TRAINING RESOURCES
Curated learning resources mapped to real skills, certifications, and Arsenal tools. Every resource builds the analyst mindset first — tools second.
All offensive security resources are provided for authorized penetration testing and defensive security research only. Applying techniques from these materials against systems you don't own is illegal.
Free online book covering practical Python automation — file system operations, web scraping, PDF manipulation, Excel automation, and scheduling. Foundational reading before moving to security scripting.
Harvard's structured Python introduction with problem sets, automated grading, and a certificate of completion. Rigorous academic framework with real programming challenges from day one.
PowerShell as a security operations language: Active Directory administration, WMI queries, event log analysis, incident response automation, and tradecraft used by both red and blue teams.
Free, project-based Ruby curriculum from fundamentals through object-oriented design. Ruby's clean syntax makes it ideal for rapid tool prototyping and is the language underpinning Metasploit modules.
Free SSH-based wargame series teaching security concepts through progressive challenges. Bandit teaches Linux command-line fundamentals; Narnia covers memory corruption; Leviathan, Natas, and Krypton cover escalating topics.
Free web hacking playground with structured missions covering JavaScript manipulation, server-side vulnerabilities, app logic flaws, and cryptography. Legal sandbox environment for offensive web techniques.
OffSec's standalone lab environment with beginner through advanced Linux and Windows machines. Play tier is free; Practice tier ($19/mo) provides full-difficulty machines matching OSCP exam complexity.
OffSec's flagship penetration testing course. 800+ page PDF, 17+ hours of video, and lab access to 70+ vulnerable machines. Culminates in the 24-hour OSCP practical exam — the gold-standard entry cert for pentesters.
Free, world-class web application security training from the makers of Burp Suite. 220+ interactive labs covering every OWASP category plus advanced topics: HTTP request smuggling, OAuth attacks, and GraphQL injection.
ASU-backed binary exploitation training platform covering program misuse, shellcoding, memory corruption, format strings, return-oriented programming, and kernel exploits. Docker-based dojo environment.
Free, comprehensive video course covering all Network+ domains: OSI model, TCP/IP, subnetting, routing protocols, wireless, network security, and troubleshooting. Foundational requirement before any network security work.
Professor Dan Boneh's rigorous cryptography course from Stanford. Covers stream ciphers, block ciphers, MACs, authenticated encryption, public-key cryptography, and digital signatures with mathematical rigor.
Adam Shostack's definitive guide on STRIDE threat modeling, data flow diagrams, attack trees, and security design review. Required reading for anyone producing architecture-level security assessments.
Michael Bazzell's comprehensive OSINT methodology guide, updated annually. Covers people searches, social media intelligence, image analysis, domain research, email tracing, and custom search tools.
Advanced study of Ring-0 kernel logic and recursive world-building compilers. CyberOS architecture for modern cybersecurity simulation and SOC operations.
Official CISA Cybersecurity Evaluation Tool documentation. Mapping enterprise assets to NIST and federal compliance standards.