A comprehensive, community-driven resource for cybersecurity professionals and aspiring practitioners
Whether you're just starting your journey into cybersecurity or looking to specialize in a new domain, this knowledge base provides practical answers to common questions, curated learning paths, and vetted resources to accelerate your growth.
- 🚀 Getting Started
- 🎯 Career Paths & Domains
- 📚 Foundational Skills
- 🔐 Security Domains
- 🏆 Certifications & Education
- 🛠️ Tools & Lab Setup
- 🤖 AI, Automation & Future Trends
- 💼 Career Development
- 📖 Curated Resources
- 🤝 Contributing
Where do I start with cybersecurity?
Start with the fundamentals before diving into security-specific topics:
- Learn Linux basics - Most security tools run on Linux. Get comfortable with the command line.
- Understand networking - TCP/IP, DNS, HTTP, and how data flows across networks.
- Pick up basic programming - Python is the go-to language for security automation.
- Learn how systems work - Operating systems, web applications, databases.
Recommended first steps:
- Complete the TryHackMe Pre-Security Path (free tier available)
- Watch Professor Messer's Network+ for networking fundamentals
- Follow Linux Journey for Linux basics
Key insight: Security is about understanding how systems work and then learning how they can be broken. Build the foundation first.
What equipment/hardware do I need?
Good news: You don't need expensive equipment to start.
Minimum requirements:
- CPU: Intel i5/i7 or AMD Ryzen 5/7 (ideally not more than 2 generations old)
- RAM: 16GB minimum (8GB will struggle with VMs)
- Storage: 256GB+ SSD (NVMe preferred)
- OS: Windows (with WSL2), macOS, or native Linux all work
Budget-friendly tips:
- Refurbished business laptops (ThinkPad T-series, Dell Latitude)
- Cloud-based labs (TryHackMe, HackTheBox) reduce local hardware needs
- WSL2 on Windows eliminates dual-boot hassle
For advanced work:
- 32GB+ RAM for multiple VMs and memory analysis
- Apple Silicon (M1/M2/M3) offers excellent battery life and ARM virtualization
- Dedicated Wi-Fi adapter for wireless testing (check chipset compatibility with Kali)
Reality check: Password cracking happens in the cloud now, not on your laptop. Don't overspend on a GPU.
Am I too old/young to start?
No. Age is irrelevant in cybersecurity.
- Many successful professionals transitioned from other careers in their 30s, 40s, and beyond
- What matters: curiosity, persistence, and willingness to continuously learn
- The field values skills and demonstrated knowledge over age or traditional backgrounds
The best time to start was yesterday. The second best time is now.
How do I stay motivated during the learning journey?
- Set small, achievable goals - "Finish one TryHackMe room this week" beats "become a hacker"
- Join communities - Discord servers, local meetups, Twitter/X security community
- Document your progress - Blog about what you learn, even as a beginner
- Participate in CTFs - Capture The Flag competitions make learning fun and social
- Find a study buddy - Accountability partners help maintain consistency
Remember: Everyone was a beginner once. The security community is generally welcoming to those who put in genuine effort.
What are the main cybersecurity career paths?
- Penetration Tester - Authorized hacking to find vulnerabilities
- Red Team Operator - Simulating advanced threat actors
- Bug Bounty Hunter - Finding vulnerabilities for rewards
- Exploit Developer - Creating proof-of-concept exploits
- Security Analyst (SOC) - Monitoring and responding to alerts
- Incident Responder - Investigating and containing breaches
- Threat Hunter - Proactively searching for hidden threats
- Digital Forensics - Investigating cybercrimes and breaches
- Security Engineer - Building and maintaining security systems
- Cloud Security Engineer - Securing AWS, Azure, GCP environments
- Application Security Engineer - Securing software development
- Security Architect - Designing enterprise security strategies
- GRC Analyst - Managing policies, risk assessments, audits
- Security Auditor - Evaluating security controls
- Compliance Specialist - Ensuring regulatory requirements are met
- Malware Analyst - Reverse engineering malicious software
- Cryptographer - Designing and analyzing cryptographic systems
- IoT/OT Security - Securing industrial and embedded systems
Which path should I choose based on my background?
