roadmap updated 2026-06-01
Security Engineer Roadmap
Build and operate application and infrastructure security programs. Learn vulnerability management, identity and access, cloud security posture, secure SDLC integration, and incident response for security events.
Phase 1 — Beginner
Build foundational security knowledge: networking protocols, cryptography basics, and common vulnerability classes.
Tools: Nmap, Nessus, Wireshark, Burp Suite Community, Metasploit
Phase 2 — Intermediate
Implement security controls across cloud infrastructure, application pipelines, and identity systems; operate a security program.
Tools: Wiz, Prisma Cloud, Okta, Snyk, CrowdStrike
Phase 3 — Advanced
Lead security architecture, design security programs, manage red team/blue team exercises, and drive compliance at enterprise scale.
Tools: Sentinel, Chronicle SIEM, Cortex XSOAR, Wiz, Tanium
The path: Beginner → Intermediate → Advanced
Beginner
Focus: Build foundational security knowledge: networking protocols, cryptography basics, and common vulnerability classes.
Skills to build
- Networking fundamentals: TCP/IP, DNS, TLS/SSL, firewalls
- OWASP Top 10 web application vulnerabilities
- Cryptography basics: symmetric, asymmetric, hashing
- Identity and access management: authentication, authorization, MFA
- Linux security: file permissions, sudoers, SSH hardening
- Vulnerability scanning with Nessus or OpenVAS
- Basic penetration testing methodology (OWASP testing guide)
- Security incident response fundamentals
Tools to learn
- Nmap
- Nessus
- Wireshark
- Burp Suite Community
- Metasploit
- OpenVAS
Intermediate
Focus: Implement security controls across cloud infrastructure, application pipelines, and identity systems; operate a security program.
Skills to build
- Cloud security posture management (CSPM) on AWS/Azure/GCP
- Identity federation: SAML, OIDC, OAuth 2.0, SSO
- Vulnerability management lifecycle and CVE prioritization
- Container and Kubernetes security hardening
- Application security integration in CI/CD (SAST, DAST, SCA)
- Security information and event management (SIEM)
- Zero-trust network design and implementation
- Threat modeling with STRIDE or MITRE ATT&CK
Tools to learn
- Wiz
- Prisma Cloud
- Okta
- Snyk
- CrowdStrike
- Splunk
- AWS Security Hub
Advanced
Focus: Lead security architecture, design security programs, manage red team/blue team exercises, and drive compliance at enterprise scale.
Skills to build
- Security architecture review and threat modeling leadership
- Red team operations and purple team exercises
- Security operations center (SOC) design and SOAR automation
- Compliance frameworks: SOC 2 Type II, ISO 27001, PCI DSS, HIPAA
- Supply chain security and third-party risk management
- Detection engineering: custom SIEM rules and behavioral analytics
- Security program metrics and risk quantification (FAIR model)
- Board-level security communication and risk reporting
Tools to learn
- Sentinel
- Chronicle SIEM
- Cortex XSOAR
- Wiz
- Tanium
- CrowdStrike Falcon
- MITRE ATT&CK Navigator
Interview questions to prepare
- Walk me through how you would conduct a threat model for a new microservice.
- What is the difference between authentication and authorization, and how does OAuth 2.0 address each?
- How would you detect and respond to a compromised AWS IAM credential?
- Explain the principle of least privilege and how you enforce it in a cloud environment.
- What is CSPM and how does it differ from a traditional vulnerability scanner?
- How do you prioritize vulnerabilities when you have hundreds of CVEs to address?
- What is a supply chain attack and how would you defend against one?
- Describe the incident response process you would follow after detecting a data breach.
Certification suggestions
- Certified Information Systems Security Professional (CISSP) — (ISC)²
- CompTIA Security+ — CompTIA
- AWS Certified Security – Specialty — Amazon Web Services
- Offensive Security Certified Professional (OSCP) — Offensive Security
- Certified Cloud Security Professional (CCSP) — (ISC)²
See exam formats, costs and official links in the certification registry.
Free resources
- OWASP Testing Guide
- MITRE ATT&CK Framework
- AWS Security Best Practices
- TryHackMe Learning Platform
- HackTheBox Academy
- Google Cloud Security Best Practices Center
Portfolio project ideas
- Set up a CSPM workflow using Wiz or Prowler to scan an AWS account, triage findings by severity, and remediate the top 10 issues with Terraform
- Build a security-focused CI/CD pipeline for a web application with SAST, SCA, DAST, and container scanning gates integrated with GitHub Actions
- Design and implement a zero-trust access architecture using Cloudflare Access or AWS Verified Access for a set of internal applications
- Create a detection rule in a SIEM (Splunk or Elastic) for a common attack pattern from MITRE ATT&CK and test it with simulated attack data
Mistakes to avoid
- Treating security as a gate at the end of the SDLC instead of integrating it throughout development
- Relying solely on perimeter defenses — assume breach and design internal controls for lateral movement prevention
- Not rotating credentials and access keys — static long-lived credentials are the most common cause of cloud breaches
- Focusing only on technical controls while ignoring the human element — phishing and social engineering bypass most technical defenses
- Underestimating the blast radius of overly permissive IAM roles — audit and right-size permissions quarterly