BRUNOVSKI.COM — cybersecurity and OSINT roadmap

If you want to go deeper after this article, also read the Application Security learning path for beginners and the DevSecOps engineering route into security.

If you are reading this, you probably already understand the main point: information security is not a pile of certificates—it is continuous practice. In 2026 the market wants people who can think like an attacker, document like an auditor, and automate drudgery like an engineer. Data protection, investigations, vulnerability discovery, and open-source intelligence (OSINT) form one chain of skills: without networks and APIs you keep hitting a ceiling.

This text is not a “top ten courses” list—it is a roadmap you can adapt to your starting level: what to learn, in what order, and which artifacts to collect so it becomes skill, not a folder of bookmarks.

Why you need a roadmap in 2026, not chaotic “cybersecurity training”

The market is saturated with content: free videos, CTFs, random checklists. Without a map you spend months on things that never compound into a competence. For example, you memorize Kali tools but do not understand how a packet moves from browser to server—then every vulnerability hunting report becomes guesswork.

A solid roadmap answers three questions:

  1. Which baseline stack is mandatory (operating system, networks, scripting, documentation).
  2. What trail you leave in a portfolio—reproducible labs, write-ups, scripts on GitHub.
  3. How you stay legal and ethical—without that, neither red team, SOC, nor consulting will hire you.

The shift from “cybersecurity 2025” into 2026 does not change the skeleton: Linux, TCP/IP, Python, and the web/API layer remain the backbone. The accents move: more cloud identities, more supply-chain chains, more automation in investigations. That is why this roadmap explicitly includes APIs and scripting—the bridge between classic pentesting, DevSecOps, and OSINT automation.

This roadmap is about practice and portfolio: labs, write-ups, scripts, reports, and reproducibility.

Level zero: ethics, law, and work hygiene

Before you google “how to become an ethical hacker”

Ethical hacking sounds romantic, but the professional meaning is simple: you get explicit permission to test, you fix scope, you keep an activity log, and you do not touch other people’s data. Practice on other people’s systems without a contract is not “learning”—it is legal risk. All training labs should live on your own VPS, local VMs, or legal platforms (Hack The Box, TryHackMe, your own ranges).

Minimum rules

  • Written scope: IPs, domains, time windows, prohibitions (for example social engineering or DoS).
  • Separate personal and work accounts; 2FA everywhere you touch infrastructure.
  • Documentation: what you scanned, which software versions, which CVEs you checked—that is the auditor’s report backbone.

Foundation: Linux and network protocols without magic

Why Linux matters in security

Most security tooling assumes Unix-like systems: from log parsing to containers. Your goal is not to memorize 300 commands—it is to confidently:

  • navigate the filesystem, chmod/chown, processes and services (systemd);
  • configure networking at the interface, routing, DNS, and firewall level;
  • read logs and collect investigation artifacts (journalctl, /var/log, auditd).

Networks: what interviews actually probe

Understand the model well enough for vulnerability discovery and OSINT:

  1. TCP vs UDP: connection setup, retransmissions, typical uses (HTTP/HTTPS, DNS, VPN).
  2. Routing and NAT: where visibility “breaks”, asymmetric paths.
  3. TLS: certificates, chain of trust, common misconfiguration, downgrade.
  4. HTTP: methods, headers, cookies, cache, typical vectors (injection, SSRF at the request-understanding level).

Without this you cannot explain why the same issue is “visible” from a browser but “invisible” to a scanner, or the reverse. For QA engineers moving into security this is especially important: the same principles underpin API testing and contracts.

If you are coming from QA automation or SDET and want security grounded in daily checks, read SDET and Security Testing: practical zones (BOLA, injections, auth) and how to lock them into CI.

OSINT: methodology beats a list of tools

OSINT (Open Source Intelligence) is collecting and verifying data from open sources. Typical source classes:

  • domains, DNS, infrastructure history;
  • document metadata and public code repositories;
  • social networks, maps, marketplaces, web archives;
  • data in legal databases with a clear legal basis (no “gray” dumps).

