Detailed roadmaps to go from zero to hired. No degree required.
🎯 Focus: Help Desk & Desktop Support roles — Your entry point into tech
Before you dive in, let's be real about what you're getting into. No sugarcoating — just facts so you can make an informed decision.
Think of it as Customer Service + Tech. You're the first person someone calls when their computer won't work. Your day looks like:
Let's talk numbers — real ones:
💡 The jump from Help Desk to Sysadmin is where the real money kicks in. Your goal is to get that first job, learn everything, then level up fast.
What to expect for work-life balance:
💡 Pro tip: Take an on-site or hybrid role for your first job. You learn 10x faster when you can tap a senior tech on the shoulder.
No degree? No problem. Certifications prove you know your stuff. These are the gold standard for entry-level IT — pick one based on your budget and timeline.
Industry standard. Two exams. ~$250 each. Most recognized by employers.
Self-paced on Coursera. Great for absolute beginners. ~$49/month.
A+ if you want the most recognized cert that'll get past HR filters. Google IT if you're brand new to computers and need hand-holding through the basics first. Many people do Google IT → then A+.
These YouTube channels have trained more IT pros than any bootcamp. Watch them in this order — they're all completely free.
Best for: Passing the A+ exam. Free video courses that follow the exam objectives exactly. Watch his entire A+ playlist.
Best for: Seeing what the job actually looks like. Real-world Active Directory, Office 365, and help desk labs. This is the practical stuff.
Best for: Resume strategy and career advice. Learn how to actually land the job after you have the skills. His resume tips are gold.
Best for: Getting excited about IT. High-energy, fun explanations of networking, Linux, and home labs. Great for motivation.
This is the project that separates "I watched some videos" from "I actually know how to do this." Every Help Desk job uses Active Directory. Build this lab, and you'll walk into interviews with confidence.
What you need: A computer with at least 8GB RAM (16GB preferred)
Goal: Turn your server into a Domain Controller
corp.local🎉 Congrats! You now have a Domain Controller. This is the heart of every corporate network.
Goal: Create and manage users like a real sysadmin
Goal: Join a workstation to your domain
corp.local → Use your admin credentials🎉 You just joined a computer to a domain — exactly what you'll do on Day 1 of Help Desk.
"Configured and managed Active Directory users, groups, and OUs in a Windows Server 2022 environment. Joined workstations to domain and implemented user account policies."
These questions come up in almost every Help Desk interview. Memorize these answers — they're what hiring managers want to hear.
net stop spooler → delete files in C:\Windows\System32\spool\PRINTERS → net start spoolerIP Address = Your mailing address. It can change when you move (DHCP assigns it). Example: 192.168.1.100
MAC Address = Your fingerprint. It's burned into your network card and never changes. Example: 00:1A:2B:3C:4D:5E
Easy memory trick: IP = Internet Protocol (logical, changes). MAC = Media Access Control (physical, permanent).
Use the STAR method: Situation, Task, Action, Result
Example: "A user was frustrated because their issue wasn't resolved after multiple calls. I listened without interrupting, apologized for their experience, took ownership of the ticket, and followed up every 2 hours until it was fixed. They later emailed my manager to thank me."
Most companies use Applicant Tracking Systems (ATS) that scan for keywords before a human ever sees your resume. Include these terms to get past the robots.
Copy the job posting into a document. Highlight every technical term. Make sure those exact words appear on your resume. If they say "ServiceNow," don't write "ticketing software" — write "ServiceNow."
🎯 Focus: SOC Analyst (Tier 1) & Security Administrator roles
Good news: Blue Team is where the JOBS are. Bad news: It's not as glamorous as hacking. Here's what you're signing up for.
90% of cybersecurity jobs are Blue Team.
You are the digital firefighter. When something catches fire (a breach, malware, suspicious activity), you're the first responder. Most of your day is:
Alert Fatigue is Real: You'll see hundreds of alerts per shift. 95% are false positives. Staying sharp for the 5% that matter is the hard part.
Shift Work: SOCs run 24/7/365. Entry-level often means nights and weekends. It's not forever — but expect it for year one.
💡 The upside: Clear promotion path. SOC Analyst → Senior Analyst → Security Engineer → Manager. Stick with it 2-3 years and you're making $90k+.
Blue Team pays well, especially for the stability:
Blue Team has great entry points — including a FREE certification that's actually respected.
FREE training AND FREE exam through their 1 Million Certified program. Legit cert, zero cost.
Industry standard. DoD 8570 approved. Required for many government jobs. ~$400 exam.
Most SOCs use Splunk. This cert shows you can actually use it. Free training available.
Start with (ISC)² CC (free) → then Security+ (opens government doors) → then Splunk (practical skills). You can do all three in 6 months.
This project separates you from everyone else. You'll build a mini Security Operations Center on your own computer and actually detect attacks.
