Cybersecurity: Linux, Networking, and Offensive Security

1. Purpose of This Part

This part defines the cybersecurity roadmap.

Cybersecurity is one of the most practical and reality-testing domains in the master plan because it forces the builder to understand systems from the perspective of failure.

Software development asks:

  “How do I make this work?”

Cybersecurity asks:

  “How does this break?”

Both questions are necessary.

A serious builder must understand both construction and failure.

The goal is not to become a reckless hacker.

The goal is: To become an ethical, disciplined, technically strong security practitioner

who can understand systems deeply, find weaknesses legally, document them professionally, and help make systems safer.

This connects directly to the original brief: the desired cybersecurity path is specifically to complete the Hack The Box Penetration Tester path, complete boxes, earn CPTS, complete OSCP, and do real bug bounties successfully.

The standard is:

Can I legally assess a system, find weaknesses, prove impact safely, document evidence, explain risk, and recommend remediation?

2. Ethical and Legal Boundary

This section must be built on a strict ethical foundation.

Cybersecurity skills are dual-use.

The same technical skill can be used to protect or harm.

Therefore, this domain requires a stronger boundary than most others.

The rule is:

Only test systems I own, systems I have explicit written permission to test, controlled labs, CTF environments, or programs whose scope clearly authorizes the activity.

No exceptions.

Do not test random websites.

Do not scan companies without permission.

Do not exploit real systems without scope.

Do not touch accounts, data, infrastructure, or networks that are not explicitly authorized.

Do not confuse curiosity with permission.

Bug bounty and vulnerability disclosure programs exist precisely because ethical security work needs rules of engagement. HackerOne’s disclosure guidelines state that vulnerability submissions through programs are governed by published guidelines, and Bugcrowd describes vulnerability disclosure programs as structured frameworks for documenting and submitting vulnerabilities under responsible disclosure terms. (HackerOne)

The ethical standard is:

     If there is no authorization, there is no testing.

3. What Cybersecurity Competence Actually Means

Cybersecurity competence is not running tools.

It is not typing commands from a writeup.

It is not copying payloads.

It is not collecting certificates without judgment.

Real cybersecurity competence means understanding:

●​ systems ●​ networks ●​ protocols ●​ operating systems ●​ web applications ●​ authentication ●​ authorization ●​ databases ●​ cloud infrastructure ●​ misconfigurations ●​ human processes ●​ logging ●​ detection ●​ impact ●​ risk ●​ reporting ●​ remediation

A serious security practitioner asks:

●​ What is the asset? ●​ What is the scope? ●​ What is the threat model? ●​ What is exposed?

• What trust assumptions exist?
• What inputs are accepted?
• What permissions exist?
• What can an attacker control?
• What can be chained?
• What evidence is safe to collect?
• What is the business impact?
• How can this be fixed?
• How can this be prevented?

The standard is not:

    “Can I exploit this lab box?”

The standard is:

Can I understand why the weakness exists, prove it safely, explain the risk, and help eliminate it?

4. The Research-Backed Source Spine

The cybersecurity roadmap should be grounded in labs, official documentation, professional frameworks, and responsible disclosure practice.

The main source spine is:

• Hack The Box Academy Penetration Tester Path for structured hands-on offensive

security learning. HTB’s Penetration Tester path includes modules such as penetration testing fundamentals and network enumeration with Nmap, and is organized as a job-role path. (academy.hackthebox.com)

• HTB CPTS as the first major practical certification target. Hack The Box describes CPTS

as a highly hands-on certification assessing penetration testing skills, and HTB’s own “where to start” guidance recommends completing the Penetration Tester job-role path modules. (academy.hackthebox.com)

• OffSec PEN-200 / OSCP as the second major practical certification target. OffSec

describes PEN-200 as its foundational hands-on ethical hacking and penetration testing course, teaching core skills including enumeration, exploitation, and evidence gathering, while the OSCP+ exam guide describes the exam as a private VPN lab environment with vulnerable machines and a 23-hour-45-minute exam window. (OffSec)

• OWASP Web Security Testing Guide for web application testing methodology. OWASP

describes WSTG as a comprehensive guide for testing web applications and web services. (OWASP Foundation)

- OWASP Top 10 for awareness of major web application security risks. OWASP

describes the Top 10 as a standard awareness document representing broad consensus about critical web application security risks, and its current released version is OWASP Top 10 2025. (OWASP Foundation) ●​ PortSwigger Web Security Academy for hands-on web security labs. PortSwigger describes it as a free online training center for web application security, with content from PortSwigger’s research team, academics, and Dafydd Stuttard. (PortSwigger) ●​ MITRE ATT&CK for adversary tactics and techniques. MITRE describes ATT&CK as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. (MITRE ATT&CK) ●​ NIST Cybersecurity Framework 2.0 for defensive/risk-management context. NIST CSF 2.0 organizes cybersecurity outcomes around Govern, Identify, Protect, Detect, Respond, and Recover. (NIST Publications) ●​ HackerOne and Bugcrowd disclosure guidance for responsible vulnerability reporting and bug bounty conduct. HackerOne provides vulnerability disclosure guidelines, and Bugcrowd describes VDPs as structured frameworks with scope, safe harbor, and remediation methods. (HackerOne)

The rule is:

Labs teach technique. Frameworks teach structure. Reports teach professionalism. Ethics defines the boundary.

