I’m Not A Pentester (And You Might Not Want To Be One Either) Part 2: The Response
Okay, so obviously this thing blew up. I really wasn’t expecting it to go this way but I figured I should probably do some kind of response to some of the comments that have been thrown around.
I would say as you read this, remember that this is a post targeting recent graduates, recent OSCP holders and people trying to get into the industry, as was the first post.
Looking back, the title of the article should have probably been “True Life: I Worked At A Cyber SweatShop.” The top criticism seemed to be don’t judge the entire industry based on a single job. I thought I was pretty clear that my experience was probably not the norm. But with some of the feedback from the post, here’s a follow up.
WARNING: It’s a long one.
Not all consultancies are bad. There are good ones, bad ones, decent ones, lackluster ones. There are all kinds. Obviously, one person’s opinion of a job could be vastly different from another’s working that same role.
If you’re a new pentester/red teamer and you have an interview, do you know what kind of questions you should ask to determine what kind of firm you’re interviewing with?
Do you even know what a kick-off call is? Do you know what an ROE looks like? Do you even know how many consultants are standard for an engagement?
DO YOU KNOW HOW TO CHECK IF THE IP RANGE PROVIDED BY THE CLIENT IS CORRECT??? This is kind of a big one.
Do you have the ability to plug a domain name into dnsdumpster, look at the listed endpoints and go “this is going to take at least 3 people in the timeframe I’ve been given” even when your manager tells you “you got this one on your own.”
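Two of the questions above, whether the client’s IP range is right and how big the job really is, can be partly answered at the desk before anything is scanned. What follows is an added example, not code from the original post: it checks a client-supplied scope list against the address blocks the client has confirmed owning and counts what is actually cleared for testing. The scope entries and the confirmed blocks are constructed, with RFC 5737 documentation ranges standing in for real public space.

```python
"""Desk-side scope check for a pentest kick-off (added example, not from the original post).

Assumption: the client sends a scope list (one CIDR, single address or 'first-last' range
per line) and has separately confirmed which address blocks are allocated to them, e.g.
from RIR records. Every address here is constructed. Nothing in this script touches the
network; it only decides what you still need to ask the client about.
"""
import ipaddress
from typing import Dict, List

# Constructed: the scope list as it might arrive in the kick-off email.
CLIENT_SCOPE = """
# external scope - from client
203.0.113.0/24
198.51.100.10-198.51.100.20
192.168.50.0/24
10.0.0.5
192.0.2.77
198.51.100.200
203.0.113.300
198.51.100.30-198.51.100.25
"""

# Constructed: blocks the client has shown (WHOIS/RDAP, ISP contract) are actually theirs.
CONFIRMED_OWNED = ["203.0.113.0/24", "198.51.100.0/25"]

# Space an external engagement cannot reach as written: RFC 1918, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_entry(entry: str) -> list:
    """Turn one scope line (CIDR, single host, or 'first-last') into network objects.

    Raises ValueError for anything that does not parse, so a typo is surfaced
    instead of being silently dropped or guessed at.
    """
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after range end: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def check_scope(scope_text: str, confirmed_owned: List[str]) -> Dict[str, list]:
    """Bucket each scope entry before any packet is sent.

    ok          - inside a block the client confirmed owning
    private     - RFC 1918/loopback/link-local: needs an internal vantage point, or is a typo
    unconfirmed - public space the client has not shown they own: ask, do not assume
    invalid     - unparseable entry, paired with the parser's reason
    """
    owned = [ipaddress.ip_network(o) for o in confirmed_owned]
    result: Dict[str, list] = {"ok": [], "private": [], "unconfirmed": [], "invalid": []}
    for raw in scope_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets = parse_entry(line)
        except (ValueError, TypeError) as exc:
            result["invalid"].append((line, str(exc)))
            continue
        for net in nets:
            if any(net.subnet_of(b) for b in NON_ROUTABLE if b.version == net.version):
                result["private"].append(str(net))
            elif any(net.subnet_of(o) for o in owned if o.version == net.version):
                result["ok"].append(str(net))
            else:
                result["unconfirmed"].append(str(net))
    return result


def addressable_hosts(networks: List[str]) -> int:
    """Address count of the cleared scope: a first input to 'how many testers, how many days'."""
    return sum(ipaddress.ip_network(n).num_addresses for n in networks)


if __name__ == "__main__":
    report = check_scope(CLIENT_SCOPE, CONFIRMED_OWNED)
    for bucket, entries in report.items():
        print(f"{bucket}: {entries}")
    print("addresses cleared for testing:", addressable_hosts(report["ok"]))
```

Anything in the unconfirmed or invalid buckets goes back to the client before the kick-off call ends; the ok count is what you size the team against.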
This wasn’t a post looking to “go scorched earth on the industry” as somebody said on Twitter. It was a cautionary article of what could happen to somebody who is so excited to get into the industry that they are willing to overlook very obvious red flags at their firm.
Some of what I wrote didn’t even happen to me. It happened to others that I know and have become friends with over the last couple of years. I was never asked to bring in clients. I have heard from others that there was an expectation to bring in clients. I have also seen this on more than one job post. Is it the norm? No. That’s very obviously a sales job.
But when I was hired, had they asked me to do that, I probably would have just said “that doesn’t seem like my job, but okay…I guess.”
Offline I could tell you some really cringy shit about what I went through. I won’t do that here. This isn’t about the firm I was with.
It’s about an industry where the product (pentesting/red teaming) and the requirements to deliver a valuable product have changed vastly in just 2 years, while the optics of recruitability have given recent graduates and career changers an inflated view of the current market. This view of the market can lead people to desperately take on a role for the experience and spend thousands of dollars on “training” that might never lead to a job; a job that they might not even be prepared for or want.
The work schedule I talked about was absolutely true and I’m not the only one who has described this type of expectation, explicitly stated by the company or not. To say it’s not a common occurrence (not the standard, but common) in the industry is ignorant.
When vetting a firm, ask about work life balance and then determine if they are lying to you. Dig deeper. Ask what kind of programs they have for work life balance. If they say they have unlimited PTO, think really hard about what that means.
Unlimited PTO doesn’t mean you can take a month off whenever you want. It means you don’t have an allotted amount of PTO. Studies show that most people work more when the company has unlimited PTO because they don’t want to seem like they are taking advantage of the policy.
The number one thing I asked for when I was interviewing was mentorship and somebody to go to if I couldn’t figure out why my exploit wasn’t working. Had the hiring manager been honest with me the response would have been “you’ll be doing all engagements by yourself and I’ll be in a sales call when you are stuck.” At that point I could have ended the interview and saved myself a lot of trouble.
The skills I described are also absolutely expected. You will be expected to know various languages. That’s not something new to the industry, or to job descriptions. Your required fluency in those languages will vary depending on firms/managers/leads.
Some may want you to be able to write an exploit in python from scratch, others may just want you to know how to change out variables or switch IPs and ports on a public exploit.
The client is going to want to know why the vulnerability was exploitable, how you exploited it, and what the recommendation is to fix it.
Sometimes the fix is as easy as update from Windows 7. Other times it could be extremely complicated. If you’re in a debrief and they ask you how the public exploit works you can’t say “I changed the IP and, uh, I don’t know, shell came back.”
There will also be an expectation to know how to use industry standard tools that you probably don’t have access to. For instance, Nessus and, until very recently, Cobalt Strike. CRTO offers people a way to get hands-on experience with Cobalt Strike.
There is other commercial software out there that people won’t have access to, these are just a few examples.
You will be expected to be an expert in a lot of different protocols, hardware and software. At one point I was asked what BitLocker bypasses I knew because the firm was selling a “stolen laptop” scenario to the client. I had nothing.
As somebody on Twitter stated the other day, get ready for LLMs to be added to that ever growing list also. Can you imagine an interviewer asking you about your methodology for pentesting an LLM?
On a side note, I never saw anybody from the AppSec or Web App team get put on an infrastructure pentest, but for whatever reason, the infrastructure pentesters were expected to know how to do WebApp and AppSec stuff. Weird, huh?
Again, this is a question for the interviewer. Would I ever be put on a project that I’m not qualified to do, such as AppSec? Their answer might actually surprise you.
I was lucky to have worked in several industries before coming over to IT, so I knew more about corporate structure than most people coming out of college. When you land at a firm, take notice of the different departments and how many people seem to be in upper management.
A telltale sign of a firm that probably has a host of problems is one that does not have dedicated departments for traditional roles within a corporate setting. The exception to this would be startups, companies with less than 5 years in business or companies that have just recently taken off.
Certain companies will have been a 3 person team for years before they started to snowball and need to expand rapidly. Some people love startups. Small team, big impact with the company and large room for growth and responsibility. Others prefer going with a larger company.
But if you get hired at a company that has been in business for almost 20 years and they don’t have a dedicated sales team or they outsource things like accounting, HR, etc, start looking deeper. Do they ask you to promote things on your private accounts like LinkedIn and Twitter? Does something just feel off? If you’ve been there a month and you feel like there’s a chance your paycheck might bounce, it could be time to start getting your resume together…again.
Another thing to look at is the ratio of upper management/C-Suite executives to regular employees. Does everybody besides you seem to be a director, vice president or chief blah blah blah? How many jumps are there in your chain of command from you to the head of the department or the head of the company? This will tell you everything you need to know about growth in the company. If you take that position, where do you go from there?
Again, startups are different!
The Job Market
The market for jr/mid range pentesters/red teamers has shrunk. I know people that have a solid 5 years of proven experience with public open-source projects, advanced certs and industry contacts. Some of them have been out of work for 6–7 months.
As stated before, if you have 10–15 years experience you’re not going to have a problem finding a gig. And the gig that you do find is probably going to treat you a lot better than the 22 year old they hired at 80k. That’s the nature of a lot of businesses.
It’s very rare to find a Bobby Cooke or a Chompie that burst onto the scene and wind up at X-Force Red in a couple of years. Most people that want to do this type of work needed hints to get through Dante. That doesn’t mean they can’t be molded. But in this job market, who is investing in that?
Now, there are a few things that I probably (more than probably) got wrong in my previous post, so here’s a retraction. The vast majority of people doing bug bounty are not making 4–5 times what consulting companies are paying.
I take it back.
But there is a portion of the web/app security community who are skipping the traditional job experience and going straight to bug bounty. Whether this is part time or full time, this is definitely happening.
A recommendation to new graduates looking to get into cyber is get an actual IT job to fall back on as you work through your certs and side projects. Sysadmins, DBAs, Cloud, these are all great skills to have so if you do land at a place like I did you can bounce right back to a role based on your skills while you find another gig.
DevSecOps is another beneficial branch of IT for somebody wanting to get into pentesting. This is also kind of competitive though. Go where your interest lies so you’re at least having fun until you get to have fun.
Another job I saw a month or so ago was for a Red Team Engineer. This was really interesting to me because it was basically red team support. So handling all of the infrastructure for the team, setting up domains, etc. If you can find one of these positions, that would easily help you pivot into a red team/pentesting role.
Ah, the certs. So I guess this portion really ruffled some feathers.
Here’s a list of the certs/courses I did before I was hired.
Offensive Security Certified Professional
Certified Red Team Operator (with Covenant)
Certified Red Team Professional
Sektor7 Malware Development Essentials
TCM Security Python For Hackers
TCM Security Ethical Hacking Course
TCM Security External Pentest Playbook
TCM Security OSINT Fundamentals
TCM Security Practical Phishing Assessments
Seems like a lot, right? This is on top of all of my sysadmin certs and IAT Level 2 certs. If you don’t know what that is, a quick Google search would probably tell you. I didn’t take the CRTP exam, but I finished the coursework and the lab.
I also had a number of personal projects like setting up Rogue APs, custom payloads for Hak5 gear, CTF walkthroughs from Vulnhub and I had my own AD lab with a few write ups.
This is just a snapshot of my resume (minus my actual employment).
All of these courses have great information, an organized syllabus and curated content. At the time, CRTO was the only cert that actually focused on AD. I had to do the course using Covenant since I didn’t have a Cobalt Strike license.
PNPT wasn’t around yet, it was just a course. OSCP had not adopted the AD aspect into the exam, but it was in the course.
There were some advanced certs back then, but not like now. I think OSEP had just come online after they retired OSCE.
I haven’t been through any of these courses in a while but my guess would be that they have actually improved quite a bit since I went through them. And I do sympathize with the people behind them, especially the independent content creators that are designing these labs and running their own certs.
I can’t imagine the balance that it must take to keep your content relevant while also trying to maintain uptime on a lab. Implementing changes has to be a real pain.
When I went through OSCP, Defender was turned off on all the machines. I’m not sure if they have an AV evasion portion in their material now or not.
Most firms will have custom loaders and implants for an operator to use and you would get payload execution as if the defense isn’t there. At that point Defender, CrowdStrike, whatever, doesn’t matter in the context of execution. But additional post exploitation getting detected does.
Saying that current training courses do not prepare newcomers for a real job in the industry isn’t some concept that I dreamt up myself. David Bombal had an interesting interview with Neal Bridges, an ex-NSA hacker, a couple of years ago.
In the interview, Neal said something to the effect of “people who think they are going to exploit a real world web app with 1=1; because they did it with DVWA are in for a surprise.” That’s all I meant.
How many of the attacks taught in courses are detected by EDR? DCSync, LSASS dumping, PrinterBug, etc. That’s not to say they won’t work or that the processes will be terminated before execution, but they will alert. Psexec-ing across a network will get noticed. Could you get DA? Sure. Will you have to sync up with the client for a deconfliction because they saw the alerts on the console? Maybe.
And I get it. You have to crawl before you can walk. I think the disconnect isn’t as much with the certs providing a solid base of information, it’s that this type of candidate just doesn’t seem to have a home right now.
When it comes to needing certs, I have never, ever, ever, ever, seen a cert that claimed you would get a job after having it. Let’s be clear on that. What’s confusing to people starting out in the field is the list of certs on every job description.
We all know that OSCP is the HR gatekeeper. Getting a job without it isn’t impossible, but you see it on most pentesting/red teaming job descriptions. That list has grown now and you will see PNPT and CRTO/CRTL out there more and more. eJPT and the other ones from INE have been around for awhile too. But the main cert that every hiring manager wants to see is OSCP.
In the US, it’s actually a requirement for a lot of pentesters working for agencies like the Department of Homeland Security and the Department of Defense.
So, can you expect to get a job if you get OSCP? No. But does it seem like you’re not getting a job without it? Yeah. Especially without industry experience. It’s not that you can’t get a job without OSCP, but in my experience, you’re going to have a hard time even getting an interview without it.
Look, OSCP has gotten out of control. Even when I went through it the course was way too expensive. This LearnOne whatever is horrendous and even when I was looking at possibly doing OSEP, I gave up after they went to this new platform.
I would not recommend getting your OSCP before getting a job in pentesting. Some (all) may disagree, but that’s my opinion. I know that sounds weird because I just implied that you’re not getting a job without it.
I would say go after other, less expensive certs, make a name for yourself with personal projects, TAILOR YOUR RESUME (skills based resumes get attention) and land at a smaller firm. Get THEM to pay for it. Also target firms that make you do a small CTF before getting hired. Those firms usually put less weight on certs and degrees if you can pass the CTF.
I see the market going much more toward what the physical pentesting industry looks like. How many people do you know that can pick a lock, use proxmark syntax, clone RFID, utilize an under door tool? I bypassed my own home security system so I didn’t wake up the baby when I needed to let my dog out at night. CoalFire has yet to knock on my door.
The physical pentesting industry is really small. You have some dedicated physical people that only do physicals. Others are network pentesters that get to do them when their firm sells one 2–3 times a year. Becoming an exclusive physical pentester will be difficult as everybody wants to do it, but there aren’t enough jobs/demand for it. This is how I see traditional network pentesting going in the next 5 years, but I could be wrong!
Some of these are great. Taking a singularly focused course on lateral movement techniques for $20. Fire. $1000 for an EDR evasion course to learn XOR encrypting strings and process injection with CreateRemoteThread... you decide.
Another highly controversial thing is the college degree. What I will say on this is that it won’t hurt, but it might not help either. I have a degree in Information Systems. I was making well over 6 figures before I graduated with it. This is quite common, but THIS IS NOT TO BE EXPECTED!
I have never been hired off my degree. To tell the truth, nobody really even asks about it. Now, that might be because on the 2 pages of my resume, my degree is 1 single line, or it could be something bigger like hiring managers wanting skills/experience rather than traditional education.
Student loan debt is another thing to consider. Thankfully, I didn’t pay for my degree (If you live in the US, care of the GI Bill, you did! So thanks!). Had I actually paid for my degree, I would be pretty upset. But I didn’t go to Princeton, MIT or Stanford either so I don’t have any experience applying for jobs with those credentials.
I have heard great things about Western Governors University. I think you get certs as part of your degree path or something. Look into it!
I’m not saying don’t go to college. I think getting an Associates degree from a community college where the Pell Grant takes a lot of the financial burden off the student is the smartest educational move you can make. RedHat Academy is one of the best options for people to get into Linux admin stuff, but the world always needs Windows and Networking people too.
I don’t see much value in a graduate degree in cyber if you want to be an operator or team lead, but others may have a different opinion. Some companies will give you years of experience based on your education. For instance, a position may want 7 years experience, 3 with a masters. Of course, graduate degrees are a lot of money.
A lot of debate on this one too. If you read closely in this post you probably saw a weird requirement for a certification, IAT Level 2. Those who know, know. Those who don’t can find out quickly. Regardless of what this will signify to people, the salaries I talked about were what I saw in the industry and continue to see now.
I know some people will say “well, if they need IAT Level 2 then that means they have this thing so of course their salary is going to be higher.” That’s simply not true. In fact, it’s harder to find a job that requires that thing, even in this market. And for people that have that thing, it’s really important to keep it.
Also, let me make something very clear. Money is not the only or even the most important factor when I go to look for a job. If it were, I’d be an SAP architect making 140 an hour.
But money is an important aspect of any employment opportunity. In any job, ideally, you want the most money and fun with the least amount of responsibility.
Sometimes this balance is thrown off. Tons of responsibility and very little money. More money, more responsibility. More money, less responsibility. With most jobs, the money goes up as the responsibility goes up. Finding a job with the right balance of responsibility to salary can be difficult.
For me personally, being able to leave my cyber role to go back to being a sysadmin as a fallback was a safety net that I had put in place long before I took that position. I needed a job! I wanted less stress so I went back to being a sysadmin. Turns out it just paid more.
Had I been really happy at my firm, been having a ton of fun pwning the CIA with little stress and a great team and then been approached with that sysadmin role, I probably would not have taken it. And that’s the truth.
In my previous post I wrote about being approached about a web app job that paid 120k. This was a few years ago and I suddenly remembered that the actual pay was 100k, 120k all inclusive. So the cash value was actually only 100k. The reason I didn’t take that job was because of money, but also because I’m the least interested in web apps of all the security topics. Had that been a job doing physicals…maybe, like seriously maybe. The money is important, but it’s not everything.
In fact, just last year, I was offered a job (not in security) with a starting salary of 240k, but it meant being in the office 4 days a week and a 1 hour drive each way. I said no. They even talked about putting me up in a hotel for those 4 days. I said no. I decided to stay at my lower salary, work my fun little job and be able to do the laundry or write shitty loaders in C# while also on a daily stand up call.
People get touchy about jobs, salary and job advice. IF THIS IS YOUR DREAM, GO FOR IT!!!! You can even reach out to me on Twitter or Discord if you have a question about a job or putting your resume together.
And you should expect a higher salary because pentesting is a highly technical role. But higher salary doesn’t mean 150k. I would say if you’re not offered 100k or higher try to determine why or negotiate with the hiring manager for an early evaluation and salary review.
Take that position at 80k with a salary review after 90–120 days. Get it in writing and have measurable benchmarks on your progress with the company to negotiate a higher salary. And if you reach those goals at 90 days and they don’t give you the bump, make a decision then.
I’m not going to get political, but what I will say is that in the US, 100k doesn’t go as far today as it did even a few years ago. We all see it and we all know this. It’s 2024 and inflation is on the rise. Wanting more money is not evil, it’s expected. Things cost more now, shouldn’t your work?
The Veteran Influencers
Most of the criticism I saw to the former post was from people who had 10–15 years in the industry. For the life of me, I’ll never understand why anybody would care what any of these people have to say about breaking into cyber (the obvious exception being a hiring manager).
A lot of them can probably give you really solid advice on how to create your own course/cert because that’s what a lot of them are doing right now.
If you want to know how to break into cyber, ask the person who just got hired at their first position if you can take a look at their resume. Many will gladly DM it over to you. If you want to know how to break into cyber in 2008, ask an industry veteran influencer.
And that’s really all I have to say about that.
Would I Go Back?
Surprisingly, I have not had one person ask me if I would go back or what it would take to go back. I’ve stayed up with the current trends, documented current attack methods and I have a fairly well known blog series/github repo that I’ve maintained. Five or six months ago I even bought a MalDev Academy lifetime subscription and have worked through most of the modules.
So would I go back? I don’t know. Maybe. That would depend on the firm, team, culture, all the things I talked about. It would also depend on the salary. A lot has changed for me personally since I left cyber and with family considerations, money/insurance can make a difference in these decisions.
I don’t think I would go back to network pentesting, but I would be interested in a physical or social engineering job. And even if that perfect job comes along, I would really have to think about it. I still get anxiety thinking about report approvals, irate CISOs and last minute client update PowerPoints.
I love security. I think I probably will always love security and I’ll probably always be tinkering with labs, loaders and whatever iteration of Havoc or Covenant or Sliver comes next. In 50 years, I guarantee you I’ll be babbling to some grandkid that doesn’t care about how I was there when the AD-CS craze was going on.
So I think I’ve addressed everything that I wanted to. To sum up, vet your potential employer, a cert doesn’t mean a job, a cert doesn’t mean you’re ready for a job, Cs get degrees, you should make a livable wage, the person with 15 years in has no business telling you how to get a job, SECURITY IS AWESOME!
Smell ya later!