Your 90-Day Cybersecurity Kickstart Plan
From Zero to Job-Ready
Everything in this book has been building to this chapter. You understand the landscape. You know which skills matter. You have seen how attacks work. You understand identity security. You know how to build a lab. You have the zero trust mindset. You understand AI's role. You know what hiring managers look for. And if entrepreneurship interests you, you have a sense of that path too.
Now it is time to put it all together into a concrete, week-by-week plan that takes you from wherever you are right now to job-ready in 90 days.
I want to be clear about what "job-ready" means: it means you have the foundational skills, a demonstrable portfolio, a relevant certification, and the ability to contribute meaningfully from day one in an entry-level security role. It does not mean you know everything. You will keep learning for the rest of your career. But after 90 days of focused effort, you will be a competitive candidate.
The 90-Day Roadmap
Weeks 1-2: Foundation Building
| Day | Focus | Activities | Time |
|---|---|---|---|
| 1 | Setup | Install VirtualBox, download Kali Linux VM, set up your lab journal (use GitHub, Notion, or a simple text file) | 3-4 hrs |
| 2 | Linux Basics | Boot Kali, practice basic commands (ls, cd, cat, grep, find, chmod). Complete Bandit wargame levels 0-10 on OverTheWire | 2-3 hrs |
| 3 | Linux Continued | Continue Bandit wargame levels 11-20. Practice shell scripting basics (variables, loops, conditionals) | 2-3 hrs |
| 4 | Networking | Study TCP/IP model, DNS, and HTTP. Watch Professor Messer's free Network+ videos on these topics | 2-3 hrs |
| 5 | Networking Hands-On | Install Wireshark on Kali. Capture traffic while browsing. Identify DNS queries, TCP handshakes, HTTP requests | 2-3 hrs |
| 6 | Security Concepts | Study CIA triad, authentication vs authorization, encryption basics. Begin Security+ study material (Professor Messer's free videos or a study guide) | 2-3 hrs |
| 7 | Review + Rest | Review notes from week 1. Update lab journal. Rest | 1-2 hrs |
| 8 | Python Basics | Variables, loops, functions, file I/O. Follow Automate the Boring Stuff (free online) chapters 1-4 | 2-3 hrs |
| 9 | Python for Security | Write a script to parse a log file, extract IP addresses, and count occurrences. Use the re module | 2-3 hrs |
| 10 | Networking Deep Dive | Study common ports (22, 25, 53, 80, 443, 3306, 3389). Install Nmap, scan your lab network, interpret results | 2-3 hrs |
| 11 | Security+ Study | Continue Security+ material. Focus on risk management and threat landscape | 2-3 hrs |
| 12 | Hands-On Review | Set up Metasploitable 2 in your lab. Run Nmap scan against it. Document all services found | 2-3 hrs |
| 13 | Community | Create or update LinkedIn profile with security focus. Join 2 security communities (InfoSec Discord, TryHackMe community) | 2 hrs |
| 14 | Review + Rest | Review weeks 1-2. Update skills self-assessment from Chapter 2 | 1-2 hrs |
Weeks 3-4: Core Skills Development
| Day | Focus | Activities | Time |
|---|---|---|---|
| 15-16 | Web Security | Study OWASP Top 10. Set up DVWA in your lab. Complete SQL injection exercises (Low difficulty) | 3 hrs/day |
| 17-18 | Web Security Continued | Complete XSS, Command Injection, and CSRF exercises in DVWA. Study Burp Suite Community basics | 3 hrs/day |
| 19-20 | Network Security | Deep dive into firewalls, IDS/IPS concepts. Configure host-based firewall rules on your lab VMs | 3 hrs/day |
| 21 | Review + Blog | Write your first blog post about something you learned. Publish on LinkedIn, Medium, or a personal site | 3 hrs |
| 22-23 | Security+ Study | Focus on cryptography, PKI, certificates. Understand TLS handshake in depth | 3 hrs/day |
