All stages, in order. The full arc — threat modeling, cryptography, identity, application and API security, infrastructure, cloud, detection, response, and offense. This is the spine; the other two paths are slices of it. Each topic links to a Semicolony deep dive or simulator where one exists, and to a curated external resource where it doesn't. Follow the arc in order, or jump to wherever you're stuck.
Core plus the recommended layer. The optional stops stay hidden until you have shipped a couple of real systems.
Working out what can go wrong before you build defenses.
Security starts with naming what can go wrong. Before any control, you should be able to draw the trust boundaries, enumerate the threats that cross them, and rank them by what an attacker actually gains. Everything downstream is a response to a threat you named here.
Confidentiality, integrity, availability — plus authenticity and non-repudiation. Every control you ship trades against one of these; knowing which one keeps you from solving the wrong problem.
Security fundamentalsSpoofing, tampering, repudiation, info disclosure, denial of service, elevation of privilege. Walk each data flow against the six and you have a backlog of real threats, not a vibe.
External OWASP Threat Modeling cheat sheetA trust boundary is any line where data crosses from less-trusted to more-trusted. Shrink the surface, validate at every boundary, and assume everything past the edge is hostile input.
External OWASP — Attack Surface AnalysisNo single control should be load-bearing. Layer independent controls so one failure does not mean game over, and grant the minimum access a thing needs to do its job.
External NIST SP 800-160 — Engineering Trustworthy SystemsUsing the primitives correctly, and never rolling your own.
You will rarely invent crypto, but you will constantly choose and wire it. Know what each primitive guarantees, where it breaks, and the handful of misuse patterns — ECB mode, hardcoded IVs, plain SHA for passwords — that turn correct algorithms into vulnerabilities.
Symmetric is fast and shares a secret; asymmetric solves key distribution at a cost. Reach for an authenticated mode like AES-GCM or ChaCha20-Poly1305 so ciphertext tampering is detectable, not silent.
External Crypto 101Encoding is reversible and not secret; encryption is reversible with a key; hashing is one-way. Conflating the three is the root of half of all crypto bugs — Base64 is not a security control.
External OWASP — Cryptographic Storage cheat sheetUse a memory-hard, salted KDF — Argon2id, scrypt, or bcrypt — never a bare hash. The cost factor is the whole point: it makes offline cracking expensive even after a dump leaks.
Sim Password hashing simulatorA MAC proves integrity to people who share a key; a signature proves it to anyone with the public key, and binds origin. Pick based on who needs to verify and whether you need non-repudiation.
External NIST FIPS 186-5 — Digital Signature StandardProving who someone is, without leaking how.
Authentication is the front door, and the front door is where attackers knock first. Know the flows — passwords, MFA, OAuth, OIDC — and the failure modes: credential stuffing, token theft, and the subtle ways a session can be hijacked or fixed.
Server-side sessions are easy to revoke but need shared state; stateless JWTs scale but are hard to invalidate before they expire. The trade-off drives your whole logout and rotation story.
Sim JWT lifecycle simulatorOAuth is delegation, not login — it hands out access tokens. The authorization-code flow with PKCE is the safe default; implicit flow is dead. Know what each token is for.
OAuth — how it worksOIDC is the identity layer OAuth lacks: it adds an ID token that actually says who logged in. If you are doing login with OAuth tokens, you are probably doing it wrong.
OIDC — how it worksTOTP beats SMS; phishing-resistant WebAuthn/passkeys beat both. The goal is to make a stolen password insufficient — but pick factors that survive a convincing phishing page.
External OWASP — MFA cheat sheetOnce you know who someone is, deciding what they can do.
Broken access control tops the OWASP list for a reason: it is logic, not a missing library. Get the model right — RBAC, ABAC, ownership checks — and enforce it server-side on every request, because the client is the attacker.
Roles are coarse and easy to reason about; attributes are fine-grained and flexible. Most systems start RBAC and grow ABAC checks for the cases roles cannot express cleanly.
External NIST — Attribute Based Access ControlChanging /orders/123 to /orders/124 should not work — but it constantly does. Enforce ownership on every object lookup, server-side, regardless of what the UI exposes.
External OWASP — Broken Access Control (A01)Vertical escalation gains you admin; horizontal gains you the next tenant. The confused deputy is a trusted service tricked into acting on an attacker's behalf — guard the service's own authority.
External PortSwigger — Privilege escalationTLS, segmentation, and the wire underneath it all.