5. The Cybersecurity Builder Identity

The identity to build here is:

   Ethical offensive security engineer.

This means you are not trying to become “a hacker” as an aesthetic.

You are trying to become someone who understands systems deeply enough to protect them.

An ethical offensive security engineer can think like an attacker while acting like a professional.

They know that security work is not about ego.

It is about:

●​ truth ●​ evidence ●​ scope

• restraint
• repeatability
• impact
• remediation
• communication
• trust

The best security people are not only technically sharp.

They are disciplined.

They know when to stop.

They know what not to touch.

They know how to report without exaggeration.

They know how to protect data they encounter.

They know that the goal is not “owning systems.”

The goal is making systems safer.

6. The Cybersecurity Roadmap Ladder

The roadmap is divided into layers.

Each layer must produce artifacts.

Do not move forward simply because a course section is complete.

Move forward when lab notes, writeups, reports, methodology, and safe practice show competence.

Layer 0 — Ethics, Law, Scope, and

Operational Discipline Purpose This is the foundation of the entire cybersecurity domain.

Without ethics and scope discipline, technical skill becomes dangerous.

Topics

• authorization
• scope
• rules of engagement
• safe harbor
• responsible disclosure
• vulnerability disclosure programs
• bug bounty program rules
• data minimization
• evidence handling
• privacy
• professional conduct
• reporting boundaries
• legal risk
• stopping conditions
• personal lab separation
• note-taking discipline

Required Artifacts Create:

1. Personal cybersecurity ethics policy
2. Scope and authorization checklist
3. Rules of engagement template
4. Responsible disclosure checklist
5. Bug bounty program reading template
6. Evidence-handling policy
7. “When to stop testing” checklist
8. Lab-only testing declaration
9. Report redaction checklist
10. “Why permission matters” essay

Completion Standard This layer is complete when:

• scope is checked before any activity
• testing only happens in authorized environments
• bug bounty rules are read before testing
• evidence is collected minimally and safely
• ethical boundaries are written and followed

Layer 1 — Linux, Shell, and Security

Workstation Foundations Purpose Cybersecurity work requires comfort with Linux and the command line.

The terminal must become a normal working environment.

This layer overlaps with the low-level/Linux roadmap, but cybersecurity needs its own practical Linux fluency.

Topics

• Linux filesystem
• users and groups
• permissions
• processes
• services
• logs
• package management
• shell navigation
• pipes and redirection
• grep/sed/awk basics
• bash scripting
• SSH
• file transfer
• environment variables
• cron
• systemctl
• networking commands
• terminal multiplexing
• Kali or Parrot basics
• VM snapshots
• lab isolation

Required Artifacts Create:

1. Linux security workstation setup notes
2. Kali/Parrot VM setup log
3. Linux command cheat sheet
4. Permissions practice lab
5. Bash scripting mini-lab
6. Log inspection notebook
7. SSH and file transfer notes
8. VM snapshot and recovery guide
9. Lab network diagram
10. “Linux skills for pentesting” essay

Completion Standard This layer is complete when:

• Linux navigation is comfortable
• permissions are understood
• common commands are usable
• files can be searched and processed
• VMs are managed safely
• lab environments can be reset

Layer 2 — Networking Foundations

Purpose Penetration testing requires understanding how systems communicate.

Without networking, tools become magic. Topics

• OSI and TCP/IP models
• IP addressing
• subnets
• routing basics
• DNS
• DHCP
• ARP
• TCP
• UDP
• ports
• sockets
• HTTP/HTTPS
• TLS basics
• ICMP
• packet capture
• Wireshark
• firewalls
• NAT
• VPNs
• common service ports
• network troubleshooting

Required Artifacts Create:

1. Networking fundamentals notebook
2. Subnetting practice set
3. Common ports reference sheet
4. Wireshark packet-capture lab
5. DNS lookup notes
6. TCP handshake diagram
7. HTTP request/response examples
8. TLS basics concept map
9. Home/lab network diagram
10. “Networking for security testing” essay

Completion Standard This layer is complete when:

• IPs, ports, and protocols are understandable
• subnetting is usable
• packet captures can be interpreted at a basic level
• HTTP and DNS are not mysterious
• network issues can be debugged systematically

Layer 3 — Programming and Scripting for

Security Purpose Security practitioners need enough programming ability to automate, parse, test, and build tools.

The goal is not only to run existing tools.

The goal is to write small tools when needed.

