#cyber-and-careers
So you want to go to a community college to avoid taking a test? I mean that's not a bad plan but it still may not be as easy or as cheap as you think
dumb question
so....
@pseudo creek can i get an associate degree from university? or it is a degree only from college?
Only from community colleges
so bachelor/master only from university then
An associate degree is basically a general studies degree with a few specific classes thrown in
for me could be worth it? i mean where to start since i have 0 basics
Kind of... in the US, there are 4 year colleges that arent community colleges
don't confuse me pls
General studies are also required for the bachelor's degree
So basically no matter your route, your first 2 years of college are general studies. History, English, math, science, social studies. Then the last 2 years of college are specific to your degree
Lots of people fulfill the first 2 years at a community college
hem....
bachelor takes 4 years at least but if u go for associate first it will take only 2, based on points x h
well because associate is the first 2 years of a bachelors but a bachelors is required at the minimum I believe for immigration to the US unless you pursue other means
and an associates isn't really valued much in the US, it is better than a high school diploma but it is also very generic
In terms of education, an associate degree falls between a high school diploma and a bachelor's degree
it is a pre-degree
yes
we don't have that here
so at the start it hit me like tf is this?how to learn this etc
i was shocked
like an associates seems equivalent to the UKs 16-18 year old education
UK is different from USA?
GSECs is what I think they call them?
very much so
don't ask me that😂
i don't have any idea
nah just statement
also...
how to get associate degree? i mean about grades
they have GPA scales, but we have like number grade e.g 7/8 etc
do i need to meet the minimum req to earn an associate/bachelor?
user comment: Otherwise, if you are going to invest 2 years, you may be better off taking a masters degree in your present field or get an MBA. Though you generally need a GPA in your bachelors of 3.0 or better.
you do, generally its a 2.0 out of 4.0
but if you plan to go for a masters, you'll need better grades than the minimum
lets do in my grade to understand better😅
imagine i have 6 out of 10 in my diploma ok? will it be enough to go to a college/university in USA?
no
but you'd have to talk to someone who specifically knows about how grades are done in your country
wdym how they are done?
6 out of 10 is.... 60 out of 100
which is pretty bad in US terms
GPA 1😐
but
in EU is not bad also
in USA there are people who are bad at school but then go to university
that is why I'm saying, maybe college admissions would look at you differently being from Switzerland
i don't have idea
my grades are not very high in my school
this is pretty much why someone would go to community college, so that they could get good grades / second chance and go to a University / 4 year college... if they got bad grades at the community college, they still couldn't go to a university
ah so
u mean going for a associate degree (community college)
2 years to try to be good
because community college accept everyone while university not
kind of, but you don't even need an associate degree, you just need to meet the requirements of the university
u mean this right?
so a community college accepts everyone within that community
you just need to meet the requirements of the university........ wdym? if i go to community college and get average grades...it will count college grades not EU grades i got
yes, but you need better than average grades
but basically a university can still reject you if you go to a community college
based on what? they need proof to reject
Community college also has a different goal than a 4 year university. Community colleges focus on vocational training, not preparing the student for further academia.
They don't, actually. Candidates can be rejected for not meeting minimum academic standards, but even good grades isn't a guarantee of admission. Most universities have a limited number of new students they can bring in each year.
you would need to talk to the community college to figure out your best options for transferring... they should help guide you
but you should also target a community college in the state of the university you want to go to
in switzerland we have 12 universities, in USA more than 4k
and universities have quotas for foreign students / students on a student visa
we also have 330 million people
that's most for private university, i want to go to public ones
our universities aren't empty
you gonna tell us US university requirements now?
what
public universities reject thousands of people every year
imagine privates
US citizens or foreign students?
both
not meeting academic standards, the university being at capacity, and for foreign students, there is a hard quota of how many students they can accept
people can have great grades and a crappy entrance essay and be rejected
then mostly won't go to university....
yes and most don't
even that won't guarantee you entrance to a university
....
so half of US citizens aren't graduated?
i mean most of them
don't have any degree
yes most of them don't have a college degree
college? u mean associate degree?
but there are various options available, non traditional schools as an example or for profit schools which are less academically inclined if you pay $$$
any college degree
so, they just ended high school like i will do?
normal diploma i mean
some don't even get that
$$$? 3 times bro i feel bad
i think $ is most important xD
there are 2 options in the US... you can 'test out' and get an equivalency diploma
they can close an eye
which is the 2 option?
you graduate from high school
but lots of people drop out of high school and test out either when they are young or later on
wait
ur saying i should leave my high school rn to go to finish in USA?
only 1 year before my diploma?
