Product Security Knowledge Base

๐Ÿ—บ๏ธ Guided Learning Paths for Newcomers

Intro: Reading order matters. A beginner who starts with obscure tooling details before understanding trust boundaries will memorize commands without building judgment.

What this page includes

  • one 30-day ramp-up plan;
  • one 90-day AppSec engineer plan;
  • role-specific starter tracks for cloud, Kubernetes, APIs, and Product Security management;
  • simple signals that the learner is progressing.

How to use the tracks

  • treat each week as read + review + practice, not reading only;
  • pair one content page with one real review, ticket, PR, or tabletop;
  • keep notes on what felt confusing and what repeated across services;
  • do not try to complete every page in the knowledge base before doing any practical work.

30-Day Product Security Ramp-Up

Week 1
  • Primary goal: Learn how Product Security sees systems
  • Read first: Threat Modeling Methods and Workflows; API Authentication and Authorization; From Zero to Useful
  • Practice: Sit in on one review and write down assets, actors, and trust boundaries
  • Outcome: Can follow a review without getting lost in jargon

Week 2
  • Primary goal: Learn release and CI/CD trust boundaries
  • Read first: GitLab CI YAML Deep Dive; Runner Isolation and Trust Boundaries; Secret Handling Checklist
  • Practice: Review one pipeline or deployment flow with a teammate
  • Outcome: Can explain where secrets and approvals live

Week 3
  • Primary goal: Learn cloud and runtime basics
  • Read first: AWS Networking and Policy Baseline; Runtime Protection for Microservices; IAM Review Checklist
  • Practice: Trace one workload identity end to end
  • Outcome: Can explain which identity performs a production action

Week 4
  • Primary goal: Learn review and escalation discipline
  • Read first: Product Security Incident Response Playbooks; Pre-Release Security Checklist; Production Readiness Security Checklist
  • Practice: Lead a small review using a checklist
  • Outcome: Can identify what needs escalation vs what can be fixed inline

90-Day AppSec Engineer Ramp-Up

Days 1-30: Build the mental model

  • learn trust boundaries, API auth, object-level authorization, deployment trust, and cloud identity;
  • join at least two design or release reviews;
  • practice writing short security notes after each review.

Days 31-60: Build review confidence

  • review SAST, secrets, dependency, and runtime findings without immediately escalating everything;
  • learn to distinguish scanner severity from actual exploit path and business impact;
  • shadow one architecture review and one incident tabletop.

Days 61-90: Build operating judgment

  • own a small review end to end;
  • propose one improvement to a checklist, gate, or detection rule;
  • write one risk summary for engineers and one version for managers.

Days 1-30
  • Focus questions: What is the system? Who can act? What data matters?
  • Expected evidence of progress: Cleaner notes, better questions, less confusion in review meetings

Days 31-60
  • Focus questions: Which findings matter first? What can be exploited in practice?
  • Expected evidence of progress: Better triage and fewer “everything is urgent” reactions

Days 61-90
  • Focus questions: What should we fix now, later, or accept?
  • Expected evidence of progress: Clearer prioritization, stronger written recommendations

Cloud Security Starter Track

  1. Cloud identity and trust: Workload Federation and Non-Human Identities; GitHub, GitLab, and Cloud Trust Patterns
  2. Provider-specific attack paths: Provider-Specific Cloud Attack Chains; AWS Provider-Specific Cloud Attack Chains
  3. Review discipline: Cloud Change Review Checklist; IAM Review Checklist
  4. Detection and response: Logging and Telemetry Strategy; High-Signal Detection Patterns and SIEM Examples

Kubernetes Security Starter Track

  1. Cluster baseline and workload identity: Kubernetes Baseline and Hardening; Kubernetes Deployment Review Checklist
  2. Network and runtime controls: Kubernetes Network Policy Patterns; Runtime Investigation Playbook for Kubernetes and Containers
  3. Image and build trust: Container Image Signing and Verification; Dockerfile Review Checklist
  4. Practice: Worked Example Tabletop: CI Runner Compromise Before Release

API Security Starter Track

  1. Core risks and auth model: API Design and Contract Security; API Authentication and Authorization
  2. Abuse and resilience: API Abuse Resilience and Rate Limits; Rate Limits, Quotas, Friction, and Abuse Detection
  3. Review discipline: API Review Checklist; Worked Example API Review Lab
  4. Observation: API Testing, Observability, and Release Gates

Product Security Manager Starter Track

  1. Operating model: Operating Models, Intake, and Ownership
  2. Metrics and communication: Product Security Director Metrics; Stakeholder Communication and Executive Narratives
  3. Risk and exceptions: Risk Acceptance, Exceptions, and Decision Records
  4. Review and prioritization: From Zero to Useful; Production Readiness Security Checklist

When the learner is ready to move from reading into controlled hands-on practice, use:

Progress signals

The track is working when the learner can:

  • summarize a review in one page without drowning in detail;
  • tell the difference between “this is broken” and “this is risky if these conditions exist”;
  • name the identity, data, and blast radius in a workflow;
  • ask which logs would prove success or abuse;
  • explain a recommendation differently to engineers and managers.

---

Author attribution: Ivan Piskunov, 2026. Educational and defensive-engineering use.