Cybersecurity Encyclopedia Guidebooks

Cybersecurity Encyclopedia is a Learn-section guidebook shelf for calm, defensive cyber education. The guides use toy examples, checklists, evidence questions, and official reference links instead of exploit instructions or operational offensive procedures.

For quick practice between guides, use the Cybersecurity Encyclopedia game track . It turns defender thinking, telemetry, identity, ransomware, AI security, incident response, and control mapping into short checks.

Tools and diagnostics

• Attack Path Sketcher for static defensive path-mapping practice.
• Alert Triage Helper for severity, confidence, and next-evidence notes.
• Ransomware Readiness Scorecard for recovery-preparation review.
• Cloud Exposure Prioritizer for reachability, privilege, data, and logging questions.
• Evidence Note Builder for separating observations, decisions, and unknowns.
• Security Control Crosswalk for plain-language NIST, CIS, and ATT&CK-style mapping.

Full path

• Cyber Defense Quickstart: Think Like a Defender - Start Here: Defender Thinking; Beginner; assets, risk, evidence, and calm prioritization.
• What an Attack Path Is - Start Here: Defender Thinking; Beginner; how defenders model routes through systems.
• Assets, Identities, Exposures, and Controls - Start Here: Defender Thinking; Beginner; the four-part mental model for defense.
• Evidence-First Triage - Start Here: Defender Thinking; Beginner; replacing panic with observable facts.
• Security Alerts Without Panic - Start Here: Defender Thinking; Beginner; reading alerts, avoiding false certainty, deciding next steps.
• Known-Good Baselines - Start Here: Defender Thinking; Intermediate; normal behavior, drift, and anomaly context.
• Risk Scores, Severity, and Confidence - Start Here: Defender Thinking; Intermediate; separating urgency, impact, likelihood, and evidence confidence.
• Safe Cyber Learning Boundaries - Start Here: Defender Thinking; Beginner; defensive education, legal boundaries, and toy examples.
• Processes, Parents, and Command Lines - Endpoint Telemetry; Intermediate; process trees, parent-child relationships, command-line context.
• Suspicious Process Indicators - Endpoint Telemetry; Intermediate; unusual names, locations, privilege, ancestry, and behavior.
• Network Connections: Ports, Protocols, and Remote Hosts - Endpoint Telemetry; Intermediate; how defenders reason about endpoint network connections.
• Logs: What to Keep and Why - Endpoint Telemetry; Beginner; audit logs, service logs, authentication logs, and retention basics.
• File Entropy and Mass-Encryption Clues - Endpoint Telemetry; Advanced; ransomware-like file behavior and false positives.
• YARA Matches Without Panic - Endpoint Telemetry; Intermediate; signature matches, context, confidence, and next steps.
• Memory Injection Concepts for Defenders - Endpoint Telemetry; Advanced; RWX memory, unbacked executable regions, and cautious interpretation.
• Rootkits and Kernel-Level Signals - Endpoint Telemetry; Advanced; hidden processes, kernel tampering concepts, and trustworthy evidence.
• eBPF for Defenders - Endpoint Telemetry; Advanced; what eBPF can observe, why it matters, and how to reason safely.
• USB, DMA, and Peripheral Risk - Endpoint Telemetry; Intermediate; new devices, DMA capability, IOMMU protection, and policy basics.
• IAM Roles and Least Privilege - Cloud, Identity, and Exposure; Beginner; identity permissions, role scope, and privilege reduction.
• MFA, Passkeys, and Recovery Paths - Cloud, Identity, and Exposure; Beginner; strong login controls and account recovery risk.
• Email Authentication Signals - Cloud, Identity, and Exposure; Intermediate; SPF, DKIM, DMARC, alignment, forwarding caveats, and investigation context.
• OAuth Consent and SaaS App Risk - Cloud, Identity, and Exposure; Intermediate; app consent, scopes, shadow SaaS, and review habits.
• Browser Extensions and Session Risk - Cloud, Identity, and Exposure; Intermediate; extension permissions, session tokens, profiles, consent, and data exposure.
• SaaS Admin Change Logging - Cloud, Identity, and Exposure; Intermediate; admin changes, role edits, app integrations, sharing changes, and audit retention.
• Cloud Public Exposure Mapping - Cloud, Identity, and Exposure; Intermediate; internet-facing assets, admin surfaces, and compensating controls.