...mhh
my parents will do that
i just have decide what i want to do and how
I mean you have to meet requirements to get a student visa
why do you want to come to the US?
why not,, i like the country
and i would work there
have you been here?
there are US citizens who comes to study here, why i can't go there then?
never
I mean I'm just asking, lots of people have an idealized view of the US
I told you not to DM me
oh sweet summer child
😐
in order to work for the Gov, you'll need to be a US citizen and go through extensive background checks. Now switzerland isn't a frenemy country but still ties to another country make it tricky to work for the NSA (CIA, FBI, etc)
nah
most of whistleblower were from usa
e.g snowden
they do a background check etc
polygraph exam
ok if you know more than us, go for it
if it is all correct, why would be a problem?
are u from usa?
yes
basically the background check includes finding out if you have ties to other countries...
a foreign national with an aim to work for the NSA is a big red flag
ah
i can get what u say
but if i will live there etc, won't be a red flag right?
once u get US citizen
it will take years to become a US citizen but even not all US citizens are eligible for clearances / working for the gov
if u think am crazy or smtgh, i dont get it as an offense
hellooo
so i've almost finished a ba of IT, thinking of shifting towards security engineering.
any recommendations for certs/courses i could pair with the ba with a sec ops/ security engineering focus?
was thinking CISSP is probably the one i've heard of the most hoping for some extra input tho or if the extra certs even worth chasing up
I don't even think you can be a naturalized citizen and work for the NSA. You have to be born in the US or born to US parents living abroad while they themselves are on assignment.
Foreign Nationals can get low level clearances but it's an extremely difficult process.
You'll also have to renounce your citizenship to your home country and you're going to put your family through a lot.
can't have dual citizens?
No
You have to swear your allegiance to the US. That goes for just getting a citizenship without a clearance too
I can tell you right now, you're not working for the NSA
I'm not trying to be rude, just realistic
@cobalt reef You might not be aware but there are experience requirements to get the CISSP (https://www.isc2.org/Certifications/CISSP/experience-requirements#:~:text=Candidates must have a minimum,year of the required experience.), even if you pass the test. Have you thought about what exactly you might want to do within security engineering? (Cybersecurity is a very broad field)
You need 4 years experience, since you have a degree, in an appropriate domain in order to get the title of CISSP. Even if you have passed the test. Otherwise, you're an Associate of ISC²
was under the impression security engineering was its own field of cyber and covered the implementation of security solutions or does that fall under the role of an analyst still
Bigger companies will have the role more defined; smaller companies likely will not. For example, I've held the title "security engineer" but also had to do GRC (Governance, Risk, Compliance) activities. In the real world, it really depends on the organization but the CISO mindmap by Rehman might help visualize the different areas: https://rafeeqrehman.com/2022/04/24/ciso-mindmap-2022-what-do-infosec-professionals-really-do/
@cobalt reef (there will likely be varying, passionate opinions on this so heads up lol)
thanks that's a huge help and makes sense i got placed into an "it management role" recently but im essentially doing sys admin and web dev lol
Gave +1 Rep to @clever rain
but essentially since i've done alot of programming informally before my degree and outside of work as well as a fair bit of penetration stuff simply for the fact i wanted to know how it worked was seeing if there was a way to combine them and from what i saw security engineering sort of fit that but ill look through the link you sent me
Sounds like you have the right mindset! The only other thing that I'd add besides focusing in on the area that you enjoy, is making sure that whatever you are doing is providing value to the organization. This way of thinking can become muddy very clearly if you work in a large vs small vs finance vs NPO vs healthcare etc. Whether "right" or "wrong", if whatever you are doing is consistently perceived as "blocking" the business/organization, then there will be struggle/conflict. Of course organizational leadership could be hard headed and fine to accept organizational ending risks so we might have to stand our ground (or leave) but whenever possible, saying "Yes" with conditions will likely get you much farther than flat out "No! