Top 10 Free Websites to Learn Ethical Hacking

The best free resources combine safe, legal attack ranges with guided tutorials, so you learn both how to find vulnerabilities and how to defend systems in real scenarios; use them to build a portfolio of reports, lab write‑ups, and mini‑postmortems.

1) TryHackMe

Guided, browser‑based labs from beginner to advanced with step‑by‑step rooms covering web, network, privilege escalation, and blue‑team paths; strong for structured daily practice and CTFs in safe sandboxes.
How to use: follow “Complete Beginner” then a job‑aligned path (Offensive/Blue/Cloud) and publish concise walkthroughs focusing on methodology and mitigations.

2) Hack The Box

Hands‑on hacking labs and machines with realistic attack surfaces, including beginner “Starting Point,” retired boxes with write‑ups, and skill assessments; great for progressing from fundamentals to real exploit chains.
How to use: clear “Tier 0–1” machines first, then one active box weekly; keep notes, payloads, and privilege‑escalation checklists.

3) Hack This Site

Classic, free wargames with missions on web vulns, realistic app logic, and crypto challenges; useful to sharpen reasoning and input‑validation instincts.
How to use: complete basic and realistic missions, then write short reports explaining root cause and secure fixes.

4) OverTheWire

Unix‑focused wargames (Bandit, Natas) that build core shell, networking, and web exploitation fluency; perfect for absolute fundamentals that transfer to every tool.
How to use: solve Bandit end‑to‑end, keep a command journal, and summarize lessons in a “Linux privilege and files” cheat sheet.

5) PortSwigger Web Security Academy

Free, world‑class labs on OWASP‑style web vulns with interactive payloads and detailed write‑ups; essential for AppSec and bug bounty readiness.
How to use: complete all “Apprentice” then “Practitioner” labs; maintain a payload notebook and map each vuln to a defense.

6) Google Gruyere (Web Security Lab)

A deliberately vulnerable web app for learning common flaws (XSS, CSRF, auth issues) with clear tutorials; great first web‑security sandbox.
How to use: exploit each vulnerability and then patch it locally, documenting both the attack and the fix.

7) OWASP Juice Shop

Open‑source intentionally vulnerable app with gamified scoreboard; covers modern web vulns end‑to‑end and supports secure coding practice.
How to use: run locally in Docker, complete challenges, then harden routes and add security headers; submit a mini “secure coding” report.

8) Cisco Networking Academy (Intro courses)

Free foundational security and networking modules (intro to cybersecurity, essentials) that build a defender mindset and terminology for SOC/blue‑team roles.
How to use: finish an intro module, capture key concepts (CIA triad, IAM, logging), and set up a home lab for packet captures.

9) Cybrary (free tier)

Rotating free courses and intro labs across ethical hacking, blue team, and certification basics; good for sampling domains before deeper dives.
How to use: pick a short path (e.g., Pentest or SOC), complete one lab weekly, and track takeaways and commands in a shared notes repo.

10) SANS Holiday Hack Challenge (annual, free)

A high‑quality seasonal CTF with story‑driven challenges across web, forensics, and cloud; superb learning from world‑class write‑ups.
How to use: join during the event, team up in Discord, and publish a post‑event write‑up to demonstrate collaboration and problem‑solving.

How to study effectively (4‑week plan)

  • Week 1: OverTheWire Bandit + PortSwigger Apprentice labs; publish notes and payloads.
  • Week 2: TryHackMe “Complete Beginner” rooms + Juice Shop basics; write a secure‑coding checklist.
  • Week 3: One HTB Starting Point box + PortSwigger Practitioner labs; create a report template (finding → impact → repro → fix).
  • Week 4: Small home‑lab drill: spin up a vulnerable app, find two issues, patch them, and record a 3–5 minute demo with before/after.

Ethics and safety checklist

  • Only test in legal labs or systems you own/have written permission to assess.
  • Never exfiltrate real data; practice responsible disclosure norms and keep PII out of notes.
  • Document mitigations alongside exploits to build a defender mindset that employers value.

Using these free platforms with a disciplined weekly cadence will build real skills, a credible portfolio, and clear stories for internships in pentesting, AppSec, and SOC roles.
