Discover / Reading path

How to learn Cybersecurity

@readingsherpaNew to it → Going deep
11
Books
~116
Hours
4
Stages
Not yet rated

This curriculum takes you from zero cybersecurity knowledge to professional-level mastery across four carefully sequenced stages. Each stage builds on the mental models of the previous one — starting with how attackers and defenders think, moving through technical fundamentals, then hands-on offensive and defensive skills, and finally reaching the strategic and cutting-edge depth that separates practitioners from experts.

1

Foundations: Mindset & Mental Models

New to it

Understand how attackers think, why security failures happen, and develop the core vocabulary and intuition needed for everything that follows — without needing a technical background.

Study plan for this stage

Pace: 10–12 weeks total, reading ~20–25 pages/day. Week 1–3: "The Art of Invisibility" (sets the attacker-awareness mindset through real privacy failures). Week 4–6: "Cybersecurity for Beginners" (builds structured vocabulary and conceptual frameworks). Week 7–10: "The Art of Deception" (deepens attacker

Key concepts
  • Attacker mindset: thinking offensively to understand defensive needs — introduced through Mitnick's real-world privacy exploits in The Art of Invisibility
  • Digital footprint & privacy hygiene: how everyday actions (email, browsing, payments) leave exploitable traces, per The Art of Invisibility
  • Core security vocabulary: confidentiality, integrity, availability (CIA triad), threats, vulnerabilities, risk, and controls — systematically defined in Cybersecurity for Beginners
  • Threat actors & motivations: distinguishing nation-states, criminals, hacktivists, and insiders, as categorized in Cybersecurity for Beginners
  • The human as the weakest link: why people, not technology, are most frequently exploited — the central thesis of The Art of Deception
  • Social engineering mechanics: pretexting, impersonation, phishing, and manipulation tactics dissected through Mitnick's case studies in The Art of Deception
  • Security as a process, not a product: the idea (reinforced across all three books) that security is ongoing behavior, culture, and decision-making — not a one-time technical fix
  • Trust and verification: how attackers exploit assumed trust relationships, and why zero-trust thinking is a foundational mental model
You should be able to answer
  • After reading The Art of Invisibility, can you identify at least five ways your daily digital behavior creates exploitable information about you — and what an attacker could do with each?
  • Using the vocabulary established in Cybersecurity for Beginners, how would you explain the difference between a threat, a vulnerability, and a risk to someone with no technical background?
  • What are the three pillars of the CIA triad, and can you give a real-world example of each being violated, drawing on scenarios from any of the three books?
  • From The Art of Deception, what psychological principles (e.g., authority, urgency, social proof) do social engineers exploit, and why are technical controls alone insufficient to stop them?
  • How do the threat actor categories described in Cybersecurity for Beginners map to the real attackers and techniques portrayed in Mitnick's two books?
  • Across all three books, what consistent pattern explains why security failures happen — and what does that pattern suggest about where defenses should be focused?
Practice
  • Digital footprint audit: Google yourself, check HaveIBeenPwned.com, and review app permissions on your phone. Document what an attacker could learn about you from open sources alone — directly applying the privacy lens from The Art of Invisibility.
  • Vocabulary flashcard deck: As you read Cybersecurity for Beginners, create a flashcard for every defined term (threat, vulnerability, control, risk, etc.). Quiz yourself at the end of each chapter and write one real-world example per term in your own words.
  • CIA triad journal: Keep a running log while reading all three books. Each time you encounter a security incident or anecdote, classify it — which pillar of the CIA triad was violated, and how?
  • Social engineering scenario analysis: After each case study chapter in The Art of Deception, write a one-paragraph 'defender's memo' — what policy, training, or verification process would have stopped that specific attack?
  • Threat actor profile cards: Using the categories from Cybersecurity for Beginners as a template, create a one-page profile for three different threat actors (e.g., a cybercriminal, an insider threat, a nation-state). Draw on specific examples from Mitnick's books to make each profile concrete.
  • End-of-stage synthesis essay (500–700 words): Answer the question 'Why do security failures happen?' using evidence and examples from all three books. This forces integration of mindset, vocabulary, and human-factor concepts before moving to more technical material.

