A written version of the interactive roadmap above — every station, what you'll learn, and a small thing to build — laid out for reading, reference and search.
Foundations Start here
F1. The Security Mindset
Beginner · 40 min
Security is a way of thinking before it is a toolset: assume breach, distrust input, and ask "how would I abuse this?" of everything. Learn the CIA triad (confidentiality, integrity, availability), the principle of least privilege, defense in depth, and why the attacker only has to be right once while you have to be right always.
Skills: CIA triad · Least privilege & defense in depth · Threat vs vulnerability vs risk · Thinking like an attacker
Build it: Take a login form and list ten ways to abuse it. Which are your problem to defend, and which belong to the platform?
F2. Networking & the Web
Beginner · 55 min
You cannot secure what you do not understand. Learn how packets, TCP/IP, DNS and TLS actually move data, what a request really contains, and where trust boundaries sit — because most attacks live at the seams between systems that each assumed the other was safe.
Skills: TCP/IP & DNS · HTTP & the request lifecycle · TLS & certificates · Trust boundaries
Build it: Trace an HTTPS request end to end: DNS, handshake, headers, response. Where could a man-in-the-middle sit, and what stops them?
F3. Cryptography Foundations
Intermediate · 60 min
Crypto is the load-bearing wall of security, and misusing it is worse than skipping it. Learn symmetric vs asymmetric encryption, hashing vs encryption vs encoding, digital signatures, and the golden rule that saves careers: never roll your own crypto — use vetted libraries correctly.
Skills: Symmetric vs asymmetric · Hashing vs encryption vs encoding · Signatures & key exchange · Don’t roll your own
Build it: A junior stores passwords with SHA-256. Explain why that is still wrong, and what salted, slow hashing (bcrypt/argon2) fixes.
F4. Identity & Access
Intermediate · 55 min
Most breaches are authentication and authorization failures, not exotic exploits. Learn the difference (authn = who you are, authz = what you may do), how sessions and tokens work, OAuth2 and OIDC flows, MFA, and why "confused deputy" bugs let one component act with another’s power.
Skills: Authn vs authz · Sessions, JWTs & OAuth2/OIDC · MFA & password security · Broken access control
Build it: Design the permission check for an API where users may read any profile but edit only their own. Where do most teams get this wrong?
F5. Web Vulnerabilities
Intermediate · 65 min
The OWASP Top 10 is where security engineering meets the keyboard. Learn injection (SQL, command), cross-site scripting, CSRF, SSRF and insecure deserialization — how each works, how to find it, and the input-validation and output-encoding disciplines that shut whole classes of bug.
Skills: Injection (SQLi, cmd) · XSS & CSRF · SSRF & deserialization · Input validation & encoding
Build it: A search box builds SQL by string concatenation. Show the injection, then the parameterized-query fix — and why validation alone is not enough.
F6. Secure Coding
Intermediate · 55 min
Security is a property you build in, not bolt on. Learn to handle secrets (never in code or logs), manage dependencies and their vulnerabilities, fail closed, and read code adversarially — the everyday habits that keep vulnerabilities out of the codebase in the first place.
Skills: Secrets management · Dependency & supply-chain hygiene · Fail closed · Adversarial code review
Build it: Review a snippet that logs a full request for debugging. What sensitive data just leaked into your log pipeline forever?
Offense & Defense The craft
T1. Threat Modeling
Intermediate · 60 min
Before you defend, decide what you are defending against. Learn structured threat modeling (STRIDE, attack trees, data-flow diagrams): enumerate assets, entry points and adversaries, then prioritize by likelihood × impact so effort lands where the real risk is, not where the fear is.
Skills: STRIDE & attack trees · Data-flow diagrams · Assets & entry points · Risk prioritization
Build it: Threat-model a file-upload feature. List the threats by STRIDE category and pick the two you would fix first, with reasons.
T2. Offensive Security
Advanced · 65 min
You defend better once you have attacked. Learn the penetration-testing workflow — recon, scanning, exploitation, privilege escalation, reporting — the core tooling, and the discipline that separates a professional from a criminal: scope, authorization, and a written rules-of-engagement.
Skills: Recon & scanning · Exploitation & privesc · Pentest tooling · Scope & authorization
Build it: You are asked to "test our staging site". Write the three questions that must be answered before you touch a single request.
T3. Cloud Security
Advanced · 65 min
The perimeter dissolved into the cloud, and misconfiguration is now the #1 breach cause. Learn the shared-responsibility model, IAM done right (roles over keys), network controls (VPCs, security groups), secrets and KMS, and why one public S3 bucket has ended more companies than any zero-day.
