Field Guide Collection · Start Here

Start
Here

A coordinated set of teaching field guides for IT help-desk and security work — how to think, how to secure, and how the network actually works. Each stands alone; together they build from method to mechanism to defence. This page is the map.

28 guides 3 families 1 shared method

Two disciplines run through every guide: accuracy over confidence — stable facts are stated plainly, but anything version-specific or changeable is flagged to verify rather than asserted from memory — and no blanket security assurances — nothing is called "secure" in the abstract; each control is tied to a specific threat and its residual risk.

Thinking & Method 6 guides · how to reason under uncertainty Security Operations 9 guides · secure, respond, attribute Networking 13 guides · how the network actually works calibration→attribution RCA ↔ IR method ↔ bisection zero trust · segments
Three families, one shared habit — trace the problem to its mechanism, change one thing, and say only what the evidence supports. The dashed links are where the families reinforce each other.
A

Thinking & Method

How to reason about a problem under uncertainty — the base layer the other families stand on.

B

Security Operations

Securing, defending, responding, and reasoning about adversaries — reusing the judgment discipline from Family A.

Identity & AuthenticationProving who you are: the MFA hierarchy and how it's bypassed (AiTM, push-bombing), phishing-resistant auth (FIDO2/passkeys), SSO, Kerberos, and the identity lifecycle. Zero TrustNIST SP 800-207: network location grants no trust; authorize per-resource, per-session on identity, device, and context — assume breach. Access Decision HandbookThe need-vs-restrict decision and the two-gate model for granting access. Companion deep-dive to Zero Trust. Incident ResponseNIST SP 800-61 Rev 3 (CSF 2.0): contain first, preserve evidence, eradicate, recover, and learn — running an incident under pressure. Attack Taxonomy & AttributionKill Chain, Diamond Model, MITRE ATT&CK (v19), the Pyramid of Pain, and attribution as a layered, honest judgment. Email Security & PhishingSPF, DKIM & DMARC (now RFC 9989) and how alignment protects the visible From — why a passing check still isn't a safe message, the bulk-sender enforcement shift, and the social engineering (BEC, T1566) that skips the machinery. Detection EngineeringTurning attacker behavior into rules that fire on the real thing without drowning analysts: the false-positive/false-negative tradeoff, the Pyramid of Pain, illustrative Sigma/YARA/Snort rules — and why an untested rule has unknown rates and covers nothing you can assure. Logging & EvidenceThe record detections and investigations depend on: what to log and where it lives, why time is the join key, correlating many sources into one timeline, and treating a log as evidence — the order of volatility, what a hash does and doesn't prove, and why absence is never proof. Vulnerability ManagementDeciding what to fix first when you can't fix everything: the CVE/CWE/CPE identifiers and the CVSS/KEV/EPSS/SSVC scores, why severity is not priority, the window of exposure, and patch-vs-mitigate-vs-accept — each reducing a named risk, none making you "secure."
C

Networking

How the network actually works — the wired path end to end, then the wireless first hop.

