It is one of the most common questions in cyber security, and it deserves a direct answer rather than a vague "it depends." The reality is that the timeline genuinely does vary, but not randomly. It varies based on where you are starting from, how many hours you can put in each week, and which role you are aiming at first. All of those are things you can assess right now.
This guide gives you the honest numbers for each starting point, what the milestones along the way look like, and what most people get wrong when they try to estimate their own timeline.
The Single Biggest Variable: Your Starting Point
The most consistent finding from people who track cyber security career transitions is that your existing background matters more than almost anything else. An IT professional with networking experience can be interview-ready in three to four months. Someone starting with no technical background at all typically needs nine to eighteen months of consistent effort.
That gap is not because cyber security is harder for some people. It is because the field builds on a foundation of networking, operating systems, and how systems communicate - and if you already have that foundation from a previous role or study, you skip a substantial part of the preparation journey.
The estimates below assume roughly ten to fifteen hours of study and practice per week. Full-time study (thirty or more hours a week) can compress these timelines meaningfully, while part-time study alongside full-time work will extend them.
Timeline by Starting Point
The table below maps four common profiles to realistic timeframes for landing a first entry-level role.
| Starting point | Realistic timeline | Key milestones | Most accessible first role |
|---|---|---|---|
| Complete beginner (no IT background) | 12–18 months | Networking & OS fundamentals → Security+ or equivalent → Hands-on labs → Portfolio → Job search | SOC Analyst Tier 1, IT Support with security focus |
| IT professional (help desk, sysadmin, networking) | 3–6 months | Security-specific study → One core security cert → Hands-on security labs → Job search | SOC Analyst Tier 1, Junior Security Analyst |
| University student (computing or related degree) | Alongside study (6–12 months of parallel skill-building) | Practical labs alongside coursework → Entry cert → CTF participation → Internship or placement | Graduate SOC Analyst, Junior Penetration Tester, Security Graduate schemes |
| Career changer (non-technical background) | 12–24 months | IT fundamentals → Security foundations → Certifications → Labs & portfolio → Targeted applications | GRC Analyst, SOC Analyst Tier 1, Security Awareness roles |

Timelines assume 10–15 hours of study and practice per week. Full-time study can compress these by 30–40%. Part-time study alongside full-time work will extend them accordingly.
What Each Phase of the Journey Actually Looks Like
Whatever your starting point, the path to a first role typically moves through four recognisable phases.
Phase 1: Building the foundation. This is where you develop the underlying knowledge that cyber security sits on top of — how networks communicate, how operating systems work, what happens when data moves from one machine to another. For people coming from IT backgrounds this phase is already behind them. For everyone else it is the most important investment in the whole journey, and rushing it causes problems later. The Cyber Security 101 path on TryHackMe covers this foundation in a hands-on environment rather than a passive reading exercise, which makes the knowledge stick faster.
Phase 2: Security-specific study and certification. Once you understand how systems work, you start learning how they fail, how they are attacked, and how defenders respond. This is where entry-level certifications like CompTIA Security+ become relevant, not because a certificate alone will get you hired, but because studying for one forces structured coverage of the domains employers expect entry-level candidates to know. Security+ typically takes three to six months to prepare for properly, assuming you are also doing hands-on practice in parallel, not just studying for the exam.
Phase 3: Hands-on practice and evidence-building. This is the phase most people underestimate, and it is the one that separates candidates who interview well from those who actually get offers. Employers are increasingly testing practical ability, not just certification status. That means you need demonstrable experience: CTF challenges you can talk through, lab environments where you have investigated alerts or exploited vulnerabilities under controlled conditions, and ideally a writeup or portfolio that shows your process. This phase should overlap with Phase 2, not follow it.
Phase 4: Targeted job search. The job search itself takes time, and most career changers take longer than expected here because they apply too broadly rather than targeting the specific roles that match their demonstrated skill level. SOC Analyst Tier 1 is the most common first role for people without prior security experience, and it is worth treating that as the target rather than searching across all entry-level security job titles simultaneously.
The Most Common Reasons People Take Longer Than Expected
Understanding what delays the timeline is as useful as knowing what accelerates it.
Passive learning without practice. Watching videos and reading documentation without doing labs is the most common trap. Cyber security is a practical discipline. Reading about how to investigate a SIEM alert and actually doing it in a simulated environment are entirely different experiences, and employers can tell the difference in interviews.
Certification hoarding. Some people collect certifications instead of building the hands-on experience that actually gets them hired. One solid certification paired with genuine lab experience and a clear portfolio will outperform four certificates with nothing practical behind them almost every time.
Waiting until you feel ready. The "ready" feeling rarely arrives on schedule. Most entry-level positions expect you to learn on the job, and hiring managers are typically looking for a candidate who can demonstrate foundational ability and genuine curiosity — not someone who has already mastered everything the role requires. If you meet sixty to seventy percent of a job posting's requirements, applying is reasonable.
Studying without direction. Trying to learn "cyber security" as a general subject without targeting a specific first role tends to extend timelines significantly. Knowing whether you are aiming at a SOC analyst role, a GRC position, or a penetration testing path changes what you study, which certifications you pursue, and how you build your portfolio.
A Note for Students and Career Changers
If you are studying for a degree - whether in cyber security, computer science, or another discipline - the most useful thing you can do alongside your coursework is build practical evidence of ability that sits outside your academic record. Employers at graduate level consistently distinguish between candidates who have done the coursework and candidates who have also spent time in labs, entered CTFs, or worked through hands-on learning paths in their own time. A degree provides the foundation; practical experience is what makes it competitive.
For career changers, the timeline is longer but the transfer of existing skills is often underestimated. Legal, finance, and audit backgrounds map naturally to GRC roles. Project management and communication skills are genuinely valued in security teams that have no shortage of technical knowledge but frequent gaps in structured thinking and stakeholder communication. The cyber security-specific learning you need to do is real, but it builds on a professional foundation that has value.
Start Building Your Evidence Now
The most effective thing you can do regardless of your starting point is to begin accumulating hands-on experience from day one, not after you have finished studying. Every lab exercise, every CTF challenge, and every alert you investigate in a simulated environment is something you can talk about in an interview. That evidence compounds over time in a way that passive study does not.
TryHackMe is free to start and structured to take you from the foundations to job-ready skills in a practical, guided environment - whether you are building toward a SOC analyst role, a penetration testing career, or simply trying to understand whether cyber security is the right move.
Nick O'Grady