Topics

• Python scripting
• Bash scripting
• regex
• parsing files
• HTTP requests
• JSON handling
• CSV handling
• socket basics
• web scraping only where allowed
• API usage
• wordlist processing
• report automation
• log parsing
• simple scanners in lab contexts
• exploit proof-of-concept reading
• safe script design

Required Artifacts Create:

1. Python security utilities repo
2. Bash automation scripts repo
3. HTTP request script
4. Log parser
5. Wordlist processor
6. Port-list parser
7. Report evidence organizer
8. Screenshot/file naming helper
9. Lab-only scanner script
10. “Why security people should code” essay

Completion Standard This layer is complete when:

• repetitive tasks can be automated
• tool output can be parsed
• HTTP requests can be scripted
• Python and Bash are useful in labs
• scripts are documented and safe

Layer 4 — Web Foundations for Security

Purpose Web security cannot be learned properly without understanding how web applications work.

This layer overlaps with software development, but security requires a special focus on failure points.

Topics

• HTML forms
• JavaScript basics
• HTTP methods
• headers
• cookies
• sessions
• authentication
• authorization
• APIs
• REST
• JSON
• CORS
• CSRF
• databases
• SQL basics
• file uploads
• redirects
• OAuth basics
• browser security model
• same-origin policy
• content security policy basics

Required Artifacts Create:

1. Web security foundations notebook
2. HTTP request/response archive
3. Cookie/session explanation
4. Authentication flow diagram
5. Authorization failure examples in labs
6. Browser security model notes
7. SQL basics for security notebook
8. CORS concept map
9. OAuth basics notes
10. “How web apps break” essay

Completion Standard This layer is complete when:

• HTTP traffic can be read
• cookies and sessions are understood
• authentication and authorization are distinguished
• browser security concepts are clear
• web vulnerabilities can be connected to application design mistakes

Layer 5 — Web Application Security

Purpose Web application security is one of the most practical and bug-bounty-relevant areas.

This layer should be grounded in OWASP and PortSwigger.

OWASP WSTG provides a comprehensive testing framework for web applications and services, OWASP Top 10 gives a high-level awareness map of critical web risks, and PortSwigger Web Security Academy gives hands-on labs across major vulnerability classes. (OWASP Foundation)

Topics

• reconnaissance within scope
• authentication vulnerabilities
• access control
• IDOR
• SQL injection
• XSS
• CSRF
• SSRF
• XXE
• file upload vulnerabilities
• path traversal
• command injection
• insecure deserialization
• business logic flaws
• race conditions
• OAuth vulnerabilities
• CORS misconfiguration
• request smuggling
• JWT issues
• API security
• GraphQL security basics
• secure coding countermeasures

Required Artifacts Create:

1. OWASP Top 10 2025 study notes
2. OWASP WSTG checklist notes
3. PortSwigger lab writeup archive
4. Authentication vulnerability notes
5. Access control/IDOR notes
6. Injection vulnerability notes
7. XSS notes
8. File upload security notes
9. SSRF/XXE/path traversal notes
10. Web vulnerability remediation guide

Lab Rule For every web security lab:

• state the vulnerability class
• explain the root cause
• describe the safe lab exploit path at a high level
• include screenshots where allowed
• explain impact
• explain remediation
• write “how to prevent this as a developer”

Completion Standard This layer is complete when:

• common web vulnerabilities are recognized
• root causes can be explained
• labs are solved without blind copying
• findings can be written professionally
• remediation advice is clear
• offensive knowledge improves defensive coding

Layer 6 — Reconnaissance, Enumeration,

and Methodology Purpose Enumeration is the heart of penetration testing.

Many failed attempts are not caused by lack of exploits.

They are caused by weak enumeration.

HTB’s Penetration Tester path includes network enumeration with Nmap and penetration testing fundamentals as early modules, which makes this layer central to the HTB/CPTS path. (academy.hackthebox.com)

Topics

• methodology
• note-taking
• asset identification
• port scanning in labs
• service enumeration
• version detection
• banner analysis
• web enumeration
• directory discovery in labs
• DNS enumeration in scope
• SMB enumeration in labs
• FTP/SSH/HTTP enumeration
• vulnerability research
• exploitability assessment
• false positives
• evidence capture
• attack path mapping

Required Artifacts Create:

1. Enumeration methodology document
2. Lab note template
3. Service enumeration checklist
4. Web enumeration checklist
5. Common ports and service notes
6. Nmap learning notes
7. Vulnerability research template
8. Attack-path diagram template
9. Enumeration failure postmortems
10. “Enumeration before exploitation” essay Completion Standard This layer is complete when:

• enumeration is systematic
• notes are structured
• services are investigated before exploitation
• attack paths are mapped
• failed enumeration is reviewed
• tools are understood rather than sprayed blindly

Layer 7 — Exploitation Concepts in

Controlled Labs Purpose This layer teaches exploitation inside authorized lab environments only.

The goal is not to memorize payloads.

The goal is to understand how weaknesses become impact.

