How I Reached TryHackMe Top 1% from Kathmandu, Nepal
Reaching the global top 1% on TryHackMe was not an accident, a stroke of luck, or the product of some exceptional innate ability. It was the outcome of deliberate, sustained, daily practice over approximately eighteen months — and the mindset that made that consistency possible. I am sharing this account in detail because I believe it will be useful for other aspiring cybersecurity practitioners in Nepal and beyond who are at the beginning of their journey and wondering whether serious practical security skills are achievable from this corner of the world. The answer, unequivocally, is yes. But the path requires honesty about what it demands.
What TryHackMe Actually Is
For readers unfamiliar with the platform, TryHackMe is an online cybersecurity learning environment that delivers practical, hands-on security education through a system of "rooms" — self-contained lab environments, each focused on a specific vulnerability class, tool, technique, or concept. Unlike video courses or textbooks, TryHackMe rooms require you to actually perform the actions being taught: you connect to a virtual machine over a browser-based terminal or VPN connection, and you must actively exploit the target to answer questions and complete the room. This active learning model is fundamentally more effective for developing security skills than passive consumption of information. You can read about SQL injection for hours; actually injecting a payload into a live (intentionally vulnerable) target and watching it return database contents you were not supposed to access is a different kind of understanding entirely. TryHackMe tracks your progress through a point system and a global ranking that updates in real time, providing continuous feedback on your position relative to the platform's global user base.
Why I Chose TryHackMe Over Other Platforms
When I began my serious cybersecurity education in 2022, I evaluated several platforms: Hack The Box, PentesterLab, PortSwigger Web Security Academy, and TryHackMe. Each has distinct strengths. PortSwigger's Web Security Academy is arguably the best free resource specifically for web application security. Hack The Box provides more realistic and challenging machines that better simulate actual penetration testing engagements. But for building a broad, structured foundation across all major security domains, TryHackMe's learning paths are unmatched. The beginner-friendly design — the fact that rooms provide explicit guidance and hints rather than dropping you into a system with no context — makes it possible to build momentum and confidence before tackling the more unstructured challenges of platforms like Hack The Box. For someone at the beginning of their journey, momentum and confidence are not secondary concerns: they are what keeps you practising when the material becomes genuinely difficult and progress feels slow.
The Learning Paths That Built My Foundation
I worked through TryHackMe's structured learning paths sequentially rather than jumping between rooms arbitrarily. The progression was deliberate and important. I began with the "Pre-Security" path, which establishes networking fundamentals, the basics of how the web works, and an introduction to Linux — the three prerequisite knowledge areas for virtually all security work that follows. From there I moved to the "Complete Beginner" path, which introduces web application hacking, network exploitation, cryptography basics, and introductory privilege escalation. The "Jr Penetration Tester" path followed, covering the full penetration testing methodology from reconnaissance through exploitation and reporting, using industry-standard tools. This path is where the practical skills begin to feel genuinely professional rather than academic. I supplemented these guided paths with targeted individual rooms in areas of specific interest or identified weakness: Active Directory fundamentals, buffer overflow exploitation, advanced Nmap techniques, and OSINT methodology.
The Daily Practice Routine That Made the Difference
Consistency mattered more than intensity. I did not practise for eight hours on weekends and nothing during the week. I practised for one to two hours every single day, without exception, for approximately eighteen months. This daily consistency had a compounding effect that periodic intensive sessions cannot replicate: skills practised daily become reflexes; skills practised occasionally remain deliberate and effortful. My routine was structured: I would begin each session by reviewing notes from the previous session, warm up with a familiar tool or concept for fifteen minutes, then spend the majority of the session on new material. I kept detailed notes in a personal knowledge base documenting every technique, every command syntax, every tool configuration, and every lesson from failed attempts. Those notes became an invaluable reference and, more importantly, the act of writing them reinforced retention far more effectively than passive reading.
