Wireshark / TShark
Packet analysisBest starting point for protocol troubleshooting, TLS/DNS analysis, and validating what really happened on the wire.
$ wireshark / tshark
analyst@hack3rs:~$ cat index.html
Free network security learning — protocols, threats, tools, and defensive workflows. No courses. No paywalls.
analyst@hack3rs:~$ cat scope.txt
White-hat content: attack vectors, defenses, tools, and learning paths for defenders.
focus
Network defense: visibility, hardening, detection, and incident response.
audience
SOC analysts, sysadmins, students, and people switching into security.
approach
Threat-informed, tool-practical. We cover the tools defenders actually run.
Network Security Threats and Defensive Priorities
evergreenDurable attack vectors, practical defenses, and hands-on tool guidance — from a white-hat, operations-first perspective. The goal is working knowledge, not vendor marketing.
learning-navigation.txt
Pick a path, follow the modules, and track progress yourself. No logins, no checkmarks.
recommended-next-links
threat-signals.log
- AV-01 high
Phishing works because it targets the person, not the system. Email lures, credential-harvesting pages, MFA fatigue, and session theft bypass firewalls and EDR by exploiting the authentication workflow itself.
$ action: Deploy phishing-resistant MFA, add conditional access controls, and build a fast account lock and session revocation playbook you've actually tested.
- AV-02 critical
Exposed services and remote access weaknesses
VPNs, firewalls, admin panels, RDP, SSH, and internet-facing applications are continuously scanned. Attackers don't need to know your organization to find what you've left reachable.
$ action: Maintain a live inventory of exposed services, patch aggressively starting with internet-facing systems, and lock down administrative access paths.
- AV-03 critical
Vulnerability exploitation and misconfiguration abuse
Attackers consistently exploit known weaknesses and insecure defaults, especially on public-facing systems, cloud services, and network appliances. Misconfiguration is usually the multiplier that turns a bug into a breach.
$ action: Prioritize externally exposed assets, enforce secure defaults, and validate remediation with direct testing — not just ticket status.
open /threats/vulnerability-exploitation-and-misconfiguration-abuse
- AV-04 high
Lateral movement after initial access
Once inside, attackers use shared credentials, over-trusted network paths, and gaps in east-west monitoring to move across systems and escalate privileges before defenders notice.
$ action: Segment networks, reduce admin sprawl, monitor east-west traffic, and alert on abnormal authentication patterns between internal hosts.
why-this-matters.txt
Most teams don't need more tools — they need better prioritization. Asset inventory, identity hardening, visibility, KEV-driven patching, and practiced response deliver more than another product license.
Framework anchor:
NIST CSF (Govern, Identify, Protect, Detect, Respond, Recover)
Threat model anchor:
MITRE ATT&CK for enterprise + network devices + cloud platforms
open /threats Detailed pages for the four main attack vectors listed on the homepage learning-paths.md
Work through these modules in order. Traffic interpretation and defensive operations first — advanced tooling comes after you can read a packet and explain what it means.
Foundations (Weeks 1-2)
Detection & Monitoring (Weeks 3-6)
Vulnerability & Exposure (Weeks 7-8)
defender-toolkit-index.json
These are the tools defenders actually run. Learn what each one is best at, where it fits in a workflow, and what its output is telling you — not just how to invoke it.
Nmap
Discovery & auditUse for host discovery, port/service enumeration, version checks, and scripted validation of exposed services.
$ nmap -sV -O
Zeek
Network telemetryProduces rich protocol logs and metadata for threat hunting and retrospective analysis at scale.
$ zeekctl deploy
Suricata
IDS / IPS / detectionSignature and protocol-aware detection engine for network monitoring, IDS/IPS, and traffic inspection.
$ suricata -c suricata.yaml
Security Onion
Blue team platformIntegrated platform for network visibility, host visibility, log management, and case management.
$ so-setup
OpenVAS / Greenbone CE
Vulnerability managementCommunity vulnerability management stack for recurring scans and remediation workflows.
