Month 1-2: Foundations
HTTP, DNS, basic Linux commands. Cyfotok easy labs: SQLi, XSS. Set up LinkedIn, document each lab completion.
Month 3-4: Breadth
CSRF, IDOR, auth bugs, command injection. Finish a Cyfotok learning path. Join infosec Discord communities.
Month 5-6: Depth + proof
Hard labs, write blog posts or writeups. Apply for internships. Consider CEH or PNPT if budget allows.
Common mistakes
Certification collecting without labs. Watching videos without practice. Attacking illegal targets. Giving up after one hard lab.