An interactive, gamified introduction to cybersecurity fundamentals. This path covers networking basics, how the web works, Linux fundamentals, and Windows fundamentals. Perfect if you've never touched a command line before. TryHackMe uses virtual machines in your browser, so you don't need to install anything - just create an account and start learning.
Why we recommend it: It's specifically designed for absolute beginners and teaches you by doing, not just reading. The guided format means you won't get lost.
Cost: Free
Time Commitment: ~40 hours
Comprehensive video series covering everything you need to know for the CompTIA Security+ certification. Even if you're not planning to take the cert exam immediately, these videos provide an excellent overview of cybersecurity concepts, threats, architecture, operations, and governance. Professor Messer has a gift for explaining complex topics clearly.
Why we recommend it: Industry standard content taught by someone who's been doing this for years. Great to watch at 1.5x speed while taking notes.
Cost: Free (videos), paid study materials available
Time Commitment: ~20 hours of video content
A beginner-friendly course that introduces cybersecurity careers, foundational concepts, and why security matters. Includes interactive activities and assessments. Cisco is a major player in networking and security, so their content is industry-relevant. You'll get a certificate of completion, which looks good on LinkedIn.
Why we recommend it: Provides context about WHY security matters and what careers look like, not just technical details.
Cost: Free
Time Commitment: ~15 hours
Alexis (Hackersploit) creates practical, hands-on tutorials covering everything from ethical hacking basics to penetration testing. His "Complete Beginner" series walks through Kali Linux, reconnaissance, exploitation, and more. Videos are well-produced and easy to follow.
Why we recommend it: Visual learning with real demonstrations. Great supplement to text-based courses.
Cost: Free
Time Commitment: Multiple short series available
The best platform for learning by doing. TryHackMe offers "rooms" (guided lessons) and challenges covering web exploitation, privilege escalation, cryptography, OSINT, and more. The browser-based virtual machines mean you can practice on any computer. Start with the free rooms - there are hundreds of them.
Recommended free rooms to start:
Basic Pentesting: Introduction to penetration testing methodology
OWASP Top 10: Learn the most critical web application security risks
Linux Fundamentals: Master the command line
Advent of Cyber: Annual Christmas-themed beginner event (archives available)
Why we recommend it: Progressive difficulty, strong community, and you earn points/badges for completing challenges (gamification helps motivation).
Cost: Free tier available, Premium $10/month
Skill Level: Beginner to Advanced
A classic wargame that teaches Linux command line skills through progressive challenges. You SSH into their servers and solve puzzles to find passwords for the next level. Starts extremely simple ("use ls to list files") and gradually builds complexity. No handholding - you'll need to Google commands and think critically.
Why we recommend it: Builds genuine Linux skills that you'll use constantly in cybersecurity. The community is massive, so solutions and hints are available if you get stuck.
Cost: Free
Skill Level: Beginner
Created by Carnegie Mellon University, PicoCTF is a free capture-the-flag competition designed for high school and college students. Even when the live competition isn't running, you can access previous years' challenges. Categories include cryptography, reverse engineering, forensics, web exploitation, and binary exploitation.
Why we recommend it: Educational CTF that teaches as you go. Great for club competitions - we can tackle challenges together during meetings.
Cost: Free
Skill Level: Beginner to Intermediate
More structured than the main HackTheBox platform (which is quite difficult). HTB Academy offers learning paths with theory, examples, and practical exercises. The free tier includes modules on Linux fundamentals, Windows fundamentals, and introduction to pentesting. Premium unlocks advanced content.
Why we recommend it: Professional-grade training that many companies use for employee development. Completion certificates for each module.
Cost: Some free modules, premium ~$8-19/month
Skill Level: Beginner to Advanced
Blue team (defensive security) challenges focusing on digital forensics, incident response, malware analysis, and threat hunting. You download real-world forensic artifacts (disk images, memory dumps, network captures) and answer questions by investigating them. Great balance to the offensive-focused platforms.
Why we recommend it: Most platforms focus on attacking - this teaches defense, which is where most jobs are.
