blogs
Getting Started in Cybersecurity: My Student Roadmap
My path from a Bachelor's in Computer Applications to an MS in Cybersecurity at BU -- and the roadmap I'd give any student starting out.
Getting Started in Cybersecurity: My Student Roadmap
If you had told me two years ago that I'd be studying for a Master's in Cybersecurity at Boston University, writing firmware for an embedded security chip, and hunting vulnerabilities with my own automated tools — I'd have laughed. But here I am. And I want to share exactly how I got here, and more importantly, how you can too.
Why Cybersecurity?
I started with a Bachelor's in Computer Applications at REVA University. We had an Ethical Hacking course in year two, and something clicked. I remember sitting in the lab, running my first Nmap scan on a controlled target and watching ports light up on the screen. It felt like reading a building's blueprint for the first time — you see every door, every window, every hidden entry. I was hooked.
But passion alone doesn't build a career. You need a structured path, real skills, and hands-on practice. Here's what I wish someone had told me when I started.
The Foundation: Understand What You're Protecting
Before you learn how to attack or defend systems, you need to understand what those systems are. This means:
- Networking basics: Learn TCP/IP, DNS, HTTP/HTTPS, and how packets travel across networks. A tool like Wireshark will make this tangible — you can literally watch traffic flow.
- Operating systems: Get comfortable in Linux. Most security tools run there, most servers run there, and most exploits target it. Spend time in the terminal every single day.
- Programming: Python is your best friend in this field. Automation, scripting exploits, writing parsers — Python handles all of it. I also recommend learning Bash scripting early.
I'd say spend the first three to six months just building this foundation. It feels slow, but it pays off enormously.
The CIA Triad: Your Security Compass
Every security decision you make will come back to three principles: Confidentiality, Integrity, and Availability. Known as the CIA Triad, these three pillars define what security actually means in practice.
- Confidentiality means only authorized people can access data.
- Integrity means data isn't altered without authorization.
- Availability means systems and data are accessible when needed.
When I'm analyzing a vulnerability or designing a defense, I always ask: which of these three does this impact? That question alone will sharpen your thinking significantly.
Certifications Worth Your Time
I've gone through several certifications, and not all are created equal. Here's my honest take:
Google Cybersecurity Professional Certificate — This is where I'd tell every beginner to start. It covers SIEM fundamentals, IDS/IPS, log analysis, and incident response in a hands-on, accessible way. You'll work with real tools like Splunk and Chronicle. It's free through Google's scholarship programs and absolutely worth the time.
Microsoft Cybersecurity Analyst — If you want to get into cloud security or enterprise environments, this one is invaluable. I gained real experience with Microsoft Defender, Azure AD, and threat analytics. The detection and response modules are especially practical.
AWS Cloud Solutions Architect — Cloud security is non-negotiable today. Almost every company runs on AWS, Azure, or GCP. Understanding VPCs, IAM roles, S3 bucket policies, and Lambda security controls is a baseline requirement for modern security roles.
CompTIA Security+ and CEH are commonly recommended, and they're solid — but I'd say build real skills before chasing certs. The certs confirm your knowledge; they don't substitute for it.
Practical Skills: What Actually Matters
Reading about cybersecurity is necessary. Doing cybersecurity is what builds intuition. Here's how I build practical skills:
CTF competitions — Capture The Flag competitions are the fastest way to get hands-on with real attack and defense scenarios. Platforms like HackTheBox, TryHackMe, and PicoCTF are where I spend a lot of my spare time. Each challenge teaches you something new, whether it's a web vulnerability, a binary exploitation technique, or a forensic analysis puzzle.
Home Lab — I run VMs in VirtualBox with intentionally vulnerable systems like DVWA (Damn Vulnerable Web Application) and Metasploitable. Having a safe environment to break things and understand why they break is invaluable. It's where textbook knowledge becomes muscle memory.
Build things — Don't just hack demos. Build your own security tools. My Bounty Hawk project — a penetration testing automation tool that runs OWASP Top 10 checks — taught me more about web vulnerabilities than any course. When you build a scanner, you have to understand what you're scanning for.
MITRE eCTF: My Biggest Learning Experience Yet
This year I joined the MITRE eCTF 2026 competition as part of the Northeastern University team. We were tasked with designing secure firmware on an Arm Cortex-M0+ processor — bare-metal embedded security. Think key derivation, cryptographic authentication, and secure communications, all implemented in C without an OS beneath you.
This competition pushed me harder than anything else I've done. Working with hardware security constraints — limited memory, no standard library, strict timing requirements — forces you to think about security in a completely different way. Every byte matters. Every function call has to be accounted for.
If you ever get the chance to participate in eCTF, do it. It's one of the most respected hardware security competitions in the country.
What's Next?
My current roadmap focuses on offensive security — specifically penetration testing and vulnerability research. I'm building toward roles in firmware security and application security. If that path sounds interesting to you, here are my recommendations:
- Build the foundation (networking, OS, Python)
- Get hands-on with CTFs and home labs
- Start with the Google Cybersecurity Certificate
- Learn one domain deeply — web app security, network security, or cloud security
- Build something — a scanner, a monitor, a detection script
- Connect with the community — Discord servers, local DEF CON chapters, open-source projects
The field is vast and constantly evolving. That's what makes it exciting. You'll never run out of things to learn.
Final Thoughts
Cybersecurity isn't just a career — it's a mindset. You're constantly questioning how things work, probing assumptions, and thinking like both the attacker and the defender. That dual perspective is what makes this field unlike any other.
If you're just starting out and feeling overwhelmed, know this: every expert you admire was once exactly where you are. The difference is they kept going. So keep going.
Pallavi Srinivasappa is an MS Cybersecurity student at Boston University with experience in penetration testing, SIEM operations, and embedded security. She is currently seeking security internship opportunities.
