Hands-on Experience and Self-study - Orion Cyber Knowledge Base

# The Importance of Hands-on Experience in Cybersecurity Cybersecurity can almost be thought of as a trade. Because of this, the more *actual* experience you have *doing* the tasks related to the job, the more you prove your competence which will boost your desirability come hiring time. ## How can I get experience when I can't get a job that gives experience? This is a very, very important question to answer. Oftentimes for junior and entry level roles, you'll see things like - Requires a Bachelor's or Master's degree in computer science or related field - Requires 5+ years of experience - Requires CISSP certification - Requires CEH certification or any other combination of ridiculous requirements for an *entry level* position. Despite this, many job postings aren't *actually* going to get these requirements in candidates. The individuals who hold that level of experience will be making six-figures and certainly will not be considering themselves entry level. This comes from a major disconnect between recruiters, hiring managers and qualified talent pools. There's a lot of good content talking about this on [Josh Fullmer](https://www.linkedin.com/in/josh-fullmer/) and [Naomi Buckwalter's](https://www.linkedin.com/in/naomi-buckwalter/) LinkedIn profiles. Josh is an incredible cybersecurity recruiter that I, and many others, have been following for quite some time. I encourage you to follow them for some of the most insightful information about the difficulties surrounding the hiring process for cybersecurity professionals. The solution to "needing experience without having experience" starts by how we classify "experience". A lot of people disqualify what they do on a daily basis from being experience because it's not *paid* experience or it wasn't gained from a cybersecurity position. Here are some things that *can* and *should* be counted as experience on your resume, provided you can explain how they align with providing value to the company during an interview: - ### Things you do in your [[home lab]] > If you stand up an Active Directory server, set up a self hosted web app, build and self host your own website, configure firewall rules, setup VLANs or anything else that directly shows you have a desire to learn and take initiative, this should be listed as experience. If you find things that stick out in job listings that you could replicate and get experience with in your home lab environment, that's even better. If a job description asks for experience with [Splunk](https://www.splunk.com/en_us/data-insider/what-is-siem.html) and you have on your resume that you've completed [Boss of the SOC](https://www.splunk.com/en_us/blog/security/what-you-need-to-know-about-boss-of-the-soc.html) challenges, you're going to be favored over other candidates. Having a home lab gives you some of the best experience you can get, outside of actual employment in the field. - ### [[Cyber Range]] practice >Getting familiarized, then diving head first into challenges on [TryHackMe](https://tryhackme.com/), [Blue Team Labs Online](https://blueteamlabs.online/), [LetsDefend](https://letsdefend.io/) and other cyber ranges is one of the best ways to gain hands on experience. - ### Additional security-related tasks at your job > If you already work in IT, a great way to get experience without necessarily being in a security role is to volunteer to do security related tasks. Ask if you're able to shadow someone from the security team, in hopes of furthering your skillset or maybe even ask if you're able to assist with security related work. - ### Hands on certification training > Some of the best packaged cybersecurity training you can get comes from the [Blue Team Level 1](https://securityblue.team/why-btl1/) and [Certified CyberDefender](https://cyberdefenders.org/blue-team-training/courses/certified-cyberdefender-certification/) courses and exams. If financially feasible, I would highly recommend these certifications to anyone looking to become a cybersecurity analyst, due to the breadth of relevant information you'll learn and practical labs/training you will complete that can later act as a talking point in interviews. You can learn more about the Blue Team Level 1 exam in my [review](https://arionmartin.medium.com/blue-team-level-1-the-golden-standard-for-defensive-cyber-training-5b3db7c1700e).