Core Concepts

๐Ÿ”บ The CIA Triad

Every security decision protects one or more of these three pillars.
  • Confidentiality โ€” Only authorized people can see the data. Tools: encryption, MFA, access control
  • Integrity โ€” Data cannot be changed without permission. Tools: hashing (SHA-256), digital signatures
  • Availability โ€” Systems must be up when needed. Tools: backups, redundancy, DDoS protection
โญ EXAM TIP: "Data must not be modified" = Integrity. "Only authorized users can read it" = Confidentiality. "System must stay online" = Availability.

Start Here โ€” What Is the CIA Triad?

Before you learn any other topic in cybersecurity, you must understand the CIA Triad. It is the foundation of everything else. CIA stands for Confidentiality, Integrity, and Availability. It has nothing to do with the spy agency โ€” it is simply the three goals that every security team is trying to achieve, every single day.

Think of it like this: cybersecurity exists to protect information. But what does "protect" actually mean? The CIA Triad answers that question. Information is protected when only the right people can see it (Confidentiality), when nobody can secretly change it (Integrity), and when it is available whenever it is needed (Availability). If any one of these three is broken, you have a security problem.

1. Confidentiality โ€” Keeping Secrets Secret

Confidentiality means that only people who are authorized (given permission) can see the data. Imagine your medical records at a hospital. Your doctor should be able to read them. A random stranger should not. When a hacker steals customer credit card numbers, that is a breach of confidentiality โ€” someone who was not authorized saw the data.

How do we protect confidentiality? Three main tools:

  • Encryption โ€” Scrambles data into unreadable text. Even if a thief steals the file, they cannot read it without the key.
  • Access control โ€” Rules that decide who can open which files. Like a keycard system in a building.
  • MFA (Multi-Factor Authentication) โ€” Requires a password PLUS something else (like a code on your phone) before letting someone in.

Real-world example: In 2017, Equifax (a company that stores credit information for millions of Americans) was breached. Attackers saw the personal data of about 147 million people. That was a massive confidentiality failure.

2. Integrity โ€” Keeping Data Honest

Integrity means data cannot be changed by someone who is not allowed to change it โ€” and if a change happens, we can detect it. Imagine your bank balance is $5,000. If a hacker changes it to $5, no data was stolen and no system went down โ€” but you clearly have a serious problem. That is an integrity attack.

How do we protect integrity?

  • Hashing โ€” A hash is like a fingerprint for a file. You run the file through a math function (like SHA-256) and get a unique code. If even one letter in the file changes, the fingerprint changes completely. Compare fingerprints before and after โ€” if they match, the file was not modified.
  • Digital signatures โ€” Prove both WHO created the data and that it was not changed since they signed it.
  • Version control and logging โ€” Keep records of every change, so unauthorized changes can be found and reversed.

Real-world example: When you download software, the website often shows a SHA-256 checksum. After downloading, you can generate the hash of your copy. If it matches the website's hash, your download was not tampered with on the way to you.

3. Availability โ€” Keeping Systems Running

Availability means systems and data are up and reachable when authorized users need them. A hospital's patient database must work at 3 AM during an emergency. An online store must stay online during Black Friday. If the data is perfectly confidential and perfectly accurate but the system is down โ€” security has still failed.

How do we protect availability?

  • Backups โ€” Extra copies of data stored safely, so you can recover after a disaster or ransomware attack.
  • Redundancy โ€” Duplicate equipment (two servers, two internet lines, two power supplies). If one fails, the other takes over.
  • DDoS protection โ€” Services that filter out attack traffic when criminals try to flood your website until it crashes.

Real-world example: Ransomware attacks on hospitals lock up patient systems so staff cannot access records. Surgeries get postponed and ambulances get redirected. That is an availability attack โ€” and it shows why availability can be a life-or-death matter.

How the Three Work Together

Every attack you will ever study breaks at least one part of the triad. A data leak breaks Confidentiality. A hacker modifying a website breaks Integrity. A DDoS attack breaks Availability. Ransomware is nasty because it breaks two at once: your files become unavailable, and the criminals often threaten to publish them (confidentiality) too.

Security teams also have to balance the triad. If you lock a system down too tightly (maximum confidentiality), it can become hard for real users to do their jobs (poor availability). Good security is always a balance between protection and usability.

๐Ÿงช HANDS-ON LAB: Prove Integrity with File Hashing

What you will do

You will create a file, generate its unique fingerprint (hash), secretly change the file, and watch the fingerprint change. This is exactly how professionals detect file tampering.

Tools you need (all free)
  • Windows PowerShell โ€” already installed on every Windows computer (search "PowerShell" in the Start menu). Mac/Linux users: use the built-in Terminal.
  • Notepad โ€” already installed.
Step-by-step instructions
  1. Open Notepad, type the sentence: My bank balance is $5000, and save it to your Desktop as balance.txt.
  2. Open PowerShell and type: Get-FileHash $HOME\Desktop\balance.txt -Algorithm SHA256 then press Enter. (Mac/Linux: shasum -a 256 ~/Desktop/balance.txt)
  3. Look at the long code it prints. That is the SHA-256 hash โ€” the file's fingerprint. Copy it into a second Notepad file.
  4. Now play the attacker: open balance.txt and change $5000 to $5. Save it.
  5. Run the exact same hash command again. Compare the two fingerprints โ€” they are completely different, even though you changed only three characters.
  6. Change the file back to $5000, hash it again, and confirm the fingerprint returns to the original. You have just verified integrity.
How this connects to a real cybersecurity job

SOC analysts and incident responders use hashing every day. When malware is found, the analyst takes the file's SHA-256 hash and searches it in threat databases like VirusTotal to identify the malware family. File Integrity Monitoring (FIM) tools โ€” required by the PCI DSS credit card standard โ€” automatically hash important system files and alert the SOC when a fingerprint changes, because that can mean an attacker modified the system. Digital forensics investigators hash evidence drives so they can prove in court that the evidence was never altered.

Threats & Attacks

โ˜ ๏ธ Types of Malware

  • Virus โ€” Attaches to files. Spreads when you open an infected file. Needs a host.
  • Worm โ€” Spreads BY ITSELF across networks. Does NOT need a host file. Very dangerous.
  • Trojan โ€” Disguised as legitimate software. Opens a backdoor for attackers.
  • Ransomware โ€” Encrypts your files and demands payment to unlock them.
  • Spyware โ€” Secretly monitors your activity and steals data.
  • Keylogger โ€” Records every key you type โ€” captures passwords and messages.
  • Rootkit โ€” Hides deep in the OS. Gives attacker full control. Very hard to detect.
  • Botnet โ€” Thousands of infected computers controlled by one attacker. Used for DDoS.
โญ EXAM TIP: Worm = self-replicating. Virus = needs a host. Trojan = pretends to be good software.

Start Here โ€” What Is Malware?

Malware is short for "malicious software" โ€” any program written to cause harm. Just like there are many kinds of crime in the real world, there are many kinds of malware, and each one behaves differently. Your job as a security student is to know each type by its behavior: how it spreads, what it does, and how we stop it.

Virus โ€” Needs a Host to Live

A computer virus works like a biological virus: it cannot survive on its own. It attaches itself to a host โ€” a real file, like a Word document or a program โ€” and it only spreads when a human opens or shares that infected file. No human action, no infection. Viruses can corrupt files, slow down machines, or destroy data.

Example: The famous "Melissa" virus (1999) hid inside a Word document. When someone opened it, it emailed itself to the first 50 people in their address book โ€” but it still needed each new victim to open the attachment.

Worm โ€” Spreads All by Itself

A worm is more dangerous because it does not need a host file and does not need a human to click anything. A worm scans the network, finds other vulnerable computers, and copies itself to them automatically. One infected laptop can infect an entire company overnight.

Example: WannaCry (2017) was a worm that spread through a Windows file-sharing flaw (port 445, the EternalBlue exploit). It infected over 200,000 computers in 150 countries in a few days โ€” hospitals in the UK had to cancel appointments because their systems were locked.

Trojan โ€” The Liar

Named after the wooden Trojan Horse story. A trojan pretends to be something useful โ€” a free game, a PDF reader, a "cracked" version of paid software โ€” but when you install it, it secretly installs malware too. Trojans commonly open a backdoor: a hidden entrance that lets the attacker into your computer later, whenever they want.

Key difference: A trojan does not spread itself. It tricks YOU into installing it. This is why you should never download software from unofficial websites.

Ransomware โ€” The Kidnapper

Ransomware encrypts (locks) all your files, then shows a message demanding payment โ€” usually in cryptocurrency โ€” for the key to unlock them. Modern ransomware gangs also use double extortion: they steal a copy of your data first, then threaten to publish it if you refuse to pay. Ransomware is currently the number one money-making crime in cybersecurity.

Best defense: Offline backups. If you have a clean backup, you can restore your files without paying. This is why backup strategy is a security topic, not just an IT topic.

Spyware and Keyloggers โ€” The Stalkers

Spyware hides on your device and quietly watches: your browsing, your files, sometimes your camera and microphone. A keylogger is a special kind of spyware that records every key you press. Think about what you type in a day โ€” usernames, passwords, credit card numbers, private messages. A keylogger captures all of it and sends it to the attacker.

Rootkit โ€” The Ghost

A rootkit buries itself deep inside the operating system โ€” sometimes below the operating system โ€” and hides its own existence. It can lie to the antivirus, hide files, and hide running programs. The name comes from "root," the all-powerful admin account on Linux. Rootkits are extremely hard to remove; often the only safe fix is to completely wipe the machine and reinstall everything.

Botnet โ€” The Zombie Army

When malware quietly takes control of thousands of computers, those machines become bots (or "zombies"), and together they form a botnet controlled by one criminal called the bot herder. The infected owners usually have no idea. Botnets are rented out to send spam, mine cryptocurrency, and launch DDoS attacks โ€” flooding a target website with traffic from thousands of machines at once.

Example: The Mirai botnet (2016) infected smart cameras and home routers โ€” not even computers โ€” and used them to knock major websites like Twitter and Netflix offline for hours.

How Professionals Fight Malware

  • Antivirus / EDR โ€” Endpoint Detection and Response tools watch every computer for malicious behavior, not just known virus signatures.
  • Patching โ€” Worms exploit unpatched flaws. Keeping systems updated closes the doors they use.
  • Least privilege โ€” If users are not administrators, malware they run has less power.
  • User training โ€” Trojans and ransomware usually arrive through phishing. Trained humans are a defense layer.

๐Ÿงช HANDS-ON LAB: Test Antivirus Safely with EICAR + Analyze Malware Hashes in VirusTotal

What you will do

You will safely trigger your antivirus using the harmless industry-standard EICAR test file, then use VirusTotal โ€” the same tool SOC analysts use daily โ€” to investigate a file's reputation. Nothing in this lab involves real malware.

Tools you need (all free)
  • Windows Defender โ€” already built into Windows (any antivirus works).
  • EICAR test file โ€” from the official site eicar.org (a harmless text string that all antivirus products agree to detect as if it were malware, made exactly for safe testing).
  • VirusTotal โ€” free website at virustotal.com, no install needed.
Step-by-step instructions
  1. Open Notepad and type this exact string on one line: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  2. Try to save it as test.txt on your Desktop. Within seconds, Windows Defender should detect and quarantine it. You just watched real-time protection do its job.
  3. Open Windows Security โ†’ Protection history. Find the detection event. Read what it says: detection name, file path, action taken. This is the same kind of alert a SOC analyst reads.
  4. Now go to virustotal.com, click the Search tab, and paste this SHA-256 hash of the EICAR file: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
  5. Study the results page: how many antivirus engines flag it, the detection names, and the Details tab showing file hashes (MD5, SHA-1, SHA-256).
  6. Bonus: upload any harmless file from your computer (like a photo) and see how VirusTotal reports 0 detections. Notice you can check a hash WITHOUT uploading the file โ€” professionals prefer this because uploading company files can leak data.
How this connects to a real cybersecurity job

This is the daily bread of a Tier 1 SOC analyst. When an antivirus alert appears in the SIEM, the analyst copies the file hash and checks it in VirusTotal and other threat intelligence tools to answer: is this a false alarm or real malware? What family is it โ€” ransomware, trojan, worm? Their triage decision determines whether the incident gets escalated. Malware analysts go deeper, running samples in isolated sandboxes to study behavior. Knowing how to safely test detection (EICAR) and investigate file reputation (VirusTotal) is a skill you can mention in job interviews.

Threats & Attacks

๐ŸŽญ Social Engineering

Social engineering tricks PEOPLE instead of hacking technology. The human is the vulnerability.
  • Phishing โ€” Fake email pretending to be a trusted company (bank, IRS, Microsoft)
  • Spear Phishing โ€” Targeted phishing. Attacker knows your name, company, and boss's name.
  • Whaling โ€” Spear phishing targeting executives (CEO, CFO).
  • Vishing โ€” Voice phishing over the phone. "Your bank account is compromised."
  • Smishing โ€” SMS/text phishing. "Click here to claim your prize."
  • Pretexting โ€” Attacker creates a fake scenario. "I'm from IT โ€” I need your password."
  • Tailgating โ€” Following an authorized person through a secure door without swiping.
  • Baiting โ€” Leaving infected USB drives in parking lots hoping someone plugs them in.
โญ EXAM TIP: Best defense against social engineering = SECURITY AWARENESS TRAINING.

