In light of recent debates and scandals about cybersecurity education and job search, I want to provide my own views and insights about learning pentesting and the cybersecurity job market.

Working in cybersecurity can be a very fulfilling career, but most jobs require some amount of experience or formal training. While there are many great courses and certifications for learning pentesting out there, it might be the case that they are simply above your budget. But that is totally fine. I think it is still possible to get job-ready knowledge about cybersecurity and pentesting from free resources.

A little warning: While I feel like it is possible to spend no money on your way to the first pentesting job, it is the case that some paid resources provide knowledge in a condensed and easy-to-digest form. Having access to those resources might accelerate your learning journey. So I will provide some recommendations on which of them are worth it and which are not.

I also created a GitHub repo with free cybersecurity resources. Check it out and feel free to add some:

https://github.com/her0marodeur/awesome-free-cybersecurity

A few words about my own career

I got really lucky in terms of getting a job. My first contact with cybersecurity was back in my teenage years when I googled “How to become a hacker”. That was back when there were no such resources as HackTheBox and TryHackme. So a lot of the learning was more theoretical and in general kinda slow.

After I finished school, it was time to look for a job. I started out with a student job for a big software company. There I had the opportunity to work with different security teams. During this time I did my eJPT certification and got in contact with the internal pentesting team. They provided me with the opportunity to do an internship and paid for my OSCP. After I finished my Bachelor’s degree, I got offered a full-time job as a pentester.

As I mentioned, I got lucky, but I think there are a couple of takeaways from my own story:

  • The demand for pentesters is currently very high, so many companies are willing to train existing employees. So if you are already working for a company, see if they have an internal pentesting or security team.
  • The most important characteristics of a pentester (hacker) are willingness to learn and curiosity. Getting them does not cost a penny.
  • One of the mistakes I made was focusing too much on the theory and not getting enough hands-on experience. This is really important and you should try to get as much practice as possible.

The role of certifications and degrees

I know you probably want to get into learning right away, but I think we should have a brief discussion about this topic. There is a decade-long ongoing discussion about the difference between certifications and degrees and which is better and a lot more. I don’t want to dive into all that stuff.

Generally speaking, a degree or a certification is a verifiable and easy way for employers to assess the skills of an applicant. The OSCP or a computer science degree does show that the candidate has skills and knowledge in a certain area. If you have to filter through hundreds of applications, they give a good orientation. But there are two big things to take into consideration:

  • There are other ways of getting experience and knowledge. I have friends that have maintained Minecraft servers since they were twelve years old and they have extremely good programming skills, even without having a degree. And their salaries are comparable to some seniors in the industry.
  • Even tho there has been a huge interest in pentesting in the last couple of years, the demand has skyrocketed as well. That means employers are not getting hundreds of applications. Many times it is actually the case that pentesters are getting many job offers just because they have a LinkedIn profile.
  • Certified Ethical Hacker (C|EH): For some reason, this is still seen as a good certification, but from everything I have heard, they provide a really dry course and the exam requires you to memorize a lot of stuff. So you can save your money
  • eLearning Security Junior Penetration Tester (eJPT): I did this one myself and it was fun, the exam was really hands-on and enjoyable. The reason I don’t recommend it is that I don’t think it is really beneficial in terms of getting a job, because I don’t feel like employers are valuing it.
  • Practical Network Penetration Tester (PNPT): I don’t hold this certification myself, but I did Heath Adams courses back in the day. The content is just great and really well explained. It covers a lot of topics. The exam is more relaxed than the OSCP and it has industry recognition at the lowest price.
  • Offensive Security Certified Professional (OSCP): The OSCP has its pros and cons and I wouldn’t recommend that you take a loan to do it or bust your bank account. But in a situation where you can really afford to do it (considering money AND time), I have to admit it has a great course and it is basically a job guarantee. If you want to learn more about it, check out my blog here: https://infosecwriteups.com/methodology-and-mindset-for-passing-the-oscp-d609592a7dcb

Getting the knowledge

To know where you should start, you have to know where you stand. It is a big difference, if you already have fundamental IT knowledge, or if you are coming from a different profession. Because it is absolutely necessary to understand basic computer science concepts like networking and how programs, web pages, and computers are built and running.

