From Classroom to HackTheBox: My Journey Through Cybersecurity Degree, Certifications, and the Power of Practical Experience

Cybersecurity Journey
Information Technology
Published on May 27, 2025 | 12 min read #
🏷 Cybersecurity HackTheBox TryHackMe CyberSec Tips

Table of Contents


Introduction

Quick note before we begin, I am an aspiring offensive security professional with a growing portfolio of certifications and hands-on experience, particularly through platforms like INE (formally known as eLearnSecurity), TryHackMe and HackTheBox. While I have made significant progress in my learning journey, I am still early in my career. This review reflects my personal experiences and observations so far, and I highly encourage readers to consider multiple perspectives when planning their own cybersecurity education paths.

This topic is important because many newcomers to cybersecurity face the same dilemma: Should I pursue a degree, stack certifications, or dive straight into practical experience? Will I land a job by the end of my studies? In this blog, I’ll share how all three, classroom learning, professional certifications, and platforms like TryHackMe, HackTheBox, INE and many more out there can be leveraged to build a well-rounded foundation. Whether you’re just starting out or looking to level up, I hope my insights offer some clarity and direction.

The Traditional Route: Cybersecurity University Degrees

Below are 2 overview tables highlighting pros, cons and job readiness offers by a Cybersecurity degree. There are several other points that I might not mention in the tables but again keep in mind that each University has its own curriculum. As such, I can’t pronounce myself much on the curriculum, however based on common statistics and patterns, the below tables can be taken into consideration.

Category Relevant Details
What Degree Offers?
  • Structured curriculum covering computer science and cybersecurity fundamentals
  • Strong theoretical foundation (e.g., networking, OS, cryptography)
  • Academic & professional networking opportunities (peers, faculty, events)
Pros
  • Recognized by employers (especially corporate/government roles)
  • Teaches broad tech concepts beyond just security (teamwork, leadership)
  • Access to internships, research, and graduate programs
  • Builds discipline, academic writing, and problem-solving skills
Cons
  • Often lacks practical, hands-on training
  • May not reflect current industry tools or attack methods
  • Can be expensive and time-intensive
  • May only lightly cover security-specific content
Cybersecurity Degree Overview
Preparation for Real-World Cybersecurity Roles
Offensive Security (e.g. Penetration Tester, Red Teamer)
  • Limited practical exposure
  • Theory helps (e.g., OS internals, networking), but hands-on skills must be learned outside (HackTheBox, TryHackMe, VulnLab, etc.)
Defensive Security (e.g. SOC Analyst, Threat Hunter, Blue Teamer)
  • Slightly more aligned (especially for SOC, IR, GRC roles)
  • Still needs labs, internships, and tools like SIEMs for practical knowledge
Cybersecurity Role Preparation

Overall, a degree is a great starting point, but not enough on its own. A well structured curriculum combined with hands-on practice, certifications, and self-learning to be job-ready is the best approach. By the time of writing this blog (May 2025), I have an on-going subscription on HackTheBox where I have been actively learning for over a year and half after a good 6 months of grinding on TryHackMe.

Certifications: Focused, Practical, and Industry-Recognized

The “Golden Standards” Widely Recognized

  • OffSec → Consider the gold standard and known for hardcore hands-on exams like the OSCP, OSEP, OSWE, OSCE and beyond.
  • CREST → CREST certifications are highly practical, industry-driven, and often essential for senior technical roles. In fact, CREST has a strong emphasis on formal industry standards and company accreditation.
  • GIAC (SANS Institute) → Premium-priced but extremely well-respected, their certs like GCIH, GPEN, and GCIA are staples in large enterprises and government roles.
  • EC-Council → CEH is popular and often requested in job listings. However, it’s often criticized for being outdated. Note that there is CEH and CEH(Practical).
  • CompTIA → Ideal for those starting out but also great stepping stones for junior to mid-level roles.

Technical & Practical-Focused Certifications

  • HackTheBox → Rigorous and reflect real-world TTPs, they are great for red teamers and SOC analysts alike. Check out HTB Academy & ProLabs for more details.
  • INE (formally known as eLearnSecurity) → Very hands-on and respected in the PenTesting community providing both Red and Blue Team Certifications. Shoutout to Sir Alexis Ahmed and other instructors for turning every moment of learning into something meaningful and rewarding.
  • TCM Security → Affordable, practical, and community-driven provider known for its flexibility in granting lifetime vouchers and certifications.
  • Altered Security → Known for Active Directory exploitation training ranging on various levels. Do check them out if you are serious about AD PenTesting and Red Teaming.
  • ZeroPoint Security → Known for their famous CRTO and CRTL Certifications, it’s very hands-on and focused on C2 infrastructure, AV evasion, and real TTPs. Checkout MITRE ATT&CK for more details on Tactics, Techniques, and Procedures (TTP).
  • SecurityBlueTeam (AKA SBT) & CyberDefenders → Excellent for those on the defensive side. Moreover, certifications like BTL1, CCD and BTL2 are ideal for those looking to go beyond just theory. Review My Journey Through BTL1 from Shanuka Samarasinghe (AKA Shan) for more insights.
  • TryHackMe → Recently launched their first certifications, SAL1 and PT1. Look up reviews online to learn more about each one.
  • CyberWarFare Labs → Offers affordable but highly technical certs worth reviewing. They cover wide range of domain such Blue Team, Purple Team, Red Team, and Cloud Security.
  • SecOpsGroup → Provides affordable exam vouchers worth exploring if you are on a budget.
  • Hacktricks → Learn everything about Cloud Hacking from Hacktricks. I haven’t personally enrolled to any course, hence can’t comment on them.
  • More valuable bodies include WhiteNightLabs, WifiChallenge, MobileHackingLab, ArcX and APISec University focused on specific areas of the field.

Note: Certifications such as OSCP, CEH, PNPT, and PenTest+ are often listed as entry-level job requirements for PenTesters. Believe it or not HTB CPTS is gradually becoming gold standard for Junior PenTesters. For Blue Team or SOC enthusiasts, some job ready certifications such as HTB CDSA, BTL1, CCD or PSAA would be suitable. Lastly, Security+ is applicable for any entry-level role (of course it depends on the specific target role requirements as well).

There’s no “one-size-fits-all” when it comes to certs. It depends on your goals, resume visibility, deep hands-on skills, or affordability. Feel free to choose what align best with your career path. Dive into Security-Certification-Roadmap to find out more about Cybersecurity Certifications.

Cybersecurity Degree or Certifications, Which one to choose?

Now comes the big question, should I focus on pursuing a Cybersecurity degree or invest in Certifications? Below is a quick summary table that I believe would give an overview of key differences between both hence help you decide.

Additionally, as you’re reading this, you probably came across Job Role such as Red Teamer, Threat Hunter, Malware Analyst, SOC Analyst and so forth. Worry not, I also had no idea about either of these role when I first started. Hence, do review 20-coolest-cyber-security-careers from SANS Institute to learn more about Cybersecurity Careers. Please do keep it mind that YOU DO NOT NEED a GIAC or OffSec certification to get started in Cybersecurity (no offense to the giants).

Aspect Cybersecurity Degree Cybersecurity Certifications
Duration 2-4 years (undergrad), longer for advanced programs Weeks to months
Cost High (up to tens of thousands) Varies based on Vendors and Certs
Scope Broad, theoretical, foundational Specialized, practical, skill-focused
Career Outcomes Leadership roles, broad job opportunities Mid-level roles, niche expertise
Learning Style Structured, academic Hands-on, exam-focused
Flexibility Less flexible, fixed schedule More flexible, self-paced options
Employer preference Preferred for management and research roles Value for specific technical skills
Degree vs Certifications Comparison

Below are few considerations to take into account while choosing where to invest your time, money and resources.

  • If you seek broad knowledge, leadership roles, and comprehensive education, a degree is more suitable. Think of it like looking at the bigger picture and having an overall understanding of core key concepts.
  • If you want quick entry, specialization, or to supplement existing knowledge, certifications are ideal. Once again, I would prioritize hands-on certifications over MCQs even though both require in-depth knowledge of the target domains.
  • Despite the above, many professionals combine both to balance theory and practical skills, enhancing employability and adaptability. In my humble opinion, there is no such thing as practical skills without theory, therefore a mix of both is the best possible approach.

Practical Hands-On Experience: The Game Changer

No amount of theory can ever replace the value of hands-on practice. Platforms like HackTheBox, TryHackMe, and INE’s labs have been instrumental in helping me build real-world offensive security skills. These environments simulate actual assessments and challenge you to think outside the box making it useful for real-world scenarios.

I won’t really dive much into each CTF platform individually, so feel free to explore the Top-10-Best-CTF-Platforms-2024 from Open Security Labs and Best-CTF-platforms-for-cybersecurity-skills by the Cyber Express covering the top CTFs Platforms to master Cybersecurity.

