InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Cybersecurity Roadmap For Dummies

As a self-taught Ethical Hacker with a profound passion for cybersecurity, I am pleased to offer a comprehensive roadmap, based on my personal offensive and defensive experience, for aspiring individuals aiming to venture into this field using freely available internet resources. I believe the following professional guidance can serve as a foundation for success. The article will be continuously updated, as the tech industry is pretty unstable and continuously evolving, so make sure to save the article to keep up with further changes.

While an IT or Cyber Security degree is preferred by recruiters, it’s not mandatory. Demonstrating passion and work ethic can lead to success. I’m passionate about cyber security and have self-taught extensively. Still, I plan to pursue a Cyber Security degree to enhance my knowledge further.

Fundamental Knowledge:

Assuming you have a non-IT background, you will need to become familiar with the basics of computing, internet networking, and security principles. This foundational knowledge can be acquired through a variety of resources, including online courses, books, and tutorials. Once you have a solid understanding of the basics, you can begin to pursue more advanced certifications.

I have included a list of free resources available online for each certification. These resources can be used to learn the material at your own pace and on your own time. However, if you want, you can take the certifications. Besides that, I have included some paid courses and certifications that demonstrate your skills to a potential employer; these are optional, but having them would add additional skills to your toolbox. I hope this roadmap helps you on your journey to becoming a cybersecurity expert. Please do not hesitate to reach out if you have any questions at support@safwanluban.xyz.

Introduction to Cyber Security

To begin your journey into cyber security, it is essential to have a fundamental understanding of what cyber security is and the basic terms associated with it. Completing the course below will provide you with this foundation. However, if you are already familiar with cyber security, you may skip this stage.

Resources:
Cyber Security Training for Beginners by Edureka

CompTIA A+

CompTIA A+ will help you to understand the cutting-edge fundamentals of computer hardware and software.

Resources: (Complete only one)
CompTIA A+ Training Course by Professor Messer
CompTIA A+ Full Course [31+ Hours] by Paul Browning

CompTIA Network+

Network+ focuses mainly on networking knowledge, so you will be able to learn in depth how the internet works.

Resources: (Complete only one)
CompTIA Network+ Training Course by Professor Messer
CompTIA Network+ Full Course [23+ Hours] by Paul Browning

Operating Systems

You need to master both the Windows and Linux operating systems. You don't really need to study hard for this, but if a Unix-based OS is your main machine it will be a lot easier.

Resources: (Complete all)
Windows [Tryhackme]
Linux [Tryhackme]
Introduction to Linux — Full Course for Beginners by FreeCodeCamp

CompTIA Security+

Security+ is an entry-level certification that validates foundational knowledge in areas such as network security, cryptography, and risk management. Security+ will teach you how to secure online devices.

Resources: (Complete only one)
CompTIA Security+ Training Course by Professor Messer
CompTIA Security+ Certification Course by Hans IT Academy

Google Dorking

Google dorking is a technique that uses advanced search operators to search for information that is not typically indexed by search engines. This can be used to find sensitive information, such as passwords, credit card numbers, and other confidential data.

There are many resources available online that can help you learn how to use Google dorking. One of the most popular resources is the Google Hacking Database (GHDB). The GHDB is a collection of Google dorks that have been compiled by security researchers.

Resources:
Cheatsheet

CEH

CEH is gonna give you exposure to weaknesses and vulnerabilities in systems, which will help you to understand the attacker’s perspective and learn about cyber attacks and how they’re performed.

Resources:
CEH V12 PDF

TryHackMe

Once you have a fundamental understanding of cyber security, it is important to gain hands-on experience. TryHackMe is a great platform for doing this. It offers a variety of beginner-friendly challenges that allow you to learn and practice at the same time. You can perform both blue and red teaming exercises on TryHackMe, which will give you a well-rounded experience. Additionally, the challenges on TryHackMe are based on real-world scenarios, which will help you to prepare for a career in cyber security.

