Free training - skill primer
Learn Security fundamentals for free
A free, source-cited path to learning defensive security concepts, practiced only on systems and accounts you own — this is a learning path, not a certification and not a job guarantee. Security is learned by understanding how to protect systems, never by attacking anyone else's.
What it is
Security fundamentals is the foundational, defensive understanding of how information and systems are protected — and it is deliberately framed here as defense, not offense. At its center is the CIA triad: confidentiality (keeping data readable only to those authorized), integrity (keeping data accurate and unaltered), and availability (keeping systems and data reachable when needed). Almost every security control, policy, and decision maps back to protecting one of those three properties. Because these concepts apply to any system on any platform, security fundamentals is a broadly transferable foundation that underpins cybersecurity-analyst, SOC-analyst, security-engineering, and system-administration work.
The rest of the foundation builds on the triad. Access control: authentication (proving who you are), authorization (what you are allowed to do), and least privilege (granting only the access needed). Risk: understanding threats, vulnerabilities, and impact, and that security is about reducing risk to an acceptable level rather than achieving perfection. Protection concepts: encryption to defend confidentiality, hashing and backups to defend integrity and recoverability, and layered defenses so no single failure is catastrophic. Human factors: recognizing phishing and social engineering, because attackers often target people rather than software. None of this requires touching anyone else's systems — it is a conceptual and defensive skill you practice on your own machine and accounts.
The most important discipline in learning security is ethical: you build the skill by understanding and hardening systems you own, not by probing systems you do not. This primer stays strictly defensive. It sequences free, official-first resources — including a formal web-security learning lab that runs against its own sandbox — and gives you a first hands-on exercise that reviews your own machine's protective posture and threat-models a scenario. Nothing here involves attacking, scanning, or accessing any system you do not control.
Why it matters
Security fundamentals is the shared baseline beneath cybersecurity-analyst, SOC-analyst, security-engineering, and system-administration roles, because protecting confidentiality, integrity, and availability underlies nearly every decision in those fields. The concepts transfer across platforms and employers, so the foundation compounds rather than tying you to one tool or vendor.
The free path, in order
- Learn the CIA triad and core vocabulary. Start with the confidentiality/integrity/availability model and the basic terms (threat, vulnerability, risk, control). NIST's glossary and CISA's foundational material are authoritative, free references for precise definitions.
- Understand access control and least privilege. Learn authentication vs. authorization and the principle of least privilege. Professor Messer's free Security+ videos walk these with concrete examples of how access decisions protect the triad.
- Grasp risk and layered defense. Learn that security reduces risk to an acceptable level rather than eliminating it, and how layered ('defense in depth') controls mean no single failure is catastrophic. Frame every control by which part of the triad it protects.
- Study the web-security slice hands-on. Work through PortSwigger's free Web Security Academy, which teaches how common web vulnerabilities work and how to defend against them — using its own legal, in-browser sandbox, never a real third-party site.
- Train the human-factor defense. Take a free phishing-awareness exercise (such as Google's phishing quiz) to sharpen your eye for social engineering, then review your own machine's basic protective posture (firewall and antivirus status).
Best free resources
- Professor Messer — CompTIA Security+ (free video course) Vetted communityFree video course
A widely used, free Security+ series that covers the CIA triad, access control, risk, and cryptography basics with clear, defensive, exam-aligned explanations.
- PortSwigger — Web Security Academy (free) Vetted communityFree hands-on labs
Free, high-quality labs that teach how web vulnerabilities work and how to defend against them, run entirely against PortSwigger's own legal sandbox — learning, never attacking real sites.
- NIST Computer Security Resource Center — Glossary OfficialOfficial reference
The authoritative U.S. government reference for precise security definitions (confidentiality, integrity, availability, risk, and more) — the source of truth for the vocabulary.
- Google — Phishing Quiz (Jigsaw) OfficialFree awareness exercise
A free interactive quiz that trains you to spot phishing and social-engineering cues — the human-factor defense that most real incidents depend on.
Every resource is free and dated. Official sources are labeled; vetted community resources are labeled separately. Verify a resource is still free on its own page before relying on it.
Try it (free, safe, hands-on)
Defensive posture check and a CIA threat model
Sharpen your defensive eye and practice threat-modeling — take a phishing-awareness quiz, review your own machine's built-in protections, and write a small confidentiality/integrity/availability threat-model table for a scenario. Entirely defensive, entirely on systems you own.
You will need: Your own computer (the one you use), for checking its own security posture; A web browser to take the free phishing quiz; A text file or notebook for your threat-model table
- Take the free Google phishing quiz and note which cues (sender address, urgency, link mismatch) gave away the fakes. Write down two habits you will use to spot phishing in your own inbox.
- Check your own machine's protective posture: on Windows, open Windows Security and confirm the firewall and virus protection are on; on macOS, check the Firewall in System Settings. Record what is enabled — you are auditing only your own device.
- Pick a simple scenario you understand (for example, the photos on your own laptop) and write a three-row table: one row each for confidentiality, integrity, and availability.
- For each row, name a realistic threat (confidentiality: a lost unencrypted laptop; integrity: accidental overwrite or malware; availability: a failed drive) and a defensive control that protects it (disk encryption, a hash/backup, and an offline backup copy).
- Write one paragraph mapping each control back to which part of the triad it protects, so the abstract model connects to concrete defenses on your own device.
What you should see: A completed phishing quiz with your own notes on the tells, a record of your own machine's firewall/antivirus status, and a CIA threat-model table that ties realistic threats to defensive controls for a scenario you own — all defensive, all on systems you control.
Safety: This exercise is strictly defensive and stays entirely on systems and accounts you own. Never scan, probe, attack, or 'test' any system you do not control, and use the PortSwigger labs only against their own provided sandbox. Understanding attacks in order to defend is the goal; performing them on others is not.
Where this skill gets used
Certifications that test it: comptia-security-plus, isc2-cc-certified-in-cybersecurity, isc2-sscp-systems-security-certified-practitioner, comptia-pentest-plus, comptia-cysa-plus, comptia-a-plus, comptia-server-plus, comptia-tech-plus.
Roles that need it: Cybersecurity analyst, SOC analyst, Security engineer, Systems administrator.
Sources
- Professor Messer — free CompTIA Security+ training (as of 2026-07-10)
- PortSwigger — Web Security Academy (as of 2026-07-10)
- NIST CSRC Glossary (as of 2026-07-10)
- Google (Jigsaw) — Phishing Quiz (as of 2026-07-10)
Every resource is free and dated; official-first, community clearly labeled. A skill primer is a free learning path, not a certification, not professional experience, and not a job or salary promise. This primer is strictly defensive; labs run only on systems and accounts you own or on the resources' own sandboxes. Born draft, pending human review.