Cybersecurity Learning Roadmap

Master cybersecurity from fundamentals through ethical hacking, incident response, and cloud security

Duration: 36 weeks | 5 steps | 54 topics

Career Opportunities

  • Security Analyst
  • Penetration Tester
  • Security Engineer
  • Security Architect
  • CISO (Chief Information Security Officer)
  • Security Consultant
  • Incident Responder

Step 1: Security Fundamentals

Build a strong foundation in information security principles, frameworks, risk management, and governance

Time: 8 weeks | Level: beginner

  • CIA Triad (required) — Understand Confidentiality, Integrity, and Availability as the three pillars that guide all information security decisions.
    • Confidentiality ensures that information is accessible only to authorized individuals
    • Integrity guarantees that data is accurate, consistent, and unaltered by unauthorized parties
    • Availability ensures that systems and data are accessible when needed by authorized users
    • Every security control maps back to protecting one or more of these three properties
  • Security Frameworks (NIST, ISO 27001) (required) — Learn the major security frameworks that organizations use to structure their security programs and demonstrate compliance.
    • NIST CSF organizes security into five functions: Identify, Protect, Detect, Respond, Recover
    • ISO 27001 is an international standard for Information Security Management Systems (ISMS)
    • CIS Controls provide a prioritized set of actions to improve cyber defense
    • Framework adoption helps organizations systematically manage risk and demonstrate due diligence
  • Threat Modeling (required) — Systematically identify potential threats, attack vectors, and vulnerabilities in systems before they are exploited.
    • STRIDE categorizes threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
    • Create data flow diagrams to visualize trust boundaries and potential attack surfaces
    • Prioritize threats by likelihood and impact to focus remediation efforts
    • Threat modeling should be integrated into the software development lifecycle
  • Risk Assessment (required) — Evaluate the likelihood and impact of threats to determine risk levels and guide security investment decisions.
    • Risk = Likelihood × Impact; quantitative and qualitative methods both have their place
    • Asset identification and valuation form the foundation of any risk assessment
    • Risk treatment options: accept, mitigate, transfer (insure), or avoid
    • Document residual risk after controls are applied and review regularly
  • Authentication & Authorization (required) — Learn how systems verify user identity (authentication) and control what users can access (authorization).
    • Authentication verifies WHO you are; authorization determines WHAT you can do
    • Multi-Factor Authentication (MFA) combines something you know, have, and are
    • Access control models include RBAC (Role-Based), ABAC (Attribute-Based), and MAC (Mandatory)
    • Single Sign-On (SSO) and federated identity simplify user management across services
  • Encryption Basics (required) — Understand symmetric and asymmetric encryption, hashing, digital signatures, and their applications in securing data.
    • Symmetric encryption (AES) uses one key for both encryption and decryption, ideal for bulk data
    • Asymmetric encryption (RSA, ECC) uses a public/private key pair for secure key exchange and signatures
    • Hashing (SHA-256) creates a fixed-size fingerprint of data for integrity verification
    • TLS/SSL uses both symmetric and asymmetric encryption to secure data in transit
  • Security Policies & Governance (recommended) — Develop organizational security policies, standards, and procedures that define acceptable behavior and controls.
    • Policies define high-level security objectives; standards specify mandatory requirements
    • Procedures provide step-by-step instructions for implementing policies and standards
    • Acceptable use policies (AUP) govern how employees interact with organizational IT resources
    • Regular policy review and updates are necessary to address evolving threats
  • Compliance (GDPR, HIPAA, SOC2) (recommended) — Understand key regulatory and compliance frameworks that mandate specific security and privacy controls.
    • GDPR protects EU citizens' personal data and requires consent, breach notification, and data minimization
    • HIPAA governs the protection of health information in the United States
    • SOC 2 audits evaluate service organizations on security, availability, processing integrity, confidentiality, and privacy
  • Security Awareness (recommended) — Build a human-centric security culture through training programs that reduce the risk of social engineering and user error.
    • Human error is a factor in the majority of successful cyberattacks
    • Regular phishing simulations train employees to recognize and report suspicious emails
    • Security awareness programs should be ongoing, not one-time events
  • Physical Security (optional) — Protect physical assets, facilities, and hardware from unauthorized access, theft, and environmental threats.
    • Physical security includes access controls (badges, biometrics), surveillance, and environmental controls
    • Defense in depth applies to physical security: fences, locks, guards, cameras form layered protection
    • Environmental controls protect against fire, flooding, temperature, and humidity damage
  • Security Certifications Overview (optional) — Survey the major cybersecurity certifications and understand which align with different career paths.
    • CompTIA Security+ is the most common entry-level security certification
    • CISSP (ISC2) is the gold standard for security management and architecture roles
    • OSCP (Offensive Security) validates hands-on penetration testing skills