| 24-25 | SIEM Basics | Set up Wazuh in your lab (Chapter 5). Install agents on VMs. Run attacks and observe alerts | 3 hrs/day |
| 26-27 | Cloud Basics | Create AWS free-tier account. Explore IAM, S3, VPC. Study shared responsibility model | 3 hrs/day |
| 28 | Review + Rest | Comprehensive review of weeks 1-4. Update lab journal, update self-assessment | 2 hrs |
Weeks 5-6: Applied Practice
| Day | Focus | Activities | Time |
|---|---|---|---|
| 29-31 | CTF Practice | Start TryHackMe "Complete Beginner" learning path. Complete 3-5 rooms | 3 hrs/day |
| 32-33 | Metasploit | Learn Metasploit basics. Exploit vulnerabilities on Metasploitable 2. Document every step | 3 hrs/day |
| 34-35 | Log Analysis | Practice analyzing Windows event logs and Linux auth logs. Write Python scripts to automate analysis | 3 hrs/day |
| 36-37 | Identity Security | Study OAuth 2.0 and OIDC flows. Trace a real "Sign in with Google" flow with browser dev tools | 3 hrs/day |
| 38-39 | Security+ Deep Study | Focus on identity and access management, incident response, governance chapters | 3 hrs/day |
| 40-41 | CTF Write-up | Complete a TryHackMe room and write a detailed write-up. Publish it as a blog post | 3 hrs/day |
| 42 | Review + Network | Attend a virtual security meetup or BSides event. Connect with 3 new people | 3 hrs |
Weeks 7-8: Portfolio Building
| Day | Focus | Activities | Time |
|---|---|---|---|
| 43-45 | Portfolio Project 1 | Build a Python tool - network scanner, log analyzer, or IOC lookup tool. Push to GitHub with documentation | 3 hrs/day |
| 46-48 | Breach Analysis | Analyze 3 recent breaches using the framework from Chapter 3. Write detailed analysis posts | 3 hrs/day |
| 49-51 | Security+ Intensive | Practice exams. Focus on weak areas. Take at least 3 full practice tests | 3-4 hrs/day |
| 52-53 | Portfolio Project 2 | Build a home lab showcase - document your environment, detection rules, and investigation workflow | 3 hrs/day |
| 54-55 | CTF Deep Dive | Complete more advanced TryHackMe or HackTheBox challenges. Write up 2 more solutions | 3 hrs/day |
| 56 | Review + Rest | Review everything. Ensure all portfolio items are polished and publicly accessible | 2 hrs |
Weeks 9-10: Certification + Career Prep
| Day | Focus | Activities | Time |
|---|---|---|---|
| 57-60 | Security+ Final Prep | Intensive exam preparation. Practice tests daily. Review weak areas | 3-4 hrs/day |
| 61 | EXAM DAY | Take CompTIA Security+ exam | Full day |
| 62 | Recovery + Plan | Rest. Begin outlining your job search strategy | 2 hrs |
| 63-65 | Resume Building | Craft your resume using the format from Chapter 8. Get feedback from 2-3 people in security | 2-3 hrs/day |
| 66-67 | Interview Prep | Practice common security interview questions. Prepare 5 STAR-format stories | 3 hrs/day |
| 68-70 | LinkedIn Optimization | Update LinkedIn with certification, portfolio links, project descriptions. Write 3 LinkedIn posts about your journey | 2-3 hrs/day |
Weeks 11-12: Job Search Launch
| Day | Focus | Activities | Time |
|---|---|---|---|
| 71-73 | Applications | Apply to 5-10 roles per day. Tailor each application. Focus on SOC analyst and security analyst roles | 3-4 hrs/day |
| 74-75 | Networking | Reach out to 5 security professionals for informational interviews or advice. Follow up on earlier connections | 2-3 hrs/day |
| 76-78 | Skills Sharpening | Continue practicing - daily CTF challenges, lab exercises, blog posts | 3 hrs/day |
| 79-80 | Interview Practice | Mock interviews with peers or mentors. Record yourself answering technical questions | 2-3 hrs/day |
| 81-83 | Applications + Content | Continue applying. Write 2 more technical blog posts to maintain visibility | 3-4 hrs/day |
| 84-86 | Advanced Skills | Start studying your specialization area. Begin next certification if appropriate | 3 hrs/day |
| 87-89 | Full Job Search Mode | Applications, networking, interview prep, portfolio updates | 4+ hrs/day |
| 90 | Reflection | Review your 90-day journey. Update self-assessment. Plan next 90 days | 2 hrs |
Resource Checklist
Free Learning Platforms
| Resource | Best For | URL Pattern |
|---|---|---|
| TryHackMe | Guided, structured learning paths | tryhackme.com |
| HackTheBox Academy | Hands-on technical modules | academy.hackthebox.com |
| PicoCTF | Beginner CTF challenges | picoctf.org |
| OverTheWire | Linux and security wargames | overthewire.org |
| CyberDefenders | Blue team challenges | cyberdefenders.org |
| LetsDefend | SOC analyst simulation | letsdefend.io |
| Professor Messer | Free Security+ video course | professormesser.com |
| SANS Cyber Aces | Free intro security courses | cyberaces.org |
| Cybrary | Mixed free and paid courses | cybrary.it |
| Portswigger Web Security Academy | Web application security | portswigger.net/web-security |
Podcasts Worth Your Time
| Podcast | Focus | Why Listen |
|---|---|---|
| Darknet Diaries | True cybercrime stories | Engaging storytelling, real-world context |
| Risky Business | Security news and analysis | Industry pulse, expert interviews |
| SANS Internet StormCast | Daily threat briefings | Short, informative, keep current |
| Security Now | Deep technical dives | Thorough explanations of security concepts |
| Smashing Security | Security news with humor | Accessible, entertaining, covers major stories |
| CyberWire Daily | Daily security news digest | Quick and comprehensive daily update |
| Hacking Humans | Social engineering focus | Understanding the human element of security |
| Blueprint Podcast (SANS) | Career-focused | Advice from security professionals |
Blogs and News Sources
| Source | Type | Best For |
|---|---|---|
| Krebs on Security | Investigative journalism | Deep breach investigations |
| The Hacker News | Daily security news | Staying current on threats |
| Schneier on Security | Analysis and commentary | Security thinking and policy |
| Troy Hunt's blog | Data breaches, identity | Practical security perspectives |
| The DFIR Report | Intrusion analysis | Detailed attack chain breakdowns |
| CISA Advisories | Government alerts | Vulnerability and threat alerts |
| Daniel Miessler's Unsupervised Learning | Curated newsletter | Weekly security digest |
CTF Platforms and Practice
| Platform | Difficulty | Cost | Focus |
|---|---|---|---|
| PicoCTF | Beginner | Free | General security fundamentals |
| TryHackMe | Beginner-Intermediate | Free + Premium ($10/mo) | Guided learning paths |
| HackTheBox | Intermediate-Advanced | Free + Premium ($14/mo) | Realistic machine exploitation |
| VulnHub | All levels | Free | Downloadable vulnerable VMs |
| OverTheWire | Beginner-Intermediate | Free | Linux and programming challenges |
| CTFtime | All levels | Free | CTF competition calendar and archives |
| Root Me | Beginner-Intermediate | Free | Web, network, and system challenges |
Communities to Join
| Community | Platform | Best For |
|---|---|---|
| InfoSec Community | Discord | General networking, Q&A |
| TryHackMe Community | Discord | Study partners, help with challenges |
| Black Hills InfoSec | Discord + Events | Blue team community, free training |
| Antisyphon Training | Discord | Affordable training community |
| r/cybersecurity | Industry discussion, career questions | |
| r/netsec | Technical security content | |
| OWASP Local Chapters | Meetup/Local | In-person networking, web security |
| BSides Events | Conference | Affordable, community-driven conferences |
Progress Tracking Template
Use this template weekly to track your progress. Print it, copy it to a spreadsheet, or keep it in your lab journal.
