Resource Library

A list of resources I've personally found helpful in learning (or have on my to-do list), organized alphabetically, by category.  Nearly all of these are free resources.

Technical Topics

Access Management

• AD Security

Botnets

• A beginner's guide to building botnets
• Bots, Botnets, DDoS Attacks, and DDoS Attack Mitigation
• Detection and Classification of Different Botnet C&C Channels
• Model for HTTP Botnet Detection Based on DNS Traffic Analysis

Bug Bounties

• HackerOne's introductory course on web security

Coding

• FreeCodeCamp - A structured program to learn to code, with a built-in community to support you along the way
• Problem Solving with C++ - Excellent beginner resource for learning C++
• Data Structures and Algorithm Analysis in C++ - Solid introduction to data structures and algorithms
• Modern Operating Systems - Comprehensive book on how modern operating systems function
• A beginner's guide to Big O notation - Helpful intro to understanding Big-O notation
• Intro to Computer Science (Harvard)

CTFs (there's a lot of overlap between this section and penetration testing, below)

• PicoCTF (usually once a year, but event is left online for practice — difficulty varies)
• CTFlearn (a CTF-based learning platform with user-contributed challenges)
• Hack the Box (pen-testing labs)
• PortSwigger’s Web Security Academy (free, online web security training from the creators of Burp Suite)
• Google XSS Game (XSS for beginners)
• Google Gruyere (Vulnerable WebApp)
• OWASP WebGoat (Vulnerable WebApp — downloadable)
• CTFTime.org: includes a list of upcoming security competitions — and writeups from past competitions
• Additional information about upcoming CTFs

Cryptography

• Cryptography 1 (stanford)

DDoS

• DDoS Quick Guide US CERT
• AWS Best Practices for DDoS Resiliency
• NCC Cyber Incident Response DDoS
• Imperva DDoS Response Playbook

Email

• SPF
• More SPF
• DKIM
• Validate a DKIM Record
• DMARC
• More DMARC
• Even More DMARC
• Check if a domain has SPF or DMARC records configured

Encryption

• DiffieHellman vs RSA thread
• Crypto challenges from Cryptopals
• RSA
• DH (weaknesses)
• DH (more weaknesses)
• Hard DH Math
• Perfect Forward Secrecy
• Birthday Problem
• A mathematical theory of cryptography
• NIST Recommendations for Block Cipher Modes of Operation
• Diffusion and Confusion
• Confusion and Diffusion
• Kerckhoffs's Principle
• Padding Mechanisms
• Foundations of Computer Science: Stream and Block Encryption

Frameworks

• MITRE ATT&CK
• NIST 800-53

Home Lab

• Daniel Miessler has a list of suggested projects to complete here (it serves as a nice mini curriculum for building an at-home lab for any security professional)

Mainframes

• IBM z/OS Redbooks
• IBM Documentation
• PL/I (pronounced P-L one)
• Mainframe Hacking Resources

Microsegmentation

• What is Microsegmentation (Palo Alto)
• Illumio Guide to Microsegmentation
• Guardicore Microsegmentation

Miscellaneous

• SANS Faculty Free Tools list - A list of more than 150 open source security tools created by SANS (a very highly regarded education institution for cybersecurity)
• BlackHills InfoSec Collected Resources

Networking

• Advanced Networking (NYU)

OWASP Top 10

Cross Site Scripting/XSS

• Cross-Site Scripting from Troy Hunt
• Understanding XSS - Input Sanitization Semantics and Output Encoding Contexts
• OWASP XSS
• OWASP Types of XSS
• OWASP Cross Site Scripting Prevention
• OWASP DOM-Based XSS
• Acunetix Cross Site Scripting
• PortSwigger XSS
• Rapid7 XSS

CSP

• Report URI (get alerts on CSP violations)
• CSP Fiddler Extension (build a baseline CSP)

CSRF

• OWASP CSRF
• OWASP CSRF Prevention
• CSRF Attacks
• Anti-CSRF Tokens
• CSRF Basics
• PortSwigger CSRF

SQL Injection

• OWASP SQL Injection
• W3 Schools SQL Injection
• PortSwigger SQL Injection
• Netsparker SQL Injection

Memory Allocation/Buffer Overflows

• Computer and Network Security Lectures, Avinash Kak
• OWASP Buffer Overflows
• Stack vs Heap

Passwords

• Popular password cracking tools
• Brute Force Attacks
• Creating Rainbow Tables
• Peppers
• More details on hash chains
• Another explanation of rainbow tables
• A list of rainbow tables online

Penetration Testing (there's a lot of overlap between this section and CTFs, above)

• Metasploit: The Penetration Tester's Guide (book)
• Hacking Exposed 7: Network Security Secrets and Solutions (book)
• Penetration Testing: A Hands-On Introduction to Hacking (book)
• A free course on Metasploit
• A site to test out your hacking skills
• OvertheWire - Network challenges
• A free web security course (Hacker101)
• OWASP WebGoat

SASE

• Getting Started with SASE (Cloudflare)
• SASE - Cisco

Threat Modeling

• An intro to threat modeling

Career

Career Pathways

• A Career Pathway Guide (Cyberseek)
• Another Career Pathway Guide (World Economic Forum and Salesforce)
• Peer mentoring program

Career Advice

• Lesley Carhart's Infosec Career Advice
• Troy Hunt's Career Advice

Interviewing

• 60 Cybersecurity Interview Questions

Networking

• Local BSides Events
• CitySec Meetups

Certification Prep

General

• Cybrary offers a number of free and paid courses, though they are very certification focused. I used their CISSP class as one of my studying resources for that exam and found it helpful. This can be helpful if you have a specific certification in mind.
• Study Groups for Certifications

CISSP (resources ranked by usefulness)

1. ISC² Official Study Guide (definitely more information than you actually have to know.) 6/10
2. Kelly Handerhan videos (solid, though they're not as in-depth as the exam can be.) 7/10
3. 11th Hour CISSP guide  8/10
4. IT Dojo Daily CISSP Question Videos (The guy who runs the series has a really great way of explaining complicated concepts, but I don't think the questions were reflective of the exam questions.) 6/10
5. Made a million (probably around 1000) flashcards whenever I got a question wrong or ran into difficult concepts. Studied them. Made more (every time I ran into something I didn't know). Studied them again. 10/10
6. Used the Shon Harris book to research specific topics I didn't understand. And  asked other people, googled the topics, read blogs, watched youtube videos, etc. 9/10
7. Watched this video, this video, and this video on testing mindset. 10/10
8. Took all the practice questions in the ISC² Practice Test book (twice - same link as the study guide). The questions were good, but not necessarily reflective of what the exam questions look like. 7/10
9. Took all the Boson practice Qs. Took them again and read all of the explanations. These were the single most useful resource. The explanations were great, though the questions were more technical than the exam was. 10/10
   

CISM:

• I only leveraged the official practice questions for this exam and found it to be more than sufficient (if you've already taken the CISSP or have equivalent experience).