Since I suspect that many readers of this article will have this knowledge, I will not talk too much about learning all that stuff. TryHackMe has some really cool courses to learn the basics and I think installing your own webserver and learning the basics of Python really helps a lot. There are also basic computer science courses on sites like Coursera.

TryHackMe and HackTheBox

As well as for basic knowledge, I think you should really start with TryHackMe for learning the basics of pentesting, they have some really good paths for this. Sadly some of them might be only accessible via a paid membership. I think the paid membership is really one of the best investments you can make because it is quite cheap and provides access to a lot of knowledge.

If you are thinking about what kind of pentesting (mobile, web, network, Red Teaming, etc…) to learn first, I suggest you go with web pentesting, because there are many resources about it and when we talk about Bug Bounty later, most of the targets are available in this area. But if you feel like doing something else, do it, all of this is just my opinion.

Additionally, to do the learning path, you should also do some of their boxes that don’t give you any hints about how to solve them. Also, check out HackTheBox for this, they also have some great boxes, but beware of their rating system, I recommend you really start with easy boxes. When solving boxes I recommend you give yourself a time limit. I recommend something like this: If you don’t have the initial foothold after 30 mins, you should check a writeup. Afterward, you try 30 mins for privilege escalation and if you don’t get it, check the writeup again. It might be true that there is no writeup in a real pentest, but doing boxes is about getting as much knowledge as possible. Also, start pushing yourself as soon as possible and increase the difficulty. It maybe means that you might need a write-up for almost every step, but it also means you learn something new with every box.

Free certifications:

  • APISec University: This one is a must-have, it is just the right mix between great course content and realistic and challenging exercises.
  • ISC2 Certified in Cybersecurity (CC): This one is not really about pentesting, but covers a lot of the basics of cybersecurity. But these topics are important for pentesters as well because they always have to see the bigger picture of cybersecurity. The course and exam are free, but it requires an annual maintenance fee.
  • Skillfront ISO/IEC 27001 Information Security Associate™: Another one that is not directly about pentesting. It explains one of the essential policies of cybersecurity and employers like knowledge about this one.

If you love certifications as I do and want some more for free, please check out my GitHub Repo over here: https://github.com/her0marodeur/awesome-free-cybersecurity

Getting the experience

By now you already hacked some machines and websites but all of them were in a simulated environment and left vulnerable by design. While this provides valuable experience and gives you the ability to learn how to exploit vulnerabilities, it is not necessarily the experience employers are looking for. Therefore I recommend you try your skills against some real-world targets (in a legal way). Luckily Bug Bounty platforms allow you to do this and maybe earn some money.

Bug Bounty Platforms

You can check out the following platforms:

Look at their programs and get familiar with the general topic of Bug Bounty (try to avoid the Twitter and Medium hustler bubble, there is some really bad stuff out there). I suggest you start by looking at Katie Paxton-Fear’s stuff (https://insiderphd.dev/). She has some great videos that are really for beginners. But don’t stress too much about all of it, sign up for a platform, pick a program, and hunt. This is what life as a pentester is going to be like. Also, be careful and don’t bother too much about all of the tools, oneliners, and scanners. Learn about the recon fundamentals (https://www.youtube.com/watch?v=krCsMZfbuB4) and start hunting.

If you get one or the other bug it is great for your CV, because it shows you know how to apply your pentesting knowledge to real-world targets.

Synack Red Team

https://www.synack.com/red-team/

This one really depends on how much time you want to spend before getting a job as a pentester. I am not part of it, but I heard really good stuff about it. It basically is a closed Bug Bounty platform, but they additionally offer some fixed pay jobs like checking default credentials or OWASP Top 10. However, you have to apply to them and this process can take a while. But it gives you the chance to have some experience with a real-world job application, it offers great hands-on experience and looks good on your CV. So check it out and see if it is for you.

