Where to begin Web Pentest or Network Pentest

Hello folks I have some basic understand on how to carry out a pentest,blue team and have been playing around various challenges wargames,hackthebox etc . I understand pentest is so wide but for a beginner what would be a good start point web app pentest or networking though my main interest is to become a read teamer. More info about my skill current working as Sysadmin, can program fluent in Python,Bash scripting also exposed to C,C++,Assembly,PHP, Java,Javascript , good understand of networking and virtualization.

Any advice will be appreciate and am willing to start crawling before I can walk .


Hey there,
I guess (from my humble point of view) it depends on where you want to go to from here. Do you aspire to acquire a job in ITSec or run your own business in web security? It all depends on where you feel most comfortable I guess.


Thanks buddy, Just want to get experience first in InfoSec related jobs though were I live InfoSec companies are quit a few and it’s kinda hard getting one even the entry level

Having a good looking LinkedIn / CV helps a lot to get past the HR filter. Consult friends and try to give it a “professional, enthusiast, been in the industry for some years, knows what he’s doing” kinda vibe. Small, stupid things like spelling, word choice, the amount of emphasis you put on soft skills (teamwork, cooperation, problem solving, determination) also impact the decision a lot.

Once you’re past HR and want to impress the team / employer it essentially boils down to technical knowledge and skill. Showing them your GitHub, Medium, CTF handle doesn’t hurt either. If you’re actually a passionate programmer and problem solver, once you got to this phase, it shouldn’t be too hard to land a job or two. Good employers don’t expect juniors to know everything, but they do expect you to have a good grasp on the basics and to have the ability and willpower to learn what you will need when you run into something you’re not familiar with.

It’s somewhat cliché but I truly believe that “Learning to learn is the most important thing one can teach themselves, and it cannot be taught”. Programming, doing CTFs, reading the manpage and source code for things you are trying to solve are all valid ways to get better.

If you’re looking for challenges to practice your skills with, look into Exploit excercises, DVWA, Web Security Dojo, VulnHub.

Another thing to keep in mind is - a lot of companies suck. In my opinion, in many cases the culture in the professional world is somewhat disconnected (sometimes stupid people will no skills get valued and promoted, evaluating what people say based on how they say it instead of what they say, involving organization politics in logical decisions, management don’t understand the real problems and deal with imaginary problems, lack of skill / motivation / mediocrity leads to bad design and development workflow that have long-term effects, etc). Try to pick up on those signals. You’re interviewing them as much as they’re interviewing you.


Thanks buddy will work on that; cheers!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.