Cost: Free
Skill Level: Intermediate
The gold standard entry-level cybersecurity certification. Covers threats, vulnerabilities, architecture, operations, and governance & compliance. Recognized by employers worldwide and often required for government/defense jobs (DoD 8570 compliant). Many cybersecurity jobs list Security+ as "required" or "preferred."
Free study resources:
Professor Messer videos (linked above)
Jason Dion practice exams (watch for Udemy sales - often $15)
r/CompTIA subreddit for study tips and encouragement
Why we recommend it: Opens doors. Having this cert significantly improves your resume and can increase starting salaries by $5-10k.
Cost: ~$370 exam fee (academic discounts available)
Study Time: 2-3 months
Difficulty: Entry-level
Eight-course program covering security fundamentals, network security, Linux, SQL, Python, assets & threats, detection & response, and preparing for cybersecurity jobs. Created by Google for people with no prior experience. Includes hands-on labs and projects. Certificate shows up on Coursera, LinkedIn, and your resume.
Why we recommend it: Completely beginner-friendly, substantial time investment shows commitment to employers, and the Google name carries weight.
Cost: Free with financial aid (~2 week approval), otherwise $45/month
Time Commitment: 6 months at 7 hrs/week
Difficulty: Beginner-friendly
ISC2 (the organization behind CISSP, the most prestigious security cert) created this entry-level certification to address the cybersecurity skills gap. Covers security principles, incident response, access controls, network security, and security operations. Free self-paced training course included.
Why we recommend it: From a highly respected organization, relatively affordable, and ISC2 offers one million free exam vouchers to qualifying candidates (yes, free exam).
Cost: Free training, ~$50 exam fee
Study Time: 1-2 months
Difficulty: Entry-level
Validates fundamental Linux knowledge. Since most cybersecurity tools run on Linux (Kali, ParrotOS, etc.) and most servers are Linux-based, this knowledge is crucial. Covers command line basics, file management, shell scripting, and system architecture.
Why we recommend it: Linux skills are non-negotiable in cybersecurity. This cert proves you have them.
Cost: ~$120 exam fee
Study Time: 1-2 months
Difficulty: Beginner
Programming language heavily used in cybersecurity for automation, exploit development, data analysis, and tool creation. Easier to learn than C or Java but powerful enough for serious work. Many security tools are written in Python or have Python APIs.
Getting started: Install Python 3, then work through "Automate the Boring Stuff with Python" (free online book). Focus on file manipulation, web scraping, and regular expressions - all useful in security.
Why we recommend it: Scripting skills separate novice hackers from real professionals. Python is the easiest language to start with and the most useful in security.
Cost: Free
Platform: Windows, Mac, Linux
Virtualization software that lets you run multiple operating systems on your computer simultaneously. Essential for cybersecurity labs - you'll run Kali Linux, vulnerable machines, and testing environments as virtual machines (VMs) without affecting your main system. Think of it as a computer within your computer.
Getting started: Download VirtualBox, then download a Kali Linux VM from kali.org/get-kali. Import it into VirtualBox and you have a complete penetration testing environment.
Why we recommend it: Free, well-documented, and every cybersecurity professional uses virtualization. Learning this early saves headaches later.
Cost: Free
Platform: Windows, Mac, Linux
The most popular penetration testing and security auditing Linux distribution. Comes pre-loaded with hundreds of security tools including Nmap, Metasploit, Burp Suite, Wireshark, John the Ripper, and more. Maintained by Offensive Security (the company behind the OSCP certification).
Getting started: Download the VirtualBox image from Kali's website. Default credentials are kali/kali. Spend time exploring what tools are included.
Why we recommend it: Industry standard. Learning to use and navigate Kali is essential.
Cost: Free
Platform: Run as VM or live USB
The world's most popular network protocol analyzer. Captures and displays network traffic in real-time, letting you see every packet moving across a network. Essential for network troubleshooting, security analysis, and understanding how protocols work. Steep learning curve but incredibly powerful.
