
Fastest Way To Become a Cybersecurity Engineer

A guide through process for becoming a cybersecurity engineer, with a special focus on Defensive Security Operations Engineering.

Introductions

I'm going to guide you through the process of becoming a cybersecurity engineer, with a special focus on Defensive Security Operations Engineering, which includes high-demand roles like threat detection and incident response.

These roles are crucial in defending organizations from cyber threats; they are highly technical and among the most in-demand and well-compensated in the cybersecurity field.

About Me

If you’re new here, my name is Day, and I’m a Security Engineer at Amazon with a previous focus on Incident Response Engineering and a current focus on Proactive Security Operations covering Threat Hunting, Threat Intelligence, & Adversarial Emulation.

In the past, I’ve worked as a Detection Engineer at Datadog, where I focused on Cloud, Network, Endpoints, and SaaS Applications. I have also previously worked as a Tier 1/Tier 2 Analyst at various SOCs & MDRs.

With all of this experience, I will give you a step-by-step road map to get you to become a cyber security engineer even if you don't have a degree or any technical knowledge yet; as a matter of fact, this newsletter has no college education requirements.

I personally was able to break into cybersecurity as early as my freshman year of college. I’ve gotten several jobs and interviews prior to ever having a college degree, and I’ve helped thousands of people do the same on my various content channels and in my Discord Community.


Join a vibrant cybersecurity community of over 6,000 people who are constantly engaging in conversations and supporting one another—covering topics from cybersecurity and college to certifications, resume assistance, and various non-professional interests like fitness, finance, anime, and other exciting subjects.

Join Us!


Establishing a Foundation

Your journey to becoming a Security Engineer can start from various points: you might currently be in an IT role such as network engineer or systems administrator, in a security role such as SOC analyst, or entirely outside the tech industry, in nursing or retail, for example.

The critical first step you need to take is understanding the fundamental concepts of cybersecurity, which will form the backbone of your expertise in threat detection or incident response.

Educational Pathways and Certifications

To build a strong foundation in cybersecurity, I recommend pursuing certifications & training that provide a blend of theoretical knowledge and practical experience.

Cybersecurity Basics

Opt for industry-recognized programs like the Google Cybersecurity Professional Certificate or the Microsoft Cybersecurity Analyst Professional Certificate.

These programs are specifically designed to equip you with essential skills and include hands-on labs, which are crucial for grasping the intricacies of security operations.

The great thing about the hands-on labs is you get to practice what you learn, so things make a lot more sense when you’re using those skills in the real world as a cybersecurity engineer.

The Google Cybersecurity training includes labs that teach you Linux, a core skill for any cybersecurity engineer; SQL (via MySQL), which gives you the basics of querying and analyzing data; and Python, which will be super important for scripting and automation - more on this later in the newsletter.

I also like that this program prepares you for CompTIA Security+, which is a staple foundational certification in the security industry.


My first impressions of the Google Cybersecurity Professional Certificate:


On the other hand, the Microsoft Cybersecurity Analyst training introduces you to the Microsoft Azure cloud and the Microsoft Sentinel platform. This is great because you get an introduction to both a top cloud provider and a top SIEM (Security Information & Event Management) platform.

This program also prepares you for the Microsoft Security Operations Analyst Certification, which is also another great certification.


Is the Microsoft Cybersecurity Analyst Certificate Worth It?:


Computer Networking

Another foundational skill that deserves serious attention, and should never be overlooked if you want to become a proficient and effective cybersecurity engineer, is an understanding of computer networking.

This skill is integral to cybersecurity as it provides the necessary knowledge to comprehend how data moves and communicates across systems.

You’ll need to understand the basics of IP addressing, Public & Private IP addresses, Network Address Translation or NAT, CIDR Notation, routing, network ports & protocols like HTTP, DNS, SSH, LDAP, etc.

You’ll also need to know the basics of network types and topologies: peer-to-peer, client-server, Local Area Networks (LAN), Wide Area Networks (WAN), and so on.
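To make those addressing concepts concrete, here is a small Python script, added as an example for this post (it is not code from the newsletter or from any course it mentions), that uses the standard library's ipaddress module to classify addresses from a constructed list of log source IPs as RFC 1918 private, carrier-grade NAT, link-local, reserved or public, and to expand a CIDR string into its mask, range and usable host count. The sample addresses and the label names are my own; the range boundaries come from the RFCs and from the stdlib.

```python
import ipaddress

# Constructed sample addresses (not from the newsletter), the kind seen as
# source IPs in firewall or proxy logs.
SAMPLE_ADDRESSES = [
    "10.0.12.7", "172.16.5.40", "192.168.1.10", "8.8.8.8",
    "100.64.3.9", "203.0.113.25", "169.254.10.1", "2001:db8::1",
]

# RFC 1918 private blocks; a packet claiming one of these as its source on
# the public side of a NAT gateway is spoofed or misrouted.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier-grade NAT)


def classify(addr: str) -> str:
    """Label an address by the kind of range it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_link_local:
        return "link-local"
    if ip.is_global:  # routable on the public internet
        return "public"
    return "reserved"  # loopback, documentation nets (TEST-NET, 2001:db8::/32), etc.


def cidr_summary(cidr: str) -> dict:
    """What a CIDR string actually covers: prefix, mask, range, host count."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address with a prefix
    # IPv4 reserves the network and broadcast addresses, except in /31 and /32.
    hosts = net.num_addresses - 2 if net.version == 4 and net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "usable_hosts": hosts,
    }


def in_any(addr: str, cidrs) -> bool:
    """Membership test against a list of CIDR strings (e.g. an allowlist)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def triage(addresses=SAMPLE_ADDRESSES) -> dict:
    """Group log source addresses by range type."""
    out = {}
    for a in addresses:
        out.setdefault(classify(a), []).append(a)
    return out


if __name__ == "__main__":
    for label, addrs in triage().items():
        print(f"{label:11} {addrs}")
    print(cidr_summary("192.168.1.10/24"))
```

Run it directly to see the grouping. The practical point: an RFC 1918 source address showing up on the outside of a NAT boundary, or a public address appearing where only private traffic should be, is a routing or spoofing question before it is a security question, and you need to know the ranges cold to notice it.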

All these can be learned from a good CompTIA Network+ course like the one from Professor Messer here on YouTube or paid ones on Udemy from Jason Dion.

Now, you don’t necessarily have to take this certification, but the knowledge you’ll gain from understanding how networks work will be invaluable to your cybersecurity career.

I’ve landed several jobs, including my current job, just because of how I showed my strong understanding of networking during my interviews - do not overlook this skill at all.

Heck, dare I say you cannot be a competent cybersecurity engineer without the basics of networking.


In this mini-course, we're going back to the basics. Many cybersecurity professionals don't fully understand how standard protocols and networking concepts work, largely because they've never interacted with these protocols beyond the theoretical level.

Think about it: have you ever seen how DHCP or ARP packets work? Do you genuinely understand packet encapsulation and decapsulation? Have you watched a TCP 3-way handshake, or seen a session torn down with FIN packets or aborted with a reset? You'll find this mini-course valuable if you answered no to any of these questions.

In just over an hour, you'll level up your networking and protocol knowledge. My goal is to transform your theoretical knowledge from CompTIA Network+ or Security+ into practical understanding by showing you how to interact with these protocols and demystifying the complexities of computer networking.
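Here is what that practical view looks like in code. This is an added example for this post, not material from the mini-course or the newsletter: a Python script that builds a constructed Ethernet/IPv4/TCP frame byte by byte (checksums left at zero, so it is for reading, not sending), then decodes it layer by layer and walks a three-way handshake, checking that the SYN/ACK acknowledges the client's initial sequence number plus one and that the final ACK acknowledges the server's. The addresses, ports and sequence numbers are made up.

```python
import struct

ETH_HDR = "!6s6sH"          # dst MAC, src MAC, EtherType
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, DSCP, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIHHHH"       # sport, dport, seq, ack, offset/flags, window, csum, urgent
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Encapsulate: TCP segment inside an IPv4 packet inside an Ethernet frame.
    Constructed test data only; checksums are left as zero."""
    tcp = struct.pack(TCP_HDR, sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = struct.pack(ETH_HDR, b"\xaa" * 6, b"\xbb" * 6, 0x0800)
    return eth + ip + tcp


def decode_frame(frame):
    """Decapsulate: peel Ethernet, then IPv4, then TCP, honouring the IHL and
    data-offset fields instead of assuming fixed 20-byte headers."""
    _, _, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    t = 14 + ihl
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack(TCP_HDR, frame[t:t + 20])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in FLAGS.items() if off_flags & bit],
        "payload": frame[t + data_off:14 + total_len],
    }


def track_handshake(frames):
    """Follow SYN -> SYN/ACK -> ACK across frames, checking that each side
    acknowledges the other's ISN + 1; returns the final TCP state name."""
    state, client_isn, server_isn = "CLOSED", None, None
    for pkt in map(decode_frame, frames):
        f = set(pkt["flags"])
        if "RST" in f:
            return "RESET"
        if state == "CLOSED" and f == {"SYN"}:
            client_isn, state = pkt["seq"], "SYN_SENT"
        elif state == "SYN_SENT" and f == {"SYN", "ACK"} and pkt["ack"] == client_isn + 1:
            server_isn, state = pkt["seq"], "SYN_RECEIVED"
        elif (state == "SYN_RECEIVED" and f == {"ACK"}
              and pkt["seq"] == client_isn + 1 and pkt["ack"] == server_isn + 1):
            state = "ESTABLISHED"
    return state


# Constructed three-way handshake between a client and a web server.
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
HANDSHAKE = [
    build_frame(CLIENT, SERVER, 51234, 443, 1000, 0, FLAGS["SYN"]),
    build_frame(SERVER, CLIENT, 443, 51234, 5000, 1001, FLAGS["SYN"] | FLAGS["ACK"]),
    build_frame(CLIENT, SERVER, 51234, 443, 1001, 5001, FLAGS["ACK"]),
]
# A server that refuses the connection answers the SYN with RST/ACK instead.
REFUSED = HANDSHAKE[:1] + [build_frame(SERVER, CLIENT, 443, 51234, 0, 1001, FLAGS["RST"] | FLAGS["ACK"])]

if __name__ == "__main__":
    for frame in HANDSHAKE:
        p = decode_frame(frame)
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"{'/'.join(p['flags'])} seq={p['seq']} ack={p['ack']}")
    print("handshake:", track_handshake(HANDSHAKE), "| refused:", track_handshake(REFUSED))
```

The same decode_frame function will read frames captured with a sniffer, as long as they are plain Ethernet + IPv4 + TCP; the IHL and data-offset fields are honoured so IP or TCP options do not break the parse. Comparing the ESTABLISHED path with the REFUSED one shows why a run of SYNs answered by RST/ACKs in a capture reads very differently from completed sessions.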

ANY.RUN Security Training Lab

Gain practical knowledge, examine real-life scenarios, and become a cyber defense specialist with ANY.RUN's malware analysis course.

Learn Malware Analysis!

Specialized Learning in Threat Detection

Now, let’s talk about specializing in Threat Detection Engineering or Incident Response Engineering.

If your interest lies in any of these roles, you’ll typically be told that it's super important to become proficient in using monitoring and detection tools like Splunk or CrowdStrike, and while I think that is somewhat right, it is a half-truth.

All monitoring and detection tools are built on top of the native telemetry the system already provides, be it a cloud platform, Linux, Windows, or whatever the case may be.

If you do not understand how these systems work or the threats against them, it does not matter how great you are at Splunk; you will not be able to detect much of anything.

This is precisely why I recommend understanding how a system works before trying to learn how to detect threats to it.

Let me give you a real-life example.

I was very new to the cloud when I first got my last job at Datadog. I had never done cloud detection engineering, but I had worked on some cloud security investigations in my previous roles as a SOC analyst.

However, in order to build detection rules and mechanisms for cloud threats, I first had to understand how the cloud worked.

One of my main projects was expanding our detection ruleset for Google Cloud, but I had never worked with Google Cloud in my life, so what did I do?

I dove into the documentation of Google Cloud, how IAM works, how the projects and organizations work, how resources are configured, service accounts, and several other things.

And you know how that helped me? In a matter of weeks, I was able to start building and testing detections for Google Cloud; I co-wrote an article on Google Cloud threat detection and even gave multiple talks on Google Cloud Threat Detection.

The moral of the story is to replace Google Cloud with anything: it could be Linux, Windows, IoT, heck, it could be iPhones or Androids. The point I’m trying to get across is that you need to understand the system, its intended use, and its weaknesses before you can detect threats against it.
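The lesson from the Google Cloud story translates directly into code. Below is an added example for this post, not the newsletter's or Datadog's detection content: two detection rules in Python run over constructed, heavily abbreviated Cloud Audit Log entries. The field names (protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas) follow the documented AuditLog shape, and that is exactly the "understand the system first" step: you cannot write the second rule without knowing that IAM changes surface as SetIamPolicy calls carrying a binding delta. The project name, principals, allowlist and role list are assumptions made for the example.

```python
import json

# Constructed, heavily abbreviated Cloud Audit Log entries (not real logs and
# not from the newsletter). Only the fields the rules read are kept.
ACTIVITY_LOG = "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity"
SAMPLE_LOG_LINES = [
    json.dumps({"logName": ACTIVITY_LOG, "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "ci-bot@demo-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.0.12.7"},
        "resourceName": "projects/-/serviceAccounts/111111111111111111111"}}),
    json.dumps({"logName": ACTIVITY_LOG, "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.25"},
        "resourceName": "projects/-/serviceAccounts/222222222222222222222"}}),
    json.dumps({"logName": ACTIVITY_LOG, "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.25"},
        "resourceName": "projects/demo-proj",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"},
            {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}}),
    json.dumps({"logName": ACTIVITY_LOG, "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "ci-bot@demo-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.0.12.7"},
        "resourceName": "projects/demo-proj",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}}),
]

# Assumptions for the example: who is expected to mint keys, which roles are sensitive.
ALLOWED_KEY_CREATORS = {"ci-bot@demo-proj.iam.gserviceaccount.com"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}


def dig(obj, path, default=None):
    """Safely read a dotted path out of nested dicts."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule_sa_key_created(entry):
    """Service account key minted by a principal outside the allowlist."""
    if dig(entry, "protoPayload.methodName") != "google.iam.admin.v1.CreateServiceAccountKey":
        return None
    principal = dig(entry, "protoPayload.authenticationInfo.principalEmail", "")
    if principal in ALLOWED_KEY_CREATORS:
        return None
    return {"rule": "gcp_sa_key_created_by_unexpected_principal", "principal": principal,
            "caller_ip": dig(entry, "protoPayload.requestMetadata.callerIp"),
            "target": dig(entry, "protoPayload.resourceName")}


def rule_privileged_role_granted(entry):
    """IAM policy change that ADDs a binding for a privileged role."""
    if dig(entry, "protoPayload.methodName") != "SetIamPolicy":
        return None
    deltas = dig(entry, "protoPayload.serviceData.policyDelta.bindingDeltas", [])
    added = [(d.get("role"), d.get("member")) for d in deltas
             if d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ROLES]
    if not added:
        return None
    return {"rule": "gcp_privileged_role_granted",
            "principal": dig(entry, "protoPayload.authenticationInfo.principalEmail"),
            "caller_ip": dig(entry, "protoPayload.requestMetadata.callerIp"),
            "target": dig(entry, "protoPayload.resourceName"), "grants": added}


RULES = (rule_sa_key_created, rule_privileged_role_granted)


def run_detections(lines=SAMPLE_LOG_LINES):
    """Parse each JSON log line and collect every rule hit."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        for rule in RULES:
            alert = rule(entry)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(alert["rule"], alert["principal"], alert["target"], alert.get("grants", ""))
```

The first rule keys on a specific IAM method name and an allowlist of principals expected to mint service account keys; the second inspects the policy delta for ADD actions on privileged roles rather than alerting on every SetIamPolicy, which would be noise. Both are the kind of logic a SIEM rule expresses in its own query language; the telemetry they depend on is the platform's, not the SIEM's.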

After this, you can then start learning tools like Splunk or CrowdStrike. The great thing about Splunk is that they offer free training that can take you from knowing nothing about it to becoming pretty decent at it.

You can also go through various TryHackMe rooms that guide you through Splunk and investigating with it. You can even deploy your own Splunk instance and ingest logs into it, as I’ve outlined in my cybersecurity home lab project.

I’ve made some videos on this, which you can find in my SecOps & Investigations playlist here.

A combination of strong system understanding and Splunk (or other SIEM tool) engineering will make you very suitable for detection engineering or threat detection roles.

The same thing applies to incident response. This specialization requires a thorough understanding of response processes and recovery strategies, and learning to manage and respond to security incidents effectively is key, but you’ll still need to understand the underlying system.


Deciding between Threat Detection and Incident Response:

Transitioning between Threat Detection & Incident Response:


Advanced Training in Incident Response

Now, how do you begin to build the core skills for these roles? This in itself is a whole breakdown, which I’ve covered in a previous video on the certifications and training to consider for the various skills you might be looking to learn.

Everything from BTL1 to CDSA, BTL2, CCD and others, as well as training providers like Constructing Defense, 13Cubed, TCM Security, DFIR Diva, Purple Labs, XINTRA, and several more.

I highly suggest watching the video:

Hands-on practice and continuous learning

Now let’s talk about practice and labbing.

It is crucial to master the tools specific to your chosen specialization—whether SIEM platforms for detecting attacks or incident response techniques for containing and mitigating them.

Each tool and technique requires a deep understanding of specific aspects of cybersecurity, such as network traffic analysis or log analysis for threat detection or forensics and crisis management for incident response.

So here are some platforms to help you practice these skills:

  • ACE Defender

  • BTLO (Blue Team Labs Online)

  • THM (TryHackMe)

  • Pwned Labs

  • HackTheBox Sherlocks

  • LetsDefend

  • CyberDefenders

  • RangeForce

Applying your knowledge through these real-world simulations and practical labs is essential.

Start with foundational training on platforms like TryHackMe, which covers everything from basic security principles to complex system and application security tasks.

Then, advance to more specialized modules that focus on the intricacies of network and system security, malware analysis, incident management, etc.

Building Scripting and Automation Skills

The next thing to build is your scripting and automation skills, which matter a great deal in threat detection and incident response: you’ll need to automate repetitive processes and make workflows more efficient, and scripting is how you do that.

One of the best languages to start with is Python due to its simplicity and powerful capabilities.

Python is widely used in cybersecurity for automating repetitive tasks, parsing large amounts of data, and developing software tools.

With Python, you can automate boring or repetitive tasks and focus more on the strategic aspects of your job, such as threat analysis and incident response.

Starting with the basics, there are many online resources available to learn Python. I personally recommend Learn Python the Hard Way by Zed Shaw, Code with Mosh’s Python course, and CodeCrafters.

However, Codecademy, Coursera, and edX offer beginner-friendly courses that teach you Python programming fundamentals.

The key thing here is to pick a course and stick with it long enough to build your Python skills.

Once you have a good grasp of the basics, you can start exploring modules and libraries commonly used in cybersecurity, such as Scapy for packet crafting and network analysis, pandas for data analysis, the built-in json module for parsing JSON, requests for making web requests, or BeautifulSoup for web scraping.

Also, various platforms provide cybersecurity-focused Python challenges that allow you to apply your newly acquired skills in practical scenarios.

For example, HackInScience’s Python challenges or Programming Hero’s 100-plus Python coding challenges are great resources for learning and practicing Python in cybersecurity.

Remember, the goal is not to become a software developer but to use Python to enhance your threat detection and incident response capabilities.

Therefore, focus on practical applications of Python in cybersecurity, such as automating data analysis, building simple tools, or integrating different security solutions using APIs.
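As one concrete "practical application", here is an added example (mine, not the newsletter's) of the kind of small tool an incident responder writes: it normalizes evidence from three constructed sources with three different timestamp conventions (a syslog export with no year and host-local time, a cloud JSON log with an explicit UTC offset, and a proxy CSV with epoch seconds) into one UTC timeline sorted by time. The sample lines, host names and the assumed host timezone (UTC-5) are made up for the example.

```python
import csv
import io
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample evidence from three sources (not from the newsletter).
# Syslog lines are deliberately out of order to show that sorting is needed.
SYSLOG_LINES = [
    "Mar  3 14:02:11 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/curl http://203.0.113.25/x",
    "Mar  3 14:01:40 web01 sshd[2041]: Accepted publickey for deploy from 10.0.12.7 port 51234 ssh2",
]
JSON_LINES = [
    '{"time": "2025-03-03T11:01:30-08:00", "host": "vpn-gw", "msg": "user deploy connected"}',
]
PROXY_CSV = "epoch,src,url,action\n1741028600,10.0.12.7,http://203.0.113.25/x,ALLOW\n"

# syslog: "Mon DD HH:MM:SS host proc[pid]: message" (year is not logged)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def to_utc_iso(dt):
    """Render an aware datetime as ISO 8601 in UTC with a Z suffix."""
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def parse_syslog(line, year, host_tz):
    """Syslog has no year and is in host-local time: both must be supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=host_tz)
    return {"ts": local.astimezone(timezone.utc), "source": "syslog",
            "host": m["host"], "summary": f"{m['proc']}: {m['msg']}"}


def parse_json_line(line):
    """RFC 3339 timestamp with an explicit offset: convert to UTC."""
    e = json.loads(line)
    return {"ts": datetime.fromisoformat(e["time"]).astimezone(timezone.utc),
            "source": "cloud", "host": e["host"], "summary": e["msg"]}


def parse_proxy_csv(text):
    """Epoch seconds are already UTC; just attach the timezone."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"ts": datetime.fromtimestamp(int(r["epoch"]), tz=timezone.utc), "source": "proxy",
             "host": r["src"], "summary": f"{r['action']} {r['url']}"} for r in rows]


def build_timeline(syslog_lines=SYSLOG_LINES, json_lines=JSON_LINES, proxy_csv=PROXY_CSV,
                   year=2025, host_tz=timezone(timedelta(hours=-5))):
    """Merge all sources into one list of (utc_iso, source, host, summary), oldest first.
    host_tz is an assumption about the syslog host; pass the real one when known."""
    events = [e for e in (parse_syslog(l, year, host_tz) for l in syslog_lines) if e]
    events += [parse_json_line(l) for l in json_lines]
    events += parse_proxy_csv(proxy_csv)
    events.sort(key=lambda e: e["ts"])
    return [(to_utc_iso(e["ts"]), e["source"], e["host"], e["summary"]) for e in events]


if __name__ == "__main__":
    for ts, source, host, summary in build_timeline():
        print(f"{ts}  {source:6}  {host:7}  {summary}")
```

Timestamp normalization is where timelines go wrong in practice: syslog drops the year, hosts log in local time, and exports disagree on offsets. Doing the conversion in one place, with the assumed host timezone passed in explicitly, keeps the assumption visible and lets you re-run the timeline if it turns out to be wrong.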

Some other languages to consider are Go and JavaScript, as they also help in various cybersecurity automation and integration workflows.

For shell scripting, learn PowerShell for Windows and Bash for Linux.

Auxiliary Skills - Cloud & IaC

In addition to learning a programming language, understanding cloud and Infrastructure-as-Code is a crucial auxiliary skill for cybersecurity engineers focused on threat detection or incident response.

Cloud knowledge is essential because many organizations are shifting their operations and data storage to cloud-based solutions.

Therefore, cybersecurity engineers need to understand how to deploy and build security tools in the cloud, how to secure cloud-based infrastructure, how data flows are managed, and how access controls work in a cloud environment.

They should be familiar with platforms such as AWS, Google Cloud, or Azure.

In addition to this, Infrastructure-as-Code (IaC) is a key concept in modern IT operations. It involves managing and provisioning computing infrastructure through machine-readable scripts rather than manual processes.

For a cybersecurity engineer, understanding IaC can help in automating security controls and policies.

It allows them to integrate security earlier in the development lifecycle, enabling a 'shift-left' in security that results in more secure and scalable systems.

Tools commonly used for IaC include Terraform, Ansible, Chef, Puppet, and many others.

Projects

In order to bring everything together, working on a few personal projects relating to cybersecurity can be an excellent way to strengthen and solidify these skills.

This can involve utilizing a range of tools such as Security Information and Event Management systems (SIEMs), Cloud technologies, Python programming, and Infrastructure as Code (IaC).

By actively building out these projects, you are able to gain hands-on experience and a deeper understanding of the intricacies involved in these various cybersecurity tools and how they work together.

Furthermore, these projects can serve as tangible evidence of your skills and knowledge, which can be outlined on your resume, and this not only enhances your professional profile but also provides you with concrete examples and experiences to draw upon during job interviews.

Ultimately, these personal projects can significantly boost your confidence and competence as a cybersecurity engineer.

Choosing a Pathway in Security Operations Engineering

Now, once you’ve established a solid foundation and gained some hands-on experience, it's time to choose a specific pathway within Security Operations Engineering.

Whether you decide to focus on threat detection or incident response, your path should be guided by both your interests and the specific needs of the job market.

Bear in mind that Cybersecurity is a field defined by rapid evolution and constant change.

Continuing your professional development through ongoing education, staying updated on the latest threats, and continually refining your practical skills are going to be necessary for your growth as a cybersecurity engineer.

Cyberwox Resources

Resources for your career

🔹Join the Cyberwox Academy Discord!!

🔷 Check out the episodes of the Cyberstories Podcast on your favorite platform

🔹Cyberwox Cybersecurity Notion Templates for planning your career

🔹Cyberwox Best Entry-Level Cybersecurity Resume Template

🔹Learn AWS Threat Detection with my LinkedIn Learning Course

Recent Content

A few publications I’ve released recently.

The Cybersecurity Bootcamp Industry & Level Effect w/ Anthony Bendas | Cyber Stories Podcast EP 23

A conversation with Anthony Bendas - Co-Founder at Level Effect, where he designs and delivers cutting-edge cybersecurity training programs, including the Cyber Defense Analyst Program. With over a decade of experience spanning penetration testing, security consulting, and engineering, he has built a reputation for translating complex security concepts into practical, real-world applications.


Building a DNS Server with Python - 1 (Repo & UDP Server Setup)

Starting a series on building a DNS Server with Python - guided by Code Crafters.

The Truth About The TryHackMe SAL1 Certification (Complete Review)

A breakdown of TryHackMe’s new SAL1 Certification.

Fastest Way To Become a Cybersecurity Engineer in 2025

The YouTube version of this post!

Closing

Once again, you made it this far :)

Thanks for reading. If you so desire, subscribe and restack - it helps spread the word and keeps me writing content. If not, I’ll see you around…somewhere on the internet!

Thanks for reading Cyberwox Unplugged! This post is public, so feel free to share it.
