How I’d Learn Ethical Hacking in 2026 If I Started Over

How I'd Learn Ethical Hacking in 2026 If I Started Over

Let me be straight with you. Most “ethical hacking roadmaps” online are either too vague, outdated, or written by someone who hasn’t actually done the work. I’ve been there, I know what it’s like to stare at a screen not knowing where to start, jumping between random YouTube videos, and getting nowhere.

This is the roadmap I’d actually follow if I had to start over from scratch in 2026. No fluff. No too expensive courses you don’t need. Just a clear, step-by-step path that actually makes sense.

Let’s get into it.

Step 1: Computer Networking (Non-Negotiable)

You cannot hack a system you don’t understand. Networking is the foundation of everything. If you skip this, you’ll hit a wall fast. and you won’t even understand why things are breaking.

You need to understand:

  • How the internet actually works (TCP/IP, DNS, HTTP)
  • IP addressing, subnetting, VLANs
  • How routers and switches move traffic
  • Protocols like ARP, ICMP, FTP, SSH

Resources:

  • Cisco Networking Academy — free, structured, and solid
  • Bitten Tech Networking Playlist (Hindi) — great if you’re more comfortable in Hindi/Urdu
  • FreeCodeCamp Computer Networking Course (CompTIA Network+) — long but very comprehensive

You don’t need to pass the Network+ exam. Just understand the concepts. That’s enough to move forward.

Step 2: Linux

Every serious penetration tester lives in Linux. Kali, Parrot, Ubuntu, doesn’t matter which one you start with. What matters is that you get comfortable with the terminal.

Learn:

  • File system structure (/etc, /var, /home, etc.)
  • File permissions and user management
  • Networking commands (ifconfig, netstat, ip, curl)
  • Bash basics – pipes, redirects, scripting
  • Package management

Resources:

  • Cyberwings Security (Hindi) – practical and beginner-friendly
  • FreeCodeCamp Linux Course (English) – covers everything from basics to intermediate

Step 3: First Practice – PicoCTF (General Category, Easy)

Now it’s time to do something practical. No more just watching and reading.

Go to PicoCTF and start the easy challenges in the General Skills category. These are not hard – they’re designed to make you think and get familiar with using tools. You’ll use the terminal, work with files, and get a taste of what CTFs feel like.

Don’t skip this. Getting your hands dirty early builds the habit of actually doing things instead of just consuming content.

Step 4: TryHackMe – Pre-Security + Cyber 101

Once you have the basics and some CTF exposure, head to TryHackMe.

Complete these two paths in order:

  1. Pre-Security – reinforces everything from Steps 1 and 2 in a guided, hands-on environment
  2. Cybersecurity 101 – introduces you to the broader security landscape

These paths are beginner-friendly, well-structured, and you’re actually hacking machines – not just reading theory. That hands-on practice is what matters here.

Step 5: TryHackMe – Jr. Penetration Tester Path

This is where things get real.

The Jr. Penetration Tester path covers:

  • Network scanning and enumeration
  • Exploitation basics
  • Web application vulnerabilities
  • Privilege escalation
  • Reporting

Go through it fully. Don’t rush it. If something doesn’t click, Google it, read more, and try again. This path gave me a solid foundation for real pentesting work.

Step 6: Back to PicoCTF – Web Category (Easy)

Now that you’ve learned some web hacking concepts from TryHackMe, go back to PicoCTF and solve the easy Web Exploitation challenges.

This is important – applying concepts in a CTF format forces you to actually think through problems. It’s not guided. It’s just you, a challenge, and your browser/tools.

You’ll encounter SQLi, XSS, path traversal, cookie manipulation. These are real vulnerabilities. Start recognizing them.

Step 7: PortSwigger Web Security Academy

This is the most important resource for web application penetration testing. Full stop.

PortSwigger Web Security Academy is free, incredibly in-depth, and built by the people who made Burp Suite. Every serious web pentester has gone through it.

Order matters:

  1. Start with Server-Side topics first:
    • SQL Injection
    • Authentication
    • Path Traversal
    • Business Logic Vulnerabilities
    • Access Control (IDOR, BFLA)
    • SSRF, XXE, SSTI, etc.
  2. Then move to Client-Side topics:
    • XSS (Reflected, Stored, DOM)
    • CSRF
    • CORS
    • Clickjacking
    • WebSockets

Do the labs. Every single one. Don’t just read the theory and move on. The labs are where the learning happens.

Step 8: Learn Python (Web + Network Libraries)

You don’t need to be a developer. But you do need to be able to write scripts.

Focus only on what’s relevant to pentesting:

  • requests – for automating HTTP requests
  • BeautifulSoup – for parsing HTML
  • socket – for basic networking scripts
  • subprocess – for running system commands
  • String manipulation, loops, conditionals, file I/O

If you can write a script that sends HTTP requests, parses responses, and checks for a vulnerability automatically – you’re at a good level.

Learn from python.org docs, FreeCodeCamp, or CS50P. Practice by scripting things you’ve been doing manually in Burp Suite.

Step 9: PicoCTF – Web Category (Medium)

Now you have real knowledge. Go back and tackle the medium-level Web Exploitation challenges on PicoCTF.

These will be harder. You might get stuck. That’s fine – that’s the point. The struggle is where the growth is. Use hints only as a last resort. Try to figure it out yourself first.

Step 10: TryHackMe – Web Application Penetration Tester Path

Come back to TryHackMe and complete the Web Application Penetration Tester path.

By now you’ll recognize a lot of the concepts – but this path goes deeper and ties everything together in a structured way. It’s also good practice for methodology – how to approach a web app assessment from recon all the way to reporting.

Step 11: HackTheBox – Machines + Web Challenges

Now you’re ready for the real playground.

HackTheBox is where you prove your skills. Start with:

  • Easy machines – focus on the enumeration phase, identify services, find footholds
  • Web challenges – these are short, focused, and excellent for sharpening specific skills

HTB machines teach you to think like a real attacker. You’re not guided. You have an IP, and you need to root the box. No hints, no guided steps.

Work through retired machines so you can look up writeups when you’re stuck – but only after you’ve tried hard yourself.

A Few Things I’d Tell My Past Self

Don’t rush. Skipping steps to feel “advanced” faster is how people end up with shaky foundations. Take your time with networking and Linux. They matter more than you think.

Don’t collect courses. One resource, done properly, beats five resources half-finished.

Do the labs. Reading theory without practicing is basically useless in this field. Everything you learn should be tested in a lab or challenge.

Get comfortable being stuck. When you’re stuck for an hour on a challenge, that’s not failure – that’s learning. The moment things click after you’ve been stuck is worth more than ten hours of passive watching.

Document everything. Start a notes repo, a blog, a private Obsidian vault – whatever works. Writing things down forces you to understand them.

This field rewards people who are consistent and curious. You don’t need to be a genius. You just need to keep showing up.

If you follow this roadmap properly, you’ll have real skills – not just a LinkedIn badge. And real skills are what get you into real roles.

Good luck. Stay consistent.

Leave a Reply

Your email address will not be published. Required fields are marked *