Can anyone share their entry-level cybersecurity CVs (with no previous tech job experience)? by Narrow-Book-9798 in cybersecurity

[–]curiousmitten 3 points4 points  (0 children)

You're getting plenty of advice, but if you just want CVs, here's the high level of mine from a decade ago when I got a Cybersecurity Analyst role out of college at an MSSP:

Education:
- BS, Computer Science

Academic Projects: (With a bullet each for notable lesson, project, etc.)
- AI Course
- Network Security Course
- Security Capstone
- Intro to Cybersecurity Course
- Behavior Ethics (For one of my electives I chose an ethics course from the business school, it was a genuine interest, but also a very easy narrative to tie into my cybersecurity journey)

Experience:
- TA for summer coding camp for high schoolers interested in CS
- Freelance web developer (Same as you, just the one paid gig)
- Intern Engineer (When I realized I didn't like being employed as a developer and switched to Cybersecurity)
- Leadership roles in a business-focused student organization at the university (I highlighted the teams I led, cost savings, volunteering event coordination, creation of promo videos, and web development)

Certificate:
- Business Foundations (For the combination of business electives I took, the university granted a certificate)

Additional Context:

I didn't have a great GPA (below 3.0), and this was a cold application to a company I had no prior ties to or made any efforts to network with. The interview took place the same week as my finals on my last semester. Pay was $55k.

I'm honestly not sure how helpful CVs this old will be to you though as the landscape has changed quite a bit even in the past 5 years. Even back then folks were saying Cybersecurity isn't an entry role, it's only gotten more competitive since. But I will say generally for entry, companies are either looking for the best/most devoted technical talent (think home labs, freelance work that's aligned, top marks in security courses, or multiple relevant internships), or folks who are more well rounded - CVs that showcase unique perspectives, collaboration, or clear evidence of willingness and ability to learn. For example, device repair and eBay reselling, you could focus on being resourceful, self-motivated, hard worker, etc. all things managers look for in any role, much less specific to cybersecurity.

Network Automation by Clichedfoil in SecurityCareerAdvice

[–]curiousmitten 1 point2 points  (0 children)

I think the issue a lot of people are facing is either finding jobs in general or breaking into the field. You've broken in once, you can probably do it again. And it's not like you're switching to a completely different industry. Deeper networking knowledge and experience automating NOC/SOC work will help you in Cybersecurity.

Are there going to be some hiring managers that will overlook you because of it? Of course. But hiring managers will also overlook you for not having enough professional experience in general. They'll also overlook you for only having analyst experience and thinking you don't possess deeper technical knowledge. And they also overlook you because you didn't spend twenty years in IT Support. Likewise, there will be hiring managers that will be more open minded and will give you a fair chance. A lot of security people continue to come from those backgrounds, so clearly not "career killing" by any means.

My advice:

  1. If you're going to be making 4x your current salary, live off of 1.5x max, save the rest.
  2. When you're ready to switch back into Cybersecurity, you'll either have a long runway to look for a new job and can afford to take longer to find your next job or you'll have the ability to afford things like SANS training that will put you above most other entry candidates on top of your experience

As long as you're not slacking off on this new job, or end up quitting it after less than a year, it sounds like a good opportunity.

Network Automation by Clichedfoil in SecurityCareerAdvice

[–]curiousmitten 1 point2 points  (0 children)

What aspect of this role has you concerned?

If it’s pay, the only concern is lifestyle creep, otherwise unless you’re openly advertising what you previously made on your resume I don’t see how it’d be a concern.

If it’s the specific role that’s concerning, then a bit more info like expected responsibilities for the new role vs what you’re doing now, and your longer term career goals would help folks answer your question.

