Focused starting points by area of practice. Each page includes a learning path, free training resources, tools, books, certifications, and who to follow.
| Discipline | Focus |
|---|---|
| Threat Intelligence | Collecting, analyzing, and acting on threat data to understand adversary capabilities and intent |
| Detection Engineering | Building, tuning, and validating detections across log sources, SIEMs, and EDR platforms |
| Incident Response | Responding to, containing, and recovering from security incidents |
| Offensive Security | Penetration testing, red teaming, adversary emulation, and vulnerability research |
| Vulnerability Management | Identifying, prioritizing, and remediating vulnerabilities across the environment |
| Cloud Security | Securing cloud infrastructure, containers, serverless, and cloud identity |
| Network Security | Monitoring and defending network traffic; NSM, IDS/IPS, Zero Trust networking |
| Malware Analysis | Static and dynamic malware analysis, reverse engineering, and sandbox investigation |
| ICS / OT Security | Securing industrial control systems, SCADA, PLCs, and critical infrastructure |
| Application Security | Web/API security, secure SDLC, SAST/DAST, threat modeling, and bug bounty |
| Adversarial AI Attacks | Attacking AI and ML systems — adversarial examples, model inversion, data poisoning, and LLM jailbreaks |
| AI & LLM Security | Securing AI systems, red-teaming LLMs, prompt injection, and adversarial ML |
| Governance, Risk & Compliance | Risk frameworks, compliance programs, NIST CSF/800-53, ISO 27001, GRC tooling |
| Hacker Hobbies & Community | Locksport, SDR, electronics, badge hacking, ham radio, car hacking, DEF CON villages, and the broader hacker community |
| Digital Forensics | Disk, memory, and network forensics; evidence handling; DFIR methodology |
| Security Architecture | Zero Trust design, threat modeling, defense-in-depth, and architectural frameworks |
| DevSecOps | Integrating security into CI/CD pipelines; SAST, SCA, IaC scanning, secrets detection |
| Cryptography & PKI | Certificate lifecycle, key management, HSMs, TLS hardening, and post-quantum readiness |
| Supply Chain Security | SBOM generation, artifact signing, dependency security, and SLSA framework |
| Privacy Engineering | PII detection, data minimization, consent management, DSR automation, GDPR/CCPA |
| Identity & Access Management | IAM/PAM architecture, SSO/MFA, Zero Trust identity, AD security, and CIEM |
| Security Operations | SOC operations, SIEM/SOAR, threat hunting, detection lifecycle, and SOC metrics |
| Data Security | Data classification, DLP, encryption, DSPM, and database activity monitoring |
| Active Defense & Deception | Honeypots, honeytokens, canary tokens, deception grids, and adversary engagement |
| Hardware Security | Firmware analysis, secure boot, TPM/HSM, hardware hacking, side-channel attacks |
| Mobile Security | iOS/Android app security, MASVS, MDM/EMM, mobile threat defense, dynamic analysis |
| Purple Teaming | Adversary emulation, BAS, detection validation, ATT&CK coverage measurement |
| Radio Frequency Security | RF attack techniques, SDR tooling, replay attacks, protocol analysis, and wireless security testing |
| Bug Bounty | Web/API/mobile vulnerability research, recon methodology, responsible disclosure |
| Social Engineering | Phishing simulations, pretexting, vishing, security awareness training, human risk management |
| Physical Security | Physical pen testing, RFID cloning, badge bypass, access control systems, facility security |
| Threat Modeling | STRIDE/PASTA/LINDDUN methodologies, threat model as code, DFD-based analysis, DevSecOps integration |
| OSINT | Open source intelligence collection, recon methodology, SOCMINT/GEOINT, OpSec for analysts |
| Zero Trust Architecture | ZT principles, CISA ZTMM, microsegmentation, ZTNA tooling, BeyondCorp, NIST SP 800-207 |
| IoT Security | IoT attack surface, firmware analysis, MQTT/CoAP testing, device identity, OWASP IoT Top 10 |
