Learning Track
Cybersecurity
From curious to capable defender.
A parent track containing 11 domain-specific sub-tracks. Start with the free Intro lesson, then choose the domains that interest you. Complete all sub-tracks to earn the full Cybersecurity certification.
Sub-Tracks
Understand every domain before picking your path.
A single free lesson covering all nine cybersecurity domains. Required before unlocking any sub-track.
First lesson: Overview of All Cybersecurity Domains
Control who can access what, and prove it.
Passwords, MFA, RBAC, SSO, Privileged Access Management, hands-on Entra ID / AWS IAM / OAuth flows / Zero Trust.
First lesson: What is IAM?
Find weaknesses before attackers do.
CVEs, CVSS, Nmap scanning, hands-on OpenVAS, enterprise patch management, and continuous vulnerability programs.
First lesson: What is Vulnerability Management?
Secure the software itself.
OWASP Top 10 (hands-on in DVWA and WebGoat), injection, XSS, secure code review, bug bounty, and WAFs.
First lesson: What is Application Security?
Be ready before something goes wrong.
NIST IR lifecycle, detection, containment, eradication, recovery, SIEM with Splunk, and tabletop exercises.
First lesson: What is Incident Response?
Keep sensitive data inside the organization.
Data classification, encryption, DLP tools, insider threats, and compliance regulations.
First lesson: What is Data Leakage?
Authorized attack simulation.
Ethics-first legal frame, full PTES methodology, exploitation, web app testing, post-exploit, HTB Starting Point passion project, and professional reporting.
First lesson: Ethics and the Law (Mandatory First)
The business side of security.
Risk assessment, security policies, compliance frameworks, and business continuity.
First lesson: What is Risk Management?
Secure every endpoint: laptops, phones, IoT.
OS hardening, endpoint protection platforms, MDM, patch management, and IoT security.
First lesson: What is Endpoint Security?
Know your adversaries.
Threat actors, IoCs vs IoAs, OSINT toolkit (Shodan, Censys, VirusTotal, URLscan), MITRE ATT&CK Navigator, threat-report writing, and ISACs.
First lesson: What is Threat Intelligence?
The five core functions: Identify, Protect, Detect, Respond, Recover.
An in-depth study of the NIST CSF. Understand how each function maps to real controls and other frameworks.
First lesson: Introduction to the NIST Framework
How AI is reshaping offense and defense.
AI-powered threat detection, SOC automation, vulnerability assessment, pen testing augmentation, and securing AI systems. Optional sub-track within Cybersecurity.
First lesson: AI in Cybersecurity: The Landscape
How computers talk, and how attackers exploit it.
The networking foundation for the whole Cybersecurity track: OSI and TCP/IP, TCP vs UDP, Wireshark, ARP spoofing, man-in-the-middle, SYN floods and DDoS, DNS attacks, and wireless attacks. Hands-on labs in isolated environments. Prerequisite knowledge for Penetration Testing and Incident Response.
First lesson: Networking for Security: Why Protocols Are the Battleground
Credentials are the keys to the kingdom.
How attackers brute force, crack, and stuff credentials (Hydra, hashcat, John), the online-vs-offline distinction, and the defensive side: password managers, passkeys, and credential hygiene for users and developers. Hands-on DVWA lab.
First lesson: Credentials: The Keys to the Kingdom
Build the lab the rest of the track runs in.
The practical foundation for every hands-on lab: install VirtualBox and Kali Linux, configure isolated networking, use snapshots, add a vulnerable target VM, and learn the Kali tool categories you will use throughout the track. Take this before any lab that requires Kali.
First lesson: Setting Up a Kali Linux Lab
The math that makes security possible.
Symmetric and asymmetric encryption, hash functions and HMAC, key exchange and digital signatures, TLS 1.3 in depth, and practical cryptography for developers (which primitive to use, which library, and what never to implement yourself).
First lesson: What Cryptography Protects
Attacking and defending Android and iOS apps.
Android and iOS security models, the OWASP Mobile Top 10, static analysis (jadx, APK decompilation), dynamic analysis (Frida, Burp proxy), and common mobile vulnerabilities. Hands-on with a deliberately vulnerable app.
First lesson: The Mobile Security Landscape
Securing what you run in AWS, Azure, and GCP.
The shared responsibility model, IAM misconfigurations and least privilege, cloud attack techniques (metadata SSRF, privilege escalation), cloud security tooling (Prowler, ScoutSuite, Trivy), and secrets management. Hands-on with CloudGoat.
First lesson: Cloud Security and the Shared Responsibility Model
Understanding software without the source.
An advanced subtrack: static analysis (file formats, PE/ELF), disassembly and decompilation with Ghidra, dynamic analysis and safe handling, malware categories, sandbox analysis, and YARA rules. No real malware is ever used in labs.
First lesson: What Reverse Engineering Is
The enterprise attack surface that matters most.
Active Directory structure, Kerberos and NTLM authentication, common AD attacks (Pass-the-Hash, Kerberoasting, AS-REP Roasting, Golden Ticket), BloodHound attack-path mapping, and AD defense and monitoring. Hands-on with a lab AD environment.
First lesson: Active Directory: The Enterprise Attack Surface
Zero to professional web app tester.
The industry-standard web application security testing tool, from never having opened it to working as a professional tester. Four mini-tracks (Setup and Core Concepts, Repeater and Manual Testing, Intruder and Automated Attacks, Advanced Techniques) plus a portfolio passion project and job readiness. Labs use the free PortSwigger Web Security Academy. Prerequisite: Networking and Protocol Security.
First lesson: What is Burp Suite and Why Do Security Professionals Use It?