Learn cybersecurity defence the legal way in six months
Six months of steady practice — about 45 minutes a day on a hands-on platform, a free fundamentals course, and lawful lab targets — gets a beginner from curious to genuinely capable with security fundamentals and a clear path to the Security+ credential. Roughly 90 hours total. This is a defensive, ethical path. You only ever practise on systems you own or are explicitly authorized to test. Attacking anything else is a crime, full stop. You will not be a penetration tester after six months. You will understand how attacks work so you can defend against them.
6 months · ~90 hours · solid fundamentals, hands-on labs, and Security+ within reach
1.TryHackMe's Cyber Security 101 path
TryHackMe is the canonical beginner platform: everything runs in your browser against deliberately vulnerable machines that TryHackMe owns and gives you permission to use. Start with the "Cyber Security 101" path, which builds from networking and Linux basics through web fundamentals, defensive tooling, and an introduction to offensive technique — all on legal practice targets. Do the rooms in order and take notes. The free tier covers a lot; a subscription (around $14/month) unlocks the full path and a dedicated machine.
Free tier generous; full access ~$14/month
TryHackMe · Cyber Security 101 →2.Professor Messer's Security+ (SY0-701) course
The labs teach you to do; this teaches you to understand. Professor Messer's complete CompTIA Security+ SY0-701 video course is free on his site — 121 videos, roughly 15 hours — and it is the consensus foundation for security concepts: threats, cryptography, access control, network defence, risk, and governance. Watch it in parallel with your TryHackMe rooms so theory and hands-on reinforce each other. This course maps directly to the Security+ exam objectives, which sets up the credential below.
Free (optional course notes PDF for sale)
Professor Messer · Security+ →3.Go deeper on authorized labs — and earn Security+
Now consolidate. Keep working harder rooms on TryHackMe, or move to Hack The Box's beginner-friendly content for more open-ended challenges — both run on machines you are explicitly licensed to attack. Build your own small home lab in virtual machines if you want a target you fully own. Then sit CompTIA Security+: it is the entry-level credential hiring managers actually recognise, and it turns six months of self-study into something on a CV. Never point any tool or technique at a system you do not own or have written permission to test.
HTB free tier available; Security+ exam voucher ~$425
CompTIA Security+ →If this doesn't fit you
If your goal is purely a defensive blue-team or SOC analyst role rather than understanding the offensive side at all, swap the path emphasis and start with TryHackMe's "SOC Level 1" path instead, focused on detection, log analysis, and incident response. It points the same ethical, authorized-only practice at the defender's chair specifically, which is where most actual security jobs are.
Why this path
Beginners fail cybersecurity in two opposite ways: they binge theory and never touch a keyboard, or they download tools and — illegally and pointlessly — poke at systems they have no right to. This path closes both gaps. TryHackMe gives you real, lawful hands-on practice from day one; Professor Messer gives you the conceptual frame so the labs mean something; and Security+ converts the effort into a recognised credential. The discipline that matters most is the one repeated throughout: authorized targets only. The skill that gets you hired is the same one that, misused, gets you prosecuted — the difference is permission.