
Web Hacking Deep Dive

Web Hacking: The Career Path, Explained

Most people think hacking is about typing fast in a dark room. It's not. It's about understanding a system so deeply that you can make it do things the original developer never intended. This guide is the "No-BS" roadmap for moving from curious beginner to a Pentest Lead, covering the specific tools, scars, and skills you actually need to survive in the field.

Level 00 | 0–6 months | £25K–£35K

The Entry Point

Building the Foundation

In security you will inevitably break things, and you will need to understand exactly how they broke. Before you can spot a real attacker you must learn the ground you stand on. That starts here.

You have to start by learning operating systems and networks. The internet essentially runs on Linux; if you cannot navigate a terminal comfortably, you are effectively blind in a Security Operations Centre. It is the difference between clicking a button on a dashboard and understanding the command that just executed across your entire fleet of endpoints.

You also cannot defend what you do not understand. Networking is the physics of the digital world: if you do not know how a normal packet moves from point A to point B, you will never spot the packet that shouldn't be there. This level slowly turns intimidating technical jargon into concepts you can explain to a friend over coffee.

Certifications

★ Recommended

Google Cybersecurity Certificate

Coursera / Google

What it teaches

An overarching start to security. It guides you from the absolute basics of networking and Linux command line straight through to fundamental threat detection and simple Python scripting. It is incredibly comprehensive and quite affordable.

Why at this level

This is the absolute best generalist start. It doesn't bog you down with overly dense engineering details. More importantly finishing it proves to employers you can actually commit to a multi-month learning discipline while showing them you understand the broad strokes of a blue team role. It carries heavy weight because HR departments recognize the brand name.

TryHackMe Pre-Security

TryHackMe

What it teaches

Bite-sized, gamified lessons that focus on removing the fear from foundational concepts. You interactively learn networking layers, HTTP, DNS, and fundamental security terminology right in your normal browser.

Why at this level

We put this here because it has the absolute lowest barrier to entry. It turns intimidating tech into small manageable missions. It's about building your vital confidence and allowing you to spin up an interactive lab safely before you spend your hard-earned cash or get totally overwhelmed.

TCM Practical Security Fundamentals

TCM Security Academy

What it teaches

A hands-on practical course that avoids dry static slide decks in favour of real-world demonstrations of exactly how the modern digital world works and then quickly breaks it apart.

Why at this level

TCM is strictly for the hands-on learner. If you hate text-heavy slides and genuinely want to see how networks and operating systems break from day one, this is your top pick. It focuses on the fundamental 'how' of security, not just the theory.

Skills & Labs


Networking (TCP/IP)

Core Knowledge

Tools: VirtualBox, Terminal, PowerShell

What it is

The fundamental 'language' of how data moves across a network, including DNS, DHCP, and Subnetting.

Why you need it here

You can't defend what you don't understand. If you don't know how a DNS request is supposed to look, you'll never spot a C2 server 'hiding' in plain sight. This is the physics of the digital world—ignore it, and you're just guessing.



OS Fundamentals

Operating Systems

Tools: Linux, Windows, VirtualBox

What it is

Deep knowledge of how operating systems manage files, processes, and users across Windows and Linux environments.

Why you need it here

You need to know what 'Normal' looks like to identify 'Abnormal.' Attackers love to hide in system folders or create 'ghost' users. If you don't know your way around the Linux filesystem or the Windows Registry, you're a blind defender.


Scripting Basics

Automation

Tools: Python, Bash, Terminal

What it is

Using code like Python or Bash to automate repetitive, manual tasks and process large datasets.

Why you need it here

Speed is your greatest weapon. You don't want to be the person manually checking 500 logs. You want to be the person who writes a 10-line script to do it in 5 seconds. Automating the boring stuff leaves you time for the actual hunting.
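The two skills above meet in a script like the following. It is an added example written for this guide, not code from the page or from any course it names: a short Python script that reads a constructed DNS query log (the timestamps, client addresses and the badcorp-placeholder.net domain are all made up) and flags the queries a defender would want to look at, which is the kind of "10-line script" the paragraph has in mind. Knowing what a normal DNS name looks like is what makes the two heuristics work: a long, digit-heavy leftmost label is how machine-generated names tend to look, and one client fanning out across many distinct names under a single parent domain is a classic tunnelling pattern. The thresholds are demo values chosen for the sample; a real deployment would tune them and use the public suffix list rather than the "last two labels" guess.

```python
import re
from collections import defaultdict

# Constructed DNS query log (not real traffic): "<timestamp> <client> <qtype> <qname>".
# Lines 4-6 mimic a tunnelling/beaconing pattern: long machine-generated leftmost
# labels under one parent domain, all from one client. Line 7 is a long but
# human-readable hostname that a naive "label too long" rule would wrongly flag.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 AAAA mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 A cdn.static-assets.example.org
2024-05-01T10:00:04Z 10.0.0.9 TXT 3a7f1c9e2b5d8046f4e0a8c1b9d27563.t.badcorp-placeholder.net
2024-05-01T10:00:05Z 10.0.0.9 TXT 7e2b9f0c4a1d6835c5d8a3f1e94b7260.t.badcorp-placeholder.net
2024-05-01T10:00:06Z 10.0.0.9 TXT b0d5e9a2c7f3146829f6b1e4d0c8a753.t.badcorp-placeholder.net
2024-05-01T10:00:07Z 10.0.0.7 A downloads-mirror-eu-west-archive.example.org
2024-05-01T10:00:08Z 10.0.0.5 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def parent_domain(qname, levels=2):
    """Crude registrable-domain guess: the last `levels` labels (a real tool would use the public suffix list)."""
    return ".".join(qname.split(".")[-levels:])


def longest_label_digit_ratio(qname):
    """Return (longest label, fraction of that label made of digits)."""
    label = max(qname.split("."), key=len)
    digits = sum(ch.isdigit() for ch in label)
    return label, digits / len(label)


def flag_queries(log_text, max_label_len=25, min_digit_ratio=0.3, max_unique_names=2):
    """Return findings for queries that look machine-generated or that fan out across many names.

    Thresholds are demo values for the sample above; tune them on real baseline traffic.
    """
    findings = []
    names_seen = defaultdict(set)  # (client, parent domain) -> distinct query names seen so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        label, ratio = longest_label_digit_ratio(rec["qname"])
        if len(label) > max_label_len and ratio >= min_digit_ratio:
            reasons.append(f"machine-looking label {label!r} (len={len(label)}, digits={ratio:.2f})")
        key = (rec["client"], parent_domain(rec["qname"]))
        names_seen[key].add(rec["qname"])
        if len(names_seen[key]) > max_unique_names:
            reasons.append(f"{len(names_seen[key])} distinct names under {key[1]} from {key[0]}")
        if reasons:
            findings.append({"client": rec["client"], "qtype": rec["qtype"],
                             "qname": rec["qname"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_queries(SAMPLE_LOG):
        print(f["client"], f["qtype"], f["qname"], "->", "; ".join(f["reasons"]))
```

Run as-is it prints only the three badcorp-placeholder.net queries from 10.0.0.9; the long mirror hostname from 10.0.0.7 passes because its label contains no digits, and the third flagged query also carries the fan-out reason. Swapping the sample text for a real resolver log and the digit-ratio rule for whatever your baseline shows is the whole adaptation.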


Level 01 | 0–2 years | £35K–£55K

Junior Pentester

First Exploits, First Reports

Welcome to the middle of the fight. As a Junior Pentester, you’ve stopped just reading about bugs and started finding them. You’re learning to use Burp Suite to 'catch' web requests in mid-air and change them before they reach the server.

But here is the secret: Finding the bug is only 50% of the job. The other 50% is writing a report that is so clear a stressed-out developer can fix it in ten minutes. If you can’t explain the risk, the bug doesn't matter. You are developing 'The Eye'—the ability to look at a login screen and instinctively know three different ways to try and break it.

Certifications

★ Recommended

PWPA — Practical Web Pentest Associate

TCM Security

What it teaches

A brutal, 100% lab-based exam that strips away the multiple-choice fluff and tests if you can actually hack. It forces you to enumerate services, find realistic web vulnerabilities, and chain them together in a live, sandboxed environment without having your hand held.

Why at this level

This is the best value in the industry right now for proving you can sit down on Day 1 and perform a real web assessment. Employers don't care if you memorized port numbers; they want to know if you can find the bug and write a professional report explaining it. PWPA proves exactly that.

eWPT — eLearnSecurity Web Penetration Tester

INE

What it teaches

A highly respected practical exam that dives deep into advanced web application exploitation. It covers everything from bypassing complex authentication mechanisms to exploiting blind SQL injections and chaining XSS attacks to steal admin cookies.

Why at this level

It serves as a massive confidence builder and a great 'middle ground' certification. Passing it requires you to not just exploit a network, but to professionally document every single finding. It teaches you that a hacked server means nothing if you can't articulate the business risk.

Skills & Labs


OWASP Top 10

Core Vulnerabilities

Tools: Browser, Burp Suite, SQLMap

What it is

Mastering the most common 'death blows' like SQL Injection, XSS, and Broken Access Control.

Why you need it here

The vast majority of web vulnerabilities encountered in real assessments fall into these core categories. You cannot be a pentester without deeply understanding them.
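Broken Access Control, the first of the 'death blows' named above, is easier to recognise in code than in prose. The following is an added example written for this guide, not code from the page or from any course it names: a toy invoice API in Python with a constructed in-memory store and session table (the user ids, tokens and amounts are made up). The vulnerable lookup authenticates the caller but never checks who owns the record, which is exactly the Insecure Direct Object Reference (IDOR) that the later levels talk about chaining. The hardened lookup enforces object-level authorization, returns the same not-found error for "doesn't exist" and "not yours" so the endpoint cannot be used to enumerate valid ids, and logs every denial so that one session walking through many ids becomes visible to the defender.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for both missing and foreign objects, so the API does not reveal which ids exist."""


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed data store and session table (hypothetical; stands in for a database).
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.00),
    1002: Invoice(1002, owner_id=9, amount=9800.00),
}
SESSIONS = {
    "sess-alice": {"user_id": 7, "role": "customer"},
    "sess-bob": {"user_id": 9, "role": "customer"},
    "sess-ops": {"user_id": 1, "role": "finance-admin"},
}

AUDIT_LOG = []  # denied lookups: the signal a SOC alerts on when one user probes many ids


def get_invoice_vulnerable(session_token, invoice_id):
    """Broken Access Control: checks that the caller is logged in, never that they own the object."""
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]  # any logged-in user can read any invoice by changing the id


def get_invoice_hardened(session_token, invoice_id):
    """Object-level authorization: the caller must own the record or hold a role allowed to read all."""
    session = SESSIONS.get(session_token)
    if session is None:
        raise PermissionError("not logged in")
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice.owner_id == session["user_id"] or session["role"] == "finance-admin"
    )
    if not allowed:
        # One error for "does not exist" and "not yours": a distinguishable 403 would let a
        # caller enumerate valid ids. The denial is recorded so repeated probing stands out.
        AUDIT_LOG.append({"user_id": session["user_id"], "invoice_id": invoice_id, "outcome": "denied"})
        raise NotFound(invoice_id)
    return invoice


def count_denials(user_id):
    """Detection helper: number of denied object lookups recorded for a user."""
    return sum(1 for entry in AUDIT_LOG if entry["user_id"] == user_id)


def attempt(lookup, session_token, invoice_id):
    """Run a lookup and describe the outcome as a short string (used by the demo below)."""
    try:
        invoice = lookup(session_token, invoice_id)
        return f"ok owner={invoice.owner_id}"
    except NotFound:
        return "not-found"
    except PermissionError:
        return "unauthenticated"


if __name__ == "__main__":
    print("vulnerable, alice reads bob's invoice:", attempt(get_invoice_vulnerable, "sess-alice", 1002))
    print("hardened,   alice reads bob's invoice:", attempt(get_invoice_hardened, "sess-alice", 1002))
    print("hardened,   alice reads missing id:   ", attempt(get_invoice_hardened, "sess-alice", 4242))
    print("hardened,   finance reads bob's:      ", attempt(get_invoice_hardened, "sess-ops", 1002))
    print("denials logged for alice:", count_denials(7))
```

The point to take from the hardened version is that the authorization decision is made against the object fetched from the store, not against the id the client supplied; in a real service that check belongs in one place (a repository or policy layer) so that no new endpoint can forget it.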


Request Interception

Dynamic Testing

Tools: Burp Suite, Caido, FoxyProxy

What it is

Using local proxies to catch, modify, and replay HTTP/S requests in mid-air before they reach the server.

Why you need it here

Modern web apps rely on complex client-side interactions. If you only look at the UI, you miss 80% of the attack surface. Interception lets you talk directly to the backend.



Vulnerability Documentation

Reporting

Tools: Markdown, SysReptor, Ghostwriter

What it is

Learning to write concise, reproducible Proof-of-Concepts (PoCs) that clearly prove the business risk is real.

Why you need it here

Finding the bug is only 50% of the job. Writing a report that is so clear a stressed-out developer can fix it in ten minutes is what actually gets you paid and rehired.


Level 02 | 2–5 years | £55K–£80K

Exploitation Specialist

Full Engagements, Cloud & Chaining

At this stage, you stop looking for 'single' bugs and start looking for 'chains.' An attacker doesn't just stop at a small information leak; they use that leak to steal a session, which they use to bypass an IDOR, which leads to a full data breach.

You’re also moving into the Cloud. Most modern companies don't own their servers anymore—they rent them from AWS or Azure. If you don't know how to find a misconfigured S3 bucket or a leaky IAM policy, you're missing half the attack surface. You are now an Exploitation Specialist, which means you aren't just a hacker; you’re a trusted advisor for the client.

Certifications

★ Recommended

CWES — HTB Certified Web Exploitation Specialist

Hack The Box

What it teaches

An intensely difficult, scenario-based practical exam from Hack The Box that puts you in the shoes of a real-world attacker. It tests your ability to read thick, complex source code (Whitebox testing) and leverage advanced techniques like Server-Side Template Injections (SSTI) and insecure deserialization.

Why at this level

At this level, generic automated scanners won't find the bugs anymore—you have to manually bend the logic of the application. The CWES proves you can handle high-pressure, complex defensive layers and actually creatively engineer an exploit when the easy tools fail.

BSCP — Burp Suite Certified Practitioner

PortSwigger

What it teaches

The official 'Pro' badge from PortSwigger, the actual creators of Burp Suite. This exam is a pure sprint—testing your ability to rapidly identify, exploit, and chain complex vulnerabilities within strict time limits using the industry's most essential tool.

Why at this level

Burp Suite is the definitive weapon of choice for web hackers. Having the BSCP tells any hiring manager in the world that you aren't just clicking 'Scan'; you are a certified power-user of the tool, capable of writing custom extensions and bypassing modern Web Application Firewalls (WAFs).

OSCP — OffSec Certified Professional

OffSec

What it teaches

The infamous 24-hour exam where you are dropped into a hostile network with strict rules and zero hints. It forces you to enumerate web services, drop shells, and ultimately escalate privileges to gain full Administrator control across multiple machines.

Why at this level

It is the undisputed 'Gold Standard' of the offensive industry. While it's broader than just web hacking, passing the OSCP proves to employers that you have the raw technical stamina, frustration tolerance, and the 'Try Harder' mindset required to survive as a professional hacker.

Skills & Labs


Cloud Pentesting

Infrastructure Attack

Tools: AWS CLI, Pacu, BloodHound

What it is

Hunting for misconfigurations in AWS, Azure, and GCP infrastructures, specifically targeting IAM policies and leaky buckets.

Why you need it here

Most modern companies don't own their servers anymore. If you don't know how to exploit a misconfigured S3 bucket or perform lateral movement in Azure, you're missing half the attack surface.
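"Leaky IAM policy" and "misconfigured S3 bucket" (both here and in the level introduction above) usually come down to a handful of patterns in a policy document, and checking for them is the first thing a cloud assessment does. The following is an added example written for this guide, not code from the page or from any course it names, and not an official AWS tool: a small Python auditor run over constructed policy documents (the account id, role and bucket names are placeholders). It flags a bucket policy that grants an anonymous principal access with no Condition, an identity policy with Action "*" on Resource "*", a service-wide wildcard on every resource, and iam:PassRole on every resource, and it shows a scoped bucket policy and a least-privilege identity policy passing clean. Real reviews would extend the rule list (NotAction, Deny statements, resource-policy Conditions) and feed in policies pulled with the AWS CLI.

```python
import json

# Constructed policy documents (hypothetical account id, role and bucket names).
BUCKET_POLICY_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
BUCKET_POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/uploads/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}
IAM_POLICY_OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Deploy", "Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    ],
}
IAM_POLICY_LEAST_PRIV = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadUploads",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/uploads/*",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy):
    """Return (severity, message) findings for an identity or bucket policy (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        # Resource policies carry a Principal; an unconditioned "*" means public access.
        if "Principal" in stmt and principal_is_anonymous(stmt["Principal"]) and not stmt.get("Condition"):
            findings.append(("HIGH", f"{sid}: anonymous principal may {actions} on {resources} (no Condition)"))
        if "*" in resources:
            if "*" in actions:
                findings.append(("CRITICAL", f"{sid}: Action '*' on Resource '*' is full account admin"))
            else:
                wild = [a for a in actions if a.endswith(":*")]
                if wild:
                    findings.append(("HIGH", f"{sid}: service-wide wildcard {wild} on Resource '*'"))
            if "iam:passrole" in actions:
                findings.append(("HIGH", f"{sid}: iam:PassRole on Resource '*' lets this identity hand any role, "
                                         "including privileged ones, to services it launches"))
    return findings


def summarize(policy):
    """Worst severity found in a policy, or 'OK' when nothing was flagged."""
    rank = {"CRITICAL": 2, "HIGH": 1}
    severities = [sev for sev, _ in audit_policy(policy)]
    return max(severities, key=rank.__getitem__) if severities else "OK"


if __name__ == "__main__":
    for name, doc in [("bucket/public", BUCKET_POLICY_PUBLIC), ("bucket/scoped", BUCKET_POLICY_SCOPED),
                      ("iam/overbroad", IAM_POLICY_OVERBROAD), ("iam/least-priv", IAM_POLICY_LEAST_PRIV)]:
        print(f"{name}: {summarize(doc)}")
        for sev, msg in audit_policy(doc):
            print(f"  [{sev}] {msg}")
```

The same function accepts the JSON string that `aws iam get-policy-version` or `aws s3api get-bucket-policy` returns, so the checker plugs directly into an assessment workflow; the contrast between the two bucket policies is the fix you would recommend in the report (named principal, narrowed resource, transport condition).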



Vulnerability Chaining

Exploitation

Tools: Burp Suite, Custom Scripts

What it is

Connecting individually insignificant flaws so that an attack escalates into massive impact.

Why you need it here

An attacker doesn't stop at an information leak; they use it to steal a session, bypass an IDOR, and achieve a full data breach. Exploitation Specialists need to prove catastrophic impact.



Client Scoping

Engagement Management

Tools: Notion, Legal Frameworks

What it is

Learning to manage the business side of an engagement: defining scope boundaries and Rules of Engagement (RoE), and managing client expectations.

Why you need it here

As an Exploitation Specialist, you are a trusted advisor. Understanding exactly what is out-of-bounds technically prevents legal disasters and ensures the client gets the targeted value they paid for.


Level 03 | 5–8 years | £80K–£110K

Senior Pentester

Red Teaming & Adversary Simulation

You are no longer just 'testing' a product; you are simulating a real-world predator. As a Senior, you conduct Red Team engagements where you try to stay hidden inside a network for weeks without being caught.

You’re using C2 (Command & Control) frameworks to manage your 'infected' machines and moving laterally through Active Directory. You’re also looking at the new frontier: AI. You’re finding ways to 'poison' an AI's brain or trick it into leaking company secrets. You think in Tactics, Techniques, and Procedures (TTPs). You don't just find a hole; you simulate an entire invasion.

Certifications

★ Recommended

OSWE — OffSec Web Expert

OffSec

What it teaches

A grueling 'White Box' assessment where you are handed the actual source code of a web application and tasked with finding deeply hidden logic flaws. You must write a custom script that chains multiple vulnerabilities together to completely compromise the application with a single command.

Why at this level

As a Senior, you can't rely strictly on black-box guessing anymore. The OSWE completely elevates your game by forcing you to understand PHP, Java, and Python backend code. It proves you can find 0-days in custom, proprietary software and write the exploits from scratch yourself.

CRTP — Certified Red Team Professional

Altered Security

What it teaches

A purely hands-on certification focused entirely on attacking enterprise Active Directory environments. You learn how to abuse built-in Windows protocols, forge Kerberos tickets, and establish persistent footholds without relying on third-party exploits that may already be patched.

Why at this level

Web hacking doesn't exist in a vacuum. Once you successfully exploit a web server, you are usually dropped into a massive internal corporate network. The CRTP is the essential badge that shows you know exactly how to pivot from a compromised web app to owning the entire Domain Controller.

Skills & Labs


Red Team TTPs

Adversary Simulation

Tools: Cobalt Strike, Sliver, Mythic

What it is

Simulating Advanced Persistent Threats (APTs) by establishing stealthy footholds, utilizing memory injection, and moving laterally undetected.

Why you need it here

You are no longer just 'testing' a product; you are testing the SOC's ability to catch a real-world predator. Finding a hole is easy; executing an entire invasion silently is an art.



Threat Modeling

Offensive Architecture

Tools: STRIDE, MITRE ATT&CK

What it is

Predicting and mapping out how an attacker will strike a complex architecture before they even attempt it.

Why you need it here

Seniors must think steps ahead of the defenders. By modeling the threat landscape, you identify the exact weak links in trust boundaries and focus your exploitation where it hurts most.



Emerging Threat Vectors

Social Eng / AI

Tools: Garak, Custom Phishing Frameworks

What it is

Exploiting cutting-edge technologies, for example poisoning an AI model so that it leaks secrets, combined with human-element Social Engineering.

Why you need it here

The boundaries of hacking constantly evolve. Tricking a human or a high-permission LLM instance bypasses millions of dollars in conventional network security infrastructure.


Level 04 | 8+ years | £110K–£160K+

Pentest Lead

Program Ownership & Strategy

You’ve survived the trenches, and now you’re the one who has to build them. As a Lead, you aren't just hacking one app; you're designing the entire program that secures a thousand apps.

Your success is no longer measured by how many bugs you find, but by how many bugs your system prevents. You are the bridge between the technical 'wizardry' of the Red Team and the cold reality of the Boardroom. You take a catastrophic vulnerability and translate it into a business risk report that a CEO can understand. You’re the architect of the company’s defense.

Certifications

★ Recommended

CISSP

ISC²

What it teaches

The management 'Golden Ticket'—a mammoth, mile-wide exam covering eight massive domains of security. It covers everything from cryptography and secure software development lifecycles (SDLC) to physical security and broad risk management architecture.

Why at this level

At the Lead level, nobody asks you to pop a reverse shell anymore. They ask you how much it financially costs to mitigate a risk across a thousand AWS instances. The CISSP is the exact vocabulary test that gets you the Director title and proves you can actually speak the language of the Boardroom.

GXPN — GIAC Exploit Researcher

GIAC

What it teaches

A highly prestigious technical certification focusing heavily on advanced exploit development, memory corruption, network evasion, and the deep, low-level mechanics of exactly how operating systems manage memory.

Why at this level

Just because you are managing the program doesn't mean you should lose your technical teeth. The GXPN commands massive respect in the Red Team community. It proves to your most senior engineers that you still have the lethal, technical edge needed to guide them through complex engagements.

Skills & Labs


Program Design

Strategy

Tools: Jira, Risk Matrices

What it is

Designing the entire framework and operational workflows for securing a thousand interconnected applications simultaneously.

Why you need it here

Your success is no longer measured by bugs found, but by bugs prevented systemically. You need to identify tool limitations, plan scaling strategies, and define what an internal security team focuses on.



Executive Communication

Leadership

Tools: PowerPoint, Executive Summaries

What it is

Translating catastrophic technical vulnerabilities into clear, actionable business risk reports that the C-Suite can understand in financial terms.

Why you need it here

To get the budget to fix the flaws, the Board needs to understand the financial impact. You are the critical bridge between Red Team wizardry and the cold reality of the boardroom.



Compliance & Governance

Legal Frameworks

Tools: CREST, NIST, OWASP SAMM

What it is

Navigating international compliance standards to ensure testing is strictly legal, audited properly, and meets regulatory thresholds.

Why you need it here

When operating at an enterprise scale, the law catches up with technical risk. Managing external audits and ensuring your internal program maps to legal requirements is mandatory.
