My personal experience as a Cyber Security Graduate has been interesting. I've come across many people who have acquired various IT skills over the course of many years and then transitioned into security; however these individuals seem to lack the knowledge of what's best practice or don't have as strong of a command on various attack vectors.
On the other hand having the knowledge without the skills or hands on experience is the other side of the spectrum, which is where I fell in after graduating. I slowly hopped position to position to gain the hands on experience my college didn't provide. Luckily most jobs in IT will ask for CS degree or related field so your covered in that aspect.
As for free site to get a jump on things I'd recommend: https://www.cybrary.it/ A lot of good free training geared towards various certifications. You'll learn a lot from them even if you don't want to pursue certifications at the moment.
SonarQube is the first one that comes to mind. If you want a simple method for setting it up locally for testing, take a look at my Vagrant script here:
I provide unsolisited services to my customers, and I always just publish enough of their shit to embarras the hell out of them. I do not care about monies. It is just for kicks.
I've recently focused my efforts on transitioning from a web app developer to a penetration tester. There are a lot of tools that do similar things, but there are also a lot of tools that do unique scans and checks. CEH is not a great resource or certification. If you want an overview of pentesting in an educational setting, Penetration Testing with Kali (https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/) is an awesome course and certification.
If you are more interested in web app pentesting, start looking at OWASP (which is where WebGoat comes from).
The book Web Application's Hacker's Handbook (http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/ref=sr_1_1?ie=UTF8&qid=1456009501&sr=8-1&keywords=web+application+hackers+handbook) is a great book. One of the authors is the creator of the Burp Suite tool, which is a must when doing web app pentesting.
There are a lot of resources and it can be overwhelming. Do you know anyone in pentesting you could talk to/work with? The best thing, in my experience, is to play with different tools and resources to see what you like best.
Security CTF's are another good way to get introduced to multiple types of pentesting.