Introduction to Cybersecurity
What cybersecurity practitioners actually do
Cybersecurity is about protecting systems and data, but the work looks different depending on which side of the attack you're on. Here are the main roles:
Penetration Tester. Attacks systems to find vulnerabilities before real attackers do. Scans networks, exploits weaknesses, writes reports showing what they found and how to fix it. Authorized offensive work.
Security Analyst / SOC Analyst. Monitors systems for threats. Reads alerts, triages incidents, investigates suspicious activity. The first line of defense. Works in a Security Operations Center (SOC).
Detection Engineer. Writes the rules that detect attacks. Sigma rules, SIEM queries, alert logic. Turns knowledge of how attacks work into automated detection. A more specialized role that's growing fast.
Security Engineer. Builds and maintains security infrastructure. Firewalls, monitoring systems, access controls, hardening configurations. Makes sure the defenses are in place and working.
Incident Responder. Handles security incidents when they happen. Containment, investigation, eradication, recovery. Works under pressure with incomplete information.
These roles overlap significantly. At a smaller organization, one security person does all of it. This track follows a purple team model: you attack and defend the same systems, seeing every event from both sides.
The professional loop
Every cybersecurity project, whether it's a vulnerability assessment or a full purple team exercise, moves through the same cycle:
1. Scope, rules of engagement, and threat model. What systems are you assessing? What's off-limits? What threats does the system face? Security work always begins with authorization and boundaries. No exceptions.
2. TTP selection and attack planning. Which attack techniques are relevant to this system? Mapped to the MITRE ATT&CK framework, the industry-standard catalogue of how attackers actually operate. You don't try everything; you select the techniques that matter for this target.
3. Baseline visibility audit. Before attacking, check: what can the defenders already see? Which logs are being collected? Which alerts are in place? This establishes the starting line: what the system detects before you do anything.
4. Attack execution and exploit validation. Run the attacks. Scan the network, exploit the vulnerabilities, validate that the attack paths work. This is real offensive work against a lab system, not theoretical.
5. Detection review and triage. Switch sides. Did the defenses detect the attacks? Which alerts fired? Which attacks went unnoticed? This is where the purple team model pays off. You know exactly what you did, so you can evaluate exactly what was detected.
6. Hardening and remediation. Fix what you found. Patch vulnerabilities, write detection rules for attacks that went unnoticed, tighten configurations. The defensive work that comes from understanding the attack.
7. Re-test the same TTPs. Attack again, the same techniques as before. Do the fixes hold? Do the new detections fire? This verifies both prevention (the attack is blocked) and detection (the attack is caught even if it succeeds).
8. Reporting, metrics, and lessons learned. What percentage of techniques were detected? Blocked? What's the detection latency? These metrics drive improvement. The report is a professional deliverable: clear, evidence-based, actionable.
You'll run this loop in every project. What changes is the complexity: early projects give you a known vulnerability to exploit and a guided remediation. Later projects give you a complex system and expect you to discover the threats, build the detections, and measure the improvement.
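The metrics named in step 8, computed for a baseline run and a re-test of the same TTPs, as an added example that is not part of the original course material. The records, timestamps and field names are constructed for illustration; the IDs are MITRE ATT&CK technique IDs.

```python
from datetime import datetime
from statistics import median

# Constructed lab results: one record per executed ATT&CK technique.
# "alert" is when the first matching alert fired (None = nothing fired).
BASELINE = [
    {"ttp": "T1046", "run": "2024-01-10T10:00:00", "blocked": False, "alert": "2024-01-10T10:00:40"},
    {"ttp": "T1110", "run": "2024-01-10T10:05:00", "blocked": False, "alert": None},
    {"ttp": "T1190", "run": "2024-01-10T10:12:00", "blocked": False, "alert": None},
    {"ttp": "T1059", "run": "2024-01-10T10:20:00", "blocked": False, "alert": "2024-01-10T10:23:00"},
]
RETEST = [
    {"ttp": "T1046", "run": "2024-01-17T10:00:00", "blocked": False, "alert": "2024-01-17T10:00:20"},
    {"ttp": "T1110", "run": "2024-01-17T10:05:00", "blocked": True, "alert": "2024-01-17T10:05:30"},
    {"ttp": "T1190", "run": "2024-01-17T10:12:00", "blocked": True, "alert": "2024-01-17T10:12:10"},
    {"ttp": "T1059", "run": "2024-01-17T10:20:00", "blocked": False, "alert": "2024-01-17T10:21:00"},
]

def score(results):
    """Detection rate, block rate, median detection latency, undetected TTPs."""
    if not results:
        raise ValueError("no techniques were executed")
    latencies, undetected = [], []
    for r in results:
        if r["alert"] is None:
            undetected.append(r["ttp"])
            continue
        delay = (datetime.fromisoformat(r["alert"])
                 - datetime.fromisoformat(r["run"])).total_seconds()
        if delay < 0:
            # An alert before the attack ran means clock skew or a wrong match.
            raise ValueError(f"{r['ttp']}: alert predates execution")
        latencies.append(delay)
    n = len(results)
    return {
        "detected_pct": 100 * len(latencies) / n,
        "blocked_pct": 100 * sum(r["blocked"] for r in results) / n,
        "median_latency_s": median(latencies) if latencies else None,
        "undetected": undetected,
    }

def newly_detected(before, after):
    """Techniques missed at baseline that raise an alert on re-test."""
    alerted = {r["ttp"] for r in after if r["alert"] is not None}
    return sorted(set(score(before)["undetected"]) & alerted)

if __name__ == "__main__":
    for name, run in (("baseline", BASELINE), ("re-test", RETEST)):
        print(name, score(run))
    print("newly detected:", newly_detected(BASELINE, RETEST))
```

Blocked and detected are scored separately because the re-test checks both: a technique can be blocked without raising an alert, or succeed and still be caught.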
What you'll work on
Each project is built for a client with a specific security concern. You'll direct AI to scan, exploit, detect, and harden, then verify whether the defenses actually work. Here's a sample:
- A vulnerability assessment of a web application using industry-standard scanning tools
- A detection engineering project that writes Sigma rules for specific attack techniques
- A hardening engagement that locks down a server and verifies the configuration
- A network security assessment with traffic analysis and intrusion detection
- An incident response exercise investigating a simulated breach
- A full purple team exercise across a complex system with multiple attack surfaces
The projects get harder in specific ways. The systems get more complex. The attacks get more subtle. The detection engineering gets more sophisticated. You move from single-host scanning to multi-system assessments with real monitoring infrastructure. And throughout, AI is your primary tool, useful for generating scripts and analyzing logs, but prone to specific mistakes with security context that you'll learn to catch.
Core tools
These are the tools cybersecurity practitioners use daily. You'll set up the core ones in the track setup; the rest are introduced as projects need them.
Terminal. Your command line. Security work is terminal-heavy. Most tools are CLI-based.
Claude Code. Your AI coding agent. You'll direct it to write scripts, analyze logs, generate detection rules, and automate security tasks. It's useful for security work, and it makes specific, predictable mistakes with security context that you'll learn to catch.
Git and GitHub. Version control. Every project lives in a repository.
Nmap. Network scanner. Discovers hosts, open ports, and running services. The first tool you reach for in any assessment.
ZAP (Zed Attack Proxy). Web application security scanner. Finds common web vulnerabilities: SQL injection, XSS, authentication flaws.
Grafana and Loki. Monitoring and log aggregation. Where you watch for attacks and read the evidence. Grafana visualizes; Loki stores and queries logs.
Sigma rules and sigma-cli. Detection-as-code. You write detection rules in a vendor-neutral format (Sigma), then compile them for your specific SIEM or log platform. The standard for portable detection engineering.
MITRE ATT&CK. Not a tool, but a framework. The industry-standard catalogue of adversary techniques. You'll reference it in every project to map what you're attacking and what you're detecting.
Docker. Runs your lab environments. Each project's target systems run in containers so you can attack them safely without affecting anything else.
You'll install additional tools as the track progresses: Metasploit for exploitation, Wazuh for SIEM, Wireshark for traffic analysis, and others. Each project tells you what's needed.