Tooling

Security Training Platforms

HackTheBox, TryHackMe, PortSwigger Academy, OffSec — where to actually learn this stuff.

The fastest way to get good is to do hands-on labs against deliberately-vulnerable systems. The 2024–26 best-of breed is a mix of free academies (PortSwigger, Pwn College, OverTheWire) and paid platforms with vetted certifications (OffSec, HackTheBox, TryHackMe). For CTF tooling see CTF Tools (pwntools). For bug bounty platforms see Bug-Bounty Platforms. For workflow / labs against AD specifically see Active Directory Pentesting (GOAD).

The two giants

  • HackTheBox — labs, machines, Pro Labs (multi-host networks like Dante, Offshore, RastaLabs), Academy (modular courses), CDSA / CWEE / CPTS / CBBH certifications. Free tier (limited active machines), VIP / VIP+ paid (~$14–30/mo).
  • TryHackMe — gentler curve; gamified learning paths; Junior Pentester / SOC Level 1 / CompTIA-aligned tracks. Free tier, paid $10/mo.

Free, must-do

  • ★ ★ PortSwigger Web Security Academy — Burp's owners; the reference free web-app security training; topic-by-topic with deliberately-vulnerable labs. Free. Pair with Burp Community.
  • OverTheWire — wargame ladders (Bandit → Krypton → Natas etc.); the canonical "first time on the CLI" resource. Free.
  • Pwn College (ASU; Yan Shoshitaishvili & co.) — structured pwn / RE / web / system-security curriculum; free.
  • picoCTF (CMU) — beginner CTF resource; free.
  • Vulnhub — downloadable vulnerable VMs.
  • HackingHub — bug-bounty-focused free labs.
  • The Cyber Mentor (TCM Security) free YouTube + paid courses.
  • CryptoHack — crypto-focused; free.
  • Web.dev's security learning path — Google's free path.

Defender / blue-team training

  • CyberDefenders — DFIR / blue-team labs (Sherlock-style investigations); free + paid.
  • LetsDefend — SOC simulator; alerts to triage; free + paid.
  • BlueTeamLabsOnline (BTLO) — DFIR / IR labs.
  • Splunk Boss of the SOC (BOTS) — free; classic.
  • DetectionLab (Chris Long) — labs you build at home.
  • Atomic Red Team / DetectionLab combination — see Detection (Sigma / YARA / ATT&CK).

Vendor / certification ladders

  • OffSec (Offensive Security) — paid; PEN-200 / OSCP, PEN-300 / OSEP, EXP-301 / OSED, EXP-401 / OSEE, WEB-200 / OSWA, WEB-300 / OSWE. The reference offensive certs.
  • HackTheBox Certifications — CPTS, CBBH, CWEE, CDSA. Cheaper than OffSec; respected and growing.
  • TryHackMe Certifications — Junior Pentester, SOC Level 1.
  • eLearnSecurity / INE — eJPT, eCPPT, eWPTX. Affordable middle tier.
  • SANS GIAC — GPEN, GXPN, GREM, GCFA, GNFA, etc. Expensive ($8–10k); strong for fed / DoD careers.
  • CompTIA PenTest+ / Security+ — entry-level; HR-friendly.
  • (ISC)² CISSP — managerial; not technical pentest.
  • Zero-Point Security — CRTO (Cobalt Strike–style red team), CRTL (lateral movement). Highly regarded.
  • Altered Security — CRTP, CRTE, CRTM, PACES — AD-focused; affordable.

AD / red team labs

  • Hack The Box Pro Labs — Dante, Offshore, RastaLabs, Cybernetics, APTLabs, Zephyr.
  • Altered Security labs — paired with their certs.
  • GOAD (Game of Active Directory) — free self-host; see Active Directory Pentesting.

Cloud / DevSecOps training

  • flAWS / flAWS2 — free AWS challenge labs.
  • CloudGoat / AzureGoat / GCPGoat — see Cloud Pentesting.
  • HackTricks Cloud — free reference.
  • PentesterLab — paid; web-app-focused; great for foundational web vuln learning.

Web / mobile / API specifics

  • PortSwigger Web Security Academy — see above.
  • OWASP WebGoat / OWASP Juice Shop — self-host OWASP-themed labs; free.
  • MAS Hacking (OWASP MASTG labs) — see Mobile Pentesting.
  • APIsec University — free API security course.
  • VAmPI / DamnVulnerableAPI — vulnerable API labs.

Crypto / RE / forensics

  • CryptoHack — modern crypto challenges.
  • Crackmes.one — RE crackmes archive.
  • Embedded CTF — IoT challenge sets.

What to actually do, in what order

  • Day 0: OverTheWire Bandit + PortSwigger Web Academy (3 most-common labs).
  • Month 1–3: TryHackMe pentester path or HackTheBox starting machines.
  • Month 3–6: PortSwigger advanced + CTF-style HTB machines + start writing notes.
  • Year 1: OSCP (PEN-200) or HTB CPTS — a real exam pushes structured learning.
  • After: specialise (web/AD/cloud/RE/mobile) and keep doing labs.

Pick this if…

  • Default web-app deep dive, free: PortSwigger Web Security Academy.
  • Default progression labs, paid: HackTheBox + TryHackMe.
  • OSCP / OSEP path: OffSec.
  • Cheaper, equally respected cert: HackTheBox CPTS/CBBH or Altered Security CRTP.
  • Defender / SOC training: CyberDefenders + LetsDefend.
  • Free ladder for absolute beginners: OverTheWire + picoCTF + TryHackMe free path.

On this page