Step 2: Network Security

Protect network infrastructure through firewalls, intrusion detection, packet analysis, and secure architecture design

Time: 6 weeks | Level: intermediate

  • TCP/IP Security (required) — Understand the security implications of TCP/IP protocols and common attacks targeting each layer of the network stack.
    • ARP spoofing allows attackers to intercept traffic on local networks by poisoning ARP caches
    • TCP SYN floods exhaust server resources by sending incomplete connection requests
    • IP spoofing disguises the origin of packets to bypass access controls or amplify attacks
    • Understanding the OSI/TCP model helps identify which layer an attack targets
  • Firewalls & ACLs (required) — Configure firewalls and Access Control Lists to filter traffic based on IP addresses, ports, and protocols.
    • Stateful firewalls track connection state and only allow responses to established sessions
    • Next-generation firewalls (NGFW) inspect application-layer traffic for deeper threat detection
    • ACL rules are processed top-down; order matters for both security and performance
    • Default deny (implicit deny) blocks all traffic not explicitly permitted
  • IDS/IPS Systems (required) — Deploy Intrusion Detection and Prevention Systems to monitor network traffic for malicious activity and block threats.
    • IDS passively monitors and alerts on suspicious traffic; IPS actively blocks threats inline
    • Signature-based detection matches known attack patterns; anomaly-based detects deviations from baselines
    • Place IDS/IPS at network perimeters, between segments, and in front of critical assets
    • Tune rules regularly to reduce false positives without missing real threats
  • VPN & Tunneling (required) — Secure communications across untrusted networks using Virtual Private Networks and encrypted tunneling protocols.
    • IPSec VPNs (site-to-site and remote access) encrypt traffic at the network layer
    • SSL/TLS VPNs operate at the application layer and are accessible via web browsers
    • WireGuard is a modern, lightweight VPN protocol with strong cryptographic foundations
    • Split tunneling routes only corporate traffic through the VPN, reducing bandwidth overhead
  • Wireless Security (required) — Secure Wi-Fi networks against eavesdropping, rogue access points, and authentication bypass attacks.
    • WPA3 provides the strongest current wireless encryption with SAE (Simultaneous Authentication of Equals)
    • WPA2-Enterprise with 802.1X uses RADIUS for individual user authentication
    • Rogue access points and evil twin attacks can capture credentials on unsecured networks
    • Disable WPS and use strong, unique passphrases for all wireless networks
  • Packet Analysis (Wireshark) (required) — Capture and analyze network packets to troubleshoot issues, detect intrusions, and understand protocol behavior.
    • Use display filters (e.g., tcp.port==443, http.request) to isolate relevant traffic
    • Follow TCP streams to reconstruct full conversations between hosts
    • Identify anomalies like unusual ports, excessive retransmissions, or cleartext credentials
    • Export objects (files, images) transferred over HTTP for forensic examination
  • Network Segmentation (recommended) — Divide networks into isolated segments to limit lateral movement and contain breaches to smaller zones.
    • VLANs logically separate broadcast domains without requiring separate physical infrastructure
    • Microsegmentation provides granular, workload-level isolation in data centers and cloud environments
    • Segment critical assets (databases, payment systems) from general user networks
  • DNS Security (recommended) — Protect the Domain Name System from spoofing, cache poisoning, and hijacking attacks that redirect traffic.
    • DNSSEC adds cryptographic signatures to DNS records to prevent spoofing and cache poisoning
    • DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries for privacy
    • DNS filtering can block access to known malicious domains at the network level
  • DDoS Mitigation (recommended) — Understand Distributed Denial of Service attack vectors and implement strategies to absorb or deflect volumetric attacks.
    • DDoS attacks overwhelm targets with traffic from many distributed sources (botnets)
    • Volumetric (bandwidth), protocol (SYN flood), and application-layer (HTTP flood) are the three main categories
    • CDNs and DDoS scrubbing services (Cloudflare, AWS Shield) absorb attack traffic at the edge
  • Network Forensics (optional) — Collect and analyze network evidence after a security incident to reconstruct attacker actions and timeline.
    • Full packet capture provides the richest evidence but requires significant storage
    • NetFlow/IPFIX metadata provides connection summaries for long-term traffic analysis
    • Correlate network evidence with host logs and SIEM alerts for a complete incident picture
  • SDN Security (optional) — Explore security considerations for Software-Defined Networking where the control plane is centralized and programmable.
    • SDN centralizes network control, creating a high-value target if the controller is compromised
    • The southbound API (e.g., OpenFlow) between controller and switches must be encrypted and authenticated
    • SDN enables dynamic, policy-driven security responses like automatic quarantine of compromised hosts

