All roadmaps
Roadmap
DevSecOps Engineer
From Linux fundamentals to shipping secure software at scale — the complete DevSecOps engineer path.
19stages143topics~122hours
Curated from the best — MDN · Kubernetes · AWS · OWASP · Google SRE & more
Senior DevSecOps Engineers command £90K–£150K+ at companies like Cloudflare, HashiCorp, Snyk, and Datadog. Post-SolarWinds and Log4Shell, supply chain and runtime security engineers are among the most sought-after profiles in cloud infrastructure. The FAANG bar now expects threat modeling, IaC security scanning, and CSPM — not just "knows how to run Trivy."
The complete path — 26 of 143 topics have lessons here; the other 117 are marked learn anywhere. We won't pretend we cover everything.
01
Stage 1 / 19 · 7 topics · 0 lessons
Computing & OS Foundations
The bedrock every DevSecOps engineer stands on: how computers, operating systems, and processes actually work.
How Computers WorkCPU, memory, storage, processes, and the kernel/user-space boundary. Wikipedia
Operating System FundamentalsScheduling, virtual memory, syscalls, file systems, and I/O. OSTEP (free book)
Linux as a Daily DriverWhy Linux dominates servers and how distributions differ. The Linux Command Line
Processes, Threads & SignalsPIDs, fork/exec, signals, and the process lifecycle. OSTEP (free book)
Filesystem & Unix PermissionsInodes, mount points, ownership, rwx, setuid, and umask. Linux man pages
Package Managementrecapt, yum/dnf, apk, and managing system dependencies. Ubuntu docs
Binary, Hex & EncodingoptionalBase systems, ASCII/UTF-8, and Base64 as security primitives. MDN
02
Stage 2 / 19 · 9 topics · 0 lessons
Linux Command Line & Shell
Live in the terminal: navigate, automate, and operate Linux systems with confidence.
Shell Navigation & Filesls, cd, cp, mv, find, and absolute vs relative paths. The Linux Command Line
Text Processing Toolkitgrep, sed, awk, cut, sort, and uniq for log and data wrangling. The Linux Command Line
Pipes, Redirection & Streamsstdin/stdout/stderr, pipelines, and composing commands. The Linux Command Line
Bash ScriptingVariables, loops, conditionals, functions, and exit codes. The Linux Command Line
Process & Service Managementps, top, kill, jobs, nohup, and systemd/systemctl. OSTEP (free book)
SSH & Remote AccessKey-based auth, ssh config, port forwarding, and scp/rsync. OpenSSH
Users, Groups & sudoUser management, sudoers, and least-privilege on hosts. Linux man pages
Scheduling with cron & systemd timersrecAutomating recurring tasks reliably. OSTEP (free book)
Terminal Editing (vim/nano)optionalEditing config files quickly on remote servers. The Linux Command Line
03
Stage 3 / 19 · 9 topics · 1 lessons
Networking Fundamentals
How packets move and how services talk — the substrate of all distributed and secure systems.
OSI & TCP/IP ModelsLayered networking and where each protocol lives. Cloudflare Learning
IP Addressing & SubnettingIPv4/IPv6, CIDR, private ranges, and subnet math. Cloudflare Learning
TCP, UDP & PortsHandshakes, connection state, and well-known ports. Cloudflare Learning
DNSResolution, record types, TTLs, and DNS as an attack surface. Cloudflare Learning
HTTP/HTTPSMethods, status codes, headers, and request/response flow. Cloudflare Learning
Routing, NAT & GatewaysrecHow traffic crosses networks and the internet edge. Cloudflare Learning
Firewalls & Load Balancersiptables/nftables, security groups, and L4/L7 balancing.
VPNs & Zero-Trust NetworkingrecTunnels, bastions, and identity-aware network access. Cloudflare Learning
Network Troubleshootingping, traceroute, dig, netstat/ss, tcpdump, and curl. Cloudflare Learning
04
Stage 4 / 19 · 8 topics · 0 lessons
Programming & Automation Languages
Write the code that automates infrastructure, glues pipelines, and builds security tooling.
Python for AutomationThe lingua franca of DevOps scripting and tooling. Python docs
Go for Cloud-Native ToolingrecThe language of Kubernetes, Terraform, and modern infra tools. Cloudflare Learning
YAML, JSON & TOMLConfig and data interchange formats used everywhere in DevOps. json.org
Git & Version ControlBranching, merging, rebasing, and collaboration workflows. Git docs
Trunk-Based & GitFlowrecBranching strategies and protected branches. The Linux Command Line
Regular ExpressionsrecPattern matching for parsing, validation, and detection rules. MDN
REST APIs & WebhooksConsuming and building APIs for automation and integrations. restfulapi.net
SQL & DatabasesoptionalQuerying data and understanding injection-prone surfaces. PostgreSQL docs
05
Stage 5 / 19 · 9 topics · 2 lessons
Security Fundamentals
The core security mental models that make DevSecOps 'Sec' rather than just DevOps.
CIA Triad & Security PrinciplesConfidentiality, integrity, availability, and defense in depth. OWASP
Least Privilege & Zero TrustMinimizing blast radius and never implicitly trusting. Cloudflare Learning
Authentication vs AuthorizationIdentity, sessions, MFA, RBAC, and ABAC. OWASP
Applied CryptographySymmetric/asymmetric, hashing, TLS, PKI, and certificates. Cloudflare Learning
OWASP Top 10The most critical web application security risks. OWASP
Threat ModelingSTRIDE, attack trees, and reasoning about adversaries.
Common Attacks & VulnerabilitiesInjection, XSS, CSRF, SSRF, and privilege escalation. OWASP
Risk, CVE & CVSSVulnerability identifiers, scoring, and risk prioritization. OWASP
The Attacker MindsetrecThinking adversarially to anticipate how systems break.
06
Stage 6 / 19 · 8 topics · 0 lessons
Cloud Platforms
Modern infrastructure lives in the cloud — master one provider deeply and the shared-responsibility model.
Cloud Concepts & ModelsIaaS/PaaS/SaaS, regions, AZs, and elasticity. OWASP
Shared Responsibility ModelWho secures what between you and the cloud provider. AWS
AWS Core ServicesEC2, S3, VPC, Lambda, and the AWS console/CLI. AWS docs
Cloud IAMRoles, policies, federation, and least-privilege in the cloud. OWASP
Cloud NetworkingVPCs, subnets, security groups, peering, and PrivateLink. Cloudflare Learning
Cloud Storage & DatabasesrecObject/block storage, managed DBs, and encryption at rest. Hugging Face
Azure & GCP EquivalentsrecMulti-cloud literacy across the big three providers. Microsoft Learn
Cost Management & TaggingoptionalFinOps basics, budgets, and resource governance. OWASP
07
Stage 7 / 19 · 8 topics · 0 lessons
Containers & Container Security
Containers are the unit of deployment — and a major attack surface you must lock down.
Container FundamentalsNamespaces, cgroups, and how containers isolate. Docker docs
DockerImages, containers, volumes, networks, and the daemon. Docker docs
Dockerfile Best PracticesMulti-stage builds, minimal base images, and non-root users. Docker docs
Image RegistriesPushing, pulling, tagging, and private registry auth. GeeksforGeeks
Container Image ScanningTrivy, Grype, and Clair for vulnerability detection. Docker docs
Container HardeningDistroless images, read-only FS, seccomp, and capabilities. Docker docs
Image Signing & ProvenancerecCosign, Sigstore, and verifying image authenticity. OWASP
Runtime SecurityrecFalco and detecting malicious behavior in running containers. OWASP
08
Stage 8 / 19 · 10 topics · 4 lessons
Kubernetes & Orchestration
Operate and secure containerized workloads at scale with Kubernetes.
Kubernetes ArchitectureControl plane, nodes, etcd, kubelet, and the API server. Kubernetes docs
Pods, Deployments & ServicesCore workload and networking objects. Kubernetes docs
ConfigMaps, Secrets & VolumesConfiguration and persistent state in Kubernetes. Kubernetes docs
Kubernetes RBACRoles, bindings, and service account least-privilege. Kubernetes docs
Network PoliciesPod-to-pod segmentation and zero-trust inside the cluster.
Pod Security StandardsPod Security Admission, security contexts, and privileges.
Admission Controllers & OPArecOPA/Gatekeeper and Kyverno for policy enforcement. OWASP
Helm & PackagingrecCharts, templating, and managing releases. Helm docs
Service MeshoptionalIstio/Linkerd for mTLS, traffic control, and observability.
