This post has been prepared with the invaluable (and necessary) help of Maite Moreno (@mmorenog) and the cybersecurity team of S2 Grupo.
One of the good things that Information Security shares with other IT disciplines is the wide variety of training resources available, both free and for tight budgets.
Without a large financial investment, anyone with time and desire (and a minimum of technical knowledge, for which there is another large number of resources that we will not cover here) can be trained from practically zero to expert level in practically any area of cybersecurity.
Below are some of the resources available on the Internet for free or for a reduced cost, bearing in mind that:
- This list is not intended to be exhaustive. Feel free to comment on any content you think is missing and we will add it as soon as we can.
- Some platforms have a freemium approach, combining free content and functionalities with paid ones.
- Although the less technical areas of Information Security such as GRC are less represented in the list (very little, in fact), the more generalist training sites include courses on data protection, control frameworks, risk management, etc.
- Most of the courses are in English, so a minimum level is required to understand instructions and texts. This level is essential nowadays in the field of information technology.
- Blogs, vlogs and podcasts on Information Security are left out, although there are plenty of extremely useful ones. The same goes for the thousands of webinars on every conceivable topic.
- Nor have we included more general platforms such as edX or Coursera, which nonetheless contain many courses from prestigious universities and organizations.
- Finally, we have not included courses from the device manufacturers, software or cloud providers, which in some cases are free, and which sometimes also provide free versions (with limitations) of their products. AWS, Tenable or Splunk come to mind, but there are many others.
That said, here we go:
- Try Hack Me is currently, along with HTB (below), one of the main platforms used to train in cybersecurity, because it takes a very gamified and gradual approach, which makes it perfect for beginners. From my own experience, although the gamified approach makes progress more interesting, it is important not to get obsessed with score and ranking, and to focus on learning.
- Hack The Box is another platform with a similar approach to THM (above), although it requires more knowledge than the previous one and perhaps its use by people without knowledge or experience is more complex. In this case, where machines are shared with other users, many users recommend paying a subscription to reduce interruptions during exercises.
- TCM Security Academy is the course section of TCM, a cybersecurity company that in recent times is becoming known for having several (much) more affordable pentesting certifications than the usual Offensive Security or EC-Council ones on the market, without impacting their quality. In this case, there is not a huge variety of courses, but the ones that are available are very complete. For those interested, parts of the courses have been released on the company’s YouTube channel.
- AttackIQ Academy corresponds to AttackIQ’s course section, and as such is very focused on threat hunting and purple teaming, with specific coverage on MITRE tools. While some people may find the content somewhat basic, it is a good introduction to many topics, and to using tools such as Attack Navigator.
- The US Cybersecurity and Infrastructure Security Agency (CISA) provides, through its virtual training portal, multiple free online courses that give a basic understanding of infrastructure cybersecurity.
- Cybrary.it is a provider of online technical training, both webinars and practical workshops, which offers a wide range of IT and cybersecurity courses, including courses in the field of GRC, specific training for recognized certifications such as CISSP, as well as mentoring services.
- The Atenea and Ángeles platforms, managed and provided by the Spanish CCN-CERT, are two important resources in Spanish, where we can find both security challenges, in the case of Atenea, and basic and advanced training courses, in the case of Ángeles. It should be noted that they contain specific training courses related to the National Security Scheme, which is very useful for those who need to implement or evaluate one of these systems.
- Cyber Defenders is a platform mainly oriented to Blue Team work that collects multiple challenges ranging from log analysis and forensics of different artifacts to memory analysis. It also includes write-ups so that the user can learn while doing the exercises.
- DFIR DIVA is an aggregator and search engine for courses and training focused mainly on DFIR/BlueTeam, allowing searches by different technologies and environments, as well as by training cost.
- Hack Tricks is a page created and maintained by Carlos Polop (@carlospolopm), and contains a compilation of techniques, tricks and any other interesting aspects that the author has found in the realization of CTFs, as well as in his own research and training. It is an almost mandatory bookmark and a good repository for learning hacking methodologies and techniques.
- Antonio Sanz (@antoniosanzcalc), with extensive experience in incident management and threat hunting (among many other things), collects on this page of the University of Zaragoza different challenges that he himself has developed throughout his career, some of which can be found on this blog. Although they require a certain technical level, their complexity and design simulating real scenarios make them especially interesting.
- Root Me is a learning site about cybersecurity and Information Security. Here you can find a large number of challenges and virtual environments to work on hacking and cybersecurity skills.
- C1b3rwall Academy is another of the leading cybersecurity training resources in Spanish, managed and provided by the Spanish National Police, and framed within the C1b3rwall project. As a novelty, the latest edition contains both technical and informative modules (awareness and securitization, for example) designed for those who have no knowledge of cybersecurity but want to protect their families or businesses.
- Finally, Portswigger Web Security Academy is a free online training center for web application security provided by the manufacturer Portswigger. Drawing content from PortSwigger’s in-house research team, experienced academics and the company’s founder, author of The Web Application Hacker’s Handbook, the academy contains content with both a more “static” focus and interactive labs.
Chances are, when you get here, you are wondering why X or Y was not included in the list, when for you it is a reference. In that case, leave it in the comments (preferably with a brief description) and, after validating it, we will add it to the list.