Next up: By internalizing the attacker's perspective, the language of risk, and the primacy of the human factor, the reader now has the mental scaffolding needed to make sense of technical security controls — understanding not just *how* they work, but *why* they exist and *what specific threats* they are designed to counter.

The Art of Invisibility
Kevin D. Mitnick · 2017 · 315 pp

Written by the world's most famous hacker, this accessible book reveals how personal data is exposed and how attackers exploit human behavior — the perfect first lens into the cybersecurity world.

Cybersecurity for Beginners
Raef Meeuwisse · 2015 · 190 pp

A plain-English primer that defines the essential terminology, concepts, and frameworks used across the entire field, giving you the vocabulary to read everything that follows.

The Art of Deception
Kevin D. Mitnick · 2001 · 352 pp

Focuses on social engineering — the human element of hacking — cementing the attacker mindset and showing that technology alone never solves security problems.

2

Technical Core: Networking & Systems

New to it

Build a solid technical foundation in how networks, operating systems, and protocols work, so that attacks and defenses make mechanical sense rather than feeling like magic.

Study plan for this stage

Pace: 8–10 weeks total: Weeks 1–5 on "CompTIA Security+ Study Guide" (~35–40 pages/day, covering one domain per week); Weeks 6–10 on "Network Security Essentials" (~25–30 pages/day, reading one part/chapter cluster per week). Plan for 5 days of reading per week, leaving 2 days for review and hands-on exer

Key concepts
  • The OSI and TCP/IP models — how data moves through layers and why each layer is an attack surface (Chapple, Domain 1 & 2)
  • Core network protocols: DNS, HTTP/S, SMTP, FTP, SSH, TLS/SSL — their purpose, handshake mechanics, and common weaknesses (Chapple + Stallings Ch. 1–2)
  • IP addressing, subnetting, VLANs, and routing — understanding how traffic is segmented and directed (Chapple, Network Architecture domain)
  • Authentication, authorization, and access control models: DAC, MAC, RBAC — the principles that underpin every security control (Chapple, Identity & Access Management domain)
  • Cryptography fundamentals: symmetric vs. asymmetric encryption, hashing, digital signatures, PKI, and certificate chains (Chapple Crypto domain + Stallings Ch. 2–4)
  • Firewalls, IDS/IPS, proxies, and VPNs — how perimeter and network-layer defenses work mechanically (Chapple + Stallings Ch. 7–8)
  • Wireless security protocols: WEP, WPA2, WPA3 — why earlier standards failed and how modern ones address those flaws (Chapple Wireless domain + Stallings Ch. 6)
  • Operating system security basics: user privileges, file permissions, patch management, and hardening concepts (Chapple Threats & Vulnerabilities domain)
You should be able to answer
  • Can you trace a single HTTPS request from browser to server, naming the protocol, port, and security mechanism active at each layer of the TCP/IP model?
  • What is the difference between symmetric and asymmetric encryption, and why does TLS use both in the same session? (Stallings Ch. 2–3)
  • How does a stateful firewall differ from a packet-filtering firewall, and what class of attacks can each one — and cannot — stop? (Chapple + Stallings Ch. 7)
  • Why was WEP fundamentally broken, and what specific cryptographic and protocol changes did WPA2/WPA3 introduce to fix those weaknesses? (Chapple Wireless domain + Stallings Ch. 6)
  • What is a PKI, and how does a browser verify that a web server's certificate is trustworthy without having met that server before? (Chapple Crypto domain + Stallings Ch. 4)
  • How do VLANs provide network segmentation, and why is segmentation a core principle of defense-in-depth? (Chapple Network Architecture domain)
Practice
  • Packet capture lab: Use Wireshark to capture HTTP and HTTPS traffic to the same site. Compare what is visible in plaintext vs. encrypted sessions, and identify the TLS handshake packets — directly reinforcing Stallings' cryptography and protocol chapters.
  • Subnet a fictional corporate network: Given a /24 address block, design at least 4 VLANs (e.g., servers, workstations, IoT, guest Wi-Fi) with correct subnet masks and justify each boundary from a security standpoint, applying Chapple's network architecture domain.
  • Build a simple firewall ruleset: Using a free tool such as pfSense (VM) or iptables on Linux, write and test at least 10 rules that allow only specific traffic (SSH on port 22, HTTPS on 443) and block everything else — then verify with nmap from another VM.
  • Cryptography hands-on: Use OpenSSL on the command line to (a) generate an RSA key pair, (b) encrypt and decrypt a file, (c) create a self-signed certificate, and (d) inspect its fields. Map each step back to the PKI concepts in Chapple and Stallings Ch. 4.
  • Protocol dissection exercise: For each of DNS, SMTP, and FTP, look up one documented CVE, read its summary, and write a one-paragraph explanation of which protocol weakness (from Stallings Ch. 1–2) it exploited and how a modern control (firewall, TLS, DNSSEC) would mitigate it.
  • OS hardening checklist: Download the CIS Benchmark for Windows 10 or Ubuntu. Apply at least 10 recommendations in a VM, documenting what each setting changes and which Chapple domain (Access Control, Threat Management, etc.) it maps to.