| Your Background | Recommended Paths |
|---|---|
| Programming/Development | Application Security, Bug Bounty, Security Research |
| System Administration | Security Engineering, Cloud Security, SOC Analyst |
| Network Engineering | Network Security, Penetration Testing, Incident Response |
| IT Support/Help Desk | SOC Analyst, Security Analyst, GRC |
| No tech experience | Start with fundamentals → SOC Analyst or GRC |
| Law/Business | GRC, Risk Management, Security Compliance |
Pro tip: Don't stress too much about choosing the "right" path initially. Skills transfer between domains, and most security professionals work across multiple areas over their careers.
What does a typical workday look like?
SOC Analyst:
- Monitor SIEM dashboards for alerts
- Triage and investigate suspicious activity
- Escalate confirmed incidents
- Document findings and update playbooks
Penetration Tester:
- Plan and scope engagements with clients
- Execute testing methodology (recon, exploitation)
- Write detailed technical reports
- Present findings to technical and executive audiences
Security Engineer:
- Deploy and configure security tools
- Respond to security tool alerts
- Automate security processes
- Collaborate with Dev/Ops on secure architecture
What are realistic salary expectations?
Salaries vary significantly by location, experience, and specialization. US-centric ranges (2024-2025):
| Role | Entry-Level | Mid-Level | Senior |
|---|---|---|---|
| SOC Analyst | $60-80K | $80-100K | $100-130K |
| Penetration Tester | $70-90K | $100-140K | $150-200K+ |
| Security Engineer | $90-120K | $130-170K | $180-250K+ |
| GRC Analyst | $60-80K | $90-120K | $130-160K |
| CISO | - | - | $200-400K+ |
Factors that increase earning potential:
- OSCP, OSCE, OSWE for offensive roles
- Cloud certifications (AWS, Azure) + security expertise
- Bug bounty track record
- Contributing to security tools/research
- Remote work for US/EU companies from lower cost-of-living areas
Linux is the backbone of cybersecurity. Most security tools, servers, and target systems run Linux.
Learning Resources:
| Resource | Type | Level | Notes |
|---|---|---|---|
| Linux Journey | Interactive | Beginner | Excellent starting point |
| OverTheWire: Bandit | Wargame | Beginner | Learn by doing |
| Linux Fundamentals - TryHackMe | Course | Beginner | Structured learning path |
| CMD Challenge | Interactive | All levels | Command line practice |
| The Linux Command Line (Book) | Book | Beginner-Intermediate | Free, comprehensive |
Key skills to develop:
- File system navigation and permissions
- Text processing (grep, sed, awk)
- Process management
- Bash scripting basics
- Package management (apt, yum)
- Service management (systemd)
You cannot secure what you don't understand. Networking knowledge is non-negotiable.
Learning Resources:
| Resource | Type | Level | Notes |
|---|---|---|---|
| Professor Messer's Network+ | Video | Beginner | Free, comprehensive |
| Practical Networking | Website | All levels | Excellent visual explanations |
| NetworkChuck | YouTube | Beginner | Entertaining, practical |
| Cisco Networking Academy | Course | All levels | Industry standard |
Core concepts to master:
- OSI and TCP/IP models
- IP addressing and subnetting
- Common protocols (TCP, UDP, ICMP, DNS, HTTP/S, SSH)
- Firewalls, NAT, VPNs
- Wireshark packet analysis
Python is the lingua franca of security automation. Learn it well.
