SOC Analyst: How I Actually Broke Into Cybersecurity

Note: This is the real story - not the sanitized LinkedIn version.

So I Just Started My First Job in Cybersecurity

A few months ago (March 2025) I started as a Tier 1 SOC Analyst with Leidos on the CISA contract. After years of building, learning, and honestly questioning if I'd ever make this transition, I'm finally here.

People keep asking me "How'd you do it?" So I figured I'd write the honest version of how a Marine turned facilities guy became a cybersecurity professional. Spoiler alert: it wasn't linear, it wasn't quick, and networking saved my career.

The Long Road From Hawaii to Here

Let me back up. I spent four years in the Marines from 2009-2013, stationed in Hawaii as a Team Leader. After getting out, I did what a lot of vets do - I bounced around trying to figure out what came next.

I ended up working for Lite It Electric in Cleveland, which was actually owned by my step-father. But here's the thing - even though I fell into that work, the electrical troubleshooting was complex and I really excelled at it. There's something satisfying about diagnosing problems that aren't immediately obvious.

Then a buddy from the Marines told me his company in Boston was hiring. I applied, got the job, and that's how my 10-year facilities career really took off. C&W Services, CBRE, BTE, UG2 - I moved through facilities roles, learning HVAC systems, coordinating maintenance, managing vendors. Solid work, and I was good at it.

But I had no idea cybersecurity was even a thing I'd be interested in. Zero interest. Hadn't even crossed my radar.

The "Aha" Moment

2022 changed everything. My daughter was born, and I was on parental leave, doing that new parent thing where you're sleep-deprived but somehow have pockets of time while the baby naps.

I was scrolling YouTube and came across a NetworkChuck video on ethical hacking. I don't even remember which one, but something about it just clicked. Maybe it was the problem-solving aspect that reminded me of electrical troubleshooting, or maybe I was just ready for a mental challenge that wasn't changing diapers.

Whatever it was, I was instantly hooked.

I started doing TryHackMe challenges at every opportunity - during lunch breaks, after my daughter went to sleep, any free moment I could find. My wife probably thought I'd lost my mind, but I couldn't stop.

Here's where being a veteran with leftover GI Bill benefits became clutch. I'd already used some for journeyman electrical school and got an Associate's in Firearms Technology (seemed like a fun thing to do at the time since I had no real college plans). But I had enough benefits left to do something serious.

So in early 2024, I enrolled in the SANS Technology Institute for their Bachelor's in Cybersecurity program. Going from "what's ethical hacking?" to getting a BS in cybersecurity felt like drinking from a fire hose, but I was all in.

Here's Where Most People Get It Wrong

Everyone talks about getting certifications (which I did - GCIA, GRID, GCFA, GCFE, GPYC, GCIH, BTL1). But here's what nobody tells you: certs without hands-on experience are just expensive pieces of paper.

The real game-changer was building a home lab and actually doing projects. Not just following tutorials, but building things, breaking them, documenting everything, then talking about it publicly.

My lab setup became my playground:

  • VMware environment with Ubuntu Linux (attacker) and Windows (victim) VMs
  • LimaCharlie and Sysmon for monitoring
  • Sliver C2 Framework for attack simulation
  • Custom detection rules and webhooks
  • ELK stack for log analysis
  • Capture The Flag Events

But here's the kicker - and this is crucial - having the world's greatest home lab is worthless if you never document what you do.

The Documentation Game-Changer

This is where GitHub became my best friend, even though I'm not a developer. Every script I wrote, every configuration file I tweaked, every step-by-step process I figured out - it all went up on GitHub. Not because the code was groundbreaking, but because it showed I could actually build things.

Take my DShield honeypot automation scripts. Sure, the Bash code wasn't winning any awards, but when I uploaded it with detailed README files explaining what problem it solved, how to set it up, and what I learned from the process - that's what mattered. Someone could actually follow my documentation and replicate what I built, and other interns could benefit from the experience I gained.

Same thing with my Azure honeypot project. I didn't just write a blog post saying "I built a honeypot." I documented the PowerShell script for extracting geolocation data, included the Log Analytics queries I used, and explained each step of the Azure Sentinel configuration. Someone reading it could build the exact same setup.

