You Don’t Need Money to Learn Cybersecurity — Start Free in 2026

How to Learn Cybersecurity for Free in 2026 — Complete Self-Study Roadmap for Beginners (India & Global)

I am an MCA student in Kerala. I did not come from a computer science background before I started. I had a basic laptop, a decent internet connection, and no money for paid courses. Everything I know about cybersecurity — API security, ethical hacking, web vulnerabilities, penetration testing concepts — I learned using free resources. This blog is the result of that.

I am telling you this because I want to be direct: you do not need to pay for expensive courses to learn cybersecurity in 2026. The free resources available today are genuinely excellent — better than most paid courses from five years ago. What you need is a structured roadmap that tells you what to learn in what order, which free platforms to use, and what to build to prove your skills to employers.

That is exactly what this guide provides. A complete, honest, free-first cybersecurity learning roadmap for 2026 — built for Indian students, freshers, and career changers globally. No hidden paid requirements, no affiliate recommendations, just the actual path.

Before you start: Cybersecurity has a severe skills shortage globally — 4.8 million unfilled jobs in 2026. India is emerging as a global cybersecurity talent hub with 30-35% annual job growth. The demand is real and employers are actively hiring people with demonstrated practical skills, regardless of degree or prior experience. The path is achievable. What it requires is consistency over time, not money.
Quick Navigation:
  1. What you need before you start — honest prerequisites
  2. The 5-phase free learning roadmap — beginner to job-ready
  3. Every free platform reviewed honestly — TryHackMe, PortSwigger, and more
  4. Free certifications that employers actually recognise
  5. Building a portfolio with no money
  6. The 6-month self-study plan — week by week
  7. How to get your first cybersecurity job from India

What You Need Before You Start — Honest Prerequisites

You do not need to know programming to start learning cybersecurity. You do not need a computer science degree. You do not need an expensive laptop. What you genuinely need:

  • Basic computer literacy: Comfortable using a computer, installing software, navigating file systems. If you can browse the internet and install applications, you have enough.
  • Willingness to learn Linux basics: Almost all security tools run on Linux. You don't need to be a Linux expert before starting — TryHackMe teaches you as you go — but knowing basic terminal commands is important early in the journey. (Free: Linux Basics for Hackers textbook is available legally free as PDF from No Starch Press.)
  • Consistent time: 1-2 hours per day, 5-6 days per week. Cybersecurity is a skill built through practice, not a subject memorised through reading. The platforms below are practice-based — you are solving real problems in labs, not watching lectures.
  • A device that can run a browser: TryHackMe and PortSwigger both run entirely in-browser — no powerful hardware required. For later-stage labs you will want to run Kali Linux in a virtual machine (free), which works on most laptops made after 2015.

That is genuinely the full list. Let's begin.

Every Free Platform — Reviewed Honestly

🟦

TryHackMe

Free Tier | Beginner | Intermediate

What it is: Browser-based guided cybersecurity labs with gamification. You earn points, progress through learning paths, and complete challenges in virtual machines that run entirely in your browser. No setup required.

Free vs paid: The free tier gives you access to a large portion of rooms (labs). The paid tier ($14/month) removes the daily free machine time limit and unlocks more content. Start free. Only pay if you are consistently hitting the time limit.

What to do on TryHackMe: Start with the "Pre-Security" path (completely free — networking basics, web fundamentals, Linux basics). Then move to the "Jr Penetration Tester" path. Complete the "OWASP Top 10" room — it directly covers the vulnerabilities detailed in the OWASP guide on this blog.

Best for: Complete beginners. The most beginner-friendly platform available in 2026.
🟧

PortSwigger Web Security Academy

100% Free | Beginner | Intermediate

What it is: The best free resource for web application security — bar none. Created by the company behind Burp Suite. Covers every OWASP Top 10 vulnerability with guided theory explanations and hands-on labs you solve in a real application. Everything is free, no limits.

