Learning resources
If you try to solve HTB machines without knowing what an LFI or Kerberoasting is, you’re playing chess without knowing how the pieces move. Theory first, terminal later.This order isn’t optional: it’s the difference between learning in
3 months what most people take 12. Each platform covers a
different layer — combining them produces a professional profile.
The new study algorithm
Tier 1 — Web layer (PortSwigger Web Security Academy)
portswigger.net/web-security —
FREE, no paid signup.
🎯 What it is — Official academy by Burp Suite developers,
the premier web pentesting tool.
🏆 Why it’s the gold standard — Does exactly what a junior
needs: a rigorous technical article (what the vuln is, why it
happens at code level, how to mitigate) and only then an
isolated lab to exploit that single flaw.
📋 Recommended path —
- Apprentice — Full track. SQLi, XSS, CSRF, auth, path traversal, command injection, file upload.
- Practitioner — XXE, SSRF, deserialization, OAuth, JWT, race conditions, web cache poisoning.
- Expert — Only after OSCP. Server-side prototype pollution, advanced web cache deception.
Tier 2 — Tactical bridge (TryHackMe)
tryhackme.com — Free plan + premium
(~$15/month).
🎯 What it is — Gamified lab platform with mandatory guided
reading before every terminal.
🏆 Why it works — HTB assumes you already know everything and
penalizes you. TryHackMe assumes you know nothing and forces you
to read. Structured paths split each machine into tasks with
reading control questions.
📋 Recommended paths in order —
💡 Total time — ~200 h to comfortable pre-OSCP level.
⚠️ Common trap — Collecting badges without retention. Take
notes in Obsidian/Notion as you go.
Tier 3 — Consultancy structure (TCM Security PEH)
academy.tcm-sec.com —
Practical Ethical Hacking ~100.
🎯 What it is — “Practical Ethical Hacking” (PEH) by Heath
Adams (TCM Security), a real consultancy with real clients.
🏆 Why it works — A pragmatic curriculum without academic
filler. Teaches terminology, recon methodology, web exploitation
and Active Directory assault, always tied to how to document it
in a real client report.
📋 Key courses —
💡 Own certification — If you don’t want OSCP, their PNPT
(Practical Network Penetration Tester) is industry-respected.
⚠️ Common trap — Buying the 10-course bundle at once. Do it
sequentially; material doesn’t expire.
Tier 4 — Raw documentation (OWASP)
owasp.org — Open Worldwide Application
Security Project. Free, global authority.
🎯 What it is — Global authority on application security.
Reference documentation.
🏆 Why it works — The manual you turn to when a platform
explains a vulnerability and you can’t internalize it. Shows raw
vulnerable code examples and the exact functions developers
should use to mitigate.
📋 Must-have resources —
⚠️ Common trap — Reading OWASP cover-to-cover. It’s reference,
not manual. Open it when you need something specific.
Essential supplements
For Active Directory
HackTricks
Community pentesting wiki. For AD, mandatory search before each
technique. Caveat: commands sometimes outdated.
The Hacker Recipes
Better structured than HackTricks for AD. Each technique with
prerequisites, commands, detection.
Ired.team
Red Team notes. Excellent for EDR evasion and advanced Windows
techniques.
ADSecurity (Sean Metcalf)
Blog by world AD expert. To truly understand Kerberos and
delegations.
For privilege escalation
For crypto and hashes
Practice platforms (after theory)
Certifications by ROI order
The habit that multiplies results
Daily reading of real reports
Search “Public Pentest Reports GitHub”. Top firms like Cure53, Trail of Bits, NCC Group and Radically Open Security publish real sanitized reports. 📋 Daily exercise (15 min) —- Open a public report.
- Identify a medium/high severity finding.
- Read:
- How they describe the technical vector.
- How they word the business impact.
- What remediation they propose, at what level of detail.
- Imitate that style in your own practice.
- pentest-reports · 600+ public reports.
- Awesome Security Reports.
Newsletters and feeds worth following
Build your own lab
Mid-term, learning by consuming isn’t enough. You have to break things you yourself stand up. Teaches you the defensive perspective at no extra cost. 📋 Minimum viable lab —- Hypervisor — VMware Workstation Pro (free personal), VirtualBox or Proxmox.
- Attacker — Kali Linux or ParrotOS.
- Vulnerable web — DVWA, OWASP Juice Shop, WebGoat.
- AD lab — GOAD (4 Windows boxes with pre-configured real vulns).
- Personal notes — Obsidian with Excalidraw plugin for diagrams.
Related resources
- Tactical glossary — Operational dictionary.
- Professional methodology — Decision trees and PTES phases.
- Report template — How to write the result of your audit.
- Web recon — Reconnaissance without firing the WAF.