Comparison of foreign and domestic sites for white hat hackers by complexity

ethical hackers (and not only for them, actually). In this article I will explain where and what exactly you can learn.

Disclaimer

Before starting, I want to emphasize that this assessment of the platforms is entirely subjective, since I rely mainly on my own learning experience and that of my colleagues. Each platform is good in its own way; the choice is yours.

TryHackMe – ideal for a beginner

In my view, you can safely start your path into information security on this site, since it has a lot of free material. The platform offers learning paths (in effect courses, each made up of a large number of theory modules and labs) that help the student understand what information security is in general and introduce the individual professions in the field, listing the tasks and required skills for each of them (for example, this one). Those who already have an idea of what information security is and who does what in it, but need specific theoretical knowledge and practical skills, will like the following paths:

TryHackMe | Web Fundamentals Training

A fairly easy course on web vulnerabilities, consisting of 3 main parts. The 1st part covers the theory of how web applications work (after all, before breaking something, it is better to understand how it works); the 2nd part introduces students to the main web vulnerabilities, the reasons they occur and methods of protection; the 3rd part teaches how to work with the basic tools for finding and exploiting web vulnerabilities.

TryHackMe | Cyber Defense Training

In this course you will encounter such activities as “threat and vulnerability management”, security monitoring, incident response, forensics, malware analysis and reverse engineering.

TryHackMe | SOC Level 1 Training

A path that, as the name implies, introduces students to the profession of level 1 SOC analyst or SOC engineer (in fact, it contains much more interesting and necessary information, useful for the next levels too). What is a kill chain? Where do the logs live? Everything can be found here.

It is worth noting that some modules in these courses are paid. On the platform itself you can buy a subscription ($14 per month when paying monthly, or $10.50 per month when paying annually), but you can only pay with a foreign card. The second option is to go through only the free modules and look up the paid topics yourself; sometimes this even helps you learn the material better.

Of course, the platform also has machines of different difficulty levels to hack, files and traffic to analyze, tasks on cryptography and steganography, and much, much more.

What beginners will like about the platform is its step-by-step “rooms”, where the student is not left to fend for themselves from the very beginning. Instead, leading questions (how many ports are open, which one serves a particular service on the machine, what version it is, etc.) guide the student toward solving the task and are then assembled into a full-fledged hacking chain.

Returning to the assessment, I want to say that getting into information security by studying on this platform is quite easy. If you build the right training route for your goals, THM alone can give you enough knowledge even for a job offer. But I think it's worth looking at other options.

HackTheBox – the next step

If you know what it means to “solve machines,” then you definitely know HackTheBox, because it is the world’s largest information security platform. I won’t dwell on its training concept; it is similar to THM and other platforms. Here too there are machines of different levels, theory, real-life hacking scenarios, etc. If you are a beginner, starting your journey with HTB is a rather difficult option, since, in my opinion, the average difficulty of a task from any category on THM is lower than the average difficulty of a task on HTB, which makes the transition from the first site to the second a logical step in training.

If you choose the hardcore route, I highly recommend visiting the Academy, which collects a lot of content useful to a specialist at any level. For a rather modest price (for students, 7 euros/month) you get access to tier-1 and tier-2 modules (i.e., easy and medium difficulty). For completing them you receive the internal currency, cubes, with which you can purchase additional modules of any tier, and since their number is practically endless, you could probably live on this platform.

Another interesting category at the academy is certificates. Currently there are 4 types of certificates on the site:

● Certified Penetration Testing Specialist (CPTS)

● Certified Bug Bounty Hunter (CBBH)

● Certified Defensive Security Analyst (CDSA)

● Certified Web Exploitation Expert (CWEE)

Essentially, everything here is like on THM: you can enroll in a course, go through the modules step by step and solve the labs, and at the end you will be asked to take an exam, the results of which will give you (hopefully) a fairly serious certificate (not OSCP, but also not bad). And I know how much you sometimes want to add a couple of “important pieces of paper” to your resume.

The machines on HTB also vary in level: some can be completed in 15 minutes, others take days, all as usual. In the early stages it is quite useful to read write-ups for machines (just not for the ones you are currently working on; it is still better to solve those without them), but watching them is more interesting. The YouTuber IppSec helps a lot with this; he has been making walkthroughs of various interesting machines on YouTube for a very long time, and as something to watch while eating, they go down great.

Summarizing all of the above, in my opinion, the site is more complex than THM, but no worse than the first, and in some aspects even better. This is proven by the large number of partners the company has, the volume of material that is given to students and the complexity of the machines in the academy and laboratory.

Want to get into WEB? Head to PortSwigger Academy

The largest “board”, packed with information about web attacks and ways to find and exploit web application vulnerabilities, is PortSwigger Academy. The creators of Burp Suite did their best here too; they included almost everything a web specialist needs: tasks from the “Beginner” level to the “Expert” level, a lot of theory, and a lot of useful and necessary things for WEB pentesters and bounty hunters. Thanks to their labs, you will learn to use Burp at the highest level, which is also a big plus.

If you decide to become a penetration testing guru of WEB applications, then this academy will be of great help. On this platform, you can learn from scratch how to find and exploit WEB vulnerabilities, understand the reasons for their occurrence and, in general, their nature.

When manually testing and searching for vulnerabilities, I advise you to additionally use third-party manuals like HackTricks, because the labs can get ahead of the theory.

Codeby Games

One of the domestic sites that I can recommend is Codeby Games. But it is only a game format, since for educational purposes the company releases separate paid courses in the academy on its website. The only free thing they offer is a course on web application security analysis.

Returning to the site, I can say that in the “game” you can find tasks for almost every taste:

● OSINT

● PWN

● WEB

● Steganography

● Cryptography

● Forensics

● Reverse

● Mixed tasks

● New – Active Directory tasks

New students should not treat the “games” as a platform for learning; there is an academy for that. If you have the means to pay for a course, want to learn the basics of information security from scratch, and want it all in Russian, then the course “Introduction to Information Security” is suitable for you.

The “games” are created for entertainment or for sharpening existing skills and knowledge. In short, they suit skilled players rather than beginners, although you can find quite interesting tasks here that do not require technical knowledge; at the very least you will find a couple of tasks you can solve as long as you are not banned from Google.

Standoff365 – preparation for the main cyber battle

TheStandoff13 wrapped up quite recently; there the red teams competed on the number of unacceptable events they implemented in virtual states, and the blue teams competed in finding and investigating incidents. But where do new teams train if they have no previous experience of taking part in the Positive Technologies cyber range? That is Standoff365, a year-round, 24-hour cyber range for pentesters and defenders. I can say right away that it is not at all for beginners: its virtual infrastructure is designed around real attack vectors, current CVEs and real business risks that experienced hackers must carry out. At the initial stage of training, you may get lost in the number of machines and accounts involved in implementing the unacceptable events, and you also need to gain access to them.

However, if we include the site in the list “for training,” then, in my opinion, it is the most “difficult” site in terms of tasks, since the path to implementing any of the risks is very long and unclear. If on HTB you typically need to solve 1 complex machine, get 2 flags and leave with peace of mind, then on the PT range you have to solve 3-4 machines in parallel, and the amount of knowledge you need for this is enormous. In the first stages of training, you can earn yourself additional points; they are awarded not for implementing an unacceptable event, but for finding web vulnerabilities, escalating privileges on a machine, etc., which is also a good result.

Such events and platforms encourage us to further develop and explore new directions in information science, grow and enjoy every achievement.
I hope I helped you with choosing a site and gave you a little motivation for self-improvement! Also, if you use any similar resources for learning and can recommend them, tell us about them in the comments.
