Why I'm doing this
For the last two years, I have been building websites for clients. Mostly using the MERN stack, now mostly Next.js. Someone needs a website, I build it, they pay me. It’s good work and I’m decent at it.
But about a year ago, I installed Kali Linux on a virtual machine, just to try it out. I never really stopped using it. I started small — writing a port scanner in Python, doing some TryHackMe rooms, scanning my own home network with Nmap. And I kept asking myself the same question:
I know how to build these things. But what happens if someone tries to attack them?
A few weeks ago, I decided to go into security seriously. Not as a side hobby, but as my real career path. My goal is Cloud AppSec — securing cloud applications. That will take time, so I made a roadmap for myself: five phases, about two years, from the basics to where I want to be.
This blog is where I write down that process, as I go through it.
Why security, in simple words
One reason is timing. A lot of basic SOC work — like watching alerts all day and deciding if they are dangerous — is already being done by AI tools, faster and cheaper. That kind of job is shrinking. But the harder work — understanding why something is a security risk, and how a whole system can be attacked — is not going away. It’s actually becoming more valuable, because now people also need to know how AI systems can be tricked or misused. Very few people know that yet.
The other reason is that I am not starting from zero. I have spent years building the same things that security people attack — login forms, user sessions, APIs. For example, I know how a login system is supposed to check a password. Learning how that same system can be broken into is not a big jump for me. It’s the same knowledge, just used the other way around.
The plan
Here it is, simply:
- Phase 0 — Setup. Make accounts, set up Kali Linux, get the environment ready. No real studying yet. Just make sure nothing breaks later because I skipped a step now. (I just finished this phase.)
- Phase 1 — Foundations. Learn networking, Linux,
Python, and basic cryptography. Build small projects along the way — like a port scanner, and a log analyzer that uses the Claude API to explain suspicious log entries in plain language. - Phase 2 — SOC Basics. Learn Splunk, SIEM tools, MITRE ATT&CK, and incident response. I see this phase as a stop on the way, not the final goal, for the reason I explained above.
- Phase 3 — AppSec. Learn the OWASP Top 10, use Burp Suite, try real bug bounty programs, and study the newer risks around AI systems, like prompt injection. Goal: get one real bug bounty finding and pass the eJPT certification.
- Phase 4 — Cloud & DevSecOps. Learn AWS security, add security checks into CI/CD pipelines, and get the AWS Security Specialty certification. This is where I actually want to land.
Every phase has projects that I have to build myself and be able to explain — not just labs I clicked through without understanding.
Why I’m writing this in public
Simple reason: if you learn security quietly, in private, nobody notices. If I write everything in a private notebook, after two years I just have… a notebook. But if I write it here, and push my code to GitHub, and post about it as I go — there’s a chance someone actually sees my work before I even apply for a job.
There’s another reason too. I don’t have a security job or a network of security people yet. So writing things down publicly is the only proof I have that I’m actually doing the work. That’s what I’m counting on.
What you’ll see here
- Write-ups from labs and CTFs I complete — PortSwigger, TryHackMe, OverTheWire, whatever I’m working on.
- Project notes about the tools I build.
- Learning posts where I’m mainly explaining something to myself, because I finally understood it.
It won’t always be perfect. I’d rather post something a little rough, on time, than wait forever for a “perfect” version.
You don’t have to believe in yourself yet. Just show up like you do.
Starting Phase 1 this week.