How to learn hacking and defending: The (step-by-step) beginner's bible for 2026

To hack, or to defend? That is the question!

Those who stumbled into this incredibly vast field, like yourself, have plenty of questions. As I started, I talked to a wide range of people, dove into blogs, and even went to school asking:

• What skills should I develop? 

• What is a good pathway to follow? 

• What are the differences between all these roles? 

And of course: “What’s the best way to do ___?” Because everyone wants to find the quickest way to success (whatever that may look like). 

This is for you. The truly green, new to the concept of cybersecurity. The absolute rookie who wants to dive into one of the most incredible—and coolest—fields around. 

This blog has been updated to cover those interested in hacking and defensive roles. Let’s jump in. 

What is hacking? 

A textbook definition of “hacking” is the act of finding exploitable weaknesses in computer systems, digital devices, or networks to gain unauthorized access to systems and data. Real hacking, however, is more than that. 

It’s a technical discipline and mindset that requires outside-the-box thinking, creativity, and persistence in the face of evolving and unforeseen challenges:

• What happens when you follow an established path to exposing a vulnerability or flaw, and there’s nothing to find?

• How do you avoid detection once you’ve infiltrated a secure system?

• How can defenses be improved for the target you’re hacking? 

This outside-the-box mindset applies to the different types of hacking that even include physical (testing the security of a physical location) and social (exploiting human errors or vulnerabilities). 

Good (ethical) vs. bad (unethical) hacking

Many references to hacking portray it as a malicious activity orchestrated by rogue hoodie-wearing tech wizards. This is not the case.

Recommended read: How to become an ethical hacker. 

At Hack The Box, we champion ethical hacking because it’s akin to a technical superpower that can be used for the greater good: to help protect modern infrastructure and people. 

Ethical hacking requires the knowledge and permission of the business before infiltration. It’s about finding the weak spots before the bad guys do and fixing any flaws before they become exploitable by malicious hackers. 

Related read: Best entry level cybersecurity jobs for aspiring hackers.

Organizations hire ethical hackers or Penetration Testers (the common term used in industry to describe the job description of professional hackers in the corporate world), to proactively simulate attacks against their networks, devices, software, users, applications, and just about anything that could expose them.

This allows them to be a step ahead of any nefarious hacker by gaining insight into and improving on weaknesses. 

At the end of the day, these security professionals are there to help businesses and do everything in their power to keep them as protected as possible. Having a set of guidelines distinguishes the good guys from the cybercriminals, and also lets businesses employ hackers with more confidence.  

Haris Pylarinos, CEO at Hack The Box

What's the difference: Red, blue, and purple teaming

Modern cybersecurity isn’t a single discipline. It’s a balance of perspectives. Over time, the industry has settled into three core lenses for understanding how security work gets done (largely based on military strategy): red, blue, and purple.

Simple enough. But what does it mean?

Maybe you’ve heard this before, but each plays a distinct role, and none operate in isolation. Understanding this triad helps you make sense of where you might fit and why learning across boundaries matters more than ever.

The red doctrine: Offensive security

Red teamers think like attackers.

Their responsibility is to identify how systems can be broken before someone else does. That means probing web applications, networks, and infrastructure to uncover weaknesses that aren’t obvious on the surface.

Common responsibilities include:

• Discovering vulnerabilities through reconnaissance and enumeration

• Exploiting misconfigurations and design flaws

• Chaining attacks to demonstrate real-world impact

• Reporting findings clearly so they can be fixed or monitored

Roles that often live in this space include penetration testers, red team operators, offensive security engineers, and bug bounty hunters.

Red team work answers a critical question: if someone wanted to break in, how would they do it?

The blue doctrine: Defensive security

Blue teamers focus on visibility, detection, and response. They're the defenders.

Their responsibility is to protect systems in real time by understanding what “normal” looks like, spotting deviations, and reacting before damage spreads. This work is less about breaking things and more about reading signals correctly under pressure.

Common responsibilities include:

• Monitoring logs, alerts, and telemetry

• Investigating suspicious behavior and incidents

• Containing and responding to malicious alerts 

• Improving detection rules and defensive coverage

Roles here include SOC analysts, DFIR specialists, detection engineers, incident responders, and security operations engineers.

Blue team work answers a different question: If something goes wrong, will we see it, understand it, and act fast enough?

The purple doctrine: Hybrid and threat-focused security

Purple security sits between red and blue. Not as an observer, but as a connector.

Purple practitioners understand how attacks work and where to implement a defense suitable for stopping a second incident. Their responsibility is to turn exposure into readiness by making sure defensive teams can actually see what offensive techniques look like in practice.

