Standoff 365 ambassadors

What to read about hacking and red teaming

  • Peter Kim. The Hacker Playbook 2: Practical Guide to Penetration Testing (2015). A practical guide to basic pentesting techniques, focusing on penetration testing methodology. The next book in the series covers red team strategies.
  • Peter Kim. The Hacker Playbook 3: Practical Guide to Penetration Testing (2018). A follow-up focused on more advanced attacks and red team scenarios. 
  • Jon Erickson. Hacking: The Art of Exploitation (2nd ed., 2008). A classic book on the "art of exploitation," exploring unconventional approaches to complex security problems and teaching you to think like a hacker. Erickson teaches programming in C from a hacker's perspective, showing how to search for vulnerabilities and write exploits. Despite being over a decade old, this book is still highly relevant for understanding vulnerability exploitation.
  • Dafydd Stuttard, Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2nd ed., 2011). A definitive guide to web application security testing. 
  • Red Team Field Manual (2014): a handy pocket guide for red team professionals. Instead of being a traditional manual, it's more of a concise cheat sheet filled with commands and techniques for penetration testing scenarios. 
  • PortSwigger Web Security Academy: a free online academy created by the developers of Burp Suite for learning web hacking. It includes theoretical educational content, interactive labs, and video tutorials on all major types of web vulnerabilities. The academy is regularly updated to include the latest attacks and techniques, making it a dynamic follow-up to the renowned The Web Application Hacker's Handbook. An excellent resource for learning web application security on your own—covering everything from SQL injection and XSS to SSRF and deserialization.