I Applied to 40 Cybersecurity Jobs With No Experience

I Applied to 40 Cybersecurity Jobs With No Experience — Here's What Actually Got Responses

The most common advice for getting your first cybersecurity job is: "get certified, build a portfolio, apply widely." That advice is true but incomplete — it doesn't tell you which certifications matter to which employers, what a portfolio actually needs to contain to generate responses, or how to frame zero work experience in a way that hiring managers don't immediately filter out.

I found out the hard way, over 40 job applications. I'm going to share the exact data: which applications got responses, which didn't, what the difference was, and what I'd do differently if I were starting the process again tomorrow.

I'm still a student — this is an ongoing process, not a completed success story. Some of these applications are still in progress. But six months of data across 40 applications is enough to see clear patterns, and I want to share them while they're fresh.

  • Total applications submitted: 40
  • Initial responses received: 11
  • Progressed past first screen: 6
  • Reached technical interview stage: 3
  • Response rate on strongest applications: 27.5%
  • Response rate on weakest applications: 2.5%

That gap between 27.5% and 2.5% response rate is the entire story. The difference wasn't luck — it was specific, identifiable factors in how I presented myself. Let me break down exactly what drove that difference.

What this covers:
  1. What didn't work — the 29 applications that got nothing
  2. What worked — the 11 applications that got responses
  3. The portfolio items that actually moved the needle
  4. How to frame zero experience on a resume and LinkedIn
  5. The interview questions I got and how I answered them
  6. The exact application strategy I'd use from day one

What Didn't Work — The 29 Silent Applications

Did Not Work

Applying to "Cybersecurity Engineer" roles at large MNCs

My first 12 applications were to established MNCs in Bengaluru and Hyderabad with "Cybersecurity Engineer" or "Information Security Analyst" titles. Most required "3-5 years experience." I applied anyway, reasoning that I might slip through. I didn't. These roles go through HR filters that screen on the experience field before a human ever sees the application. Entry-level in a large MNC means 2-3 years experience in practice, not zero.

Did Not Work

Applying through job portals without customising the application

Naukri.com and LinkedIn Quick Apply allow one-click applications. I used them extensively in the first two months. The response rate on these was close to zero — 1 response from approximately 18 quick-apply submissions. The problem: these submissions look identical to hundreds of other quick-apply submissions. There is no differentiation. I was competing on quantity against people with experience, which is not a winnable competition.

Did Not Work

Using a generic cybersecurity resume for every application

I made one good resume and sent it everywhere. The problem with this approach: a SOC Analyst role and a Junior Penetration Tester role require different skill emphasis. An application that doesn't reflect the specific requirements of the role reads as a generic application that doesn't understand the job. Hiring managers notice. Keyword matching in ATS (Applicant Tracking Systems) also scores customised applications higher.

Did Not Work

Listing "Studying cybersecurity" without specifics

On early applications, my experience section said things like "self-studying cybersecurity, completing online courses." This describes the activity but not the output. "Completed TryHackMe Jr Penetration Tester path, rooted 8 VulnHub machines, documented findings on GitHub" is specific and verifiable. Generic descriptions of learning are easy for recruiters to dismiss.

What Worked — The 11 Applications That Got Responses

Worked

Targeting smaller cybersecurity consultancies and MSSPs

The highest response rate came from small-to-mid security companies (10-100 employees): MSSPs (Managed Security Service Providers), boutique penetration testing firms, and security audit consultancies. These companies hire freshers more readily than large MNCs because they need volume and they can train. In smaller companies, applications are often read directly by the technical team lead or founder — someone who can evaluate a GitHub portfolio and TryHackMe profile, not an HR filter matching keywords for years of experience.

Worked

Cold outreach to founders and technical leads on LinkedIn

Three of my eleven responses came not from job listings at all, but from LinkedIn messages I sent directly to founders or technical leads at small security companies. The message: brief, specific, direct — "I'm an MCA student studying cybersecurity, I've been completing PortSwigger practitioner labs and doing bug bounty on HackerOne, I'm looking for an internship or entry-level role, here's my GitHub [link] and TryHackMe profile [link]. Is there any availability on your team?" No more than 5-6 sentences. Response rate on these messages: approximately 1 in 4, which is dramatically higher than job portal submissions.

Worked

Cover letters with one specific, verifiable claim per application

The applications that got responses had cover letters that included one concrete, verifiable claim tied to the specific role. For a SOC Analyst role: "I have completed TryHackMe's SOC Level 1 path and worked through Splunk's free SIEM training — here's a link to my completed path." For a pentesting role: "I have documented IDOR and business logic findings on HackerOne — here is my profile." Specific. Verifiable. Relevant. This approach takes 20 minutes per application and dramatically increases signal-to-noise for the reader.

Worked

Applying to IT security adjacent roles (not pure security)

Two of my best responses came from "IT Support with security focus" and "Junior Systems Administrator" roles at companies that mentioned security responsibilities. These are bridging roles — less competitive than pure security positions, provide relevant experience, and create an internal pathway to a security team. I had been avoiding these as "not real security jobs." That was a mistake born of pride, not strategy. For a fresher, any role that builds relevant skills and adds an employer's name to your resume has value.

The Portfolio Items That Actually Moved the Needle

What Hiring Managers in India Actually Responded To

Based on what interviewers mentioned in follow-up calls and what seemed to correlate with responses:

  • A blog with technical content (this blog). Two interviewers specifically mentioned my blog as the reason they agreed to a call. A blog demonstrates technical knowledge, communication skills, and genuine sustained interest in the field — all things that are difficult to fake and that a resume cannot show. Of all the portfolio items I have, this blog has generated the most direct hiring interest.
  • A public GitHub with documented lab work. Not a GitHub full of empty repositories or repositories with a single commit — but repos that show consistent activity, documented methodology (README files explaining what the repo does and what was learned), and real work products. An interviewer at a small consultancy told me directly: "I looked at your GitHub before agreeing to this call. The DVWA writeups are what told me you actually know this stuff."
  • A HackerOne profile with valid findings. Even informational severity findings and Hall of Fame mentions. One verified finding on a real programme tells an interviewer more than any certification. It is objective, third-party-verified evidence that you can identify real vulnerabilities in real software.
  • Certifications were table stakes, not differentiators. On every application that got a response, I had ISC2 CC listed. This seemed to be a floor — something that got me past an initial threshold — rather than a differentiator that generated interest. The blog, GitHub, and HackerOne profile were the differentiators.

How to Frame Zero Experience — What Actually Works on a Resume

The experience section of my resume, before the improvement that started generating responses, looked like this:

Before (generated almost no responses):
• Self-studying cybersecurity and ethical hacking
• Completed various online courses in web security
• Learning penetration testing and vulnerability assessment

After (generated responses):
Independent Security Research & Lab Practice | 2025–Present
• Completed PortSwigger Web Security Academy Practitioner curriculum — web application vulnerabilities including SQLi, XSS, CSRF, IDOR, business logic flaws
• Compromised 12 intentionally vulnerable machines (VulnHub, HackTheBox Starting Point) — documented methodology and findings on GitHub [link]
• Submitted 23 reports on HackerOne/Bugcrowd; 6 validated findings including 2 Medium severity IDOR vulnerabilities — profile: [link]
• Completed TryHackMe Jr. Penetration Tester path; currently ranked in top 8% — profile: [link]
• Runs TechWithAmardeep cybersecurity blog covering web security, ethical hacking, and career development — 40+ published articles [link]

The difference: specific, quantified, verifiable, and linked. Every claim has evidence. An interviewer can check every item in under three minutes. This is not inflating experience — these are real things, described specifically rather than vaguely.

The Technical Interview Questions I Got — And How I Answered Them

Questions from Real Interviews (Entry-Level Security Roles)

Q: "Explain what a SQL injection is and give me a real example of how you'd test for it."
Don't describe it from a textbook. Describe it from practice. "SQL injection is when user-supplied input is included in a database query without proper sanitisation. In a login form, for example, entering ' OR '1'='1 in the username field might manipulate the query to return all users instead of matching credentials. I've practiced this on PortSwigger's labs and DVWA — the difference between theory and practice is significant, particularly understanding how blind SQLi works when there's no visible output."
Q: "What would be your first step when starting a penetration test on a web application?"
Answer from your methodology, not a textbook list. "Reconnaissance — understanding the application before touching it. I'd map the attack surface: enumerate subdomains, identify the technology stack from response headers and error messages, look at JavaScript files for hidden endpoints, and understand the authentication model before testing any specific vulnerability. Trying to exploit before you fully understand the target leads to missed findings and noise." Reference specific tools you actually use.
Q: "You don't have professional experience. Why should we hire you over someone who does?"
This is the key question. My answer: "Someone with three years in a role that didn't challenge them technically may have less practical skill than someone who spent the last year deliberately practicing against real targets. I can show you specifically what I can do — my GitHub documents exactly how I approach problems, my HackerOne profile shows I can find real vulnerabilities. I'm not asking you to take my word for it; I'm asking you to evaluate what I've built." Then stop talking. Don't oversell.

