
From World of Warcraft to Threat Hunting: An Unconventional Path into Cybersecurity (And How You Can Too)

  • Writer: Damien van der Linden
  • Nov 5

Updated: Nov 6

Starting a career in cybersecurity isn't always straightforward. Sometimes it takes luck, but mostly it's about demonstrating what you can do and refusing to give up when doors seem closed. Oh, and taking notes. Seriously, take notes. I'll explain why I learned this the hard way.


The Gaming Gateway


My journey didn't begin in a classroom or with a computer science degree. It started in Azeroth, the virtual world of World of Warcraft. While others saw just a game, I saw a complex system begging to be understood. Hours spent crafting barely-functional Lua addons taught me more about problem-solving than any textbook could.

Then came the hackers in Call of Duty Modern Warfare 2 – players defying physics, reaching impossible locations, flying through maps. I never wanted to cheat, but I was fascinated by the creativity behind breaking systems. How did they do it? How could games be exploited? This curiosity led me down the rabbit hole of understanding vulnerabilities.


My rogue in WoW Classic!

The Winding Road


When it came time to choose my educational path in the Netherlands (MBO, equivalent to vocational education in other countries), cybersecurity was my first choice. The irony? Not enough students enrolled, and the program was cancelled. With two weeks to decide, I pivoted to Game Development – close enough, right?


Wrong. I spent most of that program playing World of Warcraft instead of learning to build games. But here's the thing: failure isn't the end. It's data. I learned I was better at breaking things than building them, and that realization was invaluable.


From Retail to Root Access


Post-education reality hit hard. Retail jobs, cleaning airplanes – at 22, I felt like I was wasting my potential while convinced I wasn't good enough for IT. It took years to 'overcome' that imposter syndrome and land my first IT Support role in 2016.


IT Support wasn't glamorous. As a millennial who dreads phone calls, handling helpdesk tickets was my personal nightmare. But it was a foot in the door. Between password resets and printer issues, I devoured security books, conquered CTFs, and volunteered for any security-adjacent task that crossed my desk.


The Breakthrough


Years passed. Support roles came and went. Just when I was ready to give up, opportunity knocked. A new security team was forming, and the manager had noticed my HackTheBox activity and enthusiasm for security tasks. I became their first Junior Security Engineer.

Suddenly, I was building Microsoft Security environments, learning KQL from experts, and responding to real incidents. The learning curve was steep, but every challenge felt like leveling up in the best game ever.


Quick confession: Remember all those cool KQL queries, scripts and command lines I wrote? Yeah, I can't find half of them now. Past me thought future me would just remember everything. Past me was an idiot. TAKE. NOTES. SERIOUSLY.


My spare time filled with bug bounties, eventually earning me four "I hacked the Dutch government and all I got was this lousy t-shirt" shirts (yes, that's a real thing, and yes, I may have a problem). Seriously, if you see me wear it daily, remember I have four, okay?


The shirt, my very first one

Finding My Niche


Even dream jobs can feel limiting. After securing our environment, incidents became rare. I craved more action, more learning, more growth. That's when I joined an MSSP (Managed Security Service Provider) as a Tier 2 Analyst. Within three months, I earned promotion to Tier 3, where I am today – threat hunting, analyzing complex incidents, and protecting multiple organizations daily.


The Defender Who Studies Offense (Badly, But Enthusiastically)


Here's something people don't talk about enough: You can be a competent security professional and still get absolutely destroyed by "Easy" CTF boxes. I know because I'm living proof. While I spend my days hunting advanced threats and writing detection queries, I come home and get humbled by challenges that 14-year-olds on YouTube complete blindfolded. And that's exactly why everyone should keep doing it.


Learning offensive security as a hobby while working as a defender isn't just beneficial – it's transformative. Every failed exploit attempt teaches you what attackers might try. Every privilege escalation technique you fumble through (after googling it six times) shows you what to look for in your detection queries. When you finally crack a box after hours of frustration and possibly some tears, you immediately think: "How would I detect this in our environment?"