Start Here โ€” Why Hack a Computer When You Can Trick a Human?

Companies spend millions of dollars on firewalls, antivirus, and encryption. But there is one part of every system that cannot be patched with software: the human being. Social engineering is the art of manipulating people into giving up information or access. It is behind the majority of successful breaches today โ€” most attacks do not start with genius hacking; they start with one person clicking one link.

Social engineers exploit basic human emotions:

  • Fear โ€” "Your account will be closed in 24 hours!"
  • Urgency โ€” "The CEO needs this wire transfer NOW."
  • Trust in authority โ€” "This is IT support / the IRS / your bank."
  • Curiosity โ€” "Salary_Report_2026.xlsx" left on a USB drive.
  • Desire to help โ€” Humans naturally hold doors open and answer questions politely.

The Phishing Family โ€” Know Each Member

Phishing is the mass-mail version: the attacker sends thousands of identical fake emails ("Your Netflix payment failed โ€” update your card") hoping a small percentage of people click. The link leads to a fake login page that steals your password, or the attachment installs malware.

Spear phishing is targeted. The attacker researches YOU first โ€” your name, your job, your manager's name, projects you work on (often from LinkedIn). The email looks like it comes from a coworker and references real details. Far more convincing, far more dangerous.

Whaling targets the "big fish" โ€” CEOs, CFOs, directors. These accounts can approve payments and access everything, so criminals invest weeks preparing one perfect email.

Vishing is voice phishing โ€” a phone call. "This is your bank's fraud department. We detected suspicious activity. To secure your account, confirm your card number." Attackers now use AI voice cloning to sound like real people, even a victim's own boss or family member.

Smishing is phishing by SMS/text: fake delivery notifications ("Your package is held โ€” pay $1.99 customs fee") and fake bank alerts, with links to credential-stealing pages.

In-Person and Scenario Attacks

Pretexting means inventing a believable story (a pretext) to extract information. Classic example: calling an employee while pretending to be the IT help desk โ€” "We're migrating email servers tonight, I just need your username and password to move your mailbox." A good pretexter sounds friendly, confident, and busy.

Tailgating (also called piggybacking) is physical: the attacker follows an employee through a badge-controlled door before it closes, often carrying coffee cups or boxes so the polite employee holds the door open. Once inside, they can plug devices into the network or steal equipment.

Baiting uses a tempting object. The classic is a USB drive labeled "Payroll" or "Confidential" dropped in the parking lot. Studies show a large share of found drives get plugged in. The drive then silently installs malware.

How Organizations Defend Against Social Engineering

  • Security awareness training โ€” Teach every employee to spot the tricks. This is THE number one defense, and it appears on the exam that way.
  • Phishing simulations โ€” Companies send fake phishing emails to their own staff to measure and improve awareness.
  • Verification procedures โ€” Any request for money or credentials must be verified through a second channel (call the person back on a known number).
  • MFA โ€” Even if a password gets phished, the attacker still cannot log in without the second factor.
  • Email filtering โ€” Blocks many phishing emails before humans ever see them.

๐Ÿงช HANDS-ON LAB: Spot the Phish โ€” Train Your Eye Like a SOC Analyst

What you will do

You will take Google's phishing detection challenge, then dissect a real email header to trace where a message truly came from โ€” the same skill email security analysts use to investigate reported phishing.

Tools you need (all free)
  • Google Phishing Quiz โ€” free website: phishingquiz.withgoogle.com
  • Your own email account (Gmail works best for this exercise).
  • MXToolbox Email Header Analyzer โ€” free website: mxtoolbox.com/EmailHeaders.aspx
Step-by-step instructions
  1. Go to phishingquiz.withgoogle.com. Enter any made-up name and email (it's a simulation). Work through all 8 examples, deciding: phishing or legitimate?
  2. For every one you get wrong, read the explanation carefully. Note the tricks: lookalike domains (paypa1.com), mismatched link text vs. real URL, urgent language, unexpected attachments.
  3. Now open any email in your Gmail. Click the three dots menu โ†’ Show original. This displays the raw email header โ€” the email's travel record.
  4. Copy the whole header, paste it into mxtoolbox.com/EmailHeaders.aspx, and click Analyze.
  5. Study the output: the "From" address vs. the actual sending server, each "Received" hop the email took, and the SPF/DKIM/DMARC results (these verify whether the sender is authorized to send for that domain โ€” Pass is good, Fail is suspicious).
  6. Practice: hover over (do NOT click) links in a few promotional emails and compare the displayed text with the true destination URL shown at the bottom of your browser.
How this connects to a real cybersecurity job

Phishing investigation is one of the most common daily tasks for a Tier 1 SOC analyst and email security specialist. When an employee clicks "Report Phishing," an analyst pulls the email header, checks SPF/DKIM/DMARC results, extracts URLs and attachments, checks them against threat intelligence, then decides: delete the email from all mailboxes, block the sender domain, and check whether anyone clicked. Companies also employ security awareness coordinators who run phishing simulation programs. Being able to read a header and explain WHY an email is fake is a genuine interview-ready skill.

Threats & Attacks

๐Ÿ’ฅ Network-Based Attacks

  • DDoS โ€” Flooding a server with traffic from thousands of sources until it crashes
  • MITM (Man-in-the-Middle) โ€” Attacker secretly intercepts communication between two parties
  • ARP Poisoning โ€” Fake ARP replies redirect traffic through the attacker's machine
  • DNS Spoofing โ€” Corrupts DNS records to redirect users to fake websites
  • SQL Injection โ€” Injects malicious SQL code into forms/URLs to steal or destroy a database
  • XSS (Cross-Site Scripting) โ€” Injects scripts into websites to attack users who visit
  • Zero-Day โ€” Exploits a vulnerability with NO patch yet. Most dangerous type.
  • Replay Attack โ€” Captures valid authentication data and re-sends it to gain access
โญ EXAM TIP: Zero-Day = no patch. SQL Injection = database attack. DDoS = availability attack.

Start Here โ€” Attacks That Travel Over the Network

Once computers talk to each other over a network, attackers gain new ways in. Network-based attacks target the connections between systems rather than tricking a person. To understand them, remember the CIA Triad: some of these attacks break Availability (DDoS), some break Confidentiality (MITM), and some break Integrity (DNS spoofing). Let's go one by one, in plain language.

DDoS โ€” Flooding the System

DoS stands for Denial of Service. The goal is to make a website or server unavailable to real users. A simple DoS comes from one machine. A DDoS (Distributed Denial of Service) comes from thousands of machines at once โ€” usually a botnet. Imagine a shop with one door. If 10,000 fake customers crowd the doorway, real customers can't get in. DDoS attacks Availability, the "A" in CIA.

MITM โ€” The Eavesdropper in the Middle

In a Man-in-the-Middle attack, the criminal secretly sits between you and the website you're talking to. You think you're talking directly to your bank; really, everything passes through the attacker first. They can read it (breaking confidentiality) and even change it (breaking integrity). This is why public Wi-Fi is risky and why HTTPS encryption matters so much โ€” encryption makes intercepted data unreadable.

ARP Poisoning โ€” Lying About Addresses

On a local network, devices use ARP (Address Resolution Protocol) to match IP addresses to hardware (MAC) addresses. ARP was designed with no security โ€” it trusts any reply. In ARP poisoning, the attacker sends fake ARP replies saying "I am the router," so all your traffic flows through the attacker's computer first. It is a common way to set up a Man-in-the-Middle attack on a local network.

DNS Spoofing โ€” Poisoning the Phone Book

DNS (Domain Name System) is the internet's phone book: it turns a name like yourbank.com into an IP address. In DNS spoofing (or cache poisoning), the attacker corrupts these records so that when you type the real bank address, you are silently sent to a fake copy of the site that steals your login. The web address can look correct while the destination is fake.

SQL Injection โ€” Talking to the Database Directly

Many websites store data in an SQL database (users, passwords, orders). When a website is poorly built, an attacker can type database commands into a normal input box โ€” like a login or search field โ€” and the website mistakenly runs them. This is SQL injection. A classic trick types ' OR '1'='1 into a login form to fool the site into logging in without a valid password. Consequences: stealing entire databases, deleting data, or bypassing logins. This attacks the database, and it is one of the most famous web vulnerabilities in history.

XSS โ€” Attacking the Website's Visitors

Cross-Site Scripting (XSS) is different from SQL injection: instead of attacking the database, it attacks other users who visit the site. The attacker injects malicious JavaScript into a page (for example, in a comment field). When other visitors load that page, their browsers run the attacker's script โ€” which can steal their session cookies and hijack their accounts.

Easy way to remember: SQL injection attacks the server's database. XSS attacks the other users' browsers.

Zero-Day โ€” The Attack With No Defense Yet

A zero-day is a vulnerability that the software maker does not yet know about, so there is no patch. Attackers who discover it can exploit it freely โ€” defenders have had "zero days" to prepare. These are the most dangerous and most valuable attacks, because standard "just update your software" advice cannot help until the vendor releases a fix.

Replay Attack โ€” Recording and Re-Sending

In a replay attack, the attacker captures valid data โ€” such as an encrypted "unlock the door" command or a login token โ€” and simply sends it again later to gain access, without ever needing to understand or decrypt it. Defenses include timestamps, session tokens, and one-time numbers (nonces) that make each message valid only once.

How Professionals Defend the Network

  • Encryption (HTTPS/TLS, VPNs) โ€” Defeats MITM and eavesdropping.
  • Input validation and parameterized queries โ€” Stop SQL injection and XSS at the source.
  • Web Application Firewall (WAF) โ€” Filters malicious web requests.
  • Patch management โ€” Closes known vulnerabilities before they are exploited.
  • DDoS mitigation services โ€” Absorb and filter flood traffic (e.g., Cloudflare).
  • Network monitoring / IDS / IPS โ€” Detect strange traffic like ARP poisoning.

๐Ÿงช HANDS-ON LAB: Practice SQL Injection Safely in a Legal Training App

What you will do

You will run a real (but harmless) SQL injection against a deliberately vulnerable practice website that is built for learning. You will bypass a login and understand exactly why the attack works. Important: only ever do this on apps you own or that are designed for practice. Attacking real sites is illegal.

Tools you need (all free)
  • OWASP Juice Shop โ€” a free, legal, deliberately vulnerable practice website. Easiest path: use the free hosted demo at demo.owasp-juice.shop (no install), or run your own from owasp.org/www-project-juice-shop.
  • DVWA (Damn Vulnerable Web Application) โ€” another free legal target if you want more practice: github.com/digininja/DVWA
  • A web browser โ€” you already have one.
Step-by-step instructions
  1. Open the OWASP Juice Shop demo site in your browser. Click Account โ†’ Login.
  2. In the Email field, type this classic injection: ' OR 1=1-- and type anything in the password field.
  3. Click Log in. If the app is vulnerable (it is, on purpose), you get logged in as the first user without knowing any real password. You just performed authentication bypass.
  4. Think about WHY: the app pasted your text straight into a database query, so OR 1=1 made the condition always true, and -- commented out the password check.
  5. Explore the Juice Shop "Score Board" (a hidden page it teaches you to find) for guided challenges of increasing difficulty, each mapped to a real vulnerability type.
  6. Reflect on the fix: developers prevent this using parameterized queries, which keep user input as data, never as commands.
How this connects to a real cybersecurity job

Penetration testers and application security engineers do exactly this for a living โ€” legally testing company web apps to find injection flaws before criminals do, then writing reports telling developers how to fix them. On the defensive side, SOC analysts recognize SQL injection attempts in web server logs and WAF alerts (spotting patterns like ' OR 1=1 or UNION SELECT in URLs). OWASP Juice Shop is so widely used for training that mentioning it in an interview signals you understand the OWASP Top 10, the industry-standard list of web risks.

Networking

๐ŸŒ Must-Know Ports โ€” Security+ & Network+

PortProtocolWhat It DoesEncrypted?
20/21FTPFile Transfer โ€” sends files between computersโŒ No โ€” use SFTP
22SSH / SFTPSecure Shell โ€” encrypted remote login and secure file transferโœ… Yes
23TelnetOld remote login โ€” plain text. NEVER use this. Use SSH instead.โŒ No
25SMTPSending email (Simple Mail Transfer Protocol)โŒ Basic โ€” use port 587
53DNSConverts website names (google.com) to IP addressesโŒ Standard
67/68DHCPAutomatically assigns IP addresses to devices on a networkโŒ No
80HTTPUnencrypted web browsing โ€” NEVER enter passwords on HTTP sitesโŒ No โ€” use HTTPS
110POP3Receiving email โ€” downloads to device and deletes from serverโŒ No
143IMAPReceiving email โ€” keeps on server, syncs across all devicesโŒ No
443HTTPSEncrypted web browsing โ€” the padlock in your browser. Always use this.โœ… Yes (TLS)
445SMBWindows file sharing. WannaCry/EternalBlue attacked this port.โš ๏ธ High Risk if exposed
3389RDPRemote Desktop Protocol โ€” Windows remote access. High-risk if exposed.โš ๏ธ Often targeted
โญ EXAM TIP: Port 80 = HTTP = no encryption. Port 443 = HTTPS = encrypted. Port 22 = SSH = secure. Port 23 = Telnet = insecure. Port 3389 = RDP = remote desktop.

