Intro
Since there are many beginners here, I think it would be fair to give some advice in one big post, rather than answering hundreds of questions individually.
You can find a lot of resources to use for learning in Tech Wiki. I’m trying to update it when I have time.
I will suggest two paths, both of which work, but have different approaches and end goals.
- The “Long way”.
- The “Fast and Furious” way.
Long way
The idea of the Long Way is to start from the very beginning, with the basics, namely computer science, programming, and networking.
This will take you a long time, 1, maybe 2, or maybe even all 5 years, but that’s okay, there’s no need to rush. In the long run, you will become a much better specialist than most applicants on the job market.
Of course, you can learn all this in college/university, and in fact, that would be the best option. It took me a long time to learn all this on my own, and it was difficult. Really.
The idea behind this long journey is simple:
You hack programs → programs run on computers → therefore, you need to know how both work.
Seriously, this simple idea is often overlooked because advertising wants you to think that it’s easy and that MegaCoolHackingAcademy knows some magical way to teach you all of this in 3 months.
What’s next
Okay, you’ve learned the basics, you know how computers work, you know the basics of operating systems, a little bit of assembly language, C, maybe C++. That’s pretty cool. So what’s next?
Start with the basics of binary file exploitation. Thirty years ago, people hacked binary files because literally the entire Internet consisted of only HTML + CSS and nothing else.
And don’t think it’s useless. How do you think researchers find vulnerabilities in server software?
Don’t rush, maybe another year. Maybe more, don’t worry, learn as much as you can.
And FINALLY, you can learn web application security, API security, web3, and anything else you want. Trust me, after all this, everything will be easy for you.
You will have enough knowledge to quickly gain a deep understanding of almost any topic. Your knowledge will allow you to learn anything.
Fast and Furious way
Now let’s talk about the Fast and Furious way.
I think most of you want to hack just for the money. That’s okay, I’m not judging anyone. And yes, it’s possible, it will be faster, but not too fast, don’t even think about a few months. At least 2 years.
I would advise you to start with web application security rather than penetration testing. Penetration testing is actually much more complex than it appears, because it encompasses several topics, such as web application security, API security, pivoting, and perhaps even binary exploitation.
First, participate in CTF games to get used to working outside the training ground. When you feel confident, IT’s TIME to start hacking for free…
Unfortunately, most large bug bounty programs are filled with professionals in the field. Start with VDP programs. In fact, no one else is doing them, so there is no competition. You won’t always earn money, but you will gain something more valuable than experience: reputation. Maybe someone will even invite you to join a private vulnerability program, who knows?
What’s Next
It’s the same as with the Long way. The difference lies in how difficult it will be to learn something new or perhaps switch completely to another area of cybersecurity. It will always be difficult because you will need to find answers to many questions, while the long road will give you enough knowledge to understand why something works the way it does and why it is vulnerable.
Myths we believe in
-
“Hacker mindset” is something we born with.
NO AND NO. Any “mindset” is just a skill, you will adopt it by time, don’t worry. -
“White hat” hackers have carte blanche.
No (unfortunately). Actually 90% of what white hat hackers do, is work with bureaucratic hell. They need to follow a lot of rules. -
CTF games are useless.
CTF games are perfect to learn some new skill. Especially CTF games is useful for beginners to learn work in black box scenarios. -
Low level hacking is dead
Say that to IoT and kernel developers who encounter with security issues day by day -
Certifications makes you professional
Sorry for the bad language, but that’s complete bullshit. I know many excellent professionals who don’t have a single certificate, but they are better hackers than most “certified” hackers. -
(Suggest some myth in comments
)
Outro
I hope I have been of some assistance to you. Do not be afraid of new things; it is always difficult at first. It will become easier later.
I would very much like to hear your opinion in the comments. Feel free to criticize and ask questions. This will help us improve.



