CyberBreakers
v 1.0 / FREE GUIDE

// Cyber Breakers

From Psych to Security.

> How I broke into cybersecurity. And how you can too.

The field guide I hand to anyone who asks me how to get into cybersecurity.

// Purpose of this guide

Why this guide exists.

Countless friends and colleagues have asked me how to break into cybersecurity. I'd give them the same set of advice every time. This guide is that conversation, written down.

It reflects years working across personal security consulting, SOC analysis, GRC, security engineering, detection engineering, security sales engineering, and senior solutions architecture.

This is not the only way into the industry. It's what I've seen work for me and for the people I've helped get hired.

If you take one thing from this guide: fundamentals beat hype, curiosity beats credentials, and networking beats both.
// Take it with you

This guide is free and it stays free. Drop your email and I'll send you the file, plus a short series on the resume framing and break-in mistakes that didn't fit here. No spam, and your email stays with me.

Something went wrong. Try again in a moment.

// Chapter 01

How I got my break.

I didn't break into cybersecurity through a traditional path. I was in a psychology program, building computers, mind wandering as I screwed in motherboards.

I wanted to figure out how computers actually worked, not just the physical layer I was used to, but all of the layers.

I found a local IT recruiter who wanted to land me a new role. We talked about what interested me. At that point, my mind was made up: cybersecurity.

After a year of constant interviewing and resume tweaking, I landed a job as a networking associate at an ISP. Not cybersecurity, but networking fundamentals are crucial. I was happy to see progress.

Two days after my start date, the same recruiter called with an opportunity. A contracted personal security consultant role at a Managed Security Services Provider (MSSP). I had no idea what an MSSP was. But I knew this was the break.

It was a risk. I quit my brand-new ISP job to interview for it. I got it.

A few months in, the MSSP offered me a SOC analyst internship. After completing it, I was given a choice: night-shift SOC analyst, or GRC analyst plus continued consulting work.

Most practitioners I know would have taken the analyst role for the hands-on tooling. I chose the latter. I loved consulting. I did not love the idea of night shift.

As a GRC analyst, I shadowed the security engineers, asked a ton of questions, and eventually got pulled onto the engineering team. I learned the security tools, sat in on executive conversations, and led war rooms during incident response.

Then I started shadowing the VP of Sales — cold calls, sales agreements, pre-sales calls. My passion for pre-sales grew. I loved helping people find security solutions that genuinely protected them.

I pivoted to sales engineering at a new MSSP, grew into a senior sales engineering role, and continue to do that at an AI startup today.

// Chapter 02

What to learn first.

If I were starting over today, I'd focus heavily on the fundamentals of computing and networking. The exciting stuff in cyber gets attention. Fundamentals get you hired.

Fundamentals transfer across every role. They'll get you into the industry far sooner than chasing advanced or highly specialized topics (malware research, detection engineering, cloud architecting, bug bounty).

One approach: start with the Open Systems Interconnection (OSI) model. It helps visualize how communication between computing systems actually works.

The OSI layers

Layers 1–2 — Physical & Data Link

Less about hardware specifics, more about understanding that traffic has to move reliably from one place to another. Segmentation, VLANs, basic switching — these explain why some traffic is visible and why some isn't. Helps when troubleshooting blind spots in security tooling.

Layer 3 — IP and Routing

Understanding IP addressing, routing, and how traffic moves between networks is foundational. Recognizing internal vs. external traffic, interpreting subnets, identifying routing paths — this makes logs and alerts far easier to correlate.

Layer 4 — Transport (TCP / UDP)

How TCP and UDP behave is more valuable than memorizing port numbers (though 80, 443, and 22 — HTTP, HTTPS, SSH — are worth knowing). Knowing how sessions are established, how they fail, and what normal looks like helps you tell malicious activity from misconfig.

Layers 5–6 — Sessions, Encryption, Data Handling

These feel abstract but they show up in authentication flows, encrypted comms, and how data is formatted in transit. Supports identity systems, secure comms, and access troubleshooting.

Layer 7 — Applications and Services

Where security activity becomes most visible. How applications behave, how APIs communicate, how services generate logs. Most alerts originate here, even when the root cause is several layers below.

