Six months is enough time to go from "I do not work in tech" to "I can pass a junior security interview." Not from "I do not own a computer" — you need a baseline of comfort with technology. But from "I am curious and willing to put in the hours," yes.
Here is what those six months should look like.
Month 1 — Linux, networking, and the command line
Security work happens at the command line. If you are not comfortable there, nothing else makes sense. Spend the first month getting fluent.
Tasks:
- Install Ubuntu in a VM or dual-boot. Use it as your primary OS for the month.
- Work through Linux Journey (free) or the OverTheWire Bandit war game (the first 25 levels).
- Learn the networking fundamentals: TCP/IP, DNS, HTTP, ports. Professor Messer's Network+ playlist on YouTube is free and excellent.
- Get comfortable with grep, awk, sed, find, ssh, nc.
By the end of month one you should be able to navigate the file system blindfolded and read network output without hitting Google for every term.
Month 2 — Security fundamentals and Security+ study
Now learn the vocabulary of the field. Most of this is theoretical — terms, frameworks, models. It is boring. It is also non-skippable, because you cannot have a security conversation without it.
Tasks:
- Pick a Security+ study resource — Jason Dion's Udemy course is the most-recommended; Professor Messer's free playlist is a close second
- Cover: CIA triad, asymmetric vs symmetric crypto, threat models, common attack vectors, network defence concepts
- Start TryHackMe — work through the "Pre-Security" and "Intro to Cyber Security" paths
- Read the SANS Reading Room — pick three papers on topics that interest you, finish them
Month 3 — Hands-on with TryHackMe and HackTheBox
Theory only takes you so far. By month three you should be solving real boxes — virtual machines deliberately set up with vulnerabilities for you to find.
Tasks:
- Complete the TryHackMe "Complete Beginner" path
- Move to HackTheBox starting point machines once you have the basics
- Document every box you solve — even brief notes. Future you (and interviewers) will care.
- Start a public blog or GitHub for write-ups. Use pseudonyms for active vulnerabilities; full names are fine for published CVEs.
You will get stuck. That is the point. The skill being trained is "what do I do when I am stuck." Senior security engineers are very good at this.
Month 4 — Specialise: red team or blue team
By month four you should have a feel for which side of the field interests you more. Red team is offensive — penetration testing, vulnerability research. Blue team is defensive — SOC analyst, threat hunting, incident response. The Nigerian job market is currently stronger for blue team entry roles, but red team is what most beginners think they want.
If you pick blue team:
- Set up a small home lab — Security Onion or Wazuh
- Learn to read Sysmon logs, Windows event logs, Linux audit logs
- Practice with Splunk Free or the ELK stack — you will use one of these on the job
- Pivot TryHackMe to the SOC analyst path
If you pick red team:
- Work through PortSwigger's Web Security Academy — free and outstanding
- Move TryHackMe / HackTheBox to harder boxes
- Start eJPT or PNPT study if budget allows
- Learn Burp Suite (community edition) fluently
Month 5 — Take and pass Security+
Schedule the exam early in the month. The deadline forces you to finish. The exam is at most three weeks of focused review if you have been working through months 1–4.
In parallel, start applying to internships and SIWES placements if you are a student. Even unsuccessful applications give you feedback on how your CV reads.
Month 6 — Apply, interview, iterate
The first month of applications will feel like nothing is working. Then suddenly something will. Until then:
- Apply to 5 roles a week. Track each.
- Have someone in the field review your CV. Communities help here — local Discord and LinkedIn groups.
- For every interview that does not lead to an offer, ask for one piece of feedback. Most won't answer; some will.
- Keep working through boxes. Your problem-solving muscle is what interviewers will test.
What to expect from interviews
A junior security interview typically tests:
- Networking fundamentals
- Basic Linux command line
- Recognition of common attack patterns
- How you respond when shown an unfamiliar tool — do you ask sensible questions, or freeze?
- A scenario question — "you see this alert at 2am, what do you do next?"
There are no surprise math questions, no leetcode-style algorithm problems. The job is judgment under uncertainty, and that is what they are checking for.
A note on the timeline
Six months is the floor, not the average. Some people land roles at month four. Most take eight to twelve. A few take longer, especially if they are job-hunting alongside other obligations. The plan is the plan; the job market is the job market.
