Before we get to the concrete steps I'm going to lay out in this article, we need to ask ourselves a few practical questions: why do I want a job in IT at all, and then in cybersecurity specifically? As with any other job, the first question is: am I here for the right reasons? Getting into IT is not a decision made overnight, and unfortunately, the job doesn't come overnight either.
Many people hear glowing stories about this industry and make their decision based on them. The big salary and the comfortable conditions of working from home are usually the first things mentioned. Swept up by those stories, they make hasty decisions without ever asking themselves whether they will actually enjoy the work.
Some of them pay serious money for a course and realize halfway through that it's not for them. Others push through to the end purely because they've already paid, knowing full well they will never work in the field. Education in this area is painful precisely for the kind of people who fell for the polished marketing stories, and some of them can't even install a program, let alone set up a virtual machine.
It's easy to do a job you don't love when it's slow-paced and undemanding, but a job in IT or cybersecurity is anything but. When you get stuck in a job that is extremely demanding and complex, and you don't love it, it creates a whole chain of problems. The consequences hit not only you, but the people around you as well.
The complexity of this work comes from the fact that technology advances incredibly fast and demands an enormous amount of focus. The work environment is usually fast-paced and full of critical systems that require high availability, with countless important processes and businesses depending on them. On top of that, you handle a huge amount of information and data on which, at times, human lives depend, so any mistake can cause serious problems.
You often come across confessions like: "I fell for an ad for a cybersecurity course and thought I could beat the job market, but I couldn't." They are followed by questions like: is it me or the industry, should I give up, and how am I supposed to gain experience if nobody wants to give me a chance? Reading stories like these, I conclude that the people writing them are exactly the ones who didn't get into this field for the right reasons.
If you are here for the right reasons, what follows is the brutal truth about how to land your first job in IT in general, and in cybersecurity in particular. The principle, and the steps, are exactly the same in both cases.
Once you finally decide to head in this direction, it doesn't really matter whether you choose self-study, formal education, or a course. Everyone picks the approach that suits them best. The most important thing is to stay true to yourself.
My recommendation, though, is to enroll in university, primarily because of the traditional approach and structure. Courses are fast, often cover only general topics, and last a very short time, so they're great for scratching the surface. University isn't necessarily better, but it offers a structure that courses simply don't have.
University does take more time, but in return you gain the virtue of patience, which is absolutely essential in this line of work. There's also the free dopamine of passing exams and solving assignments, almost like completing quests in a video game. The heavy dose of mathematics is also extremely important because it trains your brain to think analytically, and traditional education ultimately offers a broader, more general foundation.
But here's the key thing: if you don't plan to study on your own in your free time on top of all that, the whole effort is pointless. In that case, you're better off not pursuing this career at all. Self-study is not an option, it's the foundation.
Google is still your best friend, even in the age of artificial intelligence. Ask yourself: am I resourceful, do I enjoy searching and digging for answers? If you don't mind when a simple troubleshooting task turns into hours of exhaustive digging through documentation, forums, and logs, feel free to keep reading.
There are various virtual events where you can get vouchers for certifications, and many of them are completely free. It just takes a bit of research. Which brings us right back to resourcefulness as a core trait.
Think about your habits at home as well: do you fix technical problems yourself, do you run a virtual machine or two? How many times have you installed an operating system on your own, and how many times have you broken your own computer while experimenting? If you recognize yourself in this, there's a good chance you will genuinely love this industry.
There are plenty of platforms offering quality CV templates, so there's no need to reinvent the wheel. Your CV must fit on a single page, have a white background, and look tidy, not like a circus. The format should be PDF, and my recommendation is to leave your photo out of it, something you can research further on your own.
Conciseness, brevity, and simplicity are the rule. Use a formal, neutral font, state your full name, a short description in a few lines, and your completed education. Anything that doesn't serve the goal, cut it out.
In my own CV, I don't list all the jobs I've had before, because they simply aren't relevant to this industry. At interviews, that left the impression of a gap in my career and, predictably, raised questions. But when I was asked about it, I didn't take it negatively; instead, I used the question to deliver a great answer.
People fear questions like that, yet psychologically, they can be turned to your advantage. An example answer: I decided to switch to this industry and didn't list jobs that aren't relevant to it, and besides, it bothered me that my CV spilled onto a second page, which wasn't aesthetically pleasing. And why is there a gap? Because I decided on a career pivot and was brave enough to head in the direction that has genuinely interested me my whole life.
After the CV, the cover letter is extremely important as well. When you're looking for your first job, your letter must be bold and direct. There's no room for lukewarm, generic phrases that an employer reads a hundred times a day.
I usually opened my letters with the sentence: "I don't know anything yet, but I'm interested in this and that, and in my free time I study the following." Everything else you write must, above all, be grounded in honesty. Always stay true to yourself, because doors are always open to individuals who embrace their uniqueness.
Let's be realistic: your first job will most likely mean working for a modest salary, or as we'd say, peanuts. Be patient and accept it, because it's your ticket into the industry. Don't think too much about the number at the beginning; instead, work hard and rack up hours of real practice.
Be prepared to be thrown into the fire from day one. Take on every challenge that comes your way until you become confident in yourself and your knowledge. That is the only way forward.
Cybersecurity is a field where you need to know a lot, so setting priorities wisely is crucial. My advice is to focus on networking fundamentals, because without them you simply can't move forward. By that I mean understanding the OSI and TCP/IP models, the difference between TCP and UDP, and how a packet actually travels from point A to point B.
Learn the essential ports and protocols by heart: 80 and 443 for HTTP and HTTPS, 22 for SSH, 53 for DNS, 25 for SMTP, 3389 for RDP, 445 for SMB. Along with that come HTTP status codes, because the difference between 200, 301, 403, 404, and 500 tells you a lot about what's happening on the web. Add to that a basic understanding of network devices: what a switch does, what a router does, and what a firewall does.
The next priority is operating systems and basic knowledge of processes, primarily Windows processes, since most business environments run on the Windows platform. Because people themselves are the biggest security risk, and they predominantly use Windows, it's important to know the processes that can easily be abused to compromise a system. You need to be able to recognize legitimate system processes like svchost.exe, lsass.exe, or explorer.exe, and understand why it's suspicious when such a process runs from the wrong path or with an unusual parent process.
That brings us to the process chain: who spawned whom, in what order, and with what arguments. When you see Word spawning PowerShell, and PowerShell downloading something from the internet, that's a story you must be able to tell at an interview. Learn where and how to find that information, for example in Windows event logs, because that is every analyst's daily bread.
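To make the "who spawned whom" story concrete, here is an added example of my own (not code from the original post) that walks a set of constructed Windows process-creation events, loosely modelled on Sysmon Event ID 1 / Security Event ID 4688 fields, reconstructs the parent chain, and flags the two things the text describes: a system binary name running from the wrong path or under the wrong parent, and an Office application spawning a script host. All PIDs, paths and command lines are made up.

```python
import ntpath

# Constructed process-creation events (PIDs, paths and command lines are invented for the example).
EVENTS = [
    {"pid": 720,  "image": r"C:\Windows\System32\services.exe", "parent_pid": 612,
     "parent_image": r"C:\Windows\System32\wininit.exe", "cmdline": "services.exe"},
    {"pid": 804,  "image": r"C:\Windows\System32\lsass.exe", "parent_pid": 612,
     "parent_image": r"C:\Windows\System32\wininit.exe", "cmdline": "lsass.exe"},
    {"pid": 4312, "image": r"C:\Windows\System32\svchost.exe", "parent_pid": 720,
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "parent_pid": 3316,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"WINWORD.EXE" invoice.docm'},
    {"pid": 5204, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_pid": 5120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"pid": 6001, "image": r"C:\Users\Public\svchost.exe", "parent_pid": 5204,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "svchost.exe"},
]

# Where the core Windows binaries normally live and who normally starts them.
EXPECTED_PATH = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "services.exe": r"c:\windows\system32\services.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def process_chain(events, pid):
    """Walk parent_pid links back to the root and return 'ancestor > ... > process'."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(ntpath.basename(ev["image"]))
        pid = ev["parent_pid"]
        if pid not in by_pid:  # parent was started before logging began; use the recorded parent image
            chain.append(ntpath.basename(ev["parent_image"]))
    return " > ".join(reversed(chain))


def analyze(events):
    """Return (pid, reason) findings for the suspicious patterns described in the text."""
    findings = []
    for ev in events:
        child, parent = name(ev["image"]), name(ev["parent_image"])
        if child in EXPECTED_PATH and ev["image"].lower() != EXPECTED_PATH[child]:
            findings.append((ev["pid"], "system binary name running from unexpected path: " + ev["image"]))
        if child in EXPECTED_PARENT and parent != EXPECTED_PARENT[child]:
            findings.append((ev["pid"], f"{child} spawned by {parent}, expected {EXPECTED_PARENT[child]}"))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append((ev["pid"], f"Office application {parent} spawned script host {child}: {ev['cmdline']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in analyze(EVENTS):
        print(f"PID {pid}: {reason}\n    chain: {process_chain(EVENTS, pid)}")
```

The three legitimate events (services.exe, lsass.exe and svchost.exe under their expected parents) produce nothing; the Word-to-PowerShell step and the fake svchost.exe dropped in C:\Users\Public each produce a finding, and the chain for the latter reads explorer.exe > WINWORD.EXE > powershell.exe > svchost.exe, which is exactly the narrative an interviewer wants to hear.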
Furthermore, you need to understand what hashes are and why they're useful to us. Algorithms like MD5, SHA-1, and SHA-256 are used for verifying file integrity, identifying malicious code, and storing passwords. When you can explain at an interview why the same malicious sample can always be recognized by its hash, and why MD5 is no longer a safe choice, you're already ahead of most candidates.
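As an added example (mine, not from the original post), the following shows the three properties the paragraph relies on: the same bytes always give the same digest, a one-byte change flips roughly half the bits of the digest, and a sample can be matched against an indicator set by its SHA-256. The "sample file" and the indicator set are constructed in the block; the only real values are the well-known digests of the empty input used in the check.

```python
import hashlib

# Constructed sample "file" and a copy with its last byte changed (not real malware).
SAMPLE = b"MZ\x90\x00" + b"A" * 60
TAMPERED = SAMPLE[:-1] + b"B"


def digests(data):
    """The three algorithms the text mentions; MD5 and SHA-1 are shown for comparison only."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def file_sha256(path, chunk_size=1 << 20):
    """Hash a file from disk in chunks so large samples never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def bits_changed(hex_a, hex_b):
    """Fraction of differing bits between two equal-length hex digests (avalanche check)."""
    a, b = int(hex_a, 16), int(hex_b, 16)
    return bin(a ^ b).count("1") / (4 * len(hex_a))


# Indicator set keyed by SHA-256, the way a sandbox report or feed would supply it.
# Built from the constructed sample here, so this value is a stand-in, not a real IoC.
KNOWN_BAD_SHA256 = {digests(SAMPLE)["sha256"]}


def is_known_bad(data):
    """Identify a sample by its SHA-256 regardless of file name or location."""
    return digests(data)["sha256"] in KNOWN_BAD_SHA256


if __name__ == "__main__":
    for alg, value in digests(SAMPLE).items():
        print(f"{alg:7s} {value}")
    print("known bad:", is_known_bad(SAMPLE), "tampered copy known bad:", is_known_bad(TAMPERED))
    print("bits changed by one byte:", round(bits_changed(digests(SAMPLE)["sha256"],
                                                          digests(TAMPERED)["sha256"]), 2))
```

The reason MD5 is no longer a safe choice is not visible in this output: its digests still look random, but collisions (two different inputs with the same MD5) are cheap to produce, so an MD5 match alone no longer proves you are looking at the same file. Use SHA-256 for identification and integrity, and keep MD5 only for matching against legacy indicator lists.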
Then there's OSINT, the gathering of information from publicly available sources. It covers everything from advanced searches and public registries to tools for checking the reputation of domains, IP addresses, and files. The resourcefulness I wrote about earlier comes into full play here.
And finally, Linux: let this operating system be your daily prayer, because most security devices and systems run precisely on Linux or on Linux-based systems. Learn to navigate the terminal, read logs from the /var/log directory, handle commands like grep, cat, ps, and netstat, and understand file permissions. Operating systems are, I repeat, the foundation of everything, and above all of it stands one rule: be consistent.
If you'd like to know which CV template I recommend or which education I think is worth it, feel free to send me a message. I'll gladly share concrete recommendations from my own experience, and take a look at the links where I also offer my own courses. Good luck, and see you in the industry!
When people think of a home firewall, many still imagine a device that simply allows or blocks traffic between a local network and the internet. However, modern solutions have evolved far beyond that role.
Today's firewalls can analyze application traffic, perform SSL/TLS inspection, leverage threat intelligence sources, identify known attack patterns, and make security decisions based on far more than just IP addresses and ports.
As a result, technologies that were once reserved for enterprise environments are now available to anyone looking for greater visibility and control over their network, whether for learning, testing new technologies, or building a home lab.
For this comparison, I focused on three solutions that are frequently mentioned among network administrators and enthusiasts: Sophos Firewall Home Edition, OPNsense, and pfSense.
While all three products can easily handle core functions such as routing, NAT, VPN connectivity, and network segmentation, the differences become apparent when evaluating security capabilities, integrations, administration, and overall design philosophy.
Sophos Firewall Home Edition is built on the same platform used in enterprise environments. As a result, users gain access to a wide range of capabilities typically found in significantly more expensive commercial solutions.
In addition to standard traffic filtering rules, it includes IPS, web filtering, application control, SSL/TLS inspection, geo-IP filtering, protection against various network attacks, and advanced threat detection capabilities.
One particularly interesting feature is Extended Threat Feeds. Through API integrations, administrators can automatically import IOCs such as malicious IP addresses, domains, and URLs from external sources. This allows the firewall to consume data from threat intelligence platforms, custom IOC feeds, or other security systems and automatically make decisions about blocking or flagging traffic.
For users interested in automation, integrations, and modern defensive strategies, this is a highly valuable capability that is rarely seen in free home editions.
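Whatever product does the importing, the step between "fetch the feed" and "block the traffic" is the one that deserves care, so here is an added example of my own (not Sophos code, and not the Extended Threat Feeds API) of normalizing a feed before its indicators reach a firewall. The JSON shape and every entry are constructed; the filter deduplicates, drops expired and malformed indicators, and refuses anything inside RFC 1918 space so a bad feed line cannot cut your own LAN off.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed feed in a simple JSON shape of my own; it is not any vendor's real feed format.
FEED_JSON = json.dumps([
    {"value": "203.0.113.45", "type": "ip", "expires": "2030-01-01T00:00:00Z"},
    {"value": "203.0.113.45", "type": "ip", "expires": "2030-01-01T00:00:00Z"},        # duplicate
    {"value": "192.168.1.10", "type": "ip", "expires": "2030-01-01T00:00:00Z"},        # LAN address: never block
    {"value": "bad.example.com", "type": "domain", "expires": "2030-01-01T00:00:00Z"},
    {"value": "http://bad.example.com/login", "type": "url", "expires": "2030-01-01T00:00:00Z"},
    {"value": "old.example.net", "type": "domain", "expires": "2020-01-01T00:00:00Z"},  # expired
    {"value": "not an indicator", "type": "ip", "expires": "2030-01-01T00:00:00Z"},    # malformed
])

# RFC 1918 space: an indicator inside it is a feed error or a poisoned feed, and importing it
# would block our own hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"(?=^.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def usable_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    # The sample uses documentation addresses (203.0.113.0/24) as stand-ins for external hosts,
    # which ipaddress does not consider global, so the dangerous categories are checked explicitly.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def usable_domain(value):
    return DOMAIN_RE.match(value.lower()) is not None


def usable_url(value):
    p = urlparse(value)
    return p.scheme in ("http", "https") and p.netloc != ""


VALIDATORS = {"ip": usable_ip, "domain": usable_domain, "url": usable_url}


def normalize_feed(feed_json, now=None):
    """Return ({type: sorted unique indicators}, [(value, reason) for rejected entries])."""
    now = now or datetime.now(timezone.utc)
    blocklist = {"ip": set(), "domain": set(), "url": set()}
    rejected = []
    for entry in json.loads(feed_json):
        kind, value = entry.get("type"), entry.get("value", "").strip()
        expires = datetime.fromisoformat(entry["expires"].replace("Z", "+00:00"))
        if kind not in VALIDATORS:
            rejected.append((value, "unknown type"))
        elif expires <= now:
            rejected.append((value, "expired"))
        elif not VALIDATORS[kind](value):
            rejected.append((value, f"invalid or unsafe {kind}"))
        else:
            blocklist[kind].add(value)
    return {k: sorted(v) for k, v in blocklist.items()}, rejected


if __name__ == "__main__":
    accepted, dropped = normalize_feed(FEED_JSON)
    print(json.dumps(accepted, indent=2))
    for value, reason in dropped:
        print(f"rejected {value!r}: {reason}")
```

Logging the rejected entries matters as much as the accepted ones: a sudden spike of rejections usually means the feed changed format, and a private address turning up in a public feed is worth a question to whoever publishes it.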
What stands out most to me is how much functionality is integrated directly into the platform. There is no need to install multiple add-ons or combine several separate components to achieve advanced security functionality.
Deployment is relatively straightforward, the administrative interface is easy to navigate, and a large number of features are available immediately after installation. Because of this, Sophos feels like a very complete solution that successfully combines ease of use with advanced security capabilities.
OPNsense represents a different philosophy.
As an open-source project, it offers users a very high level of flexibility and control. Rather than following a predefined approach, administrators decide which components they want to use and how they want to implement them.
One of OPNsense's greatest strengths is its extensive ecosystem of plugins. Tools such as Suricata, WireGuard, Zenarmor, HAProxy, and many others can be integrated into an existing environment with relative ease.
This approach enables the creation of highly customized and powerful environments tailored to specific requirements. At the same time, it requires additional time for configuration, maintenance, and understanding the various components involved.
For administrators who prefer complete control over every aspect of their infrastructure, this is often OPNsense's biggest advantage.
pfSense has long been one of the most recognizable names in the home and small business firewall space.
Its greatest strengths are platform maturity, a large user community, and extensive documentation. Almost any issue you encounter has likely been documented or solved by someone before.
From a functionality standpoint, pfSense remains a highly capable solution that can satisfy the needs of most users. It is stable, proven, and well known throughout the networking community.
That said, in recent years part of the community has gradually shifted toward OPNsense, primarily due to its more open development model and faster adoption of certain features.
When comparing security products, one question inevitably comes up: which one is the most secure?
In reality, the answer is not that simple.
Sophos has experienced several serious vulnerabilities that allowed remote code execution and other forms of system compromise. Due to its significant presence in enterprise environments, such issues often receive considerable attention from the security community.
On the other hand, both OPNsense and pfSense regularly release security updates addressing newly discovered vulnerabilities. The mere existence of CVEs says very little about the quality of a product. What matters far more is how quickly vendors respond, how transparently they communicate issues, and how easily users can apply available patches.
Another concept worth discussing is technological diversity.
When designing security architecture, the goal is not always to find a single solution capable of doing everything. Depending on requirements and available resources, there can be value in using multiple security technologies.
The reason is not only functionality but also risk reduction. If an entire infrastructure relies on a single vendor, a critical vulnerability may have a much greater impact than in an environment built on multiple technologies.
Different vendors use different development teams, security controls, and defensive approaches. A vulnerability affecting one product will not necessarily exist in another.
From an attacker's perspective, homogeneous environments are often more predictable. More diverse environments typically require additional research, adaptation, and resources to compromise successfully.
Of course, introducing additional technologies also increases operational complexity, so finding the right balance between security and manageability remains important.
All three products have their place and their audience.
OPNsense will likely appeal most to users seeking maximum flexibility and openness. pfSense remains a stable and proven platform backed by a large community and extensive documentation.
In this comparison, Sophos Firewall Home Edition stood out the most to me. The amount of functionality available immediately after deployment, ease of implementation, integrated security capabilities, and the ability to leverage threat intelligence data without additional tools left a very positive impression.
Of course, this is far from the final list of technologies I plan to explore.
One of the reasons I maintain a home lab is the opportunity to test different technologies, compare approaches from different vendors, and gain hands-on experience outside production environments.
That brings me to a question for the wider community.
What solution should I implement next in my home lab? Are there any firewalls, IDS/IPS platforms, networking tools, or security products that you believe deserve more attention than they currently receive?
Feel free to leave your suggestions in the comments. One of them might become the subject of a future technical review.
In cybersecurity, the focus is almost always on technology. Organizations invest significant resources into defensive systems, advanced firewalls, EDR platforms, threat detection systems, network segmentation, and multi-factor authentication. Security assessments are performed, patches are regularly applied, and strict security policies are defined.
Despite all of this, sometimes a single click is enough.
One link. One fake login page. One attachment opened at the wrong moment.
In that moment, months of security work and significant financial investments in protection systems can be undone.
This does not mean that security technologies are ineffective. On the contrary. Their proper implementation is the foundation of any serious security strategy. The issue is that most security solutions protect infrastructure, while attackers very often target the people who operate and use that infrastructure.
Attackers use different methods to reach their objective. Sometimes they exploit technical vulnerabilities, sometimes misconfigurations, and sometimes they attempt to deceive the user.
Social engineering is a separate approach that relies on manipulating human decisions rather than exploiting technical weaknesses in systems.
In an environment where technical defenses are becoming stronger, attention is increasingly shifting toward the human element.
Why invest time in breaking into systems when it is possible to trick a user into approving access or voluntarily providing credentials?
For this reason, the human factor becomes a key entry point for attackers.
It is often assumed that users are careless or insufficiently trained. This explanation oversimplifies the real problem.
Most employees do not come to work with the intention of harming the organization. Their primary focus is performing their assigned tasks.
Accountants process invoices. Sales representatives communicate with clients. Project managers manage projects. None of them are hired to analyze technical email headers or verify sender domains.
Security teams often forget that security is their own primary responsibility, not the primary responsibility of most employees.
When a person receives a message that appears to come from a manager, supplier, or colleague, the decision is made within seconds. A large portion of successful attacks relies on this speed of decision making.
After an incident, the same sentence is heard again and again: "But I thought I was talking to the CEO."
Many organizations can present records of completed security training. Employees attended presentations, confirmed participation, and completed mandatory tests.
The real question remains the same: are they actually more capable of recognizing an attack afterwards?
The quality of training is not measured by the number of sessions delivered, but by changes in behavior in real situations.
A particular issue arises with phishing simulations. Instead of serving as a realistic assessment, they often become a tool to demonstrate that no real problem exists.
If the results are poor, explanations are sought. If click rates are high, the simulation is declared unrealistic. In some cases, campaigns are stopped early to make the results appear more acceptable.
Such an approach does not improve security. It only creates an illusion of control.
An organization that does not accept its real state does not solve the problem. It only delays the moment when an actual attacker will expose it.
One of the most common misconceptions in the industry is the belief that it is possible to build a system that cannot be compromised.
Such a system does not exist.
Every technology has limitations. Every process has exceptions. Every human can make mistakes.
Organizational maturity is not measured by whether incidents can be fully prevented, but by how quickly they are detected and how effectively they are handled.
This is precisely why security tools provide real value.
EDR is not implemented to make systems unbreachable. SIEM is not introduced to eliminate all threats. Multi-factor authentication is not a guarantee of complete protection.
There is no universal solution in cybersecurity.
These systems exist to provide better visibility, higher quality data, and stronger response capabilities when incidents occur.
Security is not a state. Security is a process.
The most advanced security system will not independently analyze the context of an incident. It will not understand business impact. It will not make decisions.
Technology generates data. People turn that data into decisions.
For this reason, the human factor is both the greatest risk and the most important element of defense.
The same user who can become an entry point for compromise can also be the one who first notices suspicious activity and responds in time.
Cybersecurity is not a fight against users. It is a process in which human behavior is shaped to become part of the defensive mechanism rather than its weakness.
Technology is necessary. Processes are necessary. But at the end of every infrastructure stands a human being.
For this reason, the human factor remains one of the key challenges of modern cybersecurity.
I recently came across a program that gives you a 100% discount voucher for Microsoft certification exams, and I think more people should know about it.
👉 https://skillupwithlevelup.com/courses
Personally, I completed three courses and received two vouchers — so my best guess is that the limit is two vouchers per person. Choose your courses wisely.
This is a legitimate opportunity to get certified without spending money, as long as you're prepared and move quickly.
Have you tried this already? Drop a comment — would love to hear which certifications people are going for.
📌 Always check the prerequisites. All expert-level certifications require at least one associate-level certification before you can earn them. For example, to achieve the SC-100 (Cybersecurity Architect Expert), you must first hold SC-200, SC-300, or AZ-500. Make sure you double-check the requirements for your target certification before you enroll in the course.
Wazuh is an open-source SIEM and XDR platform that provides centralized collection, analysis, and correlation of security events from endpoints, network devices, and cloud services. Thanks to its modular architecture and combined agent-based and agentless approach, it is ideal for home labs, education, and smaller production environments.
Setting up a home SIEM is an excellent way to understand real security processes: log collection, event correlation, anomaly detection, and incident response. This guide walks through the entire process — from preparing the virtual machine to ingesting logs from endpoints and firewalls.
For the Wazuh server, a Linux distribution such as Ubuntu Server or Debian is recommended. A minimal configuration for a home lab includes:
According to Wazuh documentation, resource consumption scales linearly with the number of agents. Each agent generates its own volume of events including authentication logs, system changes, FIM entries, processes, and network activity. This means CPU, RAM, and disk requirements increase depending on the number of endpoints.
A small home lab with a few agents can run on 2–4 GB RAM, while environments with ten or more agents require additional resources to keep indexing and event processing stable.
After creating the VM in VirtualBox, VMware, or Proxmox, install the operating system and assign a static IP address so the Wazuh server is easily reachable by other devices.
Wazuh provides a simple installation script that automatically deploys Elasticsearch, Kibana, and the Wazuh server. This is the fastest and most stable method for home use.
On a fresh OS installation, run:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a
The installation takes a few minutes.
Once complete, the Wazuh dashboard is available in your browser, typically at:
https://IP-address:5601
Log in using the initial credentials generated by the installation script.
Wazuh agents collect logs from Windows, Linux, and macOS systems. On Windows, the agent is installed via an MSI installer, while Linux systems use the package manager.
In the Wazuh dashboard, open: Agents → Deploy new agent
Choose the operating system and follow the instructions.
Key parameters include:
Once installed, the agent registers automatically and begins sending logs including system events, authentications, file changes, processes, and network activity.
Wazuh can receive Syslog events from any firewall capable of sending logs to a remote Syslog server. Since Wazuh includes a built-in Syslog listener, the firewall can send logs directly to Wazuh without requiring an intermediate server.
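The built-in listener only accepts events once a syslog connection is enabled in the manager's remote section. The page does not show that step, so here is the form I use, as an added example (not the page's own configuration) that assumes the firewall lives in 192.168.1.0/24 and sends over UDP port 514; adjust both to your lab.

```xml
<!-- Added example: goes inside /var/ossec/etc/ossec.conf on the Wazuh manager.
     allowed-ips restricts which sources may deliver syslog; keep it to the firewall's subnet. -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
```

Restart wazuh-manager after the change and confirm the listener is up with ss -lunp (look for port 514 held by wazuh-remoted) before pointing the firewall at it; a firewall that logs to a port nobody listens on fails silently.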
When the firewall sends events, Wazuh stores them in:
/var/ossec/logs/archives/archives.log
The logs are stored in raw form under agent ID 000 because this is an agentless source.
If logs do not appear, enable log archiving in ossec.conf:

    <global>
      <alerts_log>yes</alerts_log>
      <logall>yes</logall>
      <logall_json>yes</logall_json>
    </global>

Then restart the manager:

    sudo systemctl restart wazuh-manager
If logs appear in archives.log but not in the dashboard, Wazuh needs a decoder to interpret the firewall event structure.

Add a decoder to:

    /var/ossec/etc/decoders/local_decoder.xml

Example generic decoder (note that src_port and dst_port are unquoted in the sample event below, so the regex must not expect a closing quote after dst_port):

    <decoder name="Firewall_Generic">
      <type>syslog</type>
      <prematch>device_name="</prematch>
    </decoder>

    <decoder name="Firewall_Generic_child">
      <parent>Firewall_Generic</parent>
      <!-- type="pcre2": the [^"] character classes are not valid in Wazuh's default OS_Regex syntax -->
      <regex type="pcre2">device_name="(\S+)" timestamp="([^"]+)" log_type="([^"]+)" src_ip="([^"]+)" dst_ip="([^"]+)" protocol="([^"]+)" src_port=(\d+) dst_port=(\d+)</regex>
      <order>device_name,timestamp,log_type,src_ip,dst_ip,protocol,src_port,dst_port</order>
    </decoder>
Rules are added to:

    /var/ossec/etc/rules/local_rules.xml

Example:

    <group name="custom_firewall">
      <rule id="100040" level="3">
        <decoded_as>Firewall_Generic</decoded_as>
        <description>Firewall Log Event</description>
      </rule>
    </group>
Wazuh includes a built-in tool for testing decoders and rules. It is important to verify that all fields appear correctly and that the alert triggers successfully.
Run:
/var/ossec/bin/wazuh-logtest
Paste a firewall log, for example:
device_name="FW" timestamp="2024-01-01T12:00:00+0100" log_type="Firewall" src_ip="1.2.3.4" dst_ip="5.6.7.8" protocol="TCP" src_port=1234 dst_port=443
If everything is configured correctly, wazuh-logtest shows the event matched by the Firewall_Generic decoder, lists the eight decoded fields (device_name through dst_port) with the values from the pasted line, and reports that rule 100040 fired.
Restart the manager afterward:
sudo systemctl restart wazuh-manager
Firewall logs should now appear in the Wazuh dashboard.
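To see what the decoder and rule chain above actually does to an event, here is an added example of my own (not Wazuh code and not part of the original guide) that applies the same regex and field order to a few constructed firewall lines and then evaluates rules the way the manager does, keeping the highest-level match. Rule 100040 is the one from the guide; rule 100041, which raises the level for an accepted inbound RDP connection, is hypothetical and added here only to show why a child rule with a condition is worth writing.

```python
import re

# Constructed firewall syslog lines in the key="value" layout the decoder expects.
SAMPLE_LOGS = [
    'device_name="FW" timestamp="2024-01-01T12:00:00+0100" log_type="Firewall" src_ip="1.2.3.4" '
    'dst_ip="5.6.7.8" protocol="TCP" src_port=1234 dst_port=443',
    'device_name="FW" timestamp="2024-01-01T12:00:05+0100" log_type="Firewall" src_ip="203.0.113.9" '
    'dst_ip="192.0.2.10" protocol="TCP" src_port=51234 dst_port=3389',
    'device_name="FW" timestamp="2024-01-01T12:00:06+0100" log_type="Firewall" src_ip="203.0.113.9" '
    'dst_ip="192.0.2.10" protocol="TCP" src_port=51235 dst_port=3389',
    "this line is not a firewall event",
]

# Same prematch, regex and <order> as the decoder in the guide.
PREMATCH = 'device_name="'
FIELD_RE = re.compile(
    r'device_name="(\S+)" timestamp="([^"]+)" log_type="([^"]+)" '
    r'src_ip="([^"]+)" dst_ip="([^"]+)" protocol="([^"]+)" '
    r"src_port=(\d+) dst_port=(\d+)"
)
ORDER = ["device_name", "timestamp", "log_type", "src_ip", "dst_ip", "protocol", "src_port", "dst_port"]

# (rule id, level, description, condition). 100040 is the guide's rule; 100041 is hypothetical.
RULES = [
    (100040, 3, "Firewall Log Event", lambda f: True),
    (100041, 8, "Inbound RDP accepted by firewall",
     lambda f: f["protocol"] == "TCP" and f["dst_port"] == "3389"),
]


def decode(line):
    """Mimic the parent/child decoder: prematch first, then extract fields in <order>."""
    if PREMATCH not in line:
        return None
    m = FIELD_RE.search(line)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def evaluate(fields):
    """Return (rule id, level, description) of the highest-level rule whose condition holds."""
    best = None
    for rule_id, level, desc, cond in RULES:
        if cond(fields) and (best is None or level > best[1]):
            best = (rule_id, level, desc)
    return best


def process(lines):
    """Decode each line and attach the winning rule, as an alert record."""
    alerts = []
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue
        rule_id, level, desc = evaluate(fields)
        alerts.append({"rule_id": rule_id, "level": level, "description": desc, **fields})
    return alerts


if __name__ == "__main__":
    for alert in process(SAMPLE_LOGS):
        print(f"[{alert['rule_id']}] level {alert['level']}: {alert['description']} "
              f"{alert['src_ip']}:{alert['src_port']} -> {alert['dst_ip']}:{alert['dst_port']}")
```

If a line passes the prematch but the regex does not match (for instance because a field is quoted differently on a new firmware version), decode() returns None here and Wazuh likewise leaves the event undecoded; that is exactly the case wazuh-logtest exposes, so test every new log format with it before trusting the dashboard.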
A home SIEM is not just an educational project — it provides real visibility into security events occurring within your network. Wazuh is powerful enough for professional environments while remaining accessible for home labs and learning purposes.
Throughout this series, we will explore additional Wazuh configuration topics and other security products to build a sustainable and understandable security ecosystem.
Security cannot be bought in a box. Yet many organizations behave as if it can. Security software is often sold as an instant solution, but without expert handling it becomes little more than expensive shelfware.
In today’s cybersecurity landscape, tool sprawl is increasingly common — an obsessive race to buy more and more security solutions under the assumption that quantity equals protection.
Vendors present flashy dashboards and catchy acronyms, resellers promise perfect layered defenses, and executives with limited technical oversight approve purchases without understanding operational impact.
The reality is much simpler: without proper integration, skilled experts, management, and strategy, more tools frequently create less security.
Every security tool introduces additional agents, rules, logs, and alerts. Multiply that by dozens of systems and organizations often create chaos instead of visibility.
Many tools overlap in functionality, conflict with each other, or operate in complete isolation without sharing context.
In some environments, tools actively interfere with one another. Firewalls block legitimate traffic flagged elsewhere, DLP systems collide with backup solutions, and SIEM platforms fail to correlate events due to incompatible formats.
The result is reduced visibility, missed alerts, slower incident response, frustrated teams, and sometimes a dangerous false sense of security.
Security vendors frequently rely on fear, uncertainty, and doubt to drive purchases. Breach statistics and expensive “silver bullet” products are used to convince organizations that another purchase automatically means stronger protection.
This sales model works because many organizations lack strong technical leadership and trusted security advisors capable of evaluating whether tools are actually necessary or sustainable.
It is not uncommon for companies to spend hundreds of thousands of euros on products that remain unused or only partially implemented.
Cybersecurity functions as a chain where every component must communicate and support the others. If one component is misconfigured or disconnected, the entire chain weakens.
More tools mean more integrations, more maintenance, more patching, and more opportunities for misconfiguration.
Instead of coordinated defense, many organizations create fragmented and noisy environments where attackers exploit gaps between disconnected systems.
Another frequently ignored element is the end user. Security exists to protect people, yet many strategies overlook usability completely.
If tools are invasive, confusing, or poorly explained, users eventually bypass them, disable them, or unintentionally create additional risk.
Security tools are expensive for legitimate reasons including development, maintenance, and support costs. Vendors deserve profit, but profit should not outweigh responsibility.
Security should focus on education, realistic risk assessment, and alignment between technology, processes, and people.
Trusted advisors — whether internal security architects or external consultants — play a critical role in evaluating actual organizational needs and preventing unnecessary complexity.
Before purchasing another “silver bullet,” organizations should first improve the fundamentals:
Most breaches happen because of exposed systems, stolen credentials, or misconfigurations — not because the newest tool was missing.
Security starts with hygiene, not hype.
Security is not about accumulating tools. It is about making technology work together through strategy, expertise, and operational discipline.
Cyber defense is not a shopping list. More tools do not automatically mean stronger protection. Sometimes they simply create more confusion, cost, and vulnerability.
Organizations should shift their mindset from endless spending toward integration, hardening, and sustainability. That is where effective security actually begins.