Intro

I do not want to bore you with my life story, so let’s pretend my life started in November 2021.

I had completed almost a full year of college, but it wasn’t working out for me. I had prior experience with CTFs via TryHackMe (THM) and Hack The Box (HTB), so I decided I would take a year off and try to get a job in security.

Because I didn’t know much, I did quite a bit of research on where to start with certifications.

I was faced with a few options: Security+, PenTest+, CEH, and eJPT.

The eJPT was the only practical exam out of those options, and I hated cramming information just to pass an exam, so I pulled the plug on the eJPT.

It was fairly new at the time and had a lot of buzz about how it’s the best for beginners.

I learned a lot of networking stuff, but outside of that I don’t remember much else about what I learned.

What I do know for sure is I finished the eJPT excited about my accomplishment and that steered me in the right direction.

I posted about it on LinkedIn and Twitter and thought I would 100% get a job.

Nope. I did not. Some people cared. Most didn’t.

At this time, December 2021, the PNPT had just come out.

The buzz was crazy, everyone wanted it because the reviews were so good.

This is also the time I started my YouTube channel - just FYI.

I had a bit of money saved up from working my exhausting day job (retail), and I had a choice to make.

Everyone said that the OSCP was the gold standard, but everyone who took the PNPT was saying TCM would overtake OffSec (Offensive Security) in no time.

Because I couldn’t justify paying $1600 for a certification at the time, I went with the PNPT (about $300-$350, I don’t remember exactly) and the rest is history…

Roadmap

If I had to do it all over again, here’s how I’d break into cybersecurity, specifically focusing on application security.

These are the resources that I have used in the past, continue to use, and will continue to use.

By the way, my YouTube video on this goes into much more detail, so check it out.

1. Start with TryHackMe
Forget Hack The Box for now; it's more advanced.

Start with TryHackMe, especially their Junior Penetration Tester path.

This will get you grounded in the fundamentals—everything from network security to privilege escalation.

It’s affordable too, about $14/month, which is solid for what you're getting.

Once you’ve nailed this, move on.

2. PortSwigger Labs
PortSwigger is the resource for web app security.

And the best part? It’s free.

Get hands-on with labs covering SQL injection, XSS, CSRF, and SSRF.

Focus on the Apprentice-level labs first for ALL the topics listed below — mastering these will set you up perfectly for real-world bug hunting and pen testing.

Labs To Do:

  • XSS

  • CSRF

  • SSRF

  • CORS

  • Request smuggling

  • Path traversal

  • Access control vulns

  • Web cache deception

  • Web cache poisoning

  • OAuth

  • File upload

  • JWT

  • SQL & NoSQL injection

  • API testing

    • GraphQL

3. TCM Security Courses
Once you’re done with TryHackMe and PortSwigger, it's time to level up with some certifications.

I recommend TCM Security’s Bug Bounty and PWPT (Practical Web Application Penetration Tester) courses.

The content is affordable and solid, plus you get certifications that add some value to your resume.

4. Get into Bug Bounties
Bug bounties aren’t just about making quick cash.

They train your mind to think like a hacker. Follow people like NahamSec, Jason Haddix, Greg from Bug Bounty Reports Explained, and the guys from the Critical Thinking - Bug Bounty Podcast.

Study disclosed bug reports on bug bounty platforms and Pentester.Land to get into the mindset of real bug hunters.

5. Add Code Review to Your Skillset
Once you’ve got a solid grasp of web hacking, add code review to your skillset.

Platforms like PentesterLab offer fantastic code review exercises.

Learn how to analyze large codebases and hunt for vulnerabilities hidden deep in the code.

Skip the OSWE IMO.

6. Dive into Cloud Security
Cloud is the future, and you’ll need to get good at it.

Start with one of the major cloud providers, such as AWS, and consider certifications like the AWS Certified Cloud Practitioner.

After that, jump into labs on Pwnlabs and CloudBreach for hands-on experience hacking AWS environments.

7. Master Mobile AppSec
Mobile application security is a goldmine, and it’s relatively untapped.

Use platforms like Mobile Hacking Labs and Hextree.

They offer free courses and labs to get you up to speed on both Android and iOS hacking.

Mobile Hacking Labs is more focused on the low-level side of exploitation, with free courses such as their Frida course and paid courses on userland fuzzing.

Hextree is more focused on the mobile bug bounty side of things, as their course is sponsored by Google’s bug bounty program.

Once you’re comfortable, consider certifications in mobile app security.

Extras

These are things you should be doing from day one!

Attend Conferences & Network
Never underestimate the power of in-person networking.

Attend local hacker meetups, like the Dallas Hackers Association, if you can.

You’ll make connections, learn from others, and find opportunities you never expected.

Share Your Knowledge
Start a blog, YouTube channel, or post on LinkedIn.

Be unique, though; everyone does HTB writeups.

Share what you’re learning, create unique content, and build a personal brand.

Even if you’re still learning, you can teach someone who’s just starting out.

Conclusion

This is not the end-all-be-all. Take what you can and add personality to it. Your circumstances are different from mine, but the end goal might be the same.

Happy hacking 🫡