
Network Deep Dive

The Infiltration Path

From your first port scan to owning a domain. This is the breakdown nobody else gives you — the certs, the skills, and the honest reason behind each one.

Level 00 | 0–12 months | £25K–£35K

Entry Point

Foundational Layer

You cannot break into a network you don't understand. That sounds obvious, but most beginners skip right past it. They jump into hacking tools before they know what a packet even is, and then they wonder why nothing makes sense.

Level 00 is your foundation. You're learning the hidden logic that runs the internet — how computers talk to each other using TCP/IP, how your browser finds a website using DNS, and how networks are divided into segments using subnetting. More importantly, you're getting comfortable with the terminal. Everything in this field happens in the command line. The sooner it stops feeling foreign, the faster everything else clicks.

★ Recommended

Google Cybersecurity Certificate

Google / Coursera

What it teaches

This is an 8-course programme that walks you through the basics of security, Linux, networking, and Python scripting. It's built for complete beginners and doesn't assume you know anything going in. You get hands-on labs, readable content, and a certificate from one of the most recognised names in tech.

Why at this level

When you're applying for your first role with no experience, you need something on your CV that signals you're serious. Google's name carries real weight in the eyes of HR teams. It also gives you a structured path to follow instead of bouncing between random YouTube videos, which is where most people get stuck.

Practical Security Fundamentals

TCM Security

What it teaches

A video course from TCM Security that teaches you how real systems work and, more usefully, how they can be broken. You'll cover networking, common attack types, basic scripting, and get a feel for the offensive mindset early on. It's made by working professionals, not academics.

Why at this level

If you feel like you learn better by watching things break than by reading theory, this is the one for you. It builds intuition fast. Where the Google cert gives you breadth, this gives you a taste of what the job actually feels like. A lot of people run both at the same time.

Pre-Security Path

TryHackMe

What it teaches

TryHackMe is a browser-based learning platform where you complete interactive labs directly in your browser — no setup required. The Pre-Security path covers networking, web fundamentals, and basic Linux in small, digestible modules. Each room takes about 30 to 60 minutes.

Why at this level

Nothing kills motivation faster than spending three hours trying to set up a lab environment before you've even learnt anything. TryHackMe removes that barrier completely. You're doing real tasks from day one, which builds confidence much faster than reading. Start here if you've never touched security before.


Networking (TCP/IP)

Digital Physics

Tools: Wireshark, Nmap, Ping / Traceroute

What it is

TCP/IP is the language computers use to talk to each other. Every time you visit a website, send a message, or download a file, this protocol is doing the work behind the scenes. You need to understand how data is broken into packets, how those packets travel from one machine to another using IP addresses, and how TCP makes sure they all arrive in the right order.

Why you need it here

Everything in network pentesting is built on top of this knowledge. When you run a port scan, you're probing TCP and UDP ports. When you capture traffic in Wireshark, you're reading these packets. When you spot something suspicious, it's because you know what the traffic is supposed to look like normally. Without this, you're guessing.
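An added example (not code from the original page) showing the packet structure the paragraph describes: it decodes the IPv4 and TCP header fields from constructed sample packets, lists the TCP flags you would see on a SYN probe or a normal data segment, and reorders out-of-order segments by sequence number, which is the job TCP does for you. All addresses, ports and payloads are made up.

```python
"""Decode raw IPv4 + TCP headers and put out-of-order segments back together.

Constructed sample packets only (checksums left at zero); no live capture needed.
"""
import socket
import struct

# TCP flag bits, low to high, as they sit in the 13th/14th header bytes.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields plus the bytes that follow the header."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options can push it past 20
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,  # 6 = TCP, 17 = UDP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Return the TCP header fields plus the application data after the header."""
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4  # upper 4 bits: header length in 32-bit words
    flag_bits = offset_flags & 0x01FF
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flag_bits & bit],
        "window": window,
        "data": segment[data_offset:],
    }


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, flags: int,
                 data: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet for the constructed samples (checksums zeroed)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def reassemble(packets: list) -> bytes:
    """Order TCP payloads by sequence number, as the receiving stack does."""
    segments = [parse_tcp(parse_ipv4(p)["payload"]) for p in packets]
    segments.sort(key=lambda s: s["seq"])
    return b"".join(s["data"] for s in segments)


# Constructed sample: one HTTP request split over three segments, delivered out of order.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, seq=7, flags=0x18, data=b"HTTP/1.0"),
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, seq=15, flags=0x18, data=b"\r\n"),
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, seq=1, flags=0x18, data=b"GET / "),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        ip, tcp = parse_ipv4(pkt), parse_tcp(parse_ipv4(pkt)["payload"])
        print(f"{ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} "
              f"seq={tcp['seq']} flags={tcp['flags']} data={tcp['data']!r}")
    print("reassembled:", reassemble(SAMPLE_PACKETS))
```

Open the same three packets in Wireshark and the fields this script prints are exactly the ones its packet details pane shows; seeing a bare SYN with no ACK is what a port-scan probe looks like in that pane.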

Resources

Free Resources

NetworkChuck (YouTube)

NetworkChuck has a gift for making networking feel like something you'd actually want to learn. His videos are energetic and visual. Watch his networking and subnetting series before anything else.

Professor Messer (YouTube)

More structured and thorough than NetworkChuck. Messer covers every networking concept you'll need for CompTIA certifications and real-world work. Great to watch alongside a cert course.

Paid / Professional

Jeremy's IT Lab (CCNA)

If you want to go deep on networking, Jeremy's CCNA course is the gold standard. It's affordable, incredibly detailed, and covers everything from basic routing to advanced switching. You don't need the CCNA cert right now, but working through the course gives you a level of network understanding that very few junior pentesters have.


OS Fundamentals

The Ground You Stand On

Tools: Linux Terminal, PowerShell, VirtualBox

What it is

Operating system fundamentals means understanding how Linux and Windows actually work — user accounts, file permissions, processes, services, and the file system structure. On Linux, you're living in the terminal. On Windows, you need to understand things like the registry, Active Directory, and PowerShell. Both matter.

Why you need it here

Almost every server you'll ever attack will be running Linux. Almost every user device in a corporate environment runs Windows. You need to be comfortable in both. If you don't know how to navigate a Linux file system, or how Windows manages user permissions, you'll get stuck the moment you land on a machine. This is non-negotiable.

Resources

Free Resources

Linux Journey

An interactive, self-paced website that teaches Linux from scratch. It starts with the absolute basics and builds up to more advanced topics over time. It's well-written and genuinely enjoyable to go through.

Microsoft Learn

Microsoft's free learning portal. The paths on Windows Server and PowerShell fundamentals are especially useful. It's dry in places, but the content is accurate and comprehensive.

Paid / Professional

TCM Linux 101

TCM's Linux course is specifically designed with pentesters in mind. It covers the commands and concepts you'll actually use in the field, rather than the theory-heavy content you'd get from a general Linux certification. Well worth the price.

Level 01 | 0–2 years | £35K–£55K

Junior Network Pentester

First Scans, First Reports

You've found your first open port. You've spotted a service that hasn't seen a security patch since 2017. Now comes the part that actually matters: making the client understand why they should care.

At this level you're a vulnerability detective. You use Nmap to map out what's running on a network, Metasploit to test whether an old vulnerability is actually exploitable, and then you sit down and write a clear report that explains the risk in plain English. The technical skill is important, but the communication skill is just as valuable. Companies pay for reports, not just shells.

★ Recommended

eJPTv2 (eLearnSecurity Junior Penetration Tester)

INE / eLearnSecurity

What it teaches

The eJPTv2 is a practical, hands-on exam that tests you on a live network. You'll scan for open ports, identify vulnerable services, and exploit them to complete a set of objectives. There's no multiple choice. You either compromise the machines or you don't. The course material that comes with it covers the full pentesting methodology from reconnaissance through to reporting.

Why at this level

This is the best starting cert for someone brand new to pentesting. It's affordable, achievable within a few months of study, and it forces you to actually do the work rather than just memorise answers. More importantly, it gives you a structured methodology to follow so you're not just throwing tools at a target and hoping something works. Recruiters recognise it as a sign that you know the basics.

PJPT (Practical Junior Penetration Tester)

TCM Security

What it teaches

The PJPT is a 48-hour practical exam set in an Active Directory environment. You need to compromise a network, escalate your privileges, pivot through machines, and submit a professional written report when you're done. TCM built it specifically to address the gap between book knowledge and what real junior pentesting jobs actually look like.

Why at this level

It's one of the most affordable professional certifications available and it produces better evidence of practical skill than most certs that cost five times the price. The report-writing requirement is especially valuable because it prepares you for the part of the job that most beginners ignore entirely. If you were considering the eJPTv2 but would prefer a more direct route into Active Directory work, this is a solid alternative.


Enumeration and Discovery

Mapping the Target

Tools: Nmap, Netcat, Enum4linux

What it is

Enumeration is the process of systematically figuring out what's running on a target network. You're looking for open ports, the services behind them, the version numbers of those services, and any configuration details that might hint at a weakness. This includes things like identifying what operating system a machine is running, what shares are accessible over the network, and what usernames might be valid.

Why you need it here

Pentesting is about finding doors. Enumeration finds every single door and labels each one. If you rush this step and miss an open port, you've potentially missed the one service that would have given you access to everything. Professionals spend as long on enumeration as they do on exploitation itself, sometimes longer. It's not glamorous, but it's where engagements are won or lost.

Resources

Free Resources

John Hammond (YouTube)

John is a competition hacker and security educator who walks through real machines step by step. Watching how he approaches enumeration on HackTheBox and TryHackMe rooms teaches you the mental process, not just the commands.

TryHackMe Junior Pentester Path

This learning path covers everything in this level in a practical, guided format. You'll get hands-on time with Nmap, Burp Suite, and various exploitation techniques. It's the most structured free resource for building a junior skill set.

Paid / Professional

TCM Practical Ethical Hacking

This is the course that most people in the industry point juniors toward. It covers everything from basic networking through to Active Directory exploitation, and it's taught in a way that actually makes sense. If you can only buy one course at this level, make it this one.


Report Writing

The Deliverable

Tools: Markdown, MS Word, SysReptor

What it is

A pentest report is the formal document you hand to the client at the end of an engagement. It needs to explain what you found, how serious each vulnerability is, how you tested it, and exactly what the client should do to fix it. A good report is clear enough for a non-technical manager to understand but detailed enough for a developer to act on.

Why you need it here

The shell is yours. The report is theirs. Clients can't see what you did inside their network — all they have is the document you produce. If the report is vague, poorly structured, or full of jargon, the client won't know what to fix and you won't get hired again. Report writing is a skill that separates people who get repeat business from people who don't. Learn it early.

Resources

Free Resources

PentesterLand Writeups

A curated collection of real-world writeups from bug bounty hunters and pentesters. Reading how others document their findings teaches you what good reporting looks like and gives you a reference point for structuring your own work.

Paid / Professional

TCM Academy Reporting Course

TCM built a dedicated course on report writing because they noticed how many people coming out of technical training couldn't produce a professional deliverable. It teaches you the structure, the language, and the reasoning behind professional pentest reports.

Level 02 | 2–5 years | £55K–£80K

Advanced Network Pentester

Active Directory and Lateral Movement

In most corporate environments, the real target isn't a single server. It's the Domain Controller — the machine that manages identity and access for every user and device in the company. Owning that machine means owning the organisation.

Level 02 is about thinking in chains rather than individual vulnerabilities. You find one unpatched machine, capture a password hash, crack it or relay it to another machine, and keep moving until you reach a Domain Controller. Tools like BloodHound help you visualise the shortest path through the network. The technical complexity here is real, but once it clicks, it feels less like hacking and more like solving a puzzle.

★ Recommended

PNPT (Practical Network Penetration Tester)

TCM Security

What it teaches

The PNPT is a five-day practical exam where you're given access to a real Active Directory environment and told to compromise it. You need to perform full network enumeration, exploit vulnerabilities in the AD configuration, escalate to Domain Admin, and then present your findings in both a written report and a live debrief session with the exam board. No multiple choice. No shortcuts.

Why at this level

This is widely considered the best practical certification for aspiring professional pentesters. The live debrief component is unique — it mirrors what real consultants have to do at the end of a client engagement. Passing this proves you can handle the full lifecycle of a professional assessment, not just the technical parts. Many hiring managers see this as the benchmark for junior-to-mid level roles.

HTB CPTS (Certified Penetration Testing Specialist)

Hack The Box

What it teaches

The CPTS is one of the most technically demanding entry-level certifications in the industry. It covers the entire penetration testing methodology across web applications, internal networks, and Active Directory environments. The exam itself is a gruelling ten-day practical assessment against a simulated corporate network.

Why at this level

Hack The Box has a reputation for difficulty that the broader industry respects. Candidates who pass the CPTS have genuinely earned it. For employers, it's a reliable signal that the person knows their methodology and can handle complex, real-world engagements. If you want to signal technical seriousness on your CV, this carries serious weight alongside the PNPT.


Active Directory Exploitation

The Keys to the Kingdom

Tools: BloodHound, Mimikatz, Responder, Impacket

What it is

Active Directory is the system that almost every Windows-based corporate network uses to manage who has access to what. Every user account, every computer, every permission in the organisation flows through it. Exploiting AD means abusing the misconfigurations and design weaknesses in that system to gain access to accounts and machines you weren't meant to touch. Common techniques include Kerberoasting, Pass-the-Hash, and NTLM relay attacks.

Why you need it here

If you're doing a corporate pentest and you can't attack Active Directory, you're limited to the surface. Nearly every client network you'll encounter will run on Windows and AD. Understanding how to enumerate it with BloodHound, extract credentials with Mimikatz, and move laterally using Impacket is what separates a junior who does web vulns from a mid-level consultant who can demonstrate full domain compromise.
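From the defender's side, an added example (not code from the original page or from any of the tools named) of what Kerberoasting looks like in Domain Controller logs: it scans constructed Windows Event 4769 records for one account requesting RC4 service tickets for several distinct SPN accounts inside a short window. Account names, services, timestamps, the window and the threshold are all assumed values.

```python
"""Spot Kerberoasting-style service ticket requests in Windows 4769 events.

The events below are constructed samples, not real logs. A 4769 event
("A Kerberos service ticket was requested") carries the requesting account,
the service name (the account that holds the SPN) and the ticket encryption type.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # RC4 tickets are the ones offline cracking targets most easily
WINDOW = timedelta(minutes=5)  # assumed: how close together the requests must be
THRESHOLD = 3                  # assumed: distinct services from one account inside WINDOW

SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "account": "alice@CORP.LOCAL", "service": "sqlsvc", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "alice@CORP.LOCAL", "service": "httpsvc", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "account": "alice@CORP.LOCAL", "service": "backupsvc", "etype": "0x17"},
    {"time": "2024-05-01T09:00:04", "account": "alice@CORP.LOCAL", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-05-01T09:00:05", "account": "alice@CORP.LOCAL", "service": "WS01$", "etype": "0x12"},
    {"time": "2024-05-01T09:10:00", "account": "bob@CORP.LOCAL", "service": "sqlsvc", "etype": "0x12"},
    {"time": "2024-05-01T11:30:00", "account": "bob@CORP.LOCAL", "service": "httpsvc", "etype": "0x17"},
]


def is_roastable_request(event: dict) -> bool:
    """Keep only RC4 tickets for user accounts that hold an SPN.

    Computer accounts (names ending in $) and krbtgt are skipped: their keys
    are long and random, so tickets for them are not worth cracking offline.
    """
    service = event["service"]
    return (event["etype"] == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def find_kerberoast_candidates(events, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {account: [services]} for accounts that pulled RC4 tickets for at
    least `threshold` distinct services within any `window`-long stretch."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    hits = {}
    for account, requests in per_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= threshold:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Domains that still legitimately issue RC4 tickets will need the window and threshold tuned, and an attacker can request AES tickets instead, so in AES-only environments drop the encryption-type filter and baseline per-account distinct-SPN counts.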

Resources

Free Resources

IppSec (YouTube)

IppSec publishes methodical video walkthroughs of retired HackTheBox machines. His AD-focused videos are among the best free resources for learning how real attacks play out in practice. Watch how he thinks, not just what he types.

Impacket GitHub Repository

Impacket is a Python library that powers most network-level AD attacks. Understanding how to use the scripts that come with it — psexec.py, secretsdump.py, GetST.py — is a fundamental skill. The GitHub page has documentation and usage examples for each tool.

Paid / Professional

Altered Security CRTP

The Certified Red Team Professional course from Altered Security is built specifically around attacking Active Directory. It's thorough, well-structured, and taught by people who research AD attacks professionally. If you want to truly understand AD exploitation rather than just knowing a handful of commands, this course makes the difference.

Level 03 | 5–8 years | £80K–£110K

Senior Red Team Operator

Adversary Simulation and EDR Evasion

You're not running a vulnerability scan anymore. You're playing a specific role: a real-world threat actor with time, patience, and a goal. Your job is to test whether the organisation's security team can actually detect and stop a determined attacker.

Red Team operations are built for stealth. You manage your own command and control infrastructure, write custom code to avoid triggering antivirus and endpoint detection tools, and map your actions against known threat actor techniques using frameworks like MITRE ATT&CK. The difference between a pentest and a red team engagement is that in a pentest you find the holes. In a red team engagement, you test whether anyone notices you going through them.

★ Recommended

OSCP+

OffSec

What it teaches

The OSCP is a 24-hour hands-on exam where you're given a set of machines and told to compromise as many as possible. The course that comes with it — PEN-200 — covers the full offensive security methodology including enumeration, exploitation, privilege escalation, and post-exploitation. The 2026 version adds updated Active Directory scenarios and modern evasion techniques.

Why at this level

The OSCP is the most recognised penetration testing certification in the world, full stop. It has been the industry benchmark for senior roles for over a decade. Even if you have other strong certifications, many job listings still list it as a requirement or preference at the senior level. The difficulty is real and the pass rate is not high, which is precisely why passing it carries so much weight.

CRTO (Certified Red Team Operator)

Zero-Point Security

What it teaches

The CRTO is a focused course and exam built around Cobalt Strike and modern red team tradecraft. You learn how to set up and manage a C2 infrastructure, how to stay under the radar of EDR tools, and how to conduct a structured adversary simulation campaign. The exam is a 48-hour practical lab scenario.

Why at this level

While the OSCP proves you can find and exploit vulnerabilities, the CRTO proves you understand how to operate like a threat actor over time. It covers the tradecraft side — opsec, persistence, pivoting, and staying quiet — that most offensive tools courses skip over. For anyone moving into dedicated red team roles, this is the most directly applicable cert available.


Payload Development

Bypassing the Guard

Tools: C / C++, C#, Visual Studio, Custom Loaders

What it is

Payload development means writing your own code to deliver and execute a malicious action on a target system. This includes things like shellcode loaders that inject your beacon into a running process, custom droppers that disguise themselves as legitimate files, and obfuscation techniques that change the signature of your code so endpoint detection products don't flag it.

Why you need it here

Off-the-shelf tools like Metasploit payloads and known C2 frameworks are immediately detected by any half-decent endpoint security product. If you show up to a red team engagement using a standard Cobalt Strike beacon with default settings, you'll be caught in under ten minutes. Writing your own tooling, or at least understanding how to significantly modify existing tools, is what allows you to actually operate in hardened environments where clients are spending serious money on detection.

Resources

Free Resources

Red Team Notes (ired.team)

One of the most comprehensive free references for red team techniques on the internet. The malware development and evasion sections are particularly valuable, covering everything from basic shellcode injection to bypassing modern Windows security features.

Paid / Professional

SANS SEC660

SEC660 is a week-long advanced course that covers exploit development, custom tool writing, and attacking hardened environments. It's expensive, but it's one of the most technically rigorous courses available and is often funded by employers for senior team members.

Level 04 | 8+ years | £110K–£160K+

Principal Security Researcher

Zero-Days and Exploit Development

At this level, you're not using other people's exploits anymore. You're finding the vulnerabilities that nobody else in the world has documented yet.

Principal researchers spend their days pulling apart compiled software using tools like Ghidra and IDA Pro, looking for logic errors, memory corruption bugs, or cryptographic weaknesses. They run automated fuzzing campaigns that throw millions of malformed inputs at a target application until it crashes in an interesting way. When they find something, they weaponise it — building a working proof of concept — and then responsibly disclose it or publish research that changes how the industry thinks about a problem. This is where the ceiling of the profession is.

★ Recommended

OSEP (OffSec Experienced Pentester)

OffSec

What it teaches

OSEP covers advanced attack techniques for hardened environments — environments that have modern AV, EDR, application whitelisting, and other defensive layers in place. The course teaches you how to bypass each of these controls using a combination of custom tooling, living-off-the-land techniques, and creative exploitation chains. The exam is a gruelling 48 hours in a fully defended simulated corporate network.

Why at this level

For anyone who has passed the OSCP and wants to demonstrate that they can operate at the expert level, OSEP is the natural next step. It's specifically designed for situations where the standard playbook doesn't work — where the target organisation actually knows what they're doing defensively. Passing it proves you can think creatively under constraints and that you're not reliant on known public exploits.

GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)

GIAC / SANS

What it teaches

The GXPN validates deep knowledge of exploit development, including writing shellcode, bypassing modern OS memory protections like ASLR and DEP, and performing advanced network protocol attacks. It's associated with the SANS SEC660 course and is entirely exam-based, requiring you to demonstrate both theory and application.

Why at this level

In the research and specialist exploit development world, the GXPN is one of the certifications that marks you out as a serious technical mind. It's not for everyone — the content is demanding and the exam reflects that — but for people pursuing roles in vulnerability research, offensive tooling development, or government-adjacent security work, it's a meaningful credential that most candidates don't have.


Zero-Day Research

Finding What Nobody Else Found

Tools: Ghidra, IDA Pro, WinDbg, AFL++

What it is

Zero-day research is the process of finding previously unknown vulnerabilities in software, usually in closed-source commercial applications or operating system components. You use reverse engineering tools to read compiled machine code without access to the source, fuzz testing frameworks to find crash conditions, and debugging tools to understand exactly what goes wrong at the code level when those crashes occur. The goal is a working proof of concept that demonstrates real-world impact.

Why you need it here

This is the deepest form of offensive security work. Finding a zero-day in a Microsoft product, a network device, or a widely used piece of software is a significant technical achievement that commands both industry respect and serious financial compensation, whether through bug bounty programmes, direct disclosure payments, or the specialised commercial research roles that operate at this level. It also has a direct impact on security for everyone, which is worth noting.

Resources

Free Resources

OpenSecurityTraining2

OST2 offers a series of self-paced courses on low-level security topics including architecture, operating system internals, and exploit development. The content is academically rigorous and written by people who research this professionally. It's the best free deep-dive resource available for this level of work.

LiveOverflow (YouTube)

LiveOverflow makes long-form videos about binary exploitation, CTF challenges, and low-level vulnerability research. His explanations of heap exploits, format string bugs, and browser vulnerabilities are accessible without dumbing them down. An excellent resource for building the mental models you need at this level.

Paid / Professional

Fuzzing101

A free but structured exercise repository that teaches fuzzing by having you find real CVEs in real software. Working through the exercises gives you practical experience with AFL++ and other fuzzing frameworks in a way that no amount of reading about fuzzing can replicate.