Free Hacking Roadmap — Every Platform, Cert, and Tool in One Place
Where the “awesome-hacking” lists fail you, we pick up the pieces.
One-Line Flow: 36 free resources to learn hacking from scratch — labs, certs, tools, all sorted by skill level so you don’t drown.

That GitHub repo you found? Tool cemetery. IDA Pro, radare2, Metasploit… cool names, zero context for someone who doesn’t know what a “buffer overflow” is.
This guide is different.
For the curious ones who:
- Don’t know code (yet)
- Don’t have Kali Linux
- Don’t understand half the jargon
- Just want to learn without drowning
“Why pick the lock when you can just ask the janitor?”
What Even Is Hacking
Problem-solving. Not magic commands. Not Hollywood nonsense.
- Find how something works
- Find where it breaks
- Exploit that weakness
That’s it. Everything else is details.
TIER 0 — Absolute Zero
No experience required. Literally none.
| Resource | What It Is | Why It Slaps |
|---|---|---|
| Hacksplaining | Browser-based vuln lessons | See the hack → See the fix |
| PicoCTF | CMU’s gamified CTF | Designed for middle schoolers (actually accessible) |
| OverTheWire: Bandit | SSH wargame, 34 levels | Learn Linux by using it |
| TryHackMe | Gamified paths + browser labs | AttackBox = full hacking env in browser |
🔌 OverTheWire Level 0 Login
ssh [email protected] -p 2220
# Password: bandit0
TIER 1 — Building Real Skills
| Resource | What It Is | The Move |
|---|---|---|
| HTB Starting Point | Guided intro machines | Pwnbox = browser-based Parrot OS |
| Hacker101 | HackerOne’s free training | 26 points → private bug bounty invites |
| PortSwigger Academy | Burp Suite team’s labs | SQLi, XSS, CSRF, everything web |
| Roppers Academy | Zero-knowledge foundations | Computing → Security → CTF fundamentals |
Pro tip: ippsec.rocks — searchable database of 500+ HTB walkthroughs.
TIER 2 — Blue Team
Good defenders make great attackers.
| Resource | Focus |
|---|---|
| CyberDefenders | 84+ free labs — forensics, threat hunting, malware |
| LetsDefend | SOC training, alert analysis, incident response |
TIER 3 — Free Certs (Yes, Really)
Resume gold. Zero cost.
| Provider | What’s Free | Notes |
|---|---|---|
| Fortinet NSE | NSE 1, 2, 3 + badges | 30+ courses, counts toward (ISC)² CPE |
| Cisco NetAcad | Intro to Cybersecurity, Networking Basics | CCST pathway, Packet Tracer included |
| CISA Learning | 850+ hours | Government training, open to everyone |
| AWS Training | 600+ courses | Security Learning Plan, Skills Builder |
📜 How to Get Fortinet NSE Certs
- Go to training.fortinet.com
- Create free account
- Complete NSE 1 “The Threat Landscape”
- Complete NSE 2 “The Evolution of Cybersecurity”
- Download your certificates
- Flex on LinkedIn
TIER 4 — OSINT
Before you hack anything, you need to find information.
| Tool | What It Does |
|---|---|
| OSINT Framework | Massive tree of data sources |
| Shodan | Search engine for internet-connected devices |
| Google Dork DB | Exposed data via search operators |
🔍 Google Dorking Quickstart
site:example.com filetype:pdf
intitle:"index of" passwords
inurl:admin
TIER 5 — Vulnerable Apps
Legal targets. Designed to be broken.
| App | Stack | Docker Command |
|---|---|---|
| DVWA | PHP | docker run --rm -it -p 80:80 vulnerables/web-dvwa |
| WebGoat | Java | docker run -it -p 8080:8080 -p 9090:9090 webgoat/webgoat |
| Juice Shop | Node/Angular | docker run --rm -p 3000:3000 bkimminich/juice-shop |
| bWAPP | PHP | 100+ vulns |
| Metasploitable | Full VM | VirtualBox/VMware |
Master list: OWASP VWAD
TIER 6 — Malware Sandboxes
Analyze suspicious files without nuking your machine.
| Sandbox | The Deal |
|---|---|
| ANY.RUN | Interactive — watch malware live, click around |
| Hybrid Analysis | CrowdStrike’s free sandbox, 1.4B+ IOCs |
| Joe Sandbox | Win/Mac/Linux/Android, AI detection |
| VirusTotal | 70+ AV engines, URL scanning |
TIER 7 — Browser Tools
No install. Just go.
| Tool | What It Does |
|---|---|
| CyberChef | GCHQ’s Swiss Army Knife — encode, decode, hash, encrypt, 300+ recipes |
| Pentest-Tools | Cloud-based scanning |