Every request rides a stack you should understand cold: TCP, DNS, and TLS on top. Know how the handshake establishes trust, how segmentation contains blast radius, and why "encrypted in transit" is necessary but never sufficient.
Connections begin with SYN, SYN-ACK, ACK — and that three-way dance is also where SYN floods and spoofing live. You cannot secure a protocol you cannot trace.
Sim TCP handshake simulatorTLS gives you confidentiality, integrity, and server authenticity — if the cert chain validates. The handshake negotiates keys; the PKI decides whom to trust. Pin the version, kill the weak ciphers.
HTTPS — how it worksDNS is the phone book attackers love to poison. Understand resolution, then the defenses — DNSSEC for integrity, DoH/DoT for privacy — and why a hijacked record routes your users anywhere.
DNS — how it worksFlat networks let one foothold reach everything. Segment by trust zone, default-deny between them, and treat the firewall ruleset as code you review — not a junk drawer of legacy ports.
External NIST SP 800-41 — Firewall guidelinesThe OWASP Top 10, where it actually bites.
The browser runs whatever script ends up on the page, and the server trusts whatever request shows up. This stage is the classic web bug classes — injection, XSS, CSRF, SSRF — and the encodings, headers, and same-origin rules that stop them.
The canonical map of what actually goes wrong on the web. If you can explain all ten classes and the control for each, you have covered the bulk of real-world findings.
External OWASP Top 10Mixing data into a command string is the original sin. Parameterize queries, never concatenate, and the entire SQLi class disappears — no clever escaping required.
External OWASP — Injection (A03)The browser runs whatever script ends up on the page — output encoding and a strict CSP are the difference between safe and pwned. Context-aware escaping, not blocklists, is the fix.
External OWASP — XSS PreventionCSRF rides the user's ambient cookies to act in their name. SameSite cookies plus a token or origin check shut the door; the same-origin policy is the fence everything else leans on.
External OWASP — CSRF PreventionTrick the server into making a request and it becomes your proxy into the internal network — cloud metadata endpoints especially. Validate and allowlist outbound destinations, do not just block localhost.
External OWASP — SSRF PreventionSecuring the traffic between your services.
APIs expose your data model directly, so the bug classes shift: object-level authorization, mass assignment, and resource abuse. Whether traffic flows through a gateway or service mesh, every call needs identity, authorization, and limits.
APIs fail differently from web pages — broken object-level authorization (BOLA) is the headliner. Memorize this list; it is the API equivalent of the classic Top 10.
External OWASP API Security Top 10The gateway is where you centralize authn, rate limits, and request validation so each service does not reinvent them. It is also a single point you must not misconfigure.
API gateway — how it worksWithout limits, an API is a free DoS amplifier and a scraping buffet. Throttle by identity and cost, not just IP, and return 429s before the database falls over.
External OWASP — Unrestricted Resource Consumption (API4)Inside the mesh, services still need to prove who they are. Mutual TLS with short-lived, automatically rotated certs replaces shared secrets and makes lateral movement much harder.
External SPIFFE / SPIRE — workload identityMaking security part of how code gets written and shipped.
The cheapest bug to fix is the one that never merges. Bake security into the development lifecycle — secure defaults, dependency hygiene, and automated scanning in CI — so the pipeline catches what code review misses.
Security is not a gate at the end; it is requirements, design review, testing, and response woven through delivery. The earlier a class of bug is designed out, the less it costs forever.
External OWASP SAMMMost of your code is somebody else's. Pin versions, scan for known CVEs, generate an SBOM, and treat a transitive dependency as the attack surface it is.
External OWASP — Vulnerable & Outdated Components (A06)Static analysis reads the code, dynamic analysis pokes the running app, secret scanners catch the credential you almost committed. Wire all three into CI and tune out the noise.
External OWASP — DevSecOps GuidelineWhere the keys live, and what leaking them costs.
A secret in source control is a breach waiting for a clone. Centralize secrets in a vault, rotate them automatically, and use a KMS so the encryption keys themselves never sit in plaintext on a disk.
Stop putting credentials in env files and configs. A secrets manager gives you central storage, access control, and an audit log of who read what — and makes rotation a config change, not a fire drill.
External OWASP — Secrets Management cheat sheetEnvelope encryption keeps your data keys encrypted under a master key the KMS never exports. Define key hierarchies, rotation, and who can use versus manage a key.
External AWS KMS conceptsA leaked secret is only as dangerous as how long it stays valid. Short TTLs and automatic rotation shrink the window; have a revoke-and-rotate runbook before you need it.