Common responsibilities include:

• Translating attacker behavior into detection logic

• Validating that alerts trigger when they should

• Hunting for threats that evade standard controls

• Improving communication between red and blue teams

This space includes threat hunters, purple team analysts, detection engineers, and hybrid security roles that don’t fit neatly into one box.

This mindset is how we aim to help learners grow in the future by taking a dual-sided approach to learning security, considering both offensive and defensive perspectives. 

Can anyone learn how to hack? 

The short answer is: yes, most people can learn how to hack provided that they give themselves enough time, have the right attitude, and commit to the process ahead.

We’ve heard stories from the community of hard-working people who took an interest in hacking (despite not having technically-relevant backgrounds) and are now good enough to get paid to hack ethically and professionally: 

• Jeremy Chisamore was hit by layoffs and events outside his control and still carved out a career in cybersecurity; going from struggling poker player to Senior Penetration Tester at Oracle.

• Chuck Woolson, a former United States Marine changed careers in his 50s and became a Red Team Operator with little prior experience.

• Josiah Beverton started off studying physics, but his passion for cybersecurity lead him to become a professional Penetration Tester with experience in Blue and Red Team roles.

• Gary Ruddell left the military to pursue a cybersecurity career and become the Regional head of Cyber Threat Intelligence at a global financial organization. 

With that said, there are shared traits among successful hackers that indicate how much enjoyment you’ll get from learning how to hack: 

• A passion for problem-solving: A college or recognized training certification certainly helps you acquire the knowledge, skills, and abilities required to work as a pentester; but a great hacker is a tenacious problem-solver at heart! 

• The ability to think outside the box: To defend against an attacker, you must think and act like one. This requires the ability to not only respect, but also think beyond routine practices like firewall reviews and scanning for known vulnerabilities. 

• A love of learning: Most professional hackers I know enjoy learning, which makes sense considering how fast the digital world moves. And that’s one of the many beauties of learning how to hack; there’s always new hardware, applications, concepts, and vulnerabilities to explore. You’re free to specialize, upskill, or pursue a career (it’s no secret that professional hackers/penetration testers are in extremely high demand) in whatever specialty you want. 0

What security really is now (and why hacking is only half the story)

Security isn’t just about breaking things anymore. It’s about understanding how systems fail, how attacks happen, and how teams detect, respond, and recover when they do.

Hacking, at its core, is still a mindset. It’s curiosity under pressure. It’s pulling on threads to see what unravels. But modern security doesn’t stop at finding a weakness. It asks what happens next, who sees it, how fast, and how it could have been prevented or detected earlier.

That’s why the line between offensive and defensive security is thinner than it’s ever been. Attackers study defenses. Defenders study attacks. 

The best practitioners understand enough of both to communicate clearly, test assumptions, and reduce real risk. You don’t need to master every side to get started. 

But learning how attacks work and how defenses catch them gives you a much clearer picture of the problem you’re trying to solve. Go figure!

The folks here at Hack The Box (HTB) are steadfast in the belief that learning both sides as you grow will increase your chances of success in the field. 

I’ve heard enough, take me your recommended junior resource

Whether you end up breaking systems, defending them, or doing a bit of both, that shared understanding is what modern security teams are built on.

Security today isn’t about choosing a side. It’s about learning how the whole system behaves when something goes wrong. It is about being part of the solution in a world of bad actors.

Things you can expect when you get into security and investing in the culture: 

1. Making new global friends 

2. Participating in a community that loves educational conferences 

3. Learning a skill that brings security to your own life (we will have your tinfoil hat ready for you)

4. Learning a skill that grows alongside the advent of new technologies

5. An opportunity to be involved in one of the greatest challenges in modern history

But the term hacker gets a bad rep. Why is that? I’m so glad you asked.

Where should beginner hackers start? 

The industry has a wide variety of roles that you can specialize into. However, one thing that you’ll see everywhere is that the basics are universal across anything you’ll be doing. 

We know you’re excited to be an elite forensics agent or a hacker savant, but we have it on good authority that people who have those titles build on fundamentals.

Here are some suggestions to get your started.

1. Networking 

Most things in hacking or cybersecurity revolve around a network. This is why a firm grasp of networking fundamentals is foundational for beginner hackers who are learning the ropes. Understanding how networks are structured and how devices communicate means you can identify, protect, exploit, and, of course, remediate weaknesses in networks. 

With this knowledge, you’ll know what services are running on a server, what ports and protocols they’re using, and how the traffic behaves.

2. OS knowledge (Windows/Linux)

At some point, every security role runs headfirst into an operating system. Whether you’re attacking, defending, or investigating, you need to understand how systems actually behave under the hood.

