Zero-to-hero tracks. Each path orders topics by what you have to understand first, what unlocks the next thing, and where to stop being a learner and start being an operator. Skills aim at real-world applicability — bug bounty, audit, red team, IR — with CTFs as training ground.

Web and API

• web-application-security — fundamentals to advanced web bugs.
• api-security — REST and GraphQL, auth flaws, BOLA / BFLA.
• bug-bounty-methodology — how to turn knowledge into reports.
• code-auditing — source-driven bug hunting in PHP and Java.

Network and infrastructure

• network-pentesting — recon → enum → access → post-ex.
• active-directory — AD as an attack surface.

OS internals, reverse, exploit dev

• reverse-engineering — disassembly, decompilation, anti-analysis.
• windows-internals — user-mode primitives + exploit-dev intro.
• advanced-windows-exploitation — kernel, mitigations bypass.
• linux-internals — privilege model, kernel surface, container escape.
• macos-security — TCC, SIP, sandbox, control bypasses.

Mobile and emerging

• mobile-security — Android and iOS pentesting and reverse.
• blockchain-security — smart-contract audit.
• ai-red-teaming — LLM, agent, and MCP attack surface.

Red team and cloud

• red-team-operations — opsec, C2, evasion, persistence.
• cloud-red-team — AWS, Azure / Entra, GCP, Kubernetes.

Applied disciplines

• Applied cryptography for attackers — symmetric, asymmetric, RSA breakages, hash-length extension.