What to do: Complete the learning paths in order: Server-Side Topics (SQL injection, authentication, path traversal) then Client-Side Topics (XSS, CSRF) then Advanced Topics. The labs range from Apprentice (beginner) to Expert. Start at Apprentice and work upward. Each lab you solve teaches you more than any lecture could. See how PortSwigger fits into a pentesting career.

Honest assessment: This is arguably the single most valuable free cybersecurity learning resource in existence. If you spend 3-4 months completing PortSwigger's full curriculum, you have a deeper understanding of web application security than most entry-level professionals.

Best for: Web application security, API security, penetration testing. Essential for bug bounty hunting.

HackTheBox (HTB)

Free Tier | Intermediate

What it is: Real penetration testing challenge machines that you root (gain administrator access to) using actual hacking techniques. Less guided than TryHackMe — you are given a machine and must figure out how to compromise it yourself. Also has HTB Academy (more structured, partially free) for learning specific topics.

Free vs paid: Active machines require a VIP subscription. Retired machines (large library) are accessible free with some limitations. HTB Academy has a significant free curriculum.

Best for: Intermediate-to-advanced learners after completing TryHackMe. The closest experience to real penetration testing available for free.
🔵

Google Cybersecurity Certificate (Coursera)

Free (Audit) | Beginner | Certificate Available

What it is: Google's official cybersecurity professional certificate on Coursera. Covers networking, Linux, SQL, cybersecurity tools, and SIEM basics. Designed for complete beginners. Coursera allows you to audit most courses for free (no certificate) — the certificate costs approximately $50-200.

Honest assessment: Good for building foundational knowledge and understanding how security operations work. Not a substitute for hands-on lab practice on TryHackMe/PortSwigger. The certificate is recognised by employers, but demonstrated practical skills (HTB profile, PortSwigger labs, bug bounties) are more compelling. Use it alongside lab practice, not instead of it. Apply for financial aid on Coursera if cost is a barrier — it is genuinely free for those who qualify.

Best for: Structured beginners who want a curriculum they can follow linearly. Good complement to TryHackMe.
🟩

SANS Cyber Aces / CyberStart

Free | Beginner

What it is: SANS Institute (one of the world's leading cybersecurity training organisations) offers Cyber Aces as a free introductory curriculum covering operating systems, networking, and system administration basics. CyberStart (cyberstartamerica.com / cyberstart.com) offers free cybersecurity game-based challenges for beginners.

Best for: Absolute beginners wanting a reputable introduction. Good supplement to TryHackMe.
🐛

HackerOne, Bugcrowd — Bug Bounty Programmes

Free to Participate | Intermediate

What it is: Real-world vulnerability disclosure programmes where companies pay security researchers for finding and responsibly reporting bugs. Legal, authorised hacking on real targets. The best way to build a portfolio that employers and clients take seriously — a paid bug bounty submission is objective proof of practical skill.

When to start: After completing PortSwigger Web Security Academy's Apprentice labs. Start with programmes that have "Easy" ratings and wide scopes. The bug bounty beginner guide covers how to approach your first programme.

Best for: Portfolio building and income generation after developing foundational web security skills.

The 5-Phase Free Learning Roadmap — Beginner to Job-Ready

Phase 1 — Foundations

Weeks 1-4

Build the mental models you need before touching any hacking tools. Skipping this phase creates gaps that slow you down later.

  • Networking basics: How TCP/IP works, DNS, HTTP/HTTPS, ports and protocols. TryHackMe "Pre-Security" path covers this with labs. Understanding how data moves across networks is the foundation of understanding how it can be intercepted or exploited.
  • Linux fundamentals: Terminal navigation, file permissions, process management, text manipulation (grep, sed, awk). TryHackMe's Linux Fundamentals rooms (3 parts, all free). This is non-negotiable — almost every security tool runs on Linux.
  • Web technology basics: How HTTP requests and responses work, what cookies and sessions are, how web applications are structured. PortSwigger's "How the Web Works" section (free). You cannot hack what you don't understand.
  • Read this blog: The What is Cybersecurity guide, What is Malware, and How Hackers Find Vulnerabilities give you the strategic context for everything practical you will do.

