June 30, 2026
How I Would Learn Ethical Hacking in 2026 If I Started From Zero.
What I Got Wrong The First Time

By CYBER MIND SPACE
If I started today with everything I know now, my first eighteen months would have taken six.
Not because I'm smarter now. Because I wasted enormous time on the wrong sequence — courses that built vocabulary instead of skill, certifications attempted before the foundation existed to support them, and months spent "preparing to start" instead of starting.
This is the path I'd actually take. No filler. No motivational padding. Just the sequence, the resources, and the reasoning behind each decision.
Month 1: Linux, Not a Linux Course
Skip the Linux fundamentals course. Install Kali or Ubuntu in a VM and make it your daily driver for thirty days.
Not for tutorials — for friction. Use it to write documents, browse the web, manage files. When something breaks, fix it by reading the error and searching, not by following a guided lesson.
This produces actual command-line fluency in weeks, not months. The fluency that matters isn't memorized commands — it's the instinct to read an error message and know where to look.
Resource: None paid. VirtualBox + Kali Linux ISO. Free.
Time: 1–2 hours daily, 30 days.
Month 1–2: Networking, Through Wireshark, Not Memorization
Run parallel to month 1. Open Wireshark. Watch a DNS query resolve. Watch a TCP handshake complete. Watch what an HTTPS connection actually looks like on the wire.
The OSI model, TCP/IP, DNS, ARP — all become real when you can see them happening instead of memorizing definitions for an exam.
Resource: Wireshark (free) + your own home network. No course needed for this stage.
The specific exercise that matters: Capture traffic while browsing a website. Identify the DNS query, the TCP handshake, the TLS negotiation, the HTTP request. Do this until it's boring. Boring means internalized.
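To make the exercise concrete, here is an added example (not code from the original post) that does by hand what Wireshark's dissectors do on screen: it walks a handful of raw Ethernet frames and labels each one as the DNS query, the DNS response, the three steps of the TCP handshake, the TLS ClientHello/ServerHello, or a plain HTTP request and response. The frames are constructed inline with the standard-library `struct` module, so nothing is captured from a live network; the MAC addresses, IP addresses and ports are made-up sample values.

```python
import struct

# Constructed sample addresses (not a real capture)
CLIENT_IP, RESOLVER_IP, WEB_IP = b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x01", b"\x5d\xb8\xd8\x22"
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


# ---- Frame builders: just enough of each header to be dissected ----
def eth(payload, ethertype=0x0800):
    # 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType (0x0800 = IPv4)
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload


def ipv4(payload, proto, src, dst):
    # Minimal 20-byte IPv4 header; the checksum is left at 0 because nothing validates it here
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst) + payload


def tcp(payload, sport, dport, flags, seq=0, ack=0):
    # 20-byte TCP header: data offset 5 words (no options), then the flag byte
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def udp(payload, sport, dport):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dns_message(name, response=False):
    # Header: id, flags (QR bit set for a response), qdcount, ancount, nscount, arcount; then the question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    flags, ancount = (0x8180, 1) if response else (0x0100, 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + qname + struct.pack("!HH", 1, 1)
    if response:  # one A record, name compressed as a pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + WEB_IP
    return msg


def tls_record(handshake_type):
    # TLS record header (content type 0x16 = handshake) wrapping a minimal handshake message
    hs = bytes([handshake_type]) + b"\x00\x00\x02\x03\x03"
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# ---- Dissector: the same questions you answer by eye in Wireshark ----
def classify(frame):
    """Label one Ethernet frame the way Wireshark's protocol column would."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "non-IPv4"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length is in 32-bit words
    proto = ip[9]
    l4 = ip[ihl:]
    if proto == 17:                   # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
        if 53 in (sport, dport) and len(payload) >= 12:
            return "DNS response" if payload[2] & 0x80 else "DNS query"  # QR bit
        return "UDP other"
    if proto == 6:                    # TCP
        sport, dport, _seq, _ack, offset, flags = struct.unpack("!HHIIBB", l4[:14])
        payload = l4[(offset >> 4) * 4:]
        if flags & SYN:
            return "TCP SYN-ACK" if flags & ACK else "TCP SYN"
        if payload:
            if payload[0] == 0x16 and len(payload) > 5:
                return {0x01: "TLS ClientHello", 0x02: "TLS ServerHello"}.get(payload[5], "TLS handshake")
            if payload.split(b" ", 1)[0] in HTTP_METHODS:
                return "HTTP request"
            if payload.startswith(b"HTTP/"):
                return "HTTP response"
            return "TCP data"
        return "TCP ACK" if flags & ACK else "TCP other"
    return "IPv4 other"


def summarize(frames):
    return [classify(f) for f in frames]


# Constructed "browse a website" session: resolve the name, handshake, TLS hellos, and one plain-HTTP exchange
SAMPLE_CAPTURE = [
    eth(ipv4(udp(dns_message("example.com"), 51234, 53), 17, CLIENT_IP, RESOLVER_IP)),
    eth(ipv4(udp(dns_message("example.com", response=True), 53, 51234), 17, RESOLVER_IP, CLIENT_IP)),
    eth(ipv4(tcp(b"", 40000, 443, SYN, seq=1000), 6, CLIENT_IP, WEB_IP)),
    eth(ipv4(tcp(b"", 443, 40000, SYN | ACK, seq=5000, ack=1001), 6, WEB_IP, CLIENT_IP)),
    eth(ipv4(tcp(b"", 40000, 443, ACK, seq=1001, ack=5001), 6, CLIENT_IP, WEB_IP)),
    eth(ipv4(tcp(tls_record(0x01), 40000, 443, PSH | ACK, seq=1001, ack=5001), 6, CLIENT_IP, WEB_IP)),
    eth(ipv4(tcp(tls_record(0x02), 443, 40000, PSH | ACK, seq=5001, ack=1050), 6, WEB_IP, CLIENT_IP)),
    eth(ipv4(tcp(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 40001, 80, PSH | ACK, seq=1, ack=1), 6, CLIENT_IP, WEB_IP)),
    eth(ipv4(tcp(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", 80, 40001, PSH | ACK, seq=1, ack=40), 6, WEB_IP, CLIENT_IP)),
]

if __name__ == "__main__":
    for number, label in enumerate(summarize(SAMPLE_CAPTURE), 1):
        print(f"{number:2d}  {label}")
```

Once the labels are boring, the next step is to save a real capture from your own browsing and run the same dissector over it: every place it says "TCP data" or "UDP other" is a protocol you have not yet looked at.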
Month 2–4: Web Application Security — PortSwigger Web Security Academy
This is the highest-value free resource in the entire field. Built by the team behind Burp Suite. Every lab is a real vulnerability class in a realistic simulated application.
Work through it systematically: SQL injection, XSS, CSRF, authentication flaws, access control, SSRF, business logic vulnerabilities. Don't skip categories because they seem boring. The vulnerability class you skip is the one you'll miss on a real target.
Resource: PortSwigger Web Security Academy. Free. Burp Suite Community Edition. Free.
Time: 2–3 hours daily, 8–10 weeks for comprehensive coverage.
Why this comes before certifications: Web application vulnerabilities are the most common attack surface in bug bounty and a significant component of most penetration testing engagements. Building this skill first gives you something to apply immediately — real targets exist the moment you finish.
Month 4–6: TryHackMe and HackTheBox — Applied Practice
Now you have networking fundamentals, Linux comfort, and web application methodology. Apply all three against machines designed to require chaining these skills together.
Start with TryHackMe's beginner-friendly rooms. Move to HackTheBox once you're consistently rooting easy and medium machines without walkthroughs.
The discipline that matters here: try every machine for a minimum of two hours before looking at any hint or walkthrough. The struggle is where the learning happens. A walkthrough consulted too early teaches you to follow instructions, not to think.
Resource: TryHackMe free tier or $14/month subscription. HackTheBox free tier or similar pricing.
Time: 10–15 hours weekly.
The specific skill being built: Methodology under uncertainty. Real targets don't tell you which vulnerability class is relevant. You have to enumerate, hypothesize, test, and adjust — the exact loop that professional engagements require.
Month 6: Your First Bug Bounty Submission
Stop waiting to feel ready. Pick a public program on HackerOne or Bugcrowd with a wide scope and a history of accepting lower-severity findings from newer hunters.
You will likely find duplicates first. This is normal and informative — it tells you that your methodology works, just not fast enough to be first.
Document every submission as a full professional report regardless of outcome: vulnerability description, reproduction steps, impact, remediation. This habit, built now, becomes the foundation of your reporting skill for the rest of your career.
Resource: Free. HackerOne and Bugcrowd public programs.
Why this matters more than another course: This is the first moment your skill meets a real, unguided target with real consequences. No lab can replicate this. The feedback — accepted, duplicate, informational, rejected — is the most honest teacher in the field.
Month 7–9: Active Directory and Internal Network Attacks
Web application security covers one attack surface. Most real penetration testing engagements involve internal networks, and Active Directory environments specifically.
Build this skill through dedicated AD-focused labs: HackTheBox's Pro Labs (Offshore, RastaLabs) or similar multi-machine AD environments. Learn Kerberoasting, AS-REP roasting, Pass-the-Hash, BloodHound for attack path mapping, and common AD misconfigurations like unconstrained delegation and ACL abuse.
Resource: HackTheBox Pro Labs (paid, approximately $20–30/month) or free AD-focused rooms on TryHackMe as a budget alternative.
Time: 10–15 hours weekly.
Why this comes here and not earlier: AD attacks require comfort with Windows environments, basic scripting, and the patience to chain multiple small findings into a complete compromise path. Attempting this in month two would produce frustration without comprehension. By month seven, the foundation supports it.
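Learning these techniques properly also means knowing what they leave behind, because that is how a blue team will judge your engagement reports. As an added example (not from the post or from any of the labs it names), here is the defender's view of Kerberoasting: a domain controller logs every service ticket request as Security Event 4769, and the two signals a detection engineer looks for are a ticket requested with RC4-HMAC (TicketEncryptionType 0x17) for a user-backed service account, and one requester asking for tickets to many distinct services in a short span. The event field names and the 0x17 value are real; the events below are constructed, and the burst threshold is an assumption to tune per environment.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event 4769 (0x12 is AES256)

# Constructed sample events (not real logs), shaped like the fields of Windows Security Event 4769.
# TargetUserName is the account requesting the ticket; ServiceName is the account the ticket is for.
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-06-30T09:00:01", "IpAddress": "10.0.0.5", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2026-06-30T09:00:02", "IpAddress": "10.0.0.5", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2026-06-30T09:03:10", "IpAddress": "10.0.0.77", "TargetUserName": "contractor@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2026-06-30T09:03:10", "IpAddress": "10.0.0.77", "TargetUserName": "contractor@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2026-06-30T09:03:11", "IpAddress": "10.0.0.77", "TargetUserName": "contractor@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2026-06-30T09:05:00", "IpAddress": "10.0.0.9", "TargetUserName": "appsrv$@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2026-06-30T09:06:00", "IpAddress": "10.0.0.12", "TargetUserName": "legacyapp@CORP.LOCAL",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def is_roastable_service(service_name):
    """User-backed service accounts are the interesting targets; machine accounts ($) and krbtgt are not."""
    return service_name != "krbtgt" and not service_name.endswith("$")


def rc4_service_ticket_requests(events):
    """Successful TGS requests for user-backed services with RC4 encryption: each one deserves a look.
    A single hit may be a legacy application, which is why the burst check below exists as well."""
    return [e for e in events
            if e["Status"] == "0x0"
            and e["TicketEncryptionType"] == RC4_HMAC
            and is_roastable_service(e["ServiceName"])]


def burst_requesters(events, threshold=3):
    """Requesters that asked for tickets to at least `threshold` distinct user-backed services.
    Returns {(source ip, requesting user): sorted service names}. The threshold is an assumption."""
    seen = defaultdict(set)
    for e in events:
        if e["Status"] == "0x0" and is_roastable_service(e["ServiceName"]):
            seen[(e["IpAddress"], e["TargetUserName"])].add(e["ServiceName"])
    return {key: sorted(services) for key, services in seen.items() if len(services) >= threshold}


if __name__ == "__main__":
    for e in rc4_service_ticket_requests(SAMPLE_EVENTS):
        print(f"RC4 ticket: {e['TargetUserName']} from {e['IpAddress']} -> {e['ServiceName']} at {e['TimeCreated']}")
    for (ip, user), services in burst_requesters(SAMPLE_EVENTS).items():
        print(f"burst: {user} from {ip} requested {len(services)} services: {', '.join(services)}")
```

Read the two alerts together: the contractor's host trips both (three RC4 tickets for three different service accounts within a second), while the legacy application trips only the encryption check, which is exactly the kind of finding that belongs in an engagement report's remediation section (move the account to AES, or retire it) rather than the exploitation narrative.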
Month 9–12: OSCP — Now It's Earned, Not Aspirational
By month nine, if the previous phases were done with genuine engagement rather than passive consumption, OSCP becomes a realistic target rather than a stretch goal.
The OSCP doesn't teach you penetration testing from scratch. It validates and structures methodology you should already be building. Attempting it as your first real hands-on experience — which is what most beginners do — produces unnecessary failure and wasted exam attempts.
Complete the PEN-200 course material fully. Do every lab exercise. Build a personal methodology document — your own decision tree for enumeration, exploitation, and privilege escalation — before sitting the exam.
Resource: OffSec PEN-200 course + exam. Approximately $1,599–$2,499 depending on package and lab time.
Time: 3 months of structured preparation minimum.
The honest note: This is the first paid resource in this roadmap that costs more than $30. It is the first one where I'd recommend spending real money — because by this point you have enough foundation that the investment converts into genuine skill rather than premature exam attempts.
Month 10–12: Build in Public, Simultaneously
Parallel to OSCP preparation, start publishing.
Write technical breakdowns of vulnerability classes you've studied. Document your bug bounty methodology. Build one tool — even something simple, like a wrapper script that combines two recon tools you use regularly — and put it on GitHub with a proper README.
This is not optional polish. This is the visibility layer that converts technical skill into career opportunities. A hiring manager evaluating two candidates with similar lab experience will choose the one whose thinking is visible and verifiable over the one whose skill exists only in private study notes.
Resource: Free. Your own blog, Medium, or LinkedIn. GitHub for tools.
Time: 2–3 hours weekly, consistent.
The compounding effect: Twelve months of consistent technical writing produces a searchable body of work. When a hiring manager searches your name, the first page of results should be your own work, not an empty profile.
The Total Cost
- PortSwigger Academy: $0
- TryHackMe: $0–168 (12 months at $14/month, optional)
- HackTheBox: $0–168 (similar optional subscription)
- HackTheBox Pro Labs: $60–90 (2–3 months during AD phase)
- OSCP: $1,599–2,499
Total range: $1,659 to $2,925 over twelve months, with the overwhelming majority of that cost concentrated in the OSCP itself — the one credential in this entire roadmap that genuinely requires financial investment to access.
Compare this to the traditional advice path: CompTIA A+ ($492) → Network+ ($358) → Security+ ($392) → CEH ($1,199) → finally arriving at something hands-on, having spent over $2,400 and 12+ months before touching a real target.
The path above gets you hands-on by month one and produces your first real bug bounty submission by month six — for a fraction of the cost, because the expensive resource (OSCP) is positioned where it actually adds value instead of front-loaded before any foundation exists.
What This Roadmap Deliberately Skips
CompTIA A+. A help desk certification, not a security foundation. Covered in detail elsewhere — it doesn't belong on a security-focused path.
CEH. Widely regarded within the practitioner community as low-signal. The exam tests recognition of terminology, not applied skill. The cost-to-value ratio doesn't justify inclusion when OSCP exists.
Generic "cybersecurity fundamentals" bootcamps. Most repackage free content (networking basics, intro to Linux, intro to security concepts) at a markup, with completion certificates that carry minimal hiring signal compared to demonstrated practical skill.
Months of pure theory before any hands-on practice. The traditional advice sequence delays contact with real systems until a "foundation" is judged complete. This roadmap inverts that — foundation and application happen in parallel from week one.
What Changes If You Have Less Time or Less Money
If you can only commit 5–8 hours weekly instead of 15–20, extend every phase proportionally. The sequence doesn't change — the pace does.
If the OSCP budget isn't available, the path still works without it. PortSwigger Academy, free-tier TryHackMe/HackTheBox machines, and consistent bug bounty practice can take you to an entry-level offensive security role without a single paid certification, provided you can demonstrate real findings and a documented methodology. It takes longer and the door is narrower, but it is not closed.
If you have more money than time, the OSCP timeline can compress with focused, intensive preparation. Money buys lab time and structured content. It does not buy the hours of hands-on struggle that actually build the skill being tested.
The One Variable That Determines Everything
Every resource in this roadmap is available to everyone reading this article. The free ones cost nothing. The paid ones cost less than most people spend on subscriptions they don't use.
The variable that separates the people who follow this path successfully from the people who read it and do nothing is not access. It's the willingness to sit with a target for three hours before looking at a hint. To submit the bug bounty report knowing it's probably a duplicate. To publish the technical writeup that isn't perfect. To start month one today instead of after one more preparatory course.
The roadmap is not the hard part. Following it is.
Key Takeaways
- Skip Linux and networking courses — build fluency through daily use and Wireshark observation instead
- PortSwigger Web Security Academy is the highest-value free resource in the entire field — start here, not with a certification
- Apply skills against real machines (TryHackMe, HackTheBox) before attempting any unguided real-world target
- Your first bug bounty submission should happen by month six — duplicates and rejections are data, not failure
- OSCP belongs at month nine to twelve, after foundation exists — not as your first hands-on experience
- Build in public from month ten onward — visibility compounds into opportunity in ways private study never does
- Total realistic cost: $1,659–$2,925 over twelve months, concentrated almost entirely in OSCP itself
- The roadmap is freely available to everyone — the willingness to follow it through discomfort is the actual scarce resource