Cybersecurity analyst career: an ordered reading path to break in
This curriculum takes a complete beginner from zero cybersecurity knowledge to job-ready analyst skills across four tightly sequenced stages. Each stage builds on the last — first establishing networking and security fundamentals, then diving into threats and defense, then mastering SOC operations and blue-team tradecraft, and finally targeting the certifications (CompTIA Security+, CySA+) that employers expect from entry-level analysts.
Foundations: Networking & Security Basics
BeginnerUnderstand how networks function, how data moves, and what the core concepts of cybersecurity (CIA triad, attack surfaces, basic protocols) actually mean — the vocabulary every later book assumes.
▸ Study plan for this stage
Pace: 8–10 weeks, ~40–50 pages/day (Kurose first 4–5 weeks; Chapple 4–5 weeks)
- OSI and TCP/IP models: how data is layered and transmitted across networks
- DNS, HTTP/HTTPS, and TCP/UDP protocols: how applications communicate and why encryption matters
- IP addressing, subnetting, and routing: how packets find their destination
- The CIA triad (Confidentiality, Integrity, Availability): the foundational security objectives
- Attack surfaces and threat models: identifying what can be exploited and why
- Symmetric vs. asymmetric cryptography: how encryption protects data in transit and at rest
- Authentication, authorization, and access control: verifying identity and managing permissions
- Common vulnerabilities and attack vectors: SQL injection, phishing, malware, man-in-the-middle attacks
- Explain the difference between TCP and UDP, and describe a real-world scenario where you would use each protocol.
- Draw and label the OSI model layers, then map common protocols (HTTP, DNS, TCP, IP) to their respective layers.
- What is the CIA triad, and how does each component (Confidentiality, Integrity, Availability) apply to a web server storing customer data?
- Describe the difference between symmetric and asymmetric encryption, and explain why HTTPS uses both.
- What is an attack surface, and how would you identify potential attack surfaces in a small business network?
- Explain how subnetting works and why network segmentation improves security.
- Using Wireshark, capture and analyze live network traffic; identify HTTP, DNS, and TCP handshake packets and describe what each field means.
- Set up a simple home lab with VirtualBox: create two virtual machines, configure static IP addresses and subnetting, and verify connectivity with ping and traceroute.
- Perform a basic port scan on your lab network using nmap; document which ports are open and map them to services (HTTP, SSH, DNS).
- Create a threat model diagram for a hypothetical small business (e-commerce site): identify assets, threat actors, attack vectors, and map each to a CIA triad component.
- Configure a basic firewall rule set (using iptables or Windows Firewall) to allow only specific protocols and ports; document your reasoning for each rule.
- Decrypt a sample HTTPS session using Wireshark and a pre-shared key (or analyze a plaintext HTTP session); explain why HTTPS prevents eavesdropping.
Next up: Mastering these foundational concepts—how networks operate, how data moves, and what security really means—equips you to understand threat detection, incident response, and defensive strategies in the next stage.

The gold-standard networking textbook; reading it first ensures you truly understand TCP/IP, DNS, HTTP, and routing before you try to defend or attack them.