Getting the job

If you are following this blog (btw. please read more resources than just this one, there is a lot of great career advice out there), I hope you don’t think of it as something that has to be done in chronological order. You can skip things, and do them in parallel or however it feels right for you.

Writing a CV

Before you go out and look for a job, you should write a CV. This really should focus on showcasing skills that you can apply to your pentesting job. So if you have worked in another job, think about how you can translate the skills you gained to pentesting. If you are a programmer, tell them you have a deep understanding of technology and for sure you had to implement security measures in your code and probably you know how developers think and fail. If you have worked as an executive assistant, you have probably done a lot of writing and have clear communication skills, which is also really beneficial for pentesting.

By now you have done at least some certifications and courses, but be careful what you include in your CV. I think, if you have done the three free certs I mentioned, you should include all of them, as they really showcase skills and knowledge needed for your job. But you want to be careful to not include every little thing. Rather than including the certificate of completion for every TryHackMe track you did, you should just include your TryHackMe profile. And for bug bounty profiles you only want to mention the sites, where you have at least one accepted submission. If you put too much basic stuff in there, it probably seems desperate.

For writing the actual CV, you should not get too creative. It is best to either download a Word template and fill it in with your experience and skills or use one of the online generators (consider privacy implications). Be aware that your CV is often times read by machines, so make it “machine-readable”

Getting yourself out there

Being visible can be really helpful if you want to get a job. I think having a well-maintained LinkedIn profile is crucial. So create one, put a nice photo and some experience on it, and maybe include “aspiring pentester” in your bio, to make yourself visible when recruiters search for possible candidates in this area.

You can also do a little bit more, to increase visibility. A nice thing to do is to start a blog. Like this one, you are just reading. Even tho you might not have a lot of expert knowledge, you can talk about your journey and experiences, or write a tutorial for a tool or a writeup for a box you did. But please don’t go down 1337 Hacker Road. I don’t think that blogs like “Hack a webcam with only three steps” “Hacking Instagram password” and other clickbait help find employment. Other things you can do is contributing to GitHub projects (for example Nuclei and Spiderfoot allow you to contribute new rules and templates), create your own tools, or speak at a conference. All of these things will increase your network and look great on a CV.

Applying for jobs

Go for quality over quantity. The job has to be a match for you as much as you have to be a match for the job. So really try to find jobs that are matching your expectations. While I say that, it is also true that it is probably easier to pivot from one pentesting job to another than getting into the industry, but I feel bad advising anyone to take a job they don’t enjoy.

I highly recommend you reach out to recruiters/headhunters. You can easily find them on LinkedIn, add them to your network, and ask if they have a role that fits your profile. It will not cost you a penny, because they are being paid by the employers. They will also be a big help with streamlining a lot of the process. They know their clients and where you have a good chance of getting hired and most of the time allow you to skip steps like writing a cover letter. Even if they are not able to offer you something right away, they will add you to their contact list and reach out in the future.

Interviews

There are just better resources than I am, so I will link to them:

  • The Cyber Mentor- Mock Job Interview: https://www.youtube.com/watch?v=IDpjaS6OYPU
  • The Cyber Mentor - What to Expect in an Ethical Hacking Job Interview: https://www.youtube.com/watch?v=nrewE1mLlaU
  • Security Interview Questions: https://github.com/justinltodd/security-interview-questions

Conclusion

While it should be entirely possible to get a pentesting job without spending a dollar, it will still require a lot of work. Spending at least some money, can make the process, if you spend it right. I also have to mention that all of this is just my personal experience and perspective, your mileage may vary.

If you liked this blog post you can follow me on Twitter @Secbyaccident or read my other stuff over at https://security-by-accident.com/.

And if you have read this far, I want to offer you a little Thank You. My DMs on Twitter are open and you can reach out to me if you want me to review your CV, help you with some studying, or set you up with some recruiters. I will do all of this for free but expect a little delay in response time.