Cybersecurity Encyclopedia is a Learn-section guidebook shelf for calm, defensive cyber education. The guides use toy examples, checklists, evidence questions, and official reference links instead of exploit instructions or operational offensive procedures.
For quick practice between guides, use the Cybersecurity Encyclopedia game track . It turns defender thinking, telemetry, identity, ransomware, AI security, incident response, and control mapping into short checks.
Tools and diagnostics
- Attack Path Sketcher for static defensive path-mapping practice.
- Alert Triage Helper for severity, confidence, and next-evidence notes.
- Ransomware Readiness Scorecard for recovery-preparation review.
- Cloud Exposure Prioritizer for reachability, privilege, data, and logging questions.
- Evidence Note Builder for separating observations, decisions, and unknowns.
- Security Control Crosswalk for plain-language NIST, CIS, and ATT&CK-style mapping.
Full path
Start Here: Defender Thinking
- Cyber Defense Quickstart: Think Like a Defender — Beginner: assets, risk, evidence, and calm prioritization.
- What an Attack Path Is — Beginner: how defenders model routes through systems.
- Assets, Identities, Exposures, and Controls — Beginner: the four-part mental model for defense.
- Asset Inventory Drift — Beginner: asset records, ownership, visibility, and drift.
- Data Classification for Cyber Defense — Beginner: data sensitivity, ownership, access scope, and incident impact.
- Evidence-First Triage — Beginner: replacing panic with observable facts.
- Security Alerts Without Panic — Beginner: reading alerts, avoiding false certainty, deciding next steps.
- Known-Good Baselines — Intermediate: normal behavior, drift, and anomaly context.
- Risk Scores, Severity, and Confidence — Intermediate: separating urgency, impact, likelihood, and evidence confidence.
- Safe Cyber Learning Boundaries — Beginner: defensive education, legal boundaries, and toy examples.
Endpoint Telemetry
- Processes, Parents, and Command Lines — Intermediate: process trees, parent-child relationships, command-line context.
- Script Interpreter Telemetry — Intermediate: shell, PowerShell, Python, automation, and parent-process evidence.
- Suspicious Process Indicators — Intermediate: unusual names, locations, privilege, ancestry, and behavior.
- Network Connections: Ports, Protocols, and Remote Hosts — Intermediate: how defenders reason about endpoint network connections.
- Logs: What to Keep and Why — Beginner: audit logs, service logs, authentication logs, and retention basics.
- Detection Tuning and Signal Noise — Intermediate: alert quality, baselines, tuning records, and confidence.
- File Entropy and Mass-Encryption Clues — Advanced: ransomware-like file behavior and false positives.
- YARA Matches Without Panic — Intermediate: signature matches, context, confidence, and next steps.
- Memory Injection Concepts for Defenders — Advanced: RWX memory, unbacked executable regions, and cautious interpretation.
- Rootkits and Kernel-Level Signals — Advanced: hidden processes, kernel tampering concepts, and trustworthy evidence.
- eBPF for Defenders — Advanced: what eBPF can observe, why it matters, and how to reason safely.
- USB, DMA, and Peripheral Risk — Intermediate: new devices, DMA capability, IOMMU protection, and policy basics.
Cloud, Identity, and Exposure
- IAM Roles and Least Privilege — Beginner: identity permissions, role scope, and privilege reduction.
- MFA, Passkeys, and Recovery Paths — Beginner: strong login controls and account recovery risk.
- Authentication Log Patterns — Intermediate: login evidence, failed sign-ins, new devices, and account context.
- Password Managers and Credential Reuse — Beginner: password managers, reuse reduction, recovery, and account hygiene.
- Privileged Access Reviews — Intermediate: elevated access, approvals, ownership, and admin drift.
- Identity Lifecycle and Offboarding — Intermediate: joiner, mover, and leaver access drift.
- Email Authentication Signals — Intermediate: SPF, DKIM, DMARC, alignment, forwarding caveats, and investigation context.
- DNS and Domain Hygiene for Defenders — Intermediate: domain ownership, DNS changes, resolver evidence, and lookalike risk.
- TLS Certificates and Service Identity — Intermediate: certificates, hostnames, ownership, expiry, and service identity evidence.
- OAuth Consent and SaaS App Risk — Intermediate: app consent, scopes, shadow SaaS, and review habits.
- Browser Extensions and Session Risk — Intermediate: extension permissions, session tokens, profiles, consent, and data exposure.
- SaaS Admin Change Logging — Intermediate: admin changes, role edits, app integrations, sharing changes, and audit retention.