Covers every foundational security domain (cryptography, identity, risk, threats) in plain language — read it as a structured primer, not just exam prep, to build a complete mental map of the field.
Threats & Attacker Mindset
BeginnerLearn how attackers think, what common attack techniques look like end-to-end, and why understanding the offensive side is essential for effective defense.
▸ Study plan for this stage
Pace: 8–10 weeks, ~40–50 pages/day (mix of dense technical content and practical examples; allow extra time for re-reading complex sections and running exercises)
- HTTP request/response cycle and how web applications communicate—the foundation for identifying where attacks occur
- Common web vulnerabilities (SQL injection, XSS, CSRF, broken authentication, insecure deserialization) and their real-world exploitation chains
- Attacker reconnaissance and enumeration techniques—how adversaries map targets before launching attacks
- Low-level memory exploitation concepts (buffer overflows, shellcode, return-oriented programming) and why they matter in modern systems
- The attacker's workflow: reconnaissance → scanning → exploitation → post-exploitation → maintaining access
- Defense evasion techniques attackers use (obfuscation, encoding, polymorphism) and why they're effective
- Why understanding offensive techniques is non-negotiable for building robust defenses and threat modeling
- Walk through a complete SQL injection attack: how would an attacker identify the vulnerability, craft the payload, and extract data? What defenses would stop it?
- Explain the difference between reflected and stored XSS attacks. Why is stored XSS more dangerous, and how would you test for both?
- Describe the reconnaissance phase an attacker would perform before targeting a web application. What information are they gathering and why?
- What is a buffer overflow, and why can it lead to arbitrary code execution? How does ASLR or stack canaries mitigate this?
- How would you explain the attacker's mindset and workflow to a non-technical stakeholder? Why does understanding offense improve defense?
- Compare two different web vulnerabilities from the handbook (e.g., CSRF vs. broken authentication). How would you test for each in a real application?
- Set up a deliberately vulnerable web application (DVWA or WebGoat) and perform a complete SQL injection attack end-to-end: identify the parameter, craft payloads, extract data, then document the attack chain
- Practice XSS exploitation: inject payloads into a vulnerable form, steal session cookies, and demonstrate impact; then implement input validation and output encoding to fix it
- Conduct active reconnaissance on a test target (with permission): use tools like nmap, whois, DNS enumeration, and web crawling to map the attack surface, documenting what an attacker would discover
- Write a simple C program with a buffer overflow vulnerability, exploit it locally to achieve code execution, then recompile with protections (stack canaries, ASLR) and explain why exploitation becomes harder
- Analyze a real CVE from the handbook or Hacking (e.g., a famous web vulnerability or memory exploit): trace the vulnerability from discovery through exploitation, then propose a fix
- Create a threat model for a simple web application: identify potential attackers, their goals, and likely attack vectors based on techniques from both books; prioritize defenses accordingly
Next up: This stage establishes the attacker's perspective and common exploitation techniques, providing the threat context and vulnerability knowledge needed to move into the next stage—defensive analysis, secure coding, and building detection/response capabilities.

Web attacks are the most common threat analysts encounter; this book methodically explains injection, authentication flaws, and session attacks so you can recognize and triage them in alerts.

Goes deeper into how exploits actually work at a technical level — reading this after the web book gives you attacker intuition that makes log analysis and incident triage far more meaningful.
Blue Team & SOC Operations
IntermediateDevelop practical analyst skills: log analysis, SIEM use, threat detection, incident response workflows, and the day-to-day reality of working in a Security Operations Center.
▸ Study plan for this stage
Pace: 12–14 weeks, ~40–50 pages/day with 2–3 days per week for hands-on labs and exercises
- Network security monitoring (NSM) as a continuous defensive discipline: collection, analysis, and escalation workflows
- SIEM architecture, log ingestion, normalization, and correlation rules for detecting multi-stage attacks
- Threat hunting methodologies: hypothesis-driven investigation, baselining normal behavior, and identifying anomalies
- Incident response frameworks: detection, containment, eradication, recovery, and post-incident analysis
- Log analysis techniques: parsing, filtering, pivoting on indicators of compromise (IoCs), and timeline reconstruction
- Computer forensics fundamentals: evidence preservation, chain of custody, artifact analysis, and timeline construction
- SOC operations reality: alert fatigue, triage workflows, escalation procedures, and cross-team communication
- Practical threat intelligence integration: using indicators and TTPs to tune detection and prioritize investigations
- What are the three core functions of network security monitoring, and how do they differ from traditional IDS/IPS approaches?
- How does a SIEM normalize and correlate logs from disparate sources, and what are common pitfalls in rule tuning that lead to alert fatigue?
- Walk through a complete incident response workflow from detection to post-incident review—what are the key decision points and handoffs?
- Describe the process of threat hunting: how do you form a hypothesis, baseline normal behavior, and validate findings without false positives?
- What are the critical forensic principles (chain of custody, evidence preservation, volatile data collection) and why does order of volatility matter?
- Given a sample log dataset, how would you identify a lateral movement attack, extract the timeline, and document findings for legal/compliance purposes?
- Set up a SIEM lab (Splunk, ELK, or open-source alternative) and ingest logs from a test network; create at least 3 correlation rules to detect common attack patterns (brute force, data exfiltration, privilege escalation)
- Perform log analysis on a provided pcap or raw log file: identify suspicious IPs, domains, and user accounts; create a timeline of events and document findings in an incident report
- Conduct a threat hunt using publicly available threat intelligence (MITRE ATT&CK, AlienVault OTX): select a TTP, search your lab environment for evidence, and document your hypothesis and results
- Simulate a live incident response scenario: receive an alert, perform triage, collect forensic artifacts (memory dump, filesystem timeline, network connections), and present findings to a mock incident commander
- Build a forensic timeline from raw artifacts (Windows Event Logs, file system metadata, network logs) and reconstruct the sequence of attacker actions
- Document a complete incident from detection through post-incident review: write the executive summary, technical analysis, root cause, remediation steps, and lessons learned
Next up: This stage transforms you from a security fundamentals learner into a hands-on analyst who can detect, investigate, and respond to real attacks—preparing you for advanced specialization in either threat hunting, forensics, or security architecture in the next stage.

