Routes for getting into Pentesting

Hi

First off, if this is in the wrong place or something, sorry, and do what you must :b

So, I have a question for people here who are currently, or have ever been working as a Penetration Tester, in any capacity, or anyone in the know I guess. I want to move into this area, but am a little lost as to which route I should take. My background is:

  • I recently graduated from a CS degree.
  • I have no previous relevant work experience.
  • I have been mucking around with hacking on sites like HTB and such for years, but only in the last year have I done so with real focus (not just for fun), making a concerted effort to get better.
  • I have used Linux for many years and know my way around quite well I would say.
  • I have a good working knowledge of programming in general, particularly Python and Java.
  • Currently studying for Network+ cert
  • Going to go for the OSCP in the near future... well ASAP really.
  • Just to round this off, I will say I'm going through various privesc and other pentesting related courses too at the moment, as well as delving into web pentesting. Really trying to up my game in general.

I know there are so many routes a person can take getting into pentesting/security in general. But I see before me, two probable courses. Either the IT route, starting on helpdesk, moving, hopefully before long, to a Network Admin type role, and perhaps Network Engineer, then pivot to pentesting. The other route, would be to get into a SOC as an analyst, and work my way from there. I would very much appreciate any thoughts on this. For instance, perhaps you think one would be better? Perhaps you would suggest something else entirely? Maybe you'd share your journey? Anything at all. Thanks for reading!

EDIT:

It seems blue team type jobs may be more numerous these days, and I definitely don't want to discount that as a path. However, I imagine these require many of the same skills/knowledge/experience, and I think for someone at my level (level 0? experience-wise) that the routes into this may be the same right now.

5 Likes

I am not in an "Official" security position (Network Engineer Tech), title-wise. I am pretty much in the same boat, aside from the CS degree. It sounds like you already have a pretty solid plan thus far. From what I have gathered this past weekend, everyone creates their own path. Until recently, I thought I was stuck. But the truth is, all you have to do is start. For the longest time, I was stuck with the mindset that you have to follow a certain path.

I'm starting out as a Network Eng. tech. I currently don't have any certs. I am working on my CCNA then most likely OSCP. I know how intimidating it can be to start out. I know that most of the requirements jobs are looking for is: +5 years or more experience and a whole list of certifications.

Don't get hung up on the "requirements". Just start, even if the deck is stacked against you. Try anyway. I did not have any prior experience or a bachelor's degree.

With all that said, which would you prefer starting out as? Which interests you the most? I chose networking because I like playing around on networks. I was confident with my knowledge in that area of CS. I didn't meet most of the requirements when I applied, but I got the job and 2 1/2 years later I am a senior network eng. tech on my team.

  • Stay curious
  • Apply yourself even when you don't meet requirements
  • Take chances
8 Likes

Thank you, that's inspiring. You're right, I should probably take the path that interests me most. Thanks for reminding me of this. That would really be networking. On the job Networking experience also seems like it would really be necessary or at the very least of great value to a pentester. Regarding your background, 2 1/2 yrs in a networking role already sounds like a great springboard for getting into a security career.

4 Likes

Of course. Thanks. I am leaning to the pentesting side of things as well. That is why I went with Network. I applied to a bunch of places I didn't meet the requirements for. Set up the interviews, and found my way in. I am currently trying to pivot into a security role at the moment. I feel like I outgrew my current position. But I am still excited about what I do.

1 Like

Hello,

I just wanted to say thanks a lot for the question and also for the answer. I am new to cyber security and networking in general, and I am currently determined to take the CEH (to catch up) and eventually the OSCP, as I also do want to move into the 'sector'. Reading this was very encouraging!

I am however a bit overwhelmed as I am unsure where to start to get a solid foundation since I do not have any educational degrees related to the field. Do you guys by any chance have any advice on where to start? I do have some basic understanding of Networking in general (very basic), and also with Kali Linux and programs such as Python, Nmap, and a bit of experience with HTB (although only with the help of tutorials).

