Ask HN: Looking to Break into Cybersecurity – Where Do I Start?

14 points by OulaX 4 days ago

I have a degree in Computer Science and currently work as a frontend web developer.

I live in a developing country where there’s no shortage of software developers who build systems for both personal and governmental use. However, many of these systems have serious gaps when it comes to security.

What’s really missing here are skilled cybersecurity specialists. From a career perspective, I see this as an opportunity to grow locally and contribute where there’s a real need.

That said, I’m not sure how or where to begin. I’ve done some research, but getting started in cybersecurity doesn’t seem as straightforward as in other fields.

I’d really appreciate any advice or tips on how to get started and move in the right direction!

alp1n3_eth a day ago

You're a frontend web developer, so I'm assuming you're going to want to work in the areas of either:

1) application security engineering
2) application penetration testing
3) devsecops
4) vulnerability management

It really is a big difference from each person on how they "break into" it. You've got great foundational qualifications, and probably just need to layer on extra "security" ones, if you don't already have them. If you're looking to start a company / start freelancing -- I've got no clue about that though.

If you're just dipping your toes further into the web app security side, OWASP has great labs, resources, etc. They have the WSTG (more for pentesters) and ASVS (more for devs), and of course their cheat sheets as well.

PortSwigger has great resources to read through on vulnerabilities and labs that will cover a ton of different vulnerabilities. HackTheBox also offers certification pathways: CBBH and CWEE. CBBH is more beginner/intermediate and involves a blackbox approach, where CWEE is more whitebox (from what it looks like).

Just because systems have gaps, doesn't mean the orgs actually want help with those gaps, esp. unsolicited. You could always take a look at bug bounty as well (through HackerOne or Bugcrowd), but it can be pretty brutal for a beginner as it can involve a ton of recon or "going deep" to reach untouched areas of an app.

re-thc 4 days ago

> I live in a developing country where there’s no shortage of software developers who build systems for both personal and governmental use. However, many of these systems have serious gaps when it comes to security.

i.e. is there actually demand for Cybersecurity? A gap is not the same as demand. Maybe it shows they just don't care.

0xCE0 3 days ago

The obvious answer of course is that to be a "cybersecurity specialist/expert", you have to be a hardcore hacker in its original meaning: to be a person who understands what things actually are (behave), not what people say they are (behave).

In my opinion, cybersec/infosec expertise/mindset should be always-on on everybody in 2025. Starting from scammers calling/messaging, to malware/spyware on devices, social engineering, physical security, people security/trustworthiness, trust/auth/integrity/encryption/backups/certs/audit-trail etc... Everything. One needs to know if one is hacked already ("Reflections on Trusting Trust.pdf"), and one needs to know when one is hacked (tripwire). And knowing what is/are your weakest link(s), because it usually defines the strength of your defences.

mettamage 3 days ago

hackthebox.eu - hack 20 boxes on your own, a mix between easy and medium. Be sure to focus more on Windows than Linux. Then start applying for jobs at corporations. Do a double approach: just apply and do your best to network with people in the field by sending them a message that you want to switch over to the field as well. Keep on hacking and networking and eventually you'll land a job.

That's how a friend did it. To be fair, he's Dutch and did this with Dutch companies. So not sure if this would work in your country.

fedorvin 4 days ago

Since you already know frontend, I would recommend starting with Burp Suite and web exploitation. The issue with cybersec is that there are just too many things you can/need to learn, so the best thing would be to start with the area you already know something about.

https://portswigger.net/web-security is a great resource to get you started.

Good luck!