Specific Skills Developed — By Domain
The breadth of domains I covered through TryHackMe was significant. In networking, I developed solid operational understanding of TCP/IP, DNS, HTTP/S, FTP, SMB, and the protocols most commonly targeted in penetration testing. In web application security, I practised the full OWASP Top 10 against intentionally vulnerable applications: SQL injection in multiple forms (error-based, blind time-based, UNION-based), XSS (reflected, stored, DOM-based), IDOR, CSRF, SSRF, XXE, and broken authentication. In Linux privilege escalation, I learned the common escalation vectors systematically: SUID binaries, sudo misconfigurations, cron job exploitation, weak file permissions, kernel exploits, and PATH manipulation. In Windows and Active Directory, I covered pass-the-hash, Kerberoasting, AS-REP roasting, SMB relay attacks, and basic Active Directory enumeration with BloodHound. In cryptography, I studied classical ciphers, hash functions, symmetric and asymmetric encryption, and common implementation weaknesses. In forensics and OSINT, I practised metadata extraction, steganography analysis, and structured open-source intelligence gathering from public sources.
The Moments That Almost Made Me Quit
I want to be honest about this, because accounts of achievement that omit the struggle are not genuinely useful. There were multiple periods during my TryHackMe journey where I was completely stuck — spending hours on a room that I simply could not progress through, feeling deeply frustrated by the gap between my current capability and the level the room demanded. The buffer overflow rooms were particularly difficult in the early stages: the combination of assembly language understanding, debugging tool proficiency, and memory management knowledge they required felt genuinely overwhelming at first. I spent three days on a single buffer overflow room before the concept finally clicked in a way that felt genuinely internalised rather than mechanically followed. Those three days tested my commitment seriously. What kept me going was a simple principle I had adopted early: being stuck is not failure, it is the specific condition under which learning happens. Quitting when stuck is the only thing that actually fails. Every moment of genuine confusion, resolved through persistent investigation, produced a correspondingly durable understanding. I still remember those hard-won lessons more vividly than almost anything else I learned on the platform.
What Top 1% Actually Means — And What It Does Not
Reaching the global top 1% on TryHackMe means that my point total and room completion statistics place me above 99% of the platform's registered users. It is a meaningful benchmark of broad, hands-on security knowledge. However, it is important to be precise about what it does and does not indicate. TryHackMe's guided room format means that the skills it develops are strongest in known vulnerability classes — CVEs with established exploitation paths, common misconfigurations, and technique categories well-represented on the platform. Real penetration testing engagements involve a higher proportion of novel situations, complex custom application analysis, and the kind of creative, first-principles problem-solving that guided labs do not fully develop. TryHackMe was my foundation, not my ceiling. The platforms and projects I have engaged with since — Hack The Box machines, custom vulnerable lab environments, real-world security projects — have pushed my capabilities significantly beyond what the TryHackMe ranking reflects. I share the ranking as a data point, not as a complete characterisation of my security capability.
Advice for Aspiring Practitioners in Nepal
If you are in Nepal and considering starting your cybersecurity journey through TryHackMe, here is the most important advice I can offer based on my experience. First: start with the fundamentals, even if they seem basic. Networking, Linux, and how the web works are the prerequisites for everything else, and gaps in these areas will slow you down repeatedly. Do not rush past them. Second: take notes on everything. Your notes are your personal knowledge base, and building it from the beginning will pay dividends throughout your entire career. Third: embrace being stuck. The rooms that take you the longest to complete are precisely the ones you will remember and benefit from most. Fourth: supplement TryHackMe with other resources — YouTube channels like IppSec for Hack The Box walkthrough methodology, PortSwigger's web security labs for deep web application skill development, and reading actual CVE reports to understand real-world vulnerability disclosure. Fifth: engage with the community. The TryHackMe Discord, cybersecurity forums, and local communities in Kathmandu are sources of motivation, mentorship, and the kind of tacit knowledge that formal platforms cannot transmit.
Nepal's Growing Cybersecurity Community
When I began my TryHackMe journey in 2022, the Nepali cybersecurity community was small and relatively invisible online. That is changing rapidly. More Nepali students and young professionals are engaging seriously with security learning platforms, participating in Capture The Flag competitions, and building practical skills. This is important for Nepal's digital future: as the country's economy increasingly depends on digital infrastructure — banking, telecommunications, government services, healthcare systems — the need for qualified security practitioners who understand the specific context of Nepali technology environments grows correspondingly urgent. I am proud to be part of the generation of Nepali technologists building this field, and I am committed to making my own journey as visible and useful to others who are following a similar path as possible.