Learning Resources:
| Resource | Type | Level | Notes |
|---|---|---|---|
| CS50's Python | Course | Beginner | Harvard's free course |
| Automate the Boring Stuff | Book | Beginner | Free online, practical |
| 30 Days of Python | GitHub | Beginner | Structured daily learning |
| Black Hat Python | Book | Intermediate | Security-focused Python |
| Real Python | Website | All levels | Quality tutorials |
Also consider learning:
- Bash scripting - Automation on Linux
- JavaScript - Understanding web applications
- SQL - Database interactions and injection attacks
- Go/Rust - Modern security tooling languages
Most applications are web-based. Understanding the web stack is crucial.
Core concepts:
- HTTP methods, headers, cookies, sessions
- HTML, CSS, JavaScript basics
- REST APIs and authentication (OAuth, JWT)
- Databases (SQL basics, NoSQL concepts)
- Web servers (Nginx, Apache)
- Proxies and load balancers
Resources:
- MDN Web Docs - Comprehensive reference
- PortSwigger Web Security Academy - Free, excellent
- OWASP Web Security Testing Guide
The most common entry point for attackers and bug hunters alike.
Core Knowledge:
- OWASP Top 10 - Essential vulnerability categories
- PortSwigger Web Security Academy - The gold standard for free training
- OWASP Testing Guide - Methodology reference
Practice Platforms:
| Platform | Cost | Notes |
|---|---|---|
| PortSwigger Labs | Free | Comprehensive, high quality |
| TryHackMe OWASP Rooms | Free/Paid | Guided learning |
| HackTheBox Web Challenges | Free/Paid | Realistic scenarios |
| OWASP WebGoat | Free | Self-hosted vulnerable app |
| Damn Vulnerable Web App | Free | Classic practice app |
Bug Bounty Platforms:
Understanding network-level attacks and defenses.
Learning Path:
- Master networking fundamentals (see above)
- Learn common attack techniques (MITM, ARP spoofing, DNS poisoning)
- Practice with CTF platforms
- Study for certifications (eJPT → OSCP)
Practice Platforms:
- TryHackMe - Guided rooms, excellent for beginners
- HackTheBox - More challenging, realistic machines
- PentesterLab - Web and network exercises
- VulnHub - Downloadable vulnerable VMs
Essential Tools:
- Nmap, Masscan (scanning)
- Wireshark (packet analysis)
- Burp Suite (web proxying)
- Metasploit (exploitation framework)
- Netcat, Chisel (pivoting)
Cloud is the present and future. Every organization is migrating.
Key Concepts:
- Shared responsibility model
- Identity and Access Management (IAM)
- Network security in cloud (VPCs, Security Groups)
- Serverless security considerations
- Container and Kubernetes security
Learning Resources:
| Provider | Free Training | Certification |
|---|---|---|
| AWS | AWS Skill Builder | AWS Security Specialty |
| Azure | Microsoft Learn | AZ-500: Azure Security |
| GCP | Google Cloud Skills Boost | Professional Cloud Security |
Specialized Resources:
- CloudGoat - Vulnerable AWS deployment
- Awesome Cloud Security
- HackTricks Cloud
Securing iOS and Android applications.
Learning Resources:
Tools:
- Frida (dynamic instrumentation)
- jadx (Android decompilation)
- MobSF (automated analysis)
- Objection (runtime exploration)
For those who want to understand how malware works.
Prerequisites: Strong programming knowledge, assembly basics, OS internals
Learning Path:
Tools:
- IDA Pro / Ghidra (disassemblers)
- x64dbg / OllyDbg (debuggers)
- PEStudio, PE-bear (static analysis)
- Cuckoo Sandbox (dynamic analysis)
Investigating breaches and building the story of what happened.
Resources:
Tools:
- Autopsy / Sleuth Kit
- Volatility (memory forensics)
- Velociraptor (endpoint visibility)
- KAPE (artifact collection)
Security policy, risk management, and regulatory compliance.
