Cybersecurity Roadmaps

Interactive, task-based roadmaps so you can track progress while you learn.

Introduction & Starting Point

Core foundation
Why start here?

The assumption is that you are starting from scratch. You don’t know what you don’t know, hence you don’t know what you need to know.

I'm here to help you with that.

Let me preface this by saying: "THERE IS NO ONE PATH INTO CYBERSECURITY."

These are merely my suggestions based on experience.

Take what you think is useful, tailor it to your schedule and goals, and feel free to discard the rest.

Unless you already know exactly what you want to specialize in, take your time to explore different areas.

It's okay to feel a little lost as you try to figure out what exactly piques your interest.

Start with TryHackMe and explore the paths below to build fundamentals.

  • Complete the Pre Security path.
  • Complete the Intro to Cyber Security path.
  • Complete the Complete Beginner path.
  • Skim the SOC Level 1 path (optional, long).
  • Complete the Jr Penetration Tester path.
  • Complete the Security Engineer path.

Red Team / Hacker Roadmap

CTFs + Certs + Bug Bounties
How I structured this

I grouped the tasks by how you actually build skills: hands-on labs first, then certifications to validate them, or bug bounty content to learn how real-world reports look.

If you only do one thing in each group, you’ll still progress. Everything else is optional, but high leverage.

Pick at least one platform from each category and build momentum.

  • TryHackMe (General).
  • Hack The Box (General).
  • PwnedLabs (Cloud & DevOps).
  • PortSwigger (Web).
  • Vulnlab (Enterprise Security/AD).
Certifications (in order of difficulty).

There are a lot of certifications available. In my humble opinion: the cheaper the certification, the less recognition it gets you (for the most part).

Of course, there are exceptions to the rule — vendors like TCM Security and Altered Security offer rich content at affordable prices.

But a $25 certification by some random vendor with no street cred? C’mon now.

Course, sure. But certification? Don’t get caught up in people telling you what certifications to take and what not to take. Everyone has a different experience with different vendors.

  • eJPT by eLearnSecurity.
  • AWS Cloud Practitioner.
  • AWS Solutions Architect Associate.
  • PJPT by TCM Security.
  • BSCP by PortSwigger.
  • CRTP by Altered Security.
  • PNPT by TCM Security.
  • OSCP by Offsec.
  • Certified Cyber Defender by Cyber Defenders.
  • CPTS by Hack The Box.
  • OSEP by Offsec.
  • CWEE by Hack The Box.
Bug bounty ecosystem to learn from.

Bug bounty platforms are a great way to learn about real-world vulnerabilities and how to report them.

There are a lot of people who can help you navigate the bug bounty world better than I can. Here are some of my favorite creators (or some of their products/services, with which I am not affiliated).

  • Follow Nahamsec.
  • Follow JHaddix.
  • Follow Critical Thinking Bug Bounty Podcast.
  • Follow Bug Bounty Reports Explained.
  • Subscribe to Securi Bee newsletter.

Blue Team / Defender

Coming soon
Blue team isn’t second place

Plenty of people find their home in defense. If that sounds like you, follow that thread.

For now, check out Day Cyberwox for SOC analysis and incident response insights.

  • Watch Day Cyberwox on YouTube.

AppSec Roadmap

Hands-on progression
My AppSec detour

I do not want to bore you with my life story, so let’s pretend my life started in November 2021.

I had completed almost a full year of college, but it wasn’t working out for me. I had prior experience with CTFs via TryHackMe (THM) and Hack The Box (HTB), so I decided I would take a year off and try to get a job in security.

Because I didn’t know much, I did quite a bit of research on where to start with certifications.

I was faced with a few options: Security+, PenTest+, CEH, and eJPT.

The eJPT was the only practical exam out of those options, and I hated cramming information just to pass an exam, so I pulled the trigger on the eJPT.

It was fairly new at the time and had a lot of buzz about it being the best for beginners.

I learned a lot of networking stuff, but outside of that I don’t remember much else about what I learned.

What I do know for sure is I finished the eJPT excited about my accomplishment and that steered me in the right direction.

These tasks are ordered to build fundamentals, then depth, then specialization (code review, cloud, and mobile).

Follow the sequence below to build an application security skill stack.

  • Start with TryHackMe (Junior Penetration Tester path).
  • Complete PortSwigger labs (Apprentice-level for each topic).
  • TCM Security Bug Bounty course.
  • TCM Security PWPT course.
  • Study bug bounty reports and follow top creators.
  • Add code review practice (PentesterLab or HTB CWEE).
  • Dive into cloud security (PwnedLabs + CloudBreach).
  • Master mobile AppSec (Mobile Hacking Labs + Hextree).

PortSwigger Labs To Do

Apprentice checklist
Why this list exists

If I had to do it all over again, here’s how I’d break into cybersecurity, specifically focusing on application security.

These are the resources that I have used in the past, continue to use, and will continue to use.

By the way, my YouTube video on this goes into much more detail so check it out.

  • XSS labs.
  • CSRF labs.
  • SSRF labs.
  • CORS labs.
  • Request smuggling labs.
  • Path traversal labs.
  • Access control labs.
  • Web cache deception labs.
  • Web cache poisoning labs.
  • OAuth labs.
  • File upload labs.
  • JWT labs.
  • SQL & NoSQL labs.
  • API testing labs.
  • GraphQL labs.

Extras

Ongoing habits
The long game

Networking and sharing what you learn compounds faster than any single course. These aren’t “nice to have” if you want real opportunities.

  • Attend conferences or local hacker meetups.
  • Share your knowledge (blog, YouTube, or LinkedIn).