Identity fundamentals

Authentication vs. authorization. How SSO works. Why MFA matters. These show up early and often.

Identity decisions drive access, visibility, and the quality of your security telemetry. When identity is poorly understood, detections become noisier and investigations become harder.

Logs, telemetry, and correlation

One of the most important skills to develop early: understanding how logs fit together, and using telemetry for correlation.

Individual log entries rarely tell the full story. What matters is correlation. A single event might be benign — but combined with others, or enriched with telemetry, it can mean something serious.

Event A on its own looks normal. Event B is expected under certain conditions. Event C happens occasionally.
A + B + C — in a short window, from the same identity or host — can indicate malicious behavior.

Strong practitioners don't just look at alerts. They ask:

When something doesn't make sense, research it. Review documentation. Look up log fields. Validate assumptions. Curiosity and follow-through are what turn raw logs into meaningful, actionable alerts.

The CIA Triad

Confidentiality, Integrity, Availability. A useful mental model for grounding security decisions.

It's not academic. This framework helps explain why controls exist and what tradeoffs they introduce.

Identifying common attack paths

Understanding how attackers typically get in grounds everything you're learning. The threat landscape evolves, but certain patterns show up repeatedly in real incidents.

Ransomware — the early-days pattern

For years, this was the loudest threat. Attackers would:

This shaped a lot of early detection logic.

The current era — identity-first attacks

More recently, phishing and credential theft are the most prevalent initial access techniques. Attackers use:

Once credentials are compromised, attackers typically:

The current focus on identity and credential security makes authentication flows, MFA, and identity log anomaly detection more relevant than ever.

Knowing which attack paths are currently prevalent helps you in two ways:

  1. Research relevance. You're not just memorizing behavior — you're connecting it to real patterns of compromise.
  2. Defensive focus. Controls and monitoring are prioritized based on these common paths. Understanding the context tells you where to look, what to log, and how to interpret signals.

// Resources

// Chapter 03

Risk, from the business side.

Security decisions are almost always driven by how an organization understands and tolerates risk. Not by how cool a tool is.

Early on, it's easy to think of security in terms of vulnerabilities, tools, and alerts. Over time, you'll see that the real conversation is about risk tolerance.

At a basic level, risk is the relationship between:

It's effectively impossible for organizations to eliminate 100% of risk. Every security decision involves tradeoffs — cost, complexity, usability, operational impact.

Most organizations focus on:

As I explored security roles, I realized each part of the business owns some piece of risk. The human element will always be the greatest risk to an organization. Phishing. Credentials in public GitHub repos. Social engineering. Data theft by disgruntled employees. The user is at the core.

This helps explain things that confuse most early-career security folks:

Security teams are not the ultimate owners of risk. They're advisors. The business owns the data and decides how much risk it's willing to accept.

Understanding how risk is framed makes it easier to communicate findings to non-technical stakeholders, prioritize work without frustration, and understand why security tools get bought, implemented, and sometimes underutilized.

This perspective has been especially valuable in consulting, GRC, and presales roles — where success depends on aligning recommendations with business priorities, not technical ideals.

// Chapter 04

Skills that actually get hired.

Entry-level candidates succeed when they focus on skills that map directly to day-to-day security work.

High-ROI hard skills

These are the basis of every environment you'll work in. They consistently show up as the "why" behind security events and detections.

Security tools change constantly. Understanding why an alert exists and what behavior it represents matters far more than memorizing specific tool interfaces.

// Resources for hard skills

// Chapter 05

Credibility before the title.

Credibility is built before you land your first cybersecurity job. The work you do now decides what doors open later.

// Things that help

  • Documented labs you can explain
  • Transferable experience (IT, compliance, analyst)
  • Writing about what you're learning
  • A consistent, professional online presence
  • Home labs testing real security concepts
  • A relevant degree or certificate

// Things that don't

  • Certifications without application
  • Buzzwords you can't explain in plain language

I've reviewed dozens of resumes. The ones that stand out aren't the ones with the longest tool lists. They're the ones that say:

// Resume bullet that worked

"Built a home lab to simulate a Windows Active Directory environment. Configured Sysmon logging and forwarded events to a Splunk instance. Wrote basic detection rules for unauthorized access."

