The Entry Point
Foundational Theory & Basic Logic
In the world of security, you will inevitably break things, and you need to understand exactly how they broke. Before you can ever spot a real attacker, you must learn the basic ground you stand on. This starts with the physics of the internet and the mechanics of operating systems.
The entire internet essentially runs on Linux. If you cannot navigate a terminal comfortably, you are effectively operating with a blindfold on. It is the clear difference between clicking a shiny button on a dashboard and genuinely understanding the command that just executed across your entire fleet of endpoints.
You also cannot defend or exploit what you do not understand. If you do not know how a normal packet moves from point A to point B, you will never be able to spot the packet that shouldn't be there. This level turns scary technical jargon into concepts you can actually explain to a friend over coffee.
Certifications
Google Cybersecurity Certificate
Coursera / Google
What it teaches
A broad and accessible start to security. It guides you from the absolute basics of networking and the Linux command line through to fundamental threat detection and simple Python scripting.
Why at this level
This is the best generalist starting point because it doesn't bog you down with overly dense engineering details. More importantly, finishing it proves to employers that you have the discipline to finish a multi-month course. HR departments universally recognize the Google brand, which helps with your initial resume screening.
TCM Practical Security Fundamentals
TCM Security Academy
What it teaches
A hands-on course that focuses on real-world demonstrations rather than dry slide decks. It shows you exactly how the modern digital world works and then logically takes it apart.
Why at this level
This is for learners who prefer doing over watching. If you want to see how networks and operating systems actually break from day one, this is your best choice. It focuses on the fundamental 'how' of security rather than just the academic theory.
Skills & Labs
Networking (TCP/IP)
Core Knowledge
What it is
The fundamental language of how data moves across a network, including DNS, DHCP, and Subnetting.
Why you need it here
You can't exploit what you don't understand. If you don't know how a DNS request is supposed to look, you'll never spot a malicious server hiding in plain sight. This is the physics of the digital world.
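To make "how a DNS request is supposed to look" concrete, here is an added example (not part of the original page or any course it lists) that builds a standard RFC 1035 A-record query byte by byte, parses it back, and applies two simple defender-side heuristics for queries that do not look normal (an overly long name, or a long high-entropy label of the kind seen in DNS tunnelling). The thresholds and the sample domain names are constructed assumptions for illustration.

```python
import math
import struct
from collections import Counter


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query packet (header + one question, type A, class IN)."""
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length byte, terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_query(packet: bytes) -> dict:
    """Parse the header and the first question of a DNS query packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            # Labels are capped at 63 bytes; anything larger is a compression
            # pointer (not valid in a question) or a malformed packet.
            raise ValueError("invalid label length in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {
        "id": txid, "flags": flags, "qdcount": qd,
        "qname": ".".join(labels), "labels": labels,
        "qtype": qtype, "qclass": qclass,
    }


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_suspicious(parsed: dict, max_name_len: int = 100,
                     min_label_len: int = 20, max_entropy: float = 3.5) -> list:
    """Return human-readable reasons a query deviates from what normal traffic looks like.

    Thresholds are illustrative assumptions, not vendor defaults.
    """
    reasons = []
    if len(parsed["qname"]) > max_name_len:
        reasons.append(f"qname length {len(parsed['qname'])} exceeds {max_name_len}")
    # Skip the registrable domain and TLD; only the leading labels are attacker-controlled
    for label in parsed["labels"][:-2]:
        if len(label) >= min_label_len and shannon_entropy(label) > max_entropy:
            reasons.append(f"high-entropy label {label[:16]}... ({shannon_entropy(label):.2f} bits/char)")
    return reasons


if __name__ == "__main__":
    # Constructed sample names: one ordinary lookup, one tunnel-style hostname
    for name in ("www.example.com",
                 "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel.example.com"):
        parsed = parse_query(build_query(name))
        print(parsed["qname"], "->", looks_suspicious(parsed) or "looks normal")
```

The point of the exercise is that once you can state exactly which bytes a well-formed query contains, "the packet that shouldn't be there" stops being a feeling and becomes a testable condition.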
Resources to Learn
Free Options
The gold standard for clear, free networking education with zero fluff.
A high-energy, visual way to learn complex networking concepts.
Paid Options
The best exam prep if you plan on actually taking the Network+ certification.
OS Fundamentals
Operating Systems
What it is
Deep knowledge of how operating systems manage files, processes, and users across Windows and Linux environments.
Why you need it here
You need to know what 'Normal' looks like to identify 'Abnormal.' Attackers hide in system folders or create hidden users. If you don't know your way around the Linux filesystem, you are a blind hacker.
Resources to Learn
Free Options
A free book that is widely considered the bible for terminal beginners.
Hands-on labs to get you over the fear of the black command prompt.
Paid Options
Practical, video-led instructions from people who use Linux for hacking every day.
Scripting Basics
Automation
What it is
Using code like Python or Bash to automate repetitive tasks and process large datasets.
Why you need it here
Speed is your greatest weapon. You don't want to manually check 500 logs. You want to write a 10-line script to do it in 5 seconds. Automating the boring stuff leaves you time for actual hacking.
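The "check 500 logs with a short script" idea, as an added example that is not from the original page or any of the listed courses: a Python triage script that reads OpenSSH-style `sshd` authentication lines, counts failed logins per source address, records which usernames each source tried, and flags any successful login that follows a burst of failures from the same address. The log excerpt is constructed for illustration (documentation-range IPs), and the failure threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log excerpt; not real data.
SAMPLE_LOG = """\
Mar 10 08:01:12 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
Mar 10 08:01:14 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51530 ssh2
Mar 10 08:01:17 web01 sshd[2235]: Failed password for root from 203.0.113.45 port 51541 ssh2
Mar 10 08:01:19 web01 sshd[2237]: Failed password for invalid user oracle from 203.0.113.45 port 51550 ssh2
Mar 10 08:02:03 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar 10 08:05:44 web01 sshd[2251]: Failed password for alice from 192.0.2.10 port 60001 ssh2
Mar 10 08:05:52 web01 sshd[2251]: Accepted password for alice from 192.0.2.10 port 60001 ssh2
Mar 10 08:06:30 web01 sshd[2260]: Failed password for root from 203.0.113.45 port 51602 ssh2
Mar 10 08:06:31 web01 sshd[2261]: Accepted password for root from 203.0.113.45 port 51610 ssh2
"""

# OpenSSH writes "invalid user" before usernames that do not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def summarize(log_text: str, threshold: int = 3) -> dict:
    """Triage sshd lines: failures per IP, usernames tried, and success-after-failures events.

    `threshold` (an assumed value) is the failure count that makes a source noteworthy.
    """
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Counter returns 0 for unseen IPs, so a clean login never trips this check.
        if m and failures[m["ip"]] >= threshold:
            success_after_failures.append((m["ip"], m["user"]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "failures": dict(failures),
        "noisy_sources": noisy,
        "users_tried": {ip: sorted(users) for ip, users in users_tried.items()},
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, count in report["noisy_sources"].items():
        print(f"{ip}: {count} failed logins, tried {report['users_tried'][ip]}")
    for ip, user in report["success_after_failures"]:
        print(f"REVIEW: {ip} logged in as {user} after repeated failures")
```

Pointing this at a real `/var/log/auth.log` is a one-line change (`open(path).read()` in place of `SAMPLE_LOG`); the payoff is that the "success after a burst of failures" condition, which is easy to miss by eye in hundreds of lines, becomes a single list you can act on.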
Resources to Learn
Free Options
The most practical Python guide ever written for non-programmers.
A world-class introduction to Python from Harvard University.
Paid Options
Python explained specifically through the lens of a security professional.
Junior Pentester
Breaking the Logic & Writing Proofs
As a Junior Pentester, you move from reading about vulnerabilities to proving they exist. You will begin and end your day in Burp Suite, catching web requests in mid-air and changing them before they reach the server.
However, finding the bug is only half the battle. The other half is writing a report that is so clear a stressed-out developer can fix it in ten minutes. If you can't explain the risk, the bug doesn't matter to the business. You are developing 'The Eye' — the instinct to look at a login screen and know exactly which technique to try first.
Certifications
PWPA — Practical Web Pentest Associate
TCM Security
What it teaches
A purely lab-based exam that tests if you can actually perform a web assessment. There are no multiple-choice questions; you are given a target and must find and document vulnerabilities.
Why at this level
This is excellent value for proving you can sit down on Day 1 and start working. Employers want to know if you can find a bug and write a professional report explaining it. PWPA proves exactly that without the high cost of traditional certs.
eWPT — eLearnSecurity Web Pentester
INE
What it teaches
A respected practical exam covering advanced web exploitation, from authentication bypass to exploiting blind SQL injections.
Why at this level
This serves as a massive confidence builder. Passing it requires you to not just exploit a network, but to professionally document every finding. It teaches you that a hacked server means nothing if you can't communicate the threat clearly.
Skills & Labs
OWASP Top 10
Core Vulnerabilities
What it is
Mastering the common vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and Broken Access Control.
Why you need it here
Almost every web vulnerability found in real life falls into these categories. You cannot be a pentester without mastering them inside and out.
Resources to Learn
Free Options
The single best web security training resource in existence, for free.
The formal definitions used by every security company on the planet.
Paid Options
Shows you the 'messy' reality of finding bugs that aren't in a clean lab environment.
Request Interception
Dynamic Testing
What it is
Using local proxies to catch, modify, and replay HTTP/S requests in mid-air.
Why you need it here
Modern web apps rely on complex client-side interactions. If you only look at the buttons on the screen, you miss 80% of the attack surface. Interception lets you talk directly to the server's brain.
Resources to Learn
Free Options
Incredibly detailed walkthroughs of PortSwigger labs.
Paid Options
The official path to becoming a certified master of our industry's most important tool.
Documentation
Reporting
What it is
Learning to write concise Proof-of-Concepts (PoCs) that prove a business risk is real.
Why you need it here
Finding the bug is fun, but writing the report is what actually gets you paid. Clear documentation separates the hobbyists from the professionals.
Resources to Learn
Free Options
Read actual reports from the world's most successful bug hunters to see how the pros write.
Paid Options
Teaches you the corporate side of reporting that most courses skip.
Exploitation Specialist
Complex Chaining & Cloud Infrastructures
At this stage, you stop looking for single bugs and start looking for chains. An attacker doesn't stop at an information leak; they use that leak to steal a session, which they use to bypass an IDOR, which leads to a full data breach.
You are also moving into the Cloud. Most modern companies rent their servers from AWS or Azure. If you don't know how to find a misconfigured S3 bucket or a leaky identity policy, you're missing half of the modern attack surface. You are now a specialist, acting as a trusted advisor to the client.
Certifications
HTB Certified Web Specialist (CWES)
Hack The Box
What it teaches
An intensely difficult, scenario-based exam that puts you in the shoes of a real attacker. It tests your ability to read complex source code and leverage advanced techniques.
Why at this level
At this level, generic scanners won't find the bugs anymore. You have to manually bend the logic of the application. CWES proves you can handle high-pressure scenarios and creatively engineer an exploit when the easy tools fail.
Burp Suite Practitioner (BSCP)
PortSwigger
What it teaches
The official pro badge from the creators of Burp Suite. This exam is a pure sprint, testing your ability to rapidly identify and chain complex vulnerabilities under a strict time limit.
Why at this level
Burp Suite is the definitive weapon for web hackers. Having the BSCP tells any manager in the world that you are a power-user of the tool, capable of bypassing modern firewalls and writing custom extensions.
OSCP — OffSec Certified Professional
OffSec
What it teaches
The infamous 24-hour exam where you must compromise a network with zero hints. It forces you to enumerate services, drop shells, and escalate privileges.
Why at this level
It is the undisputed gold standard of the industry. While it is broader than just web hacking, passing the OSCP proves you have the technical stamina and the 'Try Harder' mindset needed to survive professional hacking.
Skills & Labs
Cloud Pentesting
Infrastructure Attack
What it is
Hunting for misconfigurations in AWS, Azure, and GCP, targeting identity policies and leaky storage.
Why you need it here
Most modern companies live in the cloud. If you can't exploit an S3 bucket or move laterally in Azure, you're missing the big picture of modern security.
Resources to Learn
Free Options
Excellent training from the leaders in cloud security posture management.
A high-quality playground specifically for learning cloud attack vectors.
Paid Options
Deep, technical training for the engineer who needs to secure cloud workloads.
Vulnerability Chaining
Exploitation
What it is
Connecting small, seemingly insignificant flaws together to create a massive security impact.
Why you need it here
Real attackers don't use one bug. They chain three or four together. Proving catastrophic impact is what separates a specialist from a junior.
Resources to Learn
Free Options
The absolute best resource for learning how a professional hacker thinks and chains attacks.
Paid Options
A grueling course for those who want to master high-level exploit development.
Client Scoping
Engagement Management
What it is
Learning to manage the business side of an engagement, defining boundaries and rules of engagement.
Why you need it here
As a specialist, you are a consultant. Understanding exactly what is out-of-bounds technically prevents legal disasters and ensures the client gets the value they paid for.
Resources to Learn
Free Options
Great summaries of the legal and administrative side of pentesting.
Paid Options
The premier course for turning your technical skills into a high-end consulting business.
Senior Pentester
Red Teaming & Advanced Adversary Simulation
You are no longer just testing a product; you are simulating a real-world predator. As a Senior, you conduct Red Team engagements where you must stay hidden inside a network for weeks without being caught.
You use Command and Control (C2) frameworks to manage your infected machines and move laterally through complex environments. You are also exploring the new frontier of AI security, finding ways to poison models or trick LLMs into leaking company secrets. You think in Tactics and Techniques, not just individual bugs.
Certifications
OSWE — OffSec Web Expert
OffSec
What it teaches
A grueling 'White Box' assessment where you are handed the source code of an application and must find deeply hidden logic flaws.
Why at this level
As a Senior, you can't rely on guessing anymore. OSWE elevates your game by forcing you to understand backend code in Java, PHP, and Python. It proves you can find zero-day vulnerabilities in custom software.
CRTP — Certified Red Team Professional
Altered Security
What it teaches
A hands-on certification focused entirely on attacking enterprise Active Directory environments.
Why at this level
Web hacking doesn't exist in a vacuum. Once you exploit a web server, you are usually dropped into a massive corporate network. CRTP shows you how to pivot from a web app to owning the entire Domain Controller.
Skills & Labs
Red Team TTPs
Adversary Simulation
What it is
Simulating Advanced Persistent Threats by establishing stealthy footholds and moving laterally undetected.
Why you need it here
Finding a hole is easy; executing an entire invasion silently for two weeks is an art. Seniors test the defenders' ability to catch a real threat.
Resources to Learn
Free Options
The world's leader in finding complex, high-impact logic chains in enterprise software.
Paid Options
The most practical training available for learning modern red team operations.
Threat Modeling
Offensive Architecture
What it is
Predicting and mapping out how an attacker will strike a complex architecture before they even attempt it.
Why you need it here
Seniors must think steps ahead of the defenders. Identifying the weak links in trust boundaries allows you to focus your exploitation where it truly hurts.
Resources to Learn
Free Options
The industry standard for formalizing threat modeling workflows.
Paid Options
Teaches you how to build architectures that are designed to fail safely.
Emerging Threat Vectors
Social Eng / AI
What it is
Exploiting cutting-edge technologies like poisoning AI models to leak secrets, combined with human-element Social Engineering.
Why you need it here
The boundaries of hacking evolve daily. Tricking a human or a high-permission AI instance bypasses millions of dollars in conventional security.
Resources to Learn
Free Options
One of the few researchers documenting practical AI hacking techniques.
Paid Options
The definitive course for those who want to reach the absolute apex of web exploitation.
Pentest Lead
Enterprise Security Ownership & Strategy
You've survived the trenches, and now you're the one who must build them. As a Lead, you aren't just hacking one app; you're designing the entire program that secures a thousand applications simultaneously across a global enterprise.
Your success is no longer measured by how many bugs you find, but by how many bugs your system prevents. You are the bridge between the technical wizardry of the security team and the cold reality of the boardroom. You take a catastrophic vulnerability and translate it into a business risk report that a CEO can prioritize. You are the architect of the company’s digital defense.
Certifications
CISSP
ISC²
What it teaches
The management 'Golden Ticket' — a mammoth exam covering eight massive domains of security, from risk management to software development security.
Why at this level
At the Lead level, nobody asks you to pop a shell anymore. They ask you how much it costs to mitigate a risk across a thousand servers. CISSP is the passport that gets you the Director title and proves you speak the language of business.
GXPN — GIAC Exploit Researcher
GIAC
What it teaches
A prestigious technical certification focused on advanced exploit development, memory corruption, and network evasion.
Why at this level
Just because you are managing the program doesn't mean you should lose your technical edge. The GXPN commands massive respect from engineers. It proves you still have the lethal skills needed to guide your team through complex engagements.
Skills & Labs
Security Program Design
Strategy
What it is
Designing the entire framework and operational workflows for securing a thousand interconnected applications.
Why you need it here
Success at this level is about systemic prevention. You need to plan scaling strategies and define what an internal security team focuses on annually.
Resources to Learn
Free Options
The definitive guide for managing the emerging risks of artificial intelligence.
Paid Options
The gold standard for becoming a high-level Information Security Manager.
Executive Communication
Leadership
What it is
Translating catastrophic technical vulnerabilities into clear, actionable business risk reports for the C-Suite.
Why you need it here
To get the budget to fix the flaws, the Board needs to understand the financial impact. You are the critical bridge between the technical team and the boardroom.
Resources to Learn
Free Options
A great channel for seeing how tech leaders talk about business problems.
Paid Options
Teaches you the exact management skills required to lead a global security organization.
Governance & Compliance
Legal Frameworks
What it is
Navigating international compliance standards to ensure testing is legal and meets all regulatory thresholds.
Why you need it here
When operating at an enterprise scale, the law catches up with technical risk. Ensuring your internal program maps to legal requirements is mandatory at this seniority.
Resources to Learn
Free Options
The best explanation of the technical reality of AI, which is mandatory for modern governance.
Paid Options
The most comprehensive source for learning high-level security governance.