Weekly Check-In
| Question | Week ___ Response |
|---|---|
| What did I learn this week? | |
| What hands-on practice did I complete? | |
| What did I struggle with? | |
| What will I focus on next week? | |
| Did I publish anything (blog, write-up, code)? | |
| Did I connect with anyone new? | |
| How many hours did I spend this week? | |
| Self-assessment score update (from Chapter 2) |
30-Day Milestones
| Milestone | Target Date | Completed? |
|---|---|---|
| Lab environment fully operational | Day 14 | |
| Linux command line comfortable | Day 14 | |
| Networking fundamentals solid | Day 20 | |
| Python basics working | Day 14 | |
| DVWA exercises completed (Low) | Day 18 | |
| First blog post published | Day 21 | |
| Wireshark comfortable | Day 25 | |
| Cloud free-tier account set up | Day 28 | |
| First CTF rooms completed | Day 30 |
60-Day Milestones
| Milestone | Target Date | Completed? |
|---|---|---|
| SIEM (Wazuh) operational | Day 35 | |
| Metasploit basics comfortable | Day 40 | |
| 3+ blog posts published | Day 45 | |
| First Python security tool built | Day 45 | |
| 3 breach analyses written | Day 50 | |
| Security+ practice tests: 80%+ | Day 56 | |
| GitHub portfolio presentable | Day 55 | |
| 5+ CTF write-ups published | Day 55 |
90-Day Milestones
| Milestone | Target Date | Completed? |
|---|---|---|
| CompTIA Security+ passed | Day 61 | |
| Resume completed and reviewed | Day 65 | |
| LinkedIn optimized | Day 70 | |
| 20+ job applications submitted | Day 80 | |
| 2+ informational interviews completed | Day 80 | |
| Portfolio: 2 tools, 5 write-ups, 5 blog posts | Day 85 | |
| Mock interview completed | Day 80 | |
| Next specialization identified | Day 90 |
Daily Habits That Compound
Beyond the week-by-week plan, these daily habits will accelerate your progress:
| Habit | Time | Why It Matters |
|---|---|---|
| Read one security news article | 10 min | Builds awareness and vocabulary |
| Practice one CLI command you did not know | 5 min | Builds muscle memory over time |
| Update your lab journal | 10 min | Documentation skill + personal reference |
| Engage on LinkedIn or a community | 10 min | Builds visibility and network |
| Review one MITRE ATT&CK technique | 10 min | Builds threat knowledge systematically |
That is 45 minutes per day of micro-habits that compound enormously over 90 days. On top of the focused study blocks in the roadmap above, these habits build the ambient knowledge and professional presence that separate strong candidates from the pack.
What I Wish Someone Had Told Me
I want to close this book the way I wish someone had closed a conversation with me when I was starting out - with the unfiltered truth about building a career in security.
You will feel like an imposter. Everyone does. I have 15 years of experience, five patents, and companies that serve over a billion users, and I still sometimes feel like I do not know enough. The feeling never fully goes away - you just learn to recognize it as a signal that you are growing, not a sign that you do not belong.
The first year is the hardest. The gap between "I am studying" and "I got my first role" is genuinely difficult. You will apply for jobs and not hear back. You will study for hours and feel like you have barely scratched the surface. You will compare yourself to people who seem to know everything. Keep going. The curve is steepest at the beginning, and it flattens out.
Nobody knows everything. The person with the CISSP and 20 years of experience has massive gaps in their knowledge too. They are just better at working around them. Security is too vast for any single person to master. Your goal is not to know everything - it is to know enough to be useful and to know how to learn the rest when you need it.
Relationships matter more than credentials. The people who advance fastest in security are not necessarily the most technically skilled. They are the ones who build strong professional relationships, communicate well, and are known as people who get things done. Invest in your network alongside your technical skills.
Your unique background is an asset. If you are a career changer, your previous experience gives you perspectives that lifelong security people do not have. A nurse who becomes a security analyst brings crisis management skills. A teacher brings communication skills. An accountant brings analytical rigor. Do not hide your background - leverage it.
The industry needs you. 4.8 million unfilled positions. That is not a marketing number. That is real organizations with real security gaps that affect real people. Every ransomware attack that shuts down a hospital, every breach that exposes millions of people's data, every phishing campaign that drains someone's savings - these happen in part because there are not enough security professionals. Your decision to enter this field matters.
Start before you are ready. You will never feel ready enough. The best time to start was a year ago. The second-best time is today. Open a terminal. Spin up a VM. Write your first script. Break something in your lab. Apply for that job. Send that LinkedIn message. The only way to get from where you are to where you want to be is to start moving.
I wrote this book because I believe the biggest barrier to entering cybersecurity is not talent or intelligence or money - it is information. Too many capable people are kept out of this field because nobody showed them the path. This book is my attempt to show you the path. Now it is on you to walk it.
Welcome to cybersecurity. The industry needs you. Let us get to work.
Deepak Gupta is the founder of LoginRadius (customer identity, 1B+ users), GrackerAI (AI-powered security market intelligence), and LogicBalls AI. He holds 5 patents, has 15+ years in security, and is based in the San Francisco Bay Area. Connect with him on LinkedIn or at guptadeepak.com.