
Best CTF Platforms to Practice Ethical Hacking in 2026

The top free and paid platforms for honing penetration testing skills — from absolute beginner to OSCP-ready, ranked by learning curve.


Capture The Flag (CTF) competitions and hacking practice platforms are the fastest way to build real penetration testing skills. Reading about tools is one thing; actually using them against real systems is another. These platforms give you legal, structured environments to practice without risk.

TryHackMe — Best for beginners

TryHackMe is the most beginner-friendly platform available. Rooms are structured learning paths — they walk you through concepts step by step, often explaining the why behind each tool before you use it.

Key features:

  • Browser-based attack machine (no Kali installation required to start)
  • Learning paths for complete beginners through pre-OSCP
  • Guided rooms with hints and explanations
  • Free tier covers a large portion of content

Best paths to start with:

  • Pre-Security (absolute beginners)
  • SOC Level 1
  • Jr Penetration Tester

The free tier is generous, but a subscription (~$14/month) unlocks the full library and is worth it if you’re serious.

Hack The Box — Best for intermediate learners

HackTheBox takes a less guided approach. Machines are categorised by difficulty (Easy → Insane), but you’re largely on your own. The community produces detailed walkthroughs (called “writeups”) after machines retire, which you can learn from after attempting a box yourself.

Key features:

  • Realistic, enterprise-style machines
  • Active competitive community
  • Pro Labs for network-level scenarios (paid)
  • Starting Point section for beginners

Don’t start here if you’re new. TryHackMe first, then HackTheBox once you’ve completed a few paths.

PortSwigger Web Security Academy — Best for web app testing

PortSwigger Web Security Academy is completely free and focuses exclusively on web application security. It’s made by the team behind Burp Suite, and the labs are exceptional — covering SQL injection, XSS, CSRF, authentication flaws, SSRF, XXE, and more.

Why it stands out:

  • 100% free, no account required for labs
  • Structured learning with built-in labs
  • Directly relevant to bug bounty and OSCP web modules
  • Written by actual security researchers

If web app security is your focus (bug bounty, web pentesting), start here alongside TryHackMe.

VulnHub — Best for offline practice

VulnHub hosts downloadable VM images of intentionally vulnerable machines. Download them, run them in VirtualBox or VMware on your local network, and attack them offline. No subscription, no internet required.

Good starter machines:

  • Kioptrix series (great for beginners)
  • Mr-Robot (based on the TV show)
  • DC series

VulnHub is ideal if you want to practice without an internet connection or prefer to keep everything local.

PicoCTF — Best for absolute beginners and students

PicoCTF is run by Carnegie Mellon University and targets high school and college students, but the challenges are open to everyone. It covers cryptography, reverse engineering, forensics, web exploitation, and binary exploitation in a very approachable way.

Challenges are permanently available outside of competition season. Good for building foundational skills before moving to TryHackMe or HackTheBox.

CTFtime — For competitive CTF events

CTFtime tracks upcoming CTF competitions worldwide. These are timed events (usually 24–72 hours) where teams compete to solve challenges. Participating in live CTFs forces you to work under pressure and exposes you to challenge types you wouldn’t find on practice platforms.

Filter by difficulty rating and join with a team or solo. After each competition, teams typically publish writeups — these are some of the best learning resources available.

Stage | Platform
Complete beginner | PicoCTF → TryHackMe (Pre-Security path)
Building fundamentals | TryHackMe (Jr Pentester path) + PortSwigger
Intermediate | HackTheBox (Easy boxes) + live CTFs via CTFtime
Pre-OSCP | HackTheBox Pro Labs + TryHackMe (Advanced paths)

The most important thing

Consistency beats intensity. Thirty minutes a day five days a week will advance your skills faster than a 10-hour Saturday once a month. Pick one platform, follow one path, and don’t jump around until you’ve finished it.
