You're looking at job boards and a pattern keeps jumping out: six figures, remote-friendly, “experience preferred but not required.” Cybersecurity jobs have been hard to fill for years, and the gap keeps widening. There are currently more than 514,000 open cybersecurity positions in the United States alone, with roughly one in four of them sitting vacant at any given time.
The field has a reputation for demanding computer science degrees, years of experience, and a stack of expensive certifications. Some of that is real. Some of it is gatekeeping that the industry itself is starting to push back on, because the shortage is too serious to wait for four-year graduates to fill it.
If you're considering a career change, a retraining, or just a serious income upgrade, here's what it actually takes: the costs, the timeline, the credentials that open doors, and the ones that don't.
Why this field can't be replaced by AI

Before committing to any retraining investment, it's worth asking the obvious question: will AI eliminate this field in five years? The short answer is no, and the reasoning matters.
AI is genuinely useful in cybersecurity. It can scan logs, flag anomalies, and triage alerts far faster than a human. But AI-generated threats are simultaneously driving a surge in demand for human defenders. Attackers are using the same tools. Phishing attacks are now generated at scale, ransomware is more sophisticated, and nation-state actors are deploying AI to automate intrusion campaigns. The attack surface is growing faster than any automated defense can cover it.
The tasks that AI handles well (pattern matching in massive datasets, alerting on known signatures) are also the most repetitive parts of entry-level work. That does change what entry-level looks like. Junior SOC analyst roles that involved mostly watching dashboards are evolving into roles that require more judgment, communication, and decision-making. That's actually good news for career-changers who are bringing real-world problem-solving experience from other fields.
The strategic parts of cybersecurity, such as incident response decisions, risk management, communicating a breach to leadership, and building a security culture inside an organization, require human judgment that AI cannot replicate. Employment of information security analysts is projected to grow 29% from 2024 to 2034, which is roughly seven times faster than the average for all occupations. That projection accounts for AI's growing presence in the field.
What the job market actually pays
The salary numbers are real and worth understanding before you invest in training. The median annual wage for information security analysts was $124,910 in May 2024, according to the Bureau of Labor Statistics. That's the midpoint: half earn more, half earn less.
Entry-level is lower. A SOC analyst or junior security analyst coming out of a bootcamp or certification program is typically looking at $65,000 to $85,000 to start, depending on location. That climbs fast. With two to three years of experience and a second certification, it's common to hit six figures. Senior roles in cloud security, penetration testing, or security architecture routinely reach $150,000 to $200,000.
The highest salaries cluster in Washington D.C. (driven by government contractor demand), California, New York, and Maryland. But remote work has genuinely opened the field. A lot of SOC work and security analyst work is fully remote, which means you can capture higher-market salaries without relocating to a high-cost city.
The honest picture on entry-level hiring

