Certification Path
The path doesn't start at OSCP. It starts at the fundamentals — building the mental model, the Linux fluency, the networking baseline — before touching a single exploit. Four milestones. One goal.
PHASE 0: Fundamentals
PHASE 1: eJPT
PHASE 2: TCM PEH
PHASE 3: HTB WebApp
GOAL: OSCP
Phase 00 — Foundation
Before touching real tools, the fundamentals have to be solid. Linux command line, basic networking (TCP/IP, DNS, HTTP), how web applications work, and the mindset shift from user to attacker. TryHackMe's learning paths cover this ground in a structured way. HackTheBox Starting Point machines provide the first live targets. This phase is not skippable — skipping it is the reason OSCP candidates fail when they rush the cert.
Phase 01 — First Certification
The eJPT is the first real exam — a hands-on, practical assessment that validates the fundamentals. No multiple choice. You get a network, you get objectives, you have 72 hours. It's cheap (~$200), beginner-friendly, and creates the first line on the résumé. TCM Security's free PEH course is the recommended prep. Passing eJPT means the foundation is solid enough to move into more aggressive territory.
Phase 02 — Intermediate
TCM Security's Practical Ethical Hacking course is where the methodology locks in. Active Directory attacks, privilege escalation, post-exploitation, pivoting, and report writing. Heath Adams (The Cyber Mentor) built this course specifically for people heading to OSCP — it bridges the gap between "I can hack CTF boxes" and "I understand how real internal networks fall." The PNPT certification that comes with it is one of the best practical certs in the field.
Phase 03 — Web Application
OSCP now includes web application attacks as a significant component of its exam. The HTB Bug Bounty Hunter certification covers the web attack surface systematically — SQLi, XSS, SSRF, XXE, authentication bypasses, and the methodology real bug bounty hunters use. This phase runs parallel to or after TCM PEH depending on comfort level. The PortSwigger Web Security Academy is the free supplement that goes deeper on individual vulnerability classes.
The Goal
Offensive Security Certified Professional. The industry benchmark. 24-hour hands-on exam. You either pop the boxes or you don't. No partial credit. No multiple choice. Everything on this path exists to make that 24 hours survivable.