15 Best Free Cybersecurity Resources to Learn in 2026

cybersecurity resources
cybersecurity resources
By HOC Team  |  Last updated: July 2026 | Read time: ~18 min

The biggest myth in cybersecurity education is that you need to spend thousands on courses, bootcamps, or certifications to build real skills. The truth: some of the most respected penetration testers, bug bounty hunters, and security engineers working today learned almost entirely through free resources — platforms, labs, YouTube channels, and open documentation that cost nothing but time.

This list covers the 15 best free cybersecurity resources available in 2026, ranked and reviewed with honest assessments of what each one teaches, who it is best for, and exactly where to start. Whether you are completely new to security or an intermediate looking to go deeper, these resources cover every major skill area — from hands-on hacking labs and web security training to SIEM platforms and career guidance.

💡 How this list is organised Resources are grouped into four categories: Hands-On Labs (where you actually practice hacking), Courses and Learning Paths, Tools and Documentation, and Community and CTF platforms. Use the table of contents to jump to what you need, or read through for the full picture. All 15 resources have meaningful free tiers — nothing on this list requires payment to get real value.
Quick comparison — all 15 resources at a glance
#ResourceBest forSkill levelFormatFree tier quality
1TryHackMeComplete beginners, structured guided learningBeginner → MidBrowser-based labs⭐⭐⭐⭐⭐ Excellent
2HackTheBoxIntermediate skill-building, realistic machinesMid → AdvancedVPN + machines⭐⭐⭐⭐ Very good
3PortSwigger WSAWeb application security, 100% freeBeginner → AdvancedBrowser-based labs⭐⭐⭐⭐⭐ All free
4OverTheWireLinux skills, cryptography, web basicsBeginner → MidSSH wargames⭐⭐⭐⭐⭐ All free
5OWASPWeb vulnerability reference, secure codingAll levelsDocumentation⭐⭐⭐⭐⭐ All free
6Professor MesserCompTIA Security+ / Network+ exam prepBeginnerYouTube videos⭐⭐⭐⭐⭐ All free
7TCM Security (YT)Practical pentesting video coursesBeginner → MidYouTube videos⭐⭐⭐⭐ Very good
8CybraryStructured course library, many specialisationsAll levelsVideo courses⭐⭐⭐ Good
9Google Cert (audit)Career starters, no IT backgroundAbsolute beginnerVideo + readings⭐⭐⭐⭐ Good (audit)
10LetsDefendSOC analyst simulation, alert investigationBeginner → MidSOC simulator⭐⭐⭐⭐ Good
11PicoCTFBeginners learning through competition challengesAbsolute beginnerCTF challenges⭐⭐⭐⭐⭐ All free
12VulnHubDownloadable VMs, offline practiceMid → AdvancedVM download⭐⭐⭐⭐⭐ All free
13MITRE ATT&CKThreat intelligence, adversary TTPsMid → AdvancedFramework / docs⭐⭐⭐⭐⭐ All free
14Exploit DatabaseExploit reference, CVE researchMid → AdvancedSearchable DB⭐⭐⭐⭐⭐ All free
15HOC TutorialsPractical how-to articles, tool guidesBeginner → MidWritten tutorials⭐⭐⭐⭐⭐ All free
Recommended learning pathway using free resources — beginner to job-ready
Free Resource Learning Pathway — Beginner to Job-Ready STAGE 1 Months 1–2 Foundations TryHackMe Pre-Security path OverTheWire Bandit levels 0–20 Prof. Messer Network+ videos PicoCTF General skills CTF Google Cert Audit for free STAGE 2 Months 3–5 Hands-On Hacking PortSwigger WSA SQLi + XSS paths TCM Security YT Practical Ethical Hacking OWASP Guides Top 10 + Testing Guide HOC Tutorials Burp, Nmap, XSS, SQLi VulnHub VMs Kioptrix → Mr Robot STAGE 3 Months 6–9 Specialisation HackTheBox 20+ retired machines LetsDefend SOC analyst path MITRE ATT&CK TTPs study + threat maps Exploit-DB CVE research + searchsploit Cybrary Specialisation courses STAGE 4 Months 10–12 Job-Ready ✓ Security+ certified ✓ 5+ writeups on blog ✓ HTB / THM rank visible ✓ GitHub active ✓ Home lab running ✓ Bug bounty reports filed 🎯 Applying for Security Roles
1
TryHackMe
Guided, browser-based hacking labs — the best starting point for absolute beginners
Best for beginners Free tier available Browser-based
URL
tryhackme.com
Free rooms
300+
Skill level
Beginner → Mid
No setup required
✓ Browser only
Premium
$14/month (optional)

TryHackMe is the single best starting point for anyone new to cybersecurity. It removes the biggest barrier to entry — environment setup — by running everything in your browser. You deploy a virtual machine in one click, connect through a browser-based AttackBox, and follow guided learning paths that teach concepts and techniques together. No Kali Linux installation, no VPN configuration, no home lab required to get started.

