Almost nobody learns to hack from a single course or a single book. The people who get good follow a staged path: they build fundamentals, break things in safe labs, grind CTFs, then pick a specialty and go deep. This guide lays out that exact roadmap, stage by stage, with the free resources that work at each step. If you want the definition and history first, read our pillar guide on what is hacking. This article is about the path to learning it.
The roadmap below is the one most working penetration testers followed in some variation. It assumes you are starting from zero, you want to do this legally, and you would rather have a sequence to follow than a pile of disconnected tutorials. You can practice every stage hands-on in HackerDNA Labs, which run in your browser with no setup.
TL;DR: Hackers learn in four stages. Stage 1 is fundamentals (networking, Linux, one scripting language). Stage 2 is hands-on labs where you exploit real vulnerabilities in a sandbox. Stage 3 is CTFs and wargames that pressure-test those skills under time and ambiguity. Stage 4 is specialization, picking one area (web, network, binary, cloud) and going deep. The whole thing runs on self-directed practice plus a community to learn from, not lectures.
How Do Hackers Learn to Hack?
Hackers learn to hack by following a self-directed, staged path: they first build fundamentals in networking, Linux, and scripting, then move to hands-on labs where they exploit real vulnerabilities in a sandbox, sharpen those skills against CTFs and wargames, and finally specialize in one area like web or network security. Community and consistent practice tie it all together.
Two things separate the people who make it from the people who quit. The first is sequence. Beginners who jump straight to running Metasploit without understanding TCP/IP burn out, because nothing they do makes sense. The second is volume of hands-on time. You do not learn hacking by reading about SQL injection. You learn it by exploiting a vulnerable login form yourself, failing a dozen times, and finally watching the database dump scroll past. Theory points you at the door. Practice is what walks you through it.
The four stages below are not rigid. You will loop back to fundamentals when a lab confuses you, and you will start specializing before you have finished every CTF you wanted. That is normal. Treat the roadmap as a default order, not a gate you must clear before moving on.
The 4-Stage Learning Roadmap
Here is the path from absolute beginner to specialist, with a rough time estimate and the free resources that actually move the needle at each stage.
-
Stage 1: Build the Fundamentals (3-6 months)
Networking, Linux, and one scripting language. This is the part beginners skip and later regret.
You need working knowledge of three things before any exploit makes sense. Networking comes first: how TCP/IP, DNS, and HTTP actually move data, what a port is, and how a three-way handshake works. The CompTIA Network+ objectives cover this well even if you never sit the exam. Linux is second, because nearly every tool, server, and security distro runs on it. Get comfortable in the terminal: file permissions, processes, pipes, and SUID bits. Free option: OverTheWire's Bandit wargame teaches Linux through hands-on puzzles. Third is one scripting language, and that language is Python. You do not need to be a software engineer. You need to read code fluently and write small scripts to automate the boring parts.
-
Stage 2: Exploit Things in Hands-On Labs (overlaps Stage 1)
Start breaking real vulnerabilities the moment your fundamentals are shaky-but-present. Do not wait.
Reading about a vulnerability and exploiting it are different skills, and only the second one gets you hired. The fastest way to start is a browser-based lab where the target is intentionally vulnerable and explicitly legal to attack. Pick a single vulnerability class, read how it works, then exploit it yourself in a sandbox. When it works, write down why. When it does not, that confusion is the actual lesson. We break down what these environments are and how to use them in our guide to cybersecurity labs. The point of Stage 2 is volume: dozens of small wins, not one big project.
-
Stage 3: Grind CTFs and Wargames (6-12 months in)
Labs teach one bug at a time. CTFs throw you an unknown target and a ticking clock.
Capture The Flag competitions are where you learn to operate under ambiguity. A lab tells you the topic. A CTF hands you a box and says "find the flag," which forces you to enumerate, form a hypothesis, and pivot when you are wrong. That loop is the core skill of real assessments. Start with beginner-friendly events rather than the brutal ones, or you will bounce off. Our CTF for beginners guide covers where to start and how to think during a challenge. When you want unlimited targets instead of timed events, the always-on HackerDNA challenges let you grind at your own pace.
-
Stage 4: Pick a Specialty and Go Deep (12 months and beyond)
Hacking is too broad to learn evenly. Depth in one area beats shallow coverage of all of them.
By now you have touched many areas and one or two will feel like home. Commit to one. Web application hacking is the most common entry point because it only needs a browser and an intercepting proxy, and most companies expose web apps to the internet. HackerDNA's Web Security Basics course is a structured route into that specialty. Network and Active Directory hacking is the other big track, heavier on tooling but central to internal penetration testing. Binary exploitation, cloud, and mobile are deeper specialties you can grow into later. Pick the one that keeps you up at night and let the others wait.
Stage 1 in Detail: What "Fundamentals" Actually Means
The biggest mistake new hackers make is treating fundamentals as a box to tick before the fun starts. Fundamentals are the fun, just delayed. Every exploit you will ever run is a manipulation of something at this layer, so the deeper your base, the faster everything above it makes sense.
Networking
Understand how data flows: IP addressing and subnetting, the difference between TCP and UDP, what each common port does, and how DNS resolution works. You do not need to memorize RFCs. You need a mental model solid enough that when a scan returns "port 445 open," you immediately think SMB and know roughly what that means for the target.
