I started TryHackMe with a QA engineering background. I knew how to break software from a testing perspective, but I had no idea what a reverse shell was or why anyone would care about OSINT. Fourteen months later, I'm sitting in the top 3% globally.
Here's what that path actually looked like.
Why I Started
My CTF results in 2021–2022 (10th in National Cyber Drill, 7th in RIOT FlagHunt) were mostly luck. I was solving challenges by Googling the specific error message and hoping someone had written a writeup. I wasn't learning the underlying concepts; I was pattern-matching.
TryHackMe forced me to learn the why.
The Learning Path I Followed
Phase 1: Pre-Security (Weeks 1–3)
This was the foundation I was missing.
Phase 2: Jr Penetration Tester Path (Months 1–4)
Key rooms that changed my thinking:
OWASP Top 10: Not just the names, but actually exploiting each one. The SQL injection room was eye-opening because I'd been writing SQL injection test cases without understanding what actually happens server-side.
Burp Suite Basics: I'd been using Postman for API testing. Burp Suite is on another level. Intercepting requests, modifying parameters, replaying them with modifications; this is where my QA mindset translated directly.
SSRF: This one hit close to home. I realized I'd missed potential SSRF vectors in several applications I'd tested.
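To make the server-side point from the SQL injection room concrete, here is an added example (my own illustration, not code from the room or from TryHackMe): a login check built by string concatenation next to the same check written as a parameterised query, both run against a constructed in-memory SQLite table. The table, the users and the payload are made up for this example, and storing passwords in plaintext is a simplification so the focus stays on the query.

```python
import sqlite3

# Constructed in-memory user store standing in for an application's database.
# Example data only; the plaintext password column is deliberately simplified.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string concatenation.

    Whatever the user typed becomes part of the SQL grammar, so a quote
    closes the string literal and '--' comments out the rest of the line.
    Returns the SQL the server actually executed alongside the rows.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return query, conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Uses bound parameters.

    The statement text is fixed; the driver passes the input as data values,
    so quotes and comment markers inside it never reach the SQL parser as
    syntax. The SQL text returned is identical for every input.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return query, conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: close the username literal, comment out the password check.
    payload = "alice' --"
    for fn in (login_vulnerable, login_safe):
        sql, rows = fn(db, payload, "wrong-password")
        print(fn.__name__)
        print("  executed:", sql)
        print("  rows:    ", rows)
```

Running it shows the difference a tester needs to see: the concatenated version executes `... WHERE username = 'alice' --' AND password = 'wrong-password'` and returns alice's admin row without a valid password, while the parameterised version executes the unchanged template and returns nothing.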
Phase 3: Offensive Pentesting Path (Months 4–9)
- Metasploit, beginner to intermediate
- Web application hacking (XSS, IDOR, broken auth)
- Privilege escalation (Linux and Windows)
- Active Directory basics
The privilege escalation content was the hardest. Linux privesc alone has 20+ distinct techniques.
Phase 4: Specialization
I focused on web application hacking because it overlapped with my QA skills. Bug bounty methodology, IDOR hunting, auth bypass: this is where my existing knowledge gave me an edge.
What QA Skills Transfer to Security
More than I expected:
| QA Skill | Security Equivalent |
|---|---|
| Boundary value testing | Fuzzing / parameter tampering |
| Negative testing | Broken auth / input validation testing |
| API testing | API security testing |
| Defect documentation | Bug bounty report writing |
| Exploratory testing | Recon and manual app mapping |
| Regression testing | Verifying patch effectiveness |
The Grind
Top 3% isn't about being smart; it's about consistency. I did at minimum one room per day for 6 months straight, even if it was just 30 minutes. The streak motivation is real.
If you're a developer or tester looking to get into security: start with TryHackMe's Jr Penetration Tester path. Your existing skills will help more than you think.

