Phase 4 — Specialty Tracks (Pick What Your Job Demands)

Phase 4 is the only phase you do not read linearly. By design, it is job-context-chosen: you pick the specialty your role actually requires, learn it deeply enough to be effective, and revisit the others only when your work expands into them.

Generalists who try to read all four Phase 4 branches in parallel produce shallow knowledge of all four and depth in none. The specialist path is the right path here.

Six tracks, each with its own persona, curated path, and entry conditions:

API Security · Cloud Security · DevSecOps · Wireless Security · Identity & Active Directory · Binary Exploitation

Each track assumes you have completed Phases 0–2 first-pass; some assume Phase 3 too. Track entry conditions are stated explicitly. The Binary Exploitation track has the strongest non-vault prerequisites (C/C++ literacy, debugger fluency, x86-64 baseline) — see Track F.

Track A — API Security

Pick this if: you build, test, or operate APIs (REST, GraphQL, gRPC). Most modern web/mobile/SaaS engineering touches this.

Entry conditions: - Phase 1 first-pass complete (especially HTTP overview, HTTP headers, TLS/HTTPS). - Web Security basics complete — APIs inherit most of the web threat model.

First-pass path (8 of 14 notes):

1. API Security Top 10 — the OWASP API canon; the right entry point because it frames every subsequent note.
2. API Inventory Management — you cannot secure APIs you do not know about. Inventory is the first capability.
3. Broken Object Level Authorization (BOLA) — the #1 API vulnerability class by real-world frequency. IDOR's API-shaped sibling.
4. Broken Function Level Authorization — admin/role boundary failures in API routing.
5. Broken Object Property Level Authorization — fine-grained field-level authorization; closes the gaps the previous two leave open.
6. Broken Authentication — token issuance, refresh, validation, rotation failures.
7. JWT Attacks — the most common token-trust failures, paired with JWT Cryptographic Correctness from Phase 1.
8. Excessive Data Exposure — APIs that return more than they should; the data-minimization failure.

Extended (6 more): API auth flaws, API rate limiting, Authorization, Token lifecycle, Mass assignment, Polymorphic deserialization.

You are done with first-pass API when: given any API endpoint, you can walk it through the 8 notes above as a checklist and articulate which of the 8 controls it implements correctly, which it implements weakly, and which it skips.

Track B — Cloud Security

Pick this if: your systems run in cloud (AWS, GCP, Azure, multi-cloud) and the security boundaries you care about live in cloud control planes, not on-prem network gear.

Entry conditions: - Phase 1 first-pass complete. - Cryptography at least through hashing vs encryption vs signing — IAM and keys reasoning depends on it.

First-pass path (6 of 10 notes):

1. Cloud Security Basics — shared-responsibility model and what the cloud provider actually guarantees vs what you own.
2. Cloud IAM Boundaries — IAM is the cloud security primary control. Everything else is downstream.
3. Cloud Metadata Security — the metadata endpoint is the single most-attacked cloud surface; SSRF + cloud metadata = compromise.
4. Cloud Network Boundaries — security groups, VPC peering, transit gateways, and how networking trust translates to cloud.
5. Cloud Secrets Management — short-lived credentials, KMS, secret rotation, why hard-coded keys are the canonical cloud failure.
6. Public Cloud Storage Exposure — S3-bucket-style misconfiguration, by frequency the most-found public cloud finding.

Extended (4 more): Cloud logging and detection, Cloud DNS and Certbot, SSH access to cloud hosts, Cloud lab infrastructure.

You are done with first-pass Cloud when: for any cloud workload, you can walk its IAM role / network exposure / metadata reachability / secret-handling / storage exposure and assess each in under 10 minutes against the 6 notes above.

Track C — DevSecOps

Pick this if: you own (or contribute to) a CI/CD pipeline, release process, container build, or supply-chain control. This track is increasingly non-optional for backend / platform / SRE roles.