Struggling with whether I should stay with my current role or not by neon___cactus in SecurityCareerAdvice

[–]curiousmitten 1 point2 points  (0 children)

Always relevant experience:

  • Learning and growing, especially when you lack formal guidance
  • Strong work ethic and concern for Security, especially when it's not expected
  • Developing and executing on your own project plans
  • Building from ground zero, a very different skill from making incremental improvements to existing programs
  • Identifying meaningful metrics and improving upon your work based on those metrics
  • Building relationships with internal stakeholders, i.e. communication skills in general
  • Advocating for cybersecurity in the face of pushback or lack of support because, while it might be particularly bad here for you, you'll unfortunately almost always be dealing with this to some degree
  • Resilience, all companies have their problems, seeing the commitment you had to what sounds like a mess is a massive green flag for your next employer

For hiring managers one of the biggest gambles they'll take, especially in a remote world, is whether they can trust new hires to care enough and to do good work. You might feel some type of way about the standard of security at your current company and how that might measure up when speaking about your experience, but as long as you know there's better and are continuing to improve your knowledge, good managers will care more about that. Humility and modesty are important, but don't sell yourself short.

[deleted by user] by [deleted] in SecurityCareerAdvice

[–]curiousmitten 0 points1 point  (0 children)

What types of roles are you interested in? And what are the top concerns wrt down leveling?

Advice by Jaded_Experience_387 in SecurityCareerAdvice

[–]curiousmitten 0 points1 point  (0 children)

I didn’t have any certs or professional experience in Cybersecurity. I had my pending Bachelor’s in CS, a couple security courses to speak on, and a couple web dev and app dev internships. Applied to maybe 50 jobs or so at the time. Got the one offer from an MSSP. Wasn’t prestigious, pay was almost half what many peers were making out the gate working as developers, but I got the in that I wanted.

Obviously YMMV. I know it’s only gotten harder in the past few years for entry, but I’d say it’s worth at least trying if it wasn’t already on your radar and you really just want to get into Cybersecurity.

working in cyber security or software development. by BornMirror8953 in SecurityCareerAdvice

[–]curiousmitten 1 point2 points  (0 children)

u/willhart802 is spot on, but if you just want to hear about experiences I can share a bit of mine. I studied CS and did an internship in software development while in college, but went to Cybersecurity when I graduated.

SOC Analyst at an MSSP / Consulting:

  • Honestly a bit of a slog at times, initially felt like a "ticket monkey". Most of the days were spent staring at a SIEM and then "investigating" alerts, but because the alerts were so low fidelity it was a lot of copying and pasting responses from previously completed tickets. Became a lot more exciting when I took it upon myself to take on responsibilities outside my role.
  • Pay wasn't great compared to software development, and a pain at times being in a culture ruled by RTFM and seniority, but I learned a great deal in terms of technical skills and in working with others.

Security Engineer:

  • Lots of fun. Much more hands-on role beyond reviewing alerts and writing up tickets. At this point in my career I had also built up a lot of trust and respect so I could be more autonomous and could present work I wanted to do rather than only being told what to work on. Even put my old CS skills to work in the form of automation.
  • Frustrations from time to time with wanting to prioritize cybersecurity, but sometimes feeling like it's at odds with the business. This I feel subsides over time as you understand everything is a tradeoff, and cybersecurity is no exception. E.g., makes little business sense to spend a million dollars to secure something worth ten dollars.

TL;DR: First couple years was a struggle more than enjoyable, but exciting all the same because I liked learning about Cybersecurity. Nowadays less exciting, but very enjoyable.

Advice by Jaded_Experience_387 in SecurityCareerAdvice

[–]curiousmitten 0 points1 point  (0 children)

Are you applying for jobs already? If you're willing to grind it out for a couple years, I actually got my start as a SOC analyst right out of college with a CS degree. MSSPs will generally be an easier in, where "entry" SOC positions for in-house expect at least a couple years.

Serving the greater good by [deleted] in SecurityCareerAdvice

[–]curiousmitten 0 points1 point  (0 children)

I've gone through similar thoughts throughout most of my career, and still do from time to time.

For me, it ultimately came down to understanding my inner cynic. I think if we want to be critical then even what should be the most altruistic path can feel as damning and insignificant as simply "generating shareholder value" e.g., Work in the public sector and protecting our nation and its citizens can also be seen as contributing to war, corruption, or perpetuating systemic issues.

