project: unknownMission Request
← Back to Insights
Insights10 min read

The 10 Levels of Learning Cybersecurity

Learning cybersecurity is a beautiful journey that begins with "hackers are cool" and ends with you explaining DNS to a friend using a napkin, three arrows, and the thousand-yard stare of someone who has seen too many misconfigured servers.

From the outside, cybersecurity looks glamorous. Hoodies. Terminals. Neon lights. Fast typing. Illegal-sounding words used legally.

From the inside, it's more like:

  • "Why is this printer talking to Russia?"
  • "Who gave this intern admin rights?"
  • "Why does this legacy server still exist?"
  • "Please stop clicking things, Karen."

If you're learning cybersecurity, you've probably moved through some version of these 10 levels.

Level 1: "I'm Basically a Hacker"

Also known as: Watching two documentaries and becoming unbearable

This is where it starts. You watch a few videos, maybe a Netflix documentary, maybe a YouTuber with dramatic background music, and suddenly you know things.

You say words like: dark web, breach, exploit, zero-day.

You do not fully know what they mean, but you say them with confidence, and that's what matters.

At this level, you believe:

  • Every hacker wears a hoodie
  • Typing faster increases attack success by 40%
  • Green text on a black screen is a skill
  • Using a VPN makes you invisible to governments, corporations, and possibly ghosts

Your actual cybersecurity knowledge is 14 percent facts and 86 percent vibes.

Still, this stage matters. Curiosity is the gateway drug.

Level 2: "I Installed Kali Linux, So Things Are Getting Serious"

Also known as: The sticker-on-laptop phase

This is a major milestone. You install Kali Linux — or think very hard about installing Kali Linux, which is basically the same thing emotionally.

You now feel powerful. Dangerous, even.

You open the terminal and experience one of two outcomes:

  1. You run a cool command and feel like a genius.
  2. You break Wi-Fi and spend three hours wondering if you've joined Anonymous.

At this stage, cybersecurity is still mostly aesthetic. You are assembling an identity.

You may also begin collecting:

  • Browser tabs you'll never finish
  • GitHub repos you don't understand
  • Screenshots of terminal windows for no operational reason
  • A concerning number of opinions about operating systems

This is not learning. This is cosplay with command-line tools. But it's a start.

Level 3: "Wait, This Is Mostly Networking"

Also known as: Your first real betrayal

This is the first emotional turning point.

You came here to learn hacking. Instead, the internet hands you:

  • IP addresses
  • Subnets
  • DNS
  • Ports
  • Protocols
  • Routing
  • TCP vs UDP
  • Wireshark screenshots that look like alien tax forms

And you realize something deeply rude: cybersecurity is built on understanding how computers, networks, and applications actually work.

You cannot secure what you do not understand.

This is very upsetting, because "understand networking" sounds a lot less fun than "become cyber ninja."

But it's true. A shocking amount of cybersecurity is just:

  • Knowing what normal looks like
  • Noticing when something weird happens
  • Figuring out whether the weird thing is evil or just Microsoft being Microsoft

Level 4: "I Know Enough to Be Confused Properly"

Also known as: The enlightenment of structured suffering

At this stage, you've learned enough basics to become dangerous in a very limited and mostly theoretical way.

You now understand: what a vulnerability is, what an exploit is, what malware is, what phishing is, what authentication does, why patching matters, why public Wi-Fi makes people say dramatic things.

You also discover that every answer in cybersecurity leads to five new questions.

"What is a firewall?" Easy.

"What kind of firewall?" Okay.

"How is it configured?" Hmm.

"What traffic should it allow?" Depends.

"Why is it allowing that?" No one knows. Greg set it up in 2018 and left the company.

This is a hard level because your ignorance becomes more detailed. You no longer know nothing. You now know exactly which parts you don't know, which is worse.

Level 5: "I Can Run the Tool"

Also known as: Copy, paste, pray

Congratulations. You have met the tools.

You've probably touched some combination of: Nmap, Wireshark, Burp Suite, Metasploit, Splunk, Nessus, Linux commands copied from a forum post written by a wizard in 2016.

This is exciting because tools make you feel productive. You run a scan. Packets fly. Ports open. Results appear. You whisper, "Interesting," as if you understand all of it.

Then someone asks, "Why did the scan return that result?" and you experience spiritual evacuation.

This level is where many people get stuck. They know how to use the tool, but not what the tool is doing. That distinction matters.

  • Running Nmap does not mean you understand networks.
  • Using Burp does not mean you understand web security.
  • Opening Wireshark does not mean you understand packets.

It mostly means you have opened Wireshark, which honestly is already visually intimidating enough.

Level 6: "Oh No, Security Is Mostly People"

Also known as: The human misconfiguration era

This is where cybersecurity stops being purely technical and starts becoming psychological.

You realize a painful truth: the biggest vulnerability in many environments is not the firewall, the server, or the software.

It is Greg. And Karen. And Steve from finance. And sometimes you.

Because people:

  • Reuse passwords
  • Click links
  • Ignore warnings
  • Share secrets in chat
  • Approve MFA prompts they didn't request
  • Plug mystery USB drives into work devices like they're accepting side quests

At this stage, you stop thinking "users are stupid" and start thinking "systems should be built for reality."