Start Here โ€” What Is a Port, Really?

Every computer has one IP address, but it runs many services at the same time โ€” web, email, file sharing, remote login. How does incoming data know which service it belongs to? The answer is ports. Think of the IP address as a building's street address, and ports as the individual apartment numbers inside. Port 80 is the "web browsing apartment." Port 25 is the "sending email apartment." When data arrives, the port number tells the computer which service should handle it.

There are 65,535 ports, but for Security+ and Network+ you must memorize the common ones below. Examiners love asking "which port does X use?" and "is this port encrypted?" Knowing these cold earns easy points and, more importantly, helps you spot danger on a real network.

The Two Big Questions for Every Port

For each port, always ask: (1) What service uses it? and (2) Is the traffic encrypted or plain text? Plain-text protocols send data โ€” including passwords โ€” in readable form, so anyone intercepting the traffic can read it. That is why we replace old plain-text protocols with encrypted ones.

File Transfer and Remote Access

FTP (20/21) transfers files but sends everything, including your password, in plain text โ€” insecure. SSH (22) gives you an encrypted remote command line and also powers SFTP, the secure way to transfer files. Telnet (23) is the ancient, plain-text version of remote login โ€” never use it; SSH replaced it. RDP (3389) is Windows Remote Desktop; it is powerful and therefore heavily targeted โ€” attackers constantly scan the internet for exposed RDP to break into.

Email Ports

SMTP (25) sends email out. POP3 (110) downloads email to one device and removes it from the server. IMAP (143) keeps email on the server and syncs it across all your devices โ€” which is why your phone and laptop show the same inbox. The basic versions are unencrypted; secure email uses encrypted variants (like port 587 with encryption for sending, 993 for secure IMAP, 995 for secure POP3).

Web and Core Network Services

HTTP (80) is unencrypted web traffic โ€” never type a password on an HTTP page. HTTPS (443) is encrypted with TLS โ€” this is the padlock in your browser and the standard for all modern websites. DNS (53) translates names to IP addresses. DHCP (67/68) automatically hands out IP addresses to devices when they join a network. SMB (445) is Windows file sharing; because the WannaCry worm spread through it, an exposed port 445 is a serious red flag.

Why This Matters for Security

Attackers begin by scanning which ports are open on a target โ€” open ports are doors, and each door is a potential way in. Defenders do the opposite: they close unneeded ports and monitor the ones that stay open. If you see Telnet (23) open on a company server, that is a finding you would report. If you see RDP (3389) exposed to the whole internet, that is a critical risk. Knowing ports turns a wall of numbers into a security story you can actually read.

๐Ÿงช HANDS-ON LAB: Scan for Open Ports with Nmap

What you will do

You will use Nmap โ€” the world's most famous port scanner โ€” to discover which ports and services are open on a machine you are legally allowed to scan. You will read the results the way a security professional does. Only scan your own computer or the official practice target below. Scanning others without permission is illegal.

Tools you need (all free)
  • Nmap โ€” the free industry-standard scanner. Download from the official site nmap.org/download (Windows installer includes the Zenmap graphical version).
  • scanme.nmap.org โ€” a server the Nmap project officially provides for people to legally practice scanning.
Step-by-step instructions
  1. Install Nmap from nmap.org. On Windows, this also installs Zenmap, a point-and-click version if you prefer buttons over typing.
  2. Open a terminal / command prompt and scan your own machine first: type nmap localhost and press Enter. Read the list of open ports and the service names beside them.
  3. Now scan the official practice target: nmap scanme.nmap.org. (This is explicitly allowed by the Nmap project.)
  4. Run a service/version scan to see WHAT software is behind each port: nmap -sV scanme.nmap.org. Notice how it identifies the exact server software and version.
  5. For each open port, match it to your notes: is it 22 (SSH), 80 (HTTP), 443 (HTTPS)? Is it encrypted or plain text?
  6. Write a two-sentence "finding" for one port, as an analyst would: which port, which service, and whether it looks risky.
How this connects to a real cybersecurity job

Port scanning is a core task for penetration testers (finding an organization's exposed services during an authorized assessment) and for vulnerability analysts and network administrators (auditing their own networks to close ports that should not be open). SOC analysts see the other side: they detect unauthorized scans hitting the company and investigate them as possible reconnaissance. Nmap is on almost every cybersecurity job description that mentions "network scanning," so hands-on Nmap experience is directly resume-worthy.

Networking

๐Ÿ›ก๏ธ Firewalls & Security Devices

  • Firewall โ€” Filters traffic based on rules (ports, IPs, protocols). First line of defense.
  • Packet Filtering Firewall โ€” Checks packet headers only. Fast but basic.
  • Stateful Firewall โ€” Tracks the state of connections. More intelligent.
  • NGFW โ€” Next-Gen Firewall. Deep packet inspection, app control, built-in IPS.
  • IDS โ€” Intrusion Detection System. Monitors and ALERTS only. Does NOT block. Read-only.
  • IPS โ€” Intrusion Prevention System. Monitors AND BLOCKS automatically. Active defense.
  • WAF โ€” Web Application Firewall. Protects web apps from SQL injection, XSS, etc.
  • DMZ โ€” Demilitarized Zone. Network between public and private. Web servers go here.
โญ EXAM TIP: IDS = detect only. IPS = detect AND prevent. Detection = passive. Prevention = active.

Start Here โ€” The Security Guards of the Network

If a network is like a building, then firewalls and security devices are the guards, gates, and alarm systems. Their job is to decide what traffic gets in, what gets out, and to raise the alarm when something looks wrong. This topic is about knowing which device does which job โ€” a favorite exam area because the names sound similar but the roles are very different.

The Firewall โ€” The Gate With Rules

A firewall is the first line of defense. It sits between two networks (usually your private network and the internet) and enforces a set of rules about what traffic is allowed. Rules are based on things like port numbers, IP addresses, and protocols. For example: "Allow web traffic on port 443, block everything on port 23 (Telnet)." Anything not explicitly allowed is denied. This "default deny" idea is central to security.

Generations of Firewalls

Packet-filtering firewall โ€” the simplest. It looks only at the "envelope" of each packet (source, destination, port) and decides yes or no. Fast, but it does not understand the conversation as a whole.

Stateful firewall โ€” smarter. It remembers the state of active connections. If your computer starts a conversation with a website, the stateful firewall knows to let the website's replies back in โ€” but it blocks unexpected traffic that no one asked for. This context makes it much harder to sneak past.

NGFW (Next-Generation Firewall) โ€” the modern all-in-one. On top of stateful filtering, it does deep packet inspection (looking inside the traffic, not just the envelope), application control (it can tell Facebook traffic from Zoom traffic even on the same port), and often includes a built-in IPS and antivirus. Most business firewalls today are NGFWs.

IDS vs IPS โ€” The Most Important Distinction

These two get confused constantly, so learn the difference clearly. An IDS (Intrusion Detection System) watches network traffic and alerts a human when it sees something suspicious โ€” but it does not stop it. Think of it as a security camera: it records and sounds an alarm, but it cannot lock the door. IDS is passive.

An IPS (Intrusion Prevention System) also detects suspicious traffic, but it can automatically block it in real time. Think of it as a security guard who can slam the gate shut. IPS is active. Because an IPS sits directly in the traffic path and can block, a mistake (a false positive) could accidentally block legitimate business traffic โ€” so tuning it correctly matters.

Memory hook: IDS = Detect only. IPS = Prevent. Detection is passive; prevention is active.

WAF โ€” The Web App Bodyguard

A regular firewall does not understand website attacks like SQL injection or XSS. A WAF (Web Application Firewall) specializes in exactly that: it sits in front of a web application and inspects web requests for malicious patterns, blocking things like injection attempts before they reach the app.

DMZ โ€” The Safe Buffer Zone

A DMZ (Demilitarized Zone) is a separate network segment that sits between the public internet and your private internal network. You put internet-facing servers โ€” like your public web server and email server โ€” in the DMZ. That way, if a hacker breaks into the web server, they are stuck in the DMZ and still separated from your sensitive internal systems. It is like a hotel lobby: guests can enter the lobby, but they still cannot walk into the private offices.

How Professionals Use These Devices

Security teams layer these tools together โ€” this is called defense in depth. A firewall filters at the edge, an IPS blocks known attack patterns, a WAF protects the web apps, an IDS quietly watches and feeds alerts into the SOC's SIEM, and the DMZ keeps public servers isolated. No single device does everything; strength comes from the layers.

๐Ÿงช HANDS-ON LAB: Build and Test Firewall Rules on Your Own Computer

What you will do

You will inspect your computer's built-in firewall, create a rule, and test it โ€” seeing exactly how a firewall allows and blocks traffic. This uses only your own machine, so it is completely safe and legal.

Tools you need (all free)
  • Windows Defender Firewall โ€” already built into Windows (search "Windows Defender Firewall with Advanced Security").
  • Optional, for a deeper lab: pfSense โ€” a free, professional-grade firewall you can run in a virtual machine. Download from pfsense.org/download. Run it inside free VirtualBox (virtualbox.org).
Step-by-step instructions (Windows Firewall)
  1. Open "Windows Defender Firewall with Advanced Security" from the Start menu.
  2. Click Outbound Rules on the left, then New Rule on the right. Read each screen โ€” this is where rules are born.
  3. Choose Program, then browse to a program you can safely test (for example, your web browser). Choose Block the connection. Name it "TEST BLOCK".
  4. Try to open a website in that browser โ€” it should now fail, because your firewall rule blocks its outbound traffic. You just watched a firewall enforce a rule.
  5. Go back, disable or delete the TEST BLOCK rule, and confirm the browser works again. Always clean up test rules.
  6. Explore Inbound Rules and notice how the firewall already blocks unsolicited incoming connections by default (default deny in action).
Bonus (pfSense)

Install pfSense in VirtualBox to configure a real business firewall: create allow/deny rules, set up a DMZ interface, and enable the Snort IDS/IPS package. This mirrors an enterprise firewall closely.

How this connects to a real cybersecurity job

Firewall administration is a daily job for network security engineers and firewall administrators: they write and review rules, remove risky "any-any" rules, and segment networks with DMZs. SOC analysts read firewall logs to investigate blocked and allowed connections during incidents. Being able to say "I've built firewall rules and configured pfSense with an IDS" is concrete, hands-on experience that stands out for entry-level network security and SOC roles.

Networking

๐Ÿ“ก Wireless Security Protocols

  • WEP โ€” BROKEN. Deprecated. Never use. Can be cracked in minutes.
  • WPA โ€” Better than WEP but still has known weaknesses.
  • WPA2 โ€” Uses AES encryption. Widely used standard.
  • WPA3 โ€” Latest. Strongest encryption. Required for Wi-Fi 6 devices.
  • Evil Twin โ€” Fake Wi-Fi hotspot with same name as the real one. Attacker sees all your traffic.
  • War Driving โ€” Driving around scanning for open/weak Wi-Fi networks.
  • Deauth Attack โ€” Attacker kicks you off Wi-Fi, forcing reconnection through their device.
โญ EXAM TIP: WEP = broken. Use WPA3. Public Wi-Fi = always use a VPN.

Start Here โ€” Why Wi-Fi Needs Special Protection

Wired networks keep data inside cables. Wi-Fi broadcasts your data through the air, in every direction, where anyone nearby with the right tool can catch it. That is why wireless security exists: to scramble that airborne data so only the right devices can read it. Over the years the protocols got stronger as older ones were cracked. Knowing the order โ€” and which are safe today โ€” is essential exam knowledge and real-world safety.

The Wireless Encryption Timeline

WEP (Wired Equivalent Privacy) โ€” the original, from the late 1990s. It is completely broken. Its encryption has fatal flaws, and free tools can crack a WEP password in minutes. If you ever see WEP in use, treat it as no protection at all. Never use it.

WPA (Wi-Fi Protected Access) โ€” the quick replacement for WEP. Better, but it was built on some of the same weak foundations and also has known vulnerabilities. Considered outdated.

WPA2 โ€” the standard that ruled for over a decade. It uses AES, a strong encryption algorithm, and is still widely used today. It is solid when configured with a strong password, though it has some known weaknesses (like the KRACK attack).

WPA3 โ€” the latest and strongest. It improves password protection (making guessing attacks much harder), protects even open public networks with individual encryption, and is required for the newest Wi-Fi 6 certified devices. When available, always choose WPA3.

