Cyber Security
Track from basics to pro.
Cryptography
Fundamentals
Networks
- OSI and TCP/IP models applied to security
- Common protocols and ports — and their risks
- Traffic sniffing with Wireshark
- ARP spoofing and MITM — poisoning the ARP table
- DNS attacks: spoofing, cache poisoning, and tunneling
- Firewall, IDS, and IPS — differences, rules, and limitations
- VPN and IPSec — tunnels, authentication, and use cases
- Network segmentation and VLAN — zone isolation and DMZ
Application & Code
- Secure coding — input validation, output encoding, fail secure
- Static analysis (SAST) — tools, false positives, CI integration
- Dynamic analysis (DAST) — fuzzing, scanning a running application
- Dependency management and CVE — lock files, SCA, patch policy
- Secrets management — never in code, vaults (Vault, Secrets Manager)
- Security-focused code review — what to look for, checklists, pull requests
System & Host
- Linux Hardening — users, SSH, firewall, SUID, and auditing
- Windows Hardening — GPO, UAC, AppLocker, and unnecessary services
- Privilege Escalation — common techniques and detection on Linux and Windows
- Malware Persistence — cron, registry, services, and startup
- Log Analysis — where they live, what to look for, and suspicious events
- Antivirus and EDR — signatures, heuristics, behavioral detection, and evasion
- Container Security — Docker, Kubernetes, images, capabilities, and network policies
Web — OWASP Top 10
- SQL Injection — Payloads, Bypass, and Prevention
- XSS: Reflected, Stored, and DOM-based
- CSRF — Forging Authenticated Requests
- SSRF — Accessing Internal Services Through the Server
- Broken Authentication and Session Management
- Broken Access Control and IDOR
- Insecure Deserialization — Code Execution via Manipulated Objects
- Sensitive Data Exposure
- Security Misconfiguration — Insecure Defaults and Exposed Settings
- Vulnerable Components and Software Supply Chain
Cloud
- Shared Responsibility Model — what belongs to the cloud provider vs the customer
- IAM and least privilege in the cloud — policies, roles, SCPs, and common mistakes
- Cloud misconfiguration — public S3, open security groups, bucket ACLs
- Secrets in the cloud — Secrets Manager, KMS, automatic rotation
- Logging and auditing in the cloud — CloudTrail, Cloud Audit Logs, event alerts
- Serverless and container security in the cloud — Lambda, ECR, EKS best practices
Defense (Blue Team)
DevSecOps
- Shift-left security — moving security earlier in the development cycle
- Secure pipeline — SAST, DAST, SCA in CI/CD and quality gates
- Image and IaC scanning — Trivy, Checkov, Terrascan, and shift-left infrastructure
- Secrets management in the pipeline — no credentials in env vars or logs
- Policy as code — OPA, Rego, and automatic rule enforcement
Governance & Compliance
- LGPD and GDPR — legal bases, data subject rights, DPO, and penalties
- ISO 27001 — ISMS, controls, PDCA cycle, and certification
- Risk management — identify, assess, treat, and accept risk
- Security policy — structure, approval, review, and communication
- Awareness and social engineering — phishing, pretexting, vishing, and simulations
Pentest & Offensive
- Pentest methodology — recon, enum, exploit, post-exploit, report
- OSINT — passive information gathering: Shodan, LinkedIn, WHOIS, Google dorks
- Scanning with nmap and masscan — ports, services, OS fingerprinting, stealth
- Service enumeration — banner grabbing, versions, exposed configurations
- Metasploit and manual exploitation — modules, payloads, shells
- Password attacks — brute force, hash cracking (hashcat), password spray
- Pivoting and lateral movement — reaching internal networks via a compromised host
- Pentest report — structure, CVSS, reproduction, remediation, executive summary