You really don't need much to get started with cyber. Actually, there is a lot you can do with just a smart phone, or in a web browser - which makes things way easier if you are working from a computer at a public library or something, where you may not be able to install your own software. There are even entire Linux distributions (operating systems) for security that can run on a Raspberry Pi (tiny computers that you can find for under $100 at the time of this writing). In the future, I do plan on making videos about specific limitations of different types of hardware, and the most affordable ways to accomplish certain goals, but for now I’m going to dump all of my favorite resources on this page and on the corresponding video channel(s) so that at the very least I can help others to not waste as much time as I did when I was getting started.
Below I have provided links to different resources, and many are free or at least what I consider to be affordable and of exceptional value. With cyber, there is no way to get around the fact that some things will cost money, and of course some of the best resources require a fee - and they should, as the architecture required to support a service like Hack The Box is not free. (Although, TryHackMe does have a good bit of free training in a similar style.) Especially with the demand for certifications, I will say that the financial barrier to entry for cyber is a little higher than for programming, but it is still possible to approach these studies in a financially responsible way. Also, for some activities programming knowledge will be helpful; refer to the homepage as necessary.
Disclaimer: I am not an expert of all things at all times - cyber is rapidly evolving - so feel free to send recommendations or corrections - email in footer. Also, prices of products I recommend are only accurate as of...the last time I checked, maybe; I don't update all of the prices every time I update the page.
Last Updated: Jul 2024
General Security Awareness
Cybersecurity is a broad field; it’s kind of like working in the automotive industry, where you could be making automobiles, or selling them, or repairing them, and even then there are specialties in each of those areas. I have included resources covering just a few different focus areas in cyber in the later sections – there is much more out there. For a broad overview (the short version), I recommend reading the Verizon Data Breach Investigations Report, attending a cyber meetup in your area, and checking out one of these CISSP study guides below. (The CISSP is a high-level certification that covers a broad range of cybersecurity topics.)
If you really want to just jump in and get hands on with security, then TryHackMe is probably a good place to start. They offer hundreds of training "rooms" for free, and although their in-browser virtual machine (VM) - the "AttackBox" - can only be used for one hour a day without a subscription, you can connect your own VM via OpenVPN and use it as much as you like. This link explains how to set up a Kali VM in VirtualBox - a free, cross-platform hypervisor - and you can find the TryHackMe OpenVPN Guide here. I recommend going through a bunch of the "Info" rooms when starting out. These rooms will not give you much in the way of practical, technical skills, but they will help you to understand how broad the field of cybersecurity is and where you may want to specialize.
ISC2 (The International Information System Security Certification Consortium), formerly (ISC)2, divides cybersecurity responsibilities into 8 domains:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
The domains are useful from a management perspective, but at the engineer/analyst level cybersecurity activities are often divided between “red” and “blue”. A “red team” works on the offense, imitating real threat actors to find weaknesses in an application or organization, and the “blue team” provides defense against all threats, from the red team and real-world threat actors alike. There is also a concept called “purple team”, where the red team works with the blue team to eliminate or mitigate any vulnerabilities that they were able to exploit, but that should be a function of any red team if they are expected to provide real value to an organization. There are also more specialized responsibilities in the space, like secure software development and DevSecOps.
Resources:
Things You Can Do About It
Ethical Hacking, Penetration Testing, and Red Team activities
There are companies that will pay you to find vulnerabilities in their systems and applications before the bad guys do. For this, you will need a certain set of skills. These resources will help you to learn these skills in a safe and legal way.
Resources:
Defensive Security and Blue Team activities
If you want to make your systems more secure and help others to do the same, these resources should help.
Resources:
Secure Software Development and DevSecOps
Secure software development is just what it sounds like, and DevSecOps is about integrating security into the application development and deployment cycle. This of course requires some programming and/or scripting knowledge, but it is extremely important to have at least some awareness of software security regardless of what you do in cybersecurity. Again, refer to the homepage for programming resources.
I'm including both unit testing and pipeline tools in this section, even though the learning curve can be steep and I haven't found a lot of good training resources yet (perhaps I should fill this gap myself). I'm also including cloud platforms - because they are useful for developing pipelines - even though they have much broader application and developing secure cloud architecture is its own thing entirely. I should break these out and expound on them at some point, but for now they are all here.
