Over the last year I have transitioned from a ‘Junior Support Technician’ to ‘Security Analyst’ to ‘Junior Penetration Tester’. This is how it happened:
Starting my IT career as a ‘Junior Support Tech’, I learned how to become a functioning member of an IT department. I was responsible for tickets, backups, server/workstation builds, etc., the low-level stuff. During my third year in this position, I realised that I wanted to work within security, so I set my goals and started studying using Hack The Box and VulnHub. I had always been one of those skids playing around with Wi-Fi in my area and reading up on exploits/honeypot statistics but had *never exploited live systems for fear of the obvious. So I set my first goal: to pass the OSCP.
I had heard that this certification was sought after in the industry and without it no one would accept the CV of a junior guy with a few years under his belt.
So, I saved up and purchased 30 days of lab time with the PWK course. Months of Hack The Box had helped massively, getting a feel for exploitation and learning the importance of fully enumerating targets and services. HTB helped a lot.
After a 30-day lab extension I passed the OSCP exam. I was thrilled! I returned to work and told everyone in the IT department! Then reality hit and I continued changing keyboards and explaining basic machine use to telephony agents. For some reason I expected my day job to level up after completing this goliath of a goal. Now I felt empty, having completed a goal I held so high. So, I pulled together some savings and purchased the OSWP three days after receiving my results.
I started writing my CV, OSCP right at the top of the page next to my name, wrote a load about my previous positions and got a call back within 30 days. Security Analyst for a global SOC on the same business park as my current employer; no-brainer. I applied, interviewed, and presented a “Current Security Threats to a Business Operating in Cyberspace” presentation to the Director of Security and got the job.
It was a shame to leave my initial junior job. The guys I worked with shared their wealth of experience within the IT industry and were more than happy to explain anything I did not understand. However, it was fundamentally necessary for me to leave and progress towards my goal of hacking for a living.
My time working as a security analyst was decent. I was given a lot of time to investigate threats and research. My employer understood that I was an offensive guy in a defensive position. They tried to cater for that with small amounts of internal testing and allowed a lot of time to study, but ultimately I was employed to patch systems/discover vulnerabilities to pass down the chain.
I had a lot of free time during this role, and a training budget* (on management-selected courses).
So I was able to complete the following:
- Qualys – Vulnerability Management.
- Qualys – Web Application Scanning.
- Symantec – Endpoint Protection 14.0 Maintain and Troubleshoot.
I also sat my OSWP exam during this time as I was getting close to the 90-day limit period and passed! It was around then that I realised that I had gathered reasonable experience with Offensive Security and had the certs to back it up. Granted, it was only six months in a professional environment, but if I could get an interview with some like-minded, enthusiastic security people, I may be able to convince them to give me a job working as a Penetration Tester.
So again, I started writing my CV, added OSCP and OSWP to the tag line and searched for jobs. Around this point I started questioning my luck: Penetration Tester vacancy at * – 10 miles from my home location. It’s worth noting that I live in Wales; Wales has very few security roles and I’ve managed to find two perfect roles within 6 months.
So here I am, working as a Junior Penetration Tester for a comfortably sized company with fantastic colleagues. I have a training budget that is much more relaxed and enables me to set goals and gain experience that helps me and my employer. I understand completely how lucky I am to achieve this goal in such a short period; however, I have worked almost every day to achieve it.
I’d like to note a couple of goals I have for 2019:
- Get content on this site
- Fluent in Python
- Learn C (ish)
- Crest CPSA & CRT
Thank you for reading!