If you're learning web security, you've probably heard of PortSwigger Web Security Academy.

It offers:

  • Hundreds of free labs
  • Cheat sheets
  • Certifications
  • Progress tracking
  • Security research updates
  • Tools like Burp Suite

In theory, it's one of the best learning platforms for web security.

But for beginners?

It can feel extremely overwhelming.

Many people learn the theory of web attacks, but when they open PortSwigger labs, they ask the same question:

"Where do I even start?"

I know this feeling very well.

Because I went through the same thing.

My First Experience With PortSwigger

I started learning hacking when I didn't even own a laptop.

Yes.

I was literally running Linux on my mobile phone just to practice.

This was when I was in 12th grade.

At that time, I didn't understand:

  • How websites work
  • Frontend vs backend
  • Databases
  • HTTP requests

But instead of learning the basics…

I did what most beginners do.

I jumped straight into SQL Injection labs.

And it was a disaster.

3 Months… 5 Labs

It took me more than 3 months to solve just 5 SQLi labs.

Why?

Because I didn't understand SQL fundamentals.

I kept seeing terms like:

  • Blind SQL Injection
  • Boolean-based SQL Injection
  • Out-of-band SQL Injection

It felt like I was fighting the final boss of cybersecurity.

I genuinely believed:

"If SQLi is this hard… completing all PortSwigger labs will take a lifetime."

And the same fear existed for other categories:

  • Authentication
  • XSS
  • Web Cache Poisoning

Everything looked impossible.

Fast Forward to Today

Yesterday, I created a new PortSwigger account.

I started solving labs again.

This time something shocking happened.

I solved 29 labs in a single session.

No confusion. No fear. No frustration.

And suddenly I realized something:

I wasn't bad at hacking before. I was just missing the fundamentals.

The Biggest Mistake Beginners Make

Most beginners try to break systems before understanding them.

That's backwards.

Before learning attacks, you should understand:

  • How websites work
  • How databases work
  • How authentication works
  • How HTTP requests work

Once these concepts are clear, many "complex" attacks suddenly become very simple.

A Better Way to Learn (Example: Cross-Site Scripting — XSS)

Instead of jumping directly into labs, do this:

Step 1 — Learn the Basics

Focus only on the core fundamentals:

  • How HTML works
  • Basic JavaScript concepts
  • How DOM manipulation works
  • How browsers render web pages
  • How user input is reflected in a page

Understanding these basics usually takes 2–3 weeks.

That's enough.

You don't need to become a JavaScript expert.

Step 2 — Start Practicing

Now start solving XSS labs.

At this point, you'll understand:

  • Why scripts execute
  • How input gets reflected in the page
  • How payloads actually work

You'll notice something surprising:

Labs that once felt impossible can now be solved in 2–3 days.

Why Most People Quit Cybersecurity

I've seen many people start learning cybersecurity.

Very few continue.

Why?

Because they get stuck, frustrated, and eventually think:

"Maybe this field isn't for me."

But the difference between those who quit and those who succeed is simple:

Those who succeed don't give up.

Sometimes you will even hate the thing you once loved.

But if you keep going, that passion becomes stronger.

Final Advice

If you want to succeed in cybersecurity:

Don't rush.

Learn how systems work first.

Breaking them will become much easier later.

If you're learning from PortSwigger, let me know:

  • What labs are you struggling with?
  • Which topic feels the hardest right now?

I'll try to help in the next article.

Next article: Learning Without Forgetting — PortSwigger