print(“Welcome to Part II”)

Annnnnnnddddd, we’re back. If you’ve been following along, you may be a career existentialist! Congratulations, you’re in good company.

In Part I of this guide, we talked about recognizing the cycle we find ourselves in when first considering a career in cybersecurity. Forcing ourselves to answer questions we don’t have enough context to ask, shaming ourselves for not knowing everything immediately, being fatigued by a surplus of varying resources…

You’re here because you found security and you have an itch to scratch. Perhaps you met a security engineer, were inspired by research that you happened upon, felt that it was time for a change, or always wanted to enter the industry but never knew how. Or, perhaps, it is what the legends foretold and this field was always going to find you :)

Regardless of how you got here - the questions running through your head are indeed universal, and the most common answers are isolating. Let’s dive into how you can take control of this journey and break the cycle that has been holding you back from being the badass security engineer you are meant to be.

^Ctrl + C: Breaking the Loop

Stopping the Spiral Before It Stops You

• Recognize the Pattern: The 7-step cycle from Part I isn’t productive learning - it’s anxiety masquerading as research. As soon as you recognize the existential loop starting, take a step away, get some fresh air, and give your mind a moment to breathe.

• Set a Timer: Literally. Give yourself 30 minutes and the grace to explore a rabbit hole, then force yourself to kill the process, realign, and refocus on the original task at hand.

• Ask Different Questions: Not “where do I fit in all of cybersecurity?” but “what problem do I want to solve right now?”

chmod +x: Anticipating the Paralysis and Executing Accordingly

When You Don’t Know Where to Start:

• Listen to Yourself: Pick the topic that made you feel something (curiosity, anger, excitement) most recently. I probably spent too much time trying to perfect the right topic for me – there is no correct answer; even seasoned security professionals take different paths before finding the thing that sticks.

• Do the Boring Stuff First: Can’t decide between malware research or threat hunting? Start with a basic tutorial; memorizing the advanced framework will do you no good, yet.

• Start a 2-Week Experiment: “I’m trying X for two weeks” is far less intimidating than “I’m committing to Y forever.”

When Imposter Syndrome Hits:

• Take Notes: Document what you did learn, not what you think you should know.

• Don’t Be Afraid to Ask Questions: Remember when not knowing something was fine? When you could just... ask? Somewhere between elementary school and now, we convinced ourselves that curiosity makes us look stupid. Of course you don’t know the latest IOC from last week’s attack. That’s okay! Understanding what IOCs are and why they matter will take you further than memorizing specific indicators that’ll be irrelevant in a month anyway.

• Network: This may be one of the strongest ways to challenge your imposter syndrome. Find one person who’s one (or a few) steps ahead of you and ask them a specific question. Have an industry leader you’re inspired by? Send them a message – I promise it’s worth pushing past the fear.

• Trust Yourself: You don’t need to be an expert to contribute. Curiosity and a passion for sharing knowledge are essential. The industry desperately needs new perspectives - yours included.

When Self-Doubt Creeps In:

• Reframe: “I don’t understand this yet” vs. “I’ll never understand this.” Every senior threat researcher was once someone staring at their first PCAP file with no idea what they were looking at. The difference isn’t talent – it’s persistence… the good kind ;)

• Build in Public: Leverage GitHub, Notion, CTF Time, TryHackMe, Hack The Box, and other platforms to record and share what you’ve learned, including projects or even an all-encompassing (and maybe slightly wordy) README.md, keeping track of the way you’ve managed your minutes. Not only will this help you show others what you’ve been up to, but it will also keep you organized.

• Record Your Wins: Every small breakthrough, every solved challenge, every lightbulb moment deserves to be celebrated. Don’t let your instinct force you to finish one thing and barely breathe into the next – slow down and celebrate progress.

The Moving Target Mindset

Remember the knowledge depreciation problem?

Here’s the reality: fundamentals outlive tools every single time.

Python syntax changes. SIEM platforms get replaced. Specific CVEs become irrelevant. But understanding how to think like an attacker, how to correlate disparate data points, how to ask better questions – these don’t expire.

The mechanics of social engineering remain consistent even as delivery methods evolve. Network protocols evolve, sure, but how systems fundamentally communicate? That’s not going anywhere.

When you’re choosing what to learn, prioritize concepts over implementations. Learn why security engineering works, not just how different platforms approach a problem. Understand what makes OSINT effective, not just which tools are popular this year. The tools will change. Your ability to adapt is what will set you apart and help you grow alongside the field.

Spiral vs. Progress: Knowing the Difference

Not all rabbit holes are bad. Some lead to breakthroughs. Here’s how to tell the difference:

You’re in a productive learning spiral if:

• You’re actively doing something (writing code, solving a challenge, building a project).

• Each new question brings you closer to answering your original one.

• You’re uncomfortable but engaged, not existential.

You’re in a paralysis spiral if:

• You’re reading about learning more than actually learning.

• You’ve opened 23 tabs but haven’t finished any of them.

• The overwhelm is growing, not shrinking.

• You feel more confused than when you started.

The spiral doesn’t make you a failure. It makes you human. Curiosity is an essential trait for a threat intelligence; but, there’s a difference between structured investigations and unproductive rabbit holes. The former solves problems; the latter just feels like work and often leads to burn out. So, reader, if you have 23 tabs open, ask yourself “am I getting closer to an answer, or am I just scrolling?” - let the answer redirect you accordingly.

Exit 0

You will always feel behind, and at first, you’ll feel uncertain too. The goal isn’t to eliminate that uncertainty – it’s to function despite it. The field will always move faster than anyone can keep up. Tools will become obsolete. Frameworks will evolve. Threat actors will pivot.

And you’ll keep learning anyway.

Not because you’ve found the perfect path or the right specialization or finally feel qualified. But because you chose to start somewhere and then keep going. The geolocation CTF at 2 AM. The MITRE technique you finally understood. The first time a detection rule you wrote actually caught something. The GitHub project gaining traction, stars & contributions…

These wins prove you can move forward even on a day when it feels like you’ve taken 10 steps back.

So, pick something. Anything. Give yourself two weeks. Then pick something else if you need to. The paralysis wants you to believe that choosing wrong is worse than not choosing at all. It’s lying.