Ever since hacking (or rather cybersecurity) became a real field of work, where you can actually do the hacking without the consequences (aka jail), the influx of newcomers has risen. And generally, that's great! We need more security-conscious ppl. But it comes with a lil caveat: how do you get started with hacking?

Hacking is generally an extremely difficult field to get into (unless you just wanna be a script kiddie), but luckily we have a plethora of tutorials from ppl like me that put out hacking content. Or is that a bad thing? You watch a video about an attack on a vulnhub machine, follow it step by step and BOOM - you hacked into the machine and are now a hacker. But you're just following along without developing true skills.

I've seen this problem come up in the software dev field before it happened to the "hacking field". And it has a name: tutorial hell. The problem with it: tutorials make you feel like you're learning something, but you aren't.

Learning requires active participation, a feeling of discomfort and a bunch of failures. There is no learning without those. And tutorials don't provide any of those, but there is something that does! (That I will reveal at the end of the article, so you have to read (or scroll) to the end.)

No one ever built muscle by watching someone else lift

If you wanna build muscles, you need to put in the work. If you wanna hack systems, you need to put in the work, too.

Watching tutorials, reading guides and even following along with them just creates an illusion of progress. You feel like you've done something, but then you try to remember it and... you forgot? That's because in order to learn any skill, you need active participation. It's a lesson I try to teach my students all the time, what they tried to teach me at education school, and also what the newest research on learning shows:

Research by Carnegie Mellon University on Active Learning

In their research they found that

Active learning techniques encourage students to produce thoughts and get feedback through interactive settings rather than passively receiving information [...]

And the problem with tutorials is that you're just passively receiving information - at most you're just actively following steps. You may think you learn while watching a tutorial, but you do not. My experience as a student and teacher, and even the research, shows it: active learning produces better outcomes.

Learning means doing - and suffering a little along the way

"Real learning" and breakthroughs happen when you get into a state of discomfort. Especially when they come with a payoff at the end.

You don't learn hacking by memorising the top 10 tools to hack, or the OWASP Top 10. Even if that is valuable knowledge to have - it won't make you a hacker. It's also subject to change, and who's to say you're not gonna forget it in a week anyways?

These moments of discomfort and facing the unknown - in short, getting out of your comfort zone - force you to work harder and more actively. This in turn helps you retain information better, build muscle memory and even build up a sort of hacker intuition over time.

hacker intuition: the ability to recognize patterns, spot anomalies, and solve unique problems without needing a step-by-step guide.

The recon tutorial you followed along yesterday may be entertaining and give you a lil bit of satisfaction, but how much of it do you actually remember?

symbolic image of a hacker battle station from reddit (source)

Imagine you're spending hours on finding a bug, your brain fuming, Monster energy cans lying everywhere and the urge to smash your face against a keyboard ever present. You're close to giving up but then boom. You did it! You found a weird JavaScript function that implements the payment gateway in the frontend and you can change the price of whatever you're buying before it gets sent to the backend with Burp or ZAP.

I still remember the details of such a CSRF bug I found over 6 years ago and how fucking genius I felt, when hours before I didn't even understand what the application was doing! (Only for the client to dismiss it and be like "ah that ain't bad, we do double check the orders by hand")

You don't see the grind in the highlight reel

Due to the nature of social media and what kind of content "sells" or gets views and clicks, the journey to hack into a system is often misrepresented by hacker influencers. Influencers and content creators tend to showcase their polished results while hiding the messy, difficult reality of learning.

This creates unrealistic expectations for noobs (about how fast they should be, but also about how fast and quick other content creators should be). Hacking is not about quick wins and "I'm in" all the time. Real hacking is messy:

You can spend hours, sometimes even days staring at error messages, breaking things (by accident or on purpose) and going down rabbit holes to nowhere. You may not know the tools you need for this specific bug - or not even know that one exists and write your own code that is full of bugs. Guides won't make sense halfway through them. You'll google stuff multiple times in hopes that it will turn up some useful results. And that's the point.

symbolic image of me failing towards success

Failing your way towards finding a way into a system or website is exactly how you learn to hack. Or learn in general. It may look or feel chaotic, broken and even slow - but that's how you know you're on the right track to learn something. You begin to notice patterns, make connections, and build mental models that no tutorial could ever hand you. You develop persistence, creativity, and problem-solving instincts, because you had no choice but to develop those skills to succeed. (Luckily, I showcase most of my failures in my videos and especially during my livestreams.)

Learning from failure is more powerful and lasts longer. Ask the right questions, or apply something like the triple insight framework:

“Before the failure, I thought that (…), but then I realized that (…); now, I do (…).”

Stop Consuming, Start Producing

In the end, the only way to become a capable hacker is to stop consuming and start creating. Tutorials can be useful for getting started, but they should never become a crutch. The real path to mastery lies in engaging directly with problems, embracing failure, and getting out of your comfort zone.

And another important aspect of learning is curiosity. Start shifting your mindset from "how do I hack XYZ?" to "how does XYZ work?". Ask yourself the right questions.

Also shoutout to CyberFlow for inspiring this article!
