Getting Started in Cybersecurity

Get a lab running locally, then learn from one book and one free course. Don't buy gear before you have outgrown free options.

Home lab

• LabKali Linux — the attacker VM. Boot from VirtualBox or VMware Player (both free).
• LabMetasploitable 2 — intentionally vulnerable target. Pair with Kali.
• LabVulnHub — more vulnerable VMs to practice on.
• LabVirtualBox — free hypervisor for the home lab. Any 8 GB laptop runs two VMs comfortably.

First reads

• BookHacking: The Art of Exploitation (Erickson) — the canonical intro to thinking like an attacker.
• BookMetasploit: The Penetration Tester's Guide — pair with your Kali + Metasploitable setup.
• BookThe Web Application Hacker's Handbook — older but still the AppSec foundation.

First course

• CourseGoogle Cybersecurity Professional Certificate — newer entry point. Foundational, ~6 months self-paced. Free to audit on Coursera financial aid.
• CourseTryHackMe — guided rooms, free tier is generous. Best place to start hands-on.
• CourseProfessor Messer Security+ SY0-701 — full Security+ video course, free. The exam itself costs but the prep is the value.

Free, structured, recently maintained. Pick one. Finish it before starting another.

• FreeOpen Security Training 2 (OST2) — modern successor to the original OST. Vuln research, RE, low-level security.
• FreeHack The Box Cybersecurity Roadmap — annotated map of which HTB Academy modules to take in what order.
• FreeHTB Academy paths — job-role-based skill paths. Free tier covers fundamentals.
• FreeAntisyphon Pay-What-You-Can classes — John Strand's training. Excellent, name-your-price.
• FreeSam Bowne's courses (CCSF) — full college courses on infosec, ethical hacking, malware, posted free.
• PaidTCM Security Academy — affordable practical courses. Their PNPT cert is well-regarded.
• PaidOffSec OSCP — the classic offensive cert. Hard, respected, expensive.
• Freeroadmap.sh / cyber-security — community-curated skill tree showing what to learn and in what order.

Don't learn "cybersecurity." Learn one role's daily work. The big tracks:

• RolePenetration tester / Red team — breaks into systems for clients. Hands-on, technical, travel sometimes. OSCP / PNPT path.
• RoleSOC analyst / Blue team / DFIR — defends, investigates incidents, hunts threats. Most entry-level jobs sit here. Sec+ / CySA+ / GCIH.
• RoleAppSec engineer — secures code and product. Sits between dev and security. Often the highest-paid track for people with dev backgrounds.
• RoleCloud security — AWS / GCP / Azure security engineering. High demand, cert-friendly path.
• RoleVulnerability research / RE / exploit dev — finds new bugs in binaries, browsers, kernels. Hardest path, smallest job market, highest ceiling.
• RoleBug bounty hunter — self-employed, paid per finding. Compatible as a side income.
• RoleGRC / risk / compliance — non-technical track. Audits, frameworks, policy. Good entry for career changers without a tech background.

Career exploration

• CyberWire — Career Notes podcast — short weekly interviews on how people actually got in.
• Cybersecurity Interviews

Interview prep

• PlaylistCyber: Defense — defensive security interview prep. Blue team, detection, incident response, threat hunting. Curated by Coach Zubair.
• PlaylistCyber: Offense — offensive security interview prep. Red team, exploit dev, pentest fundamentals. Curated by Coach Zubair.
• Daniel Miessler — InfoSec interview questions — if you can answer these, you're hireable.

Reading without practice doesn't stick. Pick one platform and finish a track.

• LabTryHackMe — guided, free-tier-friendly. Where most beginners actually start now.
• LabHack The Box — next step after TryHackMe. Less hand-holding.
• Labpwn.college — ASU's free, deep dive on binary exploitation and CTFs. Excellent if you have time.
• LabOverTheWire wargames — terminal-based CTF, the classic Linux + crypto warmup.
• LabRoot-Me — huge catalog of challenges across every category.
• LabpicoCTF — Carnegie Mellon's ongoing CTF. Beginner-friendly, runs year-round.
• Labpwnable.tw  ·  pwnable.kr — for serious binary exploitation practice.
• LabCTFtime — calendar of upcoming CTFs + a huge writeup archive. Read writeups even if you don't play.