Goal: Set up Splunk Free (or Elastic SIEM) as your central log collector.
http://localhost:8000Goal: Install Sysmon on a Windows VM to capture detailed security events.
sysmon -accepteula -i sysmonconfig.xml🔥 Sysmon captures EVERYTHING: process creation, network connections, file changes. This is gold for threat detection.
Goal: Connect your Windows VM to Splunk so logs flow automatically.
Goal: Simulate an attack and watch it appear in your SIEM.
index=* EventCode=4625 (failed logins)🎉 You just built detection for a brute-force attack. This is EXACTLY what SOC analysts do.
"Configured Splunk SIEM to ingest and analyze Sysmon logs, creating custom detection rules for brute-force authentication attacks with automated alerting."
These are the tools you'll use daily as a SOC analyst. Master them before your first interview.
What it does: Collects logs from EVERYTHING (firewalls, servers, endpoints), lets you search and correlate events, triggers alerts on suspicious activity.
Why it matters: Most enterprise SOCs run on Splunk. Knowing SPL (Splunk Processing Language) is a superpower.
Free Splunk Training →What it does: Captures and analyzes network traffic at the packet level. See every byte that crosses the wire.
Why it matters: When you need to know EXACTLY what happened during an incident, Wireshark shows you the truth.
Download Wireshark →What it does: Scans your network for known vulnerabilities. Tells you what's broken before attackers find it.
Why it matters: Vulnerability management is a core Blue Team function. Nessus is the industry standard.
Get Nessus Essentials (Free) →What it does: Upload suspicious files, URLs, or hashes. 70+ antivirus engines analyze it and tell you if it's malicious.
Why it matters: First stop when investigating suspicious artifacts. Bookmark it.
Use VirusTotal →SOC interviews focus on fundamentals and your incident response thought process. Know these cold.
The three pillars of information security:
Memory trick: "CIA protects secrets, keeps them honest, and keeps the lights on."
They want to hear a PROCESS, not a single action. Show you think systematically.
Bonus points: Mention that seeing sensitive data over port 80 is a red flag — credentials should NEVER travel unencrypted.
Evidence that a system may have been breached. Examples:
IoCs are shared between organizations via threat intelligence feeds. Checking your logs against known IoCs is a core SOC function.
Blue Team resumes need to show you understand both the tools AND the frameworks. Include these terms.
🎯 Focus: Penetration Testing & Ethical Hacking roles
Before you start dreaming about hoodies and green terminal text, let's get real about what this job actually is.
These are NOT the same job:
💡 Most entry-level jobs are Pentesting. Red Team roles typically require 3-5+ years experience.
Hard truth time:
"You cannot hack a system you don't understand."
💡 Complete Track 1 (General IT) first. Seriously. The best hackers are the best sysadmins.
NEVER scan, probe, or attack a network you don't own or have WRITTEN permission to test.
This isn't a suggestion — it's the law. Unauthorized access is a federal crime (CFAA). Even "just scanning" can land you in prison. Always get a signed Rules of Engagement (RoE) document.
These are the core tools every pentester uses daily. Install them, learn them, love them.
Why: Pre-loaded with 600+ security tools. It's purpose-built for hacking so you're not spending hours installing dependencies.
Install: Download the ISO, create a VM in VirtualBox, boot it up. That's it.
Download Kali →Why: Intercepts all traffic between your browser and a website. You can see, modify, and replay every request. Essential for finding web vulnerabilities.
Use for: SQL Injection, XSS, authentication bypasses, API testing.
Download (Free Community Edition) →Why: Maps networks. Discovers hosts, open ports, running services, and OS versions. This is always step one of any engagement.
Key command: nmap -sC -sV -oN scan.txt target.com
Why: Automated exploitation. Has modules for thousands of known vulnerabilities. Point, click, shell. (But understand what it's doing!)
Warning: Don't become a "script kiddie." Learn manual exploitation too.
Explore Metasploit →Metasploitable 2 is an intentionally vulnerable VM designed for practice. Set up Kali + Metasploitable in VirtualBox on the same network. Your mission: get root access using only Nmap and Metasploit.
Download Metasploitable 2 →Don't skip levels. Each platform builds on the last. This order matters.
What: Guided, hand-holding learning. Browser-based VMs so you don't need to set up anything.
Do these paths IN ORDER:
⏱️ ~2-3 months if you do 1-2 hours daily
What: The BEST free resource for web application hacking. Made by the creators of Burp Suite.
Topics covered:
This is where 80% of real-world pentests focus. Web apps are EVERYWHERE.
Start PortSwigger Academy →What: eLearnSecurity Junior Penetration Tester. Your first real certification.
Why eJPT:
💰 ~$250 for training + exam
Get eJPT →What: Realistic vulnerable machines with NO hand-holding. This is where you prove yourself.