Why Every Defender Should Think Like an Attacker (Even a Bad One)


  • You can't defend against what you don't understand – Reading about attacks is one thing, faceplanting through them is enlightening

  • Offensive knowledge makes better detections – My KQL queries improved dramatically after understanding (struggling with) exploitation techniques

  • It keeps you humble – Nothing cures security hubris like spending 42 hours on an "Easy" box only to realize you were in the wrong directory the whole time

  • It's genuinely fun – After a day of incident response, there's something therapeutic about being the attacker (legally, and poorly!)


I'm nowhere near expert level at CTFs. I still google "how to use gobuster" every single time. But every small victory – every shell popped, every flag captured – adds another layer to defensive thinking. The journey continues, and that's the whole point.


Your Path Forward: Practical Advice


0. Choose Your Fighter (But Don't Stress About It)


Here's something crucial: cybersecurity isn't one field – it's a dozen fields wearing a trench coat. The path of a Microsoft Security ninja (like where I ended up) is vastly different from someone wrestling with Splunk SPL queries or building detections in Elastic.


Common blue-team paths include:


  • Microsoft Security Stack – Azure Sentinel, Defender suite, KQL mastery (my world)

  • Splunk Environments – SPL queries, different apps, often more bare-bones

  • Open Source/Elastic Stack – ELK, Sigma rules, more DIY approach

  • Cloud-Native Security – AWS GuardDuty, GCP Chronicle, cloud-specific tools

  • Traditional SIEM – QRadar, ArcSight, legacy but still prevalent

Red Team paths are a whole different beast:

  • Penetration Testing – Web apps, networks, physical security (lockpicking is real)

  • Red Team Operations – Full adversary simulation, C2 frameworks, living off the land

  • Exploit Development – Buffer overflows, reverse engineering, making calculators pop

  • Bug Bounty Hunting – Freelance hacking, platform-based or direct programs

  • Cloud Penetration Testing – AWS/Azure/GCP specific attacks, different ball game

  • Mobile/IoT Security – Android/iOS reversing, embedded device hacking

Some folks even go purple team (combining both), or specialize in areas like:

  • Malware Analysis – Reversing malicious code, sandboxing, threat intelligence

  • Forensics/Incident Response – Digital detective work, memory analysis, "what happened?"

  • Security Architecture – Designing secure systems from the ground up

  • Compliance/GRC – Making sure everyone follows the rules (someone has to)


Don't panic about choosing "wrong." I fell into Microsoft security because that's what my company used. You might end up in a Splunk shop or building everything from scratch. The fundamentals transfer – understanding logs, thinking like an attacker, and (I cannot stress this enough) TAKING NOTES. Also keep in mind that a lot of these things are usually combined in your daily job. I am a Microsoft Security-based analyst, but I also do some malware analysis.


1. Start Where You Are

  • You don't need a degree in computer science

  • IT Support, though unglamorous for some, provides foundational knowledge

  • Every role teaches something valuable – even cleaning planes taught me to... deal with stress? It taught me attention to detail! Yes, that.


2. Build Your Proof of Work (Not Proof of Wishful Thinking)

  • For Blue Team: Follow the TryHackMe Blue Team Path and get hands-on with free Microsoft Learn resources. Pursue the SC-200 certification, as Microsoft-based companies will gladly accept you with open arms after this one.

  • For Red Team: Maintain an active HackTheBox/TryHackMe profile (even if you're failing spectacularly like I still do)

  • Create a blog documenting your learning journey (trust me, future you will thank present you). Using something like Notion to keep your notes is fine too!

  • Contribute to open-source security projects

  • Document EVERYTHING – That genius detection rule you wrote at 2 AM? You won't remember it next week. I speak from painful experience.