Key Frameworks:
- NIST Cybersecurity Framework
- ISO 27001/27002
- SOC 2
- PCI-DSS, HIPAA, GDPR (industry-specific)
Career Path: Often a good entry point for those from non-technical backgrounds or those who prefer strategic over hands-on technical work.
Do I need a degree in cybersecurity?
Short answer: It depends on your goals.
Degree benefits:
- Required for some government/defense positions
- Helps with visa sponsorship for international roles
- Provides foundational knowledge and analytical thinking
- Networking opportunities
Alternative paths:
- Many successful professionals are self-taught or transitioned from other fields
- Certifications + portfolio + demonstrated skills can substitute
- Some companies explicitly don't require degrees
Recommendation: If you're young and can afford it (time/money), a CS or related degree provides strong fundamentals. If transitioning careers, focus on certifications and practical skills.
Which certifications should I pursue?
| Certification | Focus | Cost | Notes |
|---|---|---|---|
| CompTIA Security+ | General security | ~$400 | Industry standard entry cert |
| eJPT (eLearnSecurity) | Practical pentesting | ~$250 | Hands-on, beginner-friendly |
| CC (ISC²) | General security | Free exam | Good for absolute beginners |
| Google Cybersecurity Certificate | General | ~$49/mo | Career starter, recognized |
| Certification | Focus | Cost | Notes |
|---|---|---|---|
| OSCP | Offensive security | ~$1,600 | Industry gold standard for pentesting |
| CySA+ | Blue team/SOC | ~$400 | Defensive focus |
| AWS/Azure Security | Cloud security | ~$300 | Essential for cloud roles |
| GPEN/GWAPT | Pentesting | ~$2,500+ | SANS courses, expensive but thorough |
| Certification | Focus | Cost | Notes |
|---|---|---|---|
| OSWE/OSEP/OSED | Advanced offensive | ~$1,600+ | Specialized OffSec certs |
| CISSP | Management/Architecture | ~$750 | 5 years' experience required |
| CISM | Security management | ~$760 | Management focused |
Priority recommendation: Security+ → OSCP (offensive) or CySA+ (defensive) → specialized certs based on your path
Free vs Paid learning: what's the best approach?
Free resources can take you far:
- Most fundamentals can be learned for free
- YouTube, blogs, documentation are excellent
- TryHackMe free tier, PortSwigger Academy, OWASP resources
When to pay:
- Structured learning paths save time
- Certification exam fees (unavoidable)
- Specialized training for advanced topics
- Time is money: paid courses are often more efficient
Best approach: Start free, validate interest and aptitude, then invest strategically in certifications that unlock career opportunities.
How do I set up a home lab?
- Install VirtualBox (free) or VMware Workstation
- Download Kali Linux or Parrot OS
- Set up vulnerable practice VMs
Recommended vulnerable VMs:
- TryHackMe / HackTheBox - Managed VPN-connected labs
- AWS/Azure/GCP free tier - Cloud security practice
- DigitalOcean/Linode - Cheap VPS for custom labs
- Run Kali Linux directly in Windows
- Lower resource overhead than full VMs
- Good for learning, limited for certain exercises
What tools should I learn first?
Reconnaissance:
- Nmap (port scanning)
- Amass, Subfinder (subdomain enumeration)
- theHarvester (OSINT)
Web Testing:
- Burp Suite (web proxy - community edition is free)
- OWASP ZAP (open source alternative)
- ffuf, gobuster (directory brute forcing)
- SQLMap (SQL injection automation)
Exploitation:
- Metasploit Framework
- Netcat / Socat
- Chisel, Ligolo (tunneling)
Post-Exploitation:
- BloodHound (Active Directory)
- Mimikatz (credential extraction)
- LinPEAS, WinPEAS (privilege escalation enumeration)
Defensive:
- Wireshark (packet analysis)
- Suricata, Snort (IDS/IPS)
- Splunk, ELK Stack (SIEM)
Kali vs Parrot vs other distros?