Phase 2 — Web Application Security

Weeks 5-12

Web application security is the highest-demand, most accessible specialisation for beginners. All the tools run in your browser — no expensive hardware needed.

  • PortSwigger Web Security Academy — Server-Side Topics: SQL Injection, Authentication, Path Traversal, Command Injection, Business Logic Vulnerabilities, Information Disclosure, Access Control. Complete the Apprentice labs for every topic before moving to Practitioner level. Aim for 2-3 completed labs per day.
  • Install Burp Suite Community Edition (free): PortSwigger's web interception proxy. Learn to intercept and modify HTTP requests. This is the core tool for web penetration testing.
  • Read: OWASP Top 10 guide, XSS guide, CSRF guide, SQL Injection guide alongside the PortSwigger labs. Reading the concept and then immediately practising in a lab is the fastest learning method.
  • TryHackMe "OWASP Top 10" room: Complements PortSwigger with a different lab environment and additional context.

Phase 3 — Network Security and Enumeration

Weeks 13-18

Expand from web applications to network-level attack and defence. This is essential for penetration testing and SOC analyst roles.

  • Nmap mastery: Port scanning, service version detection, OS fingerprinting. TryHackMe "Nmap" room. Nmap is used in virtually every penetration test engagement.
  • TryHackMe "Jr Penetration Tester" path: Covers the full pentesting methodology — reconnaissance, scanning, exploitation, post-exploitation — through guided labs on realistic targets.
  • Metasploit basics: Understanding the exploitation framework. TryHackMe "Metasploit" room. Learn how to use existing exploits, not just understand they exist.
  • Read: Penetration Testing guide — covers the professional methodology and tools used in real engagements.
  • Practice platform progression: Start attempting retired HackTheBox machines. Read writeups (legally published after machines retire) to learn approaches you didn't think of.

Phase 4 — Specialisation and Portfolio Building

Weeks 19-22

Choose a primary specialisation based on your interests and job market demand. Build evidence of your skills through public, verifiable work.

  • Choose a specialisation: Web/API security (highest demand, most accessible — continue PortSwigger Practitioner level), cloud security (cloud security guide + AWS free tier labs), or SOC/Blue Team (TryHackMe "SOC Level 1" path).
  • Start CTF participation: Capture the Flag competitions are public competitions where you solve security challenges. ctftime.org lists all upcoming CTFs. Beginners should target CTFs rated "easy" and join as team members before solo competing. CTF writeups on your blog or GitHub are compelling portfolio items.
  • Start bug bounty hunting: Begin with HackerOne or Bugcrowd programmes rated "Easy." Even if you don't find a paid bug immediately, the attempt process builds skills and shows employers you are practising on real targets. See the bug bounty beginners guide.
  • Build your GitHub: Document your lab work, CTF writeups, and any tools you build. Employers look at GitHub profiles for evidence of what you actually know.

Phase 5 — Certification and Job Applications

Weeks 23-26

Certifications validate your skills to employers who cannot evaluate your GitHub portfolio. Target the right certificate for where you are.

  • First certification target: CompTIA Security+ (covers broad fundamentals, widely required in job descriptions) OR ISC2 CC (free exam for limited period, internationally recognised beginner cert) OR eJPT (hands-on practical exam, affordable). See certificate guide below.
  • Apply for entry-level roles: SOC Analyst Level 1, Junior Penetration Tester, Security Analyst, IT Security Associate. Your application package: GitHub profile with documented work + TryHackMe profile showing completed paths + certification + a brief portfolio writeup of your best work.
  • Consider OSCP if aiming for pentesting careers: The Offensive Security Certified Professional is the gold standard for technical penetration testers. It is not free (~$1,499) but the 90-day lab access plus exam is the most valuable investment you can make after building a foundation. Many companies will reimburse this cost after hiring. Some Indian employers value OSCP over degrees for pentesting roles.