That's specific. That's explainable. That shows you can learn.

Helpful platforms

// Chapter 06

Certifications, used well.

Certifications are strategic signals, not automatic requirements. Most teams I've worked with pay for the advanced certs once you've already proven value on the job.

General guidance

Two paths I've actually seen

// Path A

Person gets Security+ as their only cert. Struggles to find an entry-level analyst role. Spends months sending applications into the void.

// Path B

Person gains hands-on experience with a home lab, joins LinkedIn and Discord groups, researches entry-level SOC positions, promises to get Security+ during onboarding. Gets hired.

The second person understood: certifications are tools, not substitutes for understanding. Cybersecurity isn't just knowing concepts — it's demonstrating and applying them to prove you can be trusted with sensitive data.

As one wise practitioner put it: soft skills get you the job. Hard skills help you keep it.

Resources

Pro tip. If you're early in your career, one good foundational cert is better than three mediocre ones.
// Get the rest by email

This guide is free and it stays free. Drop your email and I'll send you the file, plus a short series on the resume framing and break-in mistakes that didn't fit here. No spam, and your email stays with me.

Something went wrong. Try again in a moment.

// Chapter 07

Resumes that work.

Strong resumes act as risk-reduction documents. They tell hiring managers: this person communicates clearly, can be trusted with sensitive data, and reduces overall risk.

// Resumes that perform

  • Focus on outcomes, not task lists
  • Clearly communicate scope and impact

// Resumes that struggle

  • Tool dumping without context
  • Vague or inflated claims

Real example

// Weak

"Responsible for managing IT tickets."

// Strong

"Supported business objectives of reducing risk exposure by hardening systems by 40% and documenting changes in the ticketing system."

The second is clear, measurable, and shows impact.

If you don't have security experience yet

Pull from adjacent experience:

I've helped people get hired from each of these backgrounds and many more. What mattered: interest, ability to think critically, and willingness to learn quickly.

Where to get feedback

// Chapter 08

Interviews and recruiters.

Interviews are rarely about trivia. They're about how you think and how you communicate.

What strong candidates do

When you don't know something

Say so. Clearly. Then show your thought process. Humility and curiosity beat fake confidence every time.

Mock interviews help

Working with recruiters

Recruiters are valuable allies when the relationship is professional and transparent.

What helps:

Early in my career, I treated recruiters transactionally — only reaching out when I needed a job. That was a mistake.

The recruiters who helped me most were the ones I built relationships with over time. I'd check in every few months, even when I wasn't job hunting. I'd ask about market trends. I'd refer candidates to them.

When I was ready to move, they had roles for me before they hit job boards.

Pro tips

// Chapter 09

Soft skills are the multiplier.

Soft skills consistently influenced long-term success more than any technical skill across all the roles I've had.

What mattered most

When communication made the difference

A team I knew wanted new security tooling but couldn't find budget. After a security assessment, we identified gaps and mapped them to the new tool's coverage. They had two options:

  1. Send a technical email explaining the issue in depth.
  2. Explain the business impact first. Then the technical details.

They went with option 2. Scheduled a call with the CFO and CISO. Said:

"Right now, if we do nothing, the business impact is X. If we get funding for this tool, our risk of breach lowers by Y."

The CFO understood immediately. They got budget approval that day.

What I learned: technical accuracy matters. But if you can't translate it into business impact, it doesn't move forward.

Staying calm under pressure

During a ransomware incident response at an MSSP client, I watched a senior analyst get flustered when the client's CEO kept interrupting. The call turned chaotic.

I learned from that. In later incidents, I structured updates like this:

  1. What we know right now (facts only)
  2. What we're doing about it (active response)
  3. What we need from you (clear asks)
  4. When you'll hear from us next (sets expectations)
Clear communication under pressure is a force multiplier in security operations.

// Books that shaped how I work

// Chapter 10

Curiosity, motivation, fit.

Strong security practitioners are driven more by curiosity than credentials. The ones who go furthest are usually the ones who can't help being curious.

Many people benefit from exploring multiple areas (SOC analyst, detection engineer, compliance, cloud engineer, app sec engineer) before finding what fits.