Kali Linux:
- Industry standard, largest community
- Best documentation and support
- Pre-installed with extensive toolset
Parrot OS:
- Lighter weight, better as daily driver
- Privacy-focused features
- Similar toolset to Kali
Bottom line: Both are excellent. Pick one and learn it well. The distro matters far less than your skills.
Alternative: Use your preferred Linux distro and install tools as needed. Many professionals use Ubuntu or Arch-based systems.
Will AI replace cybersecurity professionals?
No, but it will transform the field.
What AI is good at:
- Analyzing large volumes of logs and data
- Pattern recognition and anomaly detection
- Automating repetitive analysis tasks
- Accelerating code review and vulnerability scanning
What AI struggles with:
- Novel attack techniques and creative thinking
- Understanding business context and risk decisions
- Complex multi-step reasoning
- Adversarial situations (attackers adapt to AI defenses)
Reality check: AI raises the floor (everyone becomes more capable) but doesn't raise the ceiling much. The professionals who understand both security AND how to leverage AI tools will thrive.
Action items:
- Learn to use AI tools (ChatGPT, Claude, Copilot) effectively
- Understand AI limitations and hallucinations
- Focus on skills AI can't easily replicate: architecture, threat modeling, creative problem-solving
How can I use AI tools effectively in security work?
Useful applications:
- Explaining unfamiliar code or concepts
- Generating regex patterns and scripts
- First-pass analysis of configurations
- Writing report sections and documentation
- Learning new topics with interactive Q&A
Cautions:
- Never paste sensitive data into public AI tools
- Always verify AI-generated code/claims
- AI can confidently give wrong answers
- Use AI as an assistant, not an oracle
What emerging trends should I watch?
Growing areas:
- Cloud Security - Everyone is moving to cloud
- Container/Kubernetes Security - Modern deployment patterns
- AI/ML Security - Securing AI systems, adversarial ML
- Zero Trust Architecture - Beyond perimeter security
- Supply Chain Security - Software composition analysis
- OT/ICS Security - Critical infrastructure protection
Declining focus:
- Traditional perimeter security (firewalls alone)
- On-premises-only infrastructure
- Manual, un-automated security processes
How do I build a portfolio as a beginner?
GitHub Profile:
- Contribute to open source security projects
- Build and share your own tools (even simple ones)
- Document CTF solutions and learning projects
- Keep your profile active (green contribution graph)
Blog/Write-ups:
- Document CTF solutions
- Write tutorials on topics you've learned
- Share tool comparisons and reviews
- Explain complex topics in simple terms
Practical Demonstrations:
- HackTheBox/TryHackMe completed rooms
- Bug bounty findings (even duplicates show effort)
- Certifications and course completions
- Conference talks or community presentations
How do I network in the security community?
Online:
- Twitter/X security community (#infosec, #bugbounty)
- Discord servers (TryHackMe, HackTheBox, Nahamsec)
- Reddit (r/netsec, r/AskNetsec, r/cybersecurity)
- LinkedIn (follow and engage with security professionals)
In-Person:
- Local security meetups (BSides, OWASP chapters, DEF CON groups)
- Conferences (start with regional/free ones)
- CTF teams
Key principle: Provide value first. Help others, share knowledge, ask thoughtful questions.
Resume tips for security roles?
- Lead with relevant certifications (Security+, OSCP matter)
- Highlight hands-on experience (labs, CTFs, projects)
- Quantify achievements ("Found X vulnerabilities," "Reduced response time by Y%")
- Include GitHub, blog, HTB profile links
- Tailor it to the job description using keywords from the posting
- Keep it concise (1-2 pages max)
How do I prepare for security interviews?