Hygiene matters (respect ToS and law) and fact-checking: OSINT without verification becomes gossip.

OSINT tool categories people mean in 2026

OSINT tools” usually means a bundle of categories, not one app:

  • Passive DNS and domain history—mapping infrastructure without active scanning.
  • Leak and public-dump search—only inside legal boundaries and with customer consent; for training use synthetic datasets.
  • Document metadata—PDF/Office sometimes exposes users and software versions.
  • Code and secrets in Git—patterns for API keys, .env, private tokens (in teaching repos use deliberate flags).
  • Geo and media—EXIF, cross-checking images (watch privacy carefully).

In practice, keep an “entity map”: subject → assets (domains, IPs, people, handles) → sources → confidence level. That pattern fits both incident response and legal B2B intelligence.

Cloud, identities, and “zero perimeter” in the 2026 roadmap

In enterprises the perimeter rarely equals “the office VLAN”. Employees, contractors, SaaS, and API gateways create a distributed attack surface. Modern information security needs at least applied knowledge of:

  • Cloud IAM—roles, policies, least privilege, typical bucket and key mistakes.
  • Federation and SSO—OAuth/OIDC/SAML flows at the depth needed for review and testing (without that, logical bugs in login chains are hard to catch).
  • CI/CD and artifacts—where secrets appear in pipelines, how leaks land in build logs, why supply-chain checks (signatures, hashes, lockfiles) matter.

This block does not replace classic networks and Linux—it extends them. Mid-level interviews often ask not “name twenty CVEs” but “how do you explain risk from a compromised Kubernetes service account or a broken trust policy between AWS accounts”. If you come from QA, that is good news: you are used to regression and contracts—apply the same habit to configuration and API policy checks.

Learning cloud without burning unlimited budget

You do not need to torch production budgets on day one. Enough:

  1. free tiers and training scenarios with explicit scope;
  2. local emulators and mini-clusters (kind/minikube) for network policies;
  3. reading public postmortems—real chains, not abstract textbook diagrams.

That connects OSINT (what is visible from outside), vulnerability discovery (how it is abused), and operational hygiene (how it is detected and fixed)—a coherent roadmap, not a pile of unrelated videos.

Python, scripting, and APIs: the bridge between security and automation

If you want to outgrow the average “video course” student, Python is not optional. For security plus QA automation you use it to:

  • write proof-of-concept checks and validate vulnerability hypotheses without manual UI clicking;
  • repeatedly drive REST/GraphQL requests and compare responses;
  • parse and normalize OSINT data (JSON/CSV, task queues), build timelines for reports;
  • integrate scanners and ticketing through APIs (REST, sometimes GraphQL);
  • later automate lab provisioning (Terraform/Ansible); until then, Python/bash plus checks in CI are enough.

Minimal practical track

Close these in order (each step = a small repo task):

  • Language basics—syntax, types, files, venv.
  • HTTP clientrequests or httpx: cookies, headers, redirects, typical TLS mistakes.
  • Asyncasyncio at the level of “many requests without pointless threads”.
  • Parsing—HTML/JSON without DDoS-like behavior: backoff, robots.txt, respect for third-party services.

Readiness criterion: you can explain what you tested, with which data, why it matters, and you can repeat it a week later from your own repository.

After the foundation: attack, defense, or applications

Next, the roadmap usually forks into three work logics. Red (including pentest)—you imitate an attacker under contract: find weaknesses and show how you reached them. Blue (including SOC)—you see the attack from the organization side: logs, alerts, investigation, containment. Application Security / API—you dig not into “the whole network” but apps and interfaces: bugs, tokens, OAuth, API contracts. Below is what to invest in per path.

The “attacker” path: pentest and red team

Focus on attack modeling: recon, exploitation, post-exploitation, reporting. You need web and infrastructure testing skills, Active Directory in enterprise context, and the ability to explain business risk—not only “I got a shell”.

The “defender” path: blue team and SOC

Focus on detection: logs, correlation, rules, threat hunting, common TTP literacy. OSINT here often enriches indicators and threat data.

