Phase 0
Pre-Sem
Pre-Semester Bootcamp 👑
Jun 15, 2026 → Aug 1, 2026 · 45 days
0%
▼
Most uninterrupted block of the entire roadmap. No college, no assignments. Treat it like a full-time bootcamp. This is where the foundation gets cemented.
week 1–2 — networking fundamentals (non-negotiable prerequisite)
OSI model — all 7 layers, cold
Not memorized as a list. Understood as a framework. Know which attacks live at which layer. ARP is layer 2. DNS is layer 7. SQLi is layer 7. Jamming is layer 1. This is your mental map for everything.
TCP/IP, subnetting, CIDR — hands-on
You know what a subnet is conceptually. Now do it with a calculator, then without. Subnetting.org for drills. CIDR notation must become reflex. This blocks you on eJPT and every lab after if you skip it.
Common ports and services — memorised
21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS, 445 SMB, 3389 RDP, 3306 MySQL. Nmap output becomes readable instantly when you know these cold.
week 2–3 — finish zaid sabih course
Complete remaining sections
You're past WiFi attacks and ARP spoofing. Finish the rest. Don't skip sections. Take notes in a markdown file — not on paper, not in your head. A notes repo on GitHub is your second brain.
Build your first home lab
VirtualBox (lighter than KVM on your Ryzen 3) running Kali + Metasploitable 2. This is your sandbox. Every technique you learn, you practice here the same day. Theory without lab is just reading.
week 3–5 — TryHackMe learning path
TryHackMe — Pre-Security path (free)
Covers networking, web fundamentals, Linux basics in guided rooms. Fills the gaps the Udemy course left. Do every room, don't skip because you think you know it.
TryHackMe — Jr Penetration Tester path
This path directly mirrors eJPT domains. Recon, scanning, exploitation, post-exploitation, web fundamentals. Premium is ~$14/month. One month of this is worth every rupee.
week 5–6 — PortSwigger introduction
PortSwigger Web Academy — first 3 topics
Start with SQL injection, XSS, and path traversal. Apprentice-level labs only for now. These three topics alone cover 40% of bug bounty low-hanging fruit. This is where the ₹200 WhatsApp hacker comparison ends — PortSwigger is the real thing.
week 6 — bug bounty basics
Create HackerOne and Bugcrowd accounts
Read 20 public disclosed reports. Don't hack yet — just read. Understand scope, report format, severity ratings. Find programs with broad scope and low competition. Note them for later.
First bug bounty attempt — VDP only
VDP = Vulnerability Disclosure Program. No money, but legal and real. Use it to practice report writing. Finding nothing is fine. Learning to look systematically is the goal. Don't expect a payout this early.
Phase 1
Year 2 Spring
Year 2 Spring Term 👑
Aug 1, 2026 → Jan 1, 2027 · 5 months
0%
▼
Exam period hits second half of December. Throttle back cybersec work from Dec 10 to Jan 1. Physics and maths need enough attention to not drag your GPA into disaster territory.
aug–sep — eJPT prep and home lab expansion
TCM Security — Practical Ethical Hacking course
Heath Adams (TheCyberMentor). Backbone of PNPT prep and excellent eJPT prep. Covers Active Directory basics, pivoting, and report writing. Included in the PNPT $400 bundle.
HackTheBox — Starting Point machines
Free tier machines. Very Easy and Easy difficulty only. Guided walkthroughs that teach methodology. Don't look at writeups for the first 45 minutes of each machine — struggle first.
eJPT exam — target: October 2026
$249 for voucher + 3 months INE fundamentals access. 48-hour practical exam. Open book. If the property business lands a deal by Sep–Oct, this is the first cert to pull the trigger on. If not, push to January 2027.
oct–nov — web application focus
PortSwigger — complete apprentice tier
All apprentice-level labs across all topics. SQLi, XSS, CSRF, SSRF, XXE, access control, authentication, path traversal, OS command injection. Your web hacking foundation. Free and respected by every bug bounty program that matters.
