Networking, protocols, deep packet inspection, XML, XPath Injection, XXE, SQL Injection, HTML Injections, privilege escalation, XXS - cross site scripting, API Security.
Understanding social engineering attacks, how to exploit network-based vulnerabilities, and intercept traffic via on-path (man-in-the-middle) attacks, pivoting, known vulnerabilities.
Research attack vectors and how to perform application-based attacks, wireless attacks, network attacks, cloud technologies, and the reverse - how to defend against these.
Virtual Machines, Metasploitable, Damn Vulnerable Web Application (DVWA).
Tools - Kali, Frida, Hopper, Metasploit, Nmap, Dirb, Aircrack, Wireshark, Nslookup, TShark, Nikto, John the Ripper, Medusa, Trivy, Drozer, Nessus, Burp Suite, Immunity Debugger,
Python - for doing things like automating repetitive tasks etc to save you time.
This is a rather random list of topics that may be good for you.
I don't know where you've been learning about pentesting and malware development, I'm guessing places like YouTube. Have you come across people like David Bombal? He covers a range of IT topics and is fairly clear in his instruction. He is on YT and has paid for courses on places like Udemy.com (they used to offer quite a lot of free courses but after a quick search today I couldn't find many, although there were some reduced to $4 or so. Its probably worth keeping an eye out for any offers there). Bombal has some courses for free on
David Bombal Free Courses