Start by getting comfortable with Linux and Windows fundamentals, not as an administrator, but as an observer. Learn how files are structured, how permissions work, how processes start and stop, and how services run in the background. Spend time in the terminal. Break things safely. Fix them again.

You should understand:

• How users, groups, and permissions work across both systems

• How processes, services, and scheduled tasks behave

• Where logs live and what they’re used for

• Basic command-line usage (Bash and PowerShell) for navigating, querying, and troubleshooting

3. Web fundamentals  

If there’s one domain that touches nearly every corner of modern cybersecurity, it’s the web. Applications, APIs, dashboards, internal tools—almost everything lives behind a browser at some point.

As a beginner, you don’t need to jump straight into exploiting complex frameworks. You need to understand how the web actually works before it breaks.

Start with the basics:

• How HTTP and HTTPS requests are structured

• What happens when a browser talks to a server

• How cookies, sessions, headers, and authentication flows work

• The difference between client-side and server-side logic

From there, move into how applications are built and where things go wrong. Learn the fundamentals of HTML, JavaScript, and basic backend behavior. Understand how user input is handled, stored, and validated. 

4. Effective communication and written skills

Ah, yes. Did you expect to see this one? Don’t worry if not. We listen and we don’t judge. Also, these are two of the most overlooked skills in our industry. 

I’ve had plenty of discussions with security managers and senior security analysts who pray for good reports and effective communicators. At the end of the day, you’ll be part of a team with the same end goals.

Being someone who brings this to the role will make you infinitely more successful. So, just keep it in mind. 

5. Databases 

Databases are where the most valuable data lives. User accounts, credentials, transaction records, internal logs—if it matters, it’s probably stored in a database somewhere.

As a beginner, you don’t need to master every database engine under the sun, but you do need to understand how data is stored, queried, and protected. 

Start with the fundamentals: what relational databases are, how tables and relationships work, and how common query languages like SQL are used to retrieve and modify data.

The age of AI in cybersecurity for beginners 

Yes, AI is everywhere. A near-constant presence in ads, products, and conversations in our daily lives. 

Regardless of how you feel about it, it is good to become educated on the subject. All while becoming familiar with how it can help you on your journey.

There are two ways I see AI in terms of security for a beginner. Using AI to learn in parallel to your studies and learning how to hack/defend a world pressing forward with AI.

Learning cybersecurity with AI

Don’t ask AI to solve a whole problem for you. Use it as a companion application for the infinite number of questions you’ll have. 

It should be a backboard for moments you become lost or stuck in a forest of unknowns. Note, everything an AI tells you about security won’t be true. But I’ve found that at an early level, it’s pretty reliable. 

Example: You just did your first nmap scan, congrats! You now see a bunch of open ports and protocols that you forgot about after doing the networking.

I’d take a screenshot of my scan and ask it to remind me of what these protocols are, which are usually the most vulnerable, and to have me walk through an attack pattern of one of them. 

The trick is not to cheat yourself out of the knowledge and to wait until you’ve absolutely exhausted every bit of knowledge you have. 

Use it to dive deeper in moments I would have given up before. One of the best moments in hacking is the Ah-ha moment; you don’t want to rob yourself of that, trust me.  

Tips:

• Have it explain things step-by-step instead of giving you overwhelming answers

• Have it test you after every milestone to solidify what you’re learning

• Go to a Machine write-up and turn the PDF into a choose-your-own adventure

AI is a target 

On the other hand, we have a whole new field of technology that needs to be secured. Whenever these advancements happen, we can all be certain of one thing: more work for us! 

Vibe-coded applications, weaknesses in Large Language Models (LLMs), prompt injections that jailbreak AIs, and a slew of other complex avenues of attack have opened their doors to AI red teamers.

And on the flip side, give us new guardrails for blue teamers use to defend against these threats.  

Adding this knowledge to your arsenal will help you establish an edge in one of the most highly observed skill sets of the current moment. However, I’d recommend starting with the basics before you jump right in. 

Related read: 7 Powerful pentesting tools (and why you should stop pedestalizing them). 

Learning to hack from scratch: Create a powerful training plan to optimize learning 

Most (normal) humans won’t sufficiently understand all this new information overnight if they learn to hack from scratch. So give yourself enough time to develop a firm grasp of the fundamentals.

Continuing the magic analogy, don’t just memorize spells and wave a wand; know why you’re casting the spell, how it works, its weakness, and strengths to adapt it to any scenario and target! 

The importance of this can’t be emphasized enough; you will rely on this base of knowledge and skills repeatedly throughout your hacking journey. 