Bug bounty — first paid program attempts
Start with programs tagged beginner-friendly on HackerOne. Information disclosure, basic XSS, open redirects. First valid report — real money, real recognition. Even P5 counts.
dec — exam throttle down
Exam season maintenance mode
2 hours/day max on cybersec. No new topics. Review existing notes, do light TryHackMe rooms you've already done. Physics and maths get priority from Dec 10 onward.
Phase 2
Year 2 Autumn
Year 2 Autumn Term 👑
Jan 2, 2027 → Jun 15, 2027 · 5.5 months
0%
▼
By now you should have eJPT. If not, that's the first objective of this phase. Don't skip ahead — the cert is a milestone, not just a piece of paper.
jan–feb — active directory focus
TCM — Active Directory attacks course
AD is 80% of real internal penetration tests. Kerberoasting, Pass-the-Hash, BloodHound enumeration, lateral movement. If you don't know AD you cannot pass PNPT. Non-negotiable.
Build a home AD lab
Windows Server 2019 evaluation (free 180-day license) + 2 Windows 10 VMs on VirtualBox. Set up a domain. Break it yourself. This is what PNPT actually tests. Your Ryzen 3 will sweat but 32GB RAM saves it.
mar–apr — PNPT prep and HackTheBox
HackTheBox — Easy/Medium Windows + AD machines
Specifically target AD-related boxes: Forest, Sauna, Active, Intelligence. Do them without guides first. IppSec walkthroughs after. These are the classic pre-PNPT machines everyone recommends.
TCM — Linux + Windows privilege escalation courses
Separate skills, both needed for PNPT. GTFOBins and LOLBAS become your best friends. Both included in the PNPT bundle.
may — exam throttle + PNPT purchase
PNPT voucher purchase — May 2027
$400 for exam + all TCM courses. 20% student discount — email TCM with college ID. Brings it to ~$320 (~₹26,700). Purchase before exams. Voucher valid 12 months.
Exam season — throttle cybersec
May 15 to June 15. Maintenance mode. Light lab work only. No new attack techniques before exams.
Phase 3
Summer 2027
PNPT Attempt + Year 3 👑
Jun 15, 2027 → Jun 2028 · Summer + Year 3
0%
▼
45 days of uninterrupted summer time. 5-day PNPT exam + 2-day report + debrief. The summer break is structurally perfect for this.
june 15–30 — final PNPT prep
Full mock pentest on home AD lab
Run a complete engagement on your own lab. OSINT → external foothold → internal enum → AD compromise → report. Time yourself. Write the report in the same format TCM expects. Do this twice.
Read 5 professional pentest reports
TCM has sample reports. Read them. Your report is 50% of the grade. A technically perfect pentest with a poor report fails. Learn executive summary writing, risk ratings, remediation recommendations.
july — PNPT exam
🏆 PNPT exam — 5 days + 2 days report + debrief
You will be nervous. That's fine. You've done a full mock. Methodology beats panic — follow your checklist. Document everything as you go, not after. The debrief is a 15-minute conversation, not an interrogation.
year 3 — aug 2027 to jun 2028
PortSwigger — practitioner tier labs
After PNPT, web exploitation depth increases. SSRF, GraphQL injection, HTTP desync attacks, OAuth vulnerabilities. This is the bug bounty skill multiplier.
Bug bounty — consistent program, go deep
Pick 2–3 programs and go deep rather than bouncing around. Understand the target's tech stack before hunting. PNPT credibility helps when submitting reports.
OSCP prep begins — PEN-200 research + budgeting
$1,499 for 90 days lab access + exam. Start budgeting seriously. Property business + bug bounty income needs to fund this. Target purchase: summer 2028 or earlier if income allows.
Phase 4
OSCP
OSCP — The Summit 👑
2028–2029 · Age 21–22
0%
▼
OSCP is a different animal. 90 days of lab access, 23.75-hour exam, full report required. This is not a sprint — it's a campaign. Don't attempt until you've compromised 50+ machines on HTB/THM.
prerequisites before buying OSCP
50+ HackTheBox/TryHackMe machines completed
Mix of Windows and Linux. At least 15 Medium difficulty. If you can't reliably root Medium HTB machines without hints, you're not ready. This is the honest benchmark. Check your Lab Tracker.