Wireless Attacks You Must Know

Evil Twin โ€” The attacker sets up a fake Wi-Fi access point with the same name (SSID) as a real one โ€” say, "Airport_Free_WiFi." Your device connects to the stronger fake signal, and now all your traffic flows through the attacker. It is a Man-in-the-Middle attack built out of a fake hotspot. This is why you should never do banking on unknown public Wi-Fi without a VPN.

War Driving โ€” Literally driving around a city with a laptop or phone scanning for Wi-Fi networks, mapping which ones are open or weakly protected. Attackers use it to find easy targets; the name is a nod to older "war dialing."

Deauthentication (Deauth) attack โ€” The attacker sends forged "disconnect" frames to kick your device off the real Wi-Fi. Frustrated, your device reconnects โ€” and the attacker can use that moment to capture the connection handshake (to crack the password) or push you onto their Evil Twin.

How Professionals Secure Wireless

  • Use WPA3 (or WPA2-AES at minimum) with a long, strong passphrase.
  • Separate guest Wi-Fi from the internal business network.
  • Use a VPN on public Wi-Fi so even an Evil Twin only sees encrypted traffic.
  • Wireless intrusion detection โ€” Enterprise systems detect rogue access points and deauth floods.
  • Disable WEP/WPA everywhere and retire equipment that only supports them.

๐Ÿงช HANDS-ON LAB: Survey the Wi-Fi Around You Like a Wireless Analyst

What you will do

You will scan the wireless networks near you and read their security settings โ€” spotting which use strong encryption (WPA2/WPA3), which are weak or open, and understanding the risk. This is passive observation of signals in the air on equipment you own, which is legal. Do not attempt to connect to or attack networks you do not own.

Tools you need (all free)
  • Windows: the built-in command prompt (no install), plus optional free WiFi Analyzer from the Microsoft Store.
  • Android: free WiFiAnalyzer (open-source) by VREM from the Play Store.
  • Advanced/optional: Kali Linux (free, kali.org) which includes professional wireless tools, run in VirtualBox with a compatible adapter.
Step-by-step instructions (Windows, no install)
  1. Open Command Prompt and type: netsh wlan show networks mode=bssid then press Enter.
  2. Read the output. For each network you will see the SSID (name), signal strength, and the Authentication type โ€” for example WPA2-Personal or WPA3.
  3. Make a small table: network name, encryption type, and your risk rating (Open = high risk, WEP/WPA = weak, WPA2 = good, WPA3 = best).
  4. Now check your own home router's admin page (usually 192.168.1.1) and confirm which protocol it uses. If it is on WEP or WPA, that is a finding โ€” upgrade it to WPA2/WPA3.
  5. Install the free WiFi Analyzer app to see a visual graph of channels and signal strength, and identify which networks overlap.
  6. Write one sentence recommending a fix for the weakest network you found (that you own).
How this connects to a real cybersecurity job

Wireless security assessments are a real service that penetration testers and security consultants perform for clients โ€” surveying the airwaves, finding rogue access points, and testing whether Wi-Fi encryption can be cracked. Network administrators run wireless site surveys to place access points and enforce WPA3. SOC and physical security teams watch for Evil Twin and deauth attacks. Even the simple skill of reading a network's authentication type and rating its risk is exactly the mindset employers want in entry-level security staff.

Cryptography

๐Ÿ” Encryption Types

Encryption scrambles data so only the right person with the right key can read it.
  • Symmetric Encryption โ€” Same key encrypts AND decrypts. Fast. Problem: how to share the key safely? (AES, DES, 3DES)
  • Asymmetric Encryption โ€” Two keys: PUBLIC key (everyone gets it) + PRIVATE key (only you keep it). Slower but more secure. (RSA, ECC)
  • Hashing โ€” One-way. Turns data into a fixed-length fingerprint. Cannot be reversed. Verifies integrity. (MD5, SHA-1, SHA-256)
  • Salting โ€” Adds random data to password BEFORE hashing. Defeats rainbow table attacks.
AES = Symmetric RSA = Asymmetric SHA-256 = Hash
โญ EXAM TIP: AES = best symmetric. RSA = best asymmetric. SHA-256 = best hash. MD5 and SHA-1 = BROKEN. Never use for security.

Start Here โ€” What Problem Does Encryption Solve?

Encryption exists to keep data secret from people who should not read it. It takes readable data (called plaintext) and scrambles it into unreadable data (called ciphertext) using a key. Only someone with the correct key can turn it back into readable form. If a thief steals encrypted data without the key, all they get is meaningless garbage. There are three big cryptography ideas you must master: symmetric encryption, asymmetric encryption, and hashing. Let's build them up slowly.

1. Symmetric Encryption โ€” One Shared Key

In symmetric encryption, the same key both locks (encrypts) and unlocks (decrypts) the data. Imagine a physical box with one key: you lock it and mail it, and your friend uses an identical key to open it. It is very fast, which makes it perfect for encrypting large amounts of data โ€” files, hard drives, video streams.

The catch is the key distribution problem: how do you get that secret key to the other person without an eavesdropper copying it along the way? If you email the key, anyone reading the email now has it. This problem is exactly what asymmetric encryption was invented to solve.

Examples: AES is the modern gold standard (used everywhere, very strong). DES and 3DES are older and now considered weak or retired.

2. Asymmetric Encryption โ€” A Pair of Keys

Asymmetric encryption uses two mathematically linked keys: a public key that you can share with the whole world, and a private key that you keep secret forever. Here is the magic: anything locked with your public key can only be unlocked with your private key.

So if someone wants to send you a secret, they encrypt it with your public key (which everyone has). Only your private key can decrypt it โ€” so only you can read it. The key distribution problem disappears, because the public key was never a secret. The trade-off is that asymmetric encryption is slower, so it is not used for bulk data.

The clever real-world combo: HTTPS uses asymmetric encryption just at the start, to safely exchange a symmetric key. Then both sides switch to fast symmetric encryption for the actual conversation. You get the safety of asymmetric plus the speed of symmetric.

Examples: RSA (the classic) and ECC (Elliptic Curve โ€” strong with smaller keys, great for phones).

3. Hashing โ€” A One-Way Fingerprint

Hashing is different from encryption because it is one-way โ€” you cannot reverse it back to the original. A hash function takes any input and produces a fixed-length code (the hash, or digest). The same input always gives the same hash, but even a tiny change in the input produces a wildly different hash.

Hashing does not hide data; it verifies integrity โ€” proving data was not changed. It is also how passwords should be stored: a website stores the hash of your password, not the password itself. When you log in, it hashes what you typed and compares. Even the company cannot see your actual password.

Examples: SHA-256 is the current strong standard. MD5 and SHA-1 are broken โ€” attackers can create collisions โ€” so never use them for security.

4. Salting โ€” Stopping Password Shortcuts

Attackers use rainbow tables โ€” giant precomputed lists of common passwords and their hashes โ€” to reverse stolen password hashes quickly. Salting defeats this: before hashing, the system adds a unique random value (the "salt") to each password. Now every password hash is unique even if two users chose the same password, and the attacker's precomputed tables become useless. Modern systems always salt password hashes.

Putting It Together

Remember the jobs: Symmetric (AES) = fast bulk encryption, one shared key. Asymmetric (RSA/ECC) = solves key sharing, public + private key pair. Hashing (SHA-256) = one-way integrity check and password storage. Salting = makes password hashes unique and rainbow-table-proof.

๐Ÿงช HANDS-ON LAB: See Encryption, Hashing, and Salting in Action

What you will do

You will hash text and watch tiny changes explode the output, see how salting makes identical passwords hash differently, and inspect the encryption on a real website. All safe, all on your own machine and public tools.

Tools you need (all free)
  • PowerShell / Terminal โ€” already installed, for hashing.
  • CyberChef โ€” a free browser tool called "the cyber Swiss-army knife": gchq.github.io/CyberChef (no install).
  • Your web browser โ€” to inspect a real TLS certificate.
Step-by-step instructions
  1. Hashing: Open CyberChef. Drag the "SHA2" operation into the recipe. Type password123 in the input. Read the 64-character SHA-256 hash. Now change it to Password123 (capital P) and watch the entire hash change completely โ€” this is the avalanche effect.
  2. Broken vs strong: Swap the operation to "MD5," then to "SHA1," then back to "SHA2." Notice the different lengths, and recall that MD5/SHA-1 are broken for security.
  3. Salting: Hash mypassword and note the result. Now hash mypasswordX7g2 (pretend "X7g2" is a random salt). Completely different hash. Two users with the same password would now have different stored hashes.
  4. Encryption: In CyberChef, use "AES Encrypt" with a key to scramble a sentence, then "AES Decrypt" with the same key to recover it โ€” that is symmetric encryption (same key both ways).
  5. Real TLS: Visit any HTTPS site, click the padlock in the address bar โ†’ Connection is secure โ†’ certificate details. Read who issued it (the CA), its validity dates, and the encryption used. That certificate carries the site's public key.
  6. Write one sentence explaining why the website's certificate uses asymmetric keys but the actual page data uses symmetric encryption.
How this connects to a real cybersecurity job

Cryptography underpins nearly every security role. SOC analysts and incident responders hash suspicious files to identify malware (as in the malware lab) and check whether sensitive data was encrypted during a breach. Security engineers configure TLS certificates, choose strong cipher suites, and make sure passwords are salted and hashed correctly โ€” a top cause of real breaches is companies storing passwords in plaintext or with broken MD5. Tools like CyberChef are used daily by analysts to decode and analyze data. Understanding when to use symmetric vs. asymmetric vs. hashing is a frequent technical interview question.

Cryptography

๐Ÿ›๏ธ PKI & Digital Certificates

PKI = the system that manages digital certificates. Like a passport system for the internet.
  • CA (Certificate Authority) โ€” Trusted organization that issues and verifies digital certificates (DigiCert, Let's Encrypt)
  • Digital Certificate โ€” Electronic document proving a website is legitimate. Contains the public key.
  • SSL/TLS โ€” Protocols that use certificates to encrypt web traffic. TLS is the modern version.
  • CRL โ€” Certificate Revocation List. List of certificates that have been cancelled early.
  • OCSP โ€” Real-time way to check if a certificate is still valid. Faster than CRL.
  • Self-signed certificate โ€” Not issued by a CA. Browsers warn you. Only use internally.
โญ EXAM TIP: Padlock in browser = valid TLS certificate. Red warning "Not Secure" = expired, wrong domain, or self-signed cert.

Start Here โ€” The Trust Problem of the Internet

Asymmetric encryption lets anyone send you secrets using your public key. But there is a hidden danger: how do you know a public key really belongs to your bank, and not to an attacker pretending to be your bank? If a criminal can trick you into using their public key, they can read everything. PKI (Public Key Infrastructure) is the system built to solve this trust problem. Think of it as a passport system for the internet: a trusted authority vouches for who you are.

The Certificate Authority โ€” The Trusted Passport Office

A CA (Certificate Authority) is a highly trusted organization whose job is to verify identities and issue digital certificates. When a website wants to prove it is really "yourbank.com," it asks a CA to check its identity and issue a certificate. Your browser comes with a built-in list of trusted CAs (like DigiCert, Sectigo, and the free Let's Encrypt). Because your browser trusts the CA, and the CA vouches for the website, your browser can trust the website. This is a "chain of trust."

The Digital Certificate โ€” The Passport Itself

A digital certificate is an electronic document that binds a website's identity to its public key. It contains: the website's name, its public key, who issued it (the CA), and validity dates. When you connect to an HTTPS site, the site hands your browser this certificate. Your browser checks that it was issued by a trusted CA, that it is not expired, and that it matches the website name. If all checks pass โ€” you get the padlock.

SSL/TLS โ€” The Protocols That Use Certificates

TLS (Transport Layer Security) is the protocol that actually encrypts your web traffic, using the certificate's keys. You will often hear "SSL," but SSL is the old, insecure ancestor; TLS is the modern version everyone uses now (the terms are used loosely, but on the exam, TLS = current, SSL = outdated). This is the technology behind HTTPS and the padlock.

What Happens When a Certificate Goes Bad

Sometimes a certificate must be cancelled before its expiry date โ€” for example, if the website's private key gets stolen. Two mechanisms handle this:

  • CRL (Certificate Revocation List) โ€” A published list of certificates that have been revoked. The downside: it is a big list that must be downloaded and can be out of date.
  • OCSP (Online Certificate Status Protocol) โ€” A faster, real-time check: the browser asks "is this one certificate still valid?" and gets an immediate answer.

Self-Signed Certificates

A self-signed certificate is one that an organization creates and signs itself, without a trusted CA vouching for it. It still provides encryption, but no outside authority has verified the identity โ€” so browsers show a warning. Self-signed certificates are fine for internal testing and internal tools, but should never be used on a public website, because visitors cannot verify who they are really talking to.

Reading Browser Warnings Like a Pro

When you see "Not Secure" or a certificate error, it usually means one of three things: the certificate is expired, it is for the wrong domain name, or it is self-signed / not from a trusted CA. Attackers running fake sites often trigger these warnings โ€” which is why teaching users not to click past them is real security work.

