Cybersecurity Foundation: A Practitioner's Guide

Jason J. Boderebe
14 min read
#cybersecurity #beginner #guide

This guide is for anyone who has ever looked at a system and wondered — how does that actually work? And what happens if I push it past what it was designed to do?

That question is where cybersecurity starts. Not with a certification. Not with a tool. With curiosity.

I started asking that question as an undergrad, watching the real-world cybersecurity landscape unfold — breaches making headlines, systems failing in ways nobody predicted, attackers finding paths that defenders never thought to close. It wasn’t abstract. It was happening everywhere, all the time, to real organizations and real people. That’s what pulled me in.

If something similar pulled you here — you’re already thinking the right way. The rest is building the knowledge and skills to back it up.


Before anything else — set realistic expectations

The cybersecurity field is broad, constantly evolving, and genuinely difficult to master. Nobody learns it in a month. Nobody learns it in a year. The practitioners you see doing impressive things have years of accumulated experience behind them — hours in labs, dozens of failed attempts, concepts that took months to click.

You are not going to shortcut that. Nobody does.

What you can do is build consistently, stay curious, and trust that incremental progress compounds over time. The people who make it in this field are not the most naturally talented. They’re the ones who kept going when things got hard.

Give yourself permission to be a beginner. It doesn’t last forever, but it has to be honored before you can move past it.


Take notes — seriously

Before you start learning anything, build a system for capturing what you learn. This sounds obvious. Most people skip it and regret it.

Your notes are not a transcript. They are a field manual — your personal reference that you’ll return to for months and years. The goal is to capture the essential information in a way that’s searchable, concise, and useful to future you.

What bad notes look like:

  • Writing down everything you hear or read
  • Filling pages with screenshots that aren’t searchable
  • Long passages that take time to scan when you need a quick answer

What good notes look like:

  • Short, searchable summaries of key concepts
  • Commands and code blocks with context on what they do
  • Links back to original sources rather than rewriting everything
  • Diagrams for complex topics — a visual representation beats paragraphs every time

Tools worth using:

  • Notion — flexible, web-based, great for organizing notes by topic with linked pages
  • Obsidian — local, markdown-based, excellent for building a connected knowledge base
  • Paper — underrated for working through concepts in real time before digitizing

Use whatever you’ll actually maintain. The best note-taking tool is the one you open consistently.

Ask yourself before writing anything down: will this be useful to me six months from now? If the answer is no, link to it instead of copying it.


The four things you must build before anything else

There are four core skill areas that every cybersecurity practitioner needs regardless of which direction they eventually go. Think of these as the foundation everything else is built on. Skip them and you’ll hit a ceiling that’s hard to break through later.

1. Operating systems

You need to be genuinely comfortable with both Linux and Windows — not just familiar, comfortable.

Linux is where most security tools live, most servers run, and most CTF challenges operate. You need to navigate filesystems, manage files and processes, understand permissions, read and write basic scripts, and feel at home on the command line. If you freeze up when you open a terminal, fix that before anything else.

Windows matters because most enterprise environments run on it. Active Directory, PowerShell, the Windows Registry, event logs — these are the things you’ll encounter in real-world security work whether you’re attacking or defending.

Core concepts to understand:

  • Filesystem hierarchy and core directories
  • Boot procedure and system internals
  • CPU, memory, and storage at a conceptual level
  • Shells — bash, zsh, PowerShell, cmd
  • Common command line operations — file manipulation, process management, package installation, text streams

Where to start:

  • Linux Journey — interactive Linux fundamentals
  • OverTheWire: Bandit — learn Linux through security challenges
  • Microsoft Learn — Windows and PowerShell fundamentals
  • UnderTheWire — PowerShell challenges

2. Computer networking

Security is fundamentally about how data moves — and how to manipulate, intercept, or protect that movement. Networking is non-negotiable.

When you understand networking, attacks stop looking like magic. A port scan is just asking what’s listening. A man-in-the-middle attack is just inserting yourself into a conversation. The mystique disappears and the logic becomes clear.

Core concepts to understand:

  • IP addressing and subnetting
  • Routing (layer 3) and switching (layer 2, ARP)
  • TCP/UDP and common protocols and ports
  • DNS — how names resolve to addresses
  • HTTP/HTTPS — how the web communicates
  • Firewalls, proxies, VLANs, and tunnels
  • The OSI model and TCP/IP model

Networking tools to know:

  • IP configuration — ip address, ipconfig, Get-NetIPAddress
  • Host discovery — ping, arp-scan, nmap
  • Packet capture — Wireshark, tcpdump
  • DNS troubleshooting — nslookup, dig
  • Remote connectivity — ssh, scp, OpenVPN

Where to start:

  • Professor Messer’s free CompTIA Network+ material
  • Wireshark Tutorial for Beginners — actually capture and read traffic
  • Subnetting Practice — subnettingpractice.com

3. Web technologies

Web application security is one of the most in-demand areas in the field. It starts with understanding how the web actually works at a level most people never bother to reach.

What does an HTTP request look like? What’s in a response header? What is a cookie actually doing? How does authentication work under the hood? How does a browser decide what to render and what to execute?

Once you understand normal web behavior, you can start identifying abnormal behavior — and that’s where security gets interesting.

Core concepts to understand:

  • HTTP methods and headers
  • Web servers and how they process requests
  • Directories, files, and how servers expose them
  • HTML, CSS, JavaScript — not as a developer but as a reader
  • Databases and how applications query them
  • Inputs and parameters — where user data enters a system
  • Authentication and sessions
  • APIs and REST

Web tools to know:

  • HTTP inspection — Burp Suite, mitmproxy, Caido
  • Content discovery — gobuster, feroxbuster, ffuf
  • Web stack analysis — Wappalyzer, WhatWeb
  • CLI HTTP clients — curl, wget, Invoke-WebRequest

Where to start:

  • OWASP Top 10 — required reading, full stop
  • PortSwigger Web Security Academy — the best free web security resource in existence
  • MDN HTTP reference — understand the protocol deeply

4. Programming and scripting

You don’t need to be a developer. You need to be able to read code, write basic scripts, and understand what a program is doing at a high level.

Python is the best first language for security — it’s readable, widely used for tooling, and almost every security script you’ll encounter is written in it. Bash is essential for Linux work. PowerShell matters for Windows environments.

Beyond your own scripting, learn to read code in whatever language the systems you’re testing use. Understanding what a PHP application is doing, or what a JavaScript function is executing, is often the difference between finding a vulnerability and walking past it.

Core concepts to understand:

  • Data types and variables
  • Flow logic — if/else, loops
  • Functions and scope
  • Object-oriented programming basics
  • Reading and modifying existing code
  • Writing automation scripts

Where to start:

  • learnpython.org — free interactive Python
  • shellscript.sh — bash scripting fundamentals
  • Exercism.org — multi-language coding exercises
  • Codewars — coding challenges that actually make you think

Build a home lab

A home lab is where theory becomes real skill. There is no substitute.

You don’t need expensive hardware. An old laptop or a desktop with VirtualBox or VMware is enough to start. What matters is that you have a safe, isolated environment where you can practice attacks and defenses against systems you own and control.

A practical starting setup:

  • Kali Linux as your attack machine — comes pre-loaded with most tools you’ll need
  • A vulnerable target — DVWA or WebGoat for web security, VulnHub machines for system exploitation
  • A monitoring layer — Splunk or a basic SIEM to practice detection while you attack

The lab teaches you things no course can. You’ll break configurations, misunderstand how tools work, get stuck for hours on something that turns out to be a simple mistake. Every one of those experiences builds intuition that no video tutorial can replicate.

I’ve documented the full process of building a security lab step by step:

  • Building a Cybersecurity Home Lab
  • Deploying Vulnerable Applications for Practice
  • Network Security Monitoring with Suricata


Where to practice

Once your lab is running, these platforms will keep you busy for a long time.

TryHackMe

The best starting point for most people. Structured, guided, and designed for beginners. The Pre-Security path covers networking, Linux, and web fundamentals in a hands-on environment. The learning curve is gentle enough that you’ll build confidence quickly without getting overwhelmed.

Start here. Work through the structured paths before going free-form.

Hack The Box

Where you go after TryHackMe. The machines are harder, the hints are fewer, and completing a box without a walkthrough gives you real confidence. The HTB Starting Point bridges the gap between the two platforms — guided machines that ease you into the HTB style.

PortSwigger Web Security Academy

The definitive free resource for web application security. Every major vulnerability class covered — SQL injection, XSS, SSRF, XXE, business logic flaws — with hands-on labs that require you to actually exploit real vulnerabilities. World-class material, completely free.

OverTheWire

Security fundamentals through wargames. Bandit is for beginners and teaches Linux through challenges that actually make you think. Natas moves into web security. The later challenges get seriously difficult.

PicoCTF

Beginner-friendly CTF challenges from Carnegie Mellon University. Good for your first taste of CTF-style thinking across cryptography, reverse engineering, forensics, and web security.


Developing your methodology

CTF and practice platforms are where you build methodology — the systematic approach you take to any target. Without methodology, you’re just poking randomly and hoping something works.

For boot2root style machines — where you start with nothing and work toward full system compromise — a basic methodology looks like this:

1. Reconnaissance — gather information about the target. What ports are open? What services are running? What versions?

nmap -Pn -p- -T4 -sC -sV -oN nmap_scan.txt <target_ip>

2. Enumeration — go deeper on what you found. Don’t just see that port 80 is open — enumerate everything the web server exposes. Directories, files, technologies, parameters.

3. Vulnerability identification — of everything you’ve found, what could be exploited? Cross-reference versions against known CVEs. Look for misconfigurations. Think about what each service is doing and what could go wrong.

4. Exploitation — try to exploit what you’ve identified. Start with the lowest effort, highest probability options first.

5. Post-exploitation — once you have a foothold, what can you do with it? Escalate privileges, move laterally, capture flags, document everything.

6. Documentation — write it up. What you found, how you found it, what you exploited, and what it means. This habit translates directly to professional penetration testing where reporting is half the job.
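Steps 1 and 6 fit together: the reconnaissance scan above writes normal-format output with -oN, and that file is what goes into your notes. As an added example (not from the original post), this Python script parses the port table of an nmap -oN file into structured entries and renders the open ports as a markdown table ready for a notes file. The sample scan output, the 10.0.0.5 address and the version banners in it are constructed, not real scan results.

```python
import re
from dataclasses import dataclass

# Matches the rows nmap prints under the "PORT STATE SERVICE VERSION" header
# in normal (-oN) output; the VERSION column is absent for some states.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty string when nmap printed no version


def parse_nmap_normal(text: str) -> list[PortEntry]:
    """Extract port table rows; NSE script lines ("|", "|_") and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return entries


def open_ports(entries: list[PortEntry]) -> list[PortEntry]:
    return [e for e in entries if e.state == "open"]


def notes_table(entries: list[PortEntry]) -> str:
    """Render the open ports as a markdown table for the notes file."""
    rows = ["| Port | Service | Version |", "|---|---|---|"]
    for e in open_ports(entries):
        rows.append(f"| {e.port}/{e.proto} | {e.service} | {e.version or '-'} |")
    return "\n".join(rows)


# Constructed sample of nmap -oN output (host, versions and banners are made up).
SAMPLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn -p- -T4 -sC -sV -oN nmap_scan.txt 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.00042s latency).
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 aa:bb:cc:dd (ECDSA)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Welcome
3306/tcp filtered mysql
"""
```

Run `print(notes_table(parse_nmap_normal(SAMPLE)))` to see the table; point the parser at the text of a real nmap_scan.txt from your own lab to generate the same table for your notes.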

Is it okay to use walkthroughs?

Yes — absolutely. The best practitioners in this field use them.

The rule: if you’ve been genuinely stuck for 30 minutes and you’ve actually tried things, read enough to get unstuck and then put it away. Don’t read the full solution before you’ve struggled. The struggle is the learning.

Add what you learn to your notes. Make an effort to understand why the solution works, not just what it is. That understanding is what transfers to the next problem.


Certifications — honest take

Certifications matter more early in your career than they do later. They signal a baseline of knowledge to employers who don’t know you yet. Once you have a track record — a portfolio, write-ups, real experience — they matter much less.

The question to ask before pursuing any certification: Will this help me with my immediate job search?

Search job boards for the certification you’re considering. If employers are asking for it, it’s worth pursuing. If they’re not, your time is better spent building practical skills.

Certifications worth knowing about:

CompTIA Security+ — the most recognized entry-level cert in the field. If you’re job hunting without experience, having it is better than not having it. Professor Messer’s free study materials are excellent.

ISC2 CC — free to obtain, legitimate, good for getting a credential early with minimal investment.

eJPT — a practical exam that tests your ability to actually hack, not just answer multiple choice questions. Worth doing if penetration testing is your direction.

OSCP — the gold standard for penetration testing. Not a beginner cert. Work toward it once you’re consistently completing HTB machines without walkthroughs.

One honest warning: don’t chase certifications before you have hands-on experience. A cert without practical skills is easy to see through in an interview. Build first, validate second.


Finding your niche

Cybersecurity is too broad to master generically. At some point you need to pick a direction and go deep.

Try a bit of everything early. Then commit to something that genuinely interests you.

Penetration testing / red team — simulating attacks to find vulnerabilities before real attackers do. High demand, well compensated, and genuinely interesting work. Rewards curiosity and creativity.

Security operations / blue team — monitoring, detecting, and responding to incidents in real time. A great entry point into the industry that builds transferable skills across almost every security role.

Threat hunting — proactively searching for threats that evaded automated detection. Requires strong analytical skills and deep knowledge of attacker techniques.

Application security — securing software during development. Works closely with development teams, reviews code for vulnerabilities, and builds security into the software development lifecycle.

Cloud security — securing infrastructure and workloads in AWS, Azure, and GCP. One of the fastest-growing areas in the field.

Malware analysis / reverse engineering — understanding what malicious code does and how it operates. Deep technical work that requires patience and strong programming knowledge.

The specialists who truly understand their domain are the ones who build real reputations. Find your corner and go deep.


Impostor syndrome

This hits practitioners at every level. You will encounter people who seem to know everything. You will look at a target and feel like you have no idea where to start. You will read something that makes you feel like you’ve learned nothing.

That’s normal. That’s the field.

When you see someone very skilled, you are seeing a snapshot — their abilities at a specific moment in time, not how long it took them to get there. The years of failure, confusion, and frustration that built those skills are invisible.

The only comparison that matters is your current self versus your past self. Are you better than you were three months ago? Then you’re doing it right.

Be kind to yourself. Constantly grinding without rest leads to burnout. Give yourself time away from studying. The knowledge consolidates when you’re not actively trying to absorb it.


Community and mentorship

You don’t have to figure this out alone. The cybersecurity community is one of the most open and generous in tech — people share knowledge freely, help each other on challenges, and actively mentor those coming up behind them.

Where to find your people:

  • Discord — HackTheBox and TryHackMe both have active servers
  • Reddit — r/netsec, r/cybersecurity, r/homelab
  • Local meetups and OWASP chapters
  • CTF competitions — you meet people by competing alongside them

On mentorship: if you’re fortunate enough to have someone with experience willing to give you their time — treat it accordingly. Mentors have lives, jobs, and their own priorities. Come prepared with specific questions. Show that you’ve already tried to figure things out yourself. Don’t take the relationship for granted.

And if you don’t have a mentor yet — that’s okay. The platforms, the community, and the resources available online are precisely there to fill that gap.

Stay curious.