Entry conditions: - Phase 1 first-pass complete (especially Digital signatures for artifact integrity reasoning). - Phase 2 first-pass helpful but not strictly required.

First-pass path (7 of 12 notes):

1. Secure by Design — the philosophy that drives every other note; without it the rest become checklists.
2. CI/CD Hardening — the build pipeline is part of the attack surface. This note names what to harden first.
3. Secrets Management — the canonical CI/CD failure. Hard-coded keys, exposed logs, leaked tokens.
4. Supply Chain Security — the threat model that motivates SBOM, signing, and provenance.
5. SBOM and Provenance — how to know what you are actually shipping. SLSA, Sigstore, in-toto.
6. Dependency Risk — the open-source dependency surface as a first-class threat.
7. Container Security — image, runtime, and orchestration layer threats.

Extended (5 more): Artifact integrity, Image scanning, Branch protection and release controls, NIST SSDF, ASVS as dev process input.

You are done with first-pass DevSecOps when: you can threat-model your own CI/CD pipeline end-to-end and name the controls that protect each stage (commit → build → test → publish → deploy).

Track E — Identity and Active Directory

Pick this if: you do red-team / pentest work in AD environments, you administer AD, you respond to identity-based incidents, or you work on identity-platform engineering (AD, Entra ID, hybrid). High-frequency relevance for enterprise security roles.

Entry conditions: - Phase 1 first-pass complete (especially password hashing and symmetric encryption modes — AD credential attacks are KDF/encryption-economics problems). - Phase 2 first-pass complete — AD attacks have no useful signature-based detection; behavioral framing is mandatory.

First-pass path (4 notes, read in order):

1. BloodHound and Attack Path Analysis — the visibility layer. Tells you which AD attacks are worth doing and which defensive ACLs to fix first.
2. AS-REP Roasting — the pre-foothold attack that requires no credentials, only usernames.
3. Kerberoasting — the post-foothold attack against accounts with SPNs.
4. DCSync and ntds.dit Extraction — the endgame: recover every hash including krbtgt, enabling Golden Tickets and permanent domain compromise.

Extended (seeded future notes): Golden Ticket forgery, Silver Ticket persistence, Pass-the-Hash, DCShadow, krbtgt rotation, Exchange permission legacy, UAC flags, shadow credentials / PKINIT, Tier 0 administration / PAW.

You are done with first-pass Identity & AD when: given any AD environment, you can collect with BloodHound, identify the shortest path from any unprivileged user to Domain Admin, name the cheapest two ACE edges defenders should remove, and execute one offensive chain end-to-end against an authorized lab.

Track D — Wireless Security

Pick this if: you work with Wi-Fi networks at any depth — corporate Wi-Fi assessment, branch-office security, wireless penetration testing, or building wireless products. Pick this last if your role is web/cloud/API; wireless is genuinely a specialty track.

Entry conditions: - Phase 1 first-pass complete (especially TCP/IP basics and Ports and services — Wi-Fi is L1/L2 underneath the same TCP/IP). - Hardware: a Wi-Fi adapter that supports monitor mode is required for the labs in this track to be useful.

First-pass path (5 of 10 notes):

1. Wireless Security — the branch-level mental model: Wi-Fi as radio + frames + association + authentication.
2. Wi-Fi Monitor Mode — the foundational capability; without monitor-mode capture the rest is theory.
3. WPA/WPA2 Handshakes — the canonical capture-and-crack target.
4. Wi-Fi Deauthentication — the move that turns "wait for a client to connect" into "force one to reconnect now". Foundational to handshake capture and evil-twin attacks.
5. Evil Twin Access Points — the rogue-AP attack that converts wireless surface into credential / session compromise.

Extended (5 more): Wi-Fi wordlist attacks, WEP security, MITM on local networks, ARP poisoning, Bettercap workflows.

You are done with first-pass Wireless when: you can capture a WPA2 handshake from an authorized test network, crack it against a controlled wordlist, and articulate why your corporate Wi-Fi is or is not vulnerable to the same workflow.