๐Ÿงช HANDS-ON LAB: Inspect and Analyze Real Digital Certificates

What you will do

You will examine the certificates of real websites, trace their chain of trust up to the CA, spot the difference between a valid and a broken certificate, and check a certificate's health with a professional tool.

Tools you need (all free)
  • Your web browser โ€” for viewing certificates (no install).
  • SSL Labs Server Test โ€” free professional scanner: ssllabs.com/ssltest
  • badssl.com โ€” a free site that intentionally hosts broken certificates so you can safely see the warnings.
Step-by-step instructions
  1. Visit any major HTTPS site. Click the padlock โ†’ certificate details. Record: who it was issued to, who issued it (the CA), and the valid-from / valid-to dates.
  2. Follow the "Certification Path" or "chain" tab. See how the site's certificate is signed by an intermediate CA, which is signed by a root CA. That is the chain of trust.
  3. Now visit expired.badssl.com and self-signed.badssl.com. Read the exact browser warnings. Match each warning to your notes (expired vs. self-signed vs. wrong domain โ€” try wrong.host.badssl.com too).
  4. Go to ssllabs.com/ssltest, enter a website domain, and run the scan. It grades the site's TLS from A+ to F.
  5. Read the report: which TLS versions and cipher suites are supported, whether any are weak, and the certificate's validity. Note anything that lowers the grade.
  6. Write a short "recommendation" like a consultant would: e.g., "Disable TLS 1.0, renew certificate before expiry, remove weak ciphers."
How this connects to a real cybersecurity job

Certificate management is a genuine, ongoing job. Security engineers and system administrators install and renew certificates, and an expired certificate can take an entire company's website or app offline โ€” a very common real-world outage. GRC and compliance analysts run SSL Labs scans to prove systems use strong TLS for audits like PCI DSS. SOC analysts investigate certificate warnings that may signal a Man-in-the-Middle attack or a phishing site using a suspicious certificate. Being able to read a certificate chain and grade a site's TLS is a practical, demonstrable skill.

Identity & Access

๐Ÿ‘ค Authentication โ€” The 3 Factors

Authentication = proving you are who you say you are. There are exactly 3 types of factors.
  • Something You Know โ€” Password, PIN, security question. Weakest factor.
  • Something You Have โ€” Smart card, phone (authenticator app), hardware token (YubiKey)
  • Something You Are โ€” Biometrics: fingerprint, face scan, iris scan, voice print
  • MFA โ€” Multi-Factor Auth. Uses 2+ factors from DIFFERENT categories. Much stronger than password alone.
  • SSO โ€” Single Sign-On. Log in once, access many systems. (Google login, Microsoft 365)
โญ EXAM TIP: MFA needs DIFFERENT factor categories. Password + security question = both "Something You Know" = NOT MFA. Password + text code = IS MFA.

Start Here โ€” Three Words: Identification, Authentication, Authorization

These three are easy to mix up, so let's separate them with a simple story. You arrive at an airport. Identification is claiming who you are โ€” you say "I'm Lilian" and show your ticket with your name. Authentication is proving it โ€” you show your passport, and the officer verifies it is really you. Authorization is what you're allowed to do once verified โ€” your boarding pass lets you onto this flight, but not into the cockpit. This topic focuses on authentication: how you prove your identity.

The Three Authentication Factors

Every method of proving identity fits into one of exactly three categories, called factors:

1. Something You Know โ€” Information stored in your brain: a password, a PIN, or an answer to a security question. This is the most common but the weakest factor, because knowledge can be guessed, stolen, phished, or reused. Passwords leak in breaches every day.

2. Something You Have โ€” A physical item in your possession: your phone running an authenticator app, a smart card, or a hardware token like a YubiKey. An attacker on the other side of the world cannot easily steal a physical object from your pocket.

3. Something You Are โ€” A physical trait of your body, called biometrics: a fingerprint, face scan, iris scan, or voice print. Hard to fake and impossible to forget, though not perfect (and you cannot change your fingerprint if it is ever compromised).

Some models add somewhere you are (location) and something you do (behavior like typing rhythm), but the classic three are the exam core.

MFA โ€” The Power of Combining Factors

Multi-Factor Authentication (MFA) means using two or more factors from different categories. This is the single most effective way to protect accounts, because an attacker must defeat two very different things at once. Stealing your password (something you know) is useless if they also need the code on your phone (something you have).

The classic exam trap: Password + security question is NOT MFA โ€” both are "something you know." Password + a code texted to your phone IS MFA, because it combines "something you know" with "something you have." The factors must be from different categories to count.

SSO โ€” Convenience Done Carefully

Single Sign-On (SSO) lets you log in once and then access many different systems without logging in again. When you "Sign in with Google" to a new app, that is SSO. It improves user experience and lets companies enforce security centrally. The trade-off: that one login becomes a master key, so SSO accounts should always be protected with strong MFA โ€” if the SSO login falls, many systems fall with it.

How Professionals Apply This

  • Enforce MFA everywhere, especially for email, VPN, and admin accounts.
  • Prefer app-based or hardware MFA over SMS codes, since SMS can be intercepted (SIM swapping).
  • Use SSO with strong protection to reduce password fatigue while keeping control central.
  • Encourage password managers so users can have long, unique passwords everywhere.

๐Ÿงช HANDS-ON LAB: Set Up Real MFA and a Password Manager

What you will do

You will turn on multi-factor authentication using an authenticator app, and set up a password manager to generate strong unique passwords โ€” the exact controls security teams push across whole organizations. You do this on your own accounts, so it is safe and also directly improves your personal security.

Tools you need (all free)
  • An authenticator app โ€” free: Microsoft Authenticator, Google Authenticator, or the open-source Aegis (Android) / Raivo (iPhone).
  • A password manager โ€” free: Bitwarden (bitwarden.com, free tier is excellent and open-source).
  • One of your own online accounts (email or social media) to protect.
Step-by-step instructions
  1. Install an authenticator app on your phone.
  2. Log into one of your own accounts (e.g., your email). Go to Security settings and find "Two-Factor Authentication" or "2-Step Verification."
  3. Choose the "authenticator app" option. The site shows a QR code. Scan it with your app. Your app now generates a fresh 6-digit code every 30 seconds โ€” that is the TOTP (time-based one-time password) standard.
  4. Enter the current code to confirm. Save the backup/recovery codes somewhere safe. You have just added a "something you have" factor.
  5. Notice how logging in now needs your password (know) PLUS the app code (have) โ€” real MFA across two different categories.
  6. Install Bitwarden, create a vault protected by one strong master password, and use its generator to create a 16+ character random password for one account. Update that account to the new password.
  7. Reflect: you now have unique strong passwords (defeating reuse attacks) plus MFA (defeating stolen passwords).
How this connects to a real cybersecurity job

Identity and Access Management (IAM) is one of the fastest-growing areas of cybersecurity, with entire job titles built around it. IAM analysts and administrators roll out MFA to thousands of employees, manage authenticator enrollment, and handle lockouts and recovery. Help desk and SOC staff deal with MFA fatigue attacks, where criminals spam login prompts hoping a tired user approves one. Security awareness teams teach staff why "password + security question" is not real MFA. Having personally configured TOTP MFA and a password manager means you can speak about these controls credibly in an interview โ€” and you've protected your own accounts in the process.

Identity & Access

๐Ÿ”‘ Access Control Models

  • DAC (Discretionary) โ€” Resource owner decides who can access it. Your files โ€” you decide who sees them.
  • MAC (Mandatory) โ€” System enforces access based on security labels. Used in government/military. Top Secret, Classified.
  • RBAC (Role-Based) โ€” Access based on your JOB ROLE. Finance team = finance systems. Most common in companies.
  • ABAC (Attribute-Based) โ€” Access based on multiple attributes: role + location + time of day + device type.
  • Least Privilege โ€” Give users ONLY the minimum access needed to do their job. Nothing more.
  • Need to Know โ€” Even if you have clearance, you only get access to what you need for your specific task.
โญ EXAM TIP: RBAC = job role. MAC = government labels. DAC = owner decides. Least Privilege = give only what is needed.

Start Here โ€” Who Gets to Access What?

Once someone has proven who they are (authentication), the next question is: what are they allowed to do? That is authorization, and access control models are the different systems organizations use to decide it. The exam expects you to recognize each model by how it makes decisions. Let's walk through them from most flexible to most strict.

DAC โ€” The Owner Decides (Discretionary)

In Discretionary Access Control, the owner of a resource decides who can access it. It is "discretionary" because access is left to the owner's discretion. When you create a document and choose who to share it with in Google Drive or on Windows, that is DAC. It is flexible and common, but risky โ€” an owner can accidentally share sensitive data with the wrong person.

MAC โ€” The System Decides by Labels (Mandatory)

Mandatory Access Control is the strictest model. Access is decided by the system based on security labels (classifications), not by the owner. Every user gets a clearance level (like Confidential, Secret, Top Secret) and every file gets a classification. You can only access data at or below your clearance โ€” and even the file's owner cannot override the rules. This is used by governments and militaries where secrecy is critical. Remember: MAC = mandatory labels, no personal discretion.

RBAC โ€” Access by Job Role

Role-Based Access Control grants access based on your job role, not your individual identity. Instead of assigning permissions to each person one by one, the company defines roles โ€” "Accountant," "Nurse," "HR Manager" โ€” each with a set of permissions. New employees are simply placed into a role and instantly get the right access. This is the most common model in businesses because it scales well and is easy to manage. When someone changes jobs, you just change their role.

ABAC โ€” Access by Many Attributes

Attribute-Based Access Control is the most fine-grained and modern. It decides access using multiple attributes combined: the user's role, their department, the time of day, their location, the device they're using, and more. A rule might be: "Allow access only if the user is in the Finance role AND on a company laptop AND connecting from inside the country during business hours." This flexibility powers modern Zero Trust systems.

Two Guiding Principles Behind Every Model

Least Privilege โ€” Give each user the minimum access they need to do their job, and nothing more. If an intern doesn't need access to payroll, they don't get it. This limits the damage if their account is ever compromised.

Need to Know โ€” Even someone with high clearance only gets access to the specific information required for their current task. Having "Top Secret" clearance does not mean you can read every Top Secret file โ€” only the ones relevant to your work. Least privilege limits how much access; need-to-know limits which specific data.

๐Ÿงช HANDS-ON LAB: Enforce Least Privilege with File Permissions

What you will do

You will create user accounts and folders on your own computer, then set permissions so that one user can access a folder and another cannot โ€” implementing DAC and least privilege by hand. Safe, on your own machine.

Tools you need (all free)
  • Your Windows computer โ€” built-in user accounts and NTFS file permissions (no install). Mac/Linux users can use built-in users and chmod / chown.
Step-by-step instructions (Windows)
  1. Open Settings โ†’ Accounts โ†’ Other users, and create two standard local users, for example Nurse1 and Accountant1 (a "family/other user" without admin rights demonstrates least privilege nicely).
  2. Create two folders on the C: drive: MedicalRecords and Payroll.
  3. Right-click MedicalRecords โ†’ Properties โ†’ Security tab โ†’ Edit. Remove broad access and add Nurse1 with Read access. Make sure Accountant1 has no access.
  4. Do the reverse on the Payroll folder: give Accountant1 access and deny Nurse1.
  5. Sign in as Nurse1 and try to open both folders. MedicalRecords opens; Payroll is denied. Switch to Accountant1 and confirm the opposite. You have enforced role-appropriate least privilege.
  6. Notice that YOU, as the folder owner, decided these permissions โ€” that is DAC in action. Imagine instead a system that forced labels on everyone regardless of your choice โ€” that would be MAC.
How this connects to a real cybersecurity job

Managing permissions is bread-and-butter work for IAM analysts, system administrators, and SOC teams. In real breaches, over-privileged accounts are how attackers move from one small foothold to taking over everything, so companies run regular "access reviews" to strip unnecessary permissions โ€” enforcing least privilege. GRC/compliance analysts audit whether access matches job roles (required by standards like HIPAA and SOC 2). Being able to say "I've configured NTFS permissions and enforced least privilege on user accounts" demonstrates you understand authorization in practice, not just theory.

Cloud Security

โ˜๏ธ Cloud Service Models

Cloud = using computing resources over the internet instead of owning the hardware yourself.
  • IaaS โ€” Infrastructure as a Service. Provider gives: servers, storage, networking. YOU manage: OS, apps, data. (AWS EC2, Azure VMs)
  • PaaS โ€” Platform as a Service. Provider gives: infrastructure + OS + runtime. YOU manage: apps and data only. (Google App Engine)
  • SaaS โ€” Software as a Service. Provider manages EVERYTHING. You just use the app. (Gmail, Microsoft 365, Salesforce)
  • Shared Responsibility Model โ€” Security is split between you and the cloud provider. Know YOUR responsibility.
  • Public Cloud โ€” AWS, Azure, Google Cloud. Shared resources among many customers.
  • Private Cloud โ€” Resources used by ONE organization only. More control, more cost.
  • Hybrid Cloud โ€” Mix of public and private cloud. Most common in large enterprises.
โญ EXAM TIP: IaaS = most control, most responsibility. SaaS = least control, least responsibility. With SaaS, YOU are still responsible for who has access to accounts.