Technical preparation:
- Practice explaining concepts out loud
- Hands-on labs and CTFs for practical skills
- Review common vulnerability types and how to exploit/defend
- Be ready for live technical assessments
Behavioral preparation:
- STAR method for experience questions
- Prepare stories about problem-solving and learning from mistakes
- Know the company's security posture and recent news
Common topics:
- OWASP Top 10 vulnerabilities
- Network protocols and attacks
- Incident response scenarios
- "Walk me through how you would..." exercises
How do I find remote or international opportunities?
Prerequisites:
- Strong English communication (written and verbal)
- Self-discipline and time management
- Reliable internet and workspace
- Certifications that translate internationally (OSCP, AWS, etc.)
Job boards for remote security roles:
Bug bounty as remote work:
- Platforms like HackerOne, Bugcrowd enable global participation
- Build reputation and consistent earnings
- Location independent
| Channel | Focus | Best For |
|---|---|---|
| John Hammond | CTFs, Malware | Beginners, CTF players |
| LiveOverflow | Binary exploitation, CTFs | Intermediate+ |
| NetworkChuck | Networking, basics | Beginners |
| IppSec | HackTheBox walkthroughs | HTB players |
| David Bombal | Networking, interviews | Career advice |
| The Cyber Mentor | Practical hacking | Pentest beginners |
| 13Cubed | DFIR | Forensics learners |
| PwnFunction | Web security | Visual learners |
Beginner:
- The Web Application Hacker's Handbook - Stuttard & Pinto
- Hacking: The Art of Exploitation - Jon Erickson
- The Linux Command Line - William Shotts (free online)
Intermediate:
- Black Hat Python - Justin Seitz
- Practical Malware Analysis - Sikorski & Honig
- Red Team Field Manual - Ben Clark
Advanced:
- The Shellcoder's Handbook - Anley et al.
- Windows Internals - Russinovich et al.
- Applied Cryptography - Bruce Schneier
- Darknet Diaries - True cybercrime stories
- Security Now - Weekly security news
- Risky Business - Industry news and analysis
- Malicious Life - Cybersecurity history
| Repository | Description |
|---|---|
| Awesome Hacking | Curated hacking resources |
| SecLists | Wordlists for fuzzing |
| PayloadsAllTheThings | Payload reference |
| HackTricks | Pentesting methodology |
| GTFOBins | Unix binary exploitation |
| LOLBAS | Windows binary exploitation |
| Personal Security Checklist | Personal security guide |
| Awesome Cloud Security | Cloud security resources |
- Pentest Cheatsheets
- Reverse Shell Generator
- CyberChef - Data transformation
- ExplainShell - Command explanation
- Mr. Robot (Series) - Realistic hacking portrayal
- The Matrix - Iconic, inspirational
- Snowden - Real-world impact of security
- Who Am I (Kein System ist sicher) - German hacker thriller
- The Imitation Game - Cryptography origins
- Zero Days (Documentary) - Stuxnet story
In-depth guides are available in the docs/ directory:
| Guide | Description |
|---|---|
| 🎯 Career Roadmaps | Detailed paths for SOC, Pentester, Cloud Security, GRC |
| 🏆 Certification Guide | Cost, difficulty, study resources for major certs |
| 🛠️ Tools & Resources | Comprehensive categorized tool reference (100+ tools) |
| 💻 Lab Setup Guide | VM, cloud, and Active Directory lab configuration |
| 🎤 Interview Preparation | Technical and behavioral interview guide |
| 🚩 CTF Guide | Getting started with CTF competitions |
This is a community-driven resource. Contributions are welcome!
How to contribute:
- Fork this repository
- Create a branch for your changes
- Submit a pull request with a clear description
Contribution ideas:
- Add missing resources or tools
- Fix broken links
- Improve explanations
- Translate sections (create language-specific files)
- Share your learning path or experience
Guidelines:
- Keep content actionable and practical
- Cite sources where applicable
- Maintain consistent formatting
- Test all links before submitting
This project is licensed under the MIT License - see the LICENSE file for details.
Happy Hacking! 🔐
The best way to learn security is by doing. Pick a path and start today.