# Guided Learning Paths for Newcomers

> **Intro:** Reading order matters. A beginner who starts with obscure tooling details before understanding trust boundaries will memorize commands without building judgment.
>
> **What this page includes**
>
> * one 30-day ramp-up plan;
> * one 90-day AppSec engineer plan;
> * role-specific starter tracks for cloud, Kubernetes, APIs, and Product Security management;
> * simple signals that the learner is progressing.

## How to use the tracks

* treat each week as **read + review + practice**, not reading only;
* pair one content page with one real review, ticket, PR, or tabletop;
* keep notes on what felt confusing and what repeated across services;
* do not try to complete every page in the knowledge base before doing any practical work.

## 30-Day Product Security Ramp-Up

| Week   | Primary goal                             | Read first                                                                                                                                                                                                                                                                                                                                                                                                    | Practice                                                                 | Outcome                                                        |
| ------ | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | -------------------------------------------------------------- |
| Week 1 | Learn how Product Security sees systems  | [Threat Modeling Methods and Workflows](/application-security-and-secure-sdlc/index/threat-modeling-methods-and-workflows.md), [API Authentication and Authorization](/architecture-api-crypto-and-identity/index/api-authentication-and-authorization.md), [From Zero to Useful](/learning-labs-interview-and-templates/index-3/from-zero-to-useful-how-to-start.md)                                         | Sit in on one review and write down assets, actors, and trust boundaries | Can follow a review without getting lost in jargon             |
| Week 2 | Learn release and CI/CD trust boundaries | [GitLab CI YAML Deep Dive](/devsecops-cicd-and-supply-chain/index-1/gitlab-ci-yaml-deep-dive.md), [Runner Isolation and Trust Boundaries](/devsecops-cicd-and-supply-chain/index-1/runner-isolation-and-trust-boundaries.md), [Secret Handling Checklist](/learning-labs-interview-and-templates/index-3/secret-handling-checklist.md)                                                                        | Review one pipeline or deployment flow with a teammate                   | Can explain where secrets and approvals live                   |
| Week 3 | Learn cloud and runtime basics           | [AWS Networking and Policy Baseline](https://github.com/D3One/Product-Security-Gitbook/blob/main/08-infrastructure-and-cloud-security/aws-networking-and-policy-baseline.md), [Runtime Protection for Microservices](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md), [IAM Review Checklist](/learning-labs-interview-and-templates/index-3/iam-review-checklist.md) | Trace one workload identity end to end                                   | Can explain which identity performs a production action        |
| Week 4 | Learn review and escalation discipline   | [Product Security Incident Response Playbooks](/attack-paths-testing-detection-and-hardening/index/product-security-incident-response-playbooks.md), [Pre-Release Security Checklist](/learning-labs-interview-and-templates/index-3/pre-release-security-checklist.md), [Production Readiness Security Checklist](/learning-labs-interview-and-templates/index-3/production-readiness-security-checklist.md) | Lead a small review using a checklist                                    | Can identify what needs escalation vs what can be fixed inline |

## 90-Day AppSec Engineer Ramp-Up

### Days 1-30: Build the mental model

* learn trust boundaries, API auth, object-level authorization, deployment trust, and cloud identity;
* join at least two design or release reviews;
* practice writing short security notes after each review.

### Days 31-60: Build review confidence

* review SAST, secrets, dependency, and runtime findings without immediately escalating everything;
* learn to distinguish **scanner severity** from **actual exploit path and business impact**;
* shadow one architecture review and one incident tabletop.

### Days 61-90: Build operating judgment

* own a small review end to end;
* propose one improvement to a checklist, gate, or detection rule;
* write one risk summary for engineers and one version for managers.

| Phase | Focus questions                                                 | Expected evidence of progress                                      |
| ----- | --------------------------------------------------------------- | ------------------------------------------------------------------ |
| 1-30  | What is the system? Who can act? What data matters?             | Cleaner notes, better questions, less confusion in review meetings |
| 31-60 | Which findings matter first? What can be exploited in practice? | Better triage and fewer “everything is urgent” reactions           |
| 61-90 | What should we fix now, later, or accept?                       | Clearer prioritization, stronger written recommendations           |

## Cloud Security Starter Track

| Order | Focus                          | Pages                                                                                                                                                                                                                                                                                   |
| ----- | ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1     | Cloud identity and trust       | [Workload Federation and Non-Human Identities](/architecture-api-crypto-and-identity/index-2/workload-federation-and-non-human-identities.md), [GitHub, GitLab, and Cloud Trust Patterns](/architecture-api-crypto-and-identity/index-2/github-gitlab-oidc-and-cloud-trust-patterns.md) |
| 2     | Provider-specific attack paths | [Provider-Specific Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/cloud-attack-chains.md), [AWS Provider-Specific Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/aws-cloud-attack-chains.md)                                    |
| 3     | Review discipline              | [Cloud Change Review Checklist](/learning-labs-interview-and-templates/index-3/cloud-change-review-checklist.md), [IAM Review Checklist](/learning-labs-interview-and-templates/index-3/iam-review-checklist.md)                                                                        |
| 4     | Detection and response         | [Logging and Telemetry Strategy](/attack-paths-testing-detection-and-hardening/index/logging-and-telemetry-strategy.md), [High-Signal Detection Patterns and SIEM Examples](/attack-paths-testing-detection-and-hardening/index/high-signal-detection-patterns-and-siem-examples.md)    |

