Welcome back everybody!

A while back, we did an issue on training in the cybersecurity space. It’s a topic that’s relevant not just for practitioners looking to level up, but also for employers trying to keep their talent happy and effective. In that last issue, we focused on the biggest training platforms—but the biggest isn’t always the best fit for everyone. Whether you’re bootstrapping a career or trying to skill up a team, sometimes you need more cost-conscious, but still highly effective, options.

So today, I’m pulling a section out of my paid course, Hacking Your Career. The first module is a crash course in skill-building through a bunch of vetted training outfits that I personally think are great. These aren’t sponsored spots—just solid companies offering value for folks on a budget. In the course, I break things down by the three domains of cybersecurity: red, blue, and purple. Then inside each domain, I organize resources by cost: free, cheap, and expensive tiers.

If you’re trying to gain some experience and build real trust in your own abilities—especially without a ton of on-the-job time yet—stacking your resume with free and cheap training is one of the smartest plays you can make.

That’s why today, I’m giving that portion of the class away for free. I think it’s that important. So we’ll be posting the free tier resources for the red and blue domains. Hope you enjoy it—and if it’s helpful, please share it with your friends and colleagues! As always, I do exhaustive research, but I might’ve missed something. If I did, ping me. <3

🌐 Free Red Resources

PentesterLab

Link: https://pentesterlab.com/

PentesterLab is an OG in the red domain training space. They’ve had some of the most polished labs for folks getting into web hacking for a long time now. Even today, their “Web for Pentester” series is still one of the best intros out there for anyone starting in web app assessment and AppSec. The bundled exercises come with a free certificate you can slap on your resume, and Louie and the PentesterLab brand are highly respected in the security community—not just for their solid training, but for giving back through research and talks too.

TryHackMe and HackTheBox

Links: https://tryhackme.com/resources/blog/free_path
Links: https://academy.hackthebox.com/catalogue

We mentioned these two in the last Roundup as they have really taken the training scene by storm in both platforms have free exercises and lessons for all kinds of Security Professionals we won't overly spend a bunch of time here but they also offer certificates for completing exercises and exercise collections. Both of them are highly regarded in the cyber security community and they are also mentioned in my subsequent tier of cheap as well. For try hack me specifically, we've referenced their free path blog which is a fantastic resource to start with on their platform. Hack the box has a different model where when you sign up for a free account you get 60 “cubes”. 60 cubes can buy you a couple of their intro modules! Since I won't repeat them in the next section it also bears to mention that both have several blue team modules that are free as well so check them out!

Portswigger’s WebSecAcademy

Link: https://portswigger.net/web-security/

We actually mentioned this one last week in the LLM resources because of their solid AI modules—but honestly, PortSwigger Web Security Academy has been one of the biggest things to hit AppSec in the last five years. Hands down, they offer the most comprehensive set of challenges out there, completely free. It's quickly becoming the benchmark for up-and-coming AppSec analysts looking to prove they understand the full scope of the field. No certs offered though.

APISec University

Link: https://www.apisecuniversity.com/#courses

API assessment has quickly become one of the most important skill sets to have in modern application testing which is a big part of the red domain. Originally a companion to Corey balls excellent book on API hacking, he launched this companion site with three free trainings on API assessment. Amazing resources and should be taken by any red practitioner.

The OWASP Vulnerable Web Applications Directory Project

Link: https://owasp.org/www-project-vulnerable-web-applications-directory/

The OWASP VWAD project tracks the massive list of intentionally vulnerable application projects that end up on GitHub and elsewhere. You’ve probably seen some of the classics—Juice Shop, WebGoat, DVWA, etc. There’s a whole community of security folks building and sharing these purposely vulnerable apps you can host and hack against. VWAD pulls them all into one place and refreshes the list every six months.

Now, these self-driven labs don’t come with certificates, but they do show potential employers that you can spin up web servers and work with the underlying tech—which is a big plus. Being well-rounded is never a bad thing. So dig into the directory, explore some new tech, solve the labs, blog your journey… and profit.

