Roadmap

DevSecOps Engineer

From Linux fundamentals to shipping secure software at scale, the complete DevSecOps engineer path.

19stages143topics~122hours

Curated from the best, MDN · Kubernetes · AWS · OWASP · Google SRE & more

Senior DevSecOps Engineers command £90K–£150K+ at companies like Cloudflare, HashiCorp, Snyk, and Datadog. Post-SolarWinds and Log4Shell, supply chain and runtime security engineers are among the most sought-after profiles in cloud infrastructure. The FAANG bar now expects threat modeling, IaC security scanning, and CSPM, not just "knows how to run Trivy."

The complete path, 26 of 143 topics have lessons here; the other 117 are marked learn anywhere. We won't pretend we cover everything.

Ready to build? See capstone projects

Stage 1 / 19 · 7 topics · 0 lessons

Computing & OS Foundations

The bedrock every DevSecOps engineer stands on: how computers, operating systems, and processes actually work.

How Computers WorkCPU, memory, storage, processes, and the kernel/user-space boundary. Wikipedia

Operating System FundamentalsScheduling, virtual memory, syscalls, file systems, and I/O. OSTEP (free book)

Linux as a Daily DriverWhy Linux dominates servers and how distributions differ. Linux Journey

Processes, Threads & SignalsPIDs, fork/exec, signals, and the process lifecycle. Linux man pages

Filesystem & Unix PermissionsInodes, mount points, ownership, rwx, setuid, and umask. Linux man pages

Package Managementrecapt, yum/dnf, apk, and managing system dependencies. Ubuntu docs

Binary, Hex & EncodingoptionalBase systems, ASCII/UTF-8, and Base64 as security primitives. MDN

Stage 2 / 19 · 9 topics · 0 lessons

Linux Command Line & Shell

Live in the terminal: navigate, automate, and operate Linux systems with confidence.

Shell Navigation & Filesls, cd, cp, mv, find, and absolute vs relative paths. GNU Bash manual

Text Processing Toolkitgrep, sed, awk, cut, sort, and uniq for log and data wrangling. GNU grep manual

Pipes, Redirection & Streamsstdin/stdout/stderr, pipelines, and composing commands. GNU Bash manual

Bash ScriptingVariables, loops, conditionals, functions, and exit codes. GNU Bash manual Lab

Process & Service Managementps, top, kill, jobs, nohup, and systemd/systemctl. Linux man pages

SSH & Remote AccessKey-based auth, ssh config, port forwarding, and scp/rsync. SSH Academy

Users, Groups & sudoUser management, sudoers, and least-privilege on hosts. Linux man pages

Scheduling with cron & systemd timersrecAutomating recurring tasks reliably. OSTEP (free book)

Terminal Editing (vim/nano)optionalEditing config files quickly on remote servers. Vim docs

Stage 3 / 19 · 9 topics · 1 lessons

Networking Fundamentals

How packets move and how services talk, the substrate of all distributed and secure systems.

OSI & TCP/IP ModelsLayered networking and where each protocol lives. Cloudflare Learning

IP Addressing & SubnettingIPv4/IPv6, CIDR, private ranges, and subnet math. Cloudflare Learning

TCP, UDP & PortsHandshakes, connection state, and well-known ports. Cloudflare Learning

DNSResolution, record types, TTLs, and DNS as an attack surface. Cloudflare Learning Lab

HTTP/HTTPSMethods, status codes, headers, and request/response flow. Cloudflare Learning

Routing, NAT & GatewaysrecHow traffic crosses networks and the internet edge. Wikipedia

Firewalls & Load BalancersStart hereiptables/nftables, security groups, and L4/L7 balancing. Lab

VPNs & Zero-Trust NetworkingrecTunnels, bastions, and identity-aware network access. Cloudflare Learning

Network Troubleshootingping, traceroute, dig, netstat/ss, tcpdump, and curl. Cloudflare Learning

Stage 4 / 19 · 8 topics · 0 lessons

Programming & Automation Languages

Write the code that automates infrastructure, glues pipelines, and builds security tooling.