Resources:
Tryhackme
Free 350+ rooms

At this point, I believe that you no longer require my assistance in finding resources. You have the capacity to locate them on your own. I have provided you with the tools and knowledge you need to succeed. It is now up to you to put them to use. I am confident that you will be able to find the resources you need to continue your education and advance your career.

Programming languages

Once you have a working understanding of real-world cyberattacks, it is essential to develop programming skills. Programming is a valuable skill for cybersecurity professionals because it allows them to comprehend how attackers think and how to write code to defend against attacks.

There are many different programming languages that are used in cybersecurity, but some of the most popular ones include Python, C/C++, and Java. Python is a good language to start with because it is easy to learn and it is versatile enough to be used for a variety of tasks. C/C++ are lower-level languages that are more powerful than Python, but they are also more difficult to learn. Java is a general-purpose language that is used for a variety of applications, including cybersecurity.

So you can start with Python and later on give SQL a go too, because you might need it in the future for interacting with databases. Then you can move on to other languages as well.

Cloud, VM, Docker & Databases

In order to become proficient in the areas of virtual machines (VMs), Docker, cloud computing (AWS, Azure), and databases, it is essential to have a firm grasp of the underlying concepts. This includes understanding how VMs function, how Docker containers are utilized, the different cloud computing platforms, and the various types of databases.

Once you have a solid understanding of the fundamentals, you may begin to master the more complex topics. This includes learning how to use VMs and Docker containers to create and manage applications, how to use cloud computing platforms to deploy and scale applications, and how to use databases to store and manage data. You can learn about these topics from TryHackMe and other open-source resources.

Scripting Languages

In addition to learning the fundamentals of cyber security, it is also important to learn scripting languages such as Bash and PowerShell. Scripting languages can be used to automate tasks, such as deploying security tools, managing security logs, and responding to security incidents.

Bash is a scripting language that is used primarily on Linux and Unix systems. PowerShell is a scripting language that is used primarily on Windows systems. Both Bash and PowerShell are powerful tools that can be used to automate a wide variety of tasks.

There are many resources available online that can help you learn Bash and PowerShell scripting languages. One of the most popular resources is the Bash Scripting Tutorial on the Linux Foundation website. This tutorial provides a comprehensive overview of Bash scripting, including how to install Bash, write Bash scripts, and run Bash scripts.

Another resource that you may find helpful is the PowerShell Scripting Tutorial on the Microsoft website. This tutorial provides a comprehensive overview of PowerShell scripting, including how to install PowerShell, write PowerShell scripts, and run PowerShell scripts.

Google Cybersecurity Professional Certificate

The Google Cybersecurity Professional Certificate covers all the necessary basic skills you need for hardening your cybersecurity career. The course covers in depth, in one stack, several of the topics mentioned above, including IDS/IPS, firewalls, Python, managing risks, network security, Linux, SQL, incident detection and response, and preparing for jobs. Financial aid is available for this course, meaning you can get it absolutely for free. If you’re just starting out, this course is great material and comes with a credential too, which you might put on your resume later.

Resources:
Coursera Course

If you completed the previous steps, congratulations, you’re now an IT professional.

From here you can take either the Offensive Path or the Defensive Path; that’s completely up to you. If you wanna take the defensive path, skip over to the next section. Or you can complete both the offensive and defensive paths, like me.

Offensive security:

Offensive security is a proactive approach to cybersecurity that seeks to detect and fix vulnerabilities in digital assets before attackers can exploit them, thereby improving the overall security of organizations. It is a complementary approach to defensive security, which focuses on preventing attacks from happening in the first place.

CompTIA PenTest+

CompTIA PenTest+ is an intermediate-skills-level cybersecurity certification that focuses on offensive skills through pen testing and vulnerability assessment. PenTest+ will also help you understand the legal way to approach and exploit a target. As with the previous steps, you can learn from the learning material without taking the exam.

Resources:
Tryhackme Pentest+ Path

Web Basics

To be proficient in penetration testing, it is essential to have a fundamental understanding of web technologies. This includes HTML, CSS, and JavaScript. While you do not need to be an expert in these languages, you should have a basic understanding of how they work.