Thanks in advance!

2 Likes

Hi,

I understand how overwhelming it can be; trust me, you're not alone. I have a few questions (just so I have a better picture of how to help, if you don't mind me asking):

What kind of background do you have?
What are your interests?
Do you have a goal in mind?

2 Likes

Hi

I will just say that a degree in something like Computer Science is in no way necessary for what we are talking about, imo. They do feel good to slap on a resume/CV and you can of course learn a lot in 3-4 yrs, but degrees also have a lot of cruft, and 'lost time' mixed in. Though they can be great for making friends and networking, the actual material (minus all the traveling to and from college and between classes, and holidays and free periods and stuff you're forced to do but will never need etc. etc.) could probably be condensed into 12 or 18 months of focused self study (Indeed, there's a Ted talk I saw once, where a man did just this, watching all the Stanford CS lectures online at 2x speed, then giving himself the exams :b). So, particularly for anyone in a country where degrees are prohibitively expensive... like the US... I would definitely consider cutting to the chase in terms of getting experience, and probably more focused and relevant certs. Had I personally had a little more clarity before college, I might have decided to go the IT experience / certification route instead, as it certainly seems more direct. I have a degree, but now feel I still have to do all that anyway. On the other hand, people do say they open doors, and I don't regret taking that route at all. My point here was meant to be that you shouldn't feel far behind because you don't have the piece of paper. It's what's in your head that will really get you there. I hope if anyone thinks I'm wrong about this, they will challenge it, but I've ranted long enough :b I think @MSqueaks has asked some good questions there.

3 Likes

@youngdryas @MSqueaks Thanks again for valuable tips! Self-study and taking some relevant online courses (e.g. CEH and online CCNA prep courses), finally attempting to take the CCNA and OSCP exams is what I aim to do.

@MSqueaks To answer your question. I do not have any educational background in IT/cyber security but it is rather something I am interested in and have been studying as a hobby for the last couple of months. I am currently trying to shift from working at the NGO sector and have both a Bachelor's degree and Master's degree that is more policy based and non-technical relevant to the NGO sector.

With that said, my goal is to finally get into the IT/cyber security sector, but I am not sure if some classes here and there + CEH, OSCP and CCNA certifications would be enough for me to score an entry level job. I am also not sure how long this will take. I will soon have almost unlimited time working towards this goal, but would of course appreciate any time-efficient tips on how to best get there :)

1 Like

I agree completely. Those HR filters though.

2 Likes

@Dinolilo @youngdryas

I didn't necessarily mean educational background. TBH, 90% of my knowledge comes from building stuff and breaking stuff in my free time. Basically, seeing how it works (What can I make it do? How to fix it? What are the limitations? How can it be manipulated to do something else?). Personally, I think they push the Degrees and + 5-10 years experience way too much.

From my experience with jobs, it's more about who you know? What you can prove you know. That's generally where I fall short. I am more of the people watcher type, not a social butterfly. Yay, Social anxiety. Anyway, sorry for the rant. There's a lot of great information in this thread. The key thing is to stay curious!

Honestly, thanks to this forum and community, I have been more confident in joining the conversation than just watching, so thank you guys!

3 Likes

I would definitely choose this certificate as a preference: OSCP

Hi guys,
I'm here to confirm that doing some programming, taking CCNA and then going for OSCP works. At least for me for a couple of reasons:

  1. You get to see how computers work before you exploit them (with programming)
  2. You get to see how computer networking works before you exploit a whole network infrastructure
  3. I would say that learning Linux before taking OSCP is even better since the main tool you use for pentesting is Linux.

By doing all these things before going straight to pentesting you're making sure you understand the core subjects of pentesting more in depth. After taking OSCP I'd suggest you focus on some CS subjects: how compilers work, and generally the low level stuff.

Ideally I would've taken CS before everything but I am not aged for university yet so I had to take a bit of a different path.