Python for AutomationThe lingua franca of DevOps scripting and tooling. Python tutorial

Go for Cloud-Native ToolingrecThe language of Kubernetes, Terraform, and modern infra tools. Go docs

YAML, JSON & TOMLConfig and data interchange formats used everywhere in DevOps. YAML spec

Git & Version ControlBranching, merging, rebasing, and collaboration workflows. Pro Git book

Trunk-Based & GitFlowrecBranching strategies and protected branches. Atlassian Git tutorials

Regular ExpressionsrecPattern matching for parsing, validation, and detection rules. MDN

REST APIs & WebhooksConsuming and building APIs for automation and integrations. restfulapi.net

SQL & DatabasesoptionalQuerying data and understanding injection-prone surfaces. PostgreSQL docs

Stage 5 / 19 · 9 topics · 2 lessons

Security Fundamentals

The core security mental models that make DevSecOps 'Sec' rather than just DevOps.

CIA Triad & Security PrinciplesConfidentiality, integrity, availability, and defense in depth. NIST CSF

Least Privilege & Zero TrustMinimizing blast radius and never implicitly trusting. AWS docs

Authentication vs AuthorizationIdentity, sessions, MFA, RBAC, and ABAC. Auth0 docs

Applied CryptographySymmetric/asymmetric, hashing, TLS, PKI, and certificates. OWASP Cheat Sheets

OWASP Top 10The most critical web application security risks. OWASP

Threat ModelingSTRIDE, attack trees, and reasoning about adversaries.

Common Attacks & VulnerabilitiesInjection, XSS, CSRF, SSRF, and privilege escalation. OWASP

Risk, CVE & CVSSVulnerability identifiers, scoring, and risk prioritization. FIRST CVSS

The Attacker MindsetrecThinking adversarially to anticipate how systems break.

Stage 6 / 19 · 8 topics · 0 lessons

Cloud Platforms

Modern infrastructure lives in the cloud, master one provider deeply and the shared-responsibility model.

Cloud Concepts & ModelsIaaS/PaaS/SaaS, regions, AZs, and elasticity. Cloudflare Learning

Shared Responsibility ModelWho secures what between you and the cloud provider. AWS

AWS Core ServicesEC2, S3, VPC, Lambda, and the AWS console/CLI. AWS docs

Cloud IAMRoles, policies, federation, and least-privilege in the cloud. AWS docs

Cloud NetworkingVPCs, subnets, security groups, peering, and PrivateLink. AWS docs

Cloud Storage & DatabasesrecObject/block storage, managed DBs, and encryption at rest. AWS docs

Azure & GCP EquivalentsrecMulti-cloud literacy across the big three providers. Microsoft docs

Cost Management & TaggingoptionalFinOps basics, budgets, and resource governance. AWS docs

Stage 7 / 19 · 8 topics · 0 lessons

Containers & Container Security

Containers are the unit of deployment, and a major attack surface you must lock down.

Container FundamentalsNamespaces, cgroups, and how containers isolate. Docker docs

DockerImages, containers, volumes, networks, and the daemon. Docker docs

Dockerfile Best PracticesMulti-stage builds, minimal base images, and non-root users. Docker docs

Image RegistriesPushing, pulling, tagging, and private registry auth. Docker docs

Container Image ScanningTrivy, Grype, and Clair for vulnerability detection. Trivy docs

Container HardeningDistroless images, read-only FS, seccomp, and capabilities. OWASP Cheat Sheets

Image Signing & ProvenancerecCosign, Sigstore, and verifying image authenticity. Sigstore docs

Runtime SecurityrecFalco and detecting malicious behavior in running containers. Falco docs

Stage 8 / 19 · 10 topics · 4 lessons

Kubernetes & Orchestration

Operate and secure containerized workloads at scale with Kubernetes.

Kubernetes ArchitectureControl plane, nodes, etcd, kubelet, and the API server. Kubernetes docs

Pods, Deployments & ServicesCore workload and networking objects. Kubernetes docs

ConfigMaps, Secrets & VolumesConfiguration and persistent state in Kubernetes. Kubernetes docs

Kubernetes RBACRoles, bindings, and service account least-privilege. Kubernetes docs

Network PoliciesPod-to-pod segmentation and zero-trust inside the cluster.

Pod Security StandardsPod Security Admission, security contexts, and privileges.

Admission Controllers & OPArecOPA/Gatekeeper and Kyverno for policy enforcement. Kubernetes docs

Helm & PackagingrecCharts, templating, and managing releases. Helm docs

Service MeshoptionalIstio/Linkerd for mTLS, traffic control, and observability.

Cluster Hardening (CIS)reckube-bench and CIS benchmark compliance.

