📖 A Quick Preface
- These aren't theoretical mistakes I've observed in others.
- Every single one on this list is something I did personally, sometimes for months before someone or something corrected me.
- If you recognize yourself in several of these, that's not a bad sign.
- It means you're far enough along to know what you don't know yet. That's actually progress.
❌ Mistake 1: Trying to Learn Everything at Once
Cybersecurity is enormous. Networking, web app security, cloud, malware analysis, forensics, red teaming, GRC, cryptography, the list goes on and the temptation to study all of it simultaneously is real.
What actually happens when you try:
- You develop surface familiarity with many things
- You develop deep competency in nothing
- Job listings ask for specific skills you haven't gone deep enough to demonstrate
- Every new topic feels like starting over because nothing connects
How I fixed it: I picked web application security and spent four months doing almost nothing else.
By the end I could explain every OWASP Top 10 vulnerability mechanically, not just by definition. That depth made job interviews dramatically easier than the previous months of broad skimming had.
Pick a lane. Go deep. Branch out later.
❌ Mistake 2: Treating Certifications as the Goal
Early on I thought the path was: get cert, get job. I spent a lot of energy optimizing which cert to get next rather than building actual skill.
The reality:
- Certifications get your resume past the ATS filter
- The interview tests whether you can actually do things
- A cert without hands-on skill falls apart the moment a technical question comes up
- Two people with the same cert are differentiated by everything else on their profile
How I fixed it: I stopped treating certifications as endpoints and started treating them as checkpoints.
Study the material, but spend at least as much time practicing in labs as studying for the exam. The certification should document skill you already have, not be the reason you have it.
❌ Mistake 3: Only Using Kali Linux Without Understanding the Tools
Installing Kali and running tools feels like hacking. It mostly isn't, at first.
- Running
nmap -sV targetand getting output back does not mean you understand what Nmap is doing, what the flags mean, what the output is telling you, or how to use that information to move forward. - You're just typing commands that other people wrote tutorials about.
- This creates a brittle skill set.
- Change one variable, like a target that filters ICMP or a web app that doesn't behave the way the tutorial assumed, and you're stuck because you don't understand the underlying concepts.
How I fixed it: For every tool I used regularly, I made myself understand what it was actually doing at a protocol level.
What packets is Nmap sending? What does that SYN scan actually mean at the TCP handshake level? Why does a certain Burp Suite extension do what it does? Understanding the tool means you can adapt when it doesn't behave as expected.
❌ Mistake 4: Skipping the Networking Fundamentals
I skipped networking fundamentals early on because it felt slow and boring compared to hacking content. This was one of my more expensive mistakes in terms of time lost.
Almost every attack technique has networking underneath it:
- SQL injection comes back to how HTTP requests are structured
- SSRF is fundamentally about how servers make network requests
- Lateral movement in an AD environment is about authentication protocols
- Every traffic analysis finding requires understanding what normal traffic looks like
When I eventually went back and properly learned subnetting, the OSI model, TCP and UDP behavior, DNS, and HTTP at a protocol level, everything I had already learned clicked into place in a way it hadn't before.
How I fixed it: Professor Messer's Network+ course and a lot of Wireshark time. Capturing my own traffic and making sense of it manually was more valuable than any amount of reading.
❌ Mistake 5: Never Documenting Anything
When I started, I kept no notes. I'd solve a TryHackMe room, close the window, and move on. A week later I couldn't reproduce what I'd done or explain how I'd solved it.
Documentation is not busywork. It's how you:
- Consolidate learning into something retrievable
- Build a portfolio that demonstrates your thought process
- Develop the habit that real pentest work requires (reports don't write themselves)
- Avoid solving the same problem three times because you forgot how you did it last time
How I fixed it: Obsidian for personal notes, organized by topic and tool. Every CTF and lab machine got a write-up even if I never published it.
Once I started publishing writeups publicly, the discipline got even sharper because I had to explain my reasoning clearly enough for someone else to follow.
❌ Mistake 6: Asking for Answers Before Struggling
In the early months I'd get stuck on a challenge and immediately ask for help or look up the solution. It felt efficient. It was not.
- The struggle before the solution is where the actual learning happens.
- Your brain processes information differently when you've already wrestled with a problem versus when you're just reading the answer cold.
- Bypassing the struggle bypasses the learning.
How I fixed it: A self-imposed rule of at least 30 minutes of genuine effort before looking anything up, and a specific Google query about the concept blocking me rather than the full solution.
Searching "how does Kerberoasting work" is fine. Searching "Kerberoasting walkthrough for [specific room]" before you've tried anything is not.
❌ Mistake 7: Ignoring the Blue Team Side
Early on I identified as "offensive security" and mostly ignored defensive content. Detection, logging, SIEM, incident response — not my thing, I thought.
This was shortsighted for two reasons.
- First, understanding detection makes you a better attacker. If you know how defenders detect lateral movement, you understand which techniques are noisy and which are stealthy.
- The best offensive security people think in both directions simultaneously.
- Second, most entry-level roles are on the blue team side. SOC analyst positions vastly outnumber junior pentester positions.
- Ignoring the defensive side significantly narrows your job opportunities.
How I fixed it: I spent a month going through TryHackMe's SOC Level 1 path. Understanding what defenders see when attacks happen changed how I thought about offensive techniques entirely.
❌ Mistake 8: Underestimating the Writing and Communication Requirement
I thought cybersecurity was mostly technical. It's about 50 percent communication.
- Pentest reports are written documents. Vulnerability findings need to be explained to developers who didn't write the buggy code and to executives who don't know what SQL injection means.
- Incident reports get read by legal teams and board members.
- Threat intelligence needs to be communicated to people who need to make decisions based on it.
- If you can find vulnerabilities but can't explain them clearly in writing, you're half the value you could be.
How I fixed it: Writing. Writeups, blog posts, documentation, anything. The skill improves with practice and the practice has to be deliberate.
Writing a paragraph that explains a technical finding to a non-technical audience is harder than writing the technical finding itself, and it's worth getting good at.
❌ Mistake 9: Treating the Lab as Completely Separate from Real Life
Lab environments are controlled. Every challenge has a solution. The vulnerable service is definitely vulnerable in exactly the way the challenge intends.
- Real assessments aren't like that.
- Applications have unexpected behavior, scans return confusing results, tools behave differently against production systems than against intentionally vulnerable VMs, and the scope constraints of a real engagement add complexity that lab work never prepares you for.
- The gap between "I can do CTFs and lab machines" and "I can conduct a real pentest" is real, and underestimating it leads to overconfidence.
How I fixed it: Bug bounty hunting. Real applications with unpredictable behavior, no guaranteed solution, and actual consequences for how you approach scope and authorization.
Even spending time on HackTheBox "realistic" machines rather than purely CTF-style challenges helped close the gap.
❌ Mistake 10: Not Building in Public
For months I learned privately. No blog, no GitHub, no posts, no engagement with the community. I thought I needed to be good enough before I had anything worth sharing.
This was backwards. Building in public:
- Forces you to explain things clearly enough that others can follow
- Creates a portfolio that exists outside your own head
- Attracts people at similar stages who become collaborators and eventually colleagues
- Builds an audience that creates opportunities (job leads, consulting, course sales) you can't manufacture any other way
Nobody expects perfection from a beginner post. They expect honesty and genuine effort, both of which you already have.
How I fixed it: I published a beginner writeup on Medium when I was still clearly a beginner.
The response was kind and the discipline of writing it consolidated the learning. Every post after that came easier.
🔁 The Pattern Underneath All of These
- Looking at the list, most of these mistakes come from the same place: optimizing for comfort and the appearance of progress rather than actual skill development.
- Skimming breadth feels like coverage. Collecting certifications feels like advancement. Using tools without understanding them feels like capability. Never documenting feels like efficiency.
- Real progress is less comfortable. It's going deep when broad feels easier. It's struggling with a problem before looking up the answer. It's writing a public post before you feel ready. It's learning the boring networking fundamentals that make everything else make sense.
- The good news is that once you recognize the pattern, correcting any one of these mistakes is straightforward. You just have to choose the uncomfortable thing consistently enough for it to become a habit. 🔐