Abdul Alim

Cybersecurity Basics Roadmap

Understand threats, protect your accounts and projects, and build security-aware habits as a developer.

5 stages
5 milestones

Stage 1: Security Fundamentals

1–2 weeks

Understand the threat landscape before learning any tools or techniques.

  • CIA triad — Confidentiality, Integrity, Availability
  • Common attack types — phishing, malware, ransomware, social engineering
  • Authentication vs authorisation
  • Principle of least privilege
  • Threat modelling basics
  • Personal security hygiene — passwords, 2FA, updates

Stage 2: Network Security

1–2 weeks

Most attacks happen over the network. Understand how data moves and how to protect it.

  • OSI model — layers and what they mean
  • TCP/IP, DNS, HTTP, HTTPS basics
  • Firewalls, VPNs, and network segmentation
  • Common network attacks — MITM, DNS spoofing
  • TLS/SSL — how HTTPS actually works
  • Wireshark — reading network traffic

Stage 3: Web Application Security

2–3 weeks

As a developer, the OWASP Top 10 is your security bible. Learn to write code that doesn't get hacked.

  • OWASP Top 10 — the most critical web vulnerabilities
  • SQL injection — how it works and how to prevent it
  • Cross-Site Scripting (XSS) — stored, reflected, DOM
  • CSRF — Cross-Site Request Forgery
  • Broken authentication and session management
  • Security headers — CSP, HSTS, X-Frame-Options
  • Dependency vulnerabilities — npm audit

Stage 4: Secure Development Practices

1–2 weeks

Integrate security into your development workflow — shift left, not bolt on.

  • Input validation and output encoding
  • Parameterised queries — never build SQL with string concatenation
  • Secrets management — .env, vaults, never in git
  • Dependency scanning with Snyk or Dependabot
  • Security testing — SAST tools and code review
  • Penetration testing concepts

Stage 5: Tools, Practice & Certifications

Ongoing

Reinforce your learning with hands-on practice and optionally earn a recognised certification.

  • TryHackMe and Hack The Box — hands-on labs
  • Kali Linux — the pentester's OS
  • Burp Suite — intercepting and analysing HTTP
  • CompTIA Security+ certification path
  • CEH (Certified Ethical Hacker) overview
  • Staying up to date — CVE databases, security blogs