Track F — Binary Exploitation

Pick this if: you do vulnerability research, exploit development, security engineering for low-level systems software (OS kernels, hypervisors, browsers, language runtimes), CTF pwn-category competition, security-tooling authorship, or you maintain memory-unsafe code in any production context. Strongest non-vault prerequisites of any track — this is the deepest technical specialty in the vault by ladder distance from source code.

Entry conditions: - Phase 1 first-pass complete. - C/C++ programming literacy — the branch assumes you can read C, have a working mental model of stack frames and heap allocation, and are comfortable with a debugger (gdb / lldb / WinDbg). If not, work through Practical Binary Analysis or OpenSecurityTraining x86 / OS-internals first. - Linux + x86-64 baseline. Most labs target Linux on x86-64. aarch64, macOS, and Windows specifics are called out per-note as they come up. - Phase 2 first-pass useful but not strictly required (exploit detection lives mostly inside the branch's own mitigation notes plus the EDR / process correlation cross-link).

First-pass path (2 notes, read in order):

1. Memory Corruption — the root concept, the 6-class taxonomy (stack overflow / heap overflow / use-after-free / double-free / out-of-bounds read / integer overflow), and the chain from bug to exploit primitive to code execution.
2. Stack Buffer Overflow — the canonical worked example of class 1. The deep-dive that introduces stack layout, return-address control, the mitigation chain (canary → ASLR → DEP → CET → MTE → PAC), ROP-style reasoning, and the pwntools-shaped exploit-development workflow.

Extended (seeded future notes): Heap exploitation, use-after-free, double-free, info-leak primitives, ROP / ret2libc, ASLR / PIE leak chains, format-string bugs, exploit mitigations (the full landscape), stack canaries / shadow stacks / PAC, ARM MTE, CFI, ELF format, reverse-engineering loop, fuzzing with libFuzzer / AFL++, sanitizers (ASAN / MSAN / UBSan), symbolic execution with angr.

You are done with first-pass Binary Exploitation when: given a vulnerable C program, you can identify the bug class, locate the saved return address (or equivalent control-flow primitive), build a working exploit against an unmitigated build, articulate which mitigations defeat that simple exploit, and name at least two primitives you would chain to defeat them. The pwntools-shaped exploit script for a basic stack-overflow CTF challenge should be a 20-line task, not an afternoon.

How Phase 4 connects back to earlier phases

Pick the track whose dependencies you have already covered; that is the most efficient path.

Picking more than one track

The Always-on parallel discipline of Privacy, Anonymity & OPSEC is your fifth track in spirit — it runs alongside every other one and never stops being relevant.

If your role demands two specialties (e.g., API + Cloud is common in modern backend engineering), do them sequentially, not in parallel. Finish first-pass on one, then start first-pass on the other. Parallel reading produces shallower retention in both.

What's after Phase 4

There is no Phase 5 in this vault. After Phase 4 specialty first-pass, you are operating as a specialist with full breadth across Phases 0–3 and depth in one (or two, sequentially) specialty area. The next learning move is outside this vault:

• Real engagements under authorization — bug bounty programs, internal red/purple-team exercises, IR drills.
• Defending a real system that uses your specialty — building or operating one is the highest-leverage learning context.
• The suggested future branches in Cybersecurity Index (mobile, reverse-engineering, social-engineering, AI/agent-security) — open when they become job-relevant.

The vault structure ends here. Everything else is depth.

Related navigation

• Start Here — persona-driven triage page (the personas there map onto the four tracks here).
• Phase 1 — Substrate · Phase 2 — Offense / Defense · Phase 3 — Operator surface — prior phase entry pages.
• Phase 0 — Foundations — mental models all four tracks assume.
• API Security Index · Cloud Security Index · DevSecOps Index · Wireless Security Index — full branch listings.
• Privacy, Anonymity & OPSEC — the parallel always-on discipline.
• Must-Know 30 — cross-branch must-know list.
• Cybersecurity Index — full vault roadmap.