The Linux Command Line
Comfort in a terminal is non-negotiable. Navigate the filesystem, chain commands with pipes, read and change file permissions, and understand what SUID and SGID bits do, since they are a classic privilege escalation vector. The skill you are building is the ability to sit at an unfamiliar Linux box and orient yourself in under a minute.
One Scripting Language
Python is the default for a reason: the security tooling ecosystem is built on it, and the language is forgiving for beginners. Learn enough to parse output, hit an API, and automate a repetitive task. Bash scripting follows naturally from living in the Linux shell. You can pick up JavaScript later when you move into web work.
Why Hands-On Labs Beat Watching Tutorials
There is a trap that swallows a lot of beginners, sometimes called tutorial hell. You watch video after video, feel productive, and learn almost nothing, because watching someone else exploit a bug builds zero muscle memory. Skill in hacking lives in your fingers and your problem-solving habits, not in the videos you have seen.
In practice, the learning cycle that works looks like this: read just enough about a vulnerability to attempt it, try to exploit it yourself, fail, read the error, adjust, and repeat until it works. Then write a few sentences explaining why the fix would have stopped you. That write-up step is what most people skip and it is what turns a one-time win into a transferable skill. When you hit the same bug class in an unfamiliar app six months later, you will recognize it because you once explained it in your own words.
Always-on labs beat timed CTFs for this part of the journey because there is no clock and no scoreboard pressure. You can sit with one vulnerability for an afternoon, experiment freely, and break the target in ways a real engagement would never let you. That freedom to experiment without consequences is exactly what early-stage learning needs.
How Long Does It Take to Learn Hacking?
There is no single answer, but the timeline below reflects consistent, focused practice rather than casual weekend dabbling. Reaching a junior penetration tester level typically takes 12 to 18 months at five to ten hours per week.
- Months 0-6: Stage 1 fundamentals plus your first labs. You can exploit basic web vulnerabilities and navigate Linux confidently.
- Months 6-12: Stage 2 and 3 in parallel. Intermediate labs, your first CTFs, and the start of a methodology you can repeat.
- Months 12-24: Stage 4 specialization. You are deep in one track, completing hard labs, and ready to consider a certification like OSCP if hiring is the goal.
- Year 2 and on: Professional-level skill in your specialty, with the breadth to move between areas when a target demands it.
These numbers assume you treat the roadmap as a sequence and put in real hands-on hours. People who only read move much slower, if they progress at all.
Free Resources Worth Your Time
You can get a long way without spending a cent. These are the references that hold up, mapped to the stage where they help most.
OWASP
Stage 2 and 4, web track. The OWASP Top 10 is the canonical list of the most common web vulnerability classes, and the Web Security Testing Guide turns that list into a repeatable methodology. Free, vendor neutral, and referenced in real security audits.
OverTheWire Bandit
Stage 1, Linux. A free wargame that teaches the Linux command line one puzzle at a time. Each level hides a password you find with a different shell technique. The best zero-cost way to build terminal fluency.
NVD and CVE data
Stage 3 and 4. The National Vulnerability Database lets you read real CVEs: how a bug was discovered, its severity, and what versions it affected. Studying real disclosures teaches the shape of how vulnerabilities actually get found and fixed.
HackerDNA structured courses
Stage 4 structure. Scattered tutorials teach isolated tricks. Structured courses teach how vulnerabilities relate, how to chain them, and how to think systematically, which is what specialization requires. Free tier available to start.
The Habits That Make the Roadmap Stick
Consistency beats intensity every time. The classic failure pattern is a full weekend of labs followed by two weeks of nothing. Your brain needs regular, spaced practice to build the intuition that lets you spot a vulnerability you have never seen before.
Three habits do most of the work. First, practice in small daily doses; thirty focused minutes most days beats an occasional marathon. Second, keep a hacking journal where you write up what you learned from each lab or challenge, because writing forces understanding and gives you a searchable reference later. Third, plug into a community. Security people learn in public, on forums, Discord servers, and CTF teams, and a five-minute question to someone further along can save you a week of being stuck.
Stay Legal While You Learn
Critical reminder: Hacking a system you do not own or have explicit written authorization to test is a crime in every developed country, regardless of intent. "I was just learning" is not a legal defense. Practice only on sandboxed labs, CTF platforms, or bug bounty programs that explicitly authorize testing.
The whole point of the lab-and-CTF route is that it keeps your learning legal by construction. The targets are owned by the platform and exist to be attacked. The day you find a real vulnerability outside an authorized engagement, the right move is responsible disclosure: notify the owner privately, give them time to fix it, and never act on what you found. The fastest way to end a security career before it starts is to "just check" whether something outside your scope is exploitable.
Your Next Step on the Roadmap
Learning to hack is a long apprenticeship in how systems break, and the only way through it is the hands-on part. Reading this roadmap is the easy bit. The skill gets built when you read about a vulnerability, exploit it yourself, fail a few times, and finally understand why it exists and how to find others like it. There is no shortcut around that, and no substitute for it.
Start where you are. If you have never touched a lab, begin Stage 2 today in HackerDNA Labs while you shore up fundamentals in parallel. Move into CTF-style challenges once basic exploitation feels natural, then specialize through a structured course. The free tier gives you browser-based targets with no credit card and no local setup. Pick a lab and get your first foothold.
Part of our hacking guide: What Is Hacking? The Complete Guide
- How Do Hackers Learn to Hack?
- Hacking 101: White Hat vs Black Hat
- CTF for Beginners
