A strong path combines structured lessons, hands‑on labs, and CTFs: start with guided platforms, graduate to real‑world lab machines, and validate skills with a respected certification when ready.
Beginner‑friendly, guided learning
- TryHackMe: step‑by‑step rooms, learning paths (Pre‑Security, Jr Penetration Tester, SOC Level 1), browser‑based VMs, and write‑ups to build habits.
- Cisco Networking Academy (Ethical Hacker): free fundamentals from a reputable provider; solid for early theory before labs.
- Coursera/edX tracks: university‑backed courses for structured foundations and graded projects; good complement to labs.
Hands‑on labs and real attack surfaces
- Hack The Box: realistic boxes, Pro Labs, Starting Point and Academy paths; ideal once basics are in place for building problem‑solving and manual enumeration skills.
- PortSwigger Web Security Academy: best free resource for web vulns (XSS, SQLi, SSRF, OAuth, deserialization) with interactive labs and progressive difficulty.
- OverTheWire and picoCTF: wargames and CTFs to sharpen Linux, crypto, and forensics fundamentals in short, addictive challenges.
Deep‑dive and certification providers
- OffSec, formerly Offensive Security (PWK/OSCP): rigorous pen‑test training with a VPN‑accessed lab, a 24‑hour proctored exam, and a required written report; a top hiring signal when paired with solid notes and reporting habits.
- SANS Institute (SEC560 + GIAC): premium, instructor‑led courses and gold‑standard certs; best if employer‑funded or for senior upskilling.
All‑round cyber training hubs
- Cybrary and StationX: curated paths across blue/red/purple teams, labs, and exam prep for CEH/CompTIA Security+/PenTest+; good for a broad survey before specializing.
- INE (formerly eLearnSecurity): practical, exam‑style labs and certs (eJPT, eWPT, eWPTX, etc.) with a strong web/appsec focus at reasonable cost. Altered Security is a separate provider whose labs and certs (CRTP, CRTE) focus on Active Directory attacks; worth a look once the basics are in place.
Free options to start today
- PortSwigger labs for web, TryHackMe free rooms, picoCTF challenges, and selected Coursera audit tracks; assemble a weekly plan with one lab/day.
- Community lists often bundle multiple free platforms and starting tips for a zero‑cost first month.
Safety and legality
- Only test in authorized labs or with explicit written permission that names the systems and scope; follow platform rules and local laws strictly.
- Keep attack tooling off daily‑driver systems: run it in a dedicated VM (with a clean snapshot to roll back to), connect to lab networks over the platform's VPN from inside that VM rather than from the host, and never execute untrusted payloads or downloaded binaries outside the lab VM.
8‑week roadmap
- Weeks 1–2: Linux, networking, and web basics; TryHackMe Pre‑Security + PortSwigger fundamentals; maintain notes and commands.
- Weeks 3–4: TryHackMe Jr PenTester path + 10 PortSwigger labs (auth, sessions, IDOR); start simple HTB “Starting Point.”
- Weeks 5–6: Move to HTB Easy/Medium boxes; do one weekly write‑up; dabble in picoCTF for forensics/crypto variety.
- Weeks 7–8: Pick a focus (web/appsec or net/pentest); complete a mini‑project (Burp automation, recon script); evaluate a beginner cert path (eJPT/CEH) before OSCP.
Portfolio and signal
- Publish redacted write‑ups, methodology notes, and a small tool or script; add a short threat‑model section to each write‑up and present findings the way a responsible‑disclosure report would (impact, reproduction steps, remediation).
- Map labs to skills in your resume (e.g., “IDOR → access control testing,” “SSRF → cloud metadata exposure”) and link to sanitized notes.
Bottom line: start with TryHackMe and PortSwigger for guided, safe fundamentals, graduate to Hack The Box and wargames for realism, and aim for OSCP or a practical exam once you can consistently solve Medium‑level labs; keep everything legal, documented, and portfolio‑ready.