Defensive / SOC → Detection Engineer
The realistic on-ramp into security. Defensive, structured, hireable. Biased toward SOC-stack certs. NOT CISSP.
Phased progression
Foundations → first role → specialisation → advanced. The realistic order, not a script.
- 010–6 monthsFoundations
Literacy, lab habits, the cert that opens first conversations.
Security+ - 026–18 monthsFirst paid role
Land a Junior SOC Analyst (Tier 1). Operational time, not more certs, earns the next move.
Junior SOC Analyst (Tier 1)$60–95k entry - 031.5–3 yearsSpecialisation
Add a specialist credential aligned to the work you're already doing.
CySA+Splunk Core Certified User$95–135k mid - 043+ yearsAdvanced
Move into adjacent roles. Long-term credentials become worth their cost.
Detection EngineerGCIA$95–135k mid
- 01Foundations0–6 months
Literacy, lab habits, the cert that opens first conversations.
Security+ - 02First paid role6–18 months
Land a Junior SOC Analyst (Tier 1). Operational time, not more certs, earns the next move.
Junior SOC Analyst (Tier 1)$60–95k entry - 03Specialisation1.5–3 years
Add a specialist credential aligned to the work you're already doing.
CySA+Splunk Core Certified User$95–135k mid - 04Advanced3+ years
Move into adjacent roles. Long-term credentials become worth their cost.
Detection EngineerGCIA$95–135k mid
Certification sequence
Ordered by realistic relevance, not vendor marketing.
Practical projects
What to actually build, the portfolio that opens interviews.
- Home SIEM with Wazuh or Sentinel + Sysmon
- Author 5 Sigma rules with documented detections
- Phishing triage playbook end-to-end
- ·GRC route (lower technical bar)
- ·Cloud route then pivot to cloud security
Realistic expectations
What no recruiter will tell you.
That stacking certifications shortcuts the timeline. It doesn't. Operational time and a public portfolio are what compress the path.
8–14 months to first role is the realistic time to the first role on this route. Most people overshoot by 6–12 months. Plan for it; don't panic when it happens.