Topics

• vulnerability validation
• exploit preconditions
• proof of concept
• safe exploitation
• shells in lab contexts
• privilege boundaries
• misconfiguration exploitation
• weak credentials in labs
• vulnerable services in labs
• public CVE research
• exploit modification in labs
• payload safety
• impact proof without damage
• cleanup in lab environments Required Artifacts Create:

1. Exploitation concepts notebook
2. Lab-only exploit validation notes
3. Misconfiguration exploitation notes
4. Public CVE research template
5. Proof-of-concept explanation template
6. Safe evidence checklist
7. Exploit failure log
8. Impact explanation examples
9. Remediation mapping notes
10. “Exploitation as proof, not vandalism” essay

Completion Standard This layer is complete when:

• exploitation is tied to root cause
• exploitability is verified safely
• evidence is minimal and controlled
• impact is explained responsibly
• remediation is included
• lab work never spills into unauthorized targets

Layer 8 — Privilege Escalation

Purpose Privilege escalation teaches how local misconfigurations, weak permissions, vulnerable services, credentials, and system design issues can increase impact.

This should be practiced only in controlled labs.

Topics

• Linux privilege escalation concepts
• Windows privilege escalation concepts
• permissions
• SUID/SGID concepts
• writable paths
• service misconfigurations
• scheduled tasks
• credential hunting in labs
• kernel version research
• local exploit risk
• PATH issues
• sudo misconfiguration
• weak file permissions
• Windows services
• registry basics
• token/privilege concepts
• post-exploitation discipline

Required Artifacts Create:

1. Linux privilege escalation notebook
2. Windows privilege escalation notebook
3. Permission misconfiguration notes
4. Lab escalation checklist
5. Credential handling ethics note
6. Escalation path diagrams
7. Privilege escalation postmortems
8. Defensive hardening notes
9. Detection/logging notes
10. “Privilege escalation as risk amplification” essay

Completion Standard This layer is complete when:

• escalation paths can be reasoned about
• permissions are understood deeply
• lab escalation is documented clearly
• defensive fixes are included
• sensitive data is handled ethically
• escalation is understood as impact amplification, not trophy hunting

Layer 9 — Active Directory and Enterprise

Attack Paths Purpose Active Directory is central to many enterprise environments and is heavily represented in modern penetration testing.

This layer should come after Linux, networking, Windows basics, enumeration, web security, and privilege escalation foundations.

Topics

• Windows domain basics
• users
• groups
• domain controllers
• Kerberos concepts
• NTLM concepts
• SMB basics
• LDAP basics
• group policy
• domain enumeration
• privilege relationships
• credential abuse in labs
• lateral movement concepts
• attack path mapping
• misconfigurations
• defensive hardening
• logging and detection
• report writing

Required Artifacts Create:

1. Active Directory fundamentals notebook
2. Kerberos/NTLM concept map
3. Domain object glossary
4. AD lab setup notes
5. AD enumeration methodology
6. Attack path diagram examples
7. AD misconfiguration notes
8. AD lab writeups
9. AD defensive hardening guide
10. “Why enterprise security is relationship security” essay

Completion Standard This layer is complete when:

• AD terminology is understandable
• domain relationships can be mapped
• lab attack paths can be explained
• defensive remediations are included
• AD is understood as identity and trust infrastructure

Layer 10 — HTB Academy Penetration

Tester Path Purpose This is one of the central structured paths in the cybersecurity plan.

The Hack The Box Academy Penetration Tester path should be completed carefully, not rushed.

HTB’s own “where to start” page for CPTS recommends enrolling in the Penetration Tester job-role path and completing all included modules 100%. (academy.hackthebox.com)

Method For every HTB Academy module:

1. Complete the lesson.
2. Take notes.
3. Do the exercises.
4. Rewrite the method in your own words.
5. Create a checklist.
6. Apply the concept to a lab if available.
7. Write what went wrong.
8. Add defensive/remediation notes.

Required Artifacts Create:

1. HTB Academy master tracker
2. Module notes
3. Module checklists
4. Exercise writeups
5. Personal methodology updates
6. Common commands reference
7. Concept maps
8. Mistake log
9. Remediation notes
10. CPTS readiness map

Completion Standard This layer is complete when:

• the Penetration Tester path is completed thoroughly
• notes are usable without the course open
• exercises are understood, not copied
• methodology has improved
• CPTS objectives feel familiar
• weak modules are reviewed

Layer 11 — Hack The Box Boxes and Lab

Practice Purpose Boxes convert course knowledge into messy practice.

Labs are where methodology becomes real. Box Practice Method For every box:

1. Confirm it is a legal lab environment.
2. Record machine name and difficulty.
3. Start with enumeration.
4. Document findings.
5. Map possible attack paths.
6. Attempt carefully.
7. Record dead ends.
8. Capture minimal proof.
9. Explain root cause.
10. Write remediation.

