General Security Roadmap
The assumption is you are starting from scratch. You don’t know what you don’t know, hence you don’t know what you need to know.
I’m here to help you with that.
Let me preface this by saying: THERE IS NO ONE PATH INTO CYBERSECURITY.
These are merely my suggestions, based on experience.
Take what you think is useful, tailor it to your schedule and goals, and feel free to discard the rest.
Unless you already know exactly what you want to specialize in, take your time to explore different areas.
It’s okay to feel a little lost as you try to figure out what exactly piques your interest.
Starting Point
Start with TryHackMe.
In my humble opinion, TryHackMe has the best content (beginner and advanced) out there for the price.
My favorite thing about TryHackMe is the wide variety of paths to pick from, with most of them including FREE.99 content.
They even have a roadmap built around their own content to help you learn the right things in the right order.
There are two tiers: Premium and Free.
I always gravitate towards starting with the free content and paying only if you like what you see.
Recommended TryHackMe Learning Paths
I recommend you do the following paths to:
- Get familiar with the basics of security
- Get familiar with the different specializations within security
After all, you might just decide you want to be a blue teamer after trying out the SOC Level 1 path, and that’s totally okay.
Go to the learning paths and go through the following:
- Pre Security
- Intro to Cyber Security
- Complete Beginner
- SOC Level 1 (optional — this one is long, so feel free to skim)
- Jr Penetration Tester
- Security Engineer
At this point, you should be able to decide what route you want to take.
By this, I mean either red team or blue team.
This is a very important decision, as it will inform most of what you consume from this point on.
Red Team / Hacker Roadmap
I work as a penetration tester (hacker), and there are a few things you can do to start building the skills the job requires:
Use Capture The Flag (CTF) Platforms
CTFs are gamified learning scenarios intended to test and develop cybersecurity skills. Platforms to check out include:
- TryHackMe (General) — Covers everything security-related. Free & Premium labs. Of the platforms with a paid subscription, probably the best starting point.
- Hack The Box (General) — Covers everything security-related. Free & Premium labs. Has a separate Academy platform that is a goldmine, but a little pricier than the alternatives.
- PwnedLabs (Cloud & DevOps) — Mostly focused on cloud security with AWS, GCP, and Azure (free + premium labs). Also covers DevSecOps topics.
- PortSwigger (Web) — Best resource for anything web application security-related. All labs are free. Research papers are gold.
- Vulnlab (Enterprise Security/AD) — Focuses on enterprise security with red teaming labs that have standalone machines and big Active Directory environments.
Certifications
There are a lot of certifications available.
In my humble opinion: the cheaper the certification, the less recognition it gets you (for the most part).
Of course, there are exceptions to the rule — vendors like TCM Security and Altered Security offer rich content at affordable prices.
But a $25 certification by some random vendor with no street cred? C’mon now.
Course, sure. But certification?
Don’t get caught up in people telling you what certifications to take and what not to take.
Everyone has a different experience with different vendors.
If you can afford the certification you are eyeing and you like the curriculum, go for it.
Recommended Certs (in order of difficulty)
- eJPT by eLearnSecurity
- AWS Certified Cloud Practitioner
- AWS Certified Solutions Architect - Associate
- PJPT by TCM Security
- BSCP by PortSwigger
- CRTP by Altered Security
- PNPT by TCM Security
- OSCP by Offsec
- Certified CyberDefender (CCD) by CyberDefenders (opens doors for purple teaming-type work)
- CPTS by Hack The Box
- OSEP by Offsec
- CWEE by Hack The Box
At this point, you probably already know what else to take.
Bug Bounty Platforms
These are programs that let companies and hackers meet.
Companies effectively outsource part of their security testing: anyone on the platform can hunt for vulnerabilities in the assets the program lists as in scope and get paid for valid findings. Read each program's scope and rules before touching anything; testing outside the stated scope is not authorized, however interesting the target looks.
This requires a lot of prior knowledge, so you'd probably want to start bug bounty hunting after learning the fundamentals of web security, Linux, and so on.
There are a lot of people who can help you navigate the bug bounty world better than I can. Here are some of my favorite creators (and some of their products/services; I am not affiliated with any of them):
- Nahamsec: https://www.youtube.com/@NahamSec
- JHaddix: https://www.youtube.com/c/jhaddix
- Critical Thinking Bug Bounty podcast: https://www.youtube.com/@criticalthinkingpodcast
- Grzegorz - BBRE: https://www.youtube.com/@BugBountyReportsExplained
- Bug Bounty Reports Explained (Premium): https://members.bugbountyexplained.com/premium/
- Securi Bee: https://securib.ee/newsletter/
Blue Team / Defender
Coming Soon!
But for now, check out Day Cyberwox. He started out in SOC analysis and now works in cloud security, detection, and incident response.
AppSec Roadmap
I do not want to bore you with my life story so let’s pretend my life started in November 2021.
I had completed almost a full year of college, but it wasn't working out for me. I had prior experience with CTFs via TryHackMe (THM) and Hack The Box (HTB), so I decided I would take a year off and try to get a job in security.
Because I didn’t know much, I did quite a bit of research on where to start with certifications.
I was faced with a few options: Security+, Pentest+, CEH, and eJPT.
The eJPT was the only practical exam out of those options. I had crammed information just to pass an exam, so I pulled the trigger on the eJPT.
It was fairly new at the time and had a lot of buzz about how it’s the best for beginners.
I learned a lot of networking stuff, but outside of that I don’t remember much else about what I learned.
What I do know for sure is I finished the eJPT excited about my accomplishment, and that steered me in the right direction.
I posted about it on LinkedIn and Twitter and thought I would 100% get a job.
Nope. I did not. Some people cared. Most didn’t.
At this time, December 2021, the PNPT had just come out.
The buzz was crazy — everyone wanted it because the reviews were so good.
This is also the time I started my YouTube channel (just FYI).
I had a bit of money saved up from working my exhausting day job (retail), and I had a choice to make.
Everyone said that the OSCP was the gold standard, but everyone who took the PNPT was saying TCM would overtake Offsec (Offensive Security) in no time.
Because I couldn’t justify paying $1600 for a certification at the time, I went with the PNPT (about $300–$350 — don’t remember) and the rest is history…
If I had to do it all over again, here’s how I’d break into cybersecurity, specifically focusing on application security.
These are the resources that I have used in the past, continue to use, and will continue to use.
By the way, my YouTube video on this goes into much more detail, so check it out.
1. Start with TryHackMe
Forget Hack The Box for now — it’s more advanced.
Start with TryHackMe, especially their Junior Penetration Tester path.
This will get you grounded in the fundamentals — everything from network security to privilege escalation.
It’s affordable too, about $14/month, which is solid for what you’re getting.
Once you’ve nailed this, move on.
Link: https://tryhackme.com/r/hacktivities
2. PortSwigger Labs
PortSwigger is the resource for web app security.
And the best part? It’s free.
Get hands-on with labs covering SQL injection, XSS, CSRF, and SSRF.
Focus on the Apprentice-level labs first for ALL the topics listed below — mastering these will set you up perfectly for real-world bug hunting and pen testing.
Labs to do:
- XSS
- CSRF
- SSRF
- CORS
- Request smuggling
- Path traversal
- Access control vulns
- Web cache deception
- Web cache poisoning
- OAuth
- File upload
- JWT
- SQL & NoSQL injection
- API testing
- GraphQL
Link: https://portswigger.net/web-security/all-labs
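To make concrete what one of those Apprentice-level SQL injection labs is actually teaching, here is an added example written for this page (it is not PortSwigger's lab code). It runs a login check two ways against a constructed in-memory SQLite table: a string-concatenated query that an `admin'--` payload bypasses, and the parameterised version that treats the same payload as plain data. The table, user names and passwords are made up for the demo.

```python
import sqlite3


# Constructed sample data for the demo: a throwaway in-memory table, not a real app's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'hunter2')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check built by string concatenation: user input becomes part of the SQL grammar."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: input is passed as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    # The trailing -- turns the rest of the concatenated statement into a comment,
    # so the password clause is never evaluated and the first row for 'admin' matches.
    payload = "admin'--"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "wrong-password"),
        "safe_bypassed": login_safe(conn, payload, "wrong-password"),
        "safe_valid_login": login_safe(conn, "admin", "s3cret"),
        "safe_wrong_password": login_safe(conn, "admin", "wrong-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The safe version is not doing any escaping or filtering; it simply hands the database a fixed statement plus separate values, which is why the same payload that logs you in as admin through `login_vulnerable` is just a username nobody has through `login_safe`. The Apprentice labs walk you through recognising the first pattern in a real target.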
3. TCM Security Courses
Once you’re done with TryHackMe and PortSwigger, it’s time to level up with some certifications.
I recommend TCM Security’s Bug Bounty and PWPT (Practical Web Application Penetration Tester) courses.
The content is affordable and solid, plus you get certifications that add some value to your resume.
- Bug Bounty Course: https://academy.tcm-sec.com/p/practical-bug-bounty?affcode=770707__nqqw74f
- PWPT: https://certifications.tcm-sec.com/pwpt/?ref=28
4. Get into Bug Bounties
Bug bounties aren’t just about making quick cash.
They train your mind to think like a hacker. Follow people like NahamSec, Jason Haddix, Greg from Bug Bounty Reports Explained, and the guys from the Critical Thinking - Bug Bounty Podcast.
Study disclosed bug reports on bug bounty platforms and Pentester.Land to get into the mindset of real bug hunters.
- Nahamsec: https://www.youtube.com/@NahamSec
- JHaddix: https://www.youtube.com/channel/UCk0f0svao7AKeK3RfiWxXEA
- BBRE: https://www.youtube.com/channel/UCZDyl7G-Lq-EMVO8PfDFp9g
- Critical Thinking: https://www.youtube.com/channel/UC6zbKG1pqq2do-_oa9QFliA
5. Add Code Review to Your Skillset
Once you’ve got a solid grasp of web hacking, add code review to your skillset.
Platforms like PentesterLab offer fantastic code review exercises.
Learn how to analyze large codebases and hunt for vulnerabilities hidden deep in the code.
Skip the OSWE IMO.
- PentesterLab Code Review: https://pentesterlab.com/badges/codereview
- HTB CWEE: https://academy.hackthebox.com/preview/certifications/htb-certified-web-exploitation-expert
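One small slice of what code review looks like in practice, as an added example for this page (it is not PentesterLab or HTB material): a Python script that walks a source file's AST and flags calls to dangerous sinks (shell commands, `eval`/`exec`, database `execute`) whose first argument is built at runtime rather than being a literal. The sample source it scans is made up. This is a triage aid for a reviewer, not a taint analysis: a flag means "go read this", and an empty result proves nothing.

```python
import ast
from typing import List, Optional, Tuple

# Constructed sample source to review; not taken from any real project.
SAMPLE_SOURCE = """\
import os, subprocess

def run(host):
    os.system("ping -c 1 " + host)

def lookup(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = '%s'" % name)

def safe_lookup(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = ?", (name,))

def version():
    return subprocess.run(["uname", "-a"], capture_output=True)
"""

# Exact dotted names whose first argument should be a literal (a command or code string).
EXACT_SINKS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "eval", "exec",
}
# Method names matched on any receiver, because cursor/connection variables are named arbitrarily.
METHOD_SINKS = {"execute", "executemany", "executescript"}


def dotted_name(func: ast.expr) -> Optional[str]:
    """Rebuild 'a.b.c' from a Name/Attribute chain; '?' stands in for a receiver we cannot name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = dotted_name(func.value)
        return f"{base or '?'}.{func.attr}"
    return None  # e.g. f()() or handlers[0](): not a plain name, skip it


def is_literal(node: ast.expr) -> bool:
    """True for constants and lists/tuples of constants (a fixed argv); False for anything computed."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(is_literal(e) for e in node.elts)
    # BinOp ("..." + x, "..." % x), JoinedStr (f-string), Name, Call: all need a human look.
    return False


def find_dynamic_sinks(source: str) -> List[Tuple[int, str]]:
    """Return (line, callee) for every sink call whose first argument is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = dotted_name(node.func)
        if name is None:
            continue
        is_sink = name in EXACT_SINKS or name.rsplit(".", 1)[-1] in METHOD_SINKS
        if is_sink and not is_literal(node.args[0]):
            findings.append((node.lineno, name))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee in find_dynamic_sinks(SAMPLE_SOURCE):
        print(f"line {line}: {callee} called with a non-literal first argument; review it")
```

Run against the sample it reports the concatenated `os.system` call and the `%`-formatted `execute`, and stays quiet on the parameterised query and the fixed `subprocess.run` argv. In a real review you would extend the sink lists to the framework in front of you and, for each hit, trace the argument back to where it enters the program. That trace, across files and layers, is the skill the PentesterLab exercises are building.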
6. Dive into Cloud Security
Cloud is the future, and you’ll need to get good at it.
Start with one of the major cloud providers, such as AWS, and consider certifications like the AWS Certified Cloud Practitioner.
After that, jump into labs on PwnedLabs and CloudBreach for hands-on experience hacking AWS environments.
- PwnedLabs: https://pwnedlabs.io
- CloudBreach: https://cloudbreach.io/breachingaws/
7. Master Mobile AppSec
Mobile application security is a goldmine, and it’s relatively untapped.
Use platforms like Mobile Hacking Labs and Hextree.
They offer free courses and labs to get you up to speed on both Android and iOS hacking.
Mobile Hacking Labs is more focused on the low-level side of exploitation, with free courses such as their Frida course and paid courses on userland fuzzing.
Hextree is more focused on the mobile bug bounty side of things, as their course is sponsored by Google’s bug bounty program.
Once you’re comfortable, consider certifications in mobile app security.
- Mobile Hacking Labs: https://www.mobilehackinglab.com/link/64VRlg
- Hextree: https://app.hextree.io/map/android
Extras (Do these from day one!)
Attend Conferences & Network
Never underestimate the power of in-person networking.
Attend local hacker meetups, like the Dallas Hackers Association, if you can.
You’ll make connections, learn from others, and find opportunities you never expected.
Share Your Knowledge
Start a blog, YouTube channel, or post on LinkedIn.
Be unique though — everyone does HTB writeups.
Share what you’re learning, create unique content, and build a personal brand.
Even if you’re still learning, you can teach someone who’s just starting out.
Conclusion
This is not the end-all, be-all. Take what you can and add your own personality to it. Your circumstances are different from mine, but the end goal might be the same.
Happy hacking 🫡