You're stuck in IT Support making $40k, watching YouTube videos about hacking, dreaming of breaking into cybersecurity. You've tried courses, certifications, and tutorials, but nothing connects the dots.
This roadmap changes everything.
This isn't another "learn cybersecurity" guide. This is the definitive path from complete beginner to Principal Security Engineer: the same path that took me from fixing printers to leading red teams at Fortune 500 companies.
Every vulnerability. Every tool. Every technique. Every resource.
Curated. Organized. Battle-tested.
Not theory. Practice. Every topic links to:
- The best YouTube tutorials (not random videos, but the ones that actually teach)
- Free CTF challenges that test exactly what you're learning
- Hands-on labs from PortSwigger, TryHackMe, HackTheBox
- Quality resources vetted by working professionals
No more scrolling through walls of text. Every concept is organized in tables with:
- What it is (clear description)
- Best tutorial (the video that actually explains it)
- Practice lab (where to test your skills)
- Real-world application (why it matters)
Completely overhauled for 2025:
- ✅ Modern attack techniques (HTTP Request Smuggling, Cache Poisoning) and AI-augmented pentesting
- ✅ Updated OWASP Top 10
- ✅ Cloud security (AWS, Azure, GCP)
- ✅ AI-driven penetration testing frameworks
- ✅ Zero-day research methodologies
- ✅ New Principal level for industry leaders
Before moving to the next vulnerability, master these 4 aspects:
- Find - How do you discover it (what does the vulnerable code or behaviour look like)?
- Exploit - How do you exploit it (what payload turns the flaw into impact)?
- Fix - What are the modern fixes, and why do they work?
- Bypass - How do you bypass weak or partial mitigations, so you can tell a real fix from a filter?
This framework alone will make you better than 90% of pentesters.
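As an added worked example (not part of the original roadmap or any project it links to), here are the four aspects applied to SQL injection, one of the OWASP Top 10 flaws the web track covers. The in-memory SQLite database, the two users, the blocklist "fix" and the payloads are all constructed for illustration; the point is to see a weak mitigation get bypassed and a real one hold.

```python
import sqlite3


# Constructed demo database: two users, plaintext passwords purely for illustration.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """FIND: user input is pasted straight into the SQL string.
    EXPLOIT: password = "' OR '1'='1" turns the WHERE clause into
    (username = ... AND password = '') OR '1'='1', which matches every row."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_weak_fix(conn, username, password):
    """FIX (weak): a case-sensitive blocklist that strips ' OR '.
    It stops the textbook payload but not trivial variants of it."""
    username = username.replace(" OR ", "")
    password = password.replace(" OR ", "")
    return login_vulnerable(conn, username, password)


def login_fixed(conn, username, password):
    """FIX (correct): parameterised query; input is data, never SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


# Classic payload, and the BYPASS for the weak filter: SQL keywords are
# case-insensitive, so a lowercase 'or' slips past the blocklist unchanged.
PAYLOAD = "' OR '1'='1"
BYPASS_PAYLOAD = "' or '1'='1"


def walkthrough():
    """Run the four aspects and return which users each step logs in as."""
    conn = setup_db()
    return {
        "legit": login_vulnerable(conn, "alice", "s3cret"),
        "exploit": login_vulnerable(conn, "alice", PAYLOAD),
        "weak_fix_blocks": login_weak_fix(conn, "alice", PAYLOAD),
        "weak_fix_bypassed": login_weak_fix(conn, "alice", BYPASS_PAYLOAD),
        "fixed": login_fixed(conn, "alice", BYPASS_PAYLOAD),
    }


if __name__ == "__main__":
    for step, users in walkthrough().items():
        print(f"{step:18} -> {users}")
```

Running it shows the exploit returning both users, the blocklist stopping only the exact payload it was written against, and the parameterised query returning nothing for any payload. That last contrast is the whole reason the Bypass step exists: a filter that blocks today's proof-of-concept is not a fix.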
| Level | Role | Salary Range | Timeline | Focus |
|---|---|---|---|---|
| x00: Clueless | IT Support Specialist | $30k - $45k | 6-12 months | Hardware, OS, Networking fundamentals |
| x01: Newbie | Associate Pentester | $50k - $80k | 12-18 months | 80% Web App Security - OWASP Top 10 mastery |
| x02: Associate | Junior Pentester | $80k - $90k | 18-24 months | The Big 4: Web, Network, Binary, Mobile |
| x03: Mid-Level | Security Consultant | $95k - $120k | 2-3 years | Cloud security, advanced exploitation, specialization |
| x04: Senior | Senior Security Engineer | $120k - $150k | 3-5 years | Research, conferences, advanced techniques |
| x05: Principal | Principal/Architect | $150k - $250k+ | 5-10 years | Leadership, zero-day research, industry shaping |
→ Start at x00_Clueless - Master IT fundamentals first.
→ Jump to x01_Newbie - This is where the real hacking begins.
→ Find your level and level up. Each level builds on the previous.
Web application security:
- OWASP Top 10 (2021) - Every vulnerability, every bypass
- Modern attacks: HTTP Request Smuggling, Cache Poisoning, SSRF, SSTI
- Burp Suite mastery: Proxy, Repeater, Intruder, Scanner
- Authentication bypasses, authorization flaws, session hijacking
- Practice: 50+ PortSwigger labs, TryHackMe web path
Binary exploitation:
- Stack overflows, heap exploitation, ROP chains
- Bypassing DEP, ASLR, Stack Canaries, CFI
- Reverse engineering with Ghidra, IDA Pro, Binary Ninja
- Exploit development from scratch
- Practice: pwnable.kr, Exploit Education, ROP Emporium
Mobile security:
- Android/iOS app assessment
- Frida dynamic analysis
- OWASP Mobile Top 10
- Jailbreaking/rooting for security testing
- Practice: Mobile security labs, vulnerable apps
Cloud security:
- AWS, Azure, GCP security assessment
- IAM misconfigurations, S3 bucket vulnerabilities
- Container security (Docker, Kubernetes)
- Serverless security (Lambda, Functions)
- Practice: flaws.cloud, CloudGoat, AzureGoat
AI-augmented pentesting:
- LLM-driven autonomous pentesting
- AI-powered fuzzing and vulnerability discovery
- Adversarial AI and ML model security
- Practice: RapidPen, PenTest++, custom AI agents
Zero-day research:
- Vulnerability discovery methodologies
- Exploit development and weaponization
- Responsible disclosure and CVE assignment
- Practice: Bug bounty programs, research projects
| Category | Tools | Why It Matters |
|---|---|---|
| Web Testing | Burp Suite, OWASP ZAP, SQLmap, WPScan | 80% of pentesting work is web apps |
| Network Testing | Nmap, Metasploit, Wireshark, Netcat | Network security is foundational |
| Binary Analysis | Ghidra, IDA Pro, Binary Ninja, GDB | Reverse engineering is advanced |
| Mobile Testing | Frida, MobSF, APKTool, jadx | Mobile apps are everywhere |
| Cloud Security | Scout Suite, Prowler, CloudSploit | Cloud is the future |
| Password Cracking | Hashcat, John the Ripper | Still relevant in 2025 |
| Certification | Level | Why Get It | Cost |
|---|---|---|---|
| CompTIA Security+ | Entry | HR filter, foundational knowledge | ~$370 |
| CompTIA PenTest+ | Entry | General pentesting overview | ~$392 |
| eJPT | Entry | Practical, hands-on, affordable | ~$200 |
| OSCP | Associate | The gold standard, hands-on | ~$1,499 |
| OSEP | Mid-Level | Evasion and breaching defenses (PEN-300), Active Directory focus | ~$1,499 |
| GXPN | Senior | Exploit research and advanced pentesting | ~$7,000 with the SANS SEC660 course; the exam alone is much cheaper |
| OSEE | Principal | Advanced Windows Exploitation (EXP-401), the hardest OffSec cert | Live AWE training only; priced well above the self-paced OffSec courses |
Prices change every year, so check the vendor sites before budgeting.
Pro Tip: Don't collect certifications like Pokémon. Get them strategically based on your career goals.
| Platform | Best For | Cost | Why Use It |
|---|---|---|---|
| PortSwigger Web Security Academy | Web app security | FREE | Best web security labs, created by PortSwigger, the makers of Burp Suite |
| TryHackMe | Beginners | Free + Premium | Guided learning paths, beginner-friendly |
| HackTheBox | Intermediate/Advanced | Free + Premium | Realistic machines, active community |
| pwnable.kr | Binary exploitation | FREE | Best binary exploitation challenges |
| Exploit Education | Binary exploitation | FREE | Phoenix, Nebula, Fusion challenges |
| PentesterLab | Web application security | Free + Pro | Hands-on web security exercises and challenges; most content needs the Pro subscription |
Level 0 (Clueless): $30k → Level 1 (Newbie): $50k (+67%)
Level 1 (Newbie): $50k → Level 2 (Associate): $80k (+60%)
Level 2 (Associate): $80k → Level 3 (Mid-Level): $100k (+25%)
Level 3 (Mid-Level): $100k → Level 4 (Senior): $135k (+35%)
Level 4 (Senior): $135k → Level 5 (Principal): $200k (+48%)
Total Career Growth: $30k → $200k+ (567% increase)
This isn't just a roadmap. It's a career transformation.
Before: IT Support Specialist, $40k/year, fixing printers, bored
After: Principal Security Engineer, $200k+/year, leading red teams, speaking at DEF CON
The difference?
✅ Following a structured path instead of random tutorials
✅ Focusing on what matters (80% web app security)
✅ Practicing on real labs, not just watching videos
✅ Building a portfolio that proves your skills
- Find Your Level - Be honest about where you are
- Master Each Topic - Use the Find/Exploit/Fix/Bypass framework
- Practice Relentlessly - Complete the labs, solve the CTFs
- Build a Portfolio - Document your journey, write-ups, tools
- Level Up - Move to the next level only when you've mastered the current one
Pro Tip: Don't skip levels. Each builds on the previous. Mastery > Speed.
I spent 5 years figuring this out the hard way. Random tutorials. Scattered resources. No clear path. I made every mistake possible.
You don't have to.
This roadmap is everything I wish I had when I started. Every resource vetted. Every path tested. Every link verified.
Use it. Master it. Own it.
Found a broken link? Know a better resource? Want to add something?
Pull requests welcome. This roadmap is a living document, constantly improving.
- ✅ Completely overhauled with modern 2025 content
- ✅ Organized tables for every topic
- ✅ Curated resources - only the best tutorials and labs
- ✅ Direct links to YouTube videos, CTF challenges, practice platforms
- ✅ New Principal level for industry leaders
- ✅ AI-augmented pentesting section
- ✅ Cloud security deep dive
- ✅ Zero-day research methodologies
- Start at Level 0 if you're new to IT
- Jump to Level 1 if you're already in IT Support
- Find Your Level if you're already a pentester
Built by hackers. For hackers. With ❤️
Last Updated: January 2025
Contributors: [Your Name Here]
Issues: Report Issues
This project is licensed under the MIT License - see the LICENSE file for details.
From Zero to Hero. From $30k to $250k+. One Roadmap.