Required Artifacts Create:

1. HTB box tracker
2. Enumeration notes per box
3. Attack path diagrams
4. Lab writeups
5. Dead-end log
6. Privilege escalation notes
7. Remediation section per box
8. Techniques index
9. Weakness heatmap
10. “What boxes taught me” monthly review

Completion Standard This layer is complete when:

• boxes are solved methodically
• notes are detailed enough to learn from
• writeups explain root cause and remediation
• dead ends are reviewed
• repeated weaknesses are identified
• methodology improves over time

Layer 12 — CPTS Preparation and Exam

Readiness Purpose CPTS is the first major cybersecurity certification target in this plan.

Hack The Box describes CPTS as highly hands-on and focused on assessing penetration testing skills. (academy.hackthebox.com)

Preparation Focus

• complete HTB Penetration Tester path
• review all module notes
• practice full attack chains
• improve reporting
• practice time management
• practice documentation while working
• practice evidence collection
• review weak domains
• simulate exam conditions
• write practice reports

Required Artifacts Create:

1. CPTS objective checklist
2. CPTS readiness self-assessment
3. Full methodology playbook
4. Practice report template
5. Evidence checklist
6. Weakness remediation plan
7. Time management strategy
8. Mock engagement report
9. Post-practice review notes
10. CPTS final review document

Completion Standard This layer is complete when:

• methodology is stable
• reporting is practiced
• full engagement flow is familiar
• weak areas are identified and repaired
• practice reports are professional
• exam attempt is justified by evidence, not hope

Layer 13 — OSCP / PEN-200 Preparation

Purpose OSCP is the second major cybersecurity certification target in this plan.

OffSec describes PEN-200 as its foundational ethical hacking and penetration testing course, and it teaches core pentesting skills including enumeration, exploitation, and evidence gathering. The current OSCP+ exam guide describes the exam as a private VPN environment with vulnerable machines and a 23-hour-45-minute completion period. (OffSec)

Preparation Focus

• PEN-200 course
• OffSec labs
• proving grounds/lab practice
• enumeration speed
• privilege escalation
• Active Directory
• reporting
• screenshots/evidence
• time management
• stress management
• methodology under pressure

Required Artifacts Create:

1. OSCP/PEN-200 tracker
2. PEN-200 notes
3. Lab machine writeups
4. Enumeration methodology sheet
5. Privilege escalation checklist
6. AD practice notes
7. Report template
8. Exam-day workflow
9. Mistake log
10. Post-lab review summaries

Completion Standard This layer is complete when:

• PEN-200 material is completed
• lab practice is substantial
• reports are clean and repeatable
• enumeration is disciplined
• AD basics are solid
• time pressure has been practiced
• exam readiness is based on repeated performance

Layer 14 — Bug Bounty and Vulnerability

Disclosure Purpose Bug bounty work is where controlled skill begins moving toward real-world authorized targets.

This layer should come after substantial lab experience.

Bug bounty work is not a game.

It is professional security research inside strict program scope.

HackerOne and Bugcrowd both emphasize structured disclosure and program rules. Bugcrowd describes VDPs as usually containing program scope, safe harbor, and remediation method, while HackerOne provides disclosure guidelines for vulnerability submissions through programs. (Bugcrowd) Topics

●​ program scope ●​ safe harbor ●​ rules of engagement ●​ severity ●​ duplicates ●​ triage ●​ report writing ●​ proof of concept ●​ impact ●​ remediation ●​ communication ●​ retesting ●​ disclosure timelines ●​ out-of-scope behavior ●​ data handling ●​ legal caution ●​ patience

Bug Bounty Method Start with:

1.​ Read program scope. 2.​ Read out-of-scope items. 3.​ Read safe harbor terms. 4.​ Identify allowed assets. 5.​ Choose low-risk testing first. 6.​ Avoid destructive testing. 7.​ Do not access unnecessary data. 8.​ Document evidence clearly. 9.​ Report professionally. 10.​Wait for triage.

Required Artifacts Create:

1.​ Bug bounty program review template 2.​ Scope reading checklist 3.​ Safe harbor notes 4.​ Report template

5. Severity rating notes

6.​ Duplicate analysis log 7.​ Finding tracker 8.​ Communication templates 9.​ Responsible disclosure case studies 10.​“Bug bounty as professional service” essay

Completion Standard This layer is complete when:

●​ program rules are followed exactly ●​ testing remains in scope ●​ reports are clear and respectful ●​ evidence is minimal and safe ●​ duplicates are handled professionally ●​ vulnerability disclosure is treated as collaboration, not combat

Layer 15 — Reporting and Professional

Communication Purpose A vulnerability that is poorly reported may not get fixed.

Reporting is not an afterthought.

It is a core security skill.

A strong report helps someone reproduce, understand, prioritize, and fix the issue.