The “applications” path: Application Security and API security

A narrow but hot track: static and dynamic analysis, code review for typical bugs, OAuth/OIDC flow testing, abuse scenarios for public APIs.

Role comparison: where you land after the roadmap

A compact matrix: how directions differ, what to learn first, and typical entry paths.

Simplified role comparison for career planning (2025–2026).
Role / specialization Primary focus Key skills (priority) Typical entry into the field
Pentester / Red Team (junior+) Attack modeling inside agreed scope Linux; TCP/IP and web; reporting; AD and cloud basics Labs, CTF, mentorship, outsourcing / product teams
SOC Analyst Monitoring, triage, and incident investigation Logs; SIEM; network artifacts; malware fundamentals Courses, simulations, certifications like CompTIA Security+ and peers
OSINT specialist Collect, verify, and deliver open-source intelligence Methodology; law and ethics; tooling; client-ready reports Private engagements, investigations, legal B2B intelligence
Application Security / API Security Security of apps, APIs, and data contracts HTTP/TLS; OAuth/OIDC; scripting; checks in CI/CD QA or development background plus deep security focus
GRC / audit Policies, compliance, risk assessment and communication Frameworks (ISO 27001, NIST, and others); written discipline Analytics, management, legal context plus basic technical literacy

Certifications: useful, but not instead of hands-on work

Certificates help pass HR filters, especially at large vendors. Employers still look for reproducible PoCs and business-level risk explanations. A rational strategy:

  • Baseline: a broad survey cert (Security+ and peers)—if you need shared vocabulary for interviews.
  • Pentest: practice exams with labs (OSCP-like formats)—after you already cleared dozens of boxes on legal platforms.
  • Cloud: a dedicated module on AWS/Azure/GCP IAM—in 2026 this is almost mandatory.

Typical self-study mistakes (and how mentorship avoids them)

  1. Video only, no labs—knowledge does not convert to skill; you need daily hands-on.
  2. Random CTF without theory—fun, but not a system; alternate foundation and competitions.
  3. Ignoring APIs and automation—you hit a ceiling on real projects full of orchestrators and CI.
  4. No write-ups—a month later you forget how you solved a task; documentation is part of the job.

Fix it with discipline: every week ends in an artifact (write-up, script, report, request collection), not “I watched/read something”.

Twelve-month outline (skeleton)

  1. Months 1–2: Linux daily, networks (TCP/IP, DNS, HTTP), two simple labs per week.
  2. Months 3–4: Python for requests and parsing; first OSINT cases with an entity map and verification.
  3. Months 5–6: Web weaknesses at OWASP Top 10 depth (understanding, PoC, report).
  4. Months 7–8: API scenarios (OAuth, tokens, rate limits, SSRF logic at application level).
  5. Months 9–10: Specialize—red, blue, or deeper OSINT; one major portfolio project.
  6. Months 11–12: CTF or bug bounty within program rules plus certification or interview prep.

Conclusion: a roadmap is a product, not a poster

In 2026, cybersecurity usually rewards people who combine foundations (Linux, networks, Python), applied OSINT, and API literacy: without that it is hard to hunt vulnerabilities in modern chains or automate investigation routine. Strong cybersecurity learning is not “I collected courses”—it is a calendar: sprints, labs, reports, code in a repository. A good 2025–2026 cybersecurity roadmap is exactly about that.

Separately: the market does not need “term collectors”. It needs people who can reproduce a chain, explain risk to the business, and propose mitigation. Every roadmap stage should end in an artifact—a note, script, mini-report, or data diagram. That is how you see your own progress—and how a recruiter can believe you are ready.

If you cannot show artifacts—you do not have a skill yet, only the feeling that “I studied something”.

A strong next step from here is how security knowledge is applied inside real product ecosystems plus why security testing matters for modern SDET roles.

Similar articles

Want a practical plan for your role?

Message on Telegram. We will align your starting point and build a 4–6 week plan: what to study, which labs to run, and which portfolio artifacts to ship.

Join the Telegram channel