The job shortage is real. So is the entry-level paradox: many companies say they can't find enough cybersecurity workers while simultaneously requiring years of experience for roles labeled “junior.” This isn't unique to cybersecurity, but it's particularly pronounced here.
A few things help explain it. Some organizations define “cybersecurity role” very broadly, counting positions that have some security component rather than dedicated analyst jobs. Others are genuinely risk-averse about who monitors their networks and aren't willing to hire people with no track record. And some employers don't want to train; they want to hire someone who already knows the tools.
That last point is why the path into the field typically starts with either help desk or IT support experience (which gives you real system exposure before pivoting to security) or a deliberate combination of certifications plus a home lab plus portfolio projects that demonstrate you already know the tools. The people who break in with no prior IT experience at all are not impossible to find, but they've done the work to compensate for it. Showing up with just a certificate and no hands-on projects is a much harder sell.
The certifications that actually open doors
Cybersecurity certifications are the primary hiring signal in this field, especially for people without a degree or direct work experience. Employers, and particularly government contractors, use certifications as a shortcut for evaluating whether candidates know the fundamentals. Here's what matters most and roughly what it costs.
CompTIA Security+ is the baseline. It's the most requested certification in cybersecurity job postings and a requirement for most Department of Defense contractor roles under the DoD 8570 directive. The exam costs $425, and you'll realistically spend another $100 to $300 on study materials. Most people spend six to twelve weeks preparing if they already have some IT background; a bit longer if they're starting from scratch. Before tackling Security+, consider starting with CompTIA Network+ ($338), which gives you the networking foundation that Security+ builds on.
CompTIA CySA+ is the next rung after Security+. It focuses on behavioral analytics and threat detection, closer to actual analyst work, and is worth pursuing once you're in your first role. It signals that you're serious about advancing and opens doors to Tier 2 SOC analyst positions.
CISSP (Certified Information Systems Security Professional) is the gold standard for senior roles and security leadership. It requires five years of work experience in at least two of the eight security domains, so it's not a starting point; it's a destination. Still, it's worth knowing it exists because it's a clear target to work toward, and employers weight it heavily for leadership and architecture roles.
The Google Cybersecurity Professional Certificate on Coursera is a legitimate starting point if you're brand new and want to build foundational knowledge before tackling Security+. It requires no degree or prior experience and covers real tools like Splunk. At $59 per month through Coursera, you can complete it in three to six months for a few hundred dollars total. It won't replace Security+ in job applications, but it builds the baseline knowledge you need to pass Security+ and it's a better introduction than jumping straight into exam prep guides.
Bootcamps: when they're worth it and when they aren't

Cybersecurity bootcamps have proliferated quickly, and the quality varies enormously. The promise is consistent: get job-ready in 12 to 26 weeks, often with Security+ prep included, without a college degree. The reality is more nuanced.
Bootcamp costs typically run from $8,000 to $20,000, with the average around $10,000 to $12,000. Some programs offer income share agreements or deferred payment options. Job placement rates quoted by bootcamps are often optimistic and methodologically inconsistent, so treat them skeptically. A realistic figure from solid programs is 60% to 70% of graduates landing relevant work within six to ten months, but that number drops significantly for people who don't keep building skills after graduating.
Bootcamps that are worth considering include programs with NSA-validated curricula, those that include real SOC simulation environments (not just slideshow learning), and programs that pair you with working cybersecurity professionals as mentors. Programs like Level Effect's Cyber Defense Analyst program (~$5,000) are notably more affordable and focused on actual SOC Tier 1 and Tier 2 work. Per Scholas offers a tuition-free 15-week program for income-eligible adults that includes CySA+ exam vouchers at no cost, which is worth investigating if you qualify.
The graduates who do best from bootcamps are the ones who build a home lab on the side, contribute to capture-the-flag competitions, document everything on GitHub, and treat the bootcamp as a structure, not a destination. The people who struggle are the ones who assume the credential does the work for them.
The self-study path: slower, cheaper, just as viable
You don't need a bootcamp to get into this field. Plenty of people do it through self-study, and the total cost is dramatically lower, roughly $1,000 to $1,500 for certifications and materials if you're disciplined about it.
A realistic self-study roadmap looks like this: Start with the Google Cybersecurity Certificate or free resources on TryHackMe and Hack The Box to build fundamentals. Move into CompTIA Network+ to solidify networking knowledge. Then prepare for and pass Security+. While studying, build a home lab: a cheap used computer running virtual machines, where you practice log analysis, set up a firewall, and simulate incident response scenarios. That home lab is what gives you something concrete to discuss in interviews.
Timeline on this path is typically nine to fourteen months from zero to first job application, assuming consistent effort. It requires self-discipline that a structured bootcamp provides automatically. For people who can hold themselves accountable to a study schedule without external structure, it's genuinely the better financial decision. For people who know they'll drift without deadlines and accountability, a bootcamp may be worth the cost.
The IT help desk bridge: underrated and highly effective
One of the most reliable paths into cybersecurity doesn't start with cybersecurity. It starts with IT support.
Help desk and IT support roles give you real exposure to how networks work, what systems administrators deal with, how security incidents actually surface in day-to-day operations, and what it's like to troubleshoot under pressure. Many hiring managers in cybersecurity actively prefer candidates who have done a year or two of IT support over candidates who have only done coursework. You understand the environment you're defending.
Entry-level IT support roles typically pay $40,000 to $55,000. That's lower than the cybersecurity roles you're aiming for, but the path is shorter than you might expect. Spend six to twelve months in IT support while earning your Security+, build your home lab on evenings and weekends, and apply to SOC analyst and junior security analyst roles. Many companies also promote internally from IT support to security teams; that internal track sidesteps the credential-versus-experience paradox entirely.
This path is especially useful if you're currently employed somewhere with an IT department. Transitioning into the IT team first, even informally, gives you something no bootcamp can manufacture: documented real-world experience in a professional environment.
What backgrounds translate well