| HackTools | Browser extension — payloads, shells, hashes in dev tools |
CyberChef runs 100% in browser. No data leaves your machine. Built by UK intelligence. Free.
TIER 8 — Reverse Engineering
| Resource | What It Is |
|---|---|
| Ghidra | NSA’s free RE tool. Competes with IDA Pro ($$$) |
| NSA Codebreaker | Annual CTF, RE focus, students can compete |
| Hackaday Ghidra Course | Free 4-session intro |
TIER 9 — Wordlists & Cracking
| Resource | What It Is |
|---|---|
| SecLists | Holy grail — passwords, usernames, fuzzing, payloads |
| rockyou.txt | 14M real passwords. /usr/share/wordlists/rockyou.txt on Kali |
| CrackStation | Free online hash cracker, 190GB backend |
| Weakpass | Specialized wordlists by language/industry |
YouTube That Actually Teaches
| Channel | Vibe |
|---|---|
| IppSec | HTB walkthroughs. Legendary |
| John Hammond | CTFs, malware, beginner-friendly |
| The Cyber Mentor | Practical ethical hacking, OSCP prep |
| LiveOverflow | Deep exploit dives |
| NetworkChuck | Networking + security basics |
GitHub Worth Bookmarking
| Repo | What |
|---|---|
| Awesome-Hacking | Meta-list |
| SecLists | Wordlists for everything |
| PayloadsAllTheThings | Payloads for everything |
| CyberChef | GCHQ’s data manipulation tool |
| Ghidra | NSA’s RE framework |
| CTF Archives | Past CTF challenges |
Practice Labs — The Full List
| Platform | Difficulty | Cost | Notes |
|---|---|---|---|
| PicoCTF | Baby → Hard | Free | Best for absolute beginners |
| TryHackMe | Beginner → Advanced | Free tier | Browser AttackBox |
| Hack The Box | Intermediate → Insane | Free tier | Browser Pwnbox |
| OverTheWire | Beginner | Free | SSH wargames |
| VulnHub | Intermediate | Free | Download VMs |
| Root-Me | All levels | Free | 400+ challenges |
| CyberDefenders | Intermediate | Free | Blue team focus |
| CTFtime | All levels | Free | CTF calendar + writeups |
The Path
PHASE 1: Foundations (Weeks 1-4)
├── Hacksplaining (understand vulnerabilities)
├── OverTheWire: Bandit (Linux basics)
├── Roppers: Computing Fundamentals
└── Fortinet NSE 1-2 (free certs!)
PHASE 2: Hands-On (Weeks 5-12)
├── TryHackMe: Complete Beginner path
├── PicoCTF: picoGym challenges
├── PortSwigger: Web Security Academy
└── DVWA / WebGoat (local practice)
PHASE 3: Real Challenges (Months 3-6)
├── HTB: Starting Point → Easy machines
├── Hacker101 CTF (bug bounty pipeline)
├── CyberDefenders (blue team)
└── CyberChef + malware sandboxes
PHASE 4: Specialization (6+ months)
├── Pick your path: Web / Network / Malware / OSINT
├── Bug bounties (HackerOne, Bugcrowd)
├── Ghidra + reverse engineering
└── NSA Codebreaker Challenge
The Mindset
- Google everything. 90% of hacking is research.
- Take notes. Future you will thank you.
- It’s okay to be stuck. The wall is where learning happens.
- Use writeups — but try first. Struggle builds skill.
- Community matters. Discord, forums, Twitter — connect.
Legal
Only hack what you have permission to hack.
- CTF platforms

- Your own lab

- Bug bounty programs

- Vulnerable apps (DVWA, WebGoat, etc.)

- Random websites
(jail time) - “For educational purposes”
(still jail time)
Quick Links
📎 All Links Organized
Browser-Based:
- https://hacksplaining.com
- https://tryhackme.com
- https://picoctf.org
- https://portswigger.net/web-security
- https://gchq.github.io/CyberChef/
- https://any.run
Labs:
Free Certs:
- https://training.fortinet.com
- https://netacad.com
- https://niccs.cisa.gov/training/cisa-learning
- https://aws.amazon.com/training/
Tools:
Final Words
That “awesome-hacking” repo wasn’t wrong — it’s just not for you yet.
Come back in 6 months. After you’ve:
- Popped your first shell
- Captured your first flag
- Understood why XSS is dangerous
- Felt the dopamine hit of solving something nobody told you how to do
- Earned your first free cert
Then those tools will make sense.
Until then? Start at Tier 0. Work your way up. Break things (legally).
“The unknown is not to be feared — it is to be understood.”
“Information wants to be free.” But it also wants to be reachable.
Welcome to the 1% club, 1Hacker. ![]()
!