@munin most appsec stuff being done at generalist pentest places is gonna be Windows, so for RE skills I'd tell them to start with grabbing dnSpyEx or ILSpy and pulling some .NET programs apart with it, figuring out how they do stuff, modifying them to have different behaviour. single player Unity games are great for this cos you can load up Assembly-CSharp.dll and see ~all the game code. don't worry so much about looking for security bugs specifically, the core RE skills are more important.
@munin I don't have much in the way of advice for the infra side since that's never been my bag.
@munin I threw together a list of 100 keywords to search. should be useful for just learning a bunch of different concepts and tools and such that come up frequently.
covers web, desktop/server apps, infrastructure, cryptography, a bit of cloud, and code review.
https://gist.github.com/gsuberland/dc3656eb0146adfeebef7b02b0d70a0b