I would always recommend my all time favorite HackTheBox as the methodology utilized takes students out of their comfort zone making it invaluable. Moreover, if you’re serious about improving your skills, HTB Academy & Labs is one of the best place to start. Remember, self-learning and persistence leads to tangible skill growth.

Finding the right balance between academic coursework, certifications, and hands-on labs can be challenging, as it demands a high level of dedication and discipline. As such, prioritization is key to staying organized and making consistent progress. For instance, at the start of each semester, I would allocate more time to platforms like HackTheBox and pursue certifications such as eJPT, CBBH, and CPTS. As the semester progressed and academic demands increased, I would gradually adjust my focus to align with coursework deadlines and workload.

Relevant Foundational Skills to Guide Your Cybersecurity Career Path

Despite the number of certifications and hands-on platforms, it’s essential to recognize the core technical and soft skills that can guide your journey in cybersecurity. These are not always taught directly in certification programs, but often make a huge difference in both your growth and job readiness.


  1. System Administration (Windows & Linux)

    2. Foundational to nearly all areas of cybersecurity, an individual with SysAdmin expertise knows how operating systems start, run, and fail. Additionally, you understand processes, services, permissions, and privilege escalation paths, which are crucial when dealing with hardened systems. On top of that, managing users, groups, file permissions, systemd/init, networking are also core skills mastered by SysAdmin.

    How does these skills help in career choices:

    • Red Team: abusing processes, permission, performing privilege escalation, persistence, even pivoting and tunneling.
    • Blue Team: hardening system, log collection, and patching.

    Certificates to look into are RHCSA/RHCE (Linux), LPIC-1, Windows Server Admin, Microsoft SC-900, SC-200. I covered everything on Linux-based resources in my previous blog HERE.

  2. Programming & Scripting

    3. Mastering programming and scripting enables CyberSec enthusiasts to go beyond simple certifications and exploitations, they learn automation, tool development, and exploit analysis. Below is a list of programming languages and why they are useful.

    Note: I recommend checking the official documentation for each language listed below, and combining it with any other resource to learn/master it

    • Python → Useful for scripting, automation, recon tools, exploit writing.
    • C/C++ → Master theses if you’re interested in binary exploitation, buffer overflows, malware development. Check out MalDev Academy if you’re interested in malware analysis or exploit development.
    • Go / Rust → Known for their speed and robustness, Go and Rust are modern malware and cross-platform tools (lightweight & compiled). I am currently learning both and aiming to develop a C2 in the future.
    • PowerShell / Bash → These are native scripting for Windows/Linux ops and attacks.
    • Why it’s useful:
      • Red Team: Exploit writing, malware development.
      • Blue Team: automation, log parsing, SIEM integration.
  3. Web Development & WebApp Security

    4. Understanding how apps are built helps break or defend them. In fact, mastering HTML, CSS, JavaScript, basic Node.js, PHP and databases (SQL, PostgreSQL, Mongo/Maria) can be a great asset. Moreover, frameworks such as Django, React, Express sharpen our understanding of logic flaws and bypasses.
    Use Cases

    • Web App Pentesting (XSS, SQLi, SSRF, etc.) and Bug bounty hunting. HTB CBBH & CWEE Learning Paths as well as THM WebApp Pentesting covers everything you need to know.
    • DevSecOps → Securing SDLC pipelines

    TheOdinProject takes you from Zero to Hero in WedDev if you are ever interested in learning how to build a web app from scratch.

  4. Cloud Platforms and Security

    5. With the growing technology, keep in mind that everything is moving to the cloud, so will security. Having fundamental knowledge or expertise can sharpen your way into Cloud-Security. Some core skills include:
    Core Skills

    • AWS, Azure, GCP basics (IAM, S3, EC2, Lambda, VPC)
    • Cloud IAM, roles, misconfigurations (over-permissive roles, public buckets) and cloud logging and threat detection.

    Some notable certs include AWS Cloud Practitioner, Azure Fundamentals, or even CCA (Practical). You may also check out the eJPT + ICCA bundle from INE.

  5. Networking and Network Security

    6. Cybersecurity starts with the wire, hence understanding TCP/IP scheme, most common used ports, mastering tools such as wireshark, tcpdump, nmap, netcat, and so on helps understand protocol weaknesses and how packets are being forward from one endpoint to another. Learn more on OSI Model and TCP/IP from GeeksforGeeks.
    Use Cases

    • Blue Team: Traffic/PCAP analysis, NIDS tuning, alert triage
    • Red Team: Scanning, pivoting, lateral movement and so forth.