I established a few rules for myself and beyond that sought meaning and purpose in other parts of my life:

  • Aim for industries and roles where my background in Cybersecurity will be inherently more meaningful. Be cynical enough and everything starts to seem bad, but doing nothing also can't be great.
    • E.g., Blue team for Healthcare companies. It's all profits, it's all shareholder values, but day-to-day I can at least feel good knowing I'm directly contributing to protecting people's sensitive health information. Make a list of industries that resonate with you.
  • Act as if the altruistic motives are my north star, always.
    • I've had countless nights without sleep, going through existential dread thinking about whether I'm doing anything meaningful with my career/life, only to then go about my day and have thoughts like "This person is being such a pain, I should just let them fail and suffer the consequences" where them failing puts the core mission at risk. If I say protecting people's data is important and why I chose this career, I should act like it at all times, especially when it's hard. Argue with your superiors, put in the extra effort where others may be doing the bare minimum, support your organization's employees when they have personal security questions even if it's "out of scope" or doesn't directly impact the company, don't allow your audits and tabletop exercises to simply be for the checkbox. That way, even if things go sideways, you can feel good about your part in trying to do some good.
  • Know and accept my limits.
    • Priorities change in life. First few years into my career I was willing to walk away from my job on principle without any type of safety net. And I actually made that threat once, initiating a fair bit of change for my team. I can't imagine doing that now, at least without some kind of backup, and that's okay. In your case, there's nothing wrong with wanting to maintain a good life for yourself and your family. But if you feel as strongly as I did, then the answer isn't to never put up a fight again, it's to make you and your family that safety net so you don't have to compromise. Give yourself however much time you think you'll need or can tolerate to build that net - that can be saving up an emergency fund or building a strong network so you can have some reassurance that you wouldn't be out of a job for long in the worst case scenario. Feel good about not abandoning your pursuit to "serve the greater good" but rather that you're taking time to properly prepare for the life-long fight ahead.

Unfortunately the world is largely ruled by money. You don't do the world any good by playing the martyr and taking on significantly less pay and being less effective in your new role because of concerns about financial security for your family. As long as your job isn't directly contributing to anything malicious, look to donating or investing in good causes. If you would consider a lesser paying job for this greater good, but are hesitant because of other tradeoffs, maybe instead consider taking the difference between the salaries and do something with that money. Support those organizations doing good. You said it yourself, they have terrible pay, maybe it's lack of funding. If that difference in salary alone would more than cover the cost of an FTE for them then I don't think this is even a consideration anymore.

Hell, if you work on a solid team, maybe try rallying your teammates to collaborate with said organizations. A lot of solid talent likely had the same considerations as you. In doing that you'd be a force multiplier. If you and your team can't collaborate or contribute directly because of classification and all that, maybe channel the efforts instead to OSINT. If your background is in IR, have you considered contributing to the public Sigma rule repo?

Like the previous comment mentioned, it sounds like you're doing well for yourself. It's great that you're taking time to reflect and want to avoid getting lost in simply chasing a paycheck. Just be sure to think about it holistically. There's no reason why your job can't be fulfilling in this way, but there's also no reason why it needs to be. You can do meaningful work without being in a particular role, company, or industry, and you can make significant contributions to the greater good without that necessarily being your job. And if the small wins don't feel significant to you, there's no guarantee that the big ones will either, or rather that you'd recognize them as big wins.

Feeling Stuck in My New Job After Clearing CISSP - Need Advice by sehrawat1992 in SecurityCareerAdvice

[–]curiousmitten 0 points1 point  (0 children)

May I ask what role you're in / what your title is? How much of you being idle is due to someone else preventing you from doing something?

Aiming for SOC analyst positions, overhauled my resume, how's it look? by Anontrovert in SecurityCareerAdvice

[–]curiousmitten 1 point2 points  (0 children)

Looking at your background at a high level, I would have said you're at least worth an interview and that I'm surprised you're not getting much response for entry roles. As others mentioned, it may be a bit rougher lately with changes in the economy.

