
From curious gamer to senior cyber operator.

Six honest stages. The duration ranges are real · faster than the slow end is rare, slower than the fast end is normal. Salary bands are from public 2024-2026 data (Levels.fyi, Pave, salary.com, federal pay tables). Certifications are real. The proof bar at each stage is observable — you either hit it or you didn't.

00

duration · Weeks

Curious gamer

You read this page and decide to try one TryHackMe room this weekend. You install a VM (VirtualBox, free), spin up Kali Linux (free), and finish the 'Introduction to Cyber Security' learning path. Zero money spent. Zero certifications. You learn that the field has a posture you can recognize.

::skills at this stage

  • Linux command line basics (cd, ls, grep, ssh, cat, less, nano)
  • TCP/IP fundamentals — what an IP address is, what a port is, what HTTP is
  • Reading a CVE entry and understanding what it describes
  • Hex / binary / base64 conversion in your head for short strings

::proof of stage

Finished TryHackMe's 'Introduction to Cyber Security' learning path + the 'Pre-Security' path. Public profile visible.

::salary band

None yet

::cumulative hours

20-40 hours total

01

duration · 3-6 months

Beginner

You finish TryHackMe's 'Junior Penetration Tester' learning path. You read 'The Web Application Hacker's Handbook' (2nd ed, Stuttard + Pinto) and you do every PortSwigger Web Security Academy lab in the Apprentice tier. You understand the OWASP Top 10 in the same way you understand the rules of your favorite game.

::skills at this stage

  • Burp Suite (free Community edition) for intercepting web traffic
  • Basic Python scripting (read + modify + write small scripts)
  • Common vuln classes: XSS, SQLi, IDOR, CSRF, SSRF — what each is and why it works
  • Active Directory basics (if you're going corporate)
  • Subnetting · ports · protocols at the level a junior SOC analyst knows

::proof of stage

Top 5% on TryHackMe leaderboard. Five-plus rooms completed at Medium or Hard. CompTIA Security+ passed (~$370 exam fee, the federal-friendly entry cert).

::salary band

Entry SOC analyst $50-75K · helpdesk-to-cyber pivot

::cumulative hours

300-500 hours total

02

duration · 6-12 months

Practitioner

You pass the OSCP (Offensive Security Certified Professional) exam. This is the most respected entry-tier offensive credential in the world as of 2026. The exam is 24 hours of live hacking against five machines + a 24-hour report write-up. You can't fake it. People who pass OSCP get interviews at every penetration testing firm.

::skills at this stage

  • Active Directory exploitation paths (Kerberoasting, AS-REP roast, ACL abuse) — taught in OSCP curriculum
  • Bash / PowerShell scripting at intermediate level
  • Privilege escalation Linux + Windows · using only LinPEAS / WinPEAS + manual enum
  • Buffer overflow basics (still in some OSCP variants, increasingly in OSED)
  • Report writing for a non-technical executive reader

::proof of stage

OSCP passed. HackTheBox 'Pro Hacker' rank or higher. First HackerOne or Bugcrowd valid finding submitted (any severity).

::salary band

Junior pentester $75-110K · in-house security engineer $90-140K

::cumulative hours

800-1500 hours total

03

duration · 1-3 years post-OSCP

Specialist

You specialize. The field bifurcates into deep tracks: web application security, internal network / Active Directory pentest, red team operator, application security engineer (defending instead of attacking), reverse engineer / malware analyst, cloud security (AWS / Azure / GCP), AI security. You pick one and earn a serious credential in it. You ship your first public CVE under your name.

::skills at this stage

  • Domain-deep expertise in one track (e.g., for web: HTTP/2 smuggling, SSRF deep dives, race conditions, OAuth flow attacks)
  • Tool development · you build your own. Even if it's just glue scripts that automate triage.
  • Conference talk submission ready (DEF CON, Black Hat, BSides, regional cons)
  • Public footprint — Twitter/X technical posts, blog, GitHub with security tooling
  • Mentor stage 0-1 candidates · the act of teaching is the senior-level competence check

::proof of stage

OSEP, OSEE, OSED, GPEN, GWAPT, GCFR, or equivalent advanced cert. Public CVE credit. Conference talk accepted (any tier). Five-figure HackerOne / Bugcrowd career earnings.

::salary band

Senior pentester $130-200K · staff security engineer $180-280K · red team operator $150-230K · bug bounty solo $50-400K (highly variable)

::cumulative hours

Cumulative 2500-4500 hours

04

duration · 3-7 years from start

Pro

You hold a senior or principal role at a real security org. Or you run a successful bug bounty solo career. Or you're a federal cyber operator with a clearance. You shape strategy, not just tickets. You hire and grow other practitioners. The work is half technical and half judgment — picking the right engagement to take on, knowing when a finding is real and when it's a false positive, knowing when to escalate to leadership vs handle quietly.

::skills at this stage

  • Threat modeling at the system level (STRIDE, attack trees, kill chains, ATT&CK mapping)
  • Pre-sales / scope-writing for engagements (consulting track) OR program management (in-house track)
  • Mentoring junior-mid practitioners formally
  • Speaking at industry conferences as a known voice
  • Publishing research that the field actually reads

::proof of stage

Principal / staff / senior title. Or independent contractor charging $300-650/hr. Or GS-13/14 federal / O-3 commissioned officer in cyber-coded billet. Or top-50 HackerOne hacker by lifetime earnings.

::salary band

Principal AppSec $220-380K total comp · CISO at small-mid co $250-500K · top bounty hunter $300K-$1M+

::cumulative hours

Cumulative 6000-10000 hours

05

duration · 7+ years

Lead

You set direction for a security organization, a practice, or a research agenda. Director / VP of security at a real company. Federal Senior Executive Service or O-5+ in military. Boutique-firm partner. Researcher who shifts the field. This is rare, takes a decade, and is not for everyone. Not everyone wants this · being a senior IC is fine and pays well.

::skills at this stage

  • Org-design for security teams
  • Board / C-suite reporting · translating technical risk into financial risk
  • Hiring + retention at scale
  • Public-facing voice — interviews, congressional testimony, vendor relations

::proof of stage

VP Security, CISO, SES, O-5+, full partner. Industry-shifting research published.

::salary band

CISO $400K-$1.5M+ total comp at scale · partner equity stake in firm · SES $200K + benefits

::cumulative hours

10000+ hours

Where people quit (and how to not).

Stage 01 → 02 plateau. The OSCP wall. The first 30-50 HackTheBox boxes are humbling. People who quit here read about hacking instead of doing it. The fix: do one box per week, post your write-up (sanitized), iterate. The volume IS the skill.

Stage 02 → 03 plateau. The specialization decision feels final. It isn't. Most senior practitioners re-specialize once or twice over a career. Pick the track that matches what you actually enjoy doing on a Tuesday night, not the one that pays most on paper. Burnout from the wrong track will end your career faster than a market downturn.

Stage 03 → 04 plateau. The technical ladder has a ceiling that's lower than the management ladder, by a lot, at most companies. People who want to stay technical without losing salary need to join a frontier security org (Mandiant, CrowdStrike, Trail of Bits, Bishop Fox, NCC Group, Praetorian, IOActive, frontier model labs' security teams) or go independent. Independent is harder than employed; both are real paths.

Skipping the legal page. Some otherwise talented people end their careers in their early 20s with a federal indictment from a Computer Fraud and Abuse Act violation that started as “just looking.” Read /learn/cyber/legal before you do any technical work. Every working professional in this field can point to people they knew who didn't.
