Security Training Platforms
HackTheBox, TryHackMe, PortSwigger Academy, OffSec — where to actually learn this stuff.
The fastest way to get good is to do hands-on labs against deliberately-vulnerable systems. The 2024–26 best-of breed is a mix of free academies (PortSwigger, Pwn College, OverTheWire) and paid platforms with vetted certifications (OffSec, HackTheBox, TryHackMe). For CTF tooling see CTF Tools (pwntools). For bug bounty platforms see Bug-Bounty Platforms. For workflow / labs against AD specifically see Active Directory Pentesting (GOAD).
The two giants
- ★ HackTheBox — labs, machines, Pro Labs (multi-host networks like Dante, Offshore, RastaLabs), Academy (modular courses), CDSA / CWEE / CPTS / CBBH certifications. Free tier (limited active machines), VIP / VIP+ paid (~$14–30/mo).
- ★ TryHackMe — gentler curve; gamified learning paths; Junior Pentester / SOC Level 1 / CompTIA-aligned tracks. Free tier, paid $10/mo.
Free, must-do
- ★ ★ PortSwigger Web Security Academy — Burp's owners; the reference free web-app security training; topic-by-topic with deliberately-vulnerable labs. Free. Pair with Burp Community.
- ★ OverTheWire — wargame ladders (Bandit → Krypton → Natas etc.); the canonical "first time on the CLI" resource. Free.
- ★ Pwn College (ASU; Yan Shoshitaishvili & co.) — structured pwn / RE / web / system-security curriculum; free.
- picoCTF (CMU) — beginner CTF resource; free.
- Vulnhub — downloadable vulnerable VMs.
- HackingHub — bug-bounty-focused free labs.
- The Cyber Mentor (TCM Security) free YouTube + paid courses.
- CryptoHack — crypto-focused; free.
- Web.dev's security learning path — Google's free path.
Defender / blue-team training
- ★ CyberDefenders — DFIR / blue-team labs (Sherlock-style investigations); free + paid.
- ★ LetsDefend — SOC simulator; alerts to triage; free + paid.
- BlueTeamLabsOnline (BTLO) — DFIR / IR labs.
- Splunk Boss of the SOC (BOTS) — free; classic.
- DetectionLab (Chris Long) — labs you build at home.
- Atomic Red Team / DetectionLab combination — see Detection (Sigma / YARA / ATT&CK).
Vendor / certification ladders
- ★ OffSec (Offensive Security) — paid; PEN-200 / OSCP, PEN-300 / OSEP, EXP-301 / OSED, EXP-401 / OSEE, WEB-200 / OSWA, WEB-300 / OSWE. The reference offensive certs.
- HackTheBox Certifications — CPTS, CBBH, CWEE, CDSA. Cheaper than OffSec; respected and growing.
- TryHackMe Certifications — Junior Pentester, SOC Level 1.
- eLearnSecurity / INE — eJPT, eCPPT, eWPTX. Affordable middle tier.
- SANS GIAC — GPEN, GXPN, GREM, GCFA, GNFA, etc. Expensive ($8–10k); strong for fed / DoD careers.
- CompTIA PenTest+ / Security+ — entry-level; HR-friendly.
- (ISC)² CISSP — managerial; not technical pentest.
- Zero-Point Security — CRTO (Cobalt Strike–style red team), CRTL (lateral movement). Highly regarded.
- Altered Security — CRTP, CRTE, CRTM, PACES — AD-focused; affordable.
AD / red team labs
- Hack The Box Pro Labs — Dante, Offshore, RastaLabs, Cybernetics, APTLabs, Zephyr.
- Altered Security labs — paired with their certs.
- GOAD (Game of Active Directory) — free self-host; see Active Directory Pentesting.
Cloud / DevSecOps training
- flAWS / flAWS2 — free AWS challenge labs.
- CloudGoat / AzureGoat / GCPGoat — see Cloud Pentesting.
- HackTricks Cloud — free reference.
- PentesterLab — paid; web-app-focused; great for foundational web vuln learning.
Web / mobile / API specifics
- PortSwigger Web Security Academy — see above.
- OWASP WebGoat / OWASP Juice Shop — self-host OWASP-themed labs; free.
- MAS Hacking (OWASP MASTG labs) — see Mobile Pentesting.
- APIsec University — free API security course.
- VAmPI / DamnVulnerableAPI — vulnerable API labs.
Crypto / RE / forensics
- CryptoHack — modern crypto challenges.
- Crackmes.one — RE crackmes archive.
- Embedded CTF — IoT challenge sets.
What to actually do, in what order
- ★ Day 0: OverTheWire Bandit + PortSwigger Web Academy (3 most-common labs).
- Month 1–3: TryHackMe pentester path or HackTheBox starting machines.
- Month 3–6: PortSwigger advanced + CTF-style HTB machines + start writing notes.
- Year 1: OSCP (PEN-200) or HTB CPTS — a real exam pushes structured learning.
- After: specialise (web/AD/cloud/RE/mobile) and keep doing labs.
Pick this if…
- Default web-app deep dive, free: PortSwigger Web Security Academy.
- Default progression labs, paid: HackTheBox + TryHackMe.
- OSCP / OSEP path: OffSec.
- Cheaper, equally respected cert: HackTheBox CPTS/CBBH or Altered Security CRTP.
- Defender / SOC training: CyberDefenders + LetsDefend.
- Free ladder for absolute beginners: OverTheWire + picoCTF + TryHackMe free path.