Computer science degrees are not the only relevant background, and in some cases, non-technical backgrounds are a genuine asset. Employers are increasingly explicit that they need people who can communicate risk to non-technical leaders, write clear incident reports, and think about security as a business problem, not just a technical one.
Backgrounds that translate well include: military service, particularly intelligence, signals, or IT roles, which often come with security clearances that make you immediately valuable to government contractors; law enforcement and investigations, which brings analytical thinking and report-writing skills directly applicable to incident response and forensics; finance, accounting, or compliance, which maps naturally into security audit, risk management, and GRC (governance, risk, compliance) roles; and nursing or healthcare administration, which brings familiarity with HIPAA requirements and the high-stakes data environment that healthcare cybersecurity demands.
If you have any of those backgrounds, lean into them when framing your transition. You're not starting over; you're adding a technical layer to domain expertise that most purely technical candidates don't have.
Specializations worth targeting early
Not all cybersecurity roles are the same, and targeting a specialization from the start makes your job search much more focused and your skills development more efficient. A few areas with strong entry-level demand and reasonable paths in:
SOC analyst is the most common entry point. You're monitoring security events, triaging alerts, and escalating incidents. It's largely shift work and can be repetitive at Tier 1, but it builds foundational experience fast and gives you a clear promotion path to Tier 2 and Tier 3 analyst roles.
Cloud security is where much of the growth is concentrated. As organizations move infrastructure to AWS, Azure, and Google Cloud, demand for people who understand cloud security architecture has surged. A Google Cloud Cybersecurity certificate pairs well with a Security+ for this track, and cloud-specific certs from AWS or Azure add significant value.
GRC (governance, risk, compliance) is heavily analytical and writing-intensive. It suits people transitioning from compliance, legal, finance, or policy backgrounds. It's less technically hands-on than SOC work but pays comparably and is genuinely undersupplied.
Penetration testing is the most technically demanding and competitive entry point. It's not a realistic first role without significant hands-on skill development. But if you're building a home lab and enjoying capture-the-flag competitions, it's a clear long-term direction to work toward after getting established in a foundational role.
What a realistic 12-month plan looks like

Month one through three: Choose your starting point (Google Cybersecurity Certificate, TryHackMe free tier, or Network+ prep) and start building foundational knowledge. Set up a basic home lab. Research whether the IT help desk bridge makes sense for your current situation.
Month three through seven: Study for and pass CompTIA Security+. Continue hands-on practice. Document projects and skills on a GitHub profile or simple portfolio website. If you're pursuing the bootcamp path, complete it during this window.
Month seven through twelve: Begin applying for SOC analyst, junior security analyst, or IT support roles with security focus. Attend local or virtual security meetups. Target employers who explicitly hire for entry level: smaller security firms, managed security service providers (MSSPs), and healthcare or financial organizations with active hiring pipelines. Expect a long application process; most cybersecurity hiring takes two to four months even for junior roles.
The path is real. The timeline is honest, not optimistic. People do this in less time with more intensity, and more time with less. What it consistently requires is hands-on practice, not just credential collecting. A portfolio of actual work beats a stack of certificates that don't demonstrate you've used the skills.
The field genuinely needs more people. That demand isn't going away.