    The learning path might be different based on your learning style, however certifications such as CCNA, CCNP, or any other networking related can be a game-changer.

  6. Cryptography Fundamentals

    7. It’s essential to understand secure communication, encryption, and cracking. In fact, symmetric/asymmetric encryption, hashing, digital signatures, TLS, certificates, steganography and crypto attacks are common topics in the field. This is essential as it applies in Application Security (or AppSec for short), protocol analysis, CTFs and forensic challenges.

  7. Soft skills (Yes Seriously)

    8. This is often overlooked, but crucial for long-term growth. By this, I don’t mean being capable of entertaining basic conversation, it goes way beyond. The key factors here go as such:

    • Report writing → clear, structured, technical + non-technical
    • Communication → explaining risks to non-tech people
    • Time management & documentation
    • Curiosity and continuous learning mindset

    This is applicable to any cybersecurity professional out there.

The Do’s and Don’ts: Tips for Aspiring Cybersecurity Professionals

âś… Dos

  1. Learn and master the basics
    2. Before diving into advanced tools or frameworks such as Nessus or Wazuh, make sure you truly understand how systems, networks, and protocols work. Solid foundations in Linux, networking, and OS internals will take you further than any automated tool ever will.

  2. Commit to continuous learning
    3. Cybersecurity is a fast-moving field. What works today might be obsolete tomorrow. Always keep learning whether it’s a new technique, framework, or certification. As surprising as it may sounds, I still do revisit previous modules from TryHackMe and HackTheBox to help me refresh some knowledge.

  3. Balance theory and hands-on practice
    4. Reading about privilege escalation is one thing, actually performing it in a lab is another. Labs like Hack The Box, TryHackMe, or even self-made VMs are excellent practice grounds. By the time of writing this (May 2025), I am undergoing Local Privilege Escalation Skill path from HackTheBox and believe it or not, what you learn from the Academy is far different from some techniques used in the labs. Watch, read, then do, matter of fact, adopt your own methodology if applicable.

  4. Build your network
    5. Connect with like-minded individuals online or in person. Join communities, attend webinars, CTF competitions, talk to people at conferences or even LinkedIn. You’ll be surprised how many opportunities come from a simple conversation.

  5. Document your journey
    6. Take notes, write blogs, record your progress even if it’s just for yourself. Over time, this builds into a valuable knowledge base that can help compare the changes and see how much you have learned and become better. Additionally, sharing your journey might also inspire someone else, lead to mentorship or collaboration opportunities.

❌ Don’ts

  1. Don’t rely solely on one learning path
    2. Completing a learning path (like TryHackMe or HTB Academy) is great but don’t stop there. The main idea here is not just completing the paths but rather understanding key methodologies, techniques utilized and therefore going beyond.

  2. Don’t neglect soft skills
    3. Communication is just as important as technical skill. Whether you’re explaining findings to a client or reporting to a SOC team, the ability to clearly articulate your thoughts is vital. Growing up I thought Cybersecurity was all about running scripts and popping shells, I learned the hard way that writing, speaking, and active listening are far as equally important if not more.

  3. Don’t ignore emerging trends.
    4. The landscape is always changing cloud security, AI, threat intel, and zero trust are becoming mainstream. It’s advised to stay informed through blogs, newsletters, and conferences. The more you know about where things are headed, the more valuable you become. One more reason to give HTB a praise as they constantly update their modules with latest TTPs and tools.

Conclusion

Cybersecurity is a field that rewards curiosity, dedication, and adaptability. Whether you’re starting with a degree, certifications, or hands-on labs, the key is to blend all three for a truly well-rounded foundation. Remember, no matter the career you decide to pursue, you will come across tools such as Metasploit, Wireshark, BurpSuite, Nessus, Nuclei, Splunk, Snort as well as common services (FTP, SMB, RDP, DNS, Email services, and so forth) and common applications (WordPress, Drupal, Joomla, Tomcat, Jenkins, GitLab, LDAP and much more).

In terms of balance, everybody has their own schedule and what is applicable to me might not be to someone else. Consequently, feel free to find the right balance between school, certification and hands-on labs at your own pace.

Long story short, I would highly recommend starting off with TryHackMe as it is beginner friendly then progressively migrate to HackTheBox as things get serious and more challenging. Check out TryHackMe and HackTheBox learning paths to choose where you see yourself. Immediate action is key to achieving the best results.