Getting started: Download and install, then capture traffic on your own network. Filter by protocol (http, dns, etc.) to see what your computer is doing. TryHackMe has a Wireshark room that teaches the basics.
Why we recommend it: Understanding network traffic is fundamental to both offensive and defensive security. Wireshark is the tool for that.
Cost: Free
Platform: Windows, Mac, Linux
Web application security testing tool and intercepting proxy. Sits between your browser and the web server, letting you view and modify HTTP requests/responses. Essential for finding web vulnerabilities like SQL injection, XSS, CSRF, and authentication bypasses. The Pro version ($449/year) adds automation, but Community Edition is powerful enough for learning.
Getting started: PortSwigger (the company behind Burp) has an excellent free Web Security Academy with labs specifically designed for Burp Suite practice.
Why we recommend it: Web applications are everywhere and constantly under attack. Burp Suite is the industry-standard tool for testing them.
Cost: Free Community Edition
Platform: Windows, Mac, Linux
Network discovery and security auditing tool. Scans networks to find active hosts, open ports, running services, operating systems, and potential vulnerabilities. The first tool you run during reconnaissance in penetration testing. Command-line based but has a GUI version (Zenmap).
Getting started: Install Nmap, then scan your own network: nmap -sV 192.168.1.0/24. Add the -A flag for an aggressive scan with OS detection. TryHackMe's "Nmap" room teaches proper usage.
Why we recommend it: If you learn one command-line tool, make it Nmap. Used in every security assessment, ever.
Cost: Free
Platform: Windows, Mac, Linux
Penetration testing framework with hundreds of exploits, payloads, and auxiliary modules. Once you find a vulnerability with Nmap or another tool, Metasploit helps you exploit it (ethically, in controlled environments). Includes a searchable database of exploits and an intuitive console interface.
Getting started: Comes pre-installed on Kali. Start with Metasploitable 2 (intentionally vulnerable VM) as your target. TryHackMe's "Metasploit" room is excellent.
Why we recommend it: Understanding how exploits work is crucial for both attackers and defenders. Metasploit makes this accessible.
Cost: Free Community Edition
Platform: Windows, Mac, Linux
Chuck makes complex topics accessible and fun. His videos cover practical skills like setting up a home lab, earning certifications, and landing your first security job. Known for his "Coffee Time" openings and genuine enthusiasm. Great for motivation and broad overviews.
Content: Networking, AI, cybersecurity, cloud, career advice
Style: High energy, entertaining, coffee-fueled
John walks through capture-the-flag challenges step-by-step, explaining his thought process. Excellent for learning problem-solving approaches. Also does malware analysis videos where he reverse engineers actual malicious software in safe environments. Very educational without being dry.
Content: CTF walkthroughs, malware analysis, tool tutorials
Style: Technical, detailed, methodical
More advanced than other channels on this list. LiveOverflow dives deep into topics like buffer overflows, heap exploitation, and reverse engineering. His "Binary Exploitation" series is phenomenal but challenging. Great for when you're ready to level up beyond beginner content.
Content: Deep technical content, binary exploitation, CTF writeups
Style: In-depth, challenging, thought-provoking
IppSec has walkthroughs for nearly every HackTheBox machine. Watching him work through machines teaches methodology, tool usage, and thinking like a penetration tester. His videos are long (30-60 minutes) because he doesn't skip steps - you see the entire process including mistakes and troubleshooting.
Content: HackTheBox machine walkthroughs
Style: Methodical, detailed, professional
Heath creates course-quality content for free on YouTube. His "Practical Ethical Hacking" full course is legendary in the community. Also covers OSINT (open-source intelligence), Python for pentesters, and career advice.
Content: Ethical hacking, penetration testing, career guidance
Style: Professional, instructional, comprehensive
David frequently interviews cybersecurity professionals, certification holders, and tool creators. Great for understanding career paths and what working in security actually looks like. Also has technical content on networking fundamentals (crucial for security) and Python automation.
Content: Networking, Python, cybersecurity, interviews with professionals
Style: Interview-based, comprehensive, career-focused
In-depth investigative journalism on cybercrime, data breaches, and the security industry. Brian breaks major stories, tracks cybercriminal operations, and provides context that helps you understand the human side of hacking. Updates several times per week. Writing is accessible to non-experts while still being technically accurate.
Why follow: Understand how breaches happen in the real world, not just in lab environments. Krebs often reports on incidents before they hit mainstream news.
Type: Blog
Author: Brian Krebs (former Washington Post investigative reporter)
Quick summaries of the latest vulnerabilities, breaches, malware campaigns, and security tool releases. Good for staying current without deep dives. Each article links to original sources if you want more detail. Free newsletter option.
Why follow: Cybersecurity moves fast. THN keeps you updated on what's happening right now. Good conversation starters for club meetings.
Type: News aggregator + original reporting
Update frequency: Multiple times daily
High-quality reporting on major security issues with more context and analysis than typical news sites. Writers actually understand technology. Good for understanding the "so what?" of security news - why a particular breach or vulnerability matters.
Why follow: Bridges the gap between technical security blogs and mainstream news. Great for explaining security news to non-technical people.
Type: Tech news site
Writing style: Technical but accessible
Community of 600k+ security professionals, students, and enthusiasts. Daily discussions about news, career advice, certifications, and technical questions. Check out related subreddits: r/netsec (more technical), r/AskNetsec (Q&A), r/blueteamsec (defensive focus).
Why follow: Real conversations with people at all levels. Great for asking questions and seeing what topics the community is discussing.
Type: Community forum
Activity level: Very active
Story-driven podcast covering real cybercrimes, hacking incidents, and the people behind them. Episodes are narrative non-fiction - engaging storytelling about actual events. Topics include social engineering, data breaches, nation-state hacking, and cybercriminal investigations. Extremely well-produced and addictive.
Why listen: Makes cybersecurity come alive. Perfect for commutes or workouts. You'll retain information better when it's presented as a story rather than facts.
Type: Podcast
Host: Jack Rhysider
Episodes: ~45 minutes each
Industry-focused podcast discussing the week's major security news. More technical and policy-oriented than Darknet Diaries. Good for understanding business and geopolitical implications of cybersecurity. Host Patrick Gray interviews researchers and industry leaders.
Why listen: Understand cybersecurity from a professional/business perspective, not just technical.
Type: Podcast
Format: Weekly news roundup + interviews
Episodes: ~60 minutes each
Official US government cybersecurity alerts about current threats, vulnerabilities, and mitigation strategies. Very technical and authoritative. When a major vulnerability drops (like Log4Shell), CISA publishes detailed guidance.
Why follow: Official, authoritative, and free. Good to understand what threats government and enterprise are prioritizing.
Type: Government alerts
Update frequency: As threats emerge
Massive library of cybersecurity courses covering certifications, specific tools, and career paths. Free tier gives access to many courses but limits virtual labs. Good for structured learning paths if TryHackMe's style doesn't work for you.
Cost: Free tier, Pro $39/month
Content: Video courses, virtual labs, practice exams
From SANS Institute (a highly respected security training organization). Tutorials cover foundational skills needed before diving into offensive or defensive security. Less flashy than other platforms but very thorough.
Cost: Free
Content: Operating systems, networking, system administration tutorials
From the creators of Burp Suite. Comprehensive coverage of web application vulnerabilities with hands-on labs. Topics include SQL injection, XSS, CSRF, authentication bypasses, and more. Probably the best free resource specifically for web security.
Cost: Free
Content: Interactive labs on web vulnerabilities
Simulate working as a SOC analyst investigating real-world alerts. Learn to use SIEM tools, analyze logs, investigate incidents, and create reports. Great complement to offensive-focused platforms like TryHackMe.
Cost: Free tier, Premium $10/month
Content: Blue team (defensive) training and SOC simulations
Non-profit foundation focused on improving software security. Their OWASP Top 10 list of critical web application security risks is industry standard. Also provides free tools (like ZAP, an alternative to Burp Suite), guides, and cheat sheets.
Cost: Free
Content: Security standards, documentation, tools