity changed a lot. Now you need stronger skills in cloud, web security, servers, networks, and not only simple tools.

Right now I still do not know which area of cybersecurity I want to choose. For now I want to start learning, and later, when I get some real experience, I will decide. At the beginning I will focus on networking, how the internet works, basic security terms, Linux and security tools, and deeper server knowledge. Even though I know these from development, I want to make my understanding stronger.

So this article is my personal roadmap for becoming skilled in cybersecurity, and I hope it helps other beginners too. It’s not a super-advanced expert guide, it’s simple, practical, and focused on understanding the essentials step by step.

Phase 1: Core Fundamentals (Your Foundation)

Before trying hacking tools, exploitation, or attacking machines, you must understand how the internet, computers, and data actually work.

These are the fundamentals:

1. Networking Basics

Cybersecurity is impossible without networking knowledge.

Learn:

  • IP addresses (IPv4/IPv6)
  • Ports & protocols
  • TCP vs UDP
  • Subnetting (just basics)
  • DNS, DHCP, NAT, Routing
  • HTTP vs HTTPS

Why it matters:
Attackers use network weaknesses. Defenders monitor network traffic. Everything in cybersecurity touches networking.

2. Linux Fundamentals

Cybersecurity = Linux.
Kali, Parrot OS, Ubuntu - everything is Linux-based.

Learn:

  • Terminal basics (ls, cd, cat, grep, cp, mv)
  • User permissions (chmod, chown, sudo)
  • Processes (ps, top)
  • Networking commands (ip, ifconfig, netstat, ss)
  • File system structure

Why it matters:
Most tools run on Linux and most servers are Linux.

3. Security Mindset

Learn how attackers think:

  • Find weak points
  • Test assumptions
  • Abuse misconfigurations
  • Chain small issues into big exploits Learning “the mindset” is as important as tools.

Phase 2: Cryptography Essentials (Not Math, Just Understanding)

You don’t need deep math - only practical understanding.

Learn:

  • Hashing (SHA-256, SHA-1 weaknesses)
  • Encryption (AES, RSA, ECC)
  • Encoding (Base64)
  • HMAC
  • Salting & Password hashing (bcrypt, PBKDF2, Argon2)
  • Certificates & PKI
  • TLS/SSL basics

Why it matters:
Passwords, logins, HTTPS, VPNs, JWT tokens - everything uses cryptography.

Phase 3: Tools & Practical Skills

Now you can start touching the tools.

1. Network Scanning

  • Nmap
  • Masscan

Use these to discover hosts, ports, and services.

2. Traffic Analysis

  • Wireshark
  • Tcpdump

Learn to capture and analyze packets.

3. Web Pentesting Tools

  • Burp Suite
  • OWASP ZAP
  • Nikto
  • Gobuster

These help you find vulnerabilities in web apps.

4. Password Attacks

  • Hashcat
  • John the Ripper

Understand password cracking speeds, hashing types, and why strong passwords matter.

Phase 4: Web Security (OWASP Top 10)

Web is the biggest attack surface today.

Master these 10 vulnerability classes:

  • Injection (SQLi)
  • Broken Authentication
  • Sensitive Data Exposure
  • XSS (Cross-Site Scripting)
  • XXE
  • Broken Access Control
  • Security Misconfiguration
  • CSRF
  • Server-Side Request Forgery (SSRF)
  • Using Components with Known Vulnerabilities

Why it matters:
Most cybersecurity jobs involve defending or testing web apps.

Phase 5: Operating Systems, Processes & Hardening

Learn how systems work internally:

  • Windows internals
  • Linux internals
  • Logging & monitoring
  • Firewalls (iptables, ufw)
  • System hardening basics

This helps you understand how attackers escalate privileges or hide in systems.

Phase 6: Threat Detection & Monitoring (Blue Team Skills)

Blue Team skills are becoming extremely valuable.

Focus on:

  • SIEM (Security Information & Event Management)
  • Log analysis
  • Incident response steps
  • Alerts, detections, rules
  • MITRE ATT&CK framework
  • Basic forensics (memory, disk)

Phase 7: Offensive Security (Ethical Hacking)

Once you understand defenses, start learning offensive strategies.

Topics:

  • Reconnaissance & information gathering
  • Vulnerability scanning
  • Exploitation frameworks (Metasploit)
  • Password attacks
  • WiFi attacks
  • Privilege escalation
  • Pivoting & lateral movement
  • Covering tracks (only for learning, not abuse)

Practice on:

  • HackTheBox
  • TryHackMe
  • VulnHub
  • PortSwigger Labs

Phase 8: Cloud Security (AWS, Azure, GCP)

Modern companies run on the cloud.

Learn:

  • IAM (Identity & Access Management)
  • Permissions & roles
  • S3 bucket security
  • VPC networks
  • Cloud monitoring
  • Common cloud misconfigurations

Even basic cloud security knowledge boosts your value.

Phase 9: Pick Your Specialization

After gaining general skills, choose one direction:

  • Offensive:
  • Pentesting
  • Red Team
  • Malware analysis
  • Bug bounty
  • Defensive:
  • Blue Team
  • SOC Analyst
  • Incident responder
  • Threat hunter
  • Forensics
  • Security engineering:
  • Application security
  • Cloud security engineer
  • DevSecOps
  • Security automation

You don’t need to choose immediately - explore first.

Phase 10: Certifications (Optional but Helpful)

Not required, but good for jobs:

  • CompTIA Security+ (best beginner cert)
  • CompTIA Network+ (if networking is weak)
  • CEH (not very respected, but popular)
  • eJPT (good for beginners in offensive security)
  • OSCP (advanced ethical hacking certificate)

Conclusion

Cybersecurity is a long journey, but if you stay consistent and always stay curious, you will grow much faster than you expect.

This roadmap is not “perfect”, it’s simply my plan, and if you’re a beginner, it might help you too.

I’ll keep writing notes as I learn.
If you want to follow my journey, stay tuned for more posts.

Top comments (0)