The difference:
Your HTB rank matters. Recruiters look at it. "Pro Hacker" rank and above gets attention.
Join HackTheBox →This is how you get hired without a degree. Write-ups prove you can hack AND communicate findings — both critical for the job.
A blog post explaining exactly how you compromised a specific machine. It documents your methodology, shows your thought process, and demonstrates you can explain technical concepts clearly.
2-3 sentences a non-technical boss can understand. "I compromised the server by exploiting an outdated Apache version to gain initial access, then escalated privileges via a misconfigured sudo rule."
Step-by-step with screenshots and commands. Show your Nmap output, the exploit you used, every command you ran. Make it reproducible.
How to fix it. "Update Apache to version X.X.X. Remove user from sudoers group. Implement network segmentation." This shows you understand defense too.
Start a blog TODAY. Options:
Goal: Post 1 write-up per week. By the time you're job hunting, you'll have 20+ examples of your work.
Pentesting interviews are TECHNICAL. Expect to whiteboard, explain methodologies, and maybe even do a live CTF challenge. Memorize these.
Bonus: Mention "Rules of Engagement" and "scoping" before step 1. Shows you understand the business side.
Parameterized queries (Prepared Statements).
Instead of building SQL strings with user input, use placeholders that the database treats as data, not code.
❌ Bad: "SELECT * FROM users WHERE id = " + userInput
✅ Good: "SELECT * FROM users WHERE id = ?" (with parameterized input)
Also mention: Input validation, WAF (Web Application Firewall), least privilege database accounts.
Memory trick: Encoding = format change. Encryption = lock with key. Hashing = fingerprint.
A list of the 10 most critical web application security risks, updated every few years by OWASP (Open Web Application Security Project).
Know at least these by heart:
ATS systems scan for specific terms. Include these to get past the robots and into human hands.
🎯 Focus: AI Operations & Automation Engineer (No-Code/Low-Code)
Let's clear up the biggest misconception about AI jobs right now.
"You aren't building new AI models. That requires a PhD. You're CONNECTING AI to business tools to save time."
Think of yourself as a translator between:
You wire them together. That's the job.
"Every company wants AI but doesn't know how. You are the bridge."
The demand is INSANE right now because:
💡 This is a ground-floor opportunity. The "AI Automation Specialist" job title barely existed 2 years ago.
This field is still being defined, but ranges are emerging:
💡 Freelancing is huge here. Small businesses will pay well for someone to "make AI work" for them.
Master these tools and you can build almost any automation a business needs.
What it does: Connects apps together. "When X happens in App A, do Y in App B." No coding required.
Example: New email arrives → Extract invoice data → Add row to spreadsheet → Send Slack notification.
Start with Make.com (Better for complex flows) →What to learn:
Why you MUST learn this: Every API speaks JSON. If you can't read it, you can't automate anything.
It looks like this:
{ "name": "Invoice", "amount": 150.00, "vendor": "Acme Corp" }
What it does: Like Make.com but open source and self-hostable. More powerful, steeper learning curve.
Why it matters: For clients who want their automations to run on THEIR servers (data privacy).
Explore n8n →This project demonstrates REAL business value. Every company deals with invoices. Automate their processing and you're immediately useful.
You are an invoice parser. Extract the following from the email and return ONLY valid JSON:
- invoice_date
- amount (number only)
- vendor_name
Example output: {"invoice_date": "2024-01-15", "amount": 250.00, "vendor_name": "Acme Corp"}
🎉 You just built an AI-powered financial workflow. Invoices now auto-populate your spreadsheet.
"Built automated financial workflows using LLMs (OpenAI API) and Make.com to extract invoice data from emails, reducing manual data entry by 100% and saving 5+ hours per week."
AI/Automation interviews test whether you understand the technology AND its limitations. Know these concepts.
When the AI confidently generates false information.
The model doesn't "know" facts — it predicts likely text. Sometimes it invents citations, statistics, or events that never happened, but presents them with complete confidence.
Mitigation: Always verify AI outputs. Use retrieval-augmented generation (RAG) to ground responses in real data. Set lower temperature for factual tasks.
.env files that are git-ignoredIf you've ever pushed a key to GitHub, assume it's compromised. Rotate it immediately.
The art of instructing AI to get the output you want. A good prompt includes:
The difference between a bad prompt and a good prompt can be the difference between useless output and production-ready automation.
Example: API = "Give me my emails." Webhook = "Ping me whenever a new email arrives."
This field is new, so keywords matter even more. These terms signal you actually understand AI/Automation.
Once you've built the invoice parser, keep learning with these free resources.
Free DeepLearning.AI course. Learn systematic prompting techniques.
When you need more control than no-code provides. Free certificate.
Official Make.com training. From beginner to advanced scenarios.
Read the docs. Understand models, tokens, parameters. Be the expert.