Step 3: Ethical Hacking and Penetration Testing

Learn offensive security techniques to find and exploit vulnerabilities before malicious attackers do

Time: 8 weeks | Level: intermediate

  • Reconnaissance & OSINT (required) — Gather publicly available information about a target organization, its infrastructure, and employees before active testing.
    • Passive recon collects data without directly interacting with the target (WHOIS, DNS records, social media)
    • Active recon directly probes the target and may be detected (port scanning, banner grabbing)
    • Tools like theHarvester, Shodan, and Google dorks reveal exposed assets and email addresses
    • OSINT findings shape the attack plan and identify the most promising entry points
  • Vulnerability Scanning (Nmap) (required) — Use Nmap and vulnerability scanners to discover open ports, running services, and known vulnerabilities on target systems.
    • Nmap performs host discovery, port scanning, service detection, and OS fingerprinting
    • Use -sV for service version detection and -sC for default script scanning
    • Vulnerability scanners (Nessus, OpenVAS) automatically identify known CVEs on discovered services
    • Always have written authorization before scanning any system you do not own
  • Web App Testing (OWASP Top 10) (required) — Test web applications for the most critical security risks as defined by the OWASP Top 10 vulnerability categories.
    • SQL Injection allows attackers to manipulate database queries through unsanitized input
    • Cross-Site Scripting (XSS) injects malicious scripts that execute in other users' browsers
    • Broken Access Control lets users access resources or actions beyond their permissions
    • Use Burp Suite to intercept, modify, and replay HTTP requests for manual testing
  • Exploitation (Metasploit) (required) — Use the Metasploit Framework to exploit discovered vulnerabilities and gain access to target systems.
    • Metasploit provides a database of exploits, payloads, and auxiliary modules for penetration testing
    • Match discovered vulnerabilities to appropriate exploit modules and configure payloads
    • Meterpreter is a powerful post-exploitation payload with file system access, pivoting, and more
    • Always document exploitation steps for reproducibility in the final report
  • Password Cracking (required) — Recover passwords from hashes using dictionary attacks, brute force, and rule-based techniques with specialized tools.
    • Dictionary attacks try common passwords and wordlists (rockyou.txt) against captured hashes
    • Rule-based attacks apply transformations (capitalization, numbers, symbols) to dictionary words
    • Hashcat leverages GPU acceleration for dramatically faster cracking than CPU-only tools
    • Understanding hash types (MD5, SHA-256, bcrypt, NTLM) is essential for choosing the right attack
  • Post-Exploitation (required) — Maintain access, escalate privileges, and move laterally through the network after initial compromise.
    • Privilege escalation exploits misconfigurations or vulnerabilities to gain root/admin access
    • Lateral movement uses compromised credentials or sessions to access other systems on the network
    • Persistence mechanisms (backdoors, scheduled tasks, registry keys) maintain access after reboot
    • Data exfiltration tests determine what sensitive data an attacker could steal
  • Reporting & Remediation (recommended) — Document penetration testing findings in a professional report with severity ratings and actionable remediation guidance.
    • Include executive summary, methodology, findings with severity (CVSS), evidence, and remediation steps
    • Provide both technical details for engineers and business context for leadership
    • Prioritize findings by risk (Critical > High > Medium > Low > Informational)
  • Social Engineering (recommended) — Test the human element of security through phishing campaigns, pretexting, and other manipulation techniques.
    • Phishing remains the most common initial attack vector for real-world breaches
    • Pretexting builds a fabricated scenario to manipulate targets into revealing information
    • Spear phishing targets specific individuals with personalized, researched messages
  • Mobile App Security Testing (recommended) — Test Android and iOS applications for vulnerabilities in storage, communication, authentication, and code integrity.
    • OWASP Mobile Top 10 covers insecure data storage, weak authentication, and insufficient cryptography
    • Use tools like Frida, Objection, and MobSF for dynamic and static analysis of mobile apps
    • Intercept mobile traffic with Burp Suite by installing a proxy CA certificate on the device
  • Wireless Penetration Testing (optional) — Assess Wi-Fi network security by testing for weak encryption, rogue access points, and authentication bypass.
    • Aircrack-ng suite captures handshakes and performs offline password attacks against WPA/WPA2
    • Monitor mode on a wireless adapter is required to capture packets from all nearby networks
    • Evil twin attacks create a fake access point to intercept victim traffic and credentials
  • Red Team vs Blue Team (optional) — Understand the roles of offensive (Red Team) and defensive (Blue Team) security professionals and how they collaborate.
    • Red teams simulate real-world adversaries to test an organization's detection and response capabilities
    • Blue teams defend, detect, and respond to attacks using monitoring, analysis, and incident response
    • Purple teams combine red and blue activities to maximize learning and improve defenses collaboratively

