OWASP
Just start there. OWASP stands for the Open Web Application Security Project.
An online community that produces outstanding resources on web application security, and to a decent degree beyond app security. I use it myself as my main source of literature on the topic, especially when it comes to frameworks and tooling. It's also a gateway, a portal to materials produced by other communities and vendors.
Udemy and other mainstream platforms? The noise-to-quality ratio is high, and marketing has taken over from quality on those platforms. They are very growth and business oriented. So, as a beginner to intermediate learner, it's a trap. Stay away from it. Start with OWASP material only for now.
Also, why pay for something that may not even be for you? Once a foundation is laid, you will be better equipped to gauge the value and relevance of other courses out there.
The courses are on Cybrary. They provide free segments to get a feel for them. $59 per month? It will be well worth it compared to shopping like a madman for cheap courses on Udemy. But I will add more free labs and materials once I vet them.
I may expand and update this post and re-curate the list, which is for now quite brief, so stay tuned for updates.
The sections below are ordered by what I would recommend taking first, before diving into other subfields of the vast cybersecurity domain. Certain background knowledge is transferable, and often a needed skill to have before taking on advanced or more specialized courses.
Vulnerable and Outdated Components
That's in the OWASP Top Ten.
What's good about it? It's a good, not entirely gentle but reasonable entry into the world of tech. No need to analyze things at runtime or handle large data sets, nor a large suite of tools. And barely any source code.
(Mis)configuration is a prevalent cause of successful attacks. Proper configuration of software and hardware components is also a must-have for securing systems.
It's listed as an intermediate course, but at 2h long it's worth taking on. You will get a taste of the wilderness out there.
Access and find more about it here.
Broken Access Control
Also in the top ten.
A good follow-up: it relates to configuration, but focuses on auth configuration and mechanisms. Just an intro to access controls, really.
Also intermediate level, but 2h well spent. And it touches on pentesting.
See it here.
Identification and Authentication Failures
Now we are talking. The ability to observe system executions, logs, and overall what's going on now and historically is what we expect from analysts. Identity management? Not quite yet, but it touches on it, I think. A critical aspect of security systems. Who gets in, and who's failing to get in, is a start to get a sense of what's an anomaly and what's not. Crucial for detecting threats, attacks, and compromised (pwned) systems.
Access it here.
Injection
Can you do 3h now?
This one goes further down and covers more of the application attack surface and its vulnerabilities: injection.
There are many types of injection; it is most relevant to know the most prevalent ones. SQL injection is still a thing, and a terrible thing when it succeeds. Learn how injection works and the common measures that help fence systems against it.
Full access here.
Cryptographic Failures
I have not taken it, but the lab will be fun. Cryptographic Failures won't take you all the way to creating cryptographic ciphers and stuff like that, although it's a gateway to the elite field of cryptographic research and applied cryptography. The applied one is what we all need, to one degree or another.
It made the news in recent years and most likely cost the IT industry billions. That small OpenSSL vuln? Even though it could be remediated, entire orgs had to adapt to patch software across their systems, just to be sure.
If you've followed the Vulnerable and Outdated Components course, dive into the Cryptographic Failures course. Learn how to adopt best practices and how to keep up with them.
See it here.
Labs
Hands-on is best. The tech, and now the platforms, are there to help with that.
Here is a run-down of quality resources to use.
TryHackMe
Anyone can learn cybersecurity. That's right. Look around and find what you want to get on with, here.
Hack The Box
A massive hacking platform. Modern look and feel, gamified learning, cool community. Browse what they've got here.
TCM Security
Certifications, coaching, and even consulting if you are a business, here.
Portswigger Web Academy
Like this post, it's mostly about apps. Apps are everything. Their growth, and the tech they build upon, aren't going to slow down.
See their labs and courses here.
A VM
There is also the do-it-yourself approach: using a VM, or containers running on a local laptop or workstation, to do your training.
Honorable mentions
Virtualized environments and services that are more turnkey.
Kudos to Ralph and Sean, who came up (not me) with the list and the juice, along with the goat, and the ridiculous yet so interesting API machine.
OS
Get a parallel OS or replace your OS altogether; it will be less distracting, and almost everything we can do on Windows can be done on Linux. Yes, even gaming, as plenty of cool games are totally compatible with Linux.
At least for security stuff, Windows isn't ideal at all. Mac OS X is OK. Linux distributions are better, and some are awesome for practice.
Open source, well maintained and supported, great community, and suitable for other uses too:
I would recommend Kali: a long-term project that does not disappoint. BlackArch? Maybe; I'm not personally familiar with it. Not familiar with Parrot either, but it seems more beginner-friendly.
Conclusion
That's All Folks!
For now. I may update the list with follow-ups, and may re-order the courses once I find some more introductory materials.
If you are on a tight budget and like to read up, just fall back on the resources referenced or provided by the OWASP project. You can't go wrong with it. Then decide where to go from there.
Getting into the security field may set you on the path of a wonderful journey, but know what you are getting into. It is a demanding profession. Both hard and soft skills are required; be prepared to work under extreme pressure from time to time, and high pressure for the most part. Also, keeping an organisation safe is mostly about education. Pragmatism and compassion are key to surviving and shining in the long run.
If you find misrepresentations in this post, have some ideas on what to add, or have comments or questions, give me a shout!
You may also want to follow Sean's articles and find further fascinating resources at blog.sean-wright.com