6-Month Blue Team Roadmap For Students
This roadmap cuts through the noise. Six months. Free tools. One month at a time. Each phase builds on the last. Don't skip ahead the fundamentals in Month 1 are what make Month 6 make sense.
Breaking into blue team cyber security feels overwhelming. There's no clear starting line, the tools are endless, and the certifications are expensive. This roadmap cuts through the noise. Six months. Free tools. One month at a time.
Why Blue Team?
Offensive security gets all the glory, but defenders are what keep organisations alive. Every SOC, every SIEM dashboard, every incident response playbook exists because someone chose to learn the blue side and companies are desperately hiring for it.
The barrier to entry is lower than you think. You don't need a degree. You don't need expensive bootcamps. You need structure, consistency, and the right free tools.
The Month-by-Month Breakdown
Each phase builds on the last. Don't skip ahead the fundamentals in Month 1 are what make Month 6 make sense.
Month 1: Foundations: Networking basics, OSI model, TCP/IP, DNS, HTTP. Start with Professor Messer's free Security+ content. This is the unglamorous stuff that everything else depends on.
Month 2: OS & Linux: Command line, file permissions, process monitoring, Windows Event Logs. Work through OverTheWire: Bandit to build real comfort in the terminal.
Month 3: Threat Basics: MITRE ATT&CK framework, common attack types, phishing, malware categories. Start thinking like an attacker so you can defend against them.
Month 4: SIEM & Logs: Splunk free tier, log analysis, alert triage. Follow the TryHackMe SOC Level 1 path, this is where it starts feeling like a real job.
Month 5: Incident Response: Blue Team Labs Online, IR playbooks, Wireshark packet analysis, IOC hunting. Practice responding to real scenarios under pressure.
Month 6: Apply & Certify: Do the SAL1 certification, finish building your portfolio, and start applying for Tier 1 SOC roles.
Your Free Starter Kit
Every resource below is free or has a meaningful free tier.
- Learning: TryHackMe's SOC Level 1 path, structured blue team labs
- SIEM: Splunk Free · Elastic SIEM ingest logs, write queries, build dashboards
- Packets: Wireshark · NetworkMiner capture and analyse real network traffic
- Threat Intel: MITRE ATT&CK · Any.Run map attacker behaviour, analyse suspicious files
- Practice: Blue Team Labs Online, real incident scenarios and scored challenges all on TryHackMe
What Nobody Tells Students
These are the real differentiators between candidates who get hired and those who don't.
Consistency beats intensity. 30 minutes every day beats 5-hour weekend sessions. The students who make it don't burn bright and fade they show up daily, even when it's boring. Build the habit before you build the skills.
Certs open doors, labs get jobs. SAL1 gets you the interview. What you built in the lab closes it. A hiring manager who sees a TryHackMe profile full of completed rooms trusts you more than a resume full of buzzwords.
Document everything publicly. A GitHub with your lab notes, writeups, and detection rules is worth more than a blank LinkedIn. Every challenge you solve is a portfolio piece. Write it up, push it, link it everywhere.
Imposter syndrome is universal. Every SOC analyst felt unqualified once. The feeling of being out of your depth isn't a sign you're wrong for this it's a sign you care. Keep going.
Where to Start Right Now
Don't overthink it. Create a free TryHackMe account and enrol in the SOC Level 1 path. Set a 30-minute daily calendar block same time, every day. Open a GitHub repo called blue-team-journey and push your first notes tonight. Bookmark the MITRE ATT&CK framework and read one technique per day.
Six months from now, you'll either have the foundation for a SOC career or you'll wish you started today.