Step 4: Security Operations and Incident Response

Build and operate a Security Operations Center (SOC), manage incidents, and perform digital forensics

Time: 6 weeks | Level: advanced

  • SIEM Implementation (required) — Deploy and configure Security Information and Event Management systems to aggregate, correlate, and alert on security events.
    • SIEM aggregates logs from firewalls, endpoints, servers, and applications into a central platform
    • Correlation rules detect multi-stage attacks by linking related events across sources
    • Dashboards provide real-time visibility into security posture and alert volumes
    • Proper log source onboarding and normalization are critical for effective SIEM operation
  • Log Analysis & Correlation (required) — Analyze security logs to identify patterns, anomalies, and indicators of compromise across diverse data sources.
    • Windows Security Event IDs (4624, 4625, 4688, 4720) reveal logon activity and process creation
    • Linux auth logs, syslog, and audit logs track authentication and system changes
    • Correlating events across time and sources reveals attack patterns invisible in individual logs
    • Use SPL (Splunk), KQL (Elastic), or similar query languages to search and filter log data
  • Incident Response Process (required) — Follow structured incident response phases to detect, contain, eradicate, and recover from security incidents.
    • NIST IR phases: Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident
    • Containment isolates affected systems to prevent further spread while preserving evidence
    • Chain of custody must be maintained for any evidence that may be used in legal proceedings
    • Post-incident reviews identify lessons learned and improvements to prevent recurrence
  • Digital Forensics Basics (required) — Acquire, preserve, and analyze digital evidence from disks, memory, and network captures for investigations.
    • Create forensic images (bit-for-bit copies) of evidence drives before analysis to preserve originals
    • Use write blockers to prevent accidental modification of evidence media
    • Timeline analysis reconstructs the sequence of events leading to and following an incident
    • Tools like Autopsy, FTK, and EnCase are industry standards for disk forensics
  • Malware Analysis (required) — Analyze malicious software to understand its behavior, capabilities, and indicators of compromise for detection.
    • Static analysis examines malware without executing it (strings, imports, PE headers, disassembly)
    • Dynamic analysis runs malware in a sandboxed environment to observe its runtime behavior
    • Behavioral indicators (network connections, file drops, registry changes) inform detection signatures
    • Always analyze malware in isolated environments (VMs, sandboxes) to prevent accidental infection
  • Threat Intelligence (recommended) — Collect, analyze, and apply intelligence about threat actors, campaigns, and indicators of compromise.
    • MITRE ATT&CK maps adversary tactics and techniques across the attack lifecycle
    • IOCs (Indicators of Compromise) include IP addresses, domains, file hashes, and behavioral patterns
    • Threat feeds from ISACs, vendors, and open sources provide actionable intelligence for detection
  • SOAR Platforms (recommended) — Automate and orchestrate security operations with Security Orchestration, Automation, and Response platforms.
    • SOAR platforms automate repetitive tasks like alert triage, enrichment, and ticket creation
    • Playbooks define automated response workflows for common incident types
    • Integration with SIEM, ticketing, threat intel, and endpoint tools creates a unified response capability
  • Memory Forensics (recommended) — Analyze volatile memory (RAM) dumps to discover running processes, network connections, and malware hiding in memory.
    • Memory captures reveal running processes, open network connections, and loaded DLLs at the time of acquisition
    • Volatility is the leading open-source framework for memory forensics analysis
    • Malware that resides only in memory (fileless malware) leaves no disk artifacts
  • Threat Hunting (optional) — Proactively search for hidden threats in your environment that have evaded automated detection mechanisms.
    • Threat hunting is hypothesis-driven: start with an assumption about adversary behavior and search for evidence
    • Use ATT&CK techniques as hunting hypotheses (e.g., search for PowerShell-based lateral movement)
    • Successful hunts produce new detection rules that improve ongoing automated monitoring
  • Purple Team Exercises (optional) — Combine offensive and defensive teams in collaborative exercises to test and improve detection and response capabilities.
    • Purple team exercises execute known adversary techniques while defenders attempt to detect them in real time
    • Gaps in detection coverage are identified and addressed immediately during the exercise
    • Results drive SIEM rule tuning, endpoint detection improvements, and updated response playbooks