Start Here โ€” What Does "The Cloud" Actually Mean?

"The cloud" sounds mysterious, but it is simple: instead of buying and running your own computers, you rent computing power, storage, and software from a provider over the internet. When you use Gmail, your emails live on Google's computers, not yours. That is cloud computing. Companies love it because they avoid buying expensive hardware, they can scale up instantly, and they only pay for what they use. For security, the key question becomes: who is responsible for protecting what?

The Pizza Analogy for the Three Models

The three cloud models differ by how much the provider handles versus how much you handle. A classic way to remember it is "pizza as a service":

IaaS (Infrastructure as a Service) โ€” The provider gives you the raw ingredients: virtual servers, storage, and networking. YOU install and manage the operating system, the applications, and your data. It is like buying pizza ingredients and cooking at home โ€” most control, most work. Examples: AWS EC2, Azure Virtual Machines.

PaaS (Platform as a Service) โ€” The provider gives you the infrastructure PLUS the operating system and a ready platform to run your code. YOU only manage your application and its data. It is like a take-and-bake pizza โ€” you just add your toppings and bake. Examples: Google App Engine, Azure App Service. Great for developers who don't want to manage servers.

SaaS (Software as a Service) โ€” The provider manages everything: hardware, OS, and the software itself. You just log in and use the app. It is like ordering a finished pizza delivered to your door โ€” least control, least work. Examples: Gmail, Microsoft 365, Salesforce, Dropbox.

The Shared Responsibility Model โ€” The Most Important Cloud Concept

This is the heart of cloud security and appears on the exam constantly. In the cloud, security is shared between you (the customer) and the provider. The provider secures the cloud itself; you secure what you put in it. The exact split depends on the model:

  • IaaS โ€” Provider secures the physical data center and hardware. You secure the OS, applications, and data. Most responsibility is yours.
  • PaaS โ€” Provider also secures the OS and platform. You secure your application and data.
  • SaaS โ€” Provider secures almost everything. But YOU are still responsible for your data and, critically, who has access to your accounts.

The big lesson: even with SaaS, you are never fully off the hook. If you use weak passwords, skip MFA, or misconfigure sharing, that is your failure, not the provider's. Most real cloud breaches come from customer misconfiguration, not the provider being hacked.

Cloud Deployment Types

Public cloud โ€” Resources (like AWS, Azure, Google Cloud) are shared among many different customers, kept logically separated. Cheapest and most scalable.

Private cloud โ€” Cloud resources dedicated to ONE organization only. More control and privacy, but more expensive. Common for banks and governments.

Hybrid cloud โ€” A mix of public and private, letting a company keep sensitive data in a private cloud while using the public cloud for everything else. Most common in large enterprises.

๐Ÿงช HANDS-ON LAB: Explore Cloud Security in a Free AWS Account

What you will do

You will create a free cloud account, launch a simple resource, and practice securing it โ€” seeing the shared responsibility model with your own hands. You'll also learn the #1 real-world cloud mistake: accidentally exposing storage to the public.

Tools you need (all free)
  • AWS Free Tier account โ€” free 12-month tier at aws.amazon.com/free (a card is required for signup verification, but Free Tier resources cost $0 if you stay within limits and shut things down). Azure and Google Cloud offer similar free tiers if you prefer.
  • Your web browser.

No-cost alternative that needs no card: use the free interactive labs at AWS Skill Builder or the free tier of a SaaS app you already use (like Microsoft 365 or Google Workspace) to complete the "secure the account" steps below.

Step-by-step instructions
  1. Sign up for the AWS Free Tier. The very first security task: on the root account, turn on MFA (shared responsibility โ€” securing account access is YOUR job).
  2. Create a new IAM user instead of using the all-powerful root account daily. Give it only the permissions it needs โ€” least privilege in the cloud.
  3. Create an S3 storage bucket. Notice that by default AWS now blocks public access. Read the big warning that appears if you ever try to make it public.
  4. Upload a harmless test file. Confirm it is private. This models the real world: misconfigured public S3 buckets have leaked millions of records in famous breaches.
  5. Explore the IAM dashboard and the security recommendations AWS shows you. Note how the provider secures the data centers, but access control is on you.
  6. Clean up: delete the bucket and any resources so you stay at $0. Always tear down lab resources in the cloud.
How this connects to a real cybersecurity job

Cloud security is one of the highest-demand, best-paid areas in the field right now. Cloud security engineers and analysts spend their days doing exactly these tasks: enforcing MFA on accounts, applying least-privilege IAM policies, and hunting for misconfigured public storage buckets โ€” the single most common cause of cloud data leaks. GRC analysts map the shared responsibility model to compliance requirements. Even entry-level SOC roles increasingly monitor cloud logs (like AWS CloudTrail). Hands-on experience with an AWS/Azure free tier, and understanding who is responsible for what, is one of the most valuable things a beginner can put on a resume.

Networking

๐Ÿ”’ VPN & Secure Remote Access

VPN = Virtual Private Network. Creates an encrypted tunnel between your device and a remote network.
  • Site-to-Site VPN โ€” Connects two office locations permanently. Staff share resources as if on the same network.
  • Remote Access VPN โ€” Individual user connects to office network from home or while traveling.
  • IPSec โ€” Protocol suite that secures VPN connections. Works at Network Layer (Layer 3).
  • SSL/TLS VPN โ€” Uses HTTPS to create VPN tunnel. Works in a browser. Port 443.
  • Split Tunneling โ€” Only company traffic goes through VPN; personal traffic goes direct. Risk: personal traffic bypasses controls.
โญ EXAM TIP: VPN encrypts your traffic. IPSec VPN = network layer. SSL VPN = port 443. Split tunneling = security risk.

Start Here โ€” What a VPN Really Does

A VPN (Virtual Private Network) creates a private, encrypted "tunnel" through the public internet. Imagine sending a letter through a clear glass tube where anyone can read it โ€” that is normal internet traffic. A VPN wraps that tube in solid steel: your data still travels over the same public internet, but it is encrypted, so anyone who intercepts it sees only scrambled nonsense. VPNs solve a real problem: how do remote workers safely reach company systems, and how do offices connect securely across the internet?

Two Main Types of VPN

Remote Access VPN โ€” Connects one individual user to a network. This is what an employee uses to securely reach the office network from home, a coffee shop, or a hotel. Their laptop builds an encrypted tunnel to the company, so it's as if they were plugged in at the office. When you "connect to the company VPN" to work from home, this is it.

Site-to-Site VPN โ€” Permanently connects two whole locations โ€” for example, a company's New York office and its London office. The tunnel is always on, between the two networks' equipment, so staff at both sites share resources as if on one network. Individual users don't do anything; the connection lives in the network hardware.

The Protocols That Power VPNs

IPSec โ€” A suite of protocols that secures VPN connections at the Network Layer (Layer 3) of the OSI model. It encrypts and authenticates each packet. IPSec is very common for site-to-site VPNs and strong remote access. Remember: IPSec = network layer.

SSL/TLS VPN โ€” Uses the same TLS technology as HTTPS websites, working over port 443. Its big advantage: because it runs in a normal browser over the standard HTTPS port, it works almost anywhere without special client software or firewall changes. Remember: SSL VPN = port 443, browser-friendly.

Split Tunneling โ€” Convenience vs. Security

Split tunneling decides which traffic goes through the VPN. With split tunneling ON, only company-bound traffic goes through the encrypted tunnel, while your personal traffic (YouTube, personal email) goes directly to the internet. This saves company bandwidth and is faster โ€” but it is a security risk, because that personal traffic bypasses the company's security controls and monitoring. If your personal browsing gets you infected, that malware is now sitting on a device that also connects to the company network. The secure alternative, full tunneling, sends everything through the VPN so it can all be inspected.

How Professionals Use VPNs

  • Always-on VPN for remote workers so company traffic is never exposed.
  • MFA on the VPN โ€” a stolen password alone should never grant network access.
  • Full tunneling in high-security environments to inspect all traffic.
  • Personal VPNs on public Wi-Fi to defeat Evil Twin and Man-in-the-Middle attacks.
  • Note the modern shift: many companies are moving toward Zero Trust models that supplement or replace traditional VPNs.

๐Ÿงช HANDS-ON LAB: Build Your Own Encrypted VPN Tunnel

What you will do

You will set up a real, free VPN and prove it is working by watching your public IP address change and your traffic become encrypted. You'll see the encrypted tunnel with your own eyes.

Tools you need (all free)
  • ProtonVPN Free โ€” a reputable free VPN with no data limit: protonvpn.com. (Or WireGuard at wireguard.com if you want to configure a tunnel manually.)
  • Wireshark โ€” the free packet analyzer at wireshark.org, to see encrypted vs. unencrypted traffic.
  • Your browser โ€” to check your public IP at a site like whatismyipaddress.com.
Step-by-step instructions
  1. Before connecting, visit a "what is my IP" website and write down your current public IP address and location.
  2. Install and open ProtonVPN Free, create an account, and connect to a free server (perhaps in another country).
  3. Refresh the "what is my IP" site. Your IP and location have changed โ€” you now appear to be at the VPN server. Your real IP is hidden.
  4. Open Wireshark and start capturing on your active network adapter. Browse a few websites while connected to the VPN.
  5. In Wireshark, notice your traffic to the VPN server is encrypted (you'll see it going to one IP as protected/UDP or TLS traffic, not readable HTTP). Compare with browsing while the VPN is OFF, where plain HTTP requests are readable.
  6. Toggle the VPN on and off and watch the difference. Write one sentence explaining what an attacker on the same Wi-Fi would see in each case.
How this connects to a real cybersecurity job

Configuring and troubleshooting VPNs is a core duty for network and security administrators โ€” they set up remote access for the whole workforce, build site-to-site tunnels between offices, decide split vs. full tunneling, and enforce MFA on VPN logins. SOC analysts review VPN logs to spot suspicious remote logins (like a user connecting from two countries an hour apart โ€” "impossible travel"). Wireshark, used in this lab, is one of the most important tools in all of cybersecurity for analyzing traffic during investigations. Being comfortable with VPNs and basic packet capture is directly applicable to help desk, network, and SOC roles.

SOC Operations

๐Ÿ–ฅ๏ธ How a SOC Works

SOC = Security Operations Center. Monitors, detects, and responds to security threats 24/7.
  • Tier 1 Analyst โ€” First responder. Monitors alerts, triages events, escalates serious threats.
  • Tier 2 Analyst โ€” Deep investigation of incidents escalated from Tier 1.
  • Tier 3 / Threat Hunter โ€” Proactively hunts for threats that slipped past automated detection.
  • SIEM โ€” Security Information & Event Management. Collects logs from ALL systems and correlates them. (Splunk, IBM QRadar, Microsoft Sentinel)
  • Alert Triage โ€” Deciding if an alert is a True Positive (real threat) or False Positive (false alarm).
  • IOC (Indicator of Compromise) โ€” Evidence a system may be compromised: suspicious IP, malware hash, unusual login.
  • Playbook โ€” Step-by-step guide for responding to a specific type of incident.
โญ EXAM TIP: SIEM = logs + correlation + alerts. SOC analysts use SIEM to see the big picture across all systems at once.

Start Here โ€” What Is a SOC?

A SOC (Security Operations Center) is the team and room where an organization's cybersecurity defense happens 24 hours a day, 7 days a week. Think of it as the security guard station for a company's entire digital world. Analysts sit watching screens full of alerts, deciding which are real threats and responding to them. If you are studying cybersecurity to get a job, the SOC analyst role is the single most common entry point into the industry โ€” so understanding how a SOC works is understanding your likely first job.

The Three Tiers of a SOC

SOC analysts are organized into levels, called tiers, based on experience and the depth of work:

Tier 1 โ€” The First Responder. This is the entry-level role and where most people start. Tier 1 analysts watch the incoming stream of alerts, do quick triage (decide if an alert is real or a false alarm), handle the simple ones, and escalate anything serious to Tier 2. Think of them as the emergency call-takers of cybersecurity.

Tier 2 โ€” The Investigator. When Tier 1 escalates something, Tier 2 digs deep. They investigate how far an attack spread, what the attacker did, and how to contain it. They have more experience and access to more tools.

Tier 3 โ€” The Threat Hunter. The most senior analysts don't just wait for alerts โ€” they proactively hunt for hidden threats that slipped past the automated systems. They also handle the most complex incidents and improve the SOC's detection rules.

SIEM โ€” The SOC's Central Nervous System

Every device in a company โ€” servers, laptops, firewalls, applications โ€” produces logs (records of events). Alone, these logs are scattered and overwhelming. A SIEM (Security Information and Event Management) system solves this: it collects logs from ALL systems into one place and correlates them to spot patterns a human would miss.