Next up: Mastering how networks and systems function mechanically — protocols, encryption, access control, and perimeter defenses — gives the reader the precise technical vocabulary and mental models needed to understand how attackers actively exploit those same components, which is the focus of the next stage on offensive techniques and threat analysis.

CompTIA Security+ Study Guide
Mike Chapple · 2021 · 672 pp

The industry's most recognized entry-level certification guide; it systematically covers cryptography, network security, threats, and controls in a structured, exam-tested way.

Network Security Essentials
William Stallings · 1999 · 432 pp

Provides rigorous, textbook-level coverage of how cryptographic protocols, firewalls, VPNs, and intrusion detection actually work under the hood — essential before diving into offensive techniques.

3

Offensive & Defensive Skills: Hands-On Practice

Some background

Learn how real attacks are executed — from penetration testing to malware analysis — and how defenders detect, respond to, and contain them in practice.

Study plan for this stage

Pace: 10–12 weeks total. Weeks 1–6: "The Web Application Hacker's Handbook" (~40–50 pages/day, 5 days/week) — read chapters sequentially, pausing at each attack category to practice in a lab. Weeks 7–12: "The Practice of Network Security Monitoring" (~30–40 pages/day, 5 days/week) — slower pace to allow t

Key concepts
  • Web application attack surface mapping: understanding how to enumerate inputs, parameters, authentication mechanisms, and session management flaws as covered in Stuttard's reconnaissance chapters
  • Core web vulnerabilities in depth: SQL injection, XSS (reflected, stored, DOM-based), CSRF, clickjacking, insecure direct object references, and business logic flaws as dissected in The Web Application Hacker's Handbook
  • Bypassing client-side and server-side controls: how attackers circumvent input validation, encoding schemes, and access controls — a central theme throughout Stuttard's attack chapters
  • Penetration testing methodology: the structured, repeatable process of mapping, analyzing, attacking, and reporting on web applications, as framed by Stuttard's overall approach
  • Network Security Monitoring (NSM) philosophy: Bejtlich's core principle that detection and response depend on full-fidelity network data — understanding the collect-detect-analyze cycle
  • Traffic collection and sensor architecture: how to deploy and tune NSM sensors, capture full packet data vs. metadata, and manage data retention as detailed in Bejtlich's infrastructure chapters
  • Intrusion detection with signature and anomaly methods: using tools like Snort/Suricata and Zeek (Bro) scripts to identify malicious patterns in network traffic, as practiced throughout Bejtlich's book
  • Incident triage and network forensics: Bejtlich's methodology for pivoting from an alert to full session reconstruction, timeline building, and determining scope of compromise
You should be able to answer
  • After working through The Web Application Hacker's Handbook, can you explain the full lifecycle of a SQL injection attack — from discovery of the injection point to data extraction — and describe at least two techniques for bypassing common filters?
  • How does Stuttard distinguish between authentication vulnerabilities and session management vulnerabilities, and what specific tests would you perform against each?
  • What is Bejtlich's definition of Network Security Monitoring, and why does he argue that prevention eventually fails and detection is therefore non-negotiable?
  • Using the NSM collect-detect-analyze framework from The Practice of Network Security Monitoring, how would you triage a Zeek (Bro) conn.log alert indicating an internal host making repeated outbound connections to a single foreign IP on port 443?