Step 5: Cloud Security

Secure cloud environments across AWS, Azure, and GCP with identity management, network controls, and compliance

Time: 8 weeks | Level: advanced

  • Shared Responsibility Model (required) — Understand the division of security responsibilities between the cloud provider and the customer.
    • Cloud provider secures the infrastructure (physical, network, hypervisor); customer secures what runs on it
    • Responsibility boundaries shift depending on the service model (IaaS vs PaaS vs SaaS)
    • Misunderstanding the shared model is a leading cause of cloud security breaches
    • Always verify what the provider covers vs what you must configure and manage yourself
  • IAM in Cloud (required) — Implement Identity and Access Management policies to control who can access cloud resources and what actions they can perform.
    • Follow the principle of least privilege: grant only the minimum permissions needed
    • Use IAM roles instead of long-lived access keys for services and cross-account access
    • Enable MFA for all human users, especially privileged accounts
    • Regularly audit IAM policies and remove unused permissions and stale credentials
  • Cloud Network Security (required) — Secure cloud networking with VPCs, security groups, network ACLs, and private connectivity options.
    • Security groups act as stateful virtual firewalls at the instance level
    • Network ACLs provide stateless subnet-level traffic filtering as a secondary layer
    • Use private subnets and NAT gateways to keep workloads off the public internet
    • VPC peering and PrivateLink provide secure connectivity without traversing the public internet
  • Container Security (required) — Secure containerized applications from image build through runtime by scanning, hardening, and monitoring containers.
    • Scan container images for known vulnerabilities before deployment (Trivy, Snyk, Clair)
    • Use minimal base images and run containers as non-root to reduce the attack surface
    • Kubernetes RBAC, Pod Security Standards, and Network Policies enforce runtime security
    • Runtime monitoring detects anomalous container behavior like unexpected process execution
  • Serverless Security (required) — Address security challenges unique to serverless architectures including function permissions, event injection, and observability.
    • Each function should have its own minimal IAM role following least privilege
    • Event injection attacks exploit unsanitized input from triggers (API Gateway, S3, SQS)
    • Short-lived function execution reduces some attack windows but adds observability challenges
    • Dependency scanning is critical since serverless functions often pull many third-party packages
  • AWS Security Services (required) — Leverage AWS-native security services like GuardDuty, Security Hub, WAF, and CloudTrail for comprehensive protection.
    • CloudTrail logs all API calls for audit and forensic analysis of account activity
    • GuardDuty provides intelligent threat detection using machine learning on CloudTrail, VPC Flow, and DNS logs
    • Security Hub aggregates findings from multiple AWS services and third-party tools into a single pane
    • AWS WAF protects web applications from common exploits like SQL injection and XSS at the edge
  • Azure Security Center (recommended) — Use Microsoft Defender for Cloud to assess security posture, detect threats, and enforce compliance across Azure resources.
    • Secure Score provides a numeric assessment of your overall Azure security posture
    • Defender for Cloud detects threats across compute, storage, networking, and identity layers
    • Azure Policy and Blueprints enforce security standards at scale across subscriptions
  • Cloud Compliance (recommended) — Ensure cloud deployments meet regulatory and industry compliance requirements through controls and auditing.
    • Cloud providers offer compliance certifications (SOC 2, HIPAA, PCI DSS, FedRAMP) for their infrastructure
    • Customer responsibility remains for configuring services in a compliant manner
    • Automated compliance tools (AWS Config, Azure Policy) continuously evaluate resource configurations
  • DevSecOps in Cloud (recommended) — Integrate security into CI/CD pipelines so vulnerabilities are caught early and remediated before deployment.
    • Shift left by integrating SAST, DAST, and SCA tools into the CI/CD pipeline
    • Infrastructure as Code (IaC) scanning catches security misconfigurations before deployment
    • Automated policy gates prevent insecure artifacts from reaching production environments
  • Multi-Cloud Security (optional) — Manage security consistently across multiple cloud providers using unified visibility, policy, and identity management.
    • Each cloud provider has different security services, APIs, and IAM models requiring specialized knowledge
    • Cloud Security Posture Management (CSPM) tools provide unified visibility across providers
    • Federated identity (Azure AD, Okta) simplifies user management across multi-cloud environments
  • Cloud Forensics (optional) — Conduct forensic investigations in cloud environments by collecting logs, snapshots, and API activity records.
    • Cloud forensics relies heavily on API logs (CloudTrail, Activity Log) rather than disk images
    • EBS snapshots and memory dumps can be acquired for deeper analysis of compromised instances
    • Ephemeral resources (containers, Lambda) may leave limited forensic artifacts requiring proactive logging