🌐 Free Blue Resources

Picus Security Academy

Link: https://academy.picussecurity.com/courses

A blue teamer friend who took one of my courses put me onto Picus’s free Security Academy—and it’s a gem. It covers a bunch of blue and purple topics, from intro to intermediate level. Each module is a bite-sized webinar, most are free, they offer CPE credits, and you get certificates too. For topics that blur into purple—like security engineering and threat modeling—these are great adds to your resume. Everyone’s looking for multi-talented hires right now, and this kind of cross-domain knowledge really stands out.

Security Blue Team

Link: https://www.securityblue.team/courses/blue-team-junior-analyst-pathway-bundle

Security Blue Team offers a free Junior Analyst course that clocks in at around 30 hours of solid training on the fundamentals. It covers tools and processes across the domain—things like threat hunting, vuln management, forensics, network analysis, dark web ops, and OSINT. All in all, it’s a pretty solid foundation for anyone looking to break into the blue side.

Splunk Academy

Link: https://www.splunk.com/en_us/training/course-catalog.html?filters=filterGroup1FreeCourses

While there are more options than ever in the SIEM and SOAR world, Splunk is still one of the titans in the space. In a lot of orgs, you’ll find one or two Splunk specialists who are basically irreplaceable—so for candidates looking to join those teams, having Splunk Academy training under your belt is a huge green flag to employers. Splunk offers several free courses on their observability platform and general cybersecurity topics that tie into it.

That said, it doesn’t have to be Splunk. If you’ve got some time between applying and getting an interview date, do a little OSINT on the company. Figure out what tech stack they’re using and see if there are free resources or training out there. Take advantage of whatever you can, and bring it up during the interview. That kind of effort shows initiative—and it stands out.

The Google Cybersecurity Professional Certificate

Link: https://www.coursera.org/google-certificates/cybersecurity-certificate?action=enroll

Google, through Coursera, offers a free six-month, eight-course series on cybersecurity basics—with a certificate at the end. It’s scheduled like a real course, so it keeps you on track, and it’s totally free. It kicks off with foundations, then moves into risk management, network and network security, Linux, vuln management, detection and response, automation, and finally, how all of that ties into a real-world job role. It’s an awesome course—super well-reviewed on Coursera—and definitely worth checking out if you’re building your base.

Class Central Blue Team Courses

Link: https://www.classcentral.com/subject/blue-team?free=true

Class Central has 25 micro-modules focused on the blue and purple domains—all free and many with certificates. A big plus: they lean into open-source tooling, which might be exactly the flavor you're looking for. You’ll find modules on Wazuh, Wireshark, Snort, Suricata, FireEye, Splunk, Autopsy, Security Onion, and more. Definitely check out Hackersploit_’s modules—they’re more structured and class-like. Some of the others are more like one-off conference talks that got turned into quick lessons.

LetsDefend

Link: https://letsdefend.io/

Let’s Defend offers several solid modules for free, including SOC Fundamentals, Phishing Email Analysis, Linux for Blue Team, Detecting Web Attacks, Building a Malware Analysis Lab, and Malware Traffic Analysis with Wireshark. Each of these comes with a certificate, which is a nice bonus. If you're looking to get hands-on with blue team topics, this is a great place to start.

AttackIQ Academy

Link: https://www.academy.attackiq.com/catalog

AttackIQ has over 20 free resources covering a wide range of blue and purple topics. It’s a super valuable spot if you're looking to get into AppSec engineering or security engineering roles. The content dives into areas like threat modeling, MITRE ATT&CK, breach emulation, purple teaming, and more. If you're aiming to level up in those spaces, this is definitely worth checking out.

/ Outro

Alright, that wraps up the first batch of resources in the free category. We’ve got more issues coming soon that’ll cover training in the budget-friendly and higher-tier categories—as well as some cool niche options. Can’t wait to keep sharing stuff that helps you build the skills you need and land the job you want!