Skills: Shared responsibility · Cloud IAM & roles · VPCs & security groups · KMS & secrets
Build it: An engineer makes a bucket public "just to test". Walk the blast radius, then design the guardrail that makes it impossible by policy.
T4. Container & Infra Security
Advanced · 60 min
Containers and orchestration added power and a new attack surface. Learn image scanning and minimal bases, the difference between a container boundary and a VM boundary, Kubernetes RBAC and pod security, and how a compromised container tries — and should fail — to escape to the host.
Skills: Image scanning & minimal images · Container vs VM isolation · Kubernetes RBAC & pod security · Runtime & escape defense
Build it: A pod runs as root with the Docker socket mounted. Explain the escape path to the node, then the three fixes that close it.
T5. Detection & Monitoring
Advanced · 60 min
Prevention fails; detection is how you find out before the headline does. Learn logging that means something, SIEM and detection rules, the signal-vs-noise problem, and detection engineering: writing and tuning the alerts that catch real attacks without burying the team in false positives.
Skills: Security logging · SIEM & detection rules · Signal vs noise · Detection engineering
Build it: Write the detection logic for "credential stuffing" against a login endpoint. What is the true signal, and how do you avoid paging on a Monday-morning login spike?
T6. Incident Response
Advanced · 55 min
When — not if — something gets through, calm process beats panic. Learn the IR lifecycle (prepare, detect, contain, eradicate, recover, learn), evidence handling and forensics basics, and the blameless post-mortem that turns a bad day into a stronger system instead of a fired scapegoat.
Skills: IR lifecycle · Containment & eradication · Forensics basics · Blameless post-mortems
Build it: A server is confirmed compromised at 2am. List your first five actions in order — and justify why "pull it off the network" comes before "wipe it".
Modern Frontiers Where it’s going
P1. DevSecOps
Advanced · 55 min
Security that lives outside the pipeline gets skipped. Learn to shift security left: SAST/DAST and dependency scanning in CI, security as a merge gate, infrastructure-as-code scanning, and the cultural shift from "the team that says no" to the team that makes the secure path the easy path.
Skills: Shift-left security · SAST/DAST in CI · IaC scanning · Security as a gate
Build it: Design the CI gate that blocks a merge introducing a critical CVE — without grinding every build to a halt on low-severity noise.
P2. Zero Trust & Network Security
Advanced · 55 min
The castle-and-moat model died; nothing inside the network is trusted anymore. Learn zero-trust architecture (verify every request, per-identity), micro-segmentation, mTLS between services, and why "on the corporate network" stopped being a meaningful security statement.
Skills: Zero-trust principles · Micro-segmentation · mTLS & service identity · Beyond the perimeter
Build it: Redesign access to an internal admin tool under zero trust. What replaces "it is only reachable on the VPN" as the control?
P3. Application Security at Scale
Advanced · 55 min
One reviewer cannot secure a thousand engineers. Learn to scale AppSec: security champions embedded in teams, paved-road secure defaults and libraries, bug-bounty programs, and measuring security posture so you can show risk going down instead of asserting it.
Skills: Security champions · Paved roads & secure defaults · Bug bounties · Posture metrics
Build it: Your team of three secures 300 engineers. Design the leverage: what do you automate, delegate, and make impossible-by-default?
P4. Securing AI & LLM Systems
Advanced · 65 min
AI applications broke the old rule that data and instructions are separate. Learn prompt injection (direct and indirect), the lethal trifecta, why filters cannot fully solve it, PII through model pipelines, and the model and MCP supply-chain risks that make securing AI its own discipline.
Skills: Prompt injection & the trifecta · Guardrails & least privilege · PII in LLM pipelines · AI supply chain
Build it: An agent reads web pages and can send email. Show the injection attack, then the architectural controls that make a hijack harmless.
P5. Governance, Risk & Compliance
Intermediate · 50 min
Security engineers who speak compliance get budget and buy-in. Learn the frameworks (SOC 2, ISO 27001, GDPR, HIPAA) at working depth, how audits actually work, risk registers, and how to translate a technical vulnerability into the business-risk language executives fund.
Skills: SOC 2 / ISO 27001 · GDPR / HIPAA basics · Audits & risk registers · Speaking business risk
Build it: Turn "we have no MFA on admin accounts" into a one-paragraph risk statement a CFO will approve budget to fix.
P6. The Security Career
Intermediate · 45 min
Security is a field of specializations and a mindset that never stops. Learn the branches (AppSec, cloud, offensive, detection, GRC, AI security), the certifications worth having versus the hype, how to keep current as attacks evolve, and how to grow from doing security to leading it.
Skills: Specialization paths · Certs worth it · Staying current · IC to leadership
Build it: Map your next six months: one foundational skill, one offensive skill, one frontier skill — and the lab or CTF that proves each.