Stage 9 / 19 · 8 topics · 4 lessons

Infrastructure as Code

Define infrastructure declaratively, version it, and secure it before it ever deploys.

IaC PrinciplesDeclarative vs imperative, idempotency, and immutability. Terraform docs

TerraformProviders, resources, state, modules, and plan/apply. Lab

State Management & SecurityRemote state, locking, and protecting secrets in state.

Configuration ManagementrecAnsible for provisioning and configuration drift control.

IaC Security ScanningCheckov, tfsec, and Terrascan for misconfiguration detection.

Policy as CodeOPA, Sentinel, and enforcing guardrails on infra changes. OPA docs

CloudFormation & PulumioptionalAlternative IaC tools and when to use them. AWS docs

Drift DetectionrecDetecting and reconciling out-of-band infra changes. Terraform docs

Stage 10 / 19 · 8 topics · 3 lessons

CI/CD Pipelines

Automate build, test, and deploy, the assembly line where security gates get embedded.

CI/CD ConceptsContinuous integration, delivery, and deployment defined. Atlassian

Pipeline PlatformsGitHub Actions, GitLab CI, and Jenkins fundamentals. GitLab docs

Build & Artifact ManagementReproducible builds and artifact repositories.

Automated Testing in CIUnit, integration, and smoke tests as merge gates. Martin Fowler

Security Gates & Quality GatesFailing builds on vulnerabilities and policy violations. SonarQube docs

Deployment StrategiesrecBlue-green, canary, and rolling deployments. Lab

GitOpsrecArgo CD and Flux for declarative continuous deployment.

Pipeline SecurityHardening runners, OIDC, and least-privilege CI credentials. GitHub docs

Stage 11 / 19 · 9 topics · 3 lessons

Application & Code Security (Shift-Left)

Find and fix vulnerabilities in code and dependencies before they ship.

Secure Coding PracticesInput validation, output encoding, and safe defaults.

SASTStatic analysis with Semgrep, CodeQL, and SonarQube. OWASP

DASTDynamic scanning with OWASP ZAP against running apps. OWASP ZAP docs

Software Composition AnalysisDependabot, Snyk, and managing vulnerable dependencies. OWASP

Secret ScanningGitleaks and TruffleHog to catch leaked credentials. GitHub docs

IAST & RASPoptionalInstrumented and runtime application self-protection. OWASP

Software Supply Chain SecuritySLSA, SBOMs, and securing the build-to-deploy chain.

SBOM GenerationrecSyft, CycloneDX, and SPDX for dependency transparency. CISA

Vulnerability ManagementTriage, prioritization, SLAs, and remediation workflows.

Stage 12 / 19 · 6 topics · 0 lessons

Secrets & Identity Management

Protect the keys to the kingdom, credentials, tokens, and machine identity.

Secrets ManagementHashiCorp Vault and cloud secret managers. Vault docs

Dynamic & Short-Lived SecretsrecJust-in-time credentials and automatic rotation. Vault docs

Key Management (KMS/HSM)Envelope encryption, key rotation, and hardware roots of trust. AWS docs

Workload IdentityrecSPIFFE/SPIRE, OIDC federation, and IRSA. SPIFFE docs

Certificate Managementreccert-manager, ACME, and automated TLS lifecycle. cert-manager docs

SSO, OAuth2 & OIDCFederated identity and token-based authorization flows. OpenID Foundation

Stage 13 / 19 · 7 topics · 1 lessons

Cloud Security & Posture Management

Continuously secure cloud environments against misconfiguration and drift.

Cloud Security Posture (CSPM)Prowler, Scout Suite, and detecting cloud misconfigurations. Microsoft Security 101

Cloud Workload Protection (CWPP)recProtecting VMs, containers, and serverless workloads. Microsoft Security 101

CNAPP & CIEMoptionalUnified cloud-native security and entitlement management. Microsoft Security 101

CIS Benchmarks & HardeningApplying security baselines to cloud accounts.

Cloud Data ProtectionEncryption, bucket policies, and preventing data exposure. AWS docs

Secure Landing ZonesrecMulti-account guardrails, SCPs, and org-level controls. AWS docs

Serverless SecurityoptionalSecuring Lambda/functions, permissions, and event triggers. OWASP

Stage 14 / 19 · 7 topics · 0 lessons

Observability & Security Monitoring

You can't secure what you can't see, logs, metrics, traces, and detection.