Here's the power of correlation: one failed login is nothing. But the SIEM can notice "500 failed logins on one account, then one success, then that account downloaded the customer database at 3 AM" โ€” and fire an alert. The SIEM sees the big picture across all systems at once. Popular SIEMs include Splunk, IBM QRadar, and Microsoft Sentinel โ€” names worth knowing for interviews.

The Daily Language of a SOC

Alert Triage โ€” The core Tier 1 skill: quickly judging each alert. A True Positive is a real threat that correctly triggered an alert. A False Positive is a false alarm โ€” the alert fired but there's no real threat. A big part of the job is cutting through false positives to find the real dangers, and reducing "alert fatigue."

IOC (Indicator of Compromise) โ€” A piece of evidence that a system may be hacked: a known-malicious IP address, a malware file hash, an unusual login time, or a strange outbound connection. Analysts hunt for IOCs across their logs.

Playbook โ€” A step-by-step guide for responding to a specific incident type (a phishing report, a malware detection, a ransomware outbreak). Playbooks make sure every analyst responds consistently and nothing is forgotten under pressure.

๐Ÿงช HANDS-ON LAB: Investigate Logs in a Real SIEM (Splunk)

What you will do

You will load real log data into Splunk โ€” the industry-leading SIEM โ€” and run searches to find suspicious activity, exactly like a Tier 1 SOC analyst on their first day. This is the closest thing to sitting in a real SOC seat.

Tools you need (all free)
  • Splunk Free โ€” download the free version from splunk.com/en_us/download (Splunk Enterprise runs free with a daily data limit), or use the browser-based Splunk Search Tutorial data.
  • Free guided SOC labs โ€” Boss of the SOC (BOTS) sample datasets, and free beginner SOC paths at tryhackme.com and letsdefend.io (both have free tiers with in-browser SIEM simulations โ€” no install needed).
Step-by-step instructions
  1. Easiest start: create a free account at tryhackme.com and open a free "SOC Level 1" or "SIEM" room. These give you a working SIEM in your browser with a scenario.
  2. Or install Splunk Free and upload a sample log file (Splunk provides tutorial data). Let it index the data.
  3. Run your first search. Try searching for failed logins โ€” for example, look for event patterns showing repeated authentication failures from one source.
  4. Practice triage: pick one alert or suspicious event and ask the analyst questions โ€” What happened? Which user/host? Is this a True Positive or False Positive? What would I escalate?
  5. Extract IOCs from your findings: note any suspicious IP addresses, usernames, or file hashes involved.
  6. Write a short "incident note" summarizing what you found, as a Tier 1 analyst would hand off to Tier 2: what triggered the alert, what you checked, and your recommendation.
How this connects to a real cybersecurity job

This IS the entry-level SOC analyst job. Employers hiring Tier 1 analysts look specifically for people who can search a SIEM, triage alerts, and write clear incident notes. Splunk skills alone appear on a huge number of cybersecurity job postings, and Splunk offers free training and certifications. Platforms like TryHackMe and LetsDefend are widely used by career changers to build a portfolio of completed SOC labs to show employers. If you complete even a few of these and can talk through your investigation process, you can speak credibly in a SOC interview โ€” this is one of the most job-relevant labs on this whole page.

SOC Operations

๐Ÿšจ Incident Response โ€” 6 Steps

When a security incident happens, always follow these steps IN ORDER. This is on every Security+ exam.
  • 1. Preparation โ€” Build the team, create playbooks, set up tools BEFORE an incident happens.
  • 2. Identification โ€” Detect that an incident is happening. Real threat or false alarm?
  • 3. Containment โ€” Stop the damage from spreading. Isolate infected systems immediately.
  • 4. Eradication โ€” Remove the threat. Delete malware, close vulnerabilities, patch systems.
  • 5. Recovery โ€” Restore systems from clean backups. Monitor for recurrence.
  • 6. Lessons Learned โ€” Meet after the incident. What went wrong? Update playbooks.
Prep โ†’ ID โ†’ Contain โ†’ Eradicate โ†’ Recover โ†’ Learn
โญ EXAM TIP: Know the order cold. The exam will try to trick you by swapping Containment and Eradication. Contain FIRST, then Eradicate.

Start Here โ€” Why a Fixed Process Matters

When a real security incident hits โ€” ransomware spreading, a hacker inside the network โ€” people panic. Panic leads to mistakes: pulling the wrong plug, deleting evidence, or missing part of the attack. Incident Response (IR) is a calm, proven, step-by-step process that everyone follows so nothing is forgotten under pressure. Security+ tests these six steps in order on nearly every exam, so you must know them cold. This is the widely used SANS model. (NIST uses a similar 4-phase version, but the six-step order below is what your notes emphasize.)

Step 1 โ€” Preparation

This happens before any incident. You build the incident response team, write the playbooks, set up the tools (like the SIEM and backups), and train staff. It is like a fire department buying trucks and running drills before there is ever a fire. Good preparation is what makes the other five steps possible. Many organizations fail here โ€” they only think about response after they've already been hit.

Step 2 โ€” Identification

This is detecting and confirming that an incident is actually happening. An alert fires in the SIEM โ€” is it a real threat (True Positive) or a false alarm (False Positive)? Analysts investigate to confirm. You cannot respond to something you haven't identified, and you don't want to trigger a full emergency response for a false alarm. Accurate identification also determines the scope: which systems and data are affected.

Step 3 โ€” Containment

Once confirmed, stop the damage from spreading immediately. If a laptop has ransomware, disconnect it from the network before it encrypts the shared drives. Containment is like closing the watertight doors on a ship to stop flooding from reaching other compartments. There is short-term containment (quickly isolate) and long-term containment (temporary fixes while you prepare to fully remove the threat). Critical: Contain BEFORE you eradicate โ€” you must stop the bleeding before you treat the wound.

Step 4 โ€” Eradication

Remove the threat completely. Delete the malware, disable compromised accounts, close the vulnerability the attacker used, and patch the systems. It is not enough to stop the spread; you must remove every trace, or the attacker simply comes back. This step often reveals the root cause โ€” how they got in โ€” which must be fixed so it can't be reused.

Step 5 โ€” Recovery

Restore normal operations safely. Rebuild systems, restore data from clean backups (backups made before the infection), and carefully bring systems back online. Then monitor closely to make sure the attacker is truly gone and doesn't return. Rushing recovery โ€” restoring from an infected backup, or reconnecting too soon โ€” is a common, costly mistake.

Step 6 โ€” Lessons Learned

After the dust settles, the team meets to review: What happened? How did they get in? What did we do well? What was slow or missed? The goal is not to blame people but to improve โ€” update the playbooks, fix the gaps, and strengthen defenses so the same incident can't happen again. This step feeds directly back into Step 1 (Preparation), making the whole cycle continuous.

The Classic Exam Trap

Memorize the order: Preparation โ†’ Identification โ†’ Containment โ†’ Eradication โ†’ Recovery โ†’ Lessons Learned. The most common trick question swaps Containment and Eradication. Remember the logic: you must Contain first (stop the spread) and Eradicate second (remove it). A handy memory phrase: "Prep, ID, Contain, Eradicate, Recover, Learn."

๐Ÿงช HANDS-ON LAB: Run a Tabletop Incident Response Exercise

What you will do

You will run a "tabletop" exercise โ€” a walkthrough of a realistic incident where you apply all six steps in order and write a mini incident report. This is a real technique used by professional IR teams, and it needs no special software.

Tools you need (all free)
  • A document editor โ€” free Google Docs, or any word processor, to write your incident report.
  • Optional guided practice โ€” free "Incident Response" rooms at tryhackme.com, and the free incident report templates and IR guidance published by NIST (search "NIST 800-61").
  • CISA tabletop exercise packages โ€” free scenario packets at cisa.gov (search "CISA tabletop exercises CTEP").
Step-by-step instructions
  1. Use this scenario: "An employee reports their files are all renamed with a strange extension and there's a ransom note on the desktop demanding Bitcoin. Three other staff report the same thing."
  2. Create a document with the six headings: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
  3. Under Identification, write how you'd confirm it's really ransomware and how many machines are affected.
  4. Under Containment, list your first actions โ€” e.g., disconnect affected machines from the network immediately, disable shared drives. (Notice you do this BEFORE removing anything.)
  5. Under Eradication, describe removing the malware and finding how it got in (maybe a phishing email). Under Recovery, describe restoring from clean offline backups and monitoring.
  6. Under Lessons Learned, list 3 improvements (e.g., better backups, phishing training, faster isolation). Then write 2 sentences on what you'd add to Preparation next time.
How this connects to a real cybersecurity job

Tabletop exercises are a genuine, regular activity for incident response teams, SOC teams, and even executives โ€” organizations are often required to run them for compliance and cyber insurance. Incident responders and SOC analysts follow exactly this six-step process during real attacks, and the ability to write a clear, organized incident report is a highly valued skill (much of the job is documentation). Understanding the correct order โ€” especially contain-before-eradicate โ€” and being able to walk through a ransomware scenario is the kind of practical knowledge that impresses interviewers for SOC and IR roles.

Frameworks & Compliance

๐Ÿ“‹ Security Frameworks You Must Know

FrameworkWhat It IsWho Uses It
NIST CSF5 functions: Identify โ†’ Protect โ†’ Detect โ†’ Respond โ†’ RecoverUS Government, large companies
ISO 27001International standard for building an Information Security Management System (ISMS)Global organizations
MITRE ATT&CKKnowledge base of real attacker tactics, techniques, and procedures (TTPs). Used by SOC analysts daily.SOC teams, threat hunters
PCI DSSRules for handling credit card data securelyAny business accepting card payments
HIPAAUS law protecting patient health informationHealthcare organizations
GDPREU law protecting personal data. Heavy fines for violations.Any company handling EU citizens' data
SOC 2Security audit standard for cloud service providersSaaS companies, cloud vendors
โญ EXAM TIP: NIST CSF = 5 functions. MITRE ATT&CK = attacker tactics. PCI DSS = credit cards. HIPAA = healthcare. GDPR = EU data privacy.

Start Here โ€” Why Frameworks and Laws Exist

Security cannot be random. If every company invented its own approach, there would be chaos and no way to measure whether anyone is actually safe. Frameworks are organized sets of best practices that tell organizations how to build good security. Regulations are laws that require certain protections, often with heavy fines for failure. As a security professional, you must know the major ones โ€” not to memorize every rule, but to recognize which applies to which situation. This is heavily tested and constantly relevant on the job.

Voluntary Frameworks โ€” Best-Practice Blueprints

NIST CSF (Cybersecurity Framework) โ€” Created by the US National Institute of Standards and Technology. Its heart is five functions: Identify โ†’ Protect โ†’ Detect โ†’ Respond โ†’ Recover. These give any organization a simple structure for a security program: know what you have, protect it, detect attacks, respond, and recover. Widely used by US government and large companies. Memorize those five functions in order.

ISO 27001 โ€” An international standard for building an ISMS (Information Security Management System) โ€” basically a documented, repeatable system for managing security. Organizations can get officially certified against ISO 27001, which they use to prove to customers worldwide that they take security seriously. Global in scope.

MITRE ATT&CK โ€” A huge, free knowledge base that catalogs the real tactics, techniques, and procedures (TTPs) that actual attackers use, organized by the stages of an attack. SOC analysts and threat hunters use it daily to understand attacker behavior, map their defenses, and describe incidents in a common language. Think of it as an encyclopedia of "how hackers actually operate."

Regulations and Compliance Standards โ€” The Rules You Must Follow

PCI DSS (Payment Card Industry Data Security Standard) โ€” Rules for any business that accepts credit card payments. It requires protections like encryption, firewalls, and access control around card data. Not a government law, but enforced by the card companies โ€” break it and you can lose the ability to accept cards.

HIPAA โ€” A US law protecting patient health information. Any healthcare organization (hospitals, clinics, insurers) must safeguard medical records, with real penalties for breaches. If the scenario mentions health data in the US, think HIPAA.

GDPR (General Data Protection Regulation) โ€” A strict EU law protecting the personal data of EU citizens. It gives people rights over their data and imposes huge fines (up to 4% of global revenue) for violations. It applies to any company worldwide that handles EU residents' data โ€” so it reaches far beyond Europe.

SOC 2 โ€” An audit standard (from the AICPA) for cloud and SaaS service providers. A SOC 2 report proves to customers that a vendor properly protects their data across principles like security and availability. SaaS companies are frequently asked for their SOC 2 report before customers will trust them.

How to Keep Them Straight

Match each to a keyword: NIST CSF = 5 functions (Identify, Protect, Detect, Respond, Recover). ISO 27001 = international certification / ISMS. MITRE ATT&CK = attacker tactics and techniques. PCI DSS = credit cards. HIPAA = US healthcare. GDPR = EU personal data privacy. SOC 2 = cloud/SaaS vendor audit.

๐Ÿงช HANDS-ON LAB: Map a Real Attack with MITRE ATT&CK + Explore a Framework

What you will do

You will use the free MITRE ATT&CK website to look up real attacker techniques and map out how an attack works โ€” the exact skill SOC analysts use to describe incidents. You'll also browse the NIST framework to see how organizations structure security.

