The curated list of resources we actually use ourselves and recommend without reservation. Updated regularly.
Hands-On Training Platforms
- HackTheBox — the canonical playground for offensive security
- HackTheBox Academy — structured modules and pathways
- TryHackMe — best onboarding for beginners
- PortSwigger Web Security Academy — free, irreplaceable for web
- OverTheWire — classic Linux + crypto wargames
- PWN.college — binary exploitation, Arizona State University
Free Learning Resources
- HackTricks — the offensive cheat sheet
- MITRE ATT&CK — the adversary tactic & technique reference
- MITRE D3FEND — defensive technique counterpart
- OpenSecurityTraining2 — full courseware, free
- LiveOverflow YouTube — high-quality binary exploitation
- John Hammond YouTube — CTF walkthroughs
Books We Recommend
Offensive
- The Web Application Hacker’s Handbook — Stuttard & Pinto
- The Hacker Playbook 3 — Peter Kim
- Red Team Field Manual (RTFM) — Ben Clark
- Real-World Bug Hunting — Peter Yaworski
Defensive / DFIR
- The Art of Memory Forensics — Ligh, Case, Levy, Walters
- Practical Malware Analysis — Sikorski & Honig
- Blue Team Field Manual (BTFM) — Alan White & Ben Clark
- The Practice of Network Security Monitoring — Richard Bejtlich
Engineering & Foundations
- Computer Networking: A Top-Down Approach — Kurose & Ross
- Operating System Concepts — Silberschatz
- Cryptography Engineering — Ferguson, Schneier, Kohno
Certifications by Career Stage
Entry
- CompTIA Security+ — HR filter cert; cheap, broad
- eLearnSecurity eJPT — best entry-level offensive cert
- Microsoft SC-200 — for SOC analysts in M365 environments
Mid-Career Offensive
- OSCP — still the canonical offensive cert
- HTB CPTS — increasingly accepted as OSCP alternative
- OSWE — web exploitation specialization
- CRTP / CRTE — Active Directory specialization
Mid-Career Defensive
- GCIA / GCIH / GCFA — SANS, gold standard, expensive
- HTB CDSA — defensive analyst cert
- CCD — Certified CyberDefender by CyberDefenders
Strategic / Leadership
- CISSP — for management track and HR filters
- CISM — for security management
- CCSP — for cloud-security leadership
CTF Platforms & Competitions
- CTFtime — calendar of every public CTF
- picoCTF — beginner-friendly, year-round
- Cyber Apocalypse — annual HTB event
- Google CTF — high-quality challenges, annual
- DEF CON CTF — pinnacle competition
Newsletters & Podcasts
Newsletters
- tl;dr sec — Clint Gibler’s weekly AppSec roundup
- Risky Biz News — security news, mostly free
- CyberWire Daily — daily news with depth
Podcasts
- Darknet Diaries — long-form security storytelling
- Risky Business — weekly news and analysis
- SANS ISC Stormcast — daily 5-minute brief
Conferences
- DEF CON (Las Vegas) — annual, late summer
- Black Hat USA — co-located with DEF CON
- RSA Conference — enterprise security
- BSides events — local, free or low-cost; check your region
- OffensiveCon — offensive research focus
- NULLCON (India), NorthSec (Canada), Insomni’hack (Switzerland)
Communities
- Reddit: r/netsec, r/AskNetsec, r/cybersecurity (lighter)
- Discord: HackTheBox, TryHackMe, individual creator servers
- Twitter/X: follow @csecurityelite plus established researchers
- InfosecMastodon: infosec.exchange — the post-Twitter holdout community
If we missed a resource you find indispensable, tell us — contact [at] cybersecurityelite.com.