Adversary emulation, internal red teams, and pentesting. Start with practical, move to TTPs.

• MITRE ATT&CK — the knowledge base that every red team and blue team references. Learn the matrix.
• Atomic Red Team — small tests mapped to ATT&CK. Great for both red and purple teaming.
• Red Teaming Toolkit (curated list)
• HTB Academy — Penetration Tester path
• TCM PNPT — practical pentest cert. Hands-on report-based exam.
• OffSec OSCP

Most entry-level security jobs are blue team. Get good at logs, detections, and investigations.

• LetsDefend — browser-based SOC simulator. Real alerts, real triage, free tier.
• CyberDefenders — blue team labs and CTFs. DFIR, log analysis, malware traffic.
• malware-traffic-analysis.net — Brad Duncan's long-running PCAP exercises. Free, excellent.
• Splunk BOTS — Boss of the SOC datasets. The classic SIEM training set.
• awesome-cybersecurity-blueteam — curated list of blue team tools and resources.
• The DFIR Report — public incident-response writeups. Read these monthly.
• Hoppers Roppers — free beginner-to-blue-team curriculum.
• Active Countermeasures — Threat Hunting Training

Slow path. Pick one tool family (Ghidra or IDA Free) and one course, and grind a sample a week.

• Ghidra — NSA's free reverse-engineering platform.
• IDA Free — industry-standard disassembler. Free tier works for learning.
• Practical Malware Analysis (Sikorski & Honig) — the canonical book. Labs included.
• OST2 — x86-64 Assembly — prereq for everything below.
• OST2 — Vulns 1001 (C-derived bugs)
• Kaspersky — Advanced Malware Analysis (paid)
• Open Security Training — Malware Analysis (original)

The single highest-leverage track if you already write code.

• PortSwigger Web Security Academy — free, the gold standard for learning web AppSec. Do every lab.
• OWASP Web Security Testing Guide — the standard test methodology.
• OWASP Top 10 — memorize. Cited in every interview.
• HTB Academy — Bug Bounty Hunter path
• HackerOne — Hacker101 — free video course + CTF, by HackerOne.
• BugBountyHunter (Z-winK) — real-target practice platform from a top hunter.
• PayloadsAllTheThings — payload cheatsheets by vuln class. Keep open while testing.

Hard to bluff. If you want to do this seriously, you will use math.

• Cryptopals challenges — the most respected hands-on crypto trainer. Do set 1 and 2 minimum.
• Crypto 101 — free intro book by Laurens Van Houtven.
• Coursera — Cryptography I (Dan Boneh) — Stanford's course. Free to audit.
• Matthew Green — Cryptography Engineering blog — readable, current. Follow for crypto news.
• Trail of Bits — Cryptography posts
• Real World Crypto conference — talks posted free. Best annual signal of where crypto is going.

Pick one podcast and one news source. Subscribe. Don't try to read everything.

Local (Toronto / Canada)

• DEFCON Toronto (DC416) — Slack invite via info@dc416.com.
• TASK (Toronto Area Security Klatch) — free monthly meetup, last Wednesday of the month.
• OWASP Toronto
• InfoSec Muslims Canada — message Zubair on LinkedIn for an intro.

Podcasts

• SANS Internet Storm Center — daily 5-min — if you pick one, this is it.
• Darknet Diaries — story-driven, accessible to non-technicals too.
• Risky Business — weekly news + interviews, Patrick Gray.
• The CyberWire

News & threat intel

• Krebs on Security
• The Hacker News
• BleepingComputer
• Unit 42 (Palo Alto)

Bridge programs that retrain internationally-educated professionals into Canadian cyber jobs. Eligibility varies; read carefully.

• ACCESS Employment — Cybersecurity Connections — free. For permanent residents, refugees, or naturalized citizens with prior IT background.
• Rogers Cybersecure Catalyst (TMU) — 7-month accelerator; competitive intake; ~$500 fee; three certs included.
• Palette Skills — SalesCamp / cyber programs