How I Leveled Up from Help Desk to Cloud Security Researcher

The cybersecurity job market feels brutal right now, especially for newcomers. Companies are cutting back due to high interest rates and expired tax credits, while headlines scream about AI replacing junior talent. This reality is a stark contrast to the promises you might hear from colleges and bootcamps.

I get it. Working the help desk without a degree, I thought my ceiling was basic networking. The idea of becoming a security researcher at a top cloud company, tackling frontier problems in detection research, felt completely impossible.

This post isn't about offering false optimism. It's for those who see the challenges and still want to move forward.

There's no single 'right' path, so I'm not going to prescribe one. Instead, I'll share what I've learned from my own experiences with degrees, certifications, and getting hands-on. My hope is that it provides some direction for your own path and saves you some time.

Degree or No Degree?

College was my biggest early obstacle. My path without a degree was the hard road; getting an interview for a security company was impossible without it, a certification, or experience. I felt stuck, jumping between certifications with no clear direction until a job paid for a basic Cisco cert. That was just enough to land a junior networking role, but it was a slow grind that relied on a lot of luck.

College offers a more structured path. A degree is a key that unlocks doors and gets you past HR filters, but its biggest advantage is access to internships. An internship is a multi-month job interview where you prove your value and build relationships, which de-risks the hiring decision for the company. These programs are open to older students, too. In every organization I've worked for that we've had interns, we often looked there before hiring outside resources.

If you go to college, I strongly recommend a Computer Science degree over a dedicated cybersecurity one. Cyber programs can become outdated quickly, while a CS degree teaches timeless fundamentals of computing and code. That foundation is far more valuable. Supplement it with security clubs and CTF competitions, and you’re building a career launchpad. The exception is a cyber program with a strong internship program and frequent, hands-on labs. Do note, while I recommend a Computer Science program personallly, there are some schools that do over legitimately killer cybersecurity programs, though I feel as they are the exception currently rather than the norm.

Are Certifications Worth It?

People who claim certifications are useless are wrong. I went from zero interviews to landing a few after earning a basic Cisco cert noone had ever heard of, that I don't even remember the name of (not the CCNA). When I got my first GIAC cert, I got an interview for nearly any security job I applied for. The market is tighter now, but certs still show you're serious about learning, especially without a degree.

The landscape has changed. Today, a certificate of completion from a program like Applied Network Defense or Hack The Box impresses me more than a legacy cert because it shows that you're genuinely learning and getting valuable hands on experience. If a course made things click, put it on your resume.

Then there's the elephant in the room: SANS/GIAC courses and certifications. They're often considered the "gold standard" because they're taught by practitioners with a focus on real-world tools. The problem is that course costs have exploded, effectively pricing out most individuals.

Remember, a certification’s main purpose is to get you the interview. With that in mind, well-known certifications from CompTIA, Cisco (like the newer CCNA CyberOps), or for Linux will likely have a bigger payoff than a random course an employer has never heard of. However, if those options are still out of your budget, list what you can do. A completed course that shows you're actively and passionately learning can be just as valuable.

Giving Yourself Something to Talk About

To deepen your understanding of a topic, teach it. Writing a blog post forces you to find and fill the gaps in your own knowledge. A blog or GitHub repository is the best way to publicly showcase your hands-on skills. It’s more powerful to link to a project than to just list a skill on a resume.

In an interview, you can point a hiring manager to your work, show your enthusiasm, and provide concrete evidence of your capabilities. Using GitHub for projects also teaches you Git, an essential skill in modern security. This "Githubification of InfoSec" trend is real, and as a bonus, GitHub Pages gives you a free way to host a technical blog and master a tool employers expect you to know.

Your Resume's Best Friend: The Local Meetup

Attending local security meetups and conferences like a nearby BSides is one of the most valuable things you can do. Knowing someone at a company is the surest way to get your resume past automated HR filters. These events let you find unlisted jobs and see if you mesh with a team's culture.

Don’t feel pressured to attend massive conferences like Black Hat or DEF CON. The local scene, like BSides events and city-specific meetups, are wonderful for networking. If you do attend a major conference, prioritize hands-on participation in the villages over watching talks, which are usually posted online later. The experience you gain in places like the Packet Hacking village is irreplaceable.

Connecting the Dots for the Leap From 'Senior' to 'Researcher'

Later in your career, the focus shifts from certs to what you can do. My turning point was writing detection logic and contributing to open-source projects like Sigma. It forced me to connect theory to practical defense and truly understand how attacks work. Combining that with coding genuinely leveled up my skills.

This leap is fueled by continuous learning. Sometimes a single book makes a difference; for me, it was Intelligence-Driven Incident Response. But reading is only half the battle. You have to be hands-on: spin up VMs, experiment, and read documentation.

A serious caution, though: burnout is incredibly easy in this field. I spent years in an unhealthy cycle of working all day and scrolling security feeds all night, jumping between unfinished projects. A healthier path is possible. Find jobs that provide dedicated learning time. Master one programming language before moving to another. Don't fall into the comparison trap. Many people you see online have access to entire teams and commercial tools, when it seems like they may know everything, it may just be that they can access paid versions of VirusTotal or have access to high quality threat intel feeds (not that this is always the case.) If you're genuinely continuously learning, you will stand out.

Some Final, Honest Thoughts

The main takeaway is this: getting a job is about showing what you can do. You’ll likely need a degree, cert, or prior experience to get in the door, but a knock-out blog post can be a shortcut. Who knows, maybe you'll get lucky and it'll be a huge hit giving you a massive visibility boost. That said, the most effective way to bypass resume filters is to network at local meetups. People hire people they know and like.

I know "just go do all these things" is easier said than done. Life is messy with jobs, kids, and other challenges. If you can only do one thing, attending a local conference is a high-leverage move; one or two good connections can be all you need.

Finally, I have to acknowledge the luck and privilege that shaped my path. I was fortunate that jobs paid for my certifications and conferences, and that I had the time and ability to study. As a white male, I’ve almost certainly benefited from societal biases. It’s a critical truth to own, and I believe acknowledging it is a small but necessary step toward addressing the problem.

Your path will be your own, but I hope my story offers some ideas for the road ahead.