HTML (HyperText Markup Language) is the language used to create web pages. It defines the structure and content of a web page. CSS (Cascading Style Sheets) is used to control the style of a web page, such as its fonts, colors, and layout. JavaScript is a programming language that can be used to add interactivity to web pages.

A basic understanding of these technologies will help you to identify and exploit vulnerabilities in web applications. For example, if you understand how HTML works, you can identify vulnerabilities in the HTML code of a web page. Similarly, if you understand how CSS works, you can identify vulnerabilities in the CSS code of a web page.

Web Pentesting

To master web penetration testing, there are a number of resources available to you. You can read online books on the topic, participate in bug bounty programs, and complete labs on platforms such as PortSwigger. Additionally, mastering the OWASP Top 10 and OWASP SKF labs are essential for any aspiring web pentester.

Online books provide a comprehensive overview of web penetration testing, covering topics such as vulnerability identification, exploitation, and post-exploitation. Some popular online books on web penetration testing include The Web Application Hacker’s Handbook by Marcus Ranum and The Hacker’s Playbook by Peter Kim.

Bug bounty programs allow you to hunt for vulnerabilities in real-world websites and applications. This is a great way to gain experience in web penetration testing and earn money for your findings. Some popular bug bounty programs include HackerOne and Bugcrowd.

Labs provide a safe environment to practice your web penetration testing skills. Platforms such as PortSwigger offer simulated environments that allow you to identify and exploit vulnerabilities in a controlled setting.

The OWASP Top 10 is a list of the most common web application security vulnerabilities. Mastering the OWASP Top 10 is essential for any aspiring web pentester, as these vulnerabilities are frequently exploited by attackers.

The OWASP SKF labs are a set of hands-on exercises that cover the most common web application security vulnerabilities. Completing the OWASP SKF labs is a great way to gain practical experience in web penetration testing.

Preferred Certifications: Burp Suite Certified Practitioner, OSWP

PNPT & EJPT

The Practical Network Pentest (PNPT) and eLearnSecurity Junior Penetration Tester (EJPT) certifications are fundamental certifications in the field of penetration testing. Both certifications cover a wide range of topics, including networking, operating systems, web applications, and exploitation.

While taking the PNPT or EJPT certifications is a great way to validate your knowledge and skills in penetration testing, it is not necessary to take the certification to learn the material. There are many books and courses available that cover the same material as the PNPT and EJPT certifications.

If you are interested in learning about penetration testing, I recommend reading books or taking courses on the topic. You can also find many free resources online, such as blog posts, articles, and tutorials.

HTB & HTB Academy

Hack The Box (HTB) is a platform that allows users to practice penetration testing skills in a safe and controlled environment. HTB offers a variety of challenges, ranging from beginner-level to advanced. The challenges are designed to simulate real-world penetration testing scenarios, and they are updated regularly to keep users engaged.

One of the key features of HTB is that it offers black box penetration testing challenges. In black box penetration testing, the tester is not given any information about the target system, other than the IP address. This forces the tester to use their skills and knowledge to identify and exploit vulnerabilities in the target system.

TryHackMe is another platform that offers penetration testing challenges. TryHackMe is a bit more beginner-friendly than HTB, and it offers a wider range of challenges. However, the challenges on TryHackMe are not as realistic as the challenges on HTB. HTB will help you to get prepared for OSCP.

HTB Academy is a subscription-based platform that offers a variety of penetration testing courses and challenges. The courses are designed to teach users the skills they need to become penetration testers, and the challenges are designed to give users practice in identifying and exploiting vulnerabilities.

HTB CPTS & OSCP

The Certified Penetration Testing Specialist (CPTS) and Offensive Security Certified Professional (OSCP) are two of the most popular penetration testing certifications in the industry. Both certifications require a deep understanding of penetration testing concepts and techniques, and they both involve a hands-on practical exam.

The CPTS is a bit more challenging than the OSCP, as it requires a broader range of knowledge. However, the OSCP is more widely recognized by employers, and it is often seen as the gold standard for penetration testing certifications.

