Ignore the giant roadmap infographics
You've probably seen the sprawling cyber security certification roadmap graphics with forty logos connected by arrows in every direction. They're not wrong exactly, they're just useless for planning — nobody needs forty certifications, and most of those arrows don't apply to any single person's actual path. Here's the version I actually give students: three stages, a handful of decision points, and permission to skip branches that don't apply to you.
Stage 1: foundations (0–12 months)
Everyone starts here regardless of eventual specialisation. The goal is vocabulary and a first credential, not depth.
- ISC2 Certified in Cybersecurity (CC) if you're starting from genuinely zero background.
- CompTIA Security+ (SY0-701) as the primary target for most people — the most broadly recognised UK entry credential. Full detail on why and how in is Security+ worth it.
- Alongside either: a basic home lab and one small documented project. This stage is incomplete without something practical to show, not just a certificate.
Stage 2: your first specialisation (year 1–3)
Once you have foundations and, ideally, your first junior role or strong applications going out, pick one direction rather than trying to cover all of them:
- Blue team / SOC analyst path — a hands-on credential like BTL1 for practical proof, then a Microsoft-specific certification if your employer or target roles run on that stack.
- GRC / risk path — fewer purely technical certifications, more focus on frameworks (ISO 27001, NIST) and communication skills; technical depth matters less here than in blue team roles.
- Offensive / pentesting path — a genuinely different track (CEH, OSCP and similar), not something I'll pretend to cover fully here since it's a different skill set from defensive work.
Pick based on what you actually enjoyed in Stage 1's hands-on project, not what looks most impressive on paper — motivation matters more than prestige for getting through the study. I've watched students pick a specialisation because it sounded prestigious, then grind to a halt three weeks in because they had no genuine curiosity about the material. The students who move fastest through Stage 2 are the ones who picked based on which part of Stage 1 actually held their attention, not which certification looked best on LinkedIn.
Stage 3: depth and management (year 3+)
This is where certifications like CISSP enter the picture — not as a first or second step, but once you have several years of real experience and are moving toward management, architecture, or a broader security leadership role. See is CISSP worth it for the full case on timing.
The roadmap as a table
| Stage | Typical timing | Certifications to consider | Primary goal |
|---|---|---|---|
| Foundations | 0–12 months | ISC2 CC, Security+ | Vocabulary + first credential |
| Specialisation | 1–3 years | BTL1, a Microsoft security cert, or GRC-focused study | Practical, role-specific proof |
| Depth/management | 3+ years | CISSP, CISM, or similar | Career progression into leadership |
What I tell students who want to skip stages
Almost every student who's frustrated with their progress has tried to skip Stage 1 or Stage 2 entirely — jumping straight to an advanced certification because it sounds more senior, or trying to specialise before they have any foundational vocabulary. It doesn't work the way people hope. The material assumes context you don't have yet, so you end up memorising rather than understanding, and it doesn't hold up in an interview when someone asks a follow-up question. Go through the stages in order. It's genuinely faster over eighteen months than the shortcut that stalls at month three.
If you're right at the start of Stage 1 and unsure which entry certification fits your background, best entry-level cybersecurity certifications walks through that decision in more depth.
FAQ
How long does the whole roadmap take?
Realistically two to four years from zero background to a solid specialisation with real experience behind it. People chasing it faster than that usually already had relevant experience going in.
Do I need a degree as well as certifications?
No, not in the UK cyber security market specifically — certifications plus demonstrable practical skills carry real weight without a degree, though a relevant degree can still help, particularly for graduate schemes.
Can I specialise in more than one area?
Eventually, yes, but not at the start. Depth in one area gets you hired faster than shallow exposure to three — breadth is something you build after you have your first role, not before.
What if I don't know which specialisation I want yet?
That's normal and expected at Stage 1. The hands-on project you do during foundational study is often the best signal — notice what you gravitated toward and let that guide Stage 2.
Is it a problem to change specialisation partway through?
No, though it costs some time. It's far more common than people admit, and better to switch after a few months of genuine effort than to force yourself through a path that isn't working just because you already started it.
If you want this roadmap turned into a plan with actual dates against your schedule, book a trial lesson and we'll build one around where you're starting from.