People who succeed long-term genuinely enjoy the work. If you don't find yourself reading security blogs for fun, or thinking "I wonder how that attack worked" when you see a breach in the news, that's okay. Not everyone needs to be obsessed. But the people who go furthest are usually the ones who are.

How to explore

// Curiosity fuel

// Chapter 11

Someone taking a chance on you.

Many cybersecurity careers begin because one person was willing to take a chance. Mine was one of them.

A COO at a small MSSP saw potential in me and gave me the space to work hard and prove my value. As I gained experience, I was given more responsibility, allowed to explore different aspects of cyber, and ultimately ended up where I wanted to be.

I networked. I chose mentors who helped me on my journey. I made friends with customers and fellow employees who went to bat for me in meetings I wasn't privy to. That led to promotions, raises, and career moves until I was satisfied with my path.

I'm incredibly motivated to do this for others, because so many did it for me.

The cybersecurity community is mostly welcoming. Most professionals enjoy helping newcomers. There are gatekeepers — folks who feel that since their journey was hard, it should be hard for all. I disagree. People can be taught and mentored to become great if given the opportunity.

Why mentorship matters

Once I was working in the field, I made a point to reach out to people doing work I found interesting — detection engineers, SOC managers, threat hunters.

Most people said yes to a 20-minute chat. Some became short-term mentors. Others became close friends.

One detection engineer mentored me with everything he knew, gave me feedback on detection logic I was writing, and eventually referred me to a role at a different company. We're still friends today.

What tends to work

Networking is rarely transactional. It's relational.

// Chapter 12

Mistakes I've seen.

Three patterns I've watched derail otherwise capable people. Avoid them and you're ahead of most candidates.

Chasing certifications without context

I've seen people spend $3,000 on an advanced/niche certification before they had their first security job. Then they couldn't explain in interviews why that cert mattered or what problems it would help them solve.

Certifications are signals, not substitutes for understanding. If you can't explain why a security control exists or what problem a technology solves, the badge won't help you.

Burning out before you even start

I've watched people try to:

Then they burn out and quit before landing their first role. Focus on fundamentals, then depth in a few areas. Surface-level knowledge of everything beats nothing.

Ignoring transferable skills

People tell me "I don't have cybersecurity experience" while they've spent years:

Those are cybersecurity skills. Don't dismiss them. Nurture them.

// Chapter 13

Your first 90 days.

You will feel overwhelmed. That's normal. Here's how to make the most of the period where everything feels like drinking from a fire hose.

In my first SOC role, I barely understood half of what people were saying in meetings. SIEM queries. Detection logic. Threat intel feeds. It all felt like an avalanche.

That's expected. No one expects you to know everything on day one.

What helped me

Focus on these early wins

  1. Learn the tools. Get comfortable applying computing and networking concepts. The security tooling, the ticketing system, what the network looks like. Shadow other practitioners.
  2. Understand the environment. What's normal for this org? Where are the crown jewels (data and/or systems)?
  3. Build relationships. Who do you escalate to? Who's good at malware analysis? Network forensics? Communication? These relationships will skyrocket your learning.
Don't try to reinvent processes or suggest major changes in your first few months. Observe. Learn. Contribute.

When to ask for help

// Ask when

  • You've been stuck for 30+ minutes
  • You're unsure if something is a real threat
  • You're about to make a change that could impact production

// Don't ask when

  • You haven't tried basic troubleshooting
  • The answer is clearly documented
  • You're asking the same question without writing it down

Good judgment about when to escalate is one of the most valuable skills in security operations.

// Final thoughts

You don't need to be perfect.

You need to be honest, persistent, and willing to grow. The cybersecurity community needs more people like that.

I hope this guide was helpful. This was my lived experience. I want to give back to the community that gave me so much. My work in cybersecurity is interesting, fulfilling, and a joyful part of my life.

Focus on fundamentals.
Communicate clearly.
Stay curious.
Build relationships.
Keep learning.
// Get the rest by email

This guide is free and it stays free. Drop your email and I'll send you the file, plus a short series on the resume framing and break-in mistakes that didn't fit here. No spam, and your email stays with me.