Buffer overflows understood (check current PEN-200 syllabus)
OffSec updates PEN-200. Check the current syllabus when the time comes. Scripting and custom exploit development are growing components regardless.
Python and bash scripting — intermediate level
You need to write custom scripts during the exam. Automating enumeration, modifying PoC exploits, writing simple stagers. Bash you already have. Python needs work.
during OSCP labs (90 days)
Try Harder — spend 2h minimum before any hint
The methodology of not giving up is literally what the exam tests. Enumerate more. You haven't found everything yet. You never have.
Build structured notes system (Obsidian / markdown repo)
Every machine: recon findings, what failed, what worked, why. This becomes your exam reference. OSCP is open-book — your own notes are the book.
🏆 OSCP Exam — 23.75 hours + report
The summit. 90 days of labs lead here. Full report required within 24 hours after exam. This is it.
Phase 5
Post-OSCP
The Goa Balcony Unlocks 🌅 ✨
Post-OSCP — Remote Life Begins
0%
▼
immediate next steps after OSCP
Build a public portfolio
Write-ups on retired HTB/THM machines. GitHub repos of custom tools. CTF writeups. Bug bounty hall of fame entries. This portfolio + OSCP is the job application. Degree is irrelevant at this point.
Apply to remote red team roles
Start with Indian security firms — Sequretek, Lucideus, Palo Alto India, Synack, Cobalt.io. Remote roles exist. OSCP is the filter most of them use.
Cobalt.io / Synack — vetted pentester application
These platforms pay per engagement. Apply, get vetted, get access to private programs. Better money than public bug bounty, structured like consulting. Bridge to full remote independence.
🚀 Structure the Allsafe startup vision
Once you have OSCP + 1–2 years experience, the Allsafe vision becomes fundable. Red team consulting + CTF training platform + education arm. DSCDU-CTF was proof of concept. Now it becomes a product.
eJPT
eLearnSecurity Junior Penetration Tester
$249
~₹20,800 · Target: October 2026
Entry-level practical exam. 48-hour window, open book, hands-on lab. Covers recon, scanning, exploitation, web basics. No prerequisites. Validates you can actually do the fundamentals, not just recite them.
Readiness~70%
networking gap needs filling first
PNPT
Practical Network Penetration Tester — TCM Security
$320
~₹26,700 w/ student discount · Target: Summer 2027
TCM Security's flagship cert. 5-day corporate network pentest + 2-day report + live 15-minute debrief. No flags. Real Active Directory environment. Closest thing to a real engagement that exists as a certification. All TCM courses included in the bundle.
Readiness~20%
AD lab and privesc needed first
OSCP
OffSec Certified Professional — Offensive Security
$1,499
~₹1,25,000 · Target: 2028–2029
The industry standard. 90 days lab access + 23.75-hour exam. Highest HR recognition. Required by most enterprise and government red team roles. Hardest cert on this list by a significant margin. This is the summit of the entire roadmap.
Readiness~5%
2 years of work sits between here and there
Monthly Budget from August 2026
Pocket money (father)
₹17,500
Rent (1 BHK/1 RK unfurnished)
−₹9,000
Metro (6 days × 4 weeks × ₹40)
−₹960
Food + supplies
−₹4,000
Laundry
−₹500
Nifty 50 SIP
−₹1,000
Available for learning
≈₹2,040
One-Time Certification Costs
eJPT — Oct 2026 (from property deal)
₹20,800
PNPT — May 2027 (student discount)
₹26,700
OSCP — 2028–29 (bug bounty + biz)
₹1,25,000
Total cert investment
≈₹1,72,500
Monthly Learning Allocation (₹2,040)
TryHackMe premium (1 month, phase 0)
₹1,200
HackTheBox VIP (occasional)
₹1,400/mo
PortSwigger Web Academy
FREE
TCM courses (in PNPT bundle)
FREE
HackTheBox free tier
FREE
VirtualBox + Metasploitable
FREE
The Beautiful Truth
The expensive parts are the certs themselves — funded by milestones: property deal, bug bounty income, student discount.