  • How do the offensive techniques in Stuttard's book (e.g., parameter tampering, forced browsing) directly inform the detection signatures and anomaly baselines a defender would build in Bejtlich's NSM environment?
  • What data sources does Bejtlich prioritize for reconstructing an intrusion, and how do full packet capture, session data, and log data each contribute differently to the analysis?
Practice
  • **Web Attack Lab (Stuttard):** Deploy OWASP WebGoat or DVWA in a local VM and systematically walk through each vulnerability class covered in The Web Application Hacker's Handbook — SQLi, XSS, CSRF, IDOR — documenting your methodology in a written pentest report as if it were a real engagement.
  • **Burp Suite Mastery (Stuttard):** Use Burp Suite's Proxy, Repeater, Intruder, and Scanner tools against your lab target. Practice intercepting and modifying every type of request Stuttard describes — cookies, hidden fields, HTTP headers — and record what controls you bypassed and how.
  • **Build an NSM Sensor (Bejtlich):** Follow Bejtlich's sensor architecture guidance to install Security Onion (which bundles Zeek, Suricata, and full packet capture) in a VM on your home network or lab. Verify that conn.log, dns.log, and http.log are populating correctly.
  • **Hunt Your Own Traffic (Bejtlich):** Generate known-suspicious traffic in your lab (e.g., an Nmap scan, a Metasploit module against a vulnerable VM) and then use Zeek logs and Wireshark to reconstruct exactly what happened — practice the triage workflow Bejtlich describes chapter by chapter.
  • **Offensive-to-Defensive Translation Exercise:** Pick three specific attacks from Stuttard (e.g., stored XSS, blind SQLi, session fixation) and write a detection rule or Zeek script for each one that a defender running Bejtlich's NSM setup could use to catch the attack in progress.
  • **Capstone Incident Report:** Simulate a full attack chain in your lab — use techniques from Stuttard to compromise a web app, then switch roles and use Bejtlich's NSM methodology to detect, triage, and document the intrusion. Write a two-part report: attacker narrative and defender incident report.

Next up: By internalizing both the attacker's craft (Stuttard) and the defender's detection discipline (Bejtlich), the reader is primed to tackle more advanced topics such as malware analysis, threat intelligence, and enterprise-scale security operations — where understanding the full attack-defend loop at a technical level is an essential prerequisite.

Hacking
Jon Erickson · 2003 · 384 pp

The canonical hands-on book for understanding exploitation at the code and memory level; reading this after the networking foundation makes the mechanics of buffer overflows and shellcode click.

The web application hacker's handbook
Dafydd Stuttard · 2007 · 840 pp

The definitive reference for web security — covering SQL injection, XSS, authentication flaws, and more — since web applications are the most common attack surface professionals encounter.

The practice of network security monitoring
Richard Bejtlich · 2013

Shifts the perspective to the defender's side, teaching how to collect, analyze, and act on network data to detect intrusions — balancing the offensive skills built in the previous two books.

4

Advanced Mastery: Strategy, Adversaries & the Frontier

Going deep

Think at the strategic and systemic level — understanding nation-state threats, incident response at scale, secure software design, and the broader geopolitical and organizational dimensions of cybersecurity.

Study plan for this stage

Pace: 6–8 weeks total: Weeks 1–4 for "Countdown to Zero Day" (~30–35 pages/day, including pause days for reflection on technical chapters); Weeks 5–8 for "The Cuckoo's Egg" (~25–30 pages/day, journaling threat-hunting observations as you read).