The free tier includes over 300 rooms covering Linux, networking, web vulnerabilities, Burp Suite, Metasploit, digital forensics, and SOC analysis. The learning paths — "Pre-Security", "Jr Penetration Tester", "SOC Level 1", and "SOC Level 2" — are structured curricula that take you from zero to job-relevant skills with clear progression and explanations at every step.

  • Start here: Pre-Security learning path → complete all free rooms in sequence
  • Then do: Jr Penetration Tester path (partially free) or SOC Level 1 path
  • Best free rooms: Introduction to Cybersecurity, Network Fundamentals, Web Fundamentals, OWASP Top 10, Metasploit module, Burp Suite module
  • Why premium isn't necessary: The free rooms alone take 3–4 months to complete thoroughly. Start free and upgrade only if you exhaust the free content.
  • Job value: Employers recognise TryHackMe rankings. A "Top 1%" badge on your LinkedIn profile is a conversation starter in interviews.
Visit TryHackMe →
2
HackTheBox
Realistic hacking machines and labs — the platform serious pentesters use to sharpen their skills
Best intermediate platform Free machines available Needs home lab or VPN
URL
hackthebox.com
Free machines
Retired machines (free)
Skill level
Intermediate → Advanced
Setup needed
VPN + Kali recommended
Premium
$14/month (optional)

HackTheBox is where serious penetration testers go to sharpen their skills. Unlike TryHackMe's guided approach, HackTheBox machines are deliberately challenging — they give you an IP address and leave the rest to you. No hints, no step-by-step guidance. This replicates real-world pentesting more accurately, which is exactly why OSCP candidates use HTB as their primary preparation platform.

The free tier includes all retired machines (machines that have been replaced by new active ones). Since writeups for retired machines are publicly available, you can learn from the community's solutions when you get stuck. There are hundreds of retired machines covering web exploitation, buffer overflows, Active Directory attacks, binary exploitation, cryptography, and cloud misconfigurations.

  • Start with these retired machines (roughly in order): Lame, Legacy, Blue, Devel, Optimum, Bastard, Jerry, Bashed, Nibbles
  • After 10 machines: Aim for machines rated "Medium" — these align with OSCP difficulty
  • When stuck: Look up the IppSec YouTube channel — he has walkthroughs of every retired HTB machine, explained in detail
  • The HTB Academy (separate from the main platform) has free learning modules covering many attack techniques
  • Community: The HTB Discord is active, helpful, and full of people working on the same machines
Visit HackTheBox →
3
PortSwigger Web Security Academy
The definitive free resource for web application security — made by the creators of Burp Suite
100% free forever Best web security resource Browser-based labs
URL
portswigger.net/web-security
Labs
250+ free labs
Cost
Completely free
Skill level
Beginner → Advanced
Made by
PortSwigger (Burp Suite)

PortSwigger Web Security Academy is simply the best free web security resource that exists. It is entirely free — no premium tier, no content locked behind payment. The platform was built by PortSwigger, the company that makes Burp Suite, and the quality shows: every learning topic has clear written explanation, interactive labs that deploy in your browser, and difficulty levels from apprentice to expert.

It covers every major web vulnerability class in depth: SQL injection, XSS, CSRF, SSRF, XXE, access control flaws, authentication vulnerabilities, business logic errors, clickjacking, WebSocket attacks, GraphQL injection, OAuth weaknesses, and more. The "Learning Paths" feature guides you from beginner concepts through to advanced exploitation in a logical sequence.