Both certifications require a significant investment of time and money. The CPTS costs $250-$1,000 (depending on the plan you choose), and the OSCP costs $1599. However, both certifications can be a valuable asset to your career, and they can help you to get a job in penetration testing.

If you completed the previous steps, then congratulations, you’re an Ethical Hacker now and you can apply for jobs in the offensive sector of cyber security.

Defensive Security:

Defensive security is a proactive approach to cybersecurity that seeks to identify and fix vulnerabilities in digital assets before attackers can exploit them, thereby improving the overall security of organizations. It is a complementary approach to offensive security, which focuses on preventing attacks from happening in the first place.

CompTIA CySA+

CompTIA Cybersecurity Analyst (CySA+) is a certification for cyber professionals tasked with incident detection, prevention and response through continuous security monitoring. This will help you to understand the defensive techniques.

Resources:
CompTIA CySA+ by Cybrary

SOC Level 1

The security operations center (SOC) analyst is a cybersecurity expert responsible for monitoring and responding to threats to an organization’s IT infrastructure. You can take courses based on SOC level 1 to gain all the skills you need to handle the day-to-day tasks of a SOC analyst.

Resources:
Tryhackme
Cyber Defenders
LetsDefend.io
Blue Team Labs

HTB Sherlocks

HTB Sherlocks are defensive labs that help you improve your defensive skills hands-on. There are not many resources out there for practicing defensive security practically, so I would definitely recommend that newcomers who are interested in defensive security give it a shot. You can use the active labs for free, same as the offensive labs, but you need a subscription to play the retired labs.

Resources:
Sherlocks

BTL1

Blue Team Level 1 is a practical cybersecurity certification focusing on defensive practices, security investigations, and incident handling. You can take the exam if you want, or you may learn from the free resources available on the internet. The same organization also has a few free courses based on blue teaming.

SC-200

SC-200, also known as Microsoft Security Operations Analyst, is a certification offered by Microsoft that focuses on threat protection, incident response, and cloud security operations. This certification equips professionals with the necessary skills and knowledge to identify, investigate, and respond to security incidents using various Microsoft security tools and technologies. It’s also well renowned.

HTB CDSA

The Certified Defensive Security Analyst is a highly hands-on certification exam that focuses on the skills you’d need to perform day-to-day tasks as an entry-level defensive practitioner. CDSA can cost from $250 to $500 (depending on the plan you choose). The exam covers defensive security in depth, from the basics to the advanced level. If you're not intending to take the exam, I would recommend just doing the path material from HTB Academy, which would barely cost $50.

If you completed these defensive security steps, congratulations, you can now land a job as a SOC level 1 analyst or in other entry-level jobs.

Projects

In addition to the steps outlined above, I believe that projects can also make a resume strong from both blue and red teaming perspectives. For example, if you are interested in blue teaming, you could create a project that involves setting up and configuring a security monitoring system. This would demonstrate your ability to identify and respond to security threats. If you are interested in red teaming, you could create a project that involves developing and executing a penetration test against a target system. This would demonstrate your ability to exploit vulnerabilities and gain unauthorized access to systems.

By completing projects that demonstrate your skills and knowledge, you can make your resume stand out from the crowd and increase your chances of getting a job in cybersecurity.

TL;DR:

In conclusion, I believe that the following roadmap can provide a foundation for success for aspiring individuals who want to venture into cybersecurity using freely available internet resources:

  1. Start by learning the basics of networking, operating systems, and security concepts. There are many free resources available online and in libraries that can help you with this.
  2. Once you have a good understanding of the basics, start learning about specific security topics, such as vulnerability assessment, penetration testing, and incident response. Again, there are many free resources available online that can help you with this.
  3. Once you have learned about the different security topics, start practicing your skills on virtual machines and sandboxes. This will help you to gain experience and confidence in your abilities.
  4. Once you have a good level of experience, start looking for opportunities to volunteer or intern with a cybersecurity organization. This will give you real-world experience and help you to build your network.
  5. Finally, consider getting certified in cybersecurity. This will demonstrate your skills and knowledge to potential employers.

Signing out,
- Toothless

Written by Safwan Luban

Ethical hacker, Independent Security Researcher