Key concepts
  • Nation-state cyber operations and the use of cyberweapons as instruments of geopolitical strategy (Stuxnet as a case study in covert digital warfare against Iranian nuclear infrastructure)
  • Zero-day vulnerabilities: what they are, how Stuxnet chained four of them together, and why their discovery, hoarding, and deployment represent a strategic arms-race dynamic
  • Supply-chain and air-gap attacks: how Stuxnet propagated via USB and contractor networks to reach a physically isolated target, illustrating that no system is truly isolated
  • Attribution challenges: the forensic, intelligence, and geopolitical reasoning used to link Stuxnet to the US-Israeli operation, and why definitive attribution in cyberspace is inherently difficult
  • Persistent threat hunting and incident response at the individual level: Stoll's months-long manual log analysis in The Cuckoo's Egg as a masterclass in patience, curiosity, and methodical investigation
  • Early inter-agency and international coordination failures: how Stoll struggled to get the FBI, CIA, NSA, and foreign governments to act, foreshadowing modern challenges in cyber governance and information sharing
  • The adversary mindset: understanding how the KGB-sponsored hacker Marcus Hess systematically moved through systems, pivoted across networks, and monetized access — tactics that map directly onto modern APT behavior
  • Geopolitical and organizational dimensions: how both books illustrate that cybersecurity decisions are never purely technical — they involve diplomacy, law, organizational bureaucracy, and national interest
You should be able to answer
  • How did Stuxnet's designers use a chain of four zero-day exploits and a legitimate code-signing certificate to evade detection, and what does this reveal about the resource requirements of nation-state offensive operations?
  • What criteria did researchers and journalists use to attribute Stuxnet to the US and Israel, and what are the inherent limits of cyber attribution even with strong forensic evidence?
  • In The Cuckoo's Egg, what specific investigative techniques did Clifford Stoll use to track the intruder, and how do those techniques map onto modern threat-hunting and SIEM-based detection practices?
  • Both books feature adversaries who operated undetected for extended periods. What organizational, technical, and human factors enabled this persistence, and what would have shortened the dwell time?
  • How do both books illustrate the tension between operational security/secrecy and the need for inter-agency or international cooperation during a cyber incident?
  • What strategic and ethical questions does Stuxnet raise about the use of cyberweapons against civilian infrastructure, and how do those questions inform current debates around norms in cyberspace?
Practice
  • Zero-Day Chain Diagram: After finishing Countdown to Zero Day, draw a detailed attack-chain diagram of Stuxnet — entry vector, propagation mechanism, each zero-day's role, the PLC payload, and the cover-up logic. Annotate each stage with the defensive control that would have broken the chain.
  • Attribution Memo: Write a 1–2 page intelligence-style memo either attributing or challenging attribution of Stuxnet to a nation-state, using only the evidence Zetter presents. Practice distinguishing technical indicators, circumstantial evidence, and geopolitical inference.
  • Threat-Hunt Simulation: Using a home lab or a platform like TryHackMe/Hack The Box, ingest sample logs and practice the same manual anomaly-detection workflow Stoll used — look for 75-cent discrepancies, odd login times, and unfamiliar usernames. Document your findings in a running journal.
  • Incident Response Timeline: Reconstruct Stoll's investigation from The Cuckoo's Egg as a formal IR timeline (Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned) using the NIST SP 800-61 framework. Identify every phase where modern tooling would have accelerated or changed the outcome.
  • Geopolitical Briefing: Choose a real-world nation-state cyber campaign (e.g., NotPetya, SolarWinds) and write a two-page strategic briefing modeled on the analytical style in Countdown to Zero Day — covering actor, motive, capability, targets, and international response.
  • Stakeholder Communication Exercise: Role-play Stoll's position in The Cuckoo's Egg. Draft the emails he might send today to CISA, the FBI Cyber Division, and a foreign CERT to escalate the incident — practicing the skill of translating technical findings into actionable language for non-technical decision-makers.

Next up: Mastering the strategic, adversarial, and geopolitical dimensions in these two books equips the reader to engage with the frontier of cybersecurity — emerging topics like AI-driven attacks, quantum-safe cryptography, and the evolving policy and legal frameworks that will define the next generation of the field.

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Kim Zetter · 2014 · 448 pp

The definitive account of Stuxnet, this book reveals how nation-state cyberweapons are built and deployed, elevating your understanding from individual attacks to geopolitical cyber conflict.

The Cuckoo’s Egg
Clifford Stoll · 1989 · 378 pp

A gripping true story of the first documented cyber espionage case, teaching threat hunting, persistence, and incident response through a real, high-stakes investigation.

Threat modeling
Adam Shostack · 2014 · 624 pp

Written by a Microsoft security architect, this book teaches you to bake security into systems from the design stage — the mark of a mature security professional who thinks proactively, not reactively.

Discussion