  • Start with: SQL Injection learning path → complete all apprentice and practitioner labs before moving on
  • Then do: XSS learning path — most extensive XSS training available anywhere, free or paid
  • Priority topics for bug bounty: IDOR (access control), SSRF, OAuth, CORS misconfigurations, business logic
  • Expert-level labs are genuinely hard — comparable to real bug bounty findings. Completing them earns a PortSwigger certification.
  • Pair with: Our XSS tutorial, and SQL injection tutorial for conceptual context before the labs
Visit PortSwigger Web Security Academy →
4
OverTheWire
Classic wargames teaching Linux, networking, and cryptography through progressively harder challenges via SSH
100% free SSH-based Best Linux trainer
URL
overthewire.org/wargames
Cost
Completely free
Access method
SSH from any terminal
Wargames
Bandit, Natas, Leviathan, Krypton, Narnia +
Skill level
Absolute beginner → Mid

OverTheWire is one of the oldest and best free security learning resources on the internet. It teaches through wargames — progressively harder challenge levels you access via SSH. Each level requires you to find a password hidden using security techniques relevant to the topic. You are thrown in at the deep end with minimal hints, which builds genuine troubleshooting skill.

Bandit is the entry point — 34 levels teaching Linux command line skills that every security professional uses daily. It is the most efficient way to get comfortable with the terminal because every command you learn immediately solves a real puzzle. After Bandit, Natas teaches web security basics, Leviathan covers Linux privilege escalation, Krypton teaches cryptography, and Narnia covers memory exploitation basics.

  • Start: Bandit Level 0 — just SSH to the server and find the password. Each level's connection info is on the website.
  • Command line skills Bandit teaches: file reading, file permissions, grep/find/sort, ssh keys, tar/gzip, bash history, cron, networking basics
  • After Bandit: Move to Natas (web) or Leviathan (Linux privesc) depending on your focus
  • When stuck: Search "OverTheWire Bandit Level X walkthrough" — the community has documented every level. Read the walkthrough, then go back and do it yourself without notes.
Visit OverTheWire →
5
OWASP (Open Web Application Security Project)
The open-source authority on web application security — essential reference for every security professional
100% free Industry standard reference Constantly updated
URL
owasp.org
Cost
Completely free
Key resources
Top 10, Testing Guide, WSTG, ASVS, Juice Shop
Maintained by
Global volunteer community

OWASP is the gold standard reference for web application security. The OWASP Top 10 is the most referenced vulnerability classification in the industry — every web security job description, penetration test methodology, and bug bounty programme references it. Understanding the Top 10 is non-negotiable for anyone pursuing web security.

Beyond the Top 10, OWASP publishes the Web Security Testing Guide (WSTG) — a detailed, free methodology document describing how to test for every web vulnerability class. It is what professional penetration testers follow during engagements. The OWASP Juice Shop is a deliberately vulnerable web application built specifically for security training — modern, realistic, and excellent for hands-on practice.

  • OWASP Top 10 2021 — read every entry, understand the root cause and prevention for each. This takes an afternoon.
  • Web Security Testing Guide (WSTG) — use as a reference when testing. Every test case has a description, test steps, and remediation advice.
  • OWASP Juice Shop — a deliberately vulnerable Node.js application. Run locally on Docker, hack it to complete challenges, self-scoring scoreboard. Free and excellent.
  • OWASP API Security Top 10 — increasingly important as APIs become the dominant attack surface in 2026
  • OWASP Cheat Sheet Series — quick developer-focused reference for secure coding in many languages
Visit OWASP →
6
Professor Messer
Free, comprehensive CompTIA Security+ and Network+ video courses — the definitive free certification study resource
100% free on YouTube CompTIA aligned Cert prep
URL
professormesser.com + YouTube
Cost
Free on YouTube
Covers
Security+, Network+, A+
Format
Video lectures, study groups

Professor Messer is the most recommended free resource for CompTIA certification study, and has been for over a decade. His full Security+ SY0-701 course is available free on YouTube — every exam domain covered in clear, well-paced video lectures with his famously calm teaching style. The quality is comparable to paid courses costing hundreds of dollars.

For anyone who cannot afford a paid Security+ prep course, Professor Messer makes the certification genuinely accessible. He updates his courses with each CompTIA exam revision and offers free study group sessions where he answers questions live. His website also provides free course notes in PDF format for each exam objective.

