Skip to content
Security Roadmap
0 / 18
Roadmap · 2026 Edition

Security
Engineer.

18 stations. 3 tracks. From the security mindset and cryptography to threat modeling, cloud and detection, then DevSecOps, zero trust and securing AI — become the engineer who breaks and defends systems.

Foundations
~6h 0/6
Offense & Defense
~6h 0/6
Frontiers
~6h 0/6
0 of 18 stations · ~0h of ~17h
Lines —
Foundations
Offense & Defense
Modern Frontiers
Stations —
Not started
Completed

The roadmap.

Three tracks. 18 stations. Click any node to open its detail. Mark complete as you go — your progress is saved locally.

Practice tools

Go deeper.

Interactive tools to practice what you've learned from the roadmap above.

    Keep reading.

    The Prompting Handbook covers the Foundation track in depth — interactive, no code required.

    Read the handbook →

    Security Engineer Roadmap 2026 — the full roadmap in text

    A written version of the interactive roadmap above — every station, what you'll learn, and a small thing to build — laid out for reading, reference and search.

    Foundations Start here

    F1. The Security Mindset

    Beginner · 40 min

    Security is a way of thinking before it is a toolset: assume breach, distrust input, and ask "how would I abuse this?" of everything. Learn the CIA triad (confidentiality, integrity, availability), the principle of least privilege, defense in depth, and why the attacker only has to be right once while you have to be right always.

    Skills: CIA triad · Least privilege & defense in depth · Threat vs vulnerability vs risk · Thinking like an attacker

    Build it: Take a login form and list ten ways to abuse it. Which are your problem to defend, and which belong to the platform?

    F2. Networking & the Web

    Beginner · 55 min

    You cannot secure what you do not understand. Learn how packets, TCP/IP, DNS and TLS actually move data, what a request really contains, and where trust boundaries sit — because most attacks live at the seams between systems that each assumed the other was safe.

    Skills: TCP/IP & DNS · HTTP & the request lifecycle · TLS & certificates · Trust boundaries

    Build it: Trace an HTTPS request end to end: DNS, handshake, headers, response. Where could a man-in-the-middle sit, and what stops them?

    F3. Cryptography Foundations

    Intermediate · 60 min

    Crypto is the load-bearing wall of security, and misusing it is worse than skipping it. Learn symmetric vs asymmetric encryption, hashing vs encryption vs encoding, digital signatures, and the golden rule that saves careers: never roll your own crypto — use vetted libraries correctly.

    Skills: Symmetric vs asymmetric · Hashing vs encryption vs encoding · Signatures & key exchange · Don’t roll your own

    Build it: A junior stores passwords with SHA-256. Explain why that is still wrong, and what salted, slow hashing (bcrypt/argon2) fixes.

    F4. Identity & Access

    Intermediate · 55 min

    Most breaches are authentication and authorization failures, not exotic exploits. Learn the difference (authn = who you are, authz = what you may do), how sessions and tokens work, OAuth2 and OIDC flows, MFA, and why "confused deputy" bugs let one component act with another’s power.

    Skills: Authn vs authz · Sessions, JWTs & OAuth2/OIDC · MFA & password security · Broken access control

    Build it: Design the permission check for an API where users may read any profile but edit only their own. Where do most teams get this wrong?

    F5. Web Vulnerabilities

    Intermediate · 65 min

    The OWASP Top 10 is where security engineering meets the keyboard. Learn injection (SQL, command), cross-site scripting, CSRF, SSRF and insecure deserialization — how each works, how to find it, and the input-validation and output-encoding disciplines that shut whole classes of bug.

    Skills: Injection (SQLi, cmd) · XSS & CSRF · SSRF & deserialization · Input validation & encoding

    Build it: A search box builds SQL by string concatenation. Show the injection, then the parameterized-query fix — and why validation alone is not enough.

    F6. Secure Coding

    Intermediate · 55 min

    Security is a property you build in, not bolt on. Learn to handle secrets (never in code or logs), manage dependencies and their vulnerabilities, fail closed, and read code adversarially — the everyday habits that keep vulnerabilities out of the codebase in the first place.

    Skills: Secrets management · Dependency & supply-chain hygiene · Fail closed · Adversarial code review

    Build it: Review a snippet that logs a full request for debugging. What sensitive data just leaked into your log pipeline forever?

    Offense & Defense The craft

    T1. Threat Modeling

    Intermediate · 60 min

    Before you defend, decide what you are defending against. Learn structured threat modeling (STRIDE, attack trees, data-flow diagrams): enumerate assets, entry points and adversaries, then prioritize by likelihood × impact so effort lands where the real risk is, not where the fear is.

    Skills: STRIDE & attack trees · Data-flow diagrams · Assets & entry points · Risk prioritization

    Build it: Threat-model a file-upload feature. List the threats by STRIDE category and pick the two you would fix first, with reasons.

    T2. Offensive Security

    Advanced · 65 min

    You defend better once you have attacked. Learn the penetration-testing workflow — recon, scanning, exploitation, privilege escalation, reporting — the core tooling, and the discipline that separates a professional from a criminal: scope, authorization, and a written rules-of-engagement.

    Skills: Recon & scanning · Exploitation & privesc · Pentest tooling · Scope & authorization

    Build it: You are asked to "test our staging site". Write the three questions that must be answered before you touch a single request.