Report Structure Every professional report should include:

1.​ Title 2.​ Summary 3.​ Severity 4.​ Affected asset

5. Scope confirmation
6. Preconditions
7. Reproduction steps at an appropriate level of detail
8. Evidence
9. Impact
10. Business risk
11. Technical root cause
12. Remediation
13. References
14. Timeline
15. Retest notes

Required Artifacts Create:

1. Vulnerability report template
2. Executive summary template
3. Technical finding template
4. Evidence checklist
5. Remediation language bank
6. Severity justification guide
7. Screenshot standard
8. Report redaction checklist
9. Practice report archive
10. “Writing is part of hacking” essay

Completion Standard This layer is complete when:

• reports are clear
• evidence is sufficient but minimal
• impact is not exaggerated
• remediation is practical
• executive and technical readers are both served
• report quality improves over time

Layer 16 — Defensive Thinking, Detection,

and Hardening Purpose Even if the path is offensive security, defensive thinking is necessary.

A good pentester understands how defenders think.

NIST CSF 2.0 is useful here because it organizes cybersecurity outcomes around Govern, Identify, Protect, Detect, Respond, and Recover, while MITRE ATT&CK provides a shared language for adversary behavior based on real-world observations. (NIST Publications)

Topics

• threat modeling
• asset inventory
• attack surface management
• hardening
• patching
• least privilege
• logging
• detection
• incident response basics
• backups
• recovery
• security monitoring
• MITRE ATT&CK mapping
• control validation
• secure configuration
• developer remediation
• risk communication

Required Artifacts Create:

1. Defensive security notebook
2. NIST CSF 2.0 concept map
3. MITRE ATT&CK tactics notes
4. Hardening checklist for Linux
5. Hardening checklist for web apps
6. Logging and detection notes
7. Threat modeling template
8. Secure coding checklist
9. Finding-to-remediation mapping guide
10. “Offense should improve defense” essay

Completion Standard This layer is complete when:

• findings can be mapped to defensive fixes
• MITRE ATT&CK is understood conceptually
• NIST CSF functions are familiar
• hardening recommendations are practical
• security becomes risk reduction, not just exploitation

7. Cybersecurity Project Ladder

Cybersecurity projects must produce evidence of skill, ethics, and communication.

Level 1 — Foundations Labs Purpose: build fundamentals.

Examples:

• Linux permissions lab
• networking packet capture lab
• HTTP request/response lab
• basic scripting tools
• VM lab setup
• subnetting exercises
• Wireshark exercises
• log analysis exercises
• shell scripting tasks
• safe lab documentation Level 2 — Web Security Labs Purpose: build web vulnerability understanding.

Examples:

• PortSwigger lab writeups
• OWASP Top 10 notes
• deliberately vulnerable app testing
• authentication flaw analysis
• access control lab notes
• injection vulnerability lab notes
• XSS lab notes
• file upload lab notes
• SSRF/XXE/path traversal lab notes
• remediation guides

Level 3 — HTB Academy and Box Practice Purpose: build practical methodology.

Examples:

• HTB module notes
• HTB box writeups
• enumeration checklists
• attack path diagrams
• privilege escalation notes
• remediation sections
• methodology updates
• monthly progress reviews
• weak-topic heatmaps
• practice report drafts

Level 4 — Certification Preparation Purpose: prepare for CPTS and OSCP. Examples:

• CPTS readiness report
• CPTS mock report
• OSCP/PEN-200 notes
• OSCP lab writeups
• AD practice notes
• privilege escalation checklist
• exam workflow
• time management plan
• final review docs
• post-practice reviews

Level 5 — Bug Bounty Practice Purpose: move into authorized real-world testing.

Examples:

• program scope analysis
• safe harbor notes
• target notes
• finding tracker
• duplicate analysis
• draft reports
• submitted reports
• triage communication log
• retest notes
• lessons learned

Level 6 — Tooling and Security Engineering Purpose: build useful security tools.

Examples:

• report generator
• recon note organizer
• scope parser
• screenshot/evidence manager
• HTTP request logger
• bug bounty tracker
• lab writeup template generator
• security checklist CLI
• remediation mapping tool
• personal methodology dashboard

8. Cybersecurity GitHub Strategy

Cybersecurity GitHub must be handled carefully.

Do not publish anything that exposes real targets, private data, credentials, unauthorized exploit details, or active exploitation of real systems.

Good cybersecurity GitHub content includes:

• lab writeups where allowed
• methodology notes
• defensive checklists
• scripts for personal labs
• report templates
• learning notes
• remediation guides
• tool documentation
• vulnerable toy apps built for education
• CTF/lab-only examples
• security research notes
• threat models

Repository categories:

1. cybersecurity-foundations
2. linux-security-lab
3. networking-security-lab
4. web-security-lab
5. portswigger-lab-notes
6. htb-academy-notes
7. htb-box-writeups
8. pentest-methodology
9. vulnerability-report-templates
10. bug-bounty-tracker
11. security-tools-lab
12. defensive-security-notes

Each repo should include:

• scope disclaimer
• ethical-use notice
• README
• source references
• lab-only warning
• methodology
• notes
• remediation
• lessons learned

The GitHub goal is:

    Make cybersecurity growth visible without creating harm.