The definitive guide to NSM — teaches you how to collect, analyze, and act on network traffic and logs, which is the core daily task of a SOC analyst.

A concise, practical field reference for SOC workflows, SIEM queries, and escalation procedures; read after Bejtlich to translate concepts into repeatable analyst processes.

Closes the loop on the incident lifecycle — from detection through containment, eradication, and lessons learned — giving you the full picture of what happens after an alert fires.
Advanced Analysis & Certification Mastery
ExpertSharpen threat-hunting and malware-analysis skills, and consolidate everything into targeted preparation for the CompTIA CySA+ (the analyst-specific certification most employers require).
▸ Study plan for this stage
Pace: 12–14 weeks, ~40–50 pages/day (Practical Malware Analysis: 6–7 weeks; CompTIA CySA+ Study Guide: 5–7 weeks)
- Static and dynamic malware analysis techniques: disassembly, debugging, behavioral observation, and sandbox execution
- Reverse engineering fundamentals: assembly language, PE file structure, API calls, and control flow analysis
- Threat hunting methodology: indicator of compromise (IoC) generation, log analysis, and attack pattern recognition
- Incident response and threat analysis workflows: triage, containment, eradication, and post-incident review
- CySA+ exam domains: threat management, vulnerability management, incident response, and security tools/technologies
- Practical malware families and real-world attack scenarios: understanding motivations, delivery mechanisms, and persistence techniques
- Security monitoring and SIEM integration: log correlation, alerting, and forensic artifact interpretation
- Compliance and reporting: communicating findings to stakeholders and documenting analysis for legal/regulatory purposes
- What are the key differences between static and dynamic malware analysis, and when would you use each approach?
- How do you identify and extract indicators of compromise (IoCs) from a malware sample, and how would you use them in threat hunting?
- Walk through the steps of reverse engineering a simple malware binary: what tools would you use, and what artifacts would you examine?
- Describe the incident response lifecycle and explain how malware analysis findings feed into containment and eradication decisions.
- What are the five CySA+ exam domains, and how do threat hunting and malware analysis skills apply to each?
- How would you design a threat hunt based on a known malware family or attack pattern, and what data sources would you prioritize?
- Complete 3–5 hands-on malware analysis labs from Practical Malware Analysis (Chapters 9–18): use IDA Pro/Ghidra, debuggers, and sandboxes to analyze real samples; document your findings in a structured report
- Perform static analysis on a provided PE binary: identify imports, strings, sections, and suspicious characteristics without executing it
- Set up a controlled malware analysis lab environment (VM, network isolation, monitoring tools) and execute a benign malware sample dynamically; capture process behavior, network traffic, and registry changes
- Generate a comprehensive IoC list from a malware sample (file hashes, domains, IPs, registry keys, file paths) and practice querying threat intelligence platforms
- Conduct a simulated threat hunt: given a set of logs (firewall, DNS, proxy, endpoint), identify suspicious patterns, correlate events, and write an executive summary of findings
- Work through 5–10 CySA+ practice exam questions per week, focusing on scenario-based questions about incident response, threat analysis, and tool usage
- Create a malware analysis report template and document 2–3 samples in professional format, including technical details, IoCs, and recommended mitigations
Next up: This stage transforms you from a defensive analyst into a proactive threat hunter and certified CySA+ professional, positioning you to lead incident investigations, design detection strategies, and mentor junior analysts in the next stage of your career.

Teaches you to reverse-engineer and understand malicious code — a skill that separates junior analysts from senior ones and is increasingly expected even at Tier 1/2 SOC roles.

Directly maps to the CySA+ exam objectives (threat intelligence, vulnerability management, incident response) and serves as a structured review of everything learned in earlier stages, with exam-focused reinforcement.
Discussion
Keep reading
Paths that share books, cover the same subject, or open a related topic.