RC RANDOM CHAOS

Pick offense or defense

Two paths into infosec - offense and defense - broken down at the mechanism level. Foundation, tooling, telemetry, and the divergence point.


There are two viable entry vectors into information security. Offense and defense. Both require the same foundation. Both diverge sharply once the foundation is in place. Pick one based on how you think, not on which sounds more interesting in a job description.

The foundation is non-negotiable. You need to understand how a computer actually executes code. Not abstractly. Specifically. The CPU fetches an instruction from memory at the address held in the instruction pointer. It decodes the opcode. It executes against registers and memory. It updates flags. It advances. Every exploit primitive - every detection - collapses back to this loop. If you cannot describe what happens when a function returns and the saved RIP is overwritten, you are not ready for either path. Read Intel’s Software Developer’s Manual Volume 1. Read it again when you understand 30% of it.

You need operating system internals at the same level. Process address space layout. Virtual memory and page tables. The user-mode to kernel-mode transition. Syscalls. How DLLs are loaded on Windows and how the linker resolves symbols on Linux via the GOT and PLT. How a thread context is stored and switched. The Windows Internals book by Russinovich and Solomon is the reference. On Linux, read the kernel documentation directly and trace a syscall from libc through the vDSO into the kernel. T1055 process injection makes no sense without this. Neither does detecting it.

Networking comes next. TCP three-way handshake. TLS 1.3 handshake including the ClientHello extensions and the key schedule. DNS resolution including CNAME chains and NXDOMAIN behaviour. HTTP/1.1 versus HTTP/2 framing. ARP and how MAC address resolution becomes a local network attack primitive. You should be able to read a packet capture in Wireshark and identify a SYN scan, a TLS handshake failure, a DNS exfiltration pattern, and a beacon by visual inspection of timing and size distribution. If you cannot, every detection rule you write later will be guesswork.

Programming is the last foundation piece. C is mandatory. Not because you will write production C, but because every memory corruption bug class - stack overflow, heap overflow, use-after-free, double free, type confusion, integer overflow leading to undersized allocation - is a C-level concept. Python for tooling. One scripting language for automation, ideally PowerShell if you intend to operate in Windows environments because attackers do, and detection engineers must read what attackers write. Assembly at the level of reading, not writing. x86-64 and ARM64. You need to disassemble a function and understand the calling convention, the prologue and epilogue, and what a ROP gadget looks like.

That is the floor. Six to twelve months if you are disciplined. Now the paths diverge.

The offensive path begins with vulnerability research and moves through exploit development, red team operations, and adversary emulation. Start with web application vulnerability classes because the attack surface is largest and the feedback loop is fastest. SQL injection, including blind and time-based variants. Server-side request forgery and the cloud metadata pivot - IMDSv1 on AWS yields credentials to a process that should not have them. Insecure deserialization in Java, .NET, Python pickle, and PHP. XML external entity processing. Server-side template injection. Each class has a mechanism. Memorise the mechanism, not the payload. PortSwigger’s Web Security Academy is the curriculum. Complete it. The labs are not optional.

Move from web to binary. Buffer overflows on Linux x86-64 with NX and ASLR disabled, then with NX enabled and ROP required, then with full ASLR and a leak primitive required. Use-after-free in C++ class hierarchies and how vtable pointers become control flow. Heap exploitation against modern allocators - glibc tcache, Windows segment heap, jemalloc. Format string bugs. Read the original Phrack articles. Read the Project Zero blog from start to current. Solve pwn challenges on pwn.college and pwnable.kr. Write your own crackmes. Disassemble malware that has already been analysed publicly and confirm the analyst’s findings.

Learn one C2 framework deeply. Cobalt Strike if you have legitimate licence access through an employer. Sliver, Mythic, or Havoc otherwise. Understand the beacon protocol. Understand how malleable C2 profiles modify the traffic shape. Understand process injection variants - T1055.012 process hollowing, T1055.001 DLL injection, T1055.004 APC injection - at the API level. CreateProcess with CREATE_SUSPENDED, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread. Each call is a telemetry source the defender will see if they are watching.

The MITRE ATT&CK matrix is your map. Memorise the tactics. T1190 exploit public-facing application. T1078 valid accounts. T1059 command and scripting interpreter. T1003 OS credential dumping with subtechniques for LSASS memory, SAM, and DCSync. T1486 data encrypted for impact. Every technique has known tooling, known telemetry, and known detections. Knowing all three is what separates an operator from someone running scripts.

The defensive path begins with detection engineering and moves through incident response, threat hunting, and ultimately back into vulnerability research from the defender’s side. Start with telemetry. Sysmon on Windows configured with the SwiftOnSecurity or Olaf Hartong baseline. Event ID 1 for process creation with full command line. Event ID 3 for network connections. Event ID 7 for image loads. Event ID 8 for CreateRemoteThread. Event ID 10 for ProcessAccess with a granted access mask of 0x1010 or 0x1410 against lsass.exe. Event ID 11 for file creation. Event ID 22 for DNS queries. Each ID maps to attacker techniques. Memorise the mapping.
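The Event ID 10 mapping above, worked through as an added example (my code, not the author's and not a Sysmon or Sigma rule): the check decodes the 0x1010 and 0x1410 masks into their Win32 access rights and flags processes that open lsass.exe with one of them, skipping an allowlist of expected readers. The sample events, file paths and the MsMpEng.exe allowlist entry are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Win32 access bits behind the masks in the text: 0x1010 = VM_READ | QUERY_LIMITED_INFORMATION, 0x1410 adds QUERY_INFORMATION.
RIGHTS = {0x0010: "PROCESS_VM_READ", 0x0400: "PROCESS_QUERY_INFORMATION",
          0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
SUSPICIOUS_MASKS = {0x1010, 0x1410}
BENIGN_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}  # hypothetical allowlist; tune per estate

def describe_mask(mask):
    """Name the known access bits set in a GrantedAccess value, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event rendered as XML into {field: value}, ignoring the EVTX namespace."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields

def is_suspicious_lsass_access(ev):
    """Event ID 10 against lsass.exe with one of the named masks, from a source not on the allowlist."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    return int(ev.get("GrantedAccess", "0"), 16) in SUSPICIOUS_MASKS

def scan(xml_events):
    """Return (SourceImage, rights) for every event that should raise an alert."""
    hits = []
    for ev in map(parse_sysmon_event, xml_events):
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], describe_mask(int(ev["GrantedAccess"], 16))))
    return hits

def _event(source, target, access):
    """Build a minimal constructed Sysmon event (sample data, not a real capture)."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<EventID>10</EventID></System><EventData><Data Name="SourceImage">{source}</Data>'
            f'<Data Name="TargetImage">{target}</Data><Data Name="GrantedAccess">{access}</Data>'
            f"</EventData></Event>")

SAMPLE_EVENTS = [  # constructed: one real hit, one allowlisted reader, one mask outside the rule's scope
    _event(r"C:\Users\bob\Downloads\tool.exe", r"C:\Windows\System32\lsass.exe", "0x1010"),
    _event(r"C:\Program Files\Windows Defender\MsMpEng.exe", r"C:\Windows\System32\lsass.exe", "0x1410"),
    _event(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\lsass.exe", "0x1000"),
]
```

The allowlist is where the false positive surface lives: every product that legitimately reads lsass memory has to be enumerated there, or the rule becomes the 4000-alerts-a-day noise the text warns about.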

Windows Security event log gives you 4624 logon events with logon types - type 3 network, type 10 RDP, type 9 new credentials. 4688 process creation if command line auditing is enabled. 4769 Kerberos service ticket requests for Kerberoasting detection. 4662 directory service access for DCSync detection on the krbtgt account. 5145 file share access. The defender who cannot recite the relevant event IDs without reference will miss the attack.

Learn Sigma rule syntax. Translate Sigma to your SIEM query language - KQL for Sentinel, SPL for Splunk, EQL for Elastic. Read the Elastic Detection Rules repository. Read the Sigma rules repository. Understand why each rule fires and what the false positive surface looks like. A detection rule that fires 4000 times a day is not a detection. It is noise that hides the real signal.

EDR telemetry is the next layer. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black. The vendor differs. The data model is similar. Process tree. Image loads. File operations. Registry operations. Network connections. Script content from AMSI on Windows. The defender reads this telemetry against known TTPs and writes correlation logic that survives attacker variation. Atomic Red Team is the testing framework. Run the atomics in a lab. Observe what fires. Observe what does not. The gap between executed technique and triggered alert is the visibility deficit. Closing it is the job.

Network detection complements endpoint. Zeek for protocol metadata. Suricata for signature-based IDS. RITA or similar for beacon detection through connection interval analysis and payload size distribution. JA3 and JA4 fingerprinting for TLS client identification. DNS query analysis for tunnelling and exfiltration patterns. The attacker who beacons every 60 seconds with 200-byte payloads is visible in Zeek conn.log if you query for it. The defender who does not query does not see.
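The 60-second, 200-byte beacon described above, detected over constructed conn.log records as an added example (my code, not the author's and not RITA's algorithm): flows are grouped per source, destination and port, and a pair is flagged when the median inter-connection interval shows little jitter and orig_bytes stays near-constant. The thresholds, addresses and the reduced #fields header are assumptions; parsing is header-driven, so a full Zeek conn.log with its extra columns works unchanged.

```python
import statistics
from collections import defaultdict

def parse_conn_log(text):
    """Parse Zeek conn.log TSV using its #fields header, so extra columns in a real log are fine."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def find_beacons(rows, min_conns=8, max_jitter=0.15, max_size_cv=0.2):
    """Flag (src, dst, dport) pairs whose connection intervals are regular and orig_bytes near-constant."""
    groups = defaultdict(list)
    for r in rows:
        size = 0 if r["orig_bytes"] == "-" else int(r["orig_bytes"])
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append((float(r["ts"]), size))
    findings = {}
    for key, flows in groups.items():
        if len(flows) < min_conns:
            continue
        flows.sort()
        gaps = [b[0] - a[0] for a, b in zip(flows, flows[1:])]
        sizes = [s for _, s in flows]
        med = statistics.median(gaps)
        if med <= 0 or not statistics.mean(sizes):
            continue
        jitter = statistics.median(abs(g - med) for g in gaps) / med   # MAD relative to the interval
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)  # spread of payload sizes
        if jitter <= max_jitter and size_cv <= max_size_cv:
            findings[key] = {"conns": len(flows), "interval_s": round(med, 1),
                             "jitter": round(jitter, 3), "bytes": round(statistics.mean(sizes))}
    return findings

def make_sample_log():
    """Constructed conn.log (not a capture): a 60 s / ~200-byte beacon plus irregular browsing."""
    lines = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes"]
    for i, j in enumerate([0, 0.5, 0.5, -0.5, -0.5, 0.5, 0.5, 0, 0, 0.5]):   # small timing jitter
        lines.append(f"{1000 + 60 * i + j}\tC{i}\t10.0.0.5\t{50000 + i}\t203.0.113.10\t443\ttcp"
                     f"\t{204 if i == 9 else 200}\t1200")
    t = 2000.0
    for i, (gap, size) in enumerate(zip([0, 3, 40, 7, 120, 15, 2, 300, 9],
                                        [1500, 300, 9000, 700, 250, 4100, 880, 60, 2300])):
        t += gap
        lines.append(f"{t}\tD{i}\t10.0.0.7\t{51000 + i}\t198.51.100.20\t443\ttcp\t{size}\t15000")
    return "\n".join(lines)
```

Run `find_beacons(parse_conn_log(make_sample_log()))` to see only the 10.0.0.5 to 203.0.113.10:443 pair reported; the browsing flows share a port but fail the jitter test.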

Incident response procedure is the operating manual. NIST 800-61 is the framework. Identification, containment, eradication, recovery, lessons learned. The technical work inside the framework is forensic acquisition - memory capture with WinPmem or LiME, disk imaging with dd or FTK Imager, triage collection with KAPE. Volatility 3 plugins for memory analysis. Plaso and log2timeline for super timeline construction. The IR analyst reconstructs the attacker’s actions from artifacts. Prefetch files, ShimCache, AmCache, UserAssist registry keys, ScheduledTasks, WMI persistence in __EventFilter and __EventConsumer. Each artifact answers a specific question about what executed and when.

Both paths converge on threat intelligence. Read CISA Known Exploited Vulnerabilities. Read the Mandiant M-Trends report annually. Read CrowdStrike’s Global Threat Report. Read Cloudflare’s Radar reports for traffic-pattern intelligence. Track named threat groups by their TTPs, not their names - names change, TTPs persist. APT29 still uses cloud credential theft. Scattered Spider still uses help desk social engineering for MFA reset. ShinyHunters still hits CI/CD credential stores.

Certifications matter only as a forcing function for study. OSCP for offensive baseline. OSEP and OSED for offensive depth. GIAC GCFA, GCIH, GCFR for defensive depth. CISSP if compliance roles are the destination. The certificate is the receipt. The skill is the work that produced it.

The practical reality is this. The offensive path rewards patience with binaries, tolerance for failure, and obsession with mechanism. The defensive path rewards pattern recognition at scale, telemetry fluency, and the discipline to write detections that survive attacker adaptation. Most working professionals end up touching both. The foundation is the same. The mindset diverges. Pick the one that matches how you already think when you are not being paid to think about it.