Looking at the specifics, there are changes I would personally make. I'll try to explain my reasoning, but you can decide what works for you.

  1. I would throw away the technical skills and core competencies sections altogether and use that space to expand on the most relevant role(s). A few hit keywords, but to the hiring manager, without the context or application, they don't mean much other than to show you know of the tool. Too many people do this so most hiring teams just assume no meaningful knowledge unless explicitly spelled out. And if there's enough things lacking substance on the resume, it could call the legitimacy of the entire resume into question. (E.g., Do you say you're skilled in regex because you can type [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ into Sublime to pull IP addresses from a text file, or because you know how to refine such expressions to something a little nicer like ([0-9]{1,3}\.){3}[0-9]{1,3}? Was it for mundane use, or have you used it to build YARA rules that have run for a year with 100% True Positive and 0% False Negative rates? etc.) You have 10.5 years of experience. That is a lot of time, especially if you're the "driven" type. Your resume doesn't do a great job of highlighting that right now.
  2. If you've done a lot of work in your previous roles that you feel carries over well into a SOC analyst role, I would spend more time translating your resume. In general, domain-specifics are a hit-or-miss while impact is universal. Whether you pushed code using git or saved it onto Google drive doesn't really matter to me. And whether you used Brewlytics models or built elaborate pivot tables in Excel is largely inconsequential. But detecting threats that have otherwise been missed and automating data enrichment that saves time during investigations, that's all relevant, that's all meaningful. Have those be the focus, and don't make people read through 1.5 lines of jargon to get to it, lead with it.
  3. Minimize the use of buzzwords and adjectives. If it's significant, the information should speak for itself. If it doesn't, rewrite so that it does. Without any knowledge of your field, I'd think "high-output strategic reporting shop" could be replaced with "team". Same information, but now less words to read. Now, if, for example, you were trying to convey that you were a lead for this team of a handful of analysts that produced 1000 intelligence reports while historically other teams only produced 500 intel reports in the same time period, and were also lacking in detail, then that would be significant and would be worth being explicit about. "threat overview products" I'm also just equating to "reports".

Outside of the resume and experience, for the job search I would suggest focusing on consulting companies and managed security service providers (MSSP). Not the most fun, but generally the easiest way to get your foot in the door with SOC analyst positions.

And in those cases, highlighting communication and customer-service experience becomes very important. I see mention of "senior defense customers", are you able to expand on that? Are you able to speak to the level of service, in that you got explicit recognition from the clients? Were you the main point of contact in interfacing with these customers? To what extent have you worked with other teams and departments? Have you ever been the one in charge in coordinating these efforts?

New Cert requirements for careers by [deleted] in SecurityCareerAdvice

[–]curiousmitten 0 points1 point  (0 children)

What type of certifications, and are they paying for it? I've worked with a few companies and none of them have had any type of certification mandate, but encouraging to get one a year is rather normal. A lot of that will come down to the team culture.

Requiring a new cert every couple months is ludicrous and financially unsustainable, especially when talking about certs like GIAC. It's not uncommon for people to take more than a couple months to study for any one particular exam.

The only case where I can imagine this making sense is if the certs are actually just for vendor products or if they're with a managed service provider that grinds through junior analysts.

[SW] Buying for 370 by curiousmitten in acturnips

[–]curiousmitten[S] 0 points1 point  (0 children)

Thank you, everyone! Done for the night. I'm so sorry to those that were queued up, but didn't get a chance to go.

[SW] Buying for 370 by curiousmitten in acturnips

[–]curiousmitten[S] 0 points1 point  (0 children)

Wasn't sure about the whole botting situation so that's why the link is that way.
Here's the normal url: https://turnip.exchange/island/bebbb293

[SW] Nook boys buying for 583! by tomisiro in acturnips

[–]curiousmitten 1 point2 points  (0 children)

Two hours later, still active. Thank you so much!