Free and Low-Cost Certifications That Employers Recognise

  • [Free (Limited Time)] ISC2 CC — Certified in Cybersecurity: ISC2 (CISSP organisation) offered their entry-level CC certification exam free for a significant period. Check their current status — even at low cost, this is a globally recognised beginner cert from the world's most prestigious security certification body.
  • [Free] Google Cybersecurity Certificate: Audit free on Coursera. Certificate (~$200) is employer-recognised, especially for SOC and IT security roles. Apply for financial aid on Coursera for free certificate access if you qualify.
  • [Low Cost (~$200)] eJPT — eLearnSecurity Junior Pentester: Hands-on practical exam — you hack a network, not answer multiple choice. Highly respected for demonstrating real skill. Best first pentesting-specific certification. Good OSCP stepping stone.
  • [Low-Mid Cost (~$370)] CompTIA Security+: Widely required in job descriptions, especially in IT security roles. Theory-heavy but covers broad fundamentals. Commonly listed as minimum requirement for entry-level security positions globally including India's MNC sector.
  • CEH — Certified Ethical Hacker: EC-Council certification. Updated for 2026 with AI security modules. Globally recognised, particularly strong in India's corporate sector. Some criticism of being theory-heavy, but employer recognition is solid for entry-level roles.
  • OSCP — Offensive Security Certified Professional: 24-hour hands-on exam. The most respected technical penetration testing certification. Not for beginners — attempt after Phase 4 above. Companies pay a premium for OSCP-certified pentesters.

Building a Portfolio With No Money

What Goes Into a Compelling Free Portfolio

Employers cannot verify your claimed experience — they can verify your public work. Every item below is free to create and publicly visible:

  • TryHackMe public profile: Your completed rooms, badges, and progress are visible. A profile showing "Jr Penetration Tester" path completed is meaningful evidence to a hiring manager.
  • CTF writeups on GitHub: After any CTF competition, write up how you solved the challenges. Include the approach, tools used, and what you learned. This demonstrates analytical thinking and communication skills — both valued in security roles.
  • PortSwigger lab completion screenshots: Document your progress through PortSwigger's curriculum. A GitHub repo with screenshots of completed Practitioner labs is evidence of web security skill.
  • Bug bounty submissions: Even a Hall of Fame mention (awarded for valid but low-severity findings) is public evidence that you found a real vulnerability in a real application. This is objectively more valuable than any certificate for demonstrating practical skill.
  • A security blog or writeups: Document what you are learning. Explain security concepts in your own words. This blog you are reading right now is my portfolio — it demonstrates knowledge of security concepts far more convincingly than a certificate alone.
  • Tools or scripts on GitHub: Even simple Python scripts that automate a security task (a port scanner, a basic fuzzer, an OSINT tool) demonstrate you can code and apply security knowledge programmatically. The Python API security testing guide has code you can start from.

Getting Your First Cybersecurity Job from India

The Indian cybersecurity job market in 2026 is growing 30-35% annually. Cities with the highest demand: Bengaluru, Hyderabad, Mumbai, Chennai, Pune. Remote roles with Indian employers and global MNCs are common. What Indian employers hire for:

  • SOC Analyst (most entry-level positions): Monitor security alerts, investigate incidents, use SIEM tools. Requires: networking basics, SIEM awareness (Splunk free training available), and a Security+ level foundation. Salary range: ₹3-8 LPA for entry level.
  • Junior Penetration Tester: Web application and network security testing. Requires: demonstrated hands-on skill (PortSwigger labs, HTB, eJPT or higher cert). Salary range: ₹5-12 LPA entry level. OSCP significantly increases offers.
  • Security Analyst: Vulnerability management, compliance, security monitoring. Requires: understanding of frameworks (ISO 27001, NIST), tools exposure, and communication skills. Salary range: ₹4-10 LPA.

Application strategy: Apply for 20-30 positions rather than carefully selecting 5. Entry-level cybersecurity hiring is imperfect — hiring managers vary widely in what they value. Your LinkedIn profile should prominently feature your TryHackMe profile link, GitHub link, and any certifications. In the experience section, list your labs and CTF participation as "Security Research / Lab Practice." It is real experience — it just happened in legal practice environments.

