Routes for getting into Pentesting


First off, if this is in the wrong place or something, sorry, and do what you must :b

So, I have a question for people here who are currently, or have ever been working as a Penetration Tester, in any capacity, or anyone in the know I guess. I want to move into this area, but am a little lost as to which route I should take. My background is:

  • I recently graduated from a CS degree.
  • I have no previous relevant work experience.
  • I have been mucking around with hacking on sites like HTB and such for years, but only in the last year have I done so with real focus (not just for fun), making a concerted effort to get better.
  • I have used Linux for many years and know my way around quite well I would say.
  • I have a good working knowledge of programming in general, particularly Python and Java.
  • Currently studying for Network+ cert
  • Going to go for the OSCP in the near future… well ASAP really.
  • Just to round this off, I will say I’m going through various privesc and other pentesting related courses too at the moment, as well as delving into web pentesting. Really trying to up my game in general.

I know there are so many routes a person can take getting into pentesting/security in general. But I see before me two probable courses. Either the IT route, starting on helpdesk, moving, hopefully before long, to a Network Admin type role, and perhaps Network Engineer, then pivot to pentesting. The other route would be to get into a SOC as an analyst, and work my way from there. I would very much appreciate any thoughts on this. For instance, perhaps you think one would be better? Perhaps you would suggest something else entirely? Maybe you’d share your journey? Anything at all. Thanks for reading!


It seems blue team type jobs may be more numerous these days, and I definitely don’t want to discount that as a path. However, I imagine these require many of the same skills/knowledge/experience, and I think for someone at my level (level 0? experience-wise) that the routes into this may be the same right now.


I am not in an “Official” security position (Network Engineer Tech), title-wise. I am pretty much in the same boat, aside from the CS degree. It sounds like you already have a pretty solid plan thus far. From what I have gathered this past weekend, everyone creates their own path. Until recently, I thought I was stuck. But the truth is, all you have to do is start. For the longest time, I was stuck with the mindset that you have to follow a certain path.

I’m starting out as a Network Eng. tech. I currently don’t have any certs. I am working on my CCNA then most likely OSCP. I know how intimidating it can be to start out. I know that most of the requirements jobs are looking for are: +5 years or more experience and a whole list of certifications.

Don’t get hung up on the “requirements”. Just start, even if the deck is stacked against you. Try anyway. I did not have any prior experience or a bachelor’s degree.

With all that said, which would you prefer starting out as? Which interests you the most? I chose networking because I like playing around on networks. I was confident with my knowledge in that area of CS. I didn’t meet most of the requirements when I applied, but I got the job and 2 1/2 years later I am a senior network eng. tech on my team.

  • Stay curious
  • Apply yourself even when you don’t meet requirements
  • Take chances

Thank you, that’s inspiring. You’re right, I should probably take the path that interests me most. Thanks for reminding me of this. That would really be networking. On-the-job networking experience also seems like it would really be necessary or at the very least of great value to a pentester. Regarding your background, 2 1/2 yrs in a networking role already sounds like a great springboard for getting into a security career.


Of course. Thanks. I am leaning to the pentesting side of things as well. That is why I went with Network. I applied to a bunch of places I didn’t meet the requirements for. Set up the interviews, and found my way in. I am currently trying to pivot into a security role at the moment. I feel like I outgrew my current position. But I am still excited about what I do.



I just wanted to say thanks a lot for the question and also for the answer. I am new to cyber security and networking in general, and I am currently determined to take the CEH (to catch up) and eventually the OSCP, as I also do want to move into the ‘sector’. Reading this was very encouraging!

I am however a bit overwhelmed as I am unsure where to start to get a solid foundation since I do not have any educational degrees related to the field. Do you guys by any chance have any advice on where to start? I do have some basic understanding of Networking in general (very basic), and also with Kali Linux and programs such as Python, Nmap, and a bit of experience with HTB (although only with the help of tutorials).

Thanks in advance!



I understand how overwhelming it can be; trust me, you’re not alone. I have a few questions (just so I have a better picture on how to help, if you don’t mind me asking):

What kind of background do you have?
What are your interests?
Do you have a goal in mind?



I will just say that a degree in something like Computer Science is in no way necessary for what we are talking about, imo. They do feel good to slap on a resume/CV and you can of course learn a lot in 3-4 yrs, but degrees also have a lot of cruft, and ‘lost time’ mixed in. Though they can be great for making friends and networking, the actual material (minus all the traveling to and from college and between classes, and holidays and free periods and stuff you’re forced to do but will never need etc. etc.) could probably be condensed into 12 or 18 months of focused self study (indeed, there’s a TED talk I saw once, where a man did just this, watching all the Stanford CS lectures online at 2x speed, then giving himself the exams :b). So, particularly for anyone in a country where degrees are prohibitively expensive… like the US… I would definitely consider cutting to the chase in terms of getting experience, and probably more focused and relevant certs. Had I personally had a little more clarity before college, I might have decided to go the IT experience / certification route instead, as it certainly seems more direct. I have a degree, but now feel I still have to do all that anyway. On the other hand, people do say they open doors, and I don’t regret taking that route at all. My point here was meant to be that you shouldn’t feel far behind because you don’t have the piece of paper. It’s what’s in your head that will really get you there. I hope if anyone thinks I’m wrong about this, they will challenge it, but I’ve ranted long enough :b I think @MSqueaks has asked some good questions there.



@youngdryas @MSqueaks Thanks again for valuable tips! Self-study and taking some relevant online courses (e.g. CEH and online CCNA prep courses), and finally attempting to take the CCNA and OSCP exams, is what I aim to do.

@MSqueaks To answer your question. I do not have any educational background in IT/cyber security but it is rather something I am interested in and have been studying as a hobby for the last couple of months. I am currently trying to shift from working in the NGO sector and have both a Bachelor’s degree and Master’s degree that is more policy based and non-technical relevant to the NGO sector.

With that said, my goal is to finally get into the IT/cyber security sector, but I am not sure if some classes here and there + CEH, OSCP and CCNA certifications would be enough for me to score an entry level job. I am also not sure how long this will take. I will soon have almost unlimited time working towards this goal, but would of course appreciate any time-efficient tips on how to best get there :)


I agree completely. Those HR filters though.


@Dinolilo @youngdryas

I didn’t necessarily mean educational background. TBH, 90% of my knowledge comes from building stuff and breaking stuff in my free time. Basically, seeing how it works (What can I make it do? How to fix it? What are the limitations? How can it be manipulated to do something else?). Personally, I think they push the degrees and +5-10 years experience way too much.

From my experience with jobs, it’s more about who you know? What you can prove you know. That’s generally where I fall short. I am more of the people watcher type, not a social butterfly. Yay, social anxiety. Anyway, sorry for the rant. There’s a lot of great information in this thread. The key thing is to stay curious!

Honestly, thanks to this forum and community, I have been more confident in joining the conversation than just watching, so thank you guys!