This roadmap is designed for an experienced software developer who wants to reach professional-grade cybersecurity capability. The goal is not tool collecting. The goal is dual competence: break into hardened systems during authorized testing, then switch hats and detect, contain, and permanently defend against the same techniques.
Use the PDF when you want the polished printable version; use this article when you want the web-friendly version with links and section navigation.

Roadmap at a glance
- Duration: 26 weeks.
- Weekly load: 12 to 18 focused hours.
- Target outcome: red-team capability, blue-team detection skill, and a public portfolio.
- Primary lab style: free platforms, local VMs, intentionally vulnerable systems, and your own telemetry.
- Final proof: a purple-team exercise that demonstrates attack execution, detection, hardening, and reporting.
Use this as a six-month training plan. Budget 12 to 18 hours per week, extend or compress as needed, and treat every milestone as proof of skill.
The mission
Expert-level capability means you can assess a protected system, find the holes a real attacker would use, exploit them in an authorized engagement, and then build the detection and hardening that closes the loop.
Most people entering security struggle with the fundamentals: code, networking, command lines, and application behavior. A developer already owns much of that foundation. That lets you move faster into how systems fail, why attacks work, and how defenders can see them.
How to use this guide
Treat each phase as a loop: learn the concept, run the lab, write the attacker notes, write the defender notes, then produce an artifact. The artifact matters. It turns private practice into evidence: threat models, exploit reports, Sigma rules, incident timelines, hardened configs, and portfolio write-ups.
Do not skip the blue-team mirror when a red-team topic feels exciting. The job market rewards people who can explain impact and remediation, not just people who can run payloads.

The expertise ladder
- Level 1: Foundation - understand attack surface, networking, and application security models.
- Level 2: Offensive Web - find and exploit OWASP-class vulnerabilities in web apps and APIs.
- Level 3: Full Attack Chain - recon, exploit, privilege escalation, pivoting, and persistence.
- Level 4: Defense and Detection - logging, SIEM, detection engineering, and incident response.
- Level 5: Threat Hunting - hunt adversaries, map to MITRE ATT&CK, and harden systems.
- Level 6: Purple Mastery - run an emulated attack end to end and build the detection that beats it.
AI mentor prompt:
You are my cybersecurity mentor. I'm an experienced software developer training to red-team and blue-team level. For any topic: explain the attacker technique with a concrete example, map it to MITRE ATT&CK, then explain exactly how a defender detects and prevents it. Quiz me and challenge sloppy reasoning. Never give CTF/lab answers outright; guide me.

Phase 01: Foundations and Attack Surface
Weeks 1 to 3 focus on the mental model an expert uses to look at any system and see how it could be attacked and defended.
- Master the security triad plus authentication, authorization, non-repudiation, and defense-in-depth.
- Learn TCP/IP, DNS, HTTP/HTTPS, TLS, cookies, sessions, headers, NAT, and firewalls from an attacker perspective.
- Understand the web security model: same-origin policy, CORS, CSP, and how misconfiguration creates attack paths.
- Threat model systems using assets, trust boundaries, attack surface, and STRIDE.
- Read OWASP Top 10 end to end.
Hands-on work:
- Build an isolated lab with VirtualBox, Kali Linux, and snapshots.
- Capture browser traffic in Wireshark and identify TLS and HTTP details.
- Complete TryHackMe Pre Security and Network Fundamentals.
- Produce a one-page threat model of an app you built.
Resources:
Phase 02: Offensive Web and API Exploitation
Weeks 4 to 8 are about becoming dangerous against the largest modern attack surface: web applications and APIs.
- Week 4: SQL injection, including in-band, blind, and time-based techniques.
- Week 5: XSS, including reflected, stored, DOM, CSP interaction, and cookie/token theft.
- Week 6: Authentication and access control, including IDOR, privilege escalation, and JWT attacks.
- Week 7: SSRF, XXE, command injection, path traversal, and insecure deserialization.
- Week 8: API testing, BOLA, mass assignment, race conditions, and business logic.
Red-team focus:
- Drive testing through Burp Suite by hand before automating.
- Chain bugs into meaningful impact.
- Write a clean exploit proof of concept for each finding.
Blue-team mirror:
- Write the secure code fix for every vulnerability.
- Identify log entries and WAF rules that would catch the attack.
- Build a reference doc for validation and output encoding patterns.
For every exploit you learn, write the developer fix and the defender detection. That is how red-team knowledge becomes engineering leverage.
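One pass through that loop for the Week 4 topic, as an added example that is not part of the original roadmap: the vulnerable login query, the developer fix with bound parameters, and a defender check that flags in-band, tautology and time-based SQL injection patterns in constructed access-log lines (the users table, the log lines and the pattern list are all assumptions built for this example).

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    """Constructed in-memory users table so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name, pw):
    """Deliberately vulnerable 'before': input is spliced into the SQL grammar."""
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in db.execute(q)]

def login_fixed(db, name, pw):
    """Developer fix: bound parameters are always data, never SQL."""
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(q, (name, pw))]

# Defender detection: signatures for the three SQLi classes named in Week 4.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),   # ' OR '1'='1
    "union": re.compile(r"\bunion\s+select\b", re.I),               # in-band UNION
    "time_based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
}

# Constructed access-log lines: one benign login, three injection attempts.
LOGS = [
    '10.0.0.5 - - "GET /login?user=alice&pw=s3cret HTTP/1.1" 200',
    '10.0.0.9 - - "GET /login?user=%27+OR+%271%27%3D%271%27+-- HTTP/1.1" 200',
    '10.0.0.9 - - "GET /search?q=1+UNION+SELECT+name%2Cpw+FROM+users HTTP/1.1" 200',
    '10.0.0.9 - - "GET /item?id=1+AND+SLEEP(5) HTTP/1.1" 200',
]

def flag_sqli(log_lines):
    """Return (source_ip, label) for each line whose URL-decoded request matches."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) .*"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        ip, decoded = m.group(1), unquote_plus(m.group(2))  # decode before matching
        for label, pat in SQLI_PATTERNS.items():
            if pat.search(decoded):
                hits.append((ip, label))
                break
    return hits
```

The same payload that returns every user from `login_vulnerable` returns nothing from `login_fixed`, and the encoded form of that payload is the line the detector flags as `tautology`.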
Resources:
- PortSwigger Web Security Academy
- OWASP API Security Top 10
- Burp Suite Community
- PortSwigger Documentation
- PwnFunction
- John Hammond

Phase 03: Full Attack Chain - Red Team Core
Weeks 9 to 13 move from single bugs to full intrusions.
- Reconnaissance with passive OSINT, active scanning, Nmap, version detection, and NSE scripts.
- Enumeration of services, shares, web directories, users, and exposed interfaces.
- Exploitation using known-service weaknesses and Metasploit concepts.
- Linux and Windows privilege escalation with SUID, sudo, cron, capabilities, tokens, services, and unquoted paths.
- Lateral movement and pivoting with credential reuse, tunneling, Active Directory basics, Kerberos, and BloodHound concepts.
- Persistence and C2 concepts for defensive awareness.
Hands-on work:
- Hack The Box Starting Point and free Academy modules.
- TryHackMe Jr Penetration Tester and Offensive Pentesting rooms.
- Metasploitable 2/3 or other vulnerable VMs in an isolated lab.
- Active Directory labs, because enterprise breaches often route through AD.
Milestone:
- Compromise an HTB or THM box from recon to root.
- Write a full red-team report with kill chain, evidence, and remediation for each step.
Resources:
- Hack The Box Starting Point
- Hack The Box Academy
- TryHackMe Jr Penetration Tester
- GTFOBins
- LOLBAS
- Nmap Book
Phase 04: Defense, Logging and Detection
Weeks 14 to 18 flip the board. You know how attacks work; now learn to see them and stop them.
- Logging and telemetry across endpoint, network, and application layers.
- Windows Sysmon and Linux auditd.
- SIEM fundamentals: ingest, parse, query, and alert.
- Detection engineering with Sigma rules, false-positive handling, and tuning.
- Network defense with IDS/IPS concepts, Snort, Suricata, and PCAP analysis.
- Incident response lifecycle: prepare, identify, contain, eradicate, recover, and learn.
Build the detection:
- Replay attacks from Phase 3 in your lab.
- Generate malicious telemetry yourself.
- Write Sigma rules that catch each technique.
- Triage a simulated alert end to end and document the incident response.
Resources:
- TryHackMe SOC Level 1
- Blue Team Labs Online
- CyberDefenders
- Splunk Free
- Splunk Free Training
- Sigma
- Malware Traffic Analysis

Phase 05: Threat Hunting, Cloud and Hardening
Weeks 19 to 22 build proactive defense. You are not only reacting to alerts; you are hunting for adversaries who evade them.
- Use MITRE ATT&CK as a shared language for attacks and detections.
- Run hypothesis-driven hunts.
- Understand the Pyramid of Pain and behavioral analytics.
- Consume threat intelligence and recognize TTPs.
- Learn cloud security: shared responsibility, IAM misconfiguration, public buckets, IMDSv2, and web-to-cloud attack chains.
- Harden systems using CIS Benchmarks, least privilege, segmentation, patching, and secrets management.
Hands-on work:
- Complete flaws.cloud and flaws2.cloud.
- Execute Atomic Red Team techniques safely in your lab, then hunt them.
- Harden a lab VM against CIS Benchmark controls.
- Run a structured threat hunt using your own SIEM data.
Resources:
Phase 06: Purple Team Mastery and Portfolio
Weeks 23 to 26 prove you own both sides. The clearest demonstration is a purple-team exercise: run a realistic attack, then build and validate the detection that beats it.
- Emulate a realistic adversary end to end.
- Write detections for each attack step.
- Run secure code review with SAST and DAST in CI/CD.
- Trace taint from source to sink.
- Use Semgrep, Bandit, gitleaks, and dependency scanning.
- Practice CTFs and wargames to keep reflexes sharp.
- Write professional reports with CVSS scoring, executive summaries, technical detail, responsible disclosure, scope, and rules of engagement.
Final capstone:
- Run a documented attack-and-defend exercise in your lab.
- Publish a GitHub portfolio with lab write-ups, detection rules, secure-code-review case studies, and CTF notes.
- Write one polished pentest report and one incident-response report.
- Start documenting the journey on your own site.
Resources:
Beyond 26 weeks
Expertise is maintained, not finished. Pick a depth specialization such as AppSec, red team, detection engineering, cloud security, or DevSecOps. Keep one lab or hunt per week. Follow active researchers. Work toward a certification when it fits your goals: eJPT for hands-on pentesting, Security+ objectives for breadth, or BTL1-style defensive paths.
Ethical use
Every technique in this guide is strictly for education and authorized, legal security testing. Only test systems you own or have explicit written permission to assess, and always operate inside an agreed scope and rules of engagement.
Unauthorized access to computer systems is a serious criminal offense. Build and attack only in isolated, deliberately vulnerable labs unless you have explicit written authorization.
The capability to break into systems carries the responsibility to use it lawfully and make systems safer.