Here's what I learned: you don't need perfect code to have a valuable GitHub profile. You need clear documentation, good README files, and the ability to explain your thought process. Employers want to see that you can not only solve problems, but communicate how you solved them.

Even when I wasn't writing code, I documented everything. How I configured Sysmon, the exact ELK stack setup steps, the network topology of my lab - all of it went somewhere public where people could see my work and potentially learn from it.

The Tree Falling in the Woods Problem

You can have the most sophisticated home lab setup imaginable, but if you can't show someone what you built and explain why it matters, it's like a tree falling in the woods. Did it really happen?

This is where my blog (iamjoshgilman.com) became essential. Every project, every investigation, every lesson learned - I tried to document it all. When I set up Azure honeypots and started seeing attacks from Vietnam within 30 minutes, I wrote about it. When I analyzed XorDDoS trojan activity on my DShield sensors, I documented the whole process.

The SANS Internet Storm Center internship was huge here. It gave me real data to analyze and legitimate experience to write about. Those attack observation reports, the DShield honeypot automation tools I built - all of that became content that showed I could do the work, not just talk about it.

The Application Grind (Spoiler: It Sucked)

Let's be honest about the job search. I applied to probably hundreds of positions. Hundreds. Most never responded. The ones that did often wanted 3-5 years of experience for "entry-level" roles.

I talked to recruiters who promised the world and delivered nothing. I had my hopes up more times than I care to count. It was discouraging as hell.

The Power of Veteran Networking

Here's where my story takes a turn, and it's the most important part for any veteran reading this.

I joined VetSec.org - specifically their Slack channel. For those who don't know, VetSec is a community of veterans working in cybersecurity and IT. It's not just a networking group; it's a support system.

I didn't just lurk. I was active. I shared my projects, asked questions when I was stuck, celebrated other people's wins, and genuinely contributed to the community. When I posted about setting up my DShield honeypots or analyzing malware, people noticed.

The Leidos opportunity came through that network. Someone in the VetSec community knew about the CISA contract opening, had seen my work, and was comfortable vouching for me. They knew I could do the job because they'd watched me actually doing similar work publicly.

That referral got me my first real cybersecurity interview. Not just a recruiter call - an actual technical interview with the team I'd be working with.

What Actually Mattered in the Interview

When I sat down with the Leidos team, we didn't spend much time on my facilities background. Instead, we talked about:

  • The DShield honeypot data I'd been analyzing
  • My approach to forensic analysis in my coursework and home lab
  • Specific attack patterns I'd observed and documented
  • How I'd automated repetitive tasks with Python and Bash
  • And a whole lot of fundamental networking

I could speak to real examples because I'd been doing the work, even if it wasn't in a professional SOC environment yet.

The Real Lessons Learned

If I had to do this over again, here's what I'd focus on:

1. Build and Document Everything. Don't just build a lab - document every project like you're teaching someone else. Your future self (and potential employers) will thank you.

2. Get Involved in the Community. Join VetSec if you're a veteran. Find other communities if you're not. But actually participate - don't just network when you need something.

3. Quality Over Quantity. Better to have three well-documented, thorough projects than thirty shallow tutorials you followed once.

4. Network Like Your Career Depends On It. Because it does. The best opportunities come through people, not job boards.

What's Next

Starting as a T1 SOC Analyst at Leidos feels like the beginning, not the destination. I'll be working on the CISA contract, doing real incident response and threat analysis work that protects critical infrastructure.

I plan to keep writing about what I'm learning, keep building in my home lab, and keep contributing to the veteran cybersecurity community that got me here.

For anyone else making this transition - it's possible, but it's not easy. The path isn't linear, the job market is tough, and you'll question your decision more than once.

But if a facilities guy who started learning Python to close work tickets faster can become a SOC analyst, you can too.

Just remember: build it, document it, share it, and never underestimate the power of community.


What questions do you have about making the transition into cybersecurity? Drop me a line - always happy to help a fellow career changer or veteran.