student@hack3rs:~/learning$ ls -R modules/
Network Security Learning Path
Work through these modules in order. Each page covers the topic in depth — notes, labs, common mistakes, example outputs, and a -> next page link to keep you moving.
Recommended Starting Paths (By Role)
Do the core curriculum first, then pick the tool path that fits your role. The links below jump directly into those tracks under /learning/tools/paths.
Canada Beginner Planning Guides
Canadian student or beginner? Use these pages to pick a learning order, evaluate programs, and build a realistic first-year plan tied to the core curriculum.
Foundations (Weeks 1-2)
- 1 TCP/IP, DNS, HTTP, TLS, Routing and Switching Fundamentals
TCP/IP fundamentals are the baseline for every detection and investigation skill that follows. We walk through how traffic moves, how names resolve, how web sessions are established, and where defenders can observe or control each step.
- 2 Subnetting, NAT, Firewall Policy Logic, and Segmentation Basics
Subnetting and firewall policy design are not just routing concerns — they are the structural controls that determine how far an attacker can move once they are inside. This module turns address planning, policy boundaries, and segmentation from routing afterthoughts into defensive controls.
- 3 Linux and Windows Logging Basics for Defenders
Linux security logging and Windows event logs are the other half of network defense. Knowing which logs exist, what they are actually good for, and how to collect enough data for an investigation — without generating noise you cannot search — is a foundational skill.
Detection & Monitoring (Weeks 3-6)
- 4 Packet Capture and Protocol Analysis with Wireshark / TShark
Packet capture analysis is the highest-fidelity evidence available during a network incident. This module builds a repeatable workflow using Wireshark and TShark — scoping captures, filtering effectively, and turning raw packet data into analyst conclusions.
- 5 Network Security Monitoring with Zeek and Suricata
Network security monitoring with Zeek and Suricata gives defenders two complementary layers: Zeek produces rich protocol logs for hunting and retrospective analysis, while Suricata fires signatures and protocol-aware alerts. Neither alone is sufficient.
- 6 Alert Triage, False Positives, and Detection Tuning
Alert triage is how defenders convert detection signals into decisions. A disciplined triage workflow with a structured approach to false positive reduction keeps analysts making good calls at speed rather than burning through a queue without learning anything.
Vulnerability & Exposure (Weeks 7-8)
- 7 Nmap Scanning Strategy and Safe Validation Workflows
Nmap scanning belongs in every defender's toolkit — but used as a controlled validation and inventory tool, not as unguided reconnaissance. This module covers scope control, authorization, and repeatable workflows for exposure checks and service inventory.
- 8 OpenVAS / Greenbone Scanning: Credentialed vs Unauthenticated Scans
OpenVAS vulnerability scanning gives defenders two very different views of a system depending on whether credentials are used. Understanding why credentialed scans produce dramatically more accurate results is essential before treating any scanner output as a reliable basis for remediation decisions.
- 9 Exploit-Informed Remediation and Asset Criticality Tagging
Vulnerability exploitation in the real world does not follow CVSS order. This module moves beyond severity-only patching to a risk-based model that weighs exploit activity, exposure, privilege, and business impact — where vulnerability management actually becomes useful operationally.
Response & Improvement (Weeks 9-10)
- 10 Incident Response Playbooks Aligned to Recognized Cybersecurity Framework Functions
An incident response playbook is only useful if an analyst under stress can follow it. This module covers how to design playbooks that map to recognized framework functions — Identify, Protect, Detect, Respond, Recover — while staying concrete enough to guide real decisions.
- 11 Threat-Informed Defense Using ATT&CK-Style Technique Mapping
ATT&CK-style technique mapping connects your detections to adversary behaviors, surfaces telemetry gaps, and gives teams a shared language for coverage decisions. The goal is an honest map of what you can actually detect — not a green matrix that creates false confidence.
- 12 Post-Incident Review, Hardening Backlog, and Detection Coverage Gaps
Post-incident review turns a resolved incident into durable security improvement. This module covers how to run a structured review, convert findings into tracked hardening and detection work, and measure whether the improvements actually make a difference.
Tool Guides (Detailed Defensive Usage)
Long-form guides for Wireshark, Nmap, Zeek, Suricata, and more — CLI workflows, ethical-use boundaries, common mistakes, and how each tool fits into real defensive work.
Frameworks and Feeds (Decision-Making for Defenders)
How to prioritize work, build a practical baseline, structure operations with NIST CSF, map detection gaps with MITRE ATT&CK, and get real depth from vendor docs. This sits between core modules and advanced tooling because it improves judgment — not just command count.