Centralized LoggingELK/OpenSearch, Loki, and structured log aggregation. OpenTelemetry docs

Metrics & MonitoringPrometheus and Grafana for system health. Prometheus docs

Distributed TracingrecOpenTelemetry and Jaeger for request-level visibility. OpenTelemetry docs

SIEMSplunk/Sentinel for security event correlation and alerting. Microsoft Security 101

Audit LoggingCloudTrail, Kubernetes audit logs, and tamper-evidence. Kubernetes docs

Detection EngineeringrecSigma rules, alerting on anomalies, and reducing noise. MITRE ATT&CK

Alerting & SLOsrecActionable alerts, on-call, and error budgets. Google SRE Workbook

Stage 15 / 19 · 6 topics · 2 lessons

Compliance, Governance & GRC

Translate regulatory and contractual requirements into enforceable technical controls.

Compliance FrameworksSOC 2, ISO 27001, PCI-DSS, HIPAA, and GDPR. Google Cloud docs

Security Control FrameworksNIST CSF, NIST 800-53, and CIS Controls. CIS Controls

Compliance as CoderecOpenSCAP, InSpec, and automated control validation.

Audit & Evidence CollectionrecContinuous compliance and audit-ready automation. AICPA SOC 2

Data Privacy & ClassificationrecPII handling, data residency, and retention policies. GDPR.eu

Risk Management & GRCoptionalRisk registers, acceptance, and governance processes.

Stage 16 / 19 · 7 topics · 2 lessons

Incident Response & Resilience

When prevention fails, detect fast, respond decisively, and recover gracefully.

Incident Response LifecyclePrepare, detect, contain, eradicate, recover, and learn. NIST

Playbooks & SOARrecAutomated response runbooks and orchestration. Microsoft Security 101

Digital Forensics BasicsrecEvidence preservation, chain of custody, and log analysis. SANS DFIR

Blameless PostmortemsRoot-cause analysis and continuous improvement. Google SRE Book

Disaster Recovery & BCPRTO/RPO, backups, and business continuity planning. Lab

Chaos & Resilience EngineeringoptionalFault injection to validate system robustness.

Threat IntelligencerecIOCs, MITRE ATT&CK, and adversary tracking. MITRE ATT&CK

Stage 17 / 19 · 5 topics · 1 lessons

Offensive Security & Testing

Validate defenses the way attackers do, pentesting, red teaming, and bug bounties.

Penetration Testing BasicsrecRecon, exploitation, and the pentest methodology. OWASP WSTG

Vulnerability ScanningNessus, OpenVAS, and nmap for surface discovery. Tenable docs

Red, Blue & Purple TeamingoptionalAdversary simulation and collaborative defense. Wikipedia

Cloud & Container PentestingoptionalAttacking cloud IAM, metadata, and container escapes. OWASP WSTG

Security Chaos EngineeringoptionalInjecting security faults to test detection and response.

Stage 18 / 19 · 7 topics · 3 lessons

DevSecOps Culture & Practices

The methodology that ties it together, shifting security left and owning it as a team.

DevSecOps PhilosophySecurity as everyone's job, integrated not bolted-on. DevSecOps Manifesto

Shift-Left & Shift-RightEmbedding security early and validating in production.

Security ChampionsrecScaling security expertise across engineering teams.

Agile & Cross-Team CollaborationrecWorking within sprints and breaking down silos. Atlassian Agile Coach

DevSecOps MetricsrecDORA metrics, MTTR, and measuring security posture. DORA

Secure SDLCIntegrating security into every phase of development.

Maturity ModelsoptionalOWASP SAMM and BSIMM for program assessment. OWASP SAMM

Stage 19 / 19 · 5 topics · 0 lessons

Career, Certifications & Job Readiness

Package your skills, prove them, and land the role.

Build a PortfolioHome lab, IaC repos, and documented security projects. Hugging Face docs

Relevant CertificationsrecAWS Security, CKS, Security+, and CKA pathways. CNCF

Interview PreparationSystem design, scenario, and security deep-dive questions. GitHub

Staying CurrentrecCVE feeds, security communities, and continuous learning. Hugging Face Papers

Communication & InfluencerecWriting, threat briefings, and selling security trade-offs. Atlassian

You're job-ready.

Clear every stage, earn the certificate, and walk into interviews prepared. The complete path, nothing hidden, no gaps.

Destination reached