# Annotated Table of Contents

A one-paragraph summary of every chapter, so you can decide what to read next without flipping through the whole book.

**Chapter 1: Breaking In**

The career chapter. Why cybersecurity is a viable field to enter without a degree, the four pillars of security careers (offensive, defensive, GRC, engineering) with honest pros, cons, and salary expectations, which skills and certifications actually matter (and which are expensive traps), and a concrete plan for landing the first job — from building proof of skill to where the jobs actually get posted.

**Chapter 2: Foundations — Cyber Security and Information Security**

The technical and conceptual baseline everything else builds on. The threat landscape, the attack types you'll be asked about in every interview (phishing, denial of service, man-in-the-middle, injection, credential attacks), malware families, how encryption protects data in transit and at rest, the core tools of the trade, and digital forensics. Then the concepts layer: the CIA triad, assets, threats, vulnerabilities, risk, security policies, and the regulations that shape how organizations protect data.

**Chapter 3: Understanding Ethical Hacking**

What separates an ethical hacker from a criminal — consent, scope, and law — plus the penetration testing lifecycle, bug bounty programs, and the legal frameworks you must understand before touching anything. The second half is the skills roadmap: networking, Linux, programming, web fundamentals, the practice platforms, and the certification path from beginner to OSCP.

**Chapter 4: Governance**

Who decides what "secure enough" means and who is accountable when it isn't. Governance versus management, the CISO role, the major frameworks (NIST CSF 2.0, ISO 27001, COBIT, SOC 2), what boards are responsible for, and how to build a governance framework from scratch. Also the entry point for GRC careers.

**Chapter 5: Risk Management**

How organizations decide which dangers to fix, accept, transfer, or ignore. The risk lifecycle from identification to monitoring, asset-based versus scenario-based assessment, third-party and supply chain risk, quantitative analysis with FAIR, and how to report risk so executives actually act on it.

**Chapter 6: Compliance**

Why compliance is not security (and why you need both). The major frameworks — GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, CMMC, FedRAMP — what they demand, who they apply to, the audit and evidence lifecycle, and how organizations handle multiple overlapping frameworks without drowning.

**Chapter 7: Cryptography**

From Caesar cipher to post-quantum algorithms without requiring a math degree. Symmetric and asymmetric encryption, hashing, digital signatures, TLS, certificates and PKI, where cryptography breaks in practice, and what the post-quantum transition means for the next decade of security work.

**Chapter 8: Threat Modeling**

Thinking like an attacker before the attacker shows up. Data flow diagrams, STRIDE, MITRE ATT&CK, PASTA, and OCTAVE — what each is for and when to use it — plus how threat modeling fits into real development workflows and which tools support it.

**Chapter 9: Security Design Principles**

The principles that separate systems that survive attacks from systems that make the news: least privilege, defense in depth, fail-safe defaults, economy of mechanism, complete mediation, open design, and the modern additions — Zero Trust and secure by default. With real-world failures showing what happens when each is ignored.

**Chapter 10: DevSecOps**

Security at the speed of modern software delivery. Embedding SAST, SCA, DAST, container scanning, infrastructure-as-code scanning, and secrets management into CI/CD pipelines, plus the cultural side — why DevSecOps fails when it's just tools, and how to make security the path of least resistance for developers.

**Chapter 11: Secure Developer — The SSDLC**

Security across the whole software development lifecycle, not bolted on at the end. The SSDLC frameworks (Microsoft SDL, OWASP SAMM, BSIMM), security requirements, secure coding principles, dependency management, security testing, code review, and the OWASP Top 10 as a working checklist.

**Chapter 12: Hacking the CTF**

Capture the Flag competitions as a training ground and a hiring signal. The challenge categories, the essential toolkit, how to actually get better instead of plateauing, why writeups are the highest-leverage habit in your job search, and a large library of free platforms and resources.

**Chapter 13: Hacking the Interview**

The last mile: turning skill into an offer. Resume and portfolio strategy, what each interview stage tests, role-specific technical questions with strong answers, scenario questions, salary negotiation, and a 30-60-90 day plan for succeeding once you're in.

**Chapter 14: Home Lab and Portfolio**

The build guide for the two things that get you hired without prior experience: a safe place to practice and the public proof you did. Lab setups for every budget (from $0 browser-based to a dedicated Proxmox box), how to keep a vulnerable lab safely isolated, starter builds for each career pillar, and how to turn it all into a GitHub portfolio that hiring managers actually read. Numbered late, but best read early — right after Chapter 3.

**Chapter 15: AI and LLM Security**

The fastest-growing specialization in the field. Why AI systems are a new kind of attack surface (the instruction/data problem), the OWASP Top 10 for LLM Applications and MITRE ATLAS, how to defend AI systems and agents, AI red teaming as a career, using AI to do security work without being misled by it, and how to break into the specialization. Builds on the technical chapters — read it once you have the fundamentals.