Cluster Hardening (CIS)reckube-bench and CIS benchmark compliance.
09
Stage 9 / 19 · 8 topics · 4 lessons
Infrastructure as Code
Define infrastructure declaratively, version it, and secure it before it ever deploys.
IaC PrinciplesDeclarative vs imperative, idempotency, and immutability. OWASP
TerraformProviders, resources, state, modules, and plan/apply.
State Management & SecurityRemote state, locking, and protecting secrets in state.
Configuration ManagementrecAnsible for provisioning and configuration drift control.
IaC Security ScanningCheckov, tfsec, and Terrascan for misconfiguration detection.
Policy as CodeOPA, Sentinel, and enforcing guardrails on infra changes. OWASP
CloudFormation & PulumioptionalAlternative IaC tools and when to use them. Pulumi docs
Drift DetectionrecDetecting and reconciling out-of-band infra changes. OWASP
10
Stage 10 / 19 · 8 topics · 3 lessons
CI/CD Pipelines
Automate build, test, and deploy — the assembly line where security gates get embedded.
CI/CD ConceptsContinuous integration, delivery, and deployment defined. GitHub Actions docs
Pipeline PlatformsGitHub Actions, GitLab CI, and Jenkins fundamentals. GitHub Actions docs
Build & Artifact ManagementReproducible builds and artifact repositories.
Automated Testing in CIUnit, integration, and smoke tests as merge gates. Martin Fowler
Security Gates & Quality GatesFailing builds on vulnerabilities and policy violations. OWASP
Deployment StrategiesrecBlue-green, canary, and rolling deployments.
GitOpsrecArgo CD and Flux for declarative continuous deployment.
Pipeline SecurityHardening runners, OIDC, and least-privilege CI credentials. GitHub Actions docs
11
Stage 11 / 19 · 9 topics · 3 lessons
Application & Code Security (Shift-Left)
Find and fix vulnerabilities in code and dependencies before they ship.
Secure Coding PracticesInput validation, output encoding, and safe defaults.
SASTStatic analysis with Semgrep, CodeQL, and SonarQube. OWASP
DASTDynamic scanning with OWASP ZAP against running apps. OWASP
Software Composition AnalysisDependabot, Snyk, and managing vulnerable dependencies. Cloudflare Learning
Secret ScanningGitleaks and TruffleHog to catch leaked credentials. HashiCorp Vault docs
IAST & RASPoptionalInstrumented and runtime application self-protection. OWASP
Software Supply Chain SecuritySLSA, SBOMs, and securing the build-to-deploy chain.
SBOM GenerationrecSyft, CycloneDX, and SPDX for dependency transparency. SLSA
Vulnerability ManagementTriage, prioritization, SLAs, and remediation workflows.
12
Stage 12 / 19 · 6 topics · 0 lessons
Secrets & Identity Management
Protect the keys to the kingdom — credentials, tokens, and machine identity.
Secrets ManagementHashiCorp Vault and cloud secret managers. HashiCorp Vault docs
Dynamic & Short-Lived SecretsrecJust-in-time credentials and automatic rotation. HashiCorp Vault docs
Key Management (KMS/HSM)Envelope encryption, key rotation, and hardware roots of trust. OWASP
Workload IdentityrecSPIFFE/SPIRE, OIDC federation, and IRSA. OWASP
Certificate Managementreccert-manager, ACME, and automated TLS lifecycle. Cloudflare Learning
SSO, OAuth2 & OIDCFederated identity and token-based authorization flows. oauth.net
13
Stage 13 / 19 · 7 topics · 1 lessons
Cloud Security & Posture Management
Continuously secure cloud environments against misconfiguration and drift.
Cloud Security Posture (CSPM)Prowler, Scout Suite, and detecting cloud misconfigurations. OWASP
Cloud Workload Protection (CWPP)recProtecting VMs, containers, and serverless workloads. OWASP
CNAPP & CIEMoptionalUnified cloud-native security and entitlement management. OWASP
CIS Benchmarks & HardeningApplying security baselines to cloud accounts.
Cloud Data ProtectionEncryption, bucket policies, and preventing data exposure. OWASP
Secure Landing ZonesrecMulti-account guardrails, SCPs, and org-level controls. OWASP
Serverless SecurityoptionalSecuring Lambda/functions, permissions, and event triggers. OWASP
14
Stage 14 / 19 · 7 topics · 0 lessons
Observability & Security Monitoring
You can't secure what you can't see — logs, metrics, traces, and detection.