• Storage Bucket Mistakes - Cloud, Identity, and Exposure; Beginner; public access, sensitive data, logging, and least privilege.
• Container Image Trust - Cloud, Identity, and Exposure; Intermediate; image digests, registries, signatures, and provenance.
• SBOMs, Signatures, and Attestations - Cloud, Identity, and Exposure; Intermediate; software supply-chain evidence.
• Service Accounts and Secrets - Cloud, Identity, and Exposure; Intermediate; non-human identities, secret rotation, and blast radius.
• Initial Access Without Drama - Attack Paths and Breach Stories; Beginner; common entry categories explained defensively.
• Phishing and BEC Triage - Attack Paths and Breach Stories; Beginner; suspicious messages, sender context, approval pressure, and escalation evidence.
• Exploited Public-Facing Apps - Attack Paths and Breach Stories; Intermediate; exposure, patching, compensating controls, and detection context.
• Patch Prioritization and Exposure Windows - Attack Paths and Breach Stories; Intermediate; exposure, exploitability signals, asset importance, compensating controls, and timing.
• External Remote Services - Attack Paths and Breach Stories; Intermediate; VPN, RDP-like concepts, admin portals, and access hardening.
• Valid Accounts - Attack Paths and Breach Stories; Intermediate; why legitimate credentials complicate detection.
• Lateral Movement Signals - Attack Paths and Breach Stories; Advanced; suspicious authentication, remote execution concepts, and graph thinking.
• Network Segmentation and Flat Networks - Attack Paths and Breach Stories; Intermediate; flat networks, trust zones, allowed paths, and blast-radius reduction.
• Privilege Escalation Signals - Attack Paths and Breach Stories; Advanced; new admin rights, suspicious services, token/permission changes conceptually.
• Command-and-Control Concepts - Attack Paths and Breach Stories; Advanced; beaconing, remote control patterns, and network evidence.
• Exfiltration Paths - Attack Paths and Breach Stories; Intermediate; unusual data movement, cloud storage, compression, and egress review.
• Impact and Blast Radius - Attack Paths and Breach Stories; Beginner; estimating affected systems, data, identities, and business functions.
• Ransomware Timeline - Ransomware and Recovery; Beginner; typical defensive timeline from first clue to recovery.
• Backup Design for Recovery - Ransomware and Recovery; Beginner; offline/immutable backups, restore objectives, and tests.
• Detecting Encryption Behavior - Ransomware and Recovery; Advanced; file entropy, extension changes, high write rates, and process context.
• Containment Decision Trees - Ransomware and Recovery; Intermediate; isolate, preserve evidence, communicate, and avoid accidental damage.
• Restore Drills - Ransomware and Recovery; Beginner; proving recovery before an emergency.
• Shadow AI Data Leaks - AI-Era Cyber Defense; Beginner; unsanctioned tools, sensitive input, and governance.
• AI-Assisted Vulnerability Pressure - AI-Era Cyber Defense; Intermediate; why patch prioritization and exposure management matter more now.
• Agentic Attack Paths - AI-Era Cyber Defense; Advanced; agents, tool permissions, identity boundaries, and monitoring.
• Prompt Injection for Defenders - AI-Era Cyber Defense; Intermediate; defensive awareness, data boundaries, and safe examples only.
• Secure AI Tool Intake - AI-Era Cyber Defense; Beginner; vendor review, data handling, logging, and access controls.
• Incident Timeline Building - Triage and Incident Response; Intermediate; events, entities, timestamps, confidence, and narrative clarity.
• Evidence Notes and Chain of Custody - Triage and Incident Response; Intermediate; preserving observations, decisions, screenshots, hashes, and handoffs.
• Response Actions and Approvals - Triage and Incident Response; Intermediate; approvals, roles, reversible actions, and auditability.
• After-Action Reviews - Triage and Incident Response; Beginner; learning without blame and turning incidents into controls.
• Mapping Controls to NIST, CIS, and ATT&CK - Open Security Engineering; Intermediate; using trusted frameworks without pretending to be certified.
• Open Security Engineering - Open Security Engineering; Intermediate; inspectable systems, reproducible decisions, and transparent controls.
• Building a Personal Cyber Defense Learning Plan - Open Security Engineering; Beginner; a 30-day learning route through the encyclopedia.