Where I Am Right Now
Domains 1, 2, and 3 of the ISC2 CC are done. Security Principles, Incident Response and Business Continuity, and Access Control Concepts — three modules, 96% average across the assessments, and a set of ideas that have started to feel less like study material and more like a working mental model.
I want to be clear about what that means and does not mean. Finishing three modules of a foundational certification does not make someone a security professional. What it does is give you a framework for thinking. And when I look honestly at where my interest points, it points toward the offensive side — understanding how systems are tested, where they fail, and how someone with bad intent would move through an environment. The eventual goal is to be someone who tests security, not just documents it.
But I am also realistic about where I start. That starting point is home networks and small business environments.
Why Home and Small Business Security Is the Right Entry Point
Home networks and small businesses are often discussed as a category of low stakes. I think that framing is wrong. The threat surface is real, the security posture is frequently poor, and the consequences of a breach — lost data, compromised accounts, financial loss, disrupted operations — fall directly on people with limited resources to recover.
From a learning perspective, these environments are also well-suited to someone at my stage. The scope is bounded. The systems are common — consumer routers, shared drives, cloud accounts, Windows and Mac endpoints, basic wireless networks. The vulnerabilities are well-documented. And the ethical path is clear: you only test systems you own, operate, or have explicit written permission to assess.
I am not in a position to claim expertise in penetration testing. What I can do is apply the foundational concepts I have actually studied and start building practical skill in a controlled, legitimate way.
What Domains 1–3 Built That Actually Transfers
It would be easy to think of the ISC2 CC as purely defensive content — principles, policies, controls, response plans. That is how it is framed. But the same knowledge that helps a defender build a secure environment is what helps a tester identify where that environment is weak.
The CIA triad is a good example. Confidentiality, integrity, and availability are the three properties a secure system is supposed to protect. When you test a system, you are asking the same question from a different angle: what would break confidentiality here? Where could integrity be undermined? What would take availability offline? The triad does not change — the direction of inquiry does.
Access control is another area that maps directly. Domain 3 covered the principle of least privilege, segregation of duties, authentication factors, and how identity and access management works across a user's lifecycle. For a tester, those are the concepts that define where over-permissioned accounts live, where authentication is weak, and where access boundaries are not enforced. Understanding RBAC, DAC, and MAC is not just policy knowledge — it tells you what good looks like so you can recognise when something falls short.
Incident response, covered in Domain 2, is relevant in a different way. Knowing the incident response lifecycle — preparation, detection, containment, eradication, recovery — helps me think about what traces an action leaves and why documentation matters in any security-related work, including authorised testing.
What the Real-World Threat Landscape Looks Like Right Now
Spending time on BleepingComputer gives a clear picture of what active threats look like in practice. Supply chain attacks, compromised software packages, credential theft through malicious plugins, ransomware groups adapting their infrastructure to hide traffic inside legitimate services — these are not theoretical. They are the operational environment that any security practitioner, offensive or defensive, has to understand.
For home and small business security, the most relevant patterns are simpler but still serious: default credentials left unchanged, unpatched devices, weak wireless configurations, poor account hygiene, and a lack of any incident response plan. These are not exotic attack vectors. They are the gaps that make the common threats effective.
I am not going to claim I have the tools or the depth to address the enterprise-level threats being tracked on security news feeds right now. What I can do is understand the pattern — attackers find the weakest point in scope, move deliberately, and rely on the fact that most environments are not monitored well enough to catch early-stage activity.
What Honest Skill-Building Looks Like From Here
I am continuing with TryHackMe alongside the ISC2 CC coursework. The practice environment matters. Reading about enumeration or access control weaknesses is useful. Actually running through a structured lab room that walks you through the tool and the technique is different — it connects the concept to the operation.
Domains 4 and 5 of the ISC2 CC cover network security and security operations, and those are next. Network security in particular is foundational for anyone moving toward offensive work — you cannot reason about what is happening on a network without understanding the protocols and the normal traffic patterns they generate.
The home and small business focus is not a limitation. It is a starting point with a clear scope, real applicability, and enough complexity to require genuine understanding. That is a reasonable place to begin.
What I Keep Coming Back To
The best thing Domains 1–3 gave me was not a score. It was a habit of asking: what is this system supposed to do, what controls are in place, and where is the gap between the two? That question is the same whether you are writing a security policy or scoping an authorised test.
I do not have all the answers yet. I am early in a process that takes years to build properly. But the foundation is real, the direction is clear, and the next steps are defined. That is enough to keep moving.