So while you might be bursting with enthusiasm to get started with the wonderful wizardry of hacking, I’d suggest that you take a little bit of time to develop an organized plan or schedule for studying to master the basics. This will help you:

• Prevent feelings of overwhelm and burnout.

• Measure your progress and keep track of your journey. 

• Overcome the inevitable frustration and hurdles that are perfectly normal when learning new skills. 

Let’s say you have two hours per day to study, I would say spend at least four-eight months on the fundamentals while watching some retired content videos on YT. \

Give yourself two months for each domain: Networking, Linux, Windows, and Python plus any scripting like bash/powershell (optional) to build a strong foundation. This realistic approach combined with guided cybersecurity courses and practical cybersecurity exercises means you’ll hit the ground running.

Oh, and if you’re someone who likes organized lists and curated content, then there are Job Role Paths and Skill Paths tailored to fit your needs. These were created to not only help you dig into a specific skillset, but empower you become certified by utilizing content created with high standards. 

Example training plans to learn hacking 

Below are two different potential training plans from two hackers and content creators here at HTB, IppSec, and 0xdf. The purpose of showing both is to demonstrate there is no absolute answer that applies to everyone. Find what works for you and adapt as you go!

Ippsec’s recommendations

1. Establish your methodology: Use the guided step-by-step learning, read write-ups (tutorials), or watch videos and work alongside them. Don’t worry about “spoilers” ruining your learning experience, there will always be more challenges and opportunities to learn.

2. Validate the methodology: Watch a video in its entirety, then immediately do a challenge. If you are short on time, then divide the machines parts, for example watching up to the user flag and then solving the machine.

3. Work on memory retention: Add some time between watching the video and solving the machine. Start off with a few hour break between the video and solving the machine. Eventually, graduate up to waiting a day between. Don’t be afraid to go back and watch the video when you are stuck on a part for 20-30 minutes.

4. Make hacking muscle memory: Watch multiple videos but solve the machine yourself days later. Having watched multiple videos or read write-ups before solving the box will really test your skills.

0xdf’s recommendations

1. Note-taking is key. Writing something down is a great way to lock in information. Create some key sections in a way that works for you. I use markdown files in Typora, but find what works best for you.

2. When you first start, you are missing a lot of the information needed to complete a machine. Work alongside write-ups / video solutions, but don’t copy and paste. Type commands in, and make sure you understand what they do. Quiz yourself about what would happen if you changed various arguments in the commands, and then check if you are correct. Record the tools and syntax you learned in your notes for future reference.

3. Once you start being able to predict what the write-up author will do next, start working out ahead of the write-up/video. Try the various techniques from your notes, and you may start to see vectors to explore. When you get stuck, go back to the write-up and read/watch up to the point where you’re stuck and get a nudge forward. Make sure to update your notes with the new techniques you’ve learned.

4. Over time, you’ll find your notes contain more and more of what you need to explore a box. The secret is to find the balance. The more you practice, the less you want to rely on walkthroughs. That said, even the most talented hackers will often work in teams because anyone can get stuck.

How to learn to hack and defend with HTB (step-by-step)

Step 0: Start with your immediate learning needs 

From absolute beginners to high-level cybersecurity professionals, Hack The Box makes learning how to hack a fun, gamified experience for millions of hackers around the globe. You can start by learning the foundational fundamentals, transition into hands-on training that forces you to compromise realistic environments, compete in Capture The Flag events, and even land your first cybersecurity job. (I got my first ethical hacking job thanks to my public HTB rank.) 

But where should you start based on all the different options that we offer? 

1. HTB Academy: If you’re starting from scratch, the Academy will get you upto speed with step-by-step training on different hacking skills and topics. So if for example you have zero knowledge of networking, or want to master a specific network reconnaissance tool, like Nmap, the Academy will provide you with guided theoretical training and interactive exercises on live targets to reinforce your skills. 

2. HTB Labs: Test, grow, and prove your practical skills with a massive pool of hackable environments that simulate up-to-date security vulnerabilities and misconfigurations. New labs are added every week, ensuring the content is always up-to-date and the fun unlimited. Players can learn all the latest attack paths and exploit techniques. (If you’re new to HTB Labs, use the Starting Point Labs to familiarize yourself with our platform and the Machines they contain. 

3. HTB CTFs: Compete with other hackers around the globe. Capture the flag events are gamified competitive hacking events that are based on different challenges or aspects of information security. They are excellent for experienced hackers looking to develop, test, and prove their skills because they gamify hacking concepts. 

   

Step 1: Join the HTB community

Our community is the core purpose of everything we do! We are hackers at heart.