9. How Cybersecurity Connects to the

Other Domains Cybersecurity is not isolated.

It strengthens and depends on the rest of the master plan.

Software Development Cybersecurity improves:

• secure coding
• authentication design
• authorization design
• API safety
• input validation
• deployment hardening
• logging
• dependency management
• threat modeling AI Cybersecurity connects to:

●​ prompt injection ●​ AI agent tool security ●​ data leakage ●​ model abuse ●​ RAG poisoning ●​ AI evals for safety ●​ AI-assisted security tooling ●​ securing AI applications

Operating Systems and Low-Level Programming Cybersecurity depends on:

●​ Linux ●​ Windows internals ●​ processes ●​ permissions ●​ memory ●​ filesystems ●​ networking ●​ C ●​ Rust ●​ exploit concepts ●​ malware analysis later

EEE and Hardware Cybersecurity connects to:

●​ embedded security ●​ IoT security ●​ firmware analysis ●​ side-channel concepts ●​ hardware hacking ●​ device interfaces ●​ physical attack surfaces

Mathematics Cybersecurity uses:

• logic
• graph theory
• probability
• statistics
• modular arithmetic
• cryptography
• algorithms
• complexity

Philosophy Cybersecurity raises questions of:

• ethics
• privacy
• consent
• harm
• responsibility
• power
• trust
• surveillance
• digital rights

Research and Writing Cybersecurity requires:

• careful documentation
• vulnerability reports
• reproducibility
• evidence
• responsible disclosure
• technical explanation
• risk communication

10. How AI Should Be Used in

Cybersecurity AI can help security learning and practice, but it must be used carefully.

Cybersecurity is dual-use, so AI must not be used to bypass ethical boundaries, scale harm, or attack unauthorized systems.

Correct AI Use Use AI to:

• explain concepts
• quiz you
• help write lab notes
• review authorized lab writeups
• create defensive checklists
• summarize OWASP topics
• help structure reports
• help write remediation advice
• analyze your own code for security issues
• generate safe practice exercises
• explain logs from your own lab
• help build ethical security tools
• help threat-model your own applications

Incorrect AI Use Do not use AI to:

• attack unauthorized systems
• generate malware
• steal credentials
• evade detection
• automate abuse
• bypass rate limits
• exploit real targets outside scope
• exfiltrate data
• write phishing kits
• hide activity
• produce destructive instructions

The AI Cybersecurity Rule

AI may support authorized learning and defensive/offensive lab work, but it must never expand activity beyond legal scope.

For every AI-assisted cybersecurity task:

1. Confirm authorization.
2. State the environment.
3. State the goal.
4. Keep the activity lab-safe or in-scope.
5. Ask for explanation, review, or defensive framing.
6. Avoid unnecessary exploitation detail for real systems.
7. Document ethical boundaries.
8. Include remediation.

11. Common Cybersecurity Traps

Trap 1 — Tool Addiction Running tools without understanding output creates shallow skill.

Rule:

    Every tool output must be interpreted.

Trap 2 — Skipping Fundamentals Weak Linux, networking, and web knowledge will block everything.

Rule:

    Foundations before exploitation.

Trap 3 — Writeup Copying Following writeups step-by-step does not create methodology.

Rule:

    Try independently before reading writeups.

Trap 4 — No Notes Without notes, every box becomes isolated memory.

Rule:

    Notes are part of the exploit chain.

Trap 5 — Ignoring Reporting Finding a vulnerability is not enough.

Rule:

    Every finding needs impact and remediation.

Trap 6 — Reckless Scope Behavior Curiosity without authorization is dangerous.

Rule:

    Scope is law.

Trap 7 — Certificate Tunnel Vision CPTS and OSCP are useful, but they are not the whole field.

Rule:

    Certifications are checkpoints, not identity.

Trap 8 — Offensive Ego Security skill can inflate ego.

Rule:

    The goal is safer systems, not personal superiority.

12. First 25 Serious Cybersecurity

Artifacts These are the first serious cybersecurity artifacts to create.

Artifact 1 — Cybersecurity Ethics and Scope Policy A personal code of conduct defining authorization, scope, responsible disclosure, and stopping rules.

Artifact 2 — Security Lab Setup Manual VMs, network isolation, snapshots, tooling, and safe lab practices.

Artifact 3 — Linux Security Foundations Notebook Users, groups, permissions, processes, services, logs, and shell usage.

Artifact 4 — Networking Security Notebook TCP/IP, DNS, HTTP, TLS, ports, packet captures, and troubleshooting.

Artifact 5 — Python/Bash Security Utilities Repo Small scripts for lab automation, parsing, note organization, and report support.

Artifact 6 — Web Security Foundations Notebook HTTP, sessions, auth, APIs, CORS, cookies, browser security, and SQL basics. Artifact 7 — OWASP Top 10 2025 Notes A structured study archive of critical web application risks and their remediations.