| Container & Kubernetes Security | Container runtime security, K8s RBAC, image scanning, Falco, OPA Gatekeeper, CKS prep |
| Cyber Risk Quantification | FAIR methodology, Monte Carlo simulation, ALE/ROSI calculation, board-level risk communication |
| Blockchain & Web3 Security | Smart contract auditing, DeFi exploits, reentrancy, Slither/Echidna/Mythril, Ethernaut CTF |
| Security Awareness | Phishing simulation, behavior change programs, KnowBe4/GoPhish, human risk metrics |
| Active Directory Security | AD attack paths, Kerberoasting, DCSync, BloodHound, defensive controls, and detection strategies |
| AI / ML Security | Adversarial ML, model inversion, data poisoning, MITRE ATLAS, and MLOps security |
| Exploit Development | Buffer overflows, ROP chains, heap exploitation, format strings, fuzzing, and CVE research |
| Penetration Testing | Scoping, methodology, CVSS scoring, tooling by phase, and report structure |
| Red Teaming | APT simulation, C2 frameworks, payload evasion, infrastructure OPSEC, and engagement types |
| Reverse Engineering | x86/x64 assembly, static/dynamic analysis, anti-analysis bypasses, and platform-specific RE |
| SIEM & SOAR | SIEM architecture, SPL/KQL query writing, SOAR playbook design, and log source onboarding |
| Threat Hunting | Hypothesis-driven hunting, ATT&CK-mapped procedures, Splunk/KQL queries, and maturity model |
High-quality training does not require a large budget. These platforms offer free or pay-what-you-can content taught by working practitioners.
| Platform | Focus |
|---|---|
| Antisyphon Training | Pay-what-you-can live courses from John Strand and practitioners; SOC, pentesting, active defense |
| Black Hills Information Security | Hundreds of free webcasts on every security discipline |
| TCM Security Academy | Free tier with 25+ hours of on-demand content; practical ethical hacking and SOC |
| PortSwigger Web Security Academy | The best free web application security training available; interactive labs for every major vulnerability class |
| Hack The Box Academy | Free Student tier; SOC analyst, DFIR, penetration testing, and cloud security paths |
| TryHackMe | Browser-based beginner-to-advanced labs; no local setup required |
| IppSec | HackTheBox walkthroughs demonstrating real attack techniques with full methodology |
| Blue Team Labs Online | Free investigation challenges for detection, forensics, and IR |
| LetsDefend | Free SOC simulator for alert triage and threat analysis |
| CISA Training Catalog | No-cost federal training open to the public including ICS/OT, cloud, and IR content |
| Anthropic Courses | Free AI and LLM security courses from Anthropic |
Machine-readable data files and an ATT&CK Navigator layer connecting the TeamStarWolf vendor stack to NIST 800-53 controls and ATT&CK techniques.
| Resource | Description |
|---|---|
| ATT&CK Navigator Layer | NIST 800-53 R5 → ATT&CK coverage heatmap (313 techniques, CTID-sourced). Load in Navigator ↗ |
| Vendor → Control edges | JSONL edge table: 100+ vendor → NIST 800-53 control mappings |
| Control → Technique edges | JSONL edge table: NIST 800-53 R5 → ATT&CK technique mappings (CTID) |
| Vendor → Technique edges | JSONL derived edge table: vendor → ATT&CK technique coverage via control join |
| Controls Mapping | Full Vendor → NIST 800-53 → ATT&CK cross-reference |
| Coverage Schema | Gap scoring data model, JSON schemas, Python scoring functions |
| OSINT Reference | Reconnaissance methodology, domain/IP/people intelligence, GitHub OSINT, cloud asset discovery, and tools reference |
MITRE ATT&CK workbench for coverage review, detection engineering, exposure mapping, and threat-intelligence correlation. Supports Enterprise, ICS, and Mobile ATT&CK domains.
Capabilities

- Multiple heatmap modes across coverage, detection, exposure, compliance, and risk
- CVE mappings with live integrations: MISP, OpenCTI, EPSS, CISA KEV, NVD, Elastic, Splunk, Sigma, Atomic Red Team, ExploitDB, and Nuclei
- STIX 2.1 import/export, custom technique editing, and collection sharing
- Deployable via Docker or GitHub Pages
Repository | Live Site | Docs