The Exact Application Strategy I'd Use From Day One

If I were starting this process again with what I know now:

  • Months 1-3: Build portfolio before applying anywhere. Complete PortSwigger Apprentice curriculum. Complete TryHackMe Pre-Security and Jr Penetration Tester paths. Start the blog. Get ISC2 CC. Every piece of work goes on GitHub with documentation.
  • Month 4: Start HackerOne — not for earnings but for the verifiable findings. Even informational findings on a legitimate programme are worth documenting.
  • Month 5: Begin applying — exclusively to small companies (under 100 employees) via direct LinkedIn outreach and targeted applications, not quick-apply. 5 high-quality targeted applications per week is better than 20 quick-apply submissions.
  • Simultaneously: Consider IT support or junior systems administrator roles that mention security — these are the actual entry pathway at many organisations, not the listed "security analyst" roles that require experience.
  • Resume: One resume template, customised for every single application to match the specific role's keywords and requirements. Takes 15 minutes per application. The difference in response rate is not subtle.
  • Application volume target: 20-30 over 6-8 weeks, all high-quality, not 40+ quick-applies. Quality absolutely beats quantity at this stage.

About the Author

Amardeep Maroli

MCA (Master of Computer Applications) — PES University, Bengaluru
Cybersecurity Intern — Inhok Technologies
TryHackMe — Top 2% Globally (160+ completed labs, Jr Penetration Tester certified)
Certifications: CTIGA, CRTOM, CSEDP

Hands-on experience with SIEM tools (Wazuh, ELK Stack, Splunk), cloud security, and network penetration testing. I document my cybersecurity research at TechWithAmardeep.

Cybersecurity Job Search FAQs

Is an MCA degree helpful for getting cybersecurity jobs in India?
It helps with initial ATS filtering on large company applications — many HR departments have minimum degree requirements and MCA satisfies them. For small security companies and direct outreach, the degree matters much less than demonstrated skill. The interviewers at smaller firms who responded to me never led with degree questions; they led with "walk me through a vulnerability you've found" type questions. The degree is a checkbox, not a differentiator. What differentiates candidates is the portfolio, the technical conversations, and the ability to demonstrate practical knowledge. An MCA plus demonstrated skills is excellent; an MCA alone, without practical work to show, has limited value in technical hiring.
Should I apply for SOC analyst or penetration tester roles as a fresher?
SOC Analyst roles are more accessible as entry-level positions — the technical bar is lower (monitoring, alert triage, incident response workflows) and there are more openings. Penetration testing roles, even "Junior" ones, typically expect demonstrated offensive skills that take longer to develop. My recommendation: if you're 6-12 months into self-study, apply for SOC Analyst roles as your primary target. Simultaneously develop the skills for penetration testing through bug bounty and labs. The SOC role gives you legitimate work experience, income, and industry exposure while you build toward the pentesting career. The two are not mutually exclusive — many good pentesters started in SOC roles.
What should a fresher's LinkedIn profile prioritise for security jobs?
In order of importance: (1) Your headline — not "MCA Student" but "Cybersecurity Researcher | Bug Bounty | PortSwigger Practitioner | ISC2 CC" — recruiters search LinkedIn and your headline determines whether you appear in results. (2) Links in the About section — your GitHub, your TryHackMe profile, your blog. Make them impossible to miss. (3) The experience section — use the "Independent Security Research" framing described above. (4) Skills section — add every relevant technical term: Burp Suite, Nmap, Metasploit, OWASP, SIEM, Python, Kali Linux. These are searchable keywords. (5) Certifications section with your ISC2 CC or any other completed certification. Activity — posting about your learning, sharing writeups — significantly increases your visibility to recruiters who are searching for security professionals.
How many cybersecurity internships are actually available for students in India?
More than most students think, but they are concentrated in specific places and require proactive searching. Large MNCs post internship programmes (Infosys, TCS, Wipro all have security team internships — check their careers pages directly, not just aggregators). Government internship programmes through NASSCOM, CERT-In (Computer Emergency Response Team India), and NCIIPC (National Critical Information Infrastructure Protection Centre) exist and are genuinely good resume builders. Small security consultancies frequently take unpaid or stipend-based interns who are useful immediately — these are found through direct LinkedIn outreach, not job portals. DSCI (Data Security Council of India) runs an internship programme worth applying for. The pipeline exists; it requires more active searching than waiting for listings to appear.

If you've been through the cybersecurity job search process in India — fresher or experienced career changer — I want to hear what worked for you. The more data points we collectively have on what actually works in the Indian market, the more useful this becomes for everyone in the comments.