Artifact 8 — OWASP WSTG Testing Checklist A practical checklist derived from OWASP WSTG for authorized web testing.

Artifact 9 — PortSwigger Lab Writeup Archive Lab notes grouped by vulnerability class with root cause and remediation.

Artifact 10 — Enumeration Methodology Playbook A repeatable methodology for authorized lab and pentest enumeration.

Artifact 11 — HTB Academy Penetration Tester Tracker Module progress, notes, checklists, weak areas, and CPTS readiness mapping.

Artifact 12 — HTB Box Writeup Archive Authorized lab writeups with enumeration, attack path, root cause, and remediation.

Artifact 13 — Privilege Escalation Notebook Linux and Windows privilege escalation concepts practiced only in labs.

Artifact 14 — Active Directory Fundamentals Notebook Domain concepts, Kerberos/NTLM basics, attack-path mapping, and defensive notes.

Artifact 15 — CPTS Readiness Portfolio Methodology, practice reports, checklists, weak-area review, and evidence of readiness.

Artifact 16 — OSCP/PEN-200 Preparation Portfolio PEN-200 notes, lab writeups, AD practice, report templates, and exam workflow.

Artifact 17 — Vulnerability Report Template Pack Professional templates for technical findings, executive summaries, and remediation.

Artifact 18 — Evidence Handling and Redaction Guide A guide for screenshots, logs, sensitive data minimization, and report-safe evidence.

Artifact 19 — Bug Bounty Scope Analysis Template A template for reviewing program scope, exclusions, safe harbor, and testing limits.

Artifact 20 — Bug Bounty Finding Tracker A private tracker for authorized findings, duplicates, triage status, and lessons learned.

Artifact 21 — Defensive Remediation Guide A mapping between vulnerability classes, root causes, and secure fixes.

Artifact 22 — MITRE ATT&CK Concept Map A visual map of tactics, techniques, and how they relate to lab findings and defenses.

Artifact 23 — NIST CSF 2.0 Security Governance Notes Govern, Identify, Protect, Detect, Respond, and Recover mapped to practical examples.

Artifact 24 — Security Tooling Lab Personal tools for note-taking, report generation, checklist generation, and safe lab automation.

Artifact 25 — Cybersecurity Case Study Portfolio Long-form case studies of authorized lab or bounty work, written with professional structure and ethical boundaries.

13. When to Move Forward

Do not move forward because a tool ran successfully.

Move forward when skill is visible.

Move past ethics and scope when:

• authorization rules are written and followed
• scope is checked before testing
• responsible disclosure is understood
• lab and real-world boundaries are clear

Move past Linux foundations when:

• terminal work is comfortable
• permissions are understood
• logs and processes are readable
• VMs and snapshots are managed safely

Move past networking when:

• common protocols are understood
• packet captures can be interpreted
• DNS/HTTP/TCP basics are clear
• subnetting is usable

Move past web foundations when:

• HTTP traffic can be inspected
• cookies and sessions are understood
• authn/authz distinction is clear
• browser security concepts are known

Move past web security basics when:

• OWASP categories are understandable
• PortSwigger labs are solved with root-cause explanations
• remediation can be written
• vulnerabilities are connected to developer mistakes

Move past enumeration basics when:

• methodology is systematic
• notes are clean
• services are investigated deeply
• attack paths are mapped

Move past exploitation basics when:

• lab exploitation is understood conceptually
• evidence is minimal and safe
• impact and remediation are included
• root cause is explained

Move past privilege escalation when:

• Linux/Windows escalation concepts are understood
• lab paths can be explained
• defensive fixes are documented

Move into Active Directory when:

• networking, Windows basics, enumeration, and privilege escalation are strong enough
• identity and trust relationships are understood

Move into CPTS attempt when:

• HTB Academy Penetration Tester path is completed
• methodology is stable
• practice reports are strong
• weak areas are reviewed

Move into OSCP attempt when:

• PEN-200/lab performance is consistent
• reporting under pressure is practiced
• AD and privilege escalation are reliable
• time management has been tested Move into bug bounty when:

●​ scope discipline is strong ●​ reports are professional ●​ web security labs are substantial ●​ testing remains controlled and respectful ●​ duplicate and triage frustration can be handled calmly

14. The Cybersecurity Standard

The final standard for this domain is:

I can legally and ethically assess systems, understand their attack surface, enumerate carefully, identify weaknesses, validate impact safely, document evidence professionally, explain root cause, recommend remediation, and use offensive knowledge to improve defense.

Cybersecurity is not about destruction.

It is about disciplined truth.

It reveals where systems lie about being safe.

It teaches humility because every system has assumptions.

It strengthens software development because it shows how code fails.

It strengthens AI engineering because agents and models introduce new attack surfaces.

It strengthens operating-system knowledge because real attacks often depend on permissions, processes, memory, and misconfiguration.

It strengthens writing because a finding that cannot be explained may not be fixed.

The goal is not to become feared.

The goal is to become trusted.