External AWS — rotating secretsThe shared-responsibility line, and keeping IAM from sprawling.
In the cloud, the provider secures the infrastructure and you secure everything you put on it. Misconfiguration — over-broad IAM, public buckets, open security groups — is the modern breach. Know the model and the guardrails.
IAM is the new perimeter. A single over-permissive role can be the whole breach; scope policies to least privilege and audit who can assume what.
External AWS IAM best practicesPublic buckets and wide-open security groups leak more data than zero-days. Default-deny, scan continuously, and treat a misconfig as a vulnerability with a CVE-sized impact.
External Google Cloud security best practicesVPCs, subnets, and private endpoints keep data off the public internet. Combine with security groups and you control exactly what can reach what — defense in depth at the cloud layer.
External AWS VPC securityTurn on default encryption everywhere it is free, and use customer-managed keys where you need control over the key lifecycle. The bar is "encrypted unless there is a reason not to."
External GCP — encryption at restHarden the image, the runtime, and the orchestrator.
Containers share a kernel, so isolation is thinner than a VM and the blast radius bigger than it looks. Secure the supply chain into the image, the runtime around it, and the Kubernetes control plane that schedules it all.
Namespaces and cgroups give you isolation, not a security boundary as strong as a VM. Knowing what a container actually shares with the host tells you what a breakout buys an attacker.
Containers — how it worksStart from minimal or distroless bases, run as non-root, and scan for CVEs before push. A fat image full of shells and package managers is a fat attack surface.
External Kubernetes — Pod Security StandardsThe pod spec is where privilege escalation hides — privileged containers, host mounts, hostNetwork. Enforce Pod Security Standards and admission policies so dangerous specs never schedule.
Pod creation — how it worksCluster RBAC decides who can do what to the API; network policies decide which pods can talk. Default-deny both, then open only what the workload provably needs.
External Kubernetes — RBAC authorizationYou only catch what you log.
Detection is the difference between a contained incident and a breach you learn about from a journalist. Log the security-relevant events, centralize and protect them, and write detections that fire on the behavior attackers cannot avoid.
Log authn events, authz failures, and admin actions — with enough context to reconstruct a timeline, without dumping secrets into the log. What you fail to log, you cannot investigate.
External OWASP — Logging cheat sheetCentralize logs, then write detections that match attacker behavior, not just known signatures. The goal is mean-time-to-detect measured in minutes, not the industry-average months.
External MITRE ATT&CKAn attacker's first move after access is often deleting the logs. Ship logs off-box, make them append-only, and you keep the evidence even when the host is owned.
External AWS CloudTrail — best practicesWhen something does go wrong, having a plan ready.
Every system gets breached eventually; maturity is measured by what happens next. Know the phases — prepare, detect, contain, eradicate, recover, learn — preserve evidence under pressure, and turn each incident into a control that prevents the next.
Prepare, detect, contain, eradicate, recover, learn. The phases sound obvious until 2am, which is exactly why you rehearse them before the real thing.
External NIST SP 800-61 — Incident Handling GuideStop the bleeding without destroying the evidence — isolate, do not just power off. Then root out persistence: the attacker's backdoor outlives the alert that found them.
External SANS — Incident Handler's HandbookCapture volatile state first, hash everything, and keep chain of custody. The investigation is only as good as the evidence you preserved before someone rebooted the box.
External NIST SP 800-86 — Forensic TechniquesBreaking your own systems before someone else does.
The best defenders think offensively. Learn the attacker's methodology, exercise it ethically through pen testing and red teaming, and feed every finding back into the controls. Offense is just defense with the order reversed.
Recon, initial access, escalation, lateral movement, exfiltration — the kill chain is a checklist you can defend against once you can run it. ATT&CK maps every step to real techniques.
External MITRE ATT&CKReading about XSS is not the same as landing one. Hands-on labs build the intuition for where bugs hide — and turn the OWASP Top 10 from a list into muscle memory.
External PortSwigger Web Security AcademyA pen test is a scoped, time-boxed attack with a report attached. Know the methodology so you can run one, scope one, or read the findings without getting snowed.
External OWASP Web Security Testing GuideBackend, system design, frontend, DevOps, security, DSA and data — the full set, in one place.
OpenJWT lifecycle, password hashing, CORS preflight, TLS — interactive, in the browser.
OpenLong-form curricula behind the links: security, networking, cloud, Kubernetes.
OpenTime-boxed practice rounds and concept flashcards.
Open