Web / AppSec roadmap

Secure web apps, APIs, client-side code, and auth flows. Start with PortSwigger Academy, then add CTF-style labs and secure code review.

4 courses22 resourcesPenetration tester

Step-by-step path

HTTP, browsers, auth, and APIs
OWASP Top 10 labs with Burp
Secure code review and report writing
Build a portfolio artifact and publish a short writeup.

Starter stack

HTTPOWASP Top 10Burp SuiteAPI testing

Free: PortSwigger Academy Paid: Hack The Box Academy

Best next resources

Hack The Box AcademyHack The Box · Free + Paid PEN-200 / OSCP PrepOffSec · Paid Learn Ethical Hacking From ScratchUdemy / z Security · Paid IppSecYouTube · Free The Cyber MentorYouTube · Free + Paid HackerSploitYouTube · Free