Skip to main content

Learning resources

If you try to solve HTB machines without knowing what an LFI or Kerberoasting is, you’re playing chess without knowing how the pieces move. Theory first, terminal later.
This order isn’t optional: it’s the difference between learning in 3 months what most people take 12. Each platform covers a different layer — combining them produces a professional profile.

The new study algorithm

Skipping any step makes you inefficient. Skipping #4 makes you unhirable.

Tier 1 — Web layer (PortSwigger Web Security Academy)

portswigger.net/web-securityFREE, no paid signup.
🎯 What it is — Official academy by Burp Suite developers, the premier web pentesting tool. 🏆 Why it’s the gold standard — Does exactly what a junior needs: a rigorous technical article (what the vuln is, why it happens at code level, how to mitigate) and only then an isolated lab to exploit that single flaw. 📋 Recommended path
  1. Apprentice — Full track. SQLi, XSS, CSRF, auth, path traversal, command injection, file upload.
  2. Practitioner — XXE, SSRF, deserialization, OAuth, JWT, race conditions, web cache poisoning.
  3. Expert — Only after OSCP. Server-side prototype pollution, advanced web cache deception.
💡 Estimated time — Apprentice: 40 h. Practitioner: 100 h. ⚠️ Common trap — Jumping to the lab before reading the article. You lose 80% of the value.

Tier 2 — Tactical bridge (TryHackMe)

tryhackme.com — Free plan + premium (~$15/month).
🎯 What it is — Gamified lab platform with mandatory guided reading before every terminal. 🏆 Why it works — HTB assumes you already know everything and penalizes you. TryHackMe assumes you know nothing and forces you to read. Structured paths split each machine into tasks with reading control questions. 📋 Recommended paths in order 💡 Total time — ~200 h to comfortable pre-OSCP level. ⚠️ Common trap — Collecting badges without retention. Take notes in Obsidian/Notion as you go.

Tier 3 — Consultancy structure (TCM Security PEH)

academy.tcm-sec.comPractical Ethical Hacking ~30.Bundles 30. Bundles ~100.
🎯 What it is — “Practical Ethical Hacking” (PEH) by Heath Adams (TCM Security), a real consultancy with real clients. 🏆 Why it works — A pragmatic curriculum without academic filler. Teaches terminology, recon methodology, web exploitation and Active Directory assault, always tied to how to document it in a real client report. 📋 Key courses 💡 Own certification — If you don’t want OSCP, their PNPT (Practical Network Penetration Tester) is industry-respected. ⚠️ Common trap — Buying the 10-course bundle at once. Do it sequentially; material doesn’t expire.

Tier 4 — Raw documentation (OWASP)

owasp.org — Open Worldwide Application Security Project. Free, global authority.
🎯 What it is — Global authority on application security. Reference documentation. 🏆 Why it works — The manual you turn to when a platform explains a vulnerability and you can’t internalize it. Shows raw vulnerable code examples and the exact functions developers should use to mitigate. 📋 Must-have resources ⚠️ Common trap — Reading OWASP cover-to-cover. It’s reference, not manual. Open it when you need something specific.

Essential supplements

For Active Directory

HackTricks

Community pentesting wiki. For AD, mandatory search before each technique. Caveat: commands sometimes outdated.

The Hacker Recipes

Better structured than HackTricks for AD. Each technique with prerequisites, commands, detection.

Ired.team

Red Team notes. Excellent for EDR evasion and advanced Windows techniques.

ADSecurity (Sean Metcalf)

Blog by world AD expert. To truly understand Kerberos and delegations.

For privilege escalation

For crypto and hashes


Practice platforms (after theory)


Certifications by ROI order

Don’t start with OSCP. It’s the destination, not the starting line. Build the base with TryHackMe + PortSwigger. When mid HTB machines start falling, then plan OSCP.

The habit that multiplies results

Daily reading of real reports

Search “Public Pentest Reports GitHub”. Top firms like Cure53, Trail of Bits, NCC Group and Radically Open Security publish real sanitized reports. 📋 Daily exercise (15 min)
  1. Open a public report.
  2. Identify a medium/high severity finding.
  3. Read:
    • How they describe the technical vector.
    • How they word the business impact.
    • What remediation they propose, at what level of detail.
  4. Imitate that style in your own practice.
🔗 Curated repos

Newsletters and feeds worth following


Build your own lab

Mid-term, learning by consuming isn’t enough. You have to break things you yourself stand up. Teaches you the defensive perspective at no extra cost. 📋 Minimum viable lab
  1. Hypervisor — VMware Workstation Pro (free personal), VirtualBox or Proxmox.
  2. Attacker — Kali Linux or ParrotOS.
  3. Vulnerable web — DVWA, OWASP Juice Shop, WebGoat.
  4. AD labGOAD (4 Windows boxes with pre-configured real vulns).
  5. Personal notesObsidian with Excalidraw plugin for diagrams.
Portfolio challenge (2-4 weeks): stand up GOAD, compromise it end to end, write the report with professional template, push the sanitized report to your GitHub. Worth more than 50 HTB machines on your CV.