
Phase 1 done: 8 weeks of pentesting, what I'd do differently


That's it, it's done

I wrapped up last night. Not in any official way with champagne and fireworks, I just validated the last Root Me challenge from a series on obfuscated JavaScript, closed the browser, stared at my screen for two seconds and thought: ok, phase 1 done.

On February 18 I was opening a Linux terminal wondering what chmod meant. On April 12 I'm modifying cookies in Burp to escalate privileges on PortSwigger labs. In between, 8 weeks, 34 effective days out of 56, two projects on GitHub, and a quiz that knocked me back in the middle of it all.

I wanted to put this in writing before starting phase 2, because otherwise in a month I'll romanticize the whole thing and forget what actually went wrong.

Numbers, since we need some

| Thing | Value |
|---|---|
| Days worked | 34 / 56 |
| Total time (rough estimate) | ~54h |
| TryHackMe rooms | ~14 |
| OverTheWire Bandit | 0 → 25 |
| Root Me | 11 challenges |
| PortSwigger | 7 labs |
| GitHub projects | 2 |
| Cheatsheets | 3 |
| Blog posts | 3 |

60% attendance. I was aiming for 7/7. I held 7/7 on two weeks (3 and 4). The others were more uneven. Week 6 I did three days. Week 8, two. And those weren't because I was sick or had something urgent, I just let it slide.

Week 7 saved everything else

End of week 6 I was on a roll. PortSwigger, Burp, all that. And somewhere along the way I got a feeling things were starting to blur. Not "blur I don't get it", more like "blur I'm not sure I actually know this".

So instead of pushing forward, I built a quiz. 45 questions I wrote myself, going back through my notes from the first 6 weeks. 31/45. 69%.

Stung a bit. I was staring at the screen like, seriously? I really thought I was above that. And what shook me wasn't the score, it was what I got wrong.

I was mixing up filtered and closed in Nmap. I thought * * * in traceroute meant "network cut" (no, it just means the router isn't answering ICMP TTL Exceeded, the packet keeps going). I couldn't really say what the Semaphore was doing in my own port scanner that I'd written two weeks before. I said IDOR was "a flaw in the URL", when actually it's an authorization flaw server-side, the URL is just the vector.

Basically I had empty space in my head and I thought it was solid ground.

So week 7 I didn't learn anything new. I drilled the common ports until I could spit them out without thinking. I rewrote the Python port scanner from scratch, blank file, no peeking at the old one. I redid two PortSwigger labs without notes. And I launched an OSINT project on GitHub so I'd have something concrete to show.

Probably the most useful week of the eight. And it's a week where I didn't "advance" anything on the roadmap.

The two projects I keep

The Python port scanner. Socket, threading, Semaphore so we don't flood the OS, argparse for the parameters, banner grabbing after connection. Nothing crazy, but I broke it three times before it worked cleanly. And now I can explain it line by line, which wasn't the case in week 5 when I wrote it the first time.
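To make the Semaphore's role and the closed/filtered distinction concrete, here is a small connect scanner with the same ingredients (socket, threading, Semaphore, banner grabbing). It is an example added here, not the code from the author's repository; the function names, the loopback-only `demo()` and its banner string are constructed for illustration, and argparse is left out to keep it short.

```python
import socket
import threading
def state_from_error(exc):
    # RST (connection refused) proves the host answered: closed.
    # A timeout or unreachable error proves nothing either way: filtered.
    return "closed" if isinstance(exc, ConnectionRefusedError) else "filtered"

def probe(host, port, timeout=0.5):
    """TCP connect probe; returns (state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return "open", s.recv(128).decode(errors="replace").strip()
            except OSError:          # connected, but the service stayed silent
                return "open", ""
    except OSError as exc:
        return state_from_error(exc), ""

def scan(host, ports, max_workers=4, timeout=0.5):
    """One thread per port; the Semaphore caps how many sockets are open at once."""
    gate, lock = threading.Semaphore(max_workers), threading.Lock()
    results, stats = {}, {"in_flight": 0, "peak": 0}
    def worker(port):
        with gate:                   # blocks while max_workers probes are running
            with lock:
                stats["in_flight"] += 1
                stats["peak"] = max(stats["peak"], stats["in_flight"])
            outcome = probe(host, port, timeout)
            with lock:
                results[port] = outcome
                stats["in_flight"] -= 1
    threads = [threading.Thread(target=worker, args=(p,)) for p in ports]
    for t in threads: t.start()
    for t in threads: t.join()
    return results, stats["peak"]    # peak never exceeds max_workers

def demo():
    """Loopback only: one listener with a constructed banner, one unused port."""
    with socket.create_server(("127.0.0.1", 0)) as srv:
        def serve():
            conn, _ = srv.accept()
            conn.sendall(b"SSH-2.0-constructed_demo\r\n")
            conn.close()
        threading.Thread(target=serve, daemon=True).start()
        with socket.socket() as tmp:         # bind then release to find a free port
            tmp.bind(("127.0.0.1", 0))
            free = tmp.getsockname()[1]
        open_port = srv.getsockname()[1]
        results, peak = scan("127.0.0.1", [open_port, free], max_workers=1)
        return results[open_port], results[free], peak
```

Without the Semaphore, every thread would open its socket at the same moment; with it, `peak` stays at or below `max_workers` no matter how many ports are queued.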

osint-domain-recon. OSINT recon tool. WHOIS, crt.sh for subdomains via Certificate Transparency, DNS records (A, MX, TXT, NS). It outputs a Markdown report you can open directly on GitHub. Works on any domain with one command.

This isn't advanced security work. But it's public, it runs, there's a clean README, a requirements.txt, the code is readable. The difference between "I followed a course" and "I have projects to show" comes down to those two hours of polish I almost didn't do.

What went wrong

The pacing, I already said. Two weeks under 3 days is too much. What happened every time was the same story: I'd miss a day, tell myself "tomorrow", miss that day, and from there the week was burned in my head. Next time I'm setting a floor: 30 minutes minimum every day, even if it's just re-reading a cheatsheet. Mental circuit breaker.

TryHackMe subscription expiring right at week 8. That really cut my legs out. SQL Injection, Content Discovery, everything I had planned, scrapped. Need to plan better next time. Either take 3 months at once, or have free alternatives ready.

Burp Intruder and Decoder. I can define them now (fuzzing/brute force for one, encoding/decoding for the other). But I've never actually used them in a real lab under pressure. That's the kind of thing that might show if someone asks me a hands-on question in an interview.

What I actually take from this

If I had to give ONE piece of advice to February me, it wouldn't be "work more". It would be: "test yourself earlier". I waited until the end of week 6 to do a real review. If I'd done it at the end of week 3 or 4, I'd have caught my networking gaps before they set in. Instead I spent 3 weeks stacking content on top of fuzz.

Build something shippable > do 10 more rooms. That came naturally with the two projects, but I could have started earlier. One concrete script per week, even a small one, consolidates way better than one more room.

And publish. Even ugly. My osint-domain-recon has a decent README but not perfect, no tests, the code could be better organized. I pushed it anyway. The perfect version never arrives. The one that's online, it exists.

What's next

Phase 2, web applications. April to June. SQL injection for real (not just "I know what it is"), OWASP Top 10 properly, Burp Intruder finally used on real labs, and BSCP hanging around in the back of my head for later.

The idea is to stop hopping around. In phase 1 I touched Linux, networking, Python, Burp, OSINT, client-side web. That was necessary to get an overview. Now I want to drill one vertical, web, that's it, and come out of it with a level that actually feels like something.

Concrete goal for end of phase 2: a third GitHub project. Not decided yet what exactly. Maybe a minimalist web vuln scanner, maybe a tool that automates part of the recon I'm doing by hand today. We'll see what emerges.

That's it

Eight weeks isn't enough to be a pentester. But it's enough to know what the discipline looks like, to have broken and fixed two or three things, and to have two projects on GitHub that exist.

I'm keeping the daily notes, the weekly reviews, the monthly ones. Takes 10 minutes a day, nothing, and at the end you have a trace of what actually happened instead of a vague feeling. If you're starting out: do this. The rest will come.

qyrn


learning pentest • film enjoyer • contact@qyrn.dev