$ greenbone / openvas
defender-starter-checklist.sh
# Inventory internet-facing assets, remote access systems, and network devices.
# Turn on MFA for remote/admin access and review inactive accounts.
# Centralize firewall, VPN, IDS/IPS, DNS, and auth logs.
# Patch internet-facing KEV-listed vulnerabilities first, then high-risk exposures.
# Baseline alerting for auth anomalies, DNS spikes, scanning, and exfil patterns.
# Drill one ransomware and one DDoS response scenario each quarter.frameworks-and-feeds
- $ Use KEV-style exploited-vulnerability tracking for patch prioritization.
- $ Use practical baseline controls for small/medium teams.
- $ Use NIST CSF to structure governance and operations.
- $ Use MITRE ATT&CK to map detections and gaps.
- $ Use vendor/community tool docs to learn workflows deeply.
Status: learning hub index online
Content mode: white-hat / educational
Content mode: white-hat / educational
global-security-conferences-calendar.md
Key conferences organized by the month they normally fall in — DEF CON, Black Hat, BSides, RSAC, CCC, and more. Dates shift year to year; confirm on the official site before booking anything.
Month labels are recurring patterns, not confirmed dates. Always verify on the official site before travel.
open /security-conferences Browse the full conference calendar by recurring month and regionnetwork-security-faq.schema
Common questions with direct answers. Also published as structured FAQ data to help these show up in search.
open /network-security-faq Detailed beginner FAQ on careers, schools, skills, labs, ethics, and getting started in network securityWhat should I learn first in network security?
TCP/IP, DNS, and routing first. Then packet analysis with Wireshark, discovery with Nmap, and telemetry/detection with Zeek and Suricata. Add vulnerability management and incident response once you can read a log and explain what it means.
How do I prioritize vulnerabilities?
CISA KEV first — patch what's actively exploited on internet-facing systems. Then rank by asset criticality and exploitability. CVSS score alone will steer you wrong.
Do I need both Zeek and Suricata?
Usually yes. Zeek produces structured protocol logs useful for hunting and retrospective investigation. Suricata handles signature-based and protocol-aware detection. They solve different problems — run both if you can.
Which framework should guide a small team?
Start with CISA CPGs — they're operationally concrete. Use NIST CSF 2.0 to structure the program. Use MITRE ATT&CK to map detection gaps. That order keeps the team doing work rather than producing frameworks about work.
learning-resources.lst
Framework docs, tool documentation, and conference links. All evergreen — no dated report summaries that go stale.
- $ CISA Known Exploited Vulnerabilities (KEV) Catalog
- $ CISA Cross-Sector Cybersecurity Performance Goals
- $ CISA Secure by Design
- $ NIST Cybersecurity Framework (CSF)
- $ MITRE ATT&CK Enterprise Matrix
- $ Suricata Documentation
- $ Zeek Documentation
- $ Wireshark Documentation
- $ Nmap Documentation
- $ Security Onion Docs (About)
- $ Greenbone Community Edition Docs
- $ Black Hat Upcoming Events
- $ Black Hat MEA
- $ DEF CON Forums Calendar (official)
- $ RSAC Conference (official)
- $ Infosecurity Europe (official)
- $ FIRST Annual Conference (official)
- $ GISEC Global (official)
- $ GovWare (official)
- $ it-sa Expo&Congress visitor information
- $ Nullcon (official)
- $ CanSecWest / secwest.net
- $ Chaos Communication Congress (official)
canada-government-cyber-careers.lst
Canadian federal agencies with active cyber missions — CSE/Cyber Centre, RCMP NC3, CSIS, SSC, DND, and more. Official links included; check GC Jobs for current postings.
Nearly every federal department hires cyber professionals. Mandates and hiring pages change — verify on the official site and GC Jobs before applying.
open /cyber-careers Browse Canadian federal agencies, cyber mission areas, and official careers linkslabs-and-comparisons.lst
Hands-on labs and tool comparisons to turn theory into repeatable workflows. Run the scenario, then explain what you found.
network-security-certifications.lst
Certifications help structure study and signal baseline knowledge to employers. Start with Network+, not Security+. Pair every cert with labs, packet analysis, and logging practice — or the cert becomes theory without depth.
Choose certs that match the role you actually want: network ops, SOC, IR, cloud, or governance. Follow the roadmap, not cert vendor marketing.
open /netsec-certifications See recommended cert order, timelines, and detailed learning guidance for each certification