Tools you need (all free)
  • MITRE ATT&CK โ€” free knowledge base at attack.mitre.org (nothing to install).
  • MITRE ATT&CK Navigator โ€” free interactive matrix tool, linked from the ATT&CK site.
  • NIST CSF โ€” free at nist.gov/cyberframework.
Step-by-step instructions
  1. Go to attack.mitre.org and look at the Enterprise matrix. The columns are attack stages called Tactics (like Initial Access, Execution, Persistence, Exfiltration).
  2. Click the tactic Initial Access. Read the Techniques under it โ€” notice "Phishing" is there. Click Phishing and read how attackers use it and how defenders detect it.
  3. Now map our ransomware story from the incident-response lab: find the techniques for Initial Access (Phishing), Execution (malware run), Impact (Data Encrypted for Impact). Write down each technique ID (they look like T1566).
  4. Open the ATT&CK Navigator and highlight the techniques you found, building a simple visual "attack map." This is what analysts present to their teams.
  5. Switch to nist.gov/cyberframework and find the five functions (Identify, Protect, Detect, Respond, Recover). For each function, write one control our fictional company should add to prevent the next ransomware attack.
  6. Reflect: which regulation would apply if that company were a US hospital (HIPAA) versus a store taking credit cards (PCI DSS)?
How this connects to a real cybersecurity job

MITRE ATT&CK is one of the most in-demand skills in modern SOC work โ€” analysts "map" every incident to ATT&CK techniques so teams share a common language and can measure their detection coverage. Threat hunters use it to plan hunts. On the compliance side, GRC (Governance, Risk, and Compliance) analysts spend their careers implementing NIST CSF and ISO 27001 and preparing organizations for PCI DSS, HIPAA, and SOC 2 audits โ€” a huge, well-paid field that values people who know which framework fits which situation. Being able to name these frameworks and use ATT&CK hands-on is directly interview-relevant for both SOC and GRC career paths.

Business Continuity

๐Ÿ’พ Backup & Recovery

  • 3-2-1 Backup Rule โ€” 3 copies of data, 2 different media types, 1 stored offsite. The gold standard.
  • Full Backup โ€” Copy of everything. Slowest to create, fastest to restore.
  • Incremental Backup โ€” Only backs up changes since the LAST BACKUP. Fast to create, slower to restore.
  • Differential Backup โ€” Backs up changes since the LAST FULL BACKUP. Middle ground.
  • RTO โ€” Recovery Time Objective. How FAST do we need to be back online after a disaster?
  • RPO โ€” Recovery Point Objective. How much DATA can we afford to lose? (RPO = 4 hours = backup every 4 hours)
โญ EXAM TIP: RTO = time to recover. RPO = how much data loss is acceptable. Differential = since last FULL. Incremental = since last backup (any kind).

Start Here โ€” Backups Are a Security Control

Many beginners think backups are just an "IT" thing. They are actually one of the most important security controls, protecting the "A" (Availability) in the CIA Triad. When ransomware encrypts your files or a server dies, a good backup is the difference between "restore and keep working" and "pay criminals" or "lose the business." This topic covers how backups are done and how organizations decide how much data loss and downtime they can tolerate.

The 3-2-1 Backup Rule โ€” The Gold Standard

The most famous rule in backups, and easy to remember: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite (away from your building). Why? If you keep all copies in one place and there's a fire, flood, or ransomware, you lose everything at once. Three copies mean redundancy; two media types protect against one type failing; one offsite copy survives a local disaster. Modern versions add a fourth idea: keep at least one copy offline (disconnected), because ransomware can encrypt backups it can reach over the network.

The Three Backup Types

Full Backup โ€” A complete copy of everything. It takes the most time and storage to create, but it is the fastest to restore because everything is in one place. Companies often do a full backup weekly.

Incremental Backup โ€” Backs up only what changed since the last backup of any kind (full or incremental). Very fast to create and small, but slower to restore: to rebuild, you need the last full backup PLUS every incremental in order. Miss one and the chain breaks.

Differential Backup โ€” Backs up everything changed since the last FULL backup. It's the middle ground: larger and slower to create than incremental (because it re-copies all changes since the full, every time), but faster to restore โ€” you only need the last full backup plus one differential.

The exam distinction: Differential = changes since last FULL. Incremental = changes since last backup of any kind. This is a classic trick question.

RTO and RPO โ€” Measuring What You Can Tolerate

These two metrics look similar but mean very different things:

RTO (Recovery Time Objective) โ€” How fast must you be back online after a disaster? It's about time. If your RTO is 2 hours, systems must be restored within 2 hours. A lower RTO requires more expensive, faster recovery solutions.

RPO (Recovery Point Objective) โ€” How much data can you afford to lose, measured in time? It's about the backup frequency. If your RPO is 4 hours, you must back up at least every 4 hours, because you can tolerate losing at most 4 hours of data. A lower RPO means backing up more often.

Memory hook: RTO = Time to recover (how long down). RPO = Point in the past you restore to (how much data lost). Picture a timeline: RPO is how far back your last good backup is; RTO is how long forward until you're running again.

๐Ÿงช HANDS-ON LAB: Create and Restore Backups + Plan RTO/RPO

What you will do

You will make a real backup, simulate data loss, restore it, and then design a simple backup plan with RTO and RPO targets โ€” the same planning a business continuity analyst does. All on your own machine.

Tools you need (all free)
  • Windows File History or Backup โ€” built into Windows (Settings โ†’ Backup). Mac users: Time Machine, built in.
  • Veeam Agent (Free) โ€” a free professional-grade backup tool: veeam.com, if you want to try enterprise-style backups.
  • A USB drive or a second folder to act as your "offsite/second media" copy.
Step-by-step instructions
  1. Create a folder called ImportantData with a few test files (documents, an image).
  2. Do a full backup: copy the whole folder to a USB drive or second location. That's copy #2 on a different medium โ€” you're building toward 3-2-1.
  3. Now change one file and add a new one. Do an incremental-style backup by copying only the changed/new files. Notice how much faster and smaller this is than the full copy.
  4. Simulate disaster: delete the original ImportantData folder. Then restore it from your backup. Confirm every file came back. You just completed a backup-and-restore cycle.
  5. Try Windows File History (or Mac Time Machine): turn it on, let it back up, then right-click a file โ†’ "Restore previous versions" to recover an earlier copy.
  6. Write a one-page plan for a small business: state an RTO (e.g., "back online within 4 hours"), an RPO (e.g., "lose no more than 1 hour of data, so back up hourly"), and how you'd meet the 3-2-1 rule including one offline copy.
How this connects to a real cybersecurity job

Backup and recovery is central to Business Continuity and Disaster Recovery (BC/DR) roles, and to every SOC's response to ransomware โ€” the ability to restore from clean, offline backups is what lets a company refuse to pay a ransom. System administrators design and test backup schedules; security teams verify backups are offline and actually restorable (an untested backup is not a real backup). Defining RTO and RPO is a core task when organizations plan disaster recovery and buy cyber insurance. Being able to explain the backup types and set RTO/RPO targets shows employers you understand resilience, a theme that runs through Security+ and real operations alike.

Threats & Attacks

๐Ÿ•ต๏ธ Reconnaissance & OSINT

Before attacking, hackers gather information. This is called Reconnaissance.
  • OSINT โ€” Open Source Intelligence. Using PUBLIC information (Google, LinkedIn, WHOIS) to learn about a target.
  • Passive Recon โ€” Gathering info WITHOUT touching the target systems. Victim does not know.
  • Active Recon โ€” Directly probing target systems (port scanning). Leaves traces in logs.
  • Port Scanning โ€” Finding what ports/services are open on a target. Nmap is the most common tool.
  • Shodan โ€” Search engine for internet-connected devices. Attackers find exposed cameras, servers, industrial systems.
โญ EXAM TIP: Passive recon = no contact with target. Active recon = direct contact, can be detected. Nmap = port scanning. OSINT = public info only.

Start Here โ€” Attackers Do Homework First

In the movies, hackers just start typing and break in. In reality, the first and most important phase of almost every attack is reconnaissance โ€” gathering information about the target before touching anything. The more an attacker learns first (employee names, technologies used, exposed systems), the easier the actual attack becomes. Understanding recon matters for defenders too: if you know how attackers gather information, you can reduce what you leak. Recon is the very first stage in attack models like the Cyber Kill Chain and MITRE ATT&CK.

OSINT โ€” Intelligence from Public Sources

OSINT (Open Source Intelligence) means gathering information from publicly available sources โ€” no hacking required. This includes Google searches, company websites, LinkedIn profiles, social media, job postings, and public records like WHOIS (which lists who registered a domain). It's astonishing how much attackers learn this way: a job posting for "Splunk administrator" tells them the company uses Splunk; LinkedIn reveals the IT team's names for spear phishing; a photo posted online might show a badge or a screen. All of it is legal and public โ€” which is exactly why it's so powerful.

Passive vs. Active Reconnaissance โ€” The Key Distinction

Passive reconnaissance means gathering information without touching the target's systems at all. You look at Google, LinkedIn, WHOIS, and public databases. Because you never contact the target directly, the victim has no idea you're researching them โ€” it leaves no trace in their logs. OSINT is passive recon.

Active reconnaissance means directly interacting with the target's systems to probe them โ€” for example, port scanning their servers to see what's open. This gives more detailed, current information, but it leaves traces: the target's firewalls and intrusion detection systems can log and detect the probing. So active recon is more revealing but riskier for the attacker.

Simple way to remember: Passive = look, don't touch (undetectable). Active = touch and probe (can be detected).

Port Scanning โ€” The Classic Active Technique

Port scanning checks which ports (and therefore which services) are open on a target โ€” recall from the Ports topic that each open port is a potential door. The most famous tool is Nmap. Because scanning sends packets to the target, it's active recon and can be detected. Attackers scan to find weak services to attack; defenders scan their own systems to find and close those same weaknesses first.

Shodan โ€” The Search Engine for Devices

Shodan is often called "the scariest search engine." While Google indexes web pages, Shodan indexes internet-connected devices: servers, webcams, routers, databases, and even industrial control systems. Attackers use it to find exposed devices โ€” like a security camera with no password or a database open to the internet โ€” without scanning anything themselves (making this a passive OSINT technique). Defenders use Shodan too, to discover which of their own devices are accidentally exposed to the internet.

How Defenders Reduce Their Exposure

  • Limit public information โ€” Train staff on what not to overshare online; review what job postings reveal.
  • Reduce the attack surface โ€” Close unnecessary ports and take exposed devices off the public internet.
  • Monitor for scans โ€” IDS/IPS can detect active recon and alert the SOC.
  • Check yourself with attacker tools โ€” Run Shodan and Nmap against your own assets to find exposure before criminals do.

๐Ÿงช HANDS-ON LAB: Perform Passive Recon (OSINT) on a Domain You Own

What you will do

You will gather public information about a domain using passive OSINT tools โ€” exactly how a penetration tester begins an engagement. Use only your own domain, or a public practice target. Do not probe systems you don't own. Everything here is passive (looking at public data), so it's safe and legal.

Tools you need (all free)
  • WHOIS lookup โ€” free at whois.domaintools.com or the command whois.
  • Shodan โ€” free account at shodan.io (free tier lets you search).
  • Google Dorking โ€” just Google with special search operators (no install).
  • Advanced/optional: the free OSINT Framework (osintframework.com) directory, and Kali Linux tools like theHarvester.
Step-by-step instructions
  1. Pick a domain you own (or a public one you're allowed to research). Run a WHOIS lookup and read what's public: registrar, registration dates, and name servers. Notice how much (or how little) is exposed.
  2. Try Google Dorking: search site:yourdomain.com to see every page Google has indexed. Try site:yourdomain.com filetype:pdf to find exposed documents. This reveals what's publicly findable.
  3. Create a free Shodan account and search for your own domain or public IP. See what devices/services Shodan already knows are exposed โ€” this is passive because Shodan already scanned them, not you.
  4. Look up your own name or email on haveibeenpwned.com to see if it appeared in past data breaches โ€” a real OSINT source attackers check.
  5. Make an "exposure report": list every piece of information you found that an attacker could use, and one way to reduce each.
  6. Reflect on the passive/active line: everything you did was passive (you never probed a system directly). Running Nmap against the target โ€” from the Ports lab โ€” would have been active recon.
How this connects to a real cybersecurity job

Reconnaissance is the official first phase of every professional penetration test and red team engagement โ€” testers spend real time on OSINT before touching anything, and they document it in their reports. On the defensive side, threat intelligence analysts and "attack surface management" teams continuously run WHOIS, Shodan, and breach-database checks against their own organization to find exposed data and devices before attackers do. Recruiters and SOC teams also use these skills. Employers value candidates who understand the passive-vs-active distinction and can safely use tools like Shodan and Google Dorking โ€” it shows you think like both an attacker and a defender.

More notes added every week โ€” check back soon

๐Ÿ“š Ready for the Full Curriculum?

Access all lessons, labs, and practice exams โ€” 100% free, no login required.

VIEW FULL CURRICULUM โ†’