// Security Resources
A curated collection of the best platforms, tools, and references for learning cybersecurity — vetted by the community.
01 // Practice Platforms
ASU's structured binary exploitation and system security curriculum. Covers the full path from Linux basics to kernel exploitation. Designed for university students but open to all.
Industry-standard platform with realistic vulnerable machines, Pro Labs, and Battlegrounds. Completing machines here is respected on CVs. Active machines require a VPN connection.
Browser-based guided learning with structured paths covering pentesting, web hacking, SOC analysis, and more. The most beginner-friendly hands-on platform. No local Kali needed to start.
Classic text-based wargames. Bandit (start here!) teaches Linux command-line fundamentals via SSH puzzles. Natas covers web security. Leviathan, Krypton, and more for every level.
The gold standard for web application security. Made by the creators of Burp Suite. 100% free, covering XSS, SQLi, SSRF, IDOR, authentication flaws, and every OWASP Top 10 category with interactive labs.
Practical web application security exercises from beginner to expert. Covers JWT attacks, code review, SQL injection, and more. A Pro subscription unlocks all content; many free exercises available.
Download and run vulnerable virtual machines locally. No subscription needed — just VirtualBox or VMware. Great for offline practice and building a home lab environment.
Over 400 challenges organized by category: web, network, cryptography, steganography, forensics, scripting. French-origin platform with a strong international community.
Dedicated cryptography learning platform. Covers AES, RSA, elliptic curves, hash functions, and more through interactive Python challenges. The best crypto-specific resource available for free.
Free web security education from HackerOne — the world's largest bug bounty platform. Complete CTF challenges to earn invites to private bug bounty programs and start making real money.
02 // CTF Competitions
Carnegie Mellon University's beginner-focused CTF competition. Runs annually and keeps past challenges accessible year-round via picoGym. The single best starting point for CTFs.
The definitive calendar and archive for CTF competitions worldwide. Browse upcoming events, read past writeups, and track team rankings. Bookmark this and check it weekly.
A semester-long CTF competition for US college students covering 9 security domains. Produces a Scouting Report (skill analysis) that employers and internship programs actively seek out.
One of the largest and longest-running academic CTF competitions, run by NYU. Separate beginner and advanced divisions. Great stepping stone between picoCTF and HackTheBox-level challenges.
Annual Google-hosted CTF with elite-level challenges. Past challenges stay accessible for practice. Even if the live competition is beyond you now, the archived problems are a goldmine to study.
Comprehensive community wiki covering every CTF category in depth: pwn, web, crypto, reverse engineering, forensics, and misc. Essential reference when you're stuck on a challenge type.
03 // Learning Platforms & Courses
Practical, no-fluff courses by Heath Adams ("The Cyber Mentor"). Covers Practical Ethical Hacking, OSINT, web app, Active Directory, and more. Best value for money in the industry.
Large library of free and paid cybersecurity courses, career paths, and assessments. Good for CompTIA cert prep, threat hunting, SOC analyst training, and structured career paths.
Home of the eJPT (eLearnSecurity Junior Penetration Tester) — one of the best entry-level hands-on certifications with a free Starter Pass. Their practical labs are excellent for network pentesting.
Completely free, high-quality video courses for CompTIA A+, Network+, and Security+. The go-to resource for cert prep. Millions of students have passed their exams using his materials.
The most respected name in professional security training. Courses lead to GIAC certifications. Very expensive (~$5K/course) but often covered by employers. Look for work study programs and scholarships.
Google's entry-level certificate on Coursera. Covers foundations, network security, SQL, Python, Linux, and SIEM tools. Designed for career changers with no prior experience. Financial aid available.
04 // Tools & References
Curated list of Unix binaries that can be exploited to bypass local security restrictions. Essential for Linux privilege escalation during CTFs and real engagements. Search for any binary you find with SUID set.
Living Off the Land Binaries and Scripts — the Windows equivalent of GTFOBins. Documents native Windows binaries that attackers can abuse to execute code, download files, and bypass defenses.
The most comprehensive pentesting methodology wiki available. Covers every attack technique, exploitation path, and tool usage. When you're stuck on a machine or challenge, check HackTricks first.
Public archive of exploits and vulnerable software maintained by Offensive Security. Use searchsploit on Kali to search locally. Always check here after finding a software version.
GCHQ's "Swiss Army Knife" for data manipulation. Encode/decode base64, hex, XOR, rotate ciphers, extract strings, analyze files — all in a browser-based drag-and-drop interface. Invaluable for CTF crypto challenges.
Scan files and URLs against 70+ antivirus engines and threat intelligence feeds. Used by security researchers to analyze suspicious files. Also great for understanding malware behavior via sandbox reports.
Search engine for internet-connected devices. Find exposed webcams, databases, industrial control systems, and servers by banner, port, or location. The go-to OSINT tool for passive reconnaissance.
Open Web Application Security Project — the nonprofit that defines web security standards worldwide. Home of the OWASP Top 10 (must-know vulnerabilities), WSTG (testing guide), and dozens of free tools.
Search engine for IppSec's HackTheBox video walkthroughs by technique. Type a tool or attack (e.g., "buffer overflow", "kerbrute") and jump to the exact timestamp where it's demonstrated.
Reverse shell generator for every language and platform — bash, Python, PHP, PowerShell, and more. Enter your IP and port, select the shell type, and copy the payload. Indispensable for CTFs.
05 // YouTube Channels Worth Following
CTF walkthroughs, malware analysis, and career advice. His beginner-friendly explanations make complex topics accessible. One of the most respected voices in the security community. Start here.
Methodical, in-depth HackTheBox walkthroughs. Watching IppSec is how most people level up their pentesting methodology. He narrates his thought process, not just the commands — that's the real value.
Deep dives into binary exploitation, web hacking, and browser security research. Some of the best low-level security content on the internet. His "How to Get Into CTFs" series is required viewing.
Heath Adams covers practical ethical hacking, AD attacks, OSCP prep, and career advice. His full Practical Ethical Hacking course is partially available free on YouTube. Direct, no-BS teaching style.
High-energy tutorials on networking, hacking, Linux, Python, and cloud. Great for absolute beginners who want an entertaining intro to concepts before going deeper. Excellent for visualizing how networks work.
Networking fundamentals, Python for network engineers, ethical hacking, and cert prep (CCNA, CompTIA). Long-form interview content with industry experts. Great for understanding the networking side of security.
06 // Certification Roadmap
Certifications signal your knowledge to employers. Here's a common progression path — you don't need all of them, just the ones relevant to your target role.
Entry Level — Start Here
Intermediate — Pick Your Path
Advanced — Industry Prestige
07 // Communities & News
Technical security news and research. High-quality discussion and link sharing. Also check r/cybersecurity (news), r/AskNetsec (Q&A), and r/HowToHack (beginner questions).
Active community of learners across all skill levels. Good for getting unstuck, finding study partners, and networking. Also check the HackTheBox and TCM Security Discord servers.
Leading cybersecurity news publication covering threat intelligence, vulnerabilities, breaches, and industry trends. Reading security news keeps you aware of real-world threats and builds professional context.
Investigative cybersecurity journalism by Brian Krebs. Deep reporting on data breaches, cybercrime, and the underground economy. Reading Krebs gives you real-world context that no course can provide.