April 30, 2026

What to Read After Hacking: The Art of Exploitation

A reading path for hackers who finished Erickson's classic and are wondering where to go next: modern exploitation, web security, malware, and how to pick your specialization.

#reading-path #offensive-security #binary-exploitation #beginner-to-intermediate

If you've finished Hacking: The Art of Exploitation and you're wondering where to go from here, congratulations on making it through Erickson's machine-room tour. The book is two decades old now, but the way it teaches you to see programs as instructions for a machine is still the foundation that makes everything else legible.

The honest problem: the book stops in 2008. Modern exploitation has moved through ASLR, DEP, stack canaries, CFI, browser sandboxes, kernel mitigations, and a wave of memory-safe languages. Erickson taught you the floor; you now need to climb up.

Here's a structured path.

Step 1: Modernize your binary exploitation

Your next stop is modern memory corruption, the techniques Erickson couldn't cover because they didn't exist or weren't yet defeated.

The single best resource here isn't a book, it's pwn.college. Free, structured, and focused on exactly the gap Erickson leaves. Their module sequence mirrors the real progression: from heap exploitation, to ROP and JOP, to format string attacks against modern toolchains, to kernel exploitation. Plan on 100+ hours.

If you want a book companion, The Shellcoder's Handbook by Anley et al. is the standard reference. It's old too, but it covers Windows exploitation in detail (Erickson is Linux-only) and the sections on heap exploitation give you the vocabulary you'll need to read modern CTF write-ups.

Step 2: Pick a specialization

After modernized binary exploitation, the field forks. The branches don't compete: pick one and go deep, then come back for breadth later.

Web security

If you want to make money quickly, web is where the bug bounty market lives. Read The Web Application Hacker's Handbook for the taxonomy of what can break, then immediately layer on PortSwigger Academy for the modern exploitation details (the book is from 2011 and the web has moved on; this combination handles both the foundations and the current edge).

For the deep view of why the web is the way it is, read The Tangled Web by Michal Zalewski. It'll change how you think about origins, content type negotiation, and the layered absurdity that is browser security.

Malware analysis

If reverse engineering hooks you more than exploit dev, read Practical Malware Analysis and do every lab. The labs are the book; they'll build the reflexes Erickson taught you, transposed into the malware analyst's workflow. Then start working through real samples on VX-Underground or MalwareBazaar.

Cryptography

If the cryptology chapter at the end of Erickson's book lit you up, Cryptography Engineering by Ferguson, Schneier, and Kohno is the working engineer's introduction to where cryptographic systems break. It's dated on TLS 1.3 specifics (pair it with the relevant RFCs), but the chapters on how primitives compose into systems are evergreen.

Step 3: Read the political layer

After enough technical depth, you'll want to understand why this matters. Sandworm by Andy Greenberg is the best non-technical book on what state-level cyber actually looks like. Read it after a year or two in the field: earlier, it'll feel abstract; later, it'll feel inevitable.

What I'd avoid for now

Don't jump to red team / pentesting certification courses (OSCP, etc.) immediately after Erickson. They assume you can already operate a target machine; you'll spend most of the course on tooling, not learning. Build technical depth first, certify second.

Same with Kali / tooling books. They teach you which buttons to press; Erickson taught you what's underneath the buttons. Stay underneath the buttons for at least another year.

Final note

The unifying thread across all these directions: read the actual source material. The blog posts and YouTube tutorials abstract over too much. The books, and especially the book you just finished, work because they refuse to.

You earned the next book by finishing the last one.