
What YouTube actually teaches you about hacking (and where it lies)

YouTube is a great on-ramp into offensive security and a terrible place to build depth. Here's how to use it without fooling yourself.


Most people in security started the same way. A LiveOverflow video at 1am, a vague feeling that this was solvable, and three more hours gone. YouTube is the single best recruiting tool offensive security has ever had. It's also responsible for a specific kind of stuck that's worth naming.

The format rewards the wrong things. A good exploit walkthrough is 14 minutes long because the creator cut the four hours where nothing worked. You see the clean path. You don't see the dead ends, the wrong assumption that ate an afternoon, the moment they re-read the source and realized the bug was somewhere else entirely. That edit is good filmmaking and bad pedagogy, because the dead ends were the lesson.

What the medium is genuinely good at

Breadth, and taste. Before you can go deep on anything you have to know the territory exists. Watching someone pop a box on Hack The Box, reverse a piece of malware, or chain three low-severity web bugs into account takeover, you build a map of what the field even contains. That map is hard to get any other way and YouTube hands it to you for free.

It's also good at showing tools in motion. Reading the Burp Suite docs tells you what the Repeater tab does. Watching someone live-edit a request, notice the response length changed by two bytes, and pivot on that, tells you what the tool is for. The muscle memory of "what do I look at next" is genuinely transmissible on video in a way it isn't in prose.

And it's good for motivation, which matters more than people admit. Security has a brutal early plateau where everything is hard and nothing works. Watching someone you respect make it look fun is sometimes the only thing that keeps you in the chair.

Where it quietly fails you

Depth is the obvious one. No video teaches you to read a 4000-line C file and hold the heap layout in your head. That comes from doing it, badly, many times.

The subtler failure is the illusion of competence. You watch IppSec root a machine cleanly and your brain files it under "I understand this." You don't. You understood his path. Sit at a fresh box with no walkthrough and the difference becomes loud. This gap is real and it's measurable: the number of people who can follow a writeup versus the number who can produce one is not even close.

There's also a recency problem nobody mentions. A 2021 video on, say, bypassing a specific WAF or exploiting a Java deserialization sink may be teaching you a technique that's been dead for two years. The mitigations moved. The payload in the video throws a 403 now. You'll burn an evening assuming you did it wrong when the truth is the internet rotted under the tutorial. Always check the upload date, and assume anything security-relevant older than 18 months needs verification against current behavior.

How to actually use it

Watch once for the shape, then close the tab and reproduce it cold. If you can't, you didn't learn it, you watched it. That single discipline separates the people who plateau from the people who don't.

Pause and predict. Before the creator runs the next command, say out loud what you'd run and why. When you're wrong, that's the signal: it's the exact spot where your model of the system is broken. Most people watch passively and wonder why nothing sticks.

Pair every video with something text-based. Watch the OSCP-style box walkthrough, then go read the actual HackTricks page for the technique, then read the original research if there is any. Video gives you the intuition, text gives you the precision, and the original advisory gives you the truth. You need all three.

And stop collecting channels. The instinct when you start is to subscribe to forty channels and feel productive doing it. Pick three or four people whose depth you trust, go through their back catalog properly, and ignore the algorithm's attempt to feed you the same beginner Nmap video for the ninth time.

The directory this blog lives on exists partly because of that last problem. Finding the people who actually go deep, in your language, on the thing you care about, is harder than it should be. The thumbnails all look the same. The good ones are not always the loud ones.