## Kubernetes Security Starter Track

| Order | Focus                                  | Pages                                                                                                                                                                                                                                                                           |
| ----- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1     | Cluster baseline and workload identity | [Kubernetes Baseline and Hardening](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-baseline.md), [Kubernetes Deployment Review Checklist](/learning-labs-interview-and-templates/index-3/kubernetes-deployment-review-checklist.md)                  |
| 2     | Network and runtime controls           | [Kubernetes Network Policy Patterns](/cloud-kubernetes-and-infrastructure-security/index-1/network-policy-patterns.md), [Runtime Investigation Playbook for Kubernetes and Containers](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md) |
| 3     | Image and build trust                  | [Container Image Signing and Verification](/cloud-kubernetes-and-infrastructure-security/index-1/trusted-images-harbor-and-signing.md), [Dockerfile Review Checklist](/learning-labs-interview-and-templates/index-3/dockerfile-review-checklist.md)                            |
| 4     | Practice                               | [Worked Example Tabletop: CI Runner Compromise Before Release](https://github.com/D3One/Product-Security-Gitbook/blob/main/22-learning-paths-and-labs/worked-example-ci-runner-compromise-tabletop.md)                                                                          |

## API Security Starter Track

| Order | Focus                     | Pages                                                                                                                                                                                                                                                                                                                                 |
| ----- | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1     | Core risks and auth model | [API Design and Contract Security](/architecture-api-crypto-and-identity/index/api-design-and-contract-security.md), [API Authentication and Authorization](/architecture-api-crypto-and-identity/index/api-authentication-and-authorization.md)                                                                                      |
| 2     | Abuse and resilience      | [API Abuse Resilience and Rate Limits](/architecture-api-crypto-and-identity/index/api-abuse-resilience-and-rate-limits.md), [Rate Limits, Quotas, Friction, and Abuse Detection](https://github.com/D3One/Product-Security-Gitbook/blob/main/19-business-logic-abuse-and-product-abuse/rate-limits-quotas-friction-and-detection.md) |
| 3     | Review discipline         | [API Review Checklist](/learning-labs-interview-and-templates/index-3/api-review-checklist.md), [Worked Example API Review Lab](https://github.com/D3One/Product-Security-Gitbook/blob/main/22-learning-paths-and-labs/worked-example-api-review-lab.md)                                                                              |
| 4     | Observation               | [API Testing, Observability, and Release Gates](/architecture-api-crypto-and-identity/index/api-testing-observability-and-release-gates.md)                                                                                                                                                                                           |

## Product Security Manager Starter Track

| Order | Focus                     | Pages                                                                                                                                                                                                                                                                              |
| ----- | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1     | Operating model           | [Operating Models, Intake, and Ownership](/strategy-governance-and-leadership/index/operating-models-intake-and-ownership.md)                                                                                                                                                      |
| 2     | Metrics and communication | [Product Security Director Metrics](/metrics-audit-risk-evidence-and-compliance/index/product-security-director-metrics.md), [Stakeholder Communication and Executive Narratives](/strategy-governance-and-leadership/index/stakeholder-communication-and-executive-narratives.md) |
| 3     | Risk and exceptions       | [Risk Acceptance, Exceptions, and Decision Records](/strategy-governance-and-leadership/index/risk-acceptance-exceptions-and-decision-records.md)                                                                                                                                  |
| 4     | Review and prioritization | [From Zero to Useful](/learning-labs-interview-and-templates/index-3/from-zero-to-useful-how-to-start.md), [Production Readiness Security Checklist](/learning-labs-interview-and-templates/index-3/production-readiness-security-checklist.md)                                    |

## Recommended training environments

When the learner is ready to move from reading into controlled hands-on practice, use:

* [Vulnerable Learning Labs and Goat Environments](/learning-labs-interview-and-templates/index-2/vulnerable-learning-labs-and-goat-environments.md);
* [OWASP Juice Shop](/learning-labs-interview-and-templates/index-2/owasp-juice-shop-web-and-api-lab.md) for web, API, session, and browser flaws;
* [CI/CD Goat](/learning-labs-interview-and-templates/index-2/cicd-goat-pipeline-security-lab.md) for release trust and pipeline abuse;
* [Kubernetes Goat](/learning-labs-interview-and-templates/index-2/kubernetes-goat-cluster-lab.md) for cluster and runtime thinking;
* [AWSGoat](/learning-labs-interview-and-templates/index-2/awsgoat-aws-cloud-lab.md) and [CloudGoat](/learning-labs-interview-and-templates/index-2/cloudgoat-cloud-scenarios-lab.md) for AWS attack-path understanding;
* [TerraGoat](/learning-labs-interview-and-templates/index-2/terragoat-iac-misconfiguration-lab.md) for IaC review and policy-as-code practice;
* [Secure Coding Training Platforms for Developers](/learning-labs-interview-and-templates/index-2/secure-coding-training-platforms-for-developers.md) when the learner writes production code and needs repeated language-specific practice.

## Progress signals

The track is working when the learner can:

* summarize a review in one page without drowning in detail;
* tell the difference between **“this is broken”** and **“this is risky if these conditions exist”**;
* name the identity, data, and blast radius in a workflow;
* ask which logs would prove success or abuse;
* explain a recommendation differently to engineers and managers.

## Related pages

* [Reading Paths](/appendices-assets-and-reusable-artifacts/reading-paths.md)
* [From Zero to Useful](/learning-labs-interview-and-templates/index-3/from-zero-to-useful-how-to-start.md)
* [Break-Fix Labs and Tabletop Scenarios](/learning-labs-interview-and-templates/index-2/break-fix-labs-and-tabletop-scenarios.md)

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
