securitycipher/penetration-testing-roadmap

Penetration Testing Roadmap

Last updated: July 2026

A structured learning path from zero to junior penetration tester - topics, tools, labs, certifications, and hands-on guides.

Live roadmap: securitycipher.com/penetration-testing-roadmap

Quick start

  1. Read Intro.md for the recommended learning path and TL;DR
  2. Work through phases: Foundations → Web → Infrastructure → Specialize → Labs & certs
  3. Open any topic below for a short guide with tools, labs, and links
  4. See FAQ.md for career and cert questions

Learning path

| Phase | Focus | Time (part-time) |
|---|---|---|
| 1. Foundations | Linux, networking, scripting, crypto basics | 4-6 weeks |
| 2. Web security | HTTP, OWASP Top 10, Burp Suite, PortSwigger Academy | 6-8 weeks |
| 3. Infrastructure | AD basics, cloud, wireless, recon | 6-8 weeks |
| 4. Specialize | Web, cloud, mobile, API, or LLM track | Ongoing |
| 5. Prove it | HTB, TryHackMe, certs (eJPT, Security+, OSCP) | 3-6 months |

Full write-up: Intro.md

Content index

Getting started

Foundations

Core security

Web and application testing

Infrastructure and cloud

Emerging areas

Practice and credentials

Related Security Cipher resources

Certifications

| Cert | Guide |
|---|---|
| CEH | CEH.md |
| CISSP | CISSP.md |
| CompTIA Security+ | CompTIA Security+.md |
| OSCP | OSCP.md |
| OSWE | OSWE.md |
| OSWP | OSWP.md |
| eJPT | eJPT.md |
| PNPT | PNPT.md |
| CRTP | CRTP.md |
| BTL1 | BTL1.md |

Labs

| Platform | Guide |
|---|---|
| Hack The Box | HackTheBox.md |
| TryHackMe | TryHackMe.md |
| pwn.college | pwn.college.md |
| VulHub | VulHub.md |
| Web Security Academy | Web Security Academy.md |
| Root Me | Root Me.md |
| Altoro Mutual | Altoro Mutual.md |

Contributing

Contributions are welcome. This repo is the source of truth for roadmap content.

  1. Fork the repo and create a branch
  2. Add or edit markdown under the right folder (one topic per file, clear headings, practical links)
  3. Open a pull request with a short description of what you added or fixed

Guidelines

  • Keep guides concise and actionable - labs, tools, and further reading where possible
  • Match the tone of existing topics (see Linux.md or SQL Injection.md)
  • Fix typos and broken links anytime - small PRs are fine
  • New topics: pick the closest folder from Content index above

All contributions are reviewed before merge. After merge, updates appear on the live roadmap on the next publish cycle.

Questions? Open a GitHub issue.