# Must-Know 30 — The Minimum Viable Security Literacy

The 200+ notes in this vault are the long form. This is the short form: 30 notes that any IT person, developer, or junior security practitioner should be able to explain in 90 seconds each. If you can do that for all 30, you have a working security model — not a complete one, but a working one. Everything else in the vault is depth on top of this breadth.

How to read this list:

- The grouping mirrors the Phase 0 → Phase 1 → Phase 2 ordering, but each entry can be read on its own.
- Each entry has one line of why this matters to everyone — that line is the point, not the title.
- Notes marked (future) are seeded but not yet written; safe to skip on first pass.

## Mindset (4)

- What is cybersecurity (and why not a tool list) — fixes the most common newcomer error before the rest of the list lands.
- CIA triad as a decision tool — name the property under threat first, before reasoning about controls.
- Threat modeling quickstart — the 4 questions + STRIDE pass that takes an hour and changes how you read tickets.
- Attacker-defender duality — every topic in security is a pair; studying one half plateaus you.

## Networking substrate (6)

- TCP/IP basics — without this, every other networking note is memorization.
- Ports and services — what "open port" actually means, beyond Nmap output.
- DNS resolution — DNS is half of every attack story and half of every fix.
- HTTP overview — the protocol you debug for the rest of your career.
- TLS/HTTPS — what TLS actually proves (and what it does not).
- Reverse proxies — modern apps are mediated; this is where trust gets misplaced.

## Web surface (5)

- Broken access control — the #1 web vulnerability class in every real-world study.
- SQL injection — the canonical injection class; understanding it transfers to every other injection.
- SSRF — the bug that turns "the server fetches a URL for me" into cloud compromise.
- XSS — the browser-trust vulnerability everyone has heard of and few have internalized.
- CSRF — taught as "old", still alive in every poorly-designed admin panel.

## Cryptographic correctness (4)

- Hashing vs encryption vs signing — the distinction that fixes half of all crypto questions.
- Password hashing — bcrypt/scrypt/argon2 and why MD5/SHA-256 on passwords is a bug.
- AEAD and nonce misuse — modern encryption gives you confidentiality and integrity; understanding why matters.
- JWT cryptographic correctness — JWTs are right or they are theatre; almost no one validates them correctly on first attempt.

## Offense / defense pair (5 — read each row together)

- Host and port discovery ↔ Scan anomaly detection — the most basic recon move and what it looks like to defenders.
- Nmap scanning ↔ Network telemetry sources and visibility — what an Nmap scan is and where it shows up in your logs.
- Active recon ↔ IDS/IPS and behavioral detection pipelines — how attackers enumerate and how defenders catch the pattern, not the payload.
- Enumeration ↔ Behavioral vs signature detection — the two ways of catching the same activity and why behavioral wins in 2026.
- Cloaking and security evasion ↔ Detection evasion myths — what evasion actually buys an attacker and what it does not.

## Practical capability (3)

- Threat modeling quickstart (re-read) — the only entry that appears twice. It is the single highest-leverage habit on this list.
- Playbook: exploit SQLi — read one offensive playbook end-to-end to see how concept becomes procedure.
- Playbook: run scan pipeline — the engagement-level recon workflow tying Phase 1-3 together.

## Always-on (3)

- Privacy, Anonymity & OPSEC (branch index) — at minimum the threat-model and account-correlation notes; the rest is depth.
- DevSecOps (branch index) — at minimum the secrets-management and supply-chain notes if you touch CI/CD.
- Cloud Security (branch index) — at minimum the IAM-boundaries and metadata-endpoints notes if your systems run in cloud.

## How to use this list

- As a pre-test. Before reading anything new, scan the 30 entries and rate yourself "could explain in 90 seconds" / "could not". Your gaps are your reading list.
- As a quarterly refresh. Senior practitioners drift. Re-rate yourself every quarter; the drift directions are diagnostic.
- As an interview prep. Most "junior security engineer" / "AppSec engineer" / "detection engineer" interviews probe a subset of these 30 directly.
- As a teaching index. Onboarding a junior teammate? This is the curriculum. Track which of the 30 they have internalized.

This list is deliberately short. The hard part of curating it was not picking 30 — it was leaving out the next 30. The vault is depth on top of these; the next 30 (database security, Kubernetes hardening, AD/Kerberos basics, EDR internals, IR/forensics, malware analysis basics, secure SDLC governance) live in the branches, reachable from here.

## Related navigation

- Start Here — persona-driven triage page.
- Cybersecurity Index — full branch listing.
- Foundations — Phase 0 entry.