
The best web security and appsec YouTube channels in 2026

An opinionated pick of the web security YouTube channels worth watching in 2026 if you want to actually understand how web apps break.


There is a difference between learning to hunt and learning how web apps break. The first is a business: recon, scope, duplicates, payout screenshots. The second is craft: understanding why a parser trusts the wrong byte, why a redirect becomes an SSRF, why two endpoints disagree about who you are. This post is about the second thing. If you want the bounty side, we wrote the best bug bounty YouTube channels separately, and it is a genuinely different list with a different point.

So this is appsec, not the grind. Vulnerability classes. The OWASP Top 10 as a starting map, not a finish line. Source review, request smuggling, the shape of a deserialization gadget. Ranked, opinionated, caveats where they belong.

The channels that make the mechanics click

PwnFunction is the one I send people to first, and it is not close. What he does is take a vulnerability class and animate the actual control flow, the data path, the moment the trust boundary breaks. The XSS videos are the canonical explanation. The SSRF one finally made the "why does the server fetch that" question concrete for half the juniors I have worked with. Prototype pollution, CSRF, the lot. You watch it and the bug stops being a payload you memorize and starts being a thing you understand.

The honest caveat: he posts rarely. This is not a channel you subscribe to for a steady feed. The videos are expensive to make and it shows in both the quality and the gaps between them. Treat the back catalog as a textbook. Watch each one twice.

The XSS Rat is the opposite energy, and useful for exactly that reason. Volume over polish: an enormous amount of hands-on web testing content, XSS first but well past it now, full courses, walkthroughs, technique after technique. If you learn by sheer exposure, by watching someone open Burp and just go, this is a firehose and it is genuinely valuable.

The tradeoff is the flip side of that volume. Production is rough, consistency varies clip to clip, and some explanations are looser than I would like. Cross-check the technique against the more rigorous channels before you internalize it. Breadth, not gospel.

Seeing the patterns in real production apps

NahamSec earns his spot here for the applied angle. Most appsec content is theory at a whiteboard. He shows real web testing against real surface, the enumeration, the "this parameter looks reflective, let me poke it" reasoning, the unglamorous backtracking that actual testing is made of. For an appsec engineer who has read about IDOR and SSRF but never watched someone chain them on a live target, the practical sessions close that gap fast.

Caveat: a lot of his catalog leans toward recon, events, and the hunting lifestyle, which overlaps the bug bounty world more than the pure appsec one. Skim for the technical sessions. The methodology is the value, not the highlight reel.

Bug Bounty Reports Explained has a misleading name for this list, because the value here is not the bounty, it is the autopsy. He takes real disclosed reports and dissects them. Why the bug worked. What the researcher noticed that everyone else missed. How a small inconsistency in how two services parse a URL becomes a real impact. This is the closest thing to a code review apprenticeship you will find for free, and it is pattern recognition against production systems rather than lab toys.

The honest caveat: it assumes vocabulary. If you do not already know what SSRF or an auth bypass is, you will be lost. Watch PwnFunction first, then come here to see the abstract class show up in a real codebase.

The web3 corner, because the EVM breaks differently

OpenZeppelin is the odd one out, and on purpose. Smart contract appsec is a different discipline with the same instincts. Untrusted input, trust boundaries, state you assumed was consistent and was not. Their content covers secure coding for the EVM, audit walkthroughs, reentrancy, access control, the standard library that half the ecosystem builds on. If you are a web appsec engineer eyeing the on-chain world, this is the serious, vendor-grade entry point rather than a hype channel.

Caveat: it is first-party content from a security firm, so it naturally orbits their tooling and their libraries. The underlying lessons about economic exploits and state assumptions are transferable. The product framing, less so. Take the craft, keep your skepticism.

How to actually use this

Do not binge. Pick PwnFunction to understand a class cold, then go find that exact class in the wild on Bug Bounty Reports Explained, then watch NahamSec or The XSS Rat to see the testing motion against live surface. Then close the tab and open a deliberately vulnerable app with Burp in front of it, because no video teaches you the judgment of reading source and knowing which sink is reachable.

YouTube teaches you what the bug looks like. Only hours against real code teach you to spot it before an attacker does.

If you want the wider field beyond appsec, here is the full roundup. And again, if your actual goal is earning on bounty platforms rather than understanding the vulnerability classes, the bug bounty list is the post you want. Different goal, different channels.
