Two weeks into a structured cybersecurity learning journey. This is the Week 2 review. Week 1 review and daily posts are on my profile.
What changed between Week 1 and Week 2
Week 1 was about understanding how things work — networking protocols, Linux commands, basic Python. The goal was to build a mental model.
Week 2 was about applying that understanding — studying for a real certification, building tools that do real things, and confronting real evidence of attacks.
The difference is not just in what I learned. It is in what I produced.
Security+ — 7 days of study
I booked the CompTIA Security+ SY0-701 exam for June 9, 2026. Eight weeks to study. I am using Professor Messer's free course on his website.
Seven days in, three domains covered:
Domain 1 — General Security Concepts
The CIA triad is not marketing language. Each component represents a genuinely distinct security property that can fail independently:
- Confidentiality fails in data breaches
- Integrity fails when data is altered without authorization, whether in transit or at rest
- Availability fails during DDoS attacks and ransomware
Authentication (proving identity) and authorization (granting permissions) are separate systems that both need to work correctly. Security+ tests whether you can identify which one is broken in a given scenario.
Domain 2 — Threats, Vulnerabilities, and Mitigations
This is the largest domain at 22% of the exam. Eight malware categories, eight social engineering attack types, vulnerability scanning, penetration testing phases, and threat intelligence.
The malware distinction that appears most on practice tests: a virus requires human action to spread. Worms spread automatically by exploiting vulnerabilities. They have different propagation mechanisms, which means they require different defenses: user awareness and controls on what gets opened or executed against viruses, prompt patching and network segmentation against worms.
Social engineering: pretexting is the one most people underestimate. A convincing scenario and a phone call can bypass technical defenses entirely. Awareness training is the main defense, backed by verification procedures such as calling the requester back on a known number before acting on the request.
Domain 3 — Security Architecture
Zero Trust is the most important concept here. Never trust, always verify: every access request is authenticated and authorized regardless of whether it originates inside or outside the network. It displaced perimeter-based security as the default design assumption once remote work and cloud services made a single network boundary meaningless. Perimeter controls such as firewalls still exist, but as one layer rather than the line of defense.
Three tools built this week
Port Scanner v2 — upgraded with a service name dictionary. Port numbers now display with protocol names. Small change, more useful output.
Password Generator — generates random passwords using Python's string and random libraries. Takes length and count as input. 20 lines. One caveat worth fixing: the random module is a Mersenne Twister, which is fast but not cryptographically secure, and its future output can be predicted from enough observed output. Passwords and tokens should be drawn with the secrets module, which reads from the operating system's CSPRNG.
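As an added example (not the generator described above, and not the author's code), here is the shape a password generator should take once it uses the secrets module. It keeps the same length-and-count interface, adds a minimum-length check and rejection sampling so each password contains every character class, and reports the entropy of the result. The file name in the usage comment is hypothetical.

```python
import math
import secrets
import string
import sys

# Character set: upper, lower, digits and ASCII punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return one password of `length` characters drawn with secrets.choice.

    secrets.choice reads from the OS CSPRNG (os.urandom), so each character is
    unpredictable to an observer. random.choice is backed by a Mersenne Twister
    whose internal state can be reconstructed from roughly 624 consecutive
    outputs, after which every further "random" password is predictable.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: redraw until every character class is present so
        # the output satisfies typical complexity policies. The accepted output
        # is uniform over all passwords that meet the policy.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def generate_passwords(count: int, length: int = 20) -> list[str]:
    """Return `count` independently generated passwords of `length` characters."""
    return [generate_password(length) for _ in range(count)]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Usage: python3 passgen.py LENGTH COUNT   (hypothetical file name)
    length = int(sys.argv[1]) if len(sys.argv) > 1 else 20
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    for pw in generate_passwords(count, length):
        print(pw)
    print(f"# about {entropy_bits(length):.1f} bits of entropy per password")
```

A 20-character password over this 94-symbol alphabet carries about 131 bits of entropy, far beyond what any online or offline guessing attack can cover; the weak point in a generator is never the alphabet size but the randomness source.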
Log Analyzer — this one produced something real. It reads Linux auth.log files and ranks source IP addresses by failed SSH login attempts.
I ran it against /var/log/auth.log on my Kali machine. My system has been running for less than two weeks and already has external IP addresses in the log with multiple failed SSH attempts.
That is a real attack against a real system I own, caught by a tool I wrote.
In a production environment, SIEM tools do this at enterprise scale — parsing millions of log entries from thousands of systems simultaneously and alerting on anomalous patterns. My script does the same thing on a small scale. Understanding it at the code level makes the enterprise tool more intuitive.
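The core of such an analyzer, as an added example rather than the author's script: parse sshd lines from auth.log, count failed password attempts per source address, record which usernames each address tried, and flag the one pattern a SIEM rule would alert on that a plain ranking misses, a successful login from an address that had been failing. The log lines are constructed for this example (RFC 5737 documentation addresses, made-up events), and the file name in the usage comment is hypothetical.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the syslog format rsyslog writes to /var/log/auth.log
# on Debian-based systems. Addresses are documentation ranges; events are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 kali sshd[1412]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:04 kali sshd[1412]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:09 kali sshd[1415]: Invalid user test from 198.51.100.23 port 40110
Mar  3 09:12:09 kali sshd[1415]: Failed password for invalid user test from 198.51.100.23 port 40110 ssh2
Mar  3 09:13:30 kali sshd[1420]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:13:31 kali sshd[1420]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:15:12 kali sshd[1430]: Connection closed by authenticating user root 198.51.100.23 port 40200 [preauth]
Mar  3 09:16:45 kali sshd[1433]: Failed password for kali from 192.168.56.1 port 50130 ssh2
Mar  3 09:16:52 kali sshd[1433]: Accepted password for kali from 192.168.56.1 port 50130 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Anchoring on the sshd token means the timestamp format (BSD or ISO) does not matter.
FAILED_RE = re.compile(
    rf"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from {IP} port \d+")
ACCEPTED_RE = re.compile(
    rf"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from {IP} port \d+")


def analyze(lines):
    """Return (failures per IP, usernames tried per IP, successes from IPs that had failed)."""
    failures = Counter()
    usernames = defaultdict(Counter)
    success_after_failure = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        # Counter returns 0 for unseen keys without inserting them.
        if m and failures[m["ip"]] > 0:
            success_after_failure.append((m["ip"], m["user"], m["method"]))
    return failures, usernames, success_after_failure


def rank(failures, min_attempts=1):
    """IPs sorted by failed attempts, most first; ties broken by address."""
    return sorted(((ip, n) for ip, n in failures.items() if n >= min_attempts),
                  key=lambda kv: (-kv[1], kv[0]))


def report(lines, min_attempts=1):
    """Human-readable ranking plus an ALERT line per success-after-failure event."""
    failures, usernames, suspicious = analyze(lines)
    out = []
    for ip, n in rank(failures, min_attempts):
        tried = ", ".join(u for u, _ in usernames[ip].most_common(3))
        out.append(f"{ip:<16} {n:>5} failed  users tried: {tried}")
    for ip, user, method in suspicious:
        out.append(f"ALERT {ip} succeeded as {user} via {method} after earlier failures")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 loganalyzer.py [/var/log/auth.log]   (hypothetical file name)
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/auth.log"
    with open(path, errors="replace") as fh:
        print(report(fh))
```

Two practical notes. "Failed password" lines undercount attackers who are rejected earlier (wrong username with password authentication disabled, or disconnects at preauth), so a fuller version also counts "Invalid user" and "Connection closed by authenticating user" lines. And on a host where rsyslog is not running, sshd logs only to the journal; `journalctl -u ssh --no-pager` (unit name may be sshd on other distributions) produces lines the same regexes match, since they search for the sshd token rather than a fixed timestamp layout.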
OverTheWire Bandit — levels 8 through 15
Key concepts from this week's levels:
Level 10 — base64 decoding. Base64 is encoding, not encryption. Looks mysterious, decodes instantly. Attackers use it for obfuscation. One command undoes it.
Level 12 — layered compression. A file compressed multiple times using gzip, bzip2, and tar. Had to use the file command after each decompression to identify the next layer. This is how malware analysts unpack obfuscated payloads.
Level 14 — SSH key authentication. A private key file logs you into a server without a password. This is how cloud servers are accessed in production environments. A stolen private key, especially one without a passphrase, is persistent access until the matching public key is removed from authorized_keys on every host that trusts it.
Level 15 — netcat. Raw TCP connections to any host and port. One of the most versatile tools in network security and penetration testing.
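The Level 12 loop above (identify the layer with file, strip it, repeat) written as a script, as an added example and not the author's or OverTheWire's code. It identifies gzip, bzip2 and tar by magic bytes, peels one layer at a time, and adds the two guards a practitioner wants when unpacking untrusted input: a cap on nesting depth and a cap on how large any layer may expand. The nested sample input is constructed inside the script so it runs offline; only these three formats are handled (xz or zip would need additional branches), and that limitation is an assumption of the example.

```python
import bz2
import gzip
import io
import tarfile

MAX_LAYERS = 32               # refuse absurdly deep nesting
MAX_BYTES = 64 * 1024 * 1024  # refuse a layer that expands past 64 MiB (bomb guard)


def identify(blob: bytes) -> str:
    """Identify a blob by magic bytes, as `file` does for these formats."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if len(blob) >= 512 and blob[257:262] == b"ustar":
        return "tar"
    return "data"


def peel_once(blob: bytes) -> tuple[str, bytes]:
    """Remove one layer. Returns (kind, inner bytes); kind == "data" means nothing to peel."""
    kind = identify(blob)
    if kind == "gzip":
        inner = gzip.decompress(blob)
    elif kind == "bzip2":
        inner = bz2.decompress(blob)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError(f"expected exactly one file in tar, found {len(files)}")
            inner = tar.extractfile(files[0]).read()
    else:
        return kind, blob
    if len(inner) > MAX_BYTES:
        raise ValueError("layer expands beyond MAX_BYTES; possible decompression bomb")
    return kind, inner


def unpack_all(blob: bytes) -> tuple[list[str], bytes]:
    """Peel layers until the content is no longer a recognised container."""
    layers: list[str] = []
    for _ in range(MAX_LAYERS):
        kind, inner = peel_once(blob)
        if kind == "data":
            return layers, blob
        layers.append(kind)
        blob = inner
    raise ValueError(f"more than {MAX_LAYERS} layers; refusing to continue")


def build_layered_sample() -> bytes:
    """Constructed test input: plaintext -> gzip -> tar -> bzip2 -> gzip."""
    plaintext = b"example-payload: not a real Bandit password\n"
    step1 = gzip.compress(plaintext)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="data2.bin")
        info.size = len(step1)
        tar.addfile(info, io.BytesIO(step1))
    step2 = buf.getvalue()
    step3 = bz2.compress(step2)
    return gzip.compress(step3)


if __name__ == "__main__":
    layers, payload = unpack_all(build_layered_sample())
    print(" -> ".join(layers), "->", payload.decode())
```

The same structure scales to real samples: read the file into memory, call unpack_all, and log the layer sequence alongside the payload. The size and depth caps matter because a hostile archive can be built to expand by orders of magnitude per layer, and an unpacker without limits becomes the denial-of-service.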
Resume drafted
First draft complete. No cybersecurity job experience. Instead: technical skills section with 12 tools and concepts, three Python security tools with GitHub links and documentation, Security+ exam date, and 14 days of public learning documentation.
The goal is that a recruiter who spends 30 seconds on the resume and then 2 minutes on GitHub has enough verifiable evidence to decide this candidate is worth interviewing.
Week 3 starts
Security+ Domains 4 and 5 — Security Operations and Security Program Management and Oversight — are 48% of the exam combined. Domain 4 alone is 28%. This is where incident response, threat intelligence, SIEM, and vulnerability management live. It is the most relevant domain for a SOC analyst role.
First job applications are being sent this week. Resume is ready. Security+ is listed as in progress with an exam date.
Everything is public. Two GitHub repositories and blog posts are linked on my profile.