So you've decided to jump into the world of cybersecurity because the demand is skyrocketing (as they always say and I think it's shrinking, check out my recent video on claude code security).
Based on my long time on THM platform, there are hundreds of rooms and learning paths pulling you in a dozen different directions. Do you start hacking web apps? Do you learn Python? Do you jump straight into Metasploit?
While TryHackMe offers fantastic structured paths (like the Cyber Security 101 or Pre-Security tracks), sometimes you just need a no-nonsense, curated list of the absolute must-play rooms to build a rock-solid foundation.
And in this post, I will give you my top list to get started even without IT experience. Again as always, you can check out my video below for visual presentation
Networking
Before you can break into a system or defend a network, you need to understand how the digital world communicates. Below are the recommended rooms to learn networking:
Introductory Networking: If you don't understand the OSI model, TCP/IP, and basic tools like ping, traceroute, and whois, you are flying blind. When you're a SOC analyst staring at packet captures later, this knowledge will be your compass.
DNS in Detail: This is the phonebook of the internet. You need to understand domain-to-IP resolution because it's the backbone of everything and the target of massive attacks like DNS spoofing.
HTTP in Detail: How does your browser talk to a web server? What are HTTP headers and methods (GET, POST)? If you don't learn this, using advanced web testing tools like Burp Suite later will feel like trying to fly a spaceship with zero training.
Network Services 1 & 2: Now we expand. You'll get your hands dirty with SMB, Telnet, FTP, NFS, SMTP, and MySQL. You won't just learn what they are; you'll learn how to enumerate and exploit them.
Intro to LAN & Packets and Frames: You might wonder, Am I studying for a CCNA? No. But understanding ARP, DHCP, subnets, and the TCP 3-way handshake is crucial. AI can write code for you these days, but AI cannot untangle a physical or local network architecture for you. You need this knowledge to troubleshoot and hunt threats.
Operating Systems & Web
Now that you know how computers talk to each other, you need to understand the environments you'll be attacking and defending.
How Websites Work: A gentle introduction to the front-end (HTML, JavaScript) and back-end. You'll even get a taste of your first exploits: sensitive data exposure and HTML injection.
Windows & Linux Fundamentals (Parts 1–3): You cannot hack what you don't understand, and you cannot defend what you don't know. These rooms teach you the core components of the two major operating systems. Where are the weaknesses? Where do attackers hide? You'll find out here.
Active Directory Basics: Welcome to the corporate world. 99% of large enterprises run on Active Directory. If you want to investigate corporate breaches or conduct real-world penetration tests, you must understand AD users, group policies, and organizational units (OUs).
The Toolkit
Wait, shouldn't I learn to code first? In 2026, AI is doing a lot of the heavy lifting when it comes to writing scripts and in my video below I talked about how AI is starting to replace vulnerability scanners
But still learning programming basics goes a long way in pushing your further in your cyber career.
Python Basics & Bash Scripting: You need Python because it's the lingua franca of cyber. If you stumble across a Python backdoor during an incident, you need to read the variables and loops to understand the story it's telling. You need Bash because attackers use it to establish persistence on Linux servers.
Windows Command Line & PowerShell: When you finally exploit a Windows box, you'll land in a terminal, not a pretty graphical interface. If you don't know how to navigate via the command line or interpret a malicious PowerShell script, your attack stops right there.
Nmap: The legendary network mapper. This is your very first actual cyber tool. You'll use it to scan networks, find open ports, and even detect vulnerabilities using the Nmap Scripting Engine (NSE).
Red Teaming
It's time to put it all together.
Content Discovery: A massive part of web app penetration testing is finding what the developer tried to hide like admin panels, backup files, site maps.
Burp Suite: The Basics & Vulnversity: This is where the magic happens. Learn Burp Suite (the industry standard web testing proxy) and apply everything you've learned to actively compromise the vulnerable web server in the Vulnversity room.
Vulnerabilities 101 & Metasploit: Learn how vulnerabilities are scored (High, Medium, Low) and then fire up Metasploit, the world's most famous exploitation framework, to weaponize those vulnerabilities.
Linux & Windows Privilege Escalation: Getting onto a machine is only half the battle. If you only have a low-level user account, you can't prove the system is truly compromised. These rooms teach you how to become 'root' on Linux or the 'Administrator' on Windows.
The Blue Team
Traffic Analysis Essentials & Intro to Logs: If you want to be a defender, log files and network traffic are your crime scenes. Learn how to read them.
Wireshark (Basics & Packet Operations): The ultimate network protocol analyzer. When you need to dissect a suspicious packet down to the byte to see exactly what an attacker did, Wireshark is your microscope.
Malware Introductory: Learn the difference between static and dynamic analysis to understand exactly what that suspicious executable is doing to your environment.
Next Steps
Once you conquer this list, you have a formidable foundation. Your next step is to choose your path , do you want to dive deeper into the offensive side (Red Team) or the defensive side (Blue Team)?
TryHackMe has advanced paths for both, and platforms like Hack The Box await when you're ready for harder challenges. But for now? Start at the top of this list, open up that Introductory Networking room, and take your very first step.
Also I need to remind you to check out my playlist below for walkthroughs should you get stuck while solving THM rooms:
Join the cyber security learning system membership: