Six months ago I knew how to use a computer. That was about it. I had heard words like “penetration testing” and “ethical hacking” and vaguely understood that cybersecurity was a career. I had no CS degree. No IT background. I was switching careers from something completely unrelated. This is what actually worked — and what was a complete waste of time.
Month 1: I Was Lost, and That Is Normal
The first thing I did was Google “how to learn hacking” and immediately drowned in conflicting advice. “Learn Python first.” “No, start with networking.” “You need a degree.” “Degrees are useless.” Everyone had a hot take and nobody agreed. I spent the first two weeks watching YouTube videos and feeling like I was learning without actually doing anything.
The thing that actually got me unstuck was a single realization: cybersecurity is not magic. It is deeply practical. Every attack exploits something specific and understandable. Once I stopped trying to learn “everything” and started following a structured path, things clicked. The path I ended up on was TryHackMe’s Pre-Security pathway, which cost $14/month and was the single best investment of this entire journey.
What I Learned in Month 1
- How the internet actually works: DNS, HTTP, TCP/IP — not surface level, but actually how a packet travels from your browser to a server and back
- Basic Linux commands: navigating the file system, reading files, managing processes
- What an IP address, subnet, and port actually mean in practice
Time spent: ~2 hours per day, mostly after work.
Month 2: The Linux Rabbit Hole
I installed Kali Linux in VirtualBox and started doing the OverTheWire “Bandit” wargame. Bandit is a series of challenges that teaches Linux by making you actually use it to find passwords hidden in various files, processes, and system quirks. It sounds simple. It is absolutely not simple when you are new.
# Commands I had never used before Bandit that I now use daily:
ls -la # list ALL files including hidden ones
cat /etc/passwd # read file contents
find / -name "*.txt" -readable 2>/dev/null # find readable text files
grep -r "password" /home/ # search recursively for keyword
ssh -p 2220 bandit0@bandit.labs.overthewire.org # connect to Bandit
By the end of Bandit (33 levels), Linux felt like home. I stopped Googling every command. That muscle memory was worth more than any course I had taken.
Month 3: First Real Hack — and the Feeling Is Indescribable
TryHackMe has a room called “Basic Pentesting” that walks you through hacking a deliberately vulnerable machine. I remember the exact moment I typed su root and it worked. I had compromised my first (fake) system. I understood at a cellular level why this skill matters.
Month 3 was all about web vulnerabilities on PortSwigger Web Academy. This is completely free and in my opinion is the best single resource for web security on the internet. I went through the SQL injection labs, the XSS labs, the path traversal labs. Each lab makes you actually exploit a real vulnerability in a realistic application.
# The SQL injection that changed my perspective:
# Normal login query: SELECT * FROM users WHERE username='input' AND password='input'
# With injection in the password field: password = ' OR '1'='1
# Query becomes: SELECT * FROM users WHERE username='x' AND password='' OR '1'='1'
# AND binds tighter than OR, so the database reads it as (username='x' AND password='') OR '1'='1'
# '1'='1' is always true → the WHERE clause matches every row and authentication is bypassed completely
# (the same payload in the username field alone would not work, because the precedence leaves AND password='...' in force)
# This is why parameterized queries exist:
# cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (user, pwd))
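To see the string-concatenation bug and the parameterized fix side by side, here is an added example (mine, not from the post or from PortSwigger) using Python's built-in sqlite3 module against a constructed in-memory table. The table, the user "alice", and the plaintext password column are assumptions made to keep the query shape identical to the one above; real systems store password hashes, not plaintext.

```python
import sqlite3

# Constructed sample data: one user, plaintext password column only so the
# query looks exactly like the login query discussed above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, user, pwd):
    # The user-supplied strings are pasted straight into the SQL text, so a
    # quote character in the input ends the literal and becomes query syntax.
    query = f"SELECT * FROM users WHERE username='{user}' AND password='{pwd}'"
    return conn.execute(query).fetchone() is not None

def login_safe(conn, user, pwd):
    # Parameterized query: the values travel separately from the SQL text, so a
    # quote in pwd is compared as data and can never change the WHERE clause.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, pwd)).fetchone() is not None

INJECTION = "' OR '1'='1"  # the payload from the post

def demo():
    """Run both login functions with a correct password and with the payload."""
    conn = make_db()
    return {
        # Vulnerable: correct password works, and the payload in the password
        # field makes the WHERE clause "... OR '1'='1'", matching every row.
        "vuln_correct": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected_password": login_vulnerable(conn, "alice", INJECTION),
        # Same payload in the username field only: AND binds tighter than OR, so
        # the clause is username='' OR ('1'='1' AND password='wrong'), no match.
        "vuln_injected_username": login_vulnerable(conn, INJECTION, "wrong"),
        # Parameterized: correct password works, the payload is just a wrong password.
        "safe_correct": login_safe(conn, "alice", "correct horse"),
        "safe_injected_password": login_safe(conn, "alice", INJECTION),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login succeeded' if ok else 'login rejected'}")
```

The third result is the operator-precedence point: the classic `' OR '1'='1` only bypasses the whole condition when it lands after the last AND, which is why the password field is the textbook placement.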
Month 4: The Networking Deep Dive
I had been avoiding networking theory because it sounded boring. I was wrong. Understanding networking is what separates someone who can run tools from someone who actually understands what they are doing.
I used Professor Messer’s free CompTIA Network+ materials and combined them with hands-on labs in Packet Tracer (also free). Key things that finally clicked:
- Subnetting — once you understand CIDR notation (/24 means 256 addresses, /16 means 65,536), network scanning makes so much more sense
- The three-way handshake — how TCP connections are established, and why a half-open SYN scan is “stealthy”
- ARP and how it can be poisoned — the basis of man-in-the-middle attacks on local networks
- DNS and how it resolves — why DNS poisoning and tunneling work
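The subnetting numbers above (256 addresses for a /24, 65,536 for a /16) fall straight out of the prefix length, and Python's standard ipaddress module does the arithmetic for you. The following is an added example, not from the post, that summarizes a CIDR block the way a scanner needs it (network, broadcast, usable host range), splits a block into smaller subnets, and checks whether a given address falls inside an agreed scope; the address ranges in it are constructed sample values.

```python
import ipaddress

def subnet_summary(cidr):
    """Return the facts about a CIDR block that matter before scanning it."""
    # strict=False accepts a host address such as 192.168.1.37/24 and
    # normalizes it to the network it belongs to.
    net = ipaddress.ip_network(cidr, strict=False)
    # A /30 or larger reserves the network and broadcast addresses; /31 and
    # /32 are point-to-point or single-host cases with no such reservation.
    reserved = net.prefixlen <= 30
    usable = net.num_addresses - 2 if reserved else net.num_addresses
    first = net.network_address + 1 if reserved else net.network_address
    last = net.broadcast_address - 1 if reserved else net.broadcast_address
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,      # 2 ** (32 - prefix) for IPv4
        "usable_hosts": usable,
        "first_host": str(first),
        "last_host": str(last),
    }

def split_network(cidr, new_prefix):
    """Split a block into equal subnets of the given prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]

def in_scope(ip, scope_cidrs):
    """True if ip lies inside any of the listed CIDR blocks (an engagement scope)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)

if __name__ == "__main__":
    # Constructed sample ranges, not from the post.
    for block in ("10.0.0.0/24", "172.16.0.0/16", "192.168.1.37/24"):
        print(block, subnet_summary(block))
    print(split_network("192.168.1.0/24", 26))
    scope = ["192.168.1.0/24", "10.10.0.0/16"]
    print(in_scope("192.168.1.77", scope), in_scope("192.168.2.1", scope))
```

Feeding a host address like 192.168.1.37/24 through subnet_summary shows why the /24 matters: the function reports the whole 192.168.1.0 network, which is what a scan of that CIDR would actually touch.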
Month 5: HackTheBox and Real Frustration
HackTheBox is harder than TryHackMe. Significantly harder. The machines do not hold your hand, the community forums hint but do not spoil, and some boxes require hours of methodical enumeration before you find anything. I failed. A lot.
But failing on HackTheBox taught me something that courses never could: what to do when you are completely stuck. The answer is: go back to basics. Re-enumerate. Run a UDP scan. Check the web app source code. Look at every open port again. The answer is always there — you missed something.
I completed my first HTB machine (Blue — MS17-010 EternalBlue) in 4 hours. I was embarrassed that it took so long. But I also understood every single step of what happened, why it worked, and how to defend against it. That understanding was worth 4 hours.
Month 6: The Certification Question
Everyone asks: which certification should I get first? My honest answer after six months:
- CompTIA Security+ — If you need a job quickly and your target employers list it as a requirement. Broad coverage, not deep, respected in corporate environments. Exam cost: ~$400.
- eJPT (eLearnSecurity Junior Penetration Tester) — If you want a hands-on entry-level cert that proves you can actually hack. Exam is 100% practical. Cost: ~$200. This is what I took.
- OSCP — The respected gold standard. 24-hour practical exam. Do not attempt until you have 6 months of hands-on lab work. Cost: ~$1,500. My next target.
The Complete Resource List That Actually Worked
- TryHackMe.com — Best starting point for absolute beginners. Guided, gamified, browser-based (no VM needed to start)
- OverTheWire Bandit (bandit.labs.overthewire.org) — Free Linux command line training through progressive challenges
- PortSwigger Web Academy (portswigger.net/web-security) — Free, world-class web vulnerability training with real labs
- HackTheBox — Harder, more realistic machine hacking. Use once you have fundamentals
- VulnHub — Free downloadable VMs to hack, no internet needed
- HackTricks (book.hacktricks.xyz) — The encyclopedia of attack techniques, free, community-maintained
- IppSec YouTube Channel — HackTheBox walkthroughs explained beautifully. Watch after you attempt a machine
What I Wish I Had Known on Day One
- Stop consuming, start doing. An hour of hands-on lab time beats five hours of watching videos. Every time.
- Take notes from day one. Use Obsidian or Notion. Your notes will become your personal command reference, and you will use them for years.
- The community is your fastest learning accelerator. The TryHackMe Discord, the r/netsec and r/hacking subreddits, HTB forums — ask specific questions, help others, read writeups.
- Consistency beats intensity. 2 hours per day, every day, beats 10 hours on the weekend then nothing for a week. Compound learning is real.
- You do not need a degree. You need demonstrated skill, a portfolio of completed machines, and certifications that prove you can work. The cybersecurity job market rewards people who can actually do the work.
Six months in, I have a job offer on the table for a junior penetration tester role. I still have an enormous amount to learn — I think about this career as a decade-long journey, not a six-month sprint. But if you are at day zero and wondering if this is possible without a technical background: it is. Start today. Pick one resource and go deep on it before moving to the next. The path is long but it is absolutely navigable.