Networking — Follow the PacketThe teaching core: addressing & the mask, DHCP, Layer 2, routing, DNS, TLS, the troubleshooting method, and design discipline. Subnetting & CIDRThe addressing math beneath the mask: prefix and mask, network / broadcast / range, the interesting-octet method, VLSM and summarization, reserved ranges, and IPv6 prefixes — the deep-dive behind Follow the Packet's overview. IP Routing & Route TablesHow a packet is forwarded hop by hop: longest-prefix match, the route-table fields, route types, tie-breaking (LPM then administrative distance then metric), RIB vs FIB, and how to read a real routing table. DNS — Name ResolutionHow resolution works and how to troubleshoot it: the caching path from stub to authoritative, why "propagation" is really TTL expiry, the record types, resolver topologies, and the security split — DNSSEC proves the answer, encrypted transport hides the query. TLS & CertificatesWhat TLS does and doesn't secure, the handshake and the chain of trust, why a wrong SNI or a missing intermediate breaks things, the current version rules (1.3 preferred, 1.0/1.1 dead), and the shrinking certificate lifetimes now forcing automation. Networking MisconceptionsThe common network myths paired with the mechanism that refutes each and the wrong root-cause call it causes: ping ≠ working app, "always DNS," expired-cert-vs-clock, HTTPS ≠ safe, NAT ≠ firewall, reachable ≠ allowed, slow ≠ bandwidth. Network Sage-AdviceThe veteran habits that decide whether an incident takes ten minutes or all afternoon: blame is a hypothesis, ask "what changed?" first, bisect don't guess, measure don't assume, protect the evidence, change one thing reversibly, and name the threat model. Firewall & Rule CreationRule anatomy (match → action, default-deny), stateful vs stateless, and why both order and zone/direction placement decide whether a rule matches at all — then what it sees under NAT (post-DNAT destination, pre-SNAT source) and behind proxies/load balancers, plus Layer-7 app-ID's false-positive/negative tradeoffs, anti-spoofing (BCP 38 / uRPF), ICMP and IPv6 parity, and rule lifecycle. Visual ReferenceThe family's core mental models in one gallery — encapsulation and the layers, the end-to-end-IP-vs-hop-MAC path, the subnet split, the routing funnel (LPM → AD → metric), DNS resolution, and the TCP and TLS handshakes — each redrawn to a common style with a pointer to the guide that develops it. Wi-Fi — Working the AirThe wireless first hop: bands & channels, RSSI vs. SNR, WPA2/WPA3, roaming — and the tickets that blame the Wi-Fi but aren't. VPN, IPsec & TunnelingThe encrypted tunnel across hostile ground: IPsec (ESP/AH, IKEv2), WireGuard's fixed modern suite, and TLS gateways — plus why a tunnel encrypts the path but never makes the endpoints, or the concentrator itself, trustworthy. HTTP & the Application LayerThe top of the stack: requests, methods, and status codes; HTTP/1.1 vs /2 vs /3; why HTTPS authenticates the channel but not the site; and the application-layer attack surface (OWASP Top 10:2025) that lives up here. Reading a Packet CaptureOpening a pcap and cutting it to the conversation that matters: capture vs display filters, following a stream, reading the TCP handshake and its failure signatures — and staying honest about what an encrypted, single-vantage capture can't prove.

Reference & Aids

Not topical guides but tools for use alongside them — quick reference that spans the whole collection.

Suggested Reading Paths

New to IT support

  1. Troubleshooting — learn the universal method first.
  2. Networking (Follow the Packet) — then Wi-Fi for the wireless first hop.
  3. Root Cause Analysis (+ the Methods Handbook) — turn fixes into understanding.

Security analyst / SOC

  1. Critical Thinking — the calibration and ACH that everything else leans on.
  2. Attack Taxonomy & Attribution — describe what happened and reason about who did it.
  3. Incident Response — run the incident; Identity & Authentication, then Zero Trust + Access Decision — the credential and the authorization behind every access.

Leading an incident

  1. Incident Response — contain, preserve, recover.
  2. Root Cause Analysis (+ Methods) — the disciplined "why" for the after-action.
How the families reinforce each other

The diagnostic method in Troubleshooting is the same loop as the packet-bisection in Networking. Critical Thinking's ACH and probability/confidence discipline is exactly what keeps attribution honest. RCA is the "why" you run after an Incident Response is contained. And Zero Trust / segmentation is where security and networking meet. Read across the families, not just down them.

Keep all the guide files in one folder for the links above to resolve. Each guide is a self-contained HTML page (open it and use its Print / Save-PDF button for the display fonts) and also ships as a paginated A4 PDF and a single-page "continuous" PDF. Standards and version-specific facts (framework revisions, ATT&CK version, Wi-Fi generations, vendor defaults) are current as of mid-2026 and flagged within each guide to verify against the primary source before formal use.