• 4M+ members around the world

• 195 countries and territories

• 3.5k Discord messages every day

• 5.1k forum threads (for any box)

First of all, here is the Community Manifesto, how hackers behave with each other. 

We believe in making an inclusive, equal-opportunity, and diverse community. We try our best to provide a safe and happy place to all of our hackers, where the only thing that matters is a passion for cyber.

To enjoy Hack The Box to the fullest, you certainly cannot miss our main communication channels, where the real magic is happening! Join our Discord and forum. We normally disclose the latest updates and new features on Discord first, so…you better be part of it. 

Also on Discord, we have targeted channels per topic or skill level. Plus we are the biggest InfoSec Server with more than 200K members from all around the world. Join the discussions, ask any questions, find a study buddy, and get inspired.

HTB Team Tip: Make sure to verify your Discord account. To do that, check the #welcome channel. For the forum, you must already have an active HTB account to join.

HTB Learn more about the HTB Community

Step 2: Build your own hacking VM (or use Pwnbox) 

In order to begin your hacking journey with the platform, let’s start by setting up your own hacking machine. It will be a virtual environment running on top of your base operating system to be able to play and practice with Hack The Box. (This is the most important step for every hacker in the making.)

You can make it quick and easy by installing one of the following virtualization applications:

• VMWare Workstation Player

• Oracle VirtualBox

After installing your preferred virtualization software, select your operating system of choice. Here, you can learn everything about Parrot OS.

HTB Team Tip: Always install a stable version! 

Are you having difficulties with the installation process, or don’t have the necessary hardware or networking capabilities to run a virtual machine? Don’t give up, there is a solution. The answer is Pwnbox!

Pwnbox is a Hack The Box customized ParrotOS VM hosted in the cloud. It can be accessed via any web browser, 24/7. It’s HTB customized and maintained, and you can hack all HTB labs directly.

How to play machines with Pwnbox by HackerSploit  

How to play Pwnbox video by STÖK 

Step 3: Visit our knowledge base

Now if you still have questions we got you covered! For 99.99% of your HTB questions we have an answer and you can find them all in our Knowledge Base. This is a must visit resource for anyone who’s getting started with our platform.

Here are some friendly suggestions for something that might be crucial for you at this point:

• Getting started - Introduction to HTB

• Getting started - Setting up your account

• Getting started - VPN access

• Getting started - How to play machines

Step 4: Tools, tools, tools

These are the must-have tools you will need to master before you dive into hacking! 

• Nmap: Scan the network like a pro! Add your target IP, range of ports, type of scan and hit enter!

Recommended: Free Academy Module Network Enumeration with Nmap

• Metasploit: A framework that makes hacking simple. Set your target, pick an exploit and payload and hit run! 

• Curl/Burp: Inspect, modify and interact with web requests like an expert. 

Recommended: Free Academy Module Web Requests

• Ffuf/GoBuster/Seclists: Web application fuzzing to find hidden directories, files and more is a must. 

Recommended: Free Academy Module Attacking Web Applications with Ffuf

• Windows OS: Popular operating system for personal and corporate use. Learn the fundamentals to hack it.

Recommended: Free Academy Module Windows Fundamentals 

• Linux OS: Popular operating system in the security/InfoSec scene but also for many sysadmins. 

Recommended: Free Academy Module Linux Fundamentals

Step 5: Discover starting point

Starting Point is a series of free beginner-friendly Machines paired with write-ups that give you a strong base of cybersecurity knowledge and introduce you to the HTB app. You’ll train on operating systems, networking, and all the juicy fundamentals of hacking.

Try Starting Point Machines

Step 6: Complete the beginner track

It is time for the classics! Pwn the following list of machines, capture the user and root flags, and complete the Beginner Track today! You’ll be feeling like a hacker. You’re almost there! Click here to get started.

Step 7: Study, study, and then study some more

The Beginner Track was a nice first hands-on taste, right? The best is coming now. There are plenty of additional resources to explore and engage before getting the 100% out of all HTB training. 

• Write-ups and video walkthroughs

• Active and retired boxes

• Other cool tracks including: Intro to Dante, The Classics, OWASP TOP 10 

HTB Team Tip: Start on your own, explore the tools, watch the videos below and then level up your hacking with our subscriptions!

HTB Watch List 🍿

Some recommended video walkthroughs to get started:

• Active: Watch Video | Play Machine

• Forest: Watch Video | Play Machine

• Access: Watch Video | Play Machine 

• Traceback: Watch Video | Play Machine 

• OpenAdmin: Watch Video | Play Machine 

• Writeup: Watch Video | Play Machine