Centralized LoggingELK/OpenSearch, Loki, and structured log aggregation. OpenTelemetry docs
Metrics & MonitoringPrometheus and Grafana for system health. OWASP
Distributed TracingrecOpenTelemetry and Jaeger for request-level visibility. OpenTelemetry docs
SIEMSplunk/Sentinel for security event correlation and alerting. OWASP
Audit LoggingCloudTrail, Kubernetes audit logs, and tamper-evidence. OWASP
Detection EngineeringrecSigma rules, alerting on anomalies, and reducing noise. OWASP
Alerting & SLOsrecActionable alerts, on-call, and error budgets. Google SRE Book
15
Stage 15 / 19 · 6 topics · 2 lessons
Compliance, Governance & GRC
Translate regulatory and contractual requirements into enforceable technical controls.
Compliance FrameworksSOC 2, ISO 27001, PCI-DSS, HIPAA, and GDPR. Google Cloud docs
Security Control FrameworksNIST CSF, NIST 800-53, and CIS Controls. OWASP
Compliance as CoderecOpenSCAP, InSpec, and automated control validation.
Audit & Evidence CollectionrecContinuous compliance and audit-ready automation. OWASP
Data Privacy & ClassificationrecPII handling, data residency, and retention policies. Google ML Crash Course
Risk Management & GRCoptionalRisk registers, acceptance, and governance processes.
16
Stage 16 / 19 · 7 topics · 2 lessons
Incident Response & Resilience
When prevention fails, detect fast, respond decisively, and recover gracefully.
Incident Response LifecyclePrepare, detect, contain, eradicate, recover, and learn. Google SRE Book
Playbooks & SOARrecAutomated response runbooks and orchestration. OWASP
Digital Forensics BasicsrecEvidence preservation, chain of custody, and log analysis. OWASP
Blameless PostmortemsRoot-cause analysis and continuous improvement. Google SRE Book
Disaster Recovery & BCPRTO/RPO, backups, and business continuity planning.
Chaos & Resilience EngineeringoptionalFault injection to validate system robustness.
Threat IntelligencerecIOCs, MITRE ATT&CK, and adversary tracking. OWASP
17
Stage 17 / 19 · 5 topics · 1 lessons
Offensive Security & Testing
Validate defenses the way attackers do — pentesting, red teaming, and bug bounties.
Penetration Testing BasicsrecRecon, exploitation, and the pentest methodology. Martin Fowler
Vulnerability ScanningNessus, OpenVAS, and nmap for surface discovery. OWASP
Red, Blue & Purple TeamingoptionalAdversary simulation and collaborative defense. OWASP
Cloud & Container PentestingoptionalAttacking cloud IAM, metadata, and container escapes. Docker docs
Security Chaos EngineeringoptionalInjecting security faults to test detection and response.
18
Stage 18 / 19 · 7 topics · 3 lessons
DevSecOps Culture & Practices
The methodology that ties it together — shifting security left and owning it as a team.
DevSecOps PhilosophySecurity as everyone's job, integrated not bolted-on. OWASP
Shift-Left & Shift-RightEmbedding security early and validating in production.
Security ChampionsrecScaling security expertise across engineering teams.
Agile & Cross-Team CollaborationrecWorking within sprints and breaking down silos. OWASP
DevSecOps MetricsrecDORA metrics, MTTR, and measuring security posture. OWASP
Secure SDLCIntegrating security into every phase of development.
Maturity ModelsoptionalOWASP SAMM and BSIMM for program assessment. OWASP
19
Stage 19 / 19 · 5 topics · 0 lessons
Career, Certifications & Job Readiness
Package your skills, prove them, and land the role.
Build a PortfolioHome lab, IaC repos, and documented security projects. OWASP
Relevant CertificationsrecAWS Security, CKS, Security+, and CKA pathways. AWS Certification
Interview PreparationSystem design, scenario, and security deep-dive questions. GitHub
Staying CurrentrecCVE feeds, security communities, and continuous learning. OWASP
Communication & InfluencerecWriting, threat briefings, and selling security trade-offs. Google Technical Writing
You're job-ready.
Clear every stage, earn the certificate, and walk into interviews prepared. The complete path — nothing hidden, no gaps.
Destination reached