    T3. Cloud Security

    Advanced · 65 min

    The perimeter dissolved into the cloud, and misconfiguration is now the #1 breach cause. Learn the shared-responsibility model, IAM done right (roles over keys), network controls (VPCs, security groups), secrets and KMS, and why one public S3 bucket has ended more companies than any zero-day.

    Skills: Shared responsibility · Cloud IAM & roles · VPCs & security groups · KMS & secrets

    Build it: An engineer makes a bucket public "just to test". Walk the blast radius, then design the guardrail that makes it impossible by policy.

    T4. Container & Infra Security

    Advanced · 60 min

    Containers and orchestration added power and a new attack surface. Learn image scanning and minimal bases, the difference between a container boundary and a VM boundary, Kubernetes RBAC and pod security, and how a compromised container tries — and should fail — to escape to the host.

    Skills: Image scanning & minimal images · Container vs VM isolation · Kubernetes RBAC & pod security · Runtime & escape defense

    Build it: A pod runs as root with the Docker socket mounted. Explain the escape path to the node, then the three fixes that close it.

    T5. Detection & Monitoring

    Advanced · 60 min

    Prevention fails; detection is how you find out before the headline does. Learn logging that means something, SIEM and detection rules, the signal-vs-noise problem, and detection engineering: writing and tuning the alerts that catch real attacks without burying the team in false positives.

    Skills: Security logging · SIEM & detection rules · Signal vs noise · Detection engineering

    Build it: Write the detection logic for "credential stuffing" against a login endpoint. What is the true signal, and how do you avoid paging on a Monday-morning login spike?

    T6. Incident Response

    Advanced · 55 min

    When — not if — something gets through, calm process beats panic. Learn the IR lifecycle (prepare, detect, contain, eradicate, recover, learn), evidence handling and forensics basics, and the blameless post-mortem that turns a bad day into a stronger system instead of a fired scapegoat.

    Skills: IR lifecycle · Containment & eradication · Forensics basics · Blameless post-mortems

    Build it: A server is confirmed compromised at 2am. List your first five actions in order — and justify why "pull it off the network" comes before "wipe it".

    Modern Frontiers Where it’s going

    P1. DevSecOps

    Advanced · 55 min

    Security that lives outside the pipeline gets skipped. Learn to shift security left: SAST/DAST and dependency scanning in CI, security as a merge gate, infrastructure-as-code scanning, and the cultural shift from "the team that says no" to the team that makes the secure path the easy path.

    Skills: Shift-left security · SAST/DAST in CI · IaC scanning · Security as a gate

    Build it: Design the CI gate that blocks a merge introducing a critical CVE — without grinding every build to a halt on low-severity noise.

    P2. Zero Trust & Network Security

    Advanced · 55 min

    The castle-and-moat model died; nothing inside the network is trusted anymore. Learn zero-trust architecture (verify every request, per-identity), micro-segmentation, mTLS between services, and why "on the corporate network" stopped being a meaningful security statement.

    Skills: Zero-trust principles · Micro-segmentation · mTLS & service identity · Beyond the perimeter

    Build it: Redesign access to an internal admin tool under zero trust. What replaces "it is only reachable on the VPN" as the control?

    P3. Application Security at Scale

    Advanced · 55 min

    One reviewer cannot secure a thousand engineers. Learn to scale AppSec: security champions embedded in teams, paved-road secure defaults and libraries, bug-bounty programs, and measuring security posture so you can show risk going down instead of asserting it.

    Skills: Security champions · Paved roads & secure defaults · Bug bounties · Posture metrics

    Build it: Your team of three secures 300 engineers. Design the leverage: what do you automate, delegate, and make impossible-by-default?

    P4. Securing AI & LLM Systems

    Advanced · 65 min

    AI applications broke the old rule that data and instructions are separate. Learn prompt injection (direct and indirect), the lethal trifecta, why filters cannot fully solve it, PII through model pipelines, and the model and MCP supply-chain risks that make securing AI its own discipline.

    Skills: Prompt injection & the trifecta · Guardrails & least privilege · PII in LLM pipelines · AI supply chain

    Build it: An agent reads web pages and can send email. Show the injection attack, then the architectural controls that make a hijack harmless.

    P5. Governance, Risk & Compliance

    Intermediate · 50 min

    Security engineers who speak compliance get budget and buy-in. Learn the frameworks (SOC 2, ISO 27001, GDPR, HIPAA) at working depth, how audits actually work, risk registers, and how to translate a technical vulnerability into the business-risk language executives fund.

    Skills: SOC 2 / ISO 27001 · GDPR / HIPAA basics · Audits & risk registers · Speaking business risk

    Build it: Turn "we have no MFA on admin accounts" into a one-paragraph risk statement a CFO will approve budget to fix.

    P6. The Security Career

    Intermediate · 45 min

    Security is a field of specializations and a mindset that never stops. Learn the branches (AppSec, cloud, offensive, detection, GRC, AI security), the certifications worth having versus the hype, how to keep current as attacks evolve, and how to grow from doing security to leading it.

    Skills: Specialization paths · Certs worth it · Staying current · IC to leadership

    Build it: Map your next six months: one foundational skill, one offensive skill, one frontier skill — and the lab or CTF that proves each.

    Finished this one? 0 / 17 Roadmaps done

    Explore the topic

    See this alongside everything else on the same subject — handbooks, system designs, challenges and tools, in one place.

    More Roadmaps