3. Master the Fundamentals

  • Networking is non-negotiable – understand TCP/IP, DNS, HTTP/HTTPS

  • Learn at least one scripting language (Python, PowerShell, or Bash)

  • Understand both Windows and Linux systems

  • Query languages depend on your stack:

    • Microsoft = KQL is your best friend

    • Splunk = SPL (Splunk Processing Language)

    • Elastic = Elasticsearch Query DSL or Lucene

    • Don't worry, they're all just different ways to ask "show me the bad stuff"


4. Develop the Mindset

  • Think like an attacker to defend effectively

  • Question everything: "How would I break this?"

  • Document everything: your future self will thank you

  • Stay curious and never stop learning


5. Network (The Human Kind)

  • Join local security meetups and online communities

  • Engage on security Twitter/X and LinkedIn

  • Attend conferences (many offer student/beginner discounts)

  • Find mentors – most professionals love helping newcomers


The Reality Check: Imposter Syndrome is Everyone's Companion


Let me share something that might help: Even experienced analysts feel small. I'm surrounded by Microsoft MVPs, security researchers with CVEs to their name, and professionals who seem to breathe KQL. Every day, that voice whispers: "You don't belong here." And you know what? That voice is full of it.


Here's the secret nobody tells newcomers: Everyone feels this way. That MVP you admire? They probably feel inadequate compared to the researcher who discovered the latest zero-day. That researcher? They're intimidated by the person who wrote the security tool they use daily. It's imposter syndrome all the way up.


Why Cybersecurity Amplifies Imposter Syndrome


  1. The field is impossibly vast – Nobody knows everything about security. Not even close.

  2. Threats evolve daily – Yesterday's expert knowledge is today's outdated information.

  3. Public mistakes are visible – Miss something in a KQL query? Everyone on the team might see it.

  4. The stakes feel high – We're defending against real adversaries. The pressure is real.


Turning Imposter Syndrome into Fuel


Instead of letting imposter syndrome paralyze you, use it. That discomfort you feel? It's your brain recognizing there's more to learn. Stay greedy for knowledge. The day you think you know everything is the day you become vulnerable.


I cope by:


  • Documenting my wins (no matter how small)

  • Asking "stupid" questions – they're usually not stupid

  • Remembering that being surrounded by experts means I'm in the right room

  • Celebrating when I learn something new instead of feeling bad for not knowing it already


Cybersecurity isn't just about technical skills. It's about persistence, creativity, and maintaining humility while building confidence. You'll face rejection and systems that seem impossibly complex. That's not just normal – it's the job.

My path took six years from first IT role to security position. Yours might be faster or slower – that's okay. What matters is moving forward, even when progress feels glacial, and remembering that feeling small in a room full of giants means you're exactly where you need to be to grow.


Cybersecurity Myths That Nearly Stopped Me


- "You need to be a math genius" (I still use a calculator for percentages)

- "You must know 5 programming languages" (I mainly just abuse PowerShell and cry, and it's 2025 so we have ChatGPT now!)

- "Entry level means 5 years experience" (It doesn't, keep applying anyway)

- "You need a home lab worth $10k" (VirtualBox and determination go far)


Start Today


The best time to start was yesterday. The second best time is now. Pick one thing:


  • Sign up for a CTF platform (and don't be discouraged when "Easy" isn't easy; I would strongly advise starting with TryHackMe)

  • Start the Microsoft Security fundamentals path

  • Write your first blog post about something you learned, even if it's not public.

  • Apply for that IT Support role you think you're not qualified for


Remember: I went from a World of Warcraft addict who failed at game development to a Tier 3 SOC Analyst at an MSSP who still struggles with "Easy" CTF challenges but keeps learning anyway. If I can do it, so can you.


The cybersecurity industry needs diverse perspectives and unconventional thinkers. Your unique background isn't a weakness – it's your superpower. Whether you're coming from retail, gaming, or any other field, you bring something valuable to the table.


And please, for the love of all that is holy, take notes. Document your journey. Your future self (and possibly your blog readers) will thank you.


Starting your cybersecurity journey? Hit me up – I love hearing about different paths into this field. Just don't ask me for my old KQL queries. I honestly have no idea where they went...


Resources to Get Started:



2025-2026 LindenSec | ©