- Cloud Public Exposure Mapping — Intermediate: internet-facing assets, admin surfaces, and compensating controls.
- Storage Bucket Mistakes — Beginner: public access, sensitive data, logging, and least privilege.
- Container Image Trust — Intermediate: image digests, registries, signatures, and provenance.
- SBOMs, Signatures, and Attestations — Intermediate: software supply-chain evidence.
- Service Accounts and Secrets — Intermediate: non-human identities, secret rotation, and blast radius.
- Secrets in Source Repositories — Intermediate: exposed tokens, repository history, rotation evidence, and blast radius.
Attack Paths and Breach Stories
- Initial Access Without Drama — Beginner: common entry categories explained defensively.
- Phishing and BEC Triage — Beginner: suspicious messages, sender context, approval pressure, and escalation evidence.
- Exploited Public-Facing Apps — Intermediate: exposure, patching, compensating controls, and detection context.
- Patch Prioritization and Exposure Windows — Intermediate: exposure, exploitability signals, asset importance, compensating controls, and timing.
- Vulnerability Scan Findings Without Panic — Intermediate: scan interpretation, exposure, compensating controls, and remediation evidence.
- External Remote Services — Intermediate: VPN, RDP-like concepts, admin portals, and access hardening.
- Vendor Remote Access Reviews — Intermediate: vendor access, approvals, session visibility, and blast radius.
- Valid Accounts — Intermediate: why legitimate credentials complicate detection.
- Lateral Movement Signals — Advanced: suspicious authentication, remote execution concepts, and graph thinking.
- Network Segmentation and Flat Networks — Intermediate: flat networks, trust zones, allowed paths, and blast-radius reduction.
- Privilege Escalation Signals — Advanced: new admin rights, suspicious services, token/permission changes conceptually.
- Command-and-Control Concepts — Advanced: beaconing, remote control patterns, and network evidence.
- Exfiltration Paths — Intermediate: unusual data movement, cloud storage, compression, and egress review.
- Egress Filtering and DNS Logging — Intermediate: outbound policy, resolver evidence, approved destinations, and suspicious egress.
- Impact and Blast Radius — Beginner: estimating affected systems, data, identities, and business functions.
Ransomware and Recovery
- Ransomware Timeline — Beginner: typical defensive timeline from first clue to recovery.
- Backup Design for Recovery — Beginner: offline/immutable backups, restore objectives, and tests.
- Detecting Encryption Behavior — Advanced: file entropy, extension changes, high write rates, and process context.
- Containment Decision Trees — Intermediate: isolate, preserve evidence, communicate, and avoid accidental damage.
- Restore Drills — Beginner: proving recovery before an emergency.
AI-Era Cyber Defense
- Shadow AI Data Leaks — Beginner: unsanctioned tools, sensitive input, and governance.
- AI-Assisted Vulnerability Pressure — Intermediate: why patch prioritization and exposure management matter more now.
- Agentic Attack Paths — Advanced: agents, tool permissions, identity boundaries, and monitoring.
- Prompt Injection for Defenders — Intermediate: defensive awareness, data boundaries, and safe examples only.
- Secure AI Tool Intake — Beginner: vendor review, data handling, logging, and access controls.
Triage and Incident Response
- Incident Timeline Building — Intermediate: events, entities, timestamps, confidence, and narrative clarity.
- Time Synchronization and Log Correlation — Intermediate: clock drift, time zones, source timestamps, and correlation confidence.
- Evidence Notes and Chain of Custody — Intermediate: preserving observations, decisions, screenshots, hashes, and handoffs.
- Response Actions and Approvals — Intermediate: approvals, roles, reversible actions, and auditability.
- Incident Communications Channels — Intermediate: communication channels, status discipline, and audience boundaries.
- Endpoint Isolation and Rejoin Planning — Intermediate: isolation, evidence preservation, approvals, and return-to-service checks.
- After-Action Reviews — Beginner: learning without blame and turning incidents into controls.
Open Security Engineering
- Mapping Controls to NIST, CIS, and ATT&CK — Intermediate: using trusted frameworks without pretending to be certified.
- Threat Intelligence Without Overfitting — Intermediate: threat intelligence relevance, indicator confidence, and cautious defensive use.
- Open Security Engineering — Intermediate: inspectable systems, reproducible decisions, and transparent controls.
- Building a Personal Cyber Defense Learning Plan — Beginner: a 30-day learning route through the encyclopedia.











































