Something went wrong. Try again in a moment.

Ready for the next step?

If this guide helped, the next step is built for exactly what you'd do next. Everything lives at cyberbreakers.com.

// For career changers

Breaking Into Cybersecurity: The First 90-Days Blueprint

The complete 90-day system. Fundamentals that get you hired, the home lab that gets interviews, the full resume system, recruiter relationships, and interview preparation built on reasoning. Week-by-week checklist included.

// The resume fix

Cyber Breakers Resume Template

The résumé is not a biography. It is a risk-reduction document. The framing, the rules, the weak vs. strong rewrites, and the fill-in template itself. Six years in the seat distilled into one page.

Let's connect

LinkedIn: linkedin.com/in/nicholasgibsonprofile

Site: cyberbreakers.com

// About the author

Nicholas Gibson.

M.S. Cybersecurity Management. Six years across SOC operations, detection engineering, GRC, personal security consulting, presales solutions engineering, and enterprise security architecture.

Specializes in helping organizations design detection strategies, implement security programs, and build effective security operations. Currently Senior Sales Engineer at Anvilogic, where he's influenced over $15M in pipeline.

Transitioned into cybersecurity from a background in psychology — bringing a unique perspective on how people learn, communicate, and build careers in technical fields. Passionate about mentoring newcomers and making cybersecurity more accessible to anyone willing to learn.

M.S.Cyber Management
$15MPipeline influenced
100sPeople helped

// Reference

Glossary.

Every acronym, tool, and concept used in this guide. Bookmark it.

Technical terms & acronyms

API
Application Programming Interface. Protocols and tools that let different software applications communicate.
CIA Triad
Confidentiality, Integrity, Availability. The foundational model for security decisions.
CVE
Common Vulnerabilities and Exposures. A standardized identifier for publicly known vulnerabilities.
GRC
Governance, Risk, and Compliance. A cyber role focused on regulation, risk management, and policy.
HTTP / HTTPS
Hypertext Transfer Protocol (port 80) and its encrypted version (port 443).
IP
Internet Protocol. Handles addressing and routing of data packets across networks.
ISP
Internet Service Provider.
MFA
Multi-Factor Authentication. Two or more verification factors to gain access.
MSSP
Managed Security Services Provider. Outsourced security monitoring and management.
NIST CSF
National Institute of Standards and Technology Cybersecurity Framework.
OSI Model
Seven-layer conceptual framework for communication functions in computing systems.
RDP
Remote Desktop Protocol. Microsoft protocol for remote system access.
SIEM
Security Incident and Event Management. Collects, analyzes, and correlates log data for threat detection.
SOC
Security Operations Center. The team that monitors, detects, analyzes, and responds to incidents.
SSH
Secure Shell. Encrypted protocol for remote login (port 22).
SSO
Single Sign-On. Access multiple applications with one set of credentials.
Sysmon
Windows system service that logs detailed activity to detect malicious behavior.
TCP / UDP
Transmission Control Protocol (reliable, ordered) and User Datagram Protocol (connectionless, fast).
TI
Threat Intelligence. Information about current or potential threats.
VLAN
Virtual Local Area Network. Method of segmenting networks for performance and security.

Tools & frameworks

Active Directory
Microsoft's directory service for Windows domain networks. Authentication and authorization.
AWS
Amazon Web Services. Amazon's cloud computing platform.
MITRE ATT&CK
Globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Sigma HQ
Open-source generic signature format for SIEM systems. Write detection rules once, convert for any platform.
Splunk
Popular SIEM platform for searching, monitoring, and analyzing machine-generated data.

Security concepts

Detection Engineering
The practice of creating and tuning security monitoring rules to identify malicious activity.
Password Spraying
An attack technique trying a few common passwords against many user accounts.
Phishing
Social engineering attack where attackers impersonate legitimate entities to steal credentials.
Telemetry
Data collected from systems and apps that provides visibility into behavior and security state.
War Room
An emergency meeting or command center established during a security incident to coordinate response.
CyberBreakers
End of guide

// Thank you for reading

Now go get the break.

If this guide changed how you think about getting into cyber, share it. That's how this community grows.