Loading...
Engineering Roadmap
Cybersecurity Engineer Roadmap
Modern cybersecurity is less about firewalls and more about identity, supply chain, cloud configuration, and incident response. This roadmap covers the path from fundamentals to production-grade security engineering.
8 stages 6-12 months Intermediate Engineers transitioning into security, or builders who want to ship secure systems
By the end you’ll be able to
- 1Spot OWASP Top 10 issues in code review
- 2Configure cloud IAM securely
- 3Run a credible incident response
- 4Audit a supply chain (SBOMs, signed artifacts)
- 5Use AI for security work without making it worse
01
Stage 1 4-6 weeks
Foundations
Networking, OS, cryptography
Understand what you're protecting. TCP/IP, DNS, TLS, OAuth, hashing, symmetric vs asymmetric crypto. You don't need to implement crypto, but you must know when it's broken.
Skills to develop
TCP/IP & TLS basicsSymmetric & asymmetric cryptoOAuth, OIDC, JWTHashing & password storage
02
Stage 2 4-6 weeks
Application Security
OWASP Top 10 deeply
Most breaches still come from web app bugs. Master injection, XSS, SSRF, broken access control, deserialization, and the rest. Read the OWASP Top 10 and re-read it every year.
Skills to develop
SQL injection & prepared statementsXSS, CSRF, SSRFBroken access controlInsecure deserializationServer-side request forgery
03
Stage 3 3-4 weeks
Identity & Access
The new perimeter
Identity is the modern security boundary. Master IAM in your cloud of choice, least privilege, RBAC, MFA, and how to scope tokens.
Skills to develop
AWS / GCP / Azure IAMRBAC & ABACMFA & passkeysToken scoping & rotation
04
Stage 4 3-5 weeks
Cloud Security
Configuration is the enemy
Most cloud breaches are misconfigurations. Learn to use CSPM tools (Wiz, Prowler, ScoutSuite), secure cloud networking, and lock down storage.
Skills to develop
S3/GCS/Blob hardeningVPC designCSPM toolingSecrets management
05
Stage 5 3-4 weeks
Detection & Response
Logs, alerts, runbooks
If you can't see it, you can't stop it. Centralized logging, behaviour analytics, and a runbook for the top 5 incidents. Practice with tabletops.
Skills to develop
SIEM basics (Splunk, Datadog, Panther)EDR conceptsIncident response playbooksTabletop exercises
06
Stage 6 2-3 weeks
Supply Chain
Trust, but verify
SBOMs, signed artifacts, dependency scanning. The xz incident reminded everyone this matters. Use Sigstore, Snyk, Trivy, and similar.
Skills to develop
SBOM generation & consumptionSigstore / cosignDependency scanning (Snyk, Trivy)Reproducible builds
07
Stage 7 Ongoing
Offensive Skills
Think like the attacker
Even defenders benefit from offensive practice. Set up labs, run CTFs, and learn to use the tools attackers use (Burp, Nmap, Metasploit in legal labs only).
Skills to develop
Burp Suite for webNmap, WiresharkCTF practice (HTB, TryHackMe)Bug bounty etiquette
08
Stage 8 2-4 weeks
AI in Security
Both sides of the line
Attackers use AI for phishing, defenders use AI for triage. Learn the new threat model (prompt injection, data exfiltration via LLMs) and the new defenses (LLM-assisted SOC, AI-powered code review).
Skills to develop
Prompt injection defenseAI-assisted code reviewLLM SOC tooling
Resources
Ready to build with what you've learned?
We pair these roadmaps with hands-on engagements pair-programming, code review, and architecture support.