That's real maturity. Because good security is not built for perfect people. It is built for normal, distracted, overworked, coffee-dependent humans who have 19 tabs open and one functioning brain cell before lunch.

Level 7: "Everything Is a Tradeoff"

Also known as: The loss of innocence

This is where you become less dramatic and more useful.

A beginner says: "Just lock everything down."

An experienced person says: "Okay, and would you also like the company to stop functioning?"

Security is full of tradeoffs:

  • Security vs convenience
  • Visibility vs privacy
  • Speed vs review
  • Access vs control
  • Budget vs literally everything else

You start to understand why companies don't "just patch everything." Sometimes patching breaks production. Sometimes old systems run critical operations. Sometimes the application is held together with hope, undocumented dependencies, and one script named final_v2_REAL.sh.

You also learn that compliance is not the same as security. A company can be extremely compliant and still one bad Tuesday away from disaster.

This level is less exciting, but it's where real professionals are made.

Level 8: "Specialization Hits You Like a Truck"

Also known as: The field is bigger than your ego

At first, cybersecurity feels like one big topic. Then you realize it contains entire universes:

  • Penetration testing
  • Security operations
  • Digital forensics
  • Incident response
  • Threat intelligence
  • Cloud security
  • Application security
  • Governance, risk, and compliance
  • Identity and access management
  • Malware analysis
  • Security engineering

This is the stage where you stop saying "I want to learn cybersecurity" like it's a single thing and start saying: "I think I like cloud security" or "web app security seems fun" or "forensics is cool, apparently I enjoy pain."

This is healthy. Because nobody learns all of cybersecurity. That would be like trying to master medicine, law, aviation, plumbing, and psychology because they all involve humans and consequences.

Pick a lane. You can always expand later. But for now, choose your flavor of stress.

Level 9: "I Speak Fluent 'It Depends'"

Also known as: The annoying but correct stage

This is a true professional milestone.

At Level 9, every answer becomes:

  • It depends
  • We should verify
  • What's the context
  • What are the assumptions
  • What's the business impact
  • Are we sure that's the root cause

To outsiders, you sound deeply irritating. To insiders, you sound competent.

Because cybersecurity is full of conditional truth.

Is this vulnerability critical? It depends.

Is this architecture secure? It depends.

Should we block that traffic? It depends.

Is this alert malicious? It depends.

Should Greg still have admin access? No. That one is actually easy.

This level is where your confidence becomes quieter and your thinking becomes sharper. You stop performing expertise and start practicing it.

Level 10: "The More I Learn, the Less I Pretend"

Also known as: Actual wisdom, with caffeine

This is the highest level, and the weirdest one.

You've learned a lot. You've built real skills. You've probably solved real problems. But instead of becoming louder, you become more honest.

You say things like:

  • "I don't know yet."
  • "I need to test that."
  • "That's one possible explanation."
  • "Let's confirm before we panic."
  • "This control reduces risk, but it won't eliminate it."

And ironically, this is when people should trust you the most.

Because real competence in cybersecurity is not pretending to know everything. It's knowing how to think, how to investigate, how to communicate uncertainty, and how not to turn every issue into a theatrical crisis.

You also gain one final superpower: you can explain complicated security concepts without sounding like a LinkedIn post written by a firewall.

That's when you know you've made it.

What These Levels Actually Teach You

Under the jokes, the path usually looks like this:

  1. You get interested.
  2. You get humbled.
  3. You learn fundamentals.
  4. You touch tools.
  5. You discover people are chaos.
  6. You realize business constraints are real.
  7. You specialize.
  8. You become cautious, precise, and slightly allergic to overconfidence.

That is growth.

Cybersecurity is hard because it sits at the intersection of technology, behavior, systems, incentives, and constant change. You are not just learning commands. You are learning how computers fail, how people behave, and how organizations make messy decisions under pressure.

Which, honestly, is very rude of the field.

How to Level Up Without Losing Your Mind

Learn the fundamentals first. Networking, operating systems, web basics, authentication, and scripting will carry you much farther than jumping straight into flashy tools.

Practice in labs. Do safe hands-on work where failure is expected. Break things. Fix them. Break them more intelligently.

When you use a tool, ask what it's doing underneath. Don't just memorize commands. Understand the traffic, the assumptions, and the output.

Pick a focus area. "Cybersecurity" is too broad to attack all at once, unless your learning strategy is panic.

Write about what you learn. Notes, blog posts, walkthroughs, tiny explanations. Nothing reveals confusion faster than trying to explain something clearly.

And please, for the love of all secure configurations, do not compare yourself to the loudest person online. Some people are brilliant. Some are performative. Some are both. The internet does not label them for your convenience.

Final Thoughts

The 10 levels of learning cybersecurity are not neat or linear. You will bounce around. One day you'll understand TLS and feel unstoppable. The next day you'll stare at a cloud IAM policy like a Victorian child seeing an escalator for the first time.

That's normal.

If you are at Level 2, good. If you are at Level 5, keep going. If you are at Level 9, congratulations on becoming professionally incapable of giving a one-word answer.

And if you are at Level 10, you already know the truth:

Nobody ever fully finishes learning cybersecurity. We just get better at being confused in more useful ways.