  • CompTIA Security+ SY0-701 course — search "Professor Messer Security+ SY0-701" on YouTube. Watch all videos in order, take notes.
  • Network+ N10-009 course — study this before Security+ if your networking knowledge is weak
  • Free study notes — download PDF notes from professormesser.com for each exam objective (free with email sign-up)
  • Pair with: Jason Dion's Udemy practice exams ($15 on sale) — the combination of Messer's videos and Dion's practice questions is the most recommended free+cheap Security+ prep stack
  • Study approach: Watch each video, take handwritten notes, then answer related practice questions before moving to the next topic
Visit Professor Messer →
7
TCM Security (YouTube)
Free practical ethical hacking video courses by working penetration testers — the best free pentesting video content
Free on YouTube Pentest-focused Practical, no fluff
YouTube
@TCMSecurityAcademy
Cost
Free on YouTube
Key videos
Ethical Hacking in 15hrs, Python for hackers
Paid platform
academy.tcm-sec.com (optional)

TCM Security's YouTube channel is the best free source of practical penetration testing video content. Heath Adams (The Cyber Mentor) built his reputation by releasing full-length, high-quality ethical hacking courses on YouTube for free — the kind of content other instructors charge hundreds of dollars for. His teaching style is direct, practical, and zero-fluff.

His "Practical Ethical Hacking" course on YouTube is a complete introduction to penetration testing methodology, covering networking, Linux, Python scripting, Active Directory attacks, web application testing, and report writing. It is several hours long and regularly recommended by security professionals as the best free starting point for aspiring pentesters.

  • Start with: "Ethical Hacking in 15 Hours" free course on YouTube — covers the full pentest methodology
  • Also watch: "Open-Source Intelligence (OSINT) in 5 Hours", "Python for Hackers" — both free on YouTube
  • Active Directory: "Active Directory Attacks for Beginners" free YouTube series — teaches the techniques most relevant for enterprise pentesting and OSCP
  • Other channels to follow: IppSec (HTB machine walkthroughs), John Hammond (CTF solutions and malware analysis), LiveOverflow (binary exploitation), David Bombal (networking + hacking)
Visit TCM Security on YouTube →
8
Cybrary
Structured cybersecurity course library with free tier — covers dozens of roles and specialisations
Free tier available Structured paths Many specialisations
URL
cybrary.it
Free courses
Selected free content
Skill level
All levels
Format
Video + virtual labs
Premium
$49/month (unlocks all)

Cybrary is a cybersecurity-specific online learning platform with a curated library of courses covering everything from entry-level fundamentals to advanced penetration testing, threat hunting, DFIR, and cloud security. The free tier provides access to a meaningful selection of courses, and the platform is particularly strong on career-oriented learning paths aligned to specific job roles.

  • Best free courses: Introduction to IT & Cybersecurity, CompTIA Security+ prep, Ethical Hacking foundations
  • Career paths available: SOC Analyst, Penetration Tester, Incident Responder, Cloud Security, Threat Hunter
  • MITRE ATT&CK course on Cybrary is well-regarded for learning the framework practically
  • Honest assessment: Cybrary's free tier is more limited than TryHackMe or PortSwigger — but it is a good supplement, particularly for video learners who prefer a course-style format over lab challenges
Visit Cybrary →
9
Google Cybersecurity Certificate (Coursera Audit)
Structured beginner-to-employable curriculum — audit for free on Coursera to access all video and reading content
Audit free Best for career changers No IT background needed
Platform
coursera.org
Cost to audit
Free (no certificate)
Duration
~6 months at 7hrs/week
Covers
Security foundations, SIEM, Python, Linux, detection
Certificate cost
~$230 (optional)

The Google Cybersecurity Certificate on Coursera is an 8-course professional certificate designed for people with no IT background. By selecting "Audit" on each course on Coursera, you access all video lectures and readings for free — the only thing withheld is the graded assessments and the certificate itself. For learning purposes, the free audit content is everything you need.

The course is genuinely beginner-friendly, covering security foundations, network security, Linux and Python basics, threat detection using SIEM tools, and incident response. It is not technically deep — it will not make you a penetration tester — but it is the best structured introduction to security for complete beginners who need hand-holding through the fundamentals.

  • How to audit free: Go to coursera.org, search "Google Cybersecurity Certificate", click "Enroll for Free", then select "Audit" on each course
  • 8 courses include: Foundations of Cybersecurity, Play It Safe (Networks), Connect and Protect, Tools of the Trade (Linux + SQL), Assets Threats and Vulnerabilities, Sound the Alarm (Detection), Automate Cybersecurity Tasks with Python, Put It to Work (Prepare for jobs)
  • After completing: The Google certificate qualifies for CompTIA Security+ credit — you can skip some Security+ objectives and focus exam prep on the gaps
  • Best paired with: TryHackMe (for hands-on labs while working through the Google theory)
View on Coursera →
10
LetsDefend
The best free SOC analyst simulator — investigate real-format alerts in a mock security operations centre
Free tier available SOC focused Hands-on simulator
URL
letsdefend.io
Free alerts
Several free monthly
Best for
Aspiring SOC analysts
Format
SOC simulator + courses
Premium
$25/month (more alerts)

LetsDefend is unique — it simulates working as a Tier 1 SOC analyst. You pick up alerts from a queue, investigate them using simulated SIEM logs, network traffic, endpoint data, and email headers, then close the ticket with a correct verdict: true positive (escalate) or false positive (close). This is exactly the work you will do in a real SOC Tier 1 role.

The free tier includes a selection of alert investigations and free courses covering phishing analysis, malware analysis, incident response, log analysis, and SOC fundamentals. Completing LetsDefend alert investigations gives you a concrete talking point in SOC analyst interviews — you can describe the investigation process from a real case, not just theory.

  • Start with: Free SOC Fundamentals course and the first available alert investigations
  • Key free courses: Phishing Email Analysis, Malware Analysis Fundamentals, Log Analysis with Splunk, Incident Management
  • Interview value: "I investigated 20+ SOC alerts on LetsDefend and correctly identified phishing campaigns, web application attacks, and lateral movement" — this answer stands out compared to theory-only candidates
  • Complement with: Blue Team Labs Online (free DFIR challenges) and TryHackMe SOC Level 1 path for broader blue team coverage
Visit LetsDefend →
11
PicoCTF
Free Capture The Flag competition platform built by Carnegie Mellon University — ideal for absolute beginners
100% free CMU-backed CTF format
URL
picoctf.org
Cost
Completely free
Challenge archive
500+ challenges (picoGym)
Categories
Web, binary, forensics, crypto, reverse engineering
Skill level
Absolute beginner → Mid

PicoCTF is the best CTF platform for absolute beginners. Built by Carnegie Mellon University's cybersecurity team, it has a massive archive of challenges (picoGym) available year-round at no cost. The challenges are specifically designed to be approachable — they teach techniques through small, focused puzzles rather than full machine compromises, making them ideal when you are just starting to understand how different vulnerability classes work.

  • picoGym — the always-available challenge archive. Filter by category and difficulty. Start with "General Skills" and "Web Exploitation" at the easiest level.
  • Annual picoMini and piCTF competitions — free competitions open to all ages, with hints available during competition period
  • Categories covered: Web exploitation (XSS, SQLi, path traversal), binary exploitation, cryptography, forensics (file analysis, steganography), reverse engineering
  • Why CTFs matter: CTF participation is a credible portfolio item. Listing "picoMini 2026 — completed 40/60 challenges" on your resume demonstrates active learning and problem-solving skill.
Visit PicoCTF →
12
VulnHub
Free downloadable vulnerable virtual machines for offline hands-on practice — hundreds of machines at every difficulty
100% free Download and run locally Intermediate+
URL
vulnhub.com
Cost
Completely free
Machines
850+ downloadable VMs
Setup
VirtualBox + Kali Linux
Works offline
✓ No internet needed

VulnHub hosts a massive library of deliberately vulnerable virtual machines submitted by the security community. You download the VM, import it into VirtualBox, and attack it from your Kali Linux instance — exactly the same workflow as attacking a real system on a penetration test engagement, just without the legal risk. No subscription, no browser-based limitations, no internet connection needed during practice.

  • Recommended progression (beginner to intermediate): Kioptrix Level 1 → Kioptrix Level 2 → Mr-Robot → Stapler → VulnOS 2 → FristiLeaks
  • How to get started: Install VirtualBox + Kali Linux (see our home lab guide), download a VM from vulnhub.com, import as OVA into VirtualBox, set both attacker and target to "Host-Only" network
  • When stuck: Walkthroughs for almost every VulnHub machine exist on security blogs — search the machine name. Read the walkthrough, understand each step, then reset and do it yourself.
  • Works offline: Ideal if you have limited or metered internet — download machines when you have bandwidth, practice offline any time
Visit VulnHub →
13
MITRE ATT&CK Framework
The definitive knowledge base of adversary tactics, techniques, and procedures — used by every serious security team
100% free Industry standard Threat intelligence
URL
attack.mitre.org
Cost
Completely free
Techniques
600+ documented TTPs
Best for
SOC analysts, threat hunters, pentesters

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is the definitive free reference for understanding how real attackers operate. It documents tactics (the goal — e.g., Initial Access, Persistence, Lateral Movement) and the specific techniques used to achieve each tactic, with real-world examples from documented threat actor groups. Every SOC and penetration testing team in the world uses ATT&CK.

  • ATT&CK Enterprise Matrix — the main reference. Study the 14 tactics and the key techniques under each. Initial Access, Execution, Persistence, Privilege Escalation, and Lateral Movement are the most important for beginners.
  • Threat Groups — ATT&CK documents the TTPs of named threat actor groups (APT28, Lazarus, FIN7). Reading these is the best way to understand how real attacks unfold.
  • ATT&CK Navigator — free web tool that lets you build heatmaps of technique coverage. SOC teams use it to map their detection capabilities against the full technique matrix.
  • For SOC analysts: When an alert fires, look up the relevant ATT&CK technique ID (e.g., T1059 — Command and Scripting Interpreter) for context on how the technique is used by real attackers and what else to look for
  • For pentesters: Use ATT&CK to structure reports — map each finding to its ATT&CK technique ID. This makes your reports dramatically more useful to the blue team.
Visit MITRE ATT&CK →
14
Exploit Database (Exploit-DB)
Free searchable archive of public exploits and vulnerable software — essential reference for penetration testers
100% free Maintained by OffSec Exploit reference
URL
exploit-db.com
Cost
Completely free
Entries
50,000+ exploits
Maintained by
OffSec (OSCP creators)
Offline tool
searchsploit (Kali built-in)

Exploit-DB is an archive of publicly disclosed exploits maintained by OffSec, the organisation behind OSCP. When you identify a service with a specific version number during a penetration test or CTF challenge, Exploit-DB is where you search for known public exploits for that version. It covers every major operating system, web application, network service, and application framework.

  • Web search: exploit-db.com — search by software name, CVE, or vulnerability type
  • Offline search with searchsploit: Pre-installed on Kali Linux. searchsploit apache 2.4 instantly searches the local database for Apache 2.4 exploits — works without internet connection
  • Google Hacking Database (GHDB) — also on exploit-db.com. A searchable collection of Google dork queries used for OSINT and reconnaissance. Free and extremely useful for bug bounty recon.
  • How to use: When you find a service version (e.g., vsftpd 2.3.4 on port 21 during Nmap scan), search Exploit-DB for that version. Read the exploit code and understand what it does before running it.
  • CVE cross-reference: Every Exploit-DB entry lists the corresponding CVE number — use NVD (nvd.nist.gov) to get the full CVSS score and vulnerability details
Visit Exploit-DB →
15
Hackers Online Club (HOC)
Free practical cybersecurity tutorials, tool guides, and career resources — written by practitioners for practitioners
100% free Practical how-to guides Updated for 2026
URL
hackersonlineclub.com
Cost
Completely free
Tutorial depth, tool walkthroughs, career guides

HOC has published free cybersecurity tutorials since 2010 — over a decade of practical guides covering tools, techniques, career paths, and vulnerability deep-dives. The 2026 tutorial library covers the major tools and techniques used in real ethical hacking engagements, with step-by-step walkthroughs, inline SVG diagrams, and DVWA practice exercises for hands-on learning.

Key tutorials to bookmark
  • Nmap tutorial — complete scanning guide from basic port scans to service enumeration and NSE scripts
  • Wireshark tutorial — capture and analyse network traffic, identify attacks in pcap files
  • Burp Suite tutorial — Proxy, Repeater, Intruder, and Scanner for web application testing
  • <XSS tutorial — reflected, stored, and DOM-based XSS with payloads, Burp methodology, and DVWA exercises
  • SQL injection tutorial — error-based, UNION-based, and blind SQLi with sqlmap and filter bypass techniques
  • Home hacking lab guide — set up VirtualBox, Kali Linux, Metasploitable 2, and DVWA for free
  • Bug bounty hunting guide — how to find your first vulnerability and submit your first bug bounty report
  • Cybersecurity career roadmap — full 2026 career guide with salary data, certifications, and 12-month action plan
Bonus: 5 more free resources worth knowing

These didn't make the main list only because of space, not quality. Each is free and worth bookmarking.

ResourceURLWhat it offers
IppSec (YouTube)youtube.com/@ippsecVideo walkthroughs of every retired HackTheBox machine — the best supplement to HTB practice
Blue Team Labs Onlineblueteamlabs.onlineFree DFIR and SOC investigation challenges — labs involving log analysis, pcap analysis, malware investigation
Hacking Articleshackingarticles.inLarge library of free practical hacking tutorials covering tools and techniques with screenshots
Cybersecurity & Infrastructure Security Agency (CISA)cisa.gov/resources-tools/resourcesFree official guides, advisories, and training resources from the US government cybersecurity agency
SANS Reading Roomsans.org/white-papersThousands of free technical white papers on every cybersecurity topic — contributed by SANS course graduates
💡 The right order matters more than which resources you choose The biggest mistake beginners make is jumping between resources without completing anything. Pick one learning path — TryHackMe Pre-Security is the best default — and complete it entirely before moving to the next. Depth and completion consistently outperform breadth and jumping. After you finish a path, the next step will be obvious.

⚡ Start today — no excuses

  1. Create a TryHackMe account right now — tryhackme.com, free, takes 2 minutes. Start the Pre-Security learning path today. Do one room tonight. This is the single most impactful thing you can do in the next 30 minutes.
  2. Bookmark PortSwigger Web Security Academy — portswigger.net/web-security. Once you have 2–3 weeks of TryHackMe under your belt, start the SQL injection learning path here in parallel. It is 100% free and nothing else comes close for web security training.
  3. Set up your home lab this weekend — VirtualBox + Kali Linux takes about 2 hours. Once you have a lab, you can run VulnHub machines and DVWA offline any time. Full setup guide →
  4. Start the YouTube study stack — subscribe to: Professor Messer (cert prep), TCM Security (practical pentesting), IppSec (HTB walkthroughs). Watch one video per day while commuting or during lunch.
  5. Choose your career path and read the roadmap — every one of these resources maps to a specific career outcome. Knowing your target role focuses your learning and prevents the most common failure mode: learning everything about nothing. Career roadmap →
Frequently asked questions
What is the single best free resource to start learning cybersecurity?

TryHackMe for most beginners. It requires no setup, runs entirely in the browser, has guided learning paths with explanations at every step, and has hundreds of free rooms. Start the Pre-Security learning path and complete it before moving to anything else. If you know you want to specialise in web security, start with PortSwigger Web Security Academy instead — it is 100% free with nothing paywalled.

Is TryHackMe or HackTheBox better for beginners?

TryHackMe is significantly more beginner-friendly. It provides guided step-by-step instructions, hints, and explanations — you are taught as you hack. HackTheBox gives you a target IP and leaves everything else to you, which is realistic but overwhelming without prior experience. The recommended progression is TryHackMe first (3–4 months), then HackTheBox when you feel comfortable with the fundamentals and want challenge without guidance. Both have free tiers.

Can I realistically learn cybersecurity for free — or do I need to pay?

Yes, genuinely. The 15 resources in this article — TryHackMe free rooms, PortSwigger (100% free), OverTheWire (100% free), Professor Messer on YouTube, TCM Security on YouTube, OWASP guides, PicoCTF, VulnHub, MITRE ATT&CK, Exploit-DB — provide enough structured learning to reach job-ready skill levels without spending a penny on learning content. The only costs that are genuinely worth spending money on are the CompTIA Security+ exam ($400) once you are ready to certify, and optionally OSCP ($1,499) for penetration testing roles. The learning itself is free.

How long does it take to get through these resources?

Doing 2 hours per day: TryHackMe Pre-Security path takes 4–6 weeks. The Jr Penetration Tester or SOC Level 1 path takes 8–12 weeks. PortSwigger SQL injection + XSS learning paths take 4–6 weeks. OverTheWire Bandit takes 1–2 weeks. The full pathway to job-ready takes 9–12 months of consistent daily practice — which aligns with the realistic timeline for a career transition into cybersecurity.

Do I need my own computer or can I learn on a shared/limited machine?

TryHackMe, PortSwigger, OverTheWire, PicoCTF, Cybrary, and the Google certificate all run entirely in your browser — any computer with internet access works. You only need a machine capable of running virtual machines (8GB RAM minimum recommended) for VulnHub machines and the home lab setup. If RAM is limited, focus on browser-based platforms first and upgrade your hardware when budget allows.