In learning these tools, you can actually get pretty far between just the documentation and asking ChatGPT for examples...and then asking ChatGPT for explanations of those examples; just be sure not to share sensitive or confidential information with ChatGPT. Also, whether you get code from forums or ChatGPT, make sure that you read and understand what it does, (1) so that you are learning, and (2) because executing arbitrary code that you do not understand is generally not a responsible thing to do.
Resources:
- OWASP - Open Worldwide Application Security Project: My favorite application security resource.
- OWASP Cheat Sheets: Click “Cheatsheets” on the sidebar for a library of current, concise, and actionable application security information.
- https://en.wikipedia.org/wiki/DevOps
- https://en.wikipedia.org/wiki/Continuous_integration
- https://en.wikipedia.org/wiki/Continuous_delivery
- https://en.wikipedia.org/wiki/Continuous_deployment
- AWS Skill Builder - Cloud Training for Amazon Web Services
- Google Cloud Skills Boost - Training for Google Cloud Platform
- Microsoft Learn for Azure - Cloud Training for Microsoft Azure
- Docker - Create Containers: "Package Software into Standardized Units for Development, Shipment and Deployment". Open source and free for some use cases: https://docs.docker.com/subscription/desktop-license/
- Kubernetes (K8s) - Orchestrate Containers: "Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications."
- Jenkins - Build Automated Pipelines: "The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project."
- SonarLint - Linter: SonarLint is a free and open source linter. A linter performs static analysis of your code and makes recommendations for consistency, clarity, avoiding code smells, and sometimes even security.
- SonarQube Community Edition - SAST (Static Application Security Testing): SonarQube - Community Edition (specifically) is a free and open source static analysis tool. SonarQube makes recommendations for avoiding code smells and improving security, and it can be integrated into DevSecOps pipelines.
- Semgrep - SAST: The open source version can be used locally for single-file code analysis.
- OWASP Zed Attack Proxy (ZAP): An open source web application scanner, for dynamic application security analysis.
- 5 tools to automate SBOM creation - Eddie Knight: I could expound on SBOMs (software bill of materials) and tools that help with software supply chain management, but this is a pretty good article I found on the subject that already includes some useful tools.
- Snyk - Developer Security Platform: There is a free version for individual developers and small teams.
- TruffleHog™ - Secrets Scanning Tool: "TruffleHog™ is a secrets scanning tool that digs deep into your code repositories to find secrets, passwords, and sensitive keys."
- The free and open Elastic (ELK) Stack - Search, Analytics, and Visualization
- NUnit - .NET Unit Testing
- JUnit - Java Unit Testing
- Selenium - Browser Automation: Open source browser automation tool – can be used for testing web applications.
- Jasmine - Testing Framework for JavaScript
- Karma - Test JavaScript in Multiple Browsers
- Angular Testing Guide - Uses Jasmine and Karma
- Jest - Testing Framework for JavaScript
- React Testing Guide - Uses Jest
- QUnit - Testing Framework for JavaScript
- Mocha - Testing Framework for Node.js
Data Forensics
It's just what it sounds like. I find memory analysis to be particularly interesting. Some malware cannot be found just by looking at the contents of the hard drive.
Resources:
Reverse Engineering
We're crossing into software territory here, for sure. Taking apart malware to understand how it works is a very useful thing in cybersecurity. (This is not the only legitimate application for reverse engineering, but it is the most relevant in this context.) Knowledge of programming and data forensics will definitely help here. As you are getting into these studies, understand that some malware propagates across networks, some malware knows when it is running in a virtual machine, some malware knows when it is being debugged, some malware is packaged and encrypted, some malware (polymorphic) changes every time it runs, and some malware can store itself in flash memory on the motherboard. This is not an exhaustive list of considerations; please read about fileless malware and malware persistence.
Resources:
Artificial Intelligence
AI is not exactly cyber, but it is the current hot topic, and it is widely misunderstood even in the security community. I recommend at least watching some of the free training videos out there to get an idea of the capabilities and limitations - especially the free WEKA and Udacity videos and courses. The link below is to the AI section on the homepage.
Resources:
Other Useful Tools
Some of these are covered as a part of other training listed above, but these are just tools that I think are cool.
Resources: