h4ckers.infoSearch terms
Guide · ~10 min read

Getting started in security

You don't need a computer science degree or expensive gear to begin. You need curiosity, patience, and a structured way to turn confusion into competence. This guide is the path we wish we'd had on day one.

The mindset

Security is the discipline of asking "what did the designer assume, and what happens when that assumption is false?"Every exploit is a gap between intended behavior and actual behavior. Your job is to find that gap and prove it.

The traits that matter most:

  • Stubbornness with a timer. Push hard, but know when to step back, take notes, and switch approaches.
  • Reading carefully. The flaw is usually hiding in a detail you skimmed — an error message, a header, a comment.
  • Reproducing, not guessing. A vulnerability you can't reproduce on demand isn't yet understood.
  • Documenting everything. Your future self is your most important teammate.
Reframe failure. In this field, ninety failed attempts that teach you the shape of a problem are worth more than one lucky win. Treat every dead end as a map update.

Ethics & the law

This is the non-negotiable part. The same techniques that make you a great defender are crimes when pointed at systems you don't own or aren't authorized to test. The line is authorization, and it is bright.

  • Only test what you own or have written permission to test. "I was just curious" is not a legal defense.
  • Stay inside scope. Authorization for one host is not authorization for the network it sits on.
  • Disclose responsibly. If you find a real flaw in someone's system, report it privately and give them time to fix it.
  • Do no harm. Don't destroy data, degrade service, or access information beyond what proves the issue.
When in doubt, don't. Practice on the legal labs below and on your own machines. The skills transfer perfectly; the legal exposure does not.

Setting up your kit

You can do real work on any modern laptop. The standard approach is a Linux environment — either a dedicated security distribution in a virtual machine, or your own Linux install with tools added as needed.

The baseline

  • A Linux VM (or WSL2 on Windows) so you can break things in isolation.
  • A terminal you're comfortable in, plus tmux for managing sessions.
  • A scripting language — python3 is the lingua franca of CTF.
  • A notes system. Plain Markdown files in a folder beat any fancy app.
# a sane starting toolkit (names vary by distro)
sudo apt update
sudo apt install -y nmap netcat-openbsd python3-pip tmux git
pip3 install --user pwntools requests
# verify
nmap --version && python3 -c "import pwn; print('pwntools ok')"
Snapshot your VM once it's configured. When an experiment wrecks the environment — and it will — you roll back in seconds instead of rebuilding for an hour.

A repeatable workflow

Beginners flail; professionals follow a loop. Internalize this cycle and apply it to every target, regardless of category:

  1. Enumerate. Gather every fact you can — ports, routes, file types, versions. Breadth before depth.
  2. Hypothesize. Form a specific, testable theory: "this parameter looks like it hits a database."
  3. Test the smallest thing. Confirm or kill the theory with one minimal probe before building a full exploit.
  4. Exploit. Once confirmed, develop the technique into reliable access or data.
  5. Document. Record what worked, what didn't, and the exact steps to reproduce.

When you're stuck, you've almost always skipped step one. Go back and enumerate harder — the answer is usually a fact you never collected.

Your first challenge

Pick a beginner web challenge — they give the fastest feedback loop. Here's the loop in miniature against a fictional practice target:

# 1. enumerate: what's even here?
ffuf -u https://intro.lab/FUZZ -w common.txt -mc 200,301,302

# 2. hypothesize: /notes?id=1 looks like a database lookup
curl "https://intro.lab/notes?id=1"

# 3. test the smallest thing: does a quote break it?
curl "https://intro.lab/notes?id=1'"
#    -> 500 error mentioning SQL? Theory confirmed.

# 4. exploit: pull the table the flag lives in
curl "https://intro.lab/notes?id=0 UNION SELECT flag FROM secrets-- -"

That's the whole game in four commands: look, guess, poke, profit — then write down exactly how you did it. Read theSQL injection glossary entry if any of that felt fuzzy.

Where to practice

These are the kinds of legal, intentionally vulnerable environments built for exactly this. Run the self-hosted ones locally; treat the hosted ones as you would any authorized engagement.

Capture Range

Beginner Jeopardy CTF, all categories

Hosted weekly, archives stay open

WebGoat-style sandbox

Deliberately vulnerable web app

Run locally in Docker, zero risk

OverTheWire-style wargames

Linux & privilege escalation

SSH in, level up one box at a time

pwn.college-style modules

Binary exploitation from zero

Guided, with a built-in debugger

Note: these describe categories of legal practice platforms rather than endorsing any single provider. Choose ones that publish clear rules of engagement.

Habits that compound

  • Keep a write-up journal. After every solved challenge, write how you'd explain it to a teammate. Teaching cements learning.
  • Build a cheatsheet of your own. The commands you re-derive twice belong in a file you can grep.
  • Read others' write-ups — after you've tried. The gap between your approach and theirs is the lesson.
  • Rotate categories. Discomfort is the signal you're growing. The category you avoid is the one to schedule next.
Explore the disciplines Study the glossary