
7 Free Resources I Wish I’d Known When I Started in Cybersecurity

Most people who break into cybersecurity didn’t pay for the training that got them there. They Googled their way through it, broke things in lab environments, watched too many YouTube videos, and eventually figured out which resources actually built skill and which just filled time. The gap between those two categories is wider than it looks.

This is a curated list of seven free resources that hold up under real scrutiny — sites and references that working practitioners still recommend in 2026, not because they’re cheap, but because they’re effective. Each entry below explains what the resource is, who it’s for, how to actually use it, and what its honest limitations are. No affiliate links. No bootcamp pitches. Just the stack.

How To Read This List

The order matters less than the sequencing inside it. The first four resources are skill-building platforms — places where you actually break things and learn by doing. The fifth and sixth are reference libraries every senior in the field treats as canon. The seventh is the publication you read to stay current. And then there’s YouTube, which only works if you use it as a shadowing tool, not a passive feed.

You don’t need to use all seven. You do need to pick one tonight, get stuck, and come back tomorrow.

1. TryHackMe — The Best Place to Start From Zero

Link: https://tryhackme.com

TryHackMe is the on-ramp. As of early 2026, the platform has over 800 guided “rooms” and more than 3 million registered users. Each room walks you through a single topic — Linux fundamentals, Nmap basics, SQL injection — with embedded tasks on a real virtual machine. You don’t install anything. The AttackBox, a browser-based Kali Linux desktop, means zero local setup to begin.

The free tier is genuinely useful. You get access to selected rooms and challenges including popular ones like Learn Linux Fundamentals and basic networking modules, plus partial access to most learning paths. Two paths are the consensus best entry points in the industry: Pre-Security and SOC Level 1. Both hold up against paid alternatives, and Pre-Security assumes you know nothing — no terminal experience, no networking background, nothing.

Where TryHackMe earns its place isn’t depth. It’s pacing. The platform was built for beginners and career changers, and its strength is the structured progression from “what is an IP address” to “exploit this vulnerable web app” without dumping you into the deep end. Once you can finish medium-difficulty rooms without hints, you’ve outgrown the free tier — that’s the signal to move on.

The honest limitations

You’ll likely outgrow it within 6 to 12 months. The hand-holding that makes TryHackMe approachable for beginners becomes a ceiling once you’re competent. The platform shines for foundations; it’s not where you build interview-ready offensive skills.

2. Hack The Box — Where Tutorials End and Hacking Begins

Link: https://www.hackthebox.com

Hack The Box (HTB) is what TryHackMe graduates into. The philosophy is the opposite: even machines labeled “easy” on HTB require more foundational knowledge than TryHackMe’s “hard”-rated content. HTB expects you to research tools, identify vulnerabilities independently, and solve challenges with minimal direction. No room walks you through it. You get an IP and a target. That’s it.

The free tier includes Starting Point, a guided introduction across three tiers of vulnerable machines. Tier 0 covers foundational boxes — Redeemer, Mongod, Synced — designed to teach the very first steps of enumeration and exploitation. Tier 1 moves into beginner-friendly machines like Responder, Three, Bike, and Funnel. Tier 2 escalates into more complex scenarios with Archetype, Oopsie, Vaccine, Unified, Included, Markup, and Base. Sixteen machines total, bridging the gap between “I followed a tutorial” and “I rooted a box on my own.”

Beyond Starting Point, the free tier gives you access to a small selection of active machines and retired boxes. Connect via OpenVPN from a local Kali or Parrot VM, or use Pwnbox — HTB’s browser-based attack environment. Free users get limited Pwnbox time; subscribers get more.

When to make the jump

You’re ready for HTB when:

  • You can enumerate a target without Googling Nmap syntax
  • You know what SUID, LinPEAS, and GTFOBins are without looking them up
  • You’ve completed at least five TryHackMe rooms unguided

If those don’t describe you yet, stay on TryHackMe. HTB’s frustration curve has discouraged more aspiring pentesters than it’s trained.

3. PortSwigger Web Security Academy — The Best Web Hacking Course on the Internet

Link: https://portswigger.net/web-security

This one isn’t close. PortSwigger Web Security Academy is, by consensus, the best web application security training available — and it’s 100 percent free, with content from PortSwigger’s in-house research team and Chief Swig Dafydd Stuttard, author of The Web Application Hacker’s Handbook. PortSwigger makes Burp Suite, the industry-standard web testing proxy, and the Academy was built to train people to use it well.

The structure is what makes it work. Each lesson begins with a theory chapter explaining a vulnerability — SQL injection, cross-site scripting, server-side request forgery, prototype pollution — and ends with a live, interactive lab where you exploit a working vulnerable application. You don’t watch. You exploit. Then you move to the next one.

The labs run on PortSwigger’s infrastructure, scoped exclusively for that lesson. You don’t need Burp Suite Professional; Burp Suite Community Edition is free and sufficient for the Academy labs. The platform tracks your progress, maintains a Hall of Fame, and is constantly updated as new vulnerability classes emerge — recent additions include indirect prompt injection against AI-powered scanners.

How to actually use it

Start with server-side topics — SQL injection, authentication, access control. Server-side vulnerabilities are easier to learn because you only need to understand what’s happening on the server, while client-side issues add a layer of complexity. After server-side, work through XSS, then CSRF, then SSRF. The order matches how vulnerabilities actually nest in real applications.

The Academy also publishes formal Learning Paths that sequence labs into structured curricula. If you finish even half of the SQL injection and XSS paths, you’ll have stronger fundamentals than most “certified” pentesters working today.

4. OverTheWire — Terminal Fluency, No Shortcuts

Link: https://overthewire.org/wargames

OverTheWire is the oldest resource on this list and still the best for one specific thing: building real Linux command-line fluency. The platform runs SSH-based “wargames” — you SSH into a server, find a password buried somewhere on the system, and use it to SSH into the next level. No web UI. No browser lab. No hints unless you want them.

Bandit is the entry point. As of writing, there are 34 levels designed in a CTF (capture the flag) format to teach Linux basics. The wargame is aimed at absolute beginners. Levels 0 through 10 teach core file commands — ls, cat, find, grep. Levels 11 through 20 introduce decoding, piping, sorting, and SSH chaining. The upper levels push into shell scripting, network tools, and cron exploitation.

The structure forces real learning. You can’t copy a solution from a “next” button, because there is no next button — you have to actually find the password. Along the way you build practical skill with hidden files, case-sensitive filenames, permissions, and decoding data.

Why it still matters

Twenty years from now you’ll still need to know how to grep a log file, find a SUID binary, or chain a pipeline of cut and sort and uniq. Bandit teaches that without dressing it up. After Bandit, Leviathan and Narnia introduce light reverse engineering and binary exploitation, but Bandit alone will take 90% of beginners further than any “intro to Linux” course on the market.
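The grep-and-pipeline fluency Bandit builds is exactly what a defender uses on a real box. As an added example (not from the original post or from OverTheWire), the function below runs a grep | cut | sort | uniq -c pipeline over a few constructed sshd log lines to count failed password attempts per source address. The log lines, function names, and IP addresses are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Bandit wargame.
# Shows the grep | cut | sort | uniq pipeline applied to a defender's
# everyday task: which source addresses are hammering sshd with bad passwords.

# Constructed sample auth.log lines (not a real capture).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  3 10:02:40 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40211 ssh2
Mar  3 10:03:01 host sshd[1215]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:04:22 host sshd[1220]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  3 10:05:00 host CRON[1230]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Read log lines on stdin and print "<count> <ip>" per source address,
# most frequent first. Only "Failed password" lines are counted, so the
# successful publickey login and the cron line drop out at the grep stage.
failed_logins_by_ip() {
    grep 'Failed password' \
      | grep -o 'from [0-9.]*' \
      | cut -d' ' -f2 \
      | sort | uniq -c | sort -rn \
      | sed 's/^ *//'
}

# Convenience wrapper: the single address with the most failures.
top_failed_ip() {
    failed_logins_by_ip | head -n 1 | cut -d' ' -f2
}

# Usage when run directly:
#   sample_auth_log | failed_logins_by_ip
#   sudo grep sshd /var/log/auth.log | failed_logins_by_ip   # on a real host
```

On a real host you would feed the function `/var/log/auth.log` (or `journalctl -u ssh`) instead of the constructed sample; the pipeline itself is unchanged, which is the point of learning the primitives rather than a tool that wraps them.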

The advice that matters: don’t copy solutions. Type every command. When stuck, give yourself 30 minutes before searching. Two levels a night beats binge-quitting in a week.

5. MITRE ATT&CK and NIST — The Reference Stack Every Senior Quotes

Links: https://attack.mitre.org and https://csrc.nist.gov

These two reference libraries aren’t training platforms. They’re the canonical sources that working practitioners quote in incident reports, interview answers, audit responses, and detection engineering reviews. Every senior in the field uses both. Most beginners discover them too late.

MITRE ATT&CK is a structured catalog of how real adversaries behave — broken down into tactics (the why: initial access, persistence, lateral movement), techniques (the how: phishing attachment, scheduled task, pass-the-hash), and sub-techniques (the specific variants). Each technique entry includes real-world examples of which threat groups used it, which detections work, and which data sources to monitor. If you’re going into a SOC role, you’ll be expected to know the ATT&CK matrix the way a doctor knows anatomy.

NIST publishes the playbooks. The two documents that matter most when you’re starting out:

  • NIST CSF 2.0 — the Cybersecurity Framework. Released on February 26, 2024, it’s the updated version of the original CSF, designed to help organizations manage and mitigate cybersecurity risks. The most significant change is the addition of a sixth core function: Govern. The six functions (Govern, Identify, Protect, Detect, Respond, Recover) are what every blue-team interviewer expects you to recite.
  • NIST SP 800-61 — the Computer Security Incident Handling Guide. The reference every incident responder works from. Read it once, cover to cover.

How to actually use them

Don’t try to consume either of these front-to-back. Use them as you’d use a dictionary.

REFERENCE: a weekly cadence for ATT&CK and NIST
How to use the reference stack without trying to read it cover to cover.

  • Weekly habit: pick one ATT&CK technique. Read its description, mitigations, and detection guidance. Note which data sources flag it.
  • One-time read: NIST SP 800-61, cover to cover. The incident-handling lifecycle every IR team uses. Read it once. You’ll reference it for years.
  • Bookmark: CSF 2.0, the six functions. Govern, Identify, Protect, Detect, Respond, Recover. Every blue-team interview tests this.
  • Cross-reference: map ATT&CK to NIST controls. NIST publishes mappings between ATT&CK techniques and SP 800-53 controls. Use them in audit conversations.

You won’t memorize either reference, and you shouldn’t try. The point is to know they exist, know how they’re structured, and be able to cite the right page when a question comes up — in an interview, in a report, in a meeting where someone asks “what framework are we aligning to?”

6. NetGuardia — Independent Intelligence That Connects Lab Skill to Industry Context

Link: https://netguardia.com

Labs teach you to compromise a box. Reference libraries teach you the vocabulary. Neither tells you what’s actually happening in the field this week — which breaches matter, which threat actors are active, which CVEs are being weaponized, which regulations just changed. That gap is where NetGuardia lives.

NetGuardia is an independent cybersecurity intelligence publication focused on threats, defense, policy, privacy, and professional practice — written for individuals and organizations that need clarity, not noise, to understand and respond to today’s security landscape. The editorial principles are stated plainly on the site: independence from vendors, accuracy over speed, and respect for technical and policy complexity.

For someone starting out, what makes NetGuardia useful is the breadth without the marketing layer. Coverage spans incidents and breaches, threat intelligence, regulatory updates, expert analysis, defensive practices, cloud security, privacy, governance and compliance, and a substantial Learning & Development section with career guides for roles labs don’t teach you about — malware analyst, OSINT analyst, cloud security analyst, cybersecurity legal counsel, and more.

Why it belongs in the rotation

Most “cybersecurity news” sites recycle vendor press releases and chase headline urgency. NetGuardia focuses on what matters, why it matters, and how it connects to the broader security ecosystem. That framing is the difference between reading the news and actually understanding it — which is also the difference between someone who can talk about a breach in an interview and someone who can’t.

Read it weekly. Bookmark the Threat Intelligence, Incidents & Breaches, and Career Paths categories. The signal-to-noise ratio is the best you’ll find for free.

7. YouTube — Three Channels, Used as Shadowing Tools

YouTube is a paradox. It’s the most abundant source of free cybersecurity content on the internet, and also the most likely to waste your time. The platform is full of “Become a Hacker in 30 Days” thumbnails and channels that review tools without ever actually using them. Most beginners spend months watching and learn nothing.

Three channels are worth your time. The rule for all three is the same: never watch passively. Attempt the box, the lab, or the concept yourself first. Get stuck. Only then watch how the expert solved it.

CHANNEL GUIDE: three YouTube channels worth shadowing

  • IppSec (HTB walkthroughs). The methodology gold standard. Every retired HTB box has an IppSec video. Try the box yourself first, get stuck for at least an hour, then watch at 1.5x and note every command and technique you didn’t think to use.
  • LiveOverflow (internals & binary exploitation). Where you go when surface-level pentesting stops satisfying you. Browser internals, low-level exploitation, hardware hacking — the kind of depth no paid course covers for free.
  • John Hammond (CTFs, malware analysis). Friendly pacing without dumbing things down. Strong for CTF walkthroughs, malware sample analysis, and current event explainers. A good gateway from TryHackMe-level content into HTB territory.

What to avoid: anything promising mastery in a fixed number of days, anyone who reviews tools without demonstrating them on a real target, and channels whose primary revenue is bootcamp affiliate links. The pattern repeats. Learn to spot it.

The Stack at a Glance

QUICK REFERENCE: all seven resources, side by side

#   Resource               Best for                                       Cost
01  TryHackMe              Guided rooms, absolute-beginner on-ramp        Free tier
02  Hack The Box           Unguided machines, OSCP-style practice         Free tier
03  PortSwigger Academy    Web vulnerabilities, Burp Suite mastery        100% free
04  OverTheWire            Linux and terminal fluency via Bandit          100% free
05  MITRE ATT&CK + NIST    Reference libraries — interview canon          100% free
06  NetGuardia             Industry context, career guides, weekly read   100% free
07  YouTube (3 channels)   Shadowing methodology, internals depth         100% free

A Realistic Sequencing

Don’t try to use all seven simultaneously. They serve different stages, and stacking them all at once is the fastest way to burn out without learning anything.

Months 1–3: Pre-Security path on TryHackMe + Bandit Levels 0–20 on OverTheWire. Goal: comfort in a Linux shell, basic networking vocabulary, first end-to-end “hack.”

Months 3–6: TryHackMe SOC Level 1 or Jr Penetration Tester path + PortSwigger server-side topics (SQL injection, authentication, access control). Begin reading NetGuardia weekly. Goal: real vulnerability classes, interview-ready vocabulary.

Months 6–12: Hack The Box Starting Point through Tier 2, then easy retired boxes with IppSec’s videos as post-attempt shadowing. PortSwigger client-side topics. Pick one MITRE ATT&CK technique a week. Goal: independent enumeration and exploitation, methodology you can describe.

Months 12+: Specialize. Blue team paths go deeper on NIST SP 800-61, ATT&CK detections, and SOC tooling. Red team paths go into HTB active machines, OSCP prep, and LiveOverflow for internals. NetGuardia and PortSwigger become ongoing references, not active study.

FAQ

Do I need a degree to break into cybersecurity?

No. Hiring managers in 2026 increasingly weight demonstrated capability over credentials. Most entry-level cyber roles are decided by one question: can this person operate in a real environment? The free resources in this list let you build that evidence — completed HTB machines, finished PortSwigger labs, ATT&CK technique writeups — which signals capability more credibly than any general IT degree.

Should I get certifications instead of using these resources?

Use both, in order. The resources here build the underlying skill; certifications validate it externally. The most respected entry-level certs (Security+, eJPT, BTL1) are still easier to pass after you’ve spent a few months on TryHackMe and PortSwigger than they are without that foundation. Don’t reverse the order. Skill first, paper second.

How many hours per week is realistic?

Five to ten focused hours per week, sustained over six months, will get most people to interview-ready. Twenty hours one week followed by nothing for a month will not. Consistency matters more than intensity at this stage.

What if I get stuck and can’t move forward?

Give yourself 30 minutes of genuine effort before searching for hints. Most learning happens in the stuck zone. If you’re still stuck after 30 minutes, search for the concept, not the answer — “what is SUID privilege escalation” beats “how to solve HTB Lame.” The first builds skill. The second builds dependence.

The Verdict

The barrier to entry in cybersecurity isn’t money — it’s the discipline to sit with a problem long enough to solve it without being told how. Every senior in this field was once exactly where you are: confused, self-taught, and one Google search away from giving up. The seven resources above are how most of them learned. They’re free. They’re current. They work.

Pick one tonight. Get stuck. Come back tomorrow.