PortSwigger, TCM courses, TryHackMe free tier, HackTheBox free tier, Metasploitable, VirtualBox — all free.
The knowledge costs nothing. You just have to go get it.
PortSwigger, TCM courses, TryHackMe free tier, HackTheBox free tier, Metasploitable, VirtualBox — all free.
The knowledge costs nothing. You just have to go get it.
Based on your own modelling: up at 0630, college 0830–1700, gym + food 1700–2000, deep work 2000–0000. 4 clean hours per night on college days.
0630–0800
Wake, prep, transit to college. No doom scrolling. Electrolytes if you have them.
0800–1700
College. CS labs by heart. Use free periods for notes review or light PortSwigger reading. Assignments go into Proton Calendar the moment announced.
1700–2000
Transit home, electrolytes, gym, shower, food. Non-negotiable. Physical baseline keeps the 2000–0000 block functional.
2000–2200
Primary learning block. Active work — labs, machines, new technique. Hard stuff goes here when brain is freshest of the evening.
2200–0000
Secondary block — reading, notes, write-ups, PortSwigger theory, TCM lectures. Lower cognitive load tasks.
weekend
Saturday: BJC work + assignments. Sunday: long lab sessions — HTB machines, full AD lab runs, or mock pentests. Depth over breadth.
Exam period rule (Dec 10–Jan 1 and May 15–Jun 15): 2 hours max on cybersec. No new techniques. Review old notes. Physics and maths get genuine attention. Don't repeat the late submissions pattern from semester 1.
discipline anchors
Proton Calendar — everything goes in
Assignment announced → calendar. Lab session planned → calendar. Cert study milestone → calendar. The system only works if it's complete.
GitHub notes repo — second brain
Every technique learned gets a markdown note. Every machine compromised gets a writeup. Over 3 years this becomes a reference library worth more than any course.
The flat move is infrastructure, not comfort
2am labs with a roommate watching reels at 200% volume is not a viable setup. The flat isn't just comfort — it's a performance requirement. Silence and space are infrastructure for this kind of work.
completely free — use first
PortSwigger Web Security Academy
The single best free web security resource in existence. All labs, all topics, all theory. Do this before any paid web security course.
TryHackMe free tier
Pre-Security path, Jr Penetration Tester (first rooms free). Guided, structured, beginner-friendly.
HackTheBox free tier
Starting Point machines are guided and free. Academy has free modules. Enough to keep you busy for months.
TCM Security YouTube
Heath Adams posts full course content free on YouTube. Practical Ethical Hacking, AD attacks, bug bounty basics. Watch these before buying the PNPT bundle.
IppSec YouTube
Every retired HackTheBox machine has an IppSec walkthrough. Watch after you've attempted the machine. His methodology is textbook.
HackerOne disclosed reports
Real bug bounty reports from real programs. Read 3–5 per week. Learn how hunters think, how they write, what they find.
GTFOBins + LOLBAS
Linux and Windows privilege escalation references. Bookmark both. You'll use them in every engagement for the rest of your career.
paid — only when budget allows
TryHackMe Premium — 1 month only (phase 0)
~$14. Unlocks Jr Penetration Tester path fully. One month is enough to complete it. Use it intensively then cancel.
PNPT bundle — includes all TCM courses
$400 (~$320 with student discount). Practical Ethical Hacking, AD attacks, Linux privesc, Windows privesc, OSINT all included. Best value cert bundle in the industry.
communities — join now, costs nothing
TCM Security Discord
Active community. People ask for hints, share writeups, discuss methodology. Join before you start the courses.
Nahamsec Discord
Ben Sadeghipour — one of the best bug bounty educators. Free content, active community. Essential for the bounty phase.
r/netsecstudents
Good for cert advice, resource recommendations, and sanity checking your path against people who've done it.
// general notes
// hall of fame — wins, milestones, certs passed
// task notes — notes saved on individual tasks