About the Author

Amardeep Maroli

MCA student from Kerala, India. I learned cybersecurity using the free resources described in this guide. TechWithAmardeep is both my learning journal and my portfolio — everything on this blog was built using the same roadmap above.

Free Cybersecurity Learning FAQs

How long does it take to learn cybersecurity enough to get a job?
With consistent daily practice (1-2 hours/day) following the roadmap above, most people reach entry-level employability in 6-12 months. "Entry-level employability" means: completing TryHackMe's Jr Penetration Tester path, completing PortSwigger's Apprentice labs, holding one certification (Security+, eJPT, or ISC2 CC), and having a documented GitHub portfolio. Some people move faster (especially those with prior IT or programming experience), some slower — the variable is consistency, not intelligence. The 6-month timeline assumes you are starting from basics. Someone with networking or programming experience might reach that milestone in 3-4 months.
Is TryHackMe or HackTheBox better for beginners?
TryHackMe is significantly better for complete beginners. It provides guided learning paths, explains concepts as you go, and the labs are structured to teach skills progressively. HackTheBox assumes you already have foundational skills and drops you into challenges with minimal guidance. The recommended progression: start TryHackMe, complete the Pre-Security and Jr Penetration Tester paths, then transition to HackTheBox for more challenging, realistic targets. Using HackTheBox before TryHackMe is like trying to run before you can walk — you will get frustrated and quit, which many beginners unfortunately do.
Do I need to know Python to learn cybersecurity?
You do not need Python to start, but learning basic Python significantly accelerates your progress and opens career paths. Python is used for: writing custom security tools, automating repetitive tasks, analysing data, and most importantly — understanding how to read and modify the scripts you find in security resources. The minimum Python for cybersecurity: variables, functions, loops, conditional statements, reading and writing files, and making HTTP requests (the requests library). This is approximately 30-40 hours of learning (Automate the Boring Stuff with Python is free online and covers everything you need). Many CTF challenges and bug bounty automation tasks become much easier with even basic Python. The blog's Python API security testing guide shows practical security applications.
Is practicing on TryHackMe and HackTheBox legal?
Yes — both platforms provide dedicated environments where you are explicitly authorised to attack the provided machines. This is legal and fully ethical. The machines are isolated virtual environments running specifically for you to practice on. The legal and ethical line is clear: you may only use hacking techniques on systems you own, systems you have explicit written permission to test (real penetration testing engagements), or practice environments specifically designed for this purpose (TryHackMe, HackTheBox, DVWA running locally). Testing on any other system without explicit written authorisation — regardless of how it is framed — is illegal under the Indian IT Act 2000 and equivalent laws worldwide. Never test on real systems without authorisation. Practice environments exist precisely so you never need to.
What is the difference between CompTIA Security+ and CEH for Indian job seekers?
Both are widely recognised in India's cybersecurity job market, but they serve different purposes. CompTIA Security+ is a broad foundational certification covering network security, cryptography, identity management, and security operations. It is commonly listed as a minimum requirement in Indian IT company job descriptions, especially for SOC and security analyst roles. It is exam-only (no lab requirement). CEH (Certified Ethical Hacker) from EC-Council is more focused on offensive security and ethical hacking techniques. It is well-recognised in India's corporate sector and has been updated for 2026 with cloud and AI security modules. It is more expensive than Security+ but commands a slight premium in offensive security roles. For pure job-search value in India: Security+ is the most universally required. For pentesting-specific roles: CEH or eJPT is more relevant. If budget is limited, do eJPT (cheaper, more practical, demonstrates actual skill) over CEH.
Found this useful? Share it with every student or career-changer who has been told they need to spend money they don't have on expensive courses. The free resources are genuinely better.

Where are you in this roadmap? What's the hardest concept you've encountered so far? Share in the comments — I answer everything.