My Cybersecurity Learning Roadmap for 2025

Everything I need to learn, understand, and master to become a Cybersecurity Expert

Why I Built This Roadmap

Over the past few months, I’ve been diving deep into the world of cybersecurity and quickly realized how massive and layered this field is. From foundational computer science concepts to offensive hacking tools, there’s just so much to absorb.

To stay focused and build real expertise, I created this personal roadmap — a structured path of everything I need to learn, understand, and practice on my journey to becoming a Cybersecurity Expert.

This roadmap is based on well-known frameworks (like MITRE ATT&CK), real-world tools, and community-recommended resources. It includes both Red and Blue Team skills, hands-on tools, and foundational knowledge.

Whether you’re just starting out like me or want to double-check your learning plan, I hope this guide helps bring some clarity.

1. Foundational Knowledge

Core Areas

Computer Science Fundamentals

  • Binary & Logic: Understand how bits and bytes work (AND, OR, XOR, NOT operations)
  • Memory Hierarchy: RAM, ROM, Cache, Virtual Memory, Swap, Page Tables
  • Instruction Cycle: Fetch, Decode, Execute, Store
  • Data Representation: Hexadecimal, Binary, ASCII, Base64
  • Computational Thinking: Recursion, abstraction, pattern recognition

Learn From: Harvard CS50, MIT OpenCourseWare

Operating System Concepts

  • Process Management: How a process is created, PID, threads, fork(), exec()
  • File Systems: NTFS, FAT32, ext4 – Permissions, ACLs, Inodes
  • System Calls: open(), read(), write(), execve()
  • Windows Internals: Registry, WinAPI, Services, Task Scheduler
  • Linux Internals: init/systemd, journald, runlevels, /proc, SELinux

Practice With: OverTheWire (Bandit, Narnia), Root Me OS challenges

Networking Essentials

  • TCP/IP Model vs OSI Layers: What each layer does and tools per layer (Wireshark, Nmap)
  • Packet Lifecycle: TCP three-way handshake (SYN → SYN-ACK → ACK), FIN/RST teardown, retransmission, window size
  • DNS Resolution: Recursive vs Iterative, CNAME, TTL, DNS poisoning
  • Common Protocols: HTTP/HTTPS, FTP, SMTP, IMAP, SSH, SMB, RDP
  • NAT, VLAN, VPNs: Use in corporate networks, tunneling, segmentation

Practice: Wireshark capture exercises, tcpdump, HTB Academy Network Fundamentals
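As an added example (not from the original post), here is the SYN → SYN-ACK → ACK exchange above built as real TCP header bytes in Python: the 20-byte header is packed with struct, the checksum is computed over the IPv4 pseudo-header the way a stack does it, and the three segments chain their sequence and acknowledgement numbers. The addresses, ports and initial sequence numbers are constructed; nothing is sent on the wire, so the script runs anywhere.

```python
import struct
from socket import inet_aton

# TCP flag bits (the low six bits of the flags byte)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK"}
# sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6 = TCP)."""
    return struct.pack("!4s4sBBH", inet_aton(src_ip), inet_aton(dst_ip), 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535, payload=b""):
    """20-byte header (data offset 5, no options) plus payload, with the checksum filled in."""
    header = struct.pack(TCP_HEADER, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    tcp_len = len(header) + len(payload)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, tcp_len) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_segment(src_ip, dst_ip, segment):
    """Decode the fixed header; a segment with a correct checksum sums to zero."""
    fields = struct.unpack(TCP_HEADER, segment[:20])
    valid = internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0
    return {
        "sport": fields[0], "dport": fields[1], "seq": fields[2], "ack": fields[3],
        "flags": [name for bit, name in FLAG_NAMES.items() if fields[5] & bit],
        "window": fields[6], "checksum_ok": valid,
        "payload": segment[(fields[4] >> 4) * 4:],   # data offset is counted in 32-bit words
    }


def three_way_handshake(client_ip, server_ip, client_isn, server_isn, dport=443, sport=51234):
    """The three segments of a TCP open: each ACK number is the peer's sequence number plus one."""
    syn = build_segment(client_ip, server_ip, sport, dport, client_isn, 0, SYN)
    syn_ack = build_segment(server_ip, client_ip, dport, sport, server_isn, client_isn + 1, SYN | ACK)
    ack = build_segment(client_ip, server_ip, sport, dport, client_isn + 1, server_isn + 1, ACK)
    return [syn, syn_ack, ack]


if __name__ == "__main__":
    # Constructed addresses and ISNs; a real stack picks random ISNs.
    c, s = "10.0.0.5", "10.0.0.80"
    directions = [(c, s), (s, c), (c, s)]
    for (src, dst), seg in zip(directions, three_way_handshake(c, s, 1000, 5000)):
        p = parse_segment(src, dst, seg)
        print(seg.hex(), p["flags"], "seq=%d ack=%d checksum_ok=%s" % (p["seq"], p["ack"], p["checksum_ok"]))
```

The same hex bytes are what Wireshark shows in its "Transmission Control Protocol" pane; flipping any byte makes checksum_ok false, which is exactly how a receiving stack discards a corrupted segment.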

Encryption & Cryptography

  • Symmetric vs Asymmetric: AES vs RSA, use cases, speed differences
  • Hashing Algorithms: MD5, SHA-1, SHA-256 – collision and pre-image attacks (MD5 and SHA-1 have practical collision attacks; prefer SHA-256 or SHA-3)
  • Digital Signatures & Certificates: PKI, Certificate Chain, CA, OCSP
  • TLS/SSL Deep Dive: Cipher suites, Perfect Forward Secrecy, handshakes
  • Cryptanalysis Basics: Frequency analysis, padding oracle, replay attack concepts

Practice With: Cryptopals Challenges, PortSwigger Crypto labs
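An added example, not part of the original post, of the padding-oracle idea listed above: CBC mode with PKCS#7 padding, a server-side check that leaks only whether the padding was valid, and an attack that recovers the whole plaintext from that one bit per query. A small keyed Feistel network built on SHA-256 stands in for AES so the script runs with the standard library only; the attack never looks inside the block cipher, which is the point. The key, IV and message are constructed.

```python
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network standing in for AES (toy cipher, not for real use)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, right, i))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, left, i)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK           # PKCS#7: always adds 1..16 bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    out, prev = b"", ct[:BLOCK]
    for i in range(BLOCK, len(ct), BLOCK):
        out += xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out                               # still padded


def make_oracle(key: bytes):
    """The server-side leak: one bit (did the padding check pass?) per submitted ciphertext."""
    def oracle(ct: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, ct))
            return True
        except ValueError:
            return False
    return oracle


def padding_oracle_attack(oracle, ct: bytes) -> bytes:
    """Recover the plaintext of IV || C1 || C2 ... using nothing but the oracle."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)             # cipher output of `cur` before the CBC XOR
        for j in range(BLOCK - 1, -1, -1):
            p = BLOCK - j                    # padding value we force (1 for the last byte)
            fake = bytearray(BLOCK)
            for k in range(j + 1, BLOCK):
                fake[k] = inter[k] ^ p       # already-recovered bytes now decrypt to p
            for guess in range(256):
                fake[j] = guess
                if not oracle(bytes(fake) + cur):
                    continue
                if j == BLOCK - 1:           # edge case: \x02\x02 etc. also validates; confirm \x01
                    fake[j - 1] ^= 0xFF
                    still_valid = oracle(bytes(fake) + cur)
                    fake[j - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[j] = guess ^ p
                break
            else:
                raise RuntimeError("oracle never accepted a guess; is the padding PKCS#7?")
        plaintext += xor(bytes(inter), prev)
    return unpad(plaintext)


def demo() -> bytes:
    key = b"constructed-key-for-the-demo"    # hypothetical; the attacker never sees it
    iv = bytes(range(BLOCK))
    secret = b"the oracle leaks one bit per query, and that is enough"
    return padding_oracle_attack(make_oracle(key), cbc_encrypt(key, iv, pad(secret)))


if __name__ == "__main__":
    print(demo())
```

The fix on the server side is not a better padding check but authenticated encryption (AES-GCM, or encrypt-then-MAC) so that a tampered ciphertext is rejected before any padding is examined, and rejected in constant time.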

Software & Programming Foundations

  • Memory Layout: Stack vs Heap, buffer overflow intro
  • Python for Security: Regex, file handling, subprocess, socket, requests
  • Shell Scripting: Bash loops, sed/awk/grep, cron jobs
  • PowerShell Scripting: Cmdlets, piping, remote commands, WMI usage
  • C Programming Basics: Pointers, arrays, functions, segmentation faults

Practice: TryHackMe Python for Pentesters, Pwn.college

Tools & Environments

Version Control: Git & GitHub

  • git init, clone, add, commit, push, pull, rebase, merge
  • Branching strategies (feature, hotfix)
  • Writing good commit messages
  • Using .gitignore, reviewing pull requests

Terminal Proficiency

  • Linux:
    • Navigation (cd, ls, pwd, find, grep)
    • Permissions: chmod, chown, umask
    • System management: top, ps, kill, cron, journalctl
  • Windows:
    • netstat, tasklist, schtasks, reg, Get-Process, Get-WinEvent (Get-EventLog is legacy and not available in PowerShell 7)

Networking Tools (Hands-on)

Tool        Purpose
ping        Basic reachability, RTT
traceroute  Path discovery, hop tracking
nslookup    DNS queries (A, MX, CNAME)
netcat      Port scanning, manual HTTP/SMTP talk
curl        Web requests with headers, APIs
nmap        Host discovery, OS detection, scripting

Red Team – Tools & Skills

Core Tools

Cobalt Strike

  • Beacon deployment and configuration
  • C2 infrastructure setup
  • Payload delivery (HTML smuggling, maldoc, LNK)
  • Fileless attack execution
  • AV/EDR evasion techniques

Sliver

  • Open-source C2 framework
  • Listener setup and shell management
  • OPSEC-safe payload generation

Metasploit Framework

  • Module search and execution
  • Payload configuration (meterpreter, reverse_tcp)
  • Post-exploitation (privilege escalation, persistence)
  • Writing custom modules

BloodHound & SharpHound

  • AD topology enumeration
  • ACL abuse, SIDHistory, Kerberoasting attack paths
  • Graph-based path to Domain Admin
  • AD misconfigurations mapping
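An added example that is not BloodHound's code: the graph reasoning the tool does, reduced to an edge list and a breadth-first search. Nodes are principals and computers, edges are privileges in BloodHound's (source, relationship, target) style, and "shortest path to Domain Admin" is simply the fewest hops. The domain corp.local, every principal and every edge below are hypothetical.

```python
from collections import deque

# Constructed edge list; in a real engagement SharpHound collects these from LDAP and sessions.
EDGES = [
    ("alice@corp.local",         "MemberOf",   "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",      "AdminTo",    "WS01.corp.local"),
    ("WS01.corp.local",          "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local",    "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local",         "WriteDacl",  "svc_backup@corp.local"),
    ("alice@corp.local",         "MemberOf",   "DOMAIN USERS@corp.local"),
    ("carol@corp.local",         "MemberOf",   "DOMAIN USERS@corp.local"),
    ("guest@corp.local",         "MemberOf",   "DOMAIN USERS@corp.local"),
    ("DOMAIN ADMINS@corp.local", "AdminTo",    "DC01.corp.local"),
]


def build_graph(edges):
    """Adjacency list of outbound edges: node -> [(relationship, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search: the first time we dequeue `target` we hold a fewest-hop path."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parents[node] is not None:
                prev, rel = parents[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def describe(path):
    """alice@corp.local -[MemberOf]-> HELPDESK@corp.local -[AdminTo]-> ..."""
    return path[0][0] + "".join(" -[%s]-> %s" % (rel, dst) for _, rel, dst in path)


def principals_that_reach(graph, target):
    """Every node with any path to `target`: the set a defender must treat as Tier-0 exposure."""
    return sorted(n for n in graph if n != target and shortest_path(graph, n, target) is not None)


if __name__ == "__main__":
    g = build_graph(EDGES)
    da = "DOMAIN ADMINS@corp.local"
    for who in ("alice@corp.local", "carol@corp.local", "guest@corp.local"):
        p = shortest_path(g, who, da)
        print(who, "->", describe(p) if p else "no path")
    print("can reach DA:", principals_that_reach(g, da))
```

Read the alice path as the operator would: group membership gives local admin on WS01, a dump of that box's sessions yields svc_backup's credential, and GenericAll on the Domain Admins group lets that account add itself. Every edge on the path is a fixable misconfiguration, which is what the "misconfigurations mapping" item above is about.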

PowerShell Empire / GhostPack / Nishang

  • PowerShell-based attack scripts
  • Script obfuscation
  • Credential dumping
  • Pass-the-Hash, Pass-the-Ticket usage

Mimikatz

  • LSASS memory credential extraction
  • Golden/Silver ticket generation
  • SeDebugPrivilege (privilege::debug) as the prerequisite for reading LSASS; token::elevate for SYSTEM impersonation

Impacket

  • Remote command execution: psexec, smbexec, wmiexec
  • NTLM relay attacks (ntlmrelayx)
  • SMB file transfer (smbclient)
  • Kerberos ticket requests and roasting: getTGT, getST, GetUserSPNs, GetNPUsers

CrackMapExec (now maintained as NetExec)

  • Credential spraying over SMB/RDP/WinRM
  • Domain enumeration and access mapping
  • Quick validation of credentials

Responder

  • LLMNR/NBT-NS/mDNS spoofing
  • NTLMv2 hash capture for offline cracking (hashcat mode 5600)
  • SMB relay with ntlmrelayx or MultiRelay, with Responder's own SMB/HTTP servers disabled so the relay tool receives the authentication

Purple Team – Tools & Practices

MITRE ATT&CK Navigator

  • Technique mapping and filtering
  • Gap analysis across tactics
  • Detection heatmap generation

Atomic Red Team

  • Small-scale emulations of ATT&CK techniques
  • SIEM/EDR detection rule validation
  • Build a purple team lab playbook

Sigma Rules

  • SIEM-independent detection rules
  • Conversion into Splunk SPL, Elastic queries, etc. (sigma-cli / pySigma backends)
  • Correlating Red Team behavior with logs

Caldera (MITRE)

  • Automated TTP simulation
  • Testing EDR and Blue Team response
  • Adversary emulation exercises

Velociraptor

  • Endpoint telemetry and threat hunting
  • IOC matching and live forensics
  • Remote script execution

Sysmon + ELK Stack (Elasticsearch, Logstash, Kibana)

  • EventID-based detection logic
  • Visual dashboards for incident monitoring
  • Rule tuning and correlation
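An added example, not from the original post or the Sigma project, covering both the Sigma Rules items and the EventID-based detection logic above: a Sigma-shaped rule for suspicious handles to LSASS (Sysmon EventID 10, ProcessAccess), a minimal evaluator for the "selection and not filter" subset of Sigma's condition grammar, a run over constructed Sysmon-style events, and a naive rendering to Splunk SPL of the kind sigma-cli automates. The rule is written as a Python dict so no YAML parser is needed; the events, the access-mask list and the MsMpEng exclusion are constructed for the example and not copied from any published rule.

```python
# Constructed rule in the layout of a Sigma rule (title / logsource / detection / condition).
RULE = {
    "title": "Suspicious handle to LSASS (constructed example)",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {
            "EventID": 10,
            "TargetImage|endswith": "\\lsass.exe",
            "GrantedAccess": ["0x1010", "0x1fffff", "0x1438"],
        },
        "filter": {
            "SourceImage|endswith": ["\\MsMpEng.exe", "\\csrss.exe", "\\wininit.exe"],
        },
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon-style events (EventID 10 = ProcessAccess, 1 = ProcessCreate).
EVENTS = [
    {"id": 1, "EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\mk.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 2, "EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"id": 3, "EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"id": 4, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"id": 5, "EventID": 10, "SourceImage": "C:\\Windows\\System32\\WerFault.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]


def field_matches(event, key, expected):
    """Sigma semantics: case-insensitive, a list of values is an OR, modifiers follow '|'."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if ((modifier == "" and actual == value)
                or (modifier == "contains" and value in actual)
                or (modifier == "startswith" and actual.startswith(value))
                or (modifier == "endswith" and actual.endswith(value))):
            return True
    return False


def block_matches(event, block):
    """Every field inside one named block must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def condition_holds(rule, event):
    """Handles conditions of the form 'a and b and not c' (a subset of Sigma's grammar)."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if block_matches(event, detection[name]) == negate:
            return False
    return True


def run_rule(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if condition_holds(rule, e)]


def to_spl(rule):
    """Naive Splunk rendering for a 'selection and not filter' rule; real backends also escape values."""
    def clause(key, value):
        field, _, mod = key.partition("|")
        wrap = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}[mod]
        values = value if isinstance(value, list) else [value]
        return "(" + " OR ".join('%s="%s"' % (field, wrap.format(v)) for v in values) + ")"
    det = rule["detection"]
    selection = " ".join(clause(k, v) for k, v in det["selection"].items())
    exclusion = " ".join(clause(k, v) for k, v in det["filter"].items())
    return "%s NOT (%s)" % (selection, exclusion)


if __name__ == "__main__":
    print("alerts on events:", run_rule(RULE, EVENTS))
    print(to_spl(RULE))
```

Event 2 is the tuning step the list above calls "rule tuning": Defender legitimately opens LSASS with full access, so it goes into the filter block rather than into a looser selection. Event 5 shows why Sigma matching is case-insensitive; the hex mask is logged in upper case and still fires.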

TTP Development & Adversary Simulation

  • Chain tactics → techniques → procedures
  • Bypass techniques in lab EDRs
  • Develop test cases for detection engineers

Blue Team – Tools & Practices

Core Tools

1. SIEM (Security Information and Event Management)

Tools: Splunk, ELK Stack, IBM QRadar, Graylog

  • Collect, normalize, and analyze logs
  • Write detection rules to identify anomalies
  • Create dashboards
  • Threat hunting using query languages (SPL, Lucene)

2. EDR (Endpoint Detection and Response)

Tools: CrowdStrike, Defender for Endpoint, SentinelOne; Velociraptor for open-source endpoint visibility and hunting (not a full EDR)

  • Monitor endpoint telemetry
  • Detect behavioral anomalies
  • Respond live (kill process, isolate system)

3. Log Analysis

  • Windows Event Viewer
  • Sysmon (EventID 1 process creation, 3 network connection, 11 file creation, …)
  • Linux: /var/log/syslog and /var/log/auth.log (Debian/Ubuntu), /var/log/messages and /var/log/secure (RHEL family), auditd logs

4. Threat Hunting

Tools: Elastic SIEM, Velociraptor, Kibana

  • IOC-based searches
  • Anomaly detection from traffic patterns
  • Outlier behavior hunting

5. Incident Response

Tools: TheHive, Cortex, GRR, KAPE

  • Classify and investigate incidents
  • Extract artifacts: registry, MFT, prefetch, event logs
  • Contain and triage live

6. IDS/IPS

Tools: Suricata, Snort (signature-based IDS/IPS); Zeek (network security monitor: rich connection logs, no blocking)

  • Deep packet inspection
  • Signature-based and anomaly detection
  • Rule tuning and alerting

7. MITRE ATT&CK Integration

  • Map logs to TTPs
  • Build Sigma and SPL rules
  • Coverage mapping and simulation

8. Forensics Tools

Tools: Autopsy, FTK Imager, Volatility, Plaso, Redline

  • Memory dump analysis
  • Registry hives, shimcache, prefetch
  • MAC times, USB usage, browser activity

Required Skills

Skill                 Description
IOC Analysis          Understand IPs, hashes, domains, file indicators
Rule Engineering      Create custom detection logic for SIEM/EDR
Log Normalization     Standardize logs from different sources
Alert Triage          Separate real threats from false positives
Threat Intelligence   Use tools like VirusTotal, AbuseIPDB, Shodan
Digital Forensics     Reconstruct events using artifacts
Behavioral Detection  Identify suspicious behavior using baselines & heuristics

Learning Platforms

  • TryHackMe: SOC Analyst Path
  • BlueTeamLabs
  • Security Onion
  • DetectionLab by Chris Long
  • DFIR.training
  • Elastic SIEM Labs
