A hands-on operating system for learning offensive and defensive security — built around real labs, a clear roadmap, and the discipline to practice legally. Boot in, pick a track, break things you're allowed to break.
Read this first, every time. The single thing separating a security researcher from a criminal is authorization. Skills are neutral; how you point them is not. These rules keep you legal, employable, and trusted.
Seven phases, roughly in order. You don't need to finish one to peek at the next, but the foundations make everything above them faster. Colors map to depth: green for groundwork, amber for core skills, coral for advanced offense, teal for the defensive side.
You can't break what you don't understand. Learn how data moves and how systems are built before you try to subvert them.
Automate the boring parts and read other people's exploits. Python and Bash are the lingua franca of security work.
The biggest, most accessible attack surface and where most beginners land their first real findings. Master the OWASP Top 10 by exploiting it.
Scanning, enumeration, traffic analysis, and the reconnaissance that precedes every engagement. Learn to see a network the way an attacker does.
Chain vulnerabilities into access, escalate privileges, and write it all up like a professional. This is where pentesting becomes real.
The other half of the field, and where most jobs actually are. Investigate incidents, analyze memory and logs, and build detections.
Go deep on one thing. Reverse engineering and malware analysis, cloud security, crypto, hardware/IoT, or full-time bug bounty — depth beats breadth from here.
Theory fades; muscle memory sticks. Work through these in roughly the order shown — each one teaches a concrete skill on a target you're allowed to attack. Hit how to start for step-by-step instructions, follow the link to the lab, and tick the box (top-right) to mark it done. Progress saves in this browser.
An isolated sandbox is the single most important thing you'll set up. It's where you attack freely without touching anything real. The golden rule: keep your vulnerable targets on a host-only network so nothing leaks onto the internet or your home LAN.
Once both VMs are on the host-only network, find your target and start enumerating:
Then point your browser at localhost:3000 and start hunting.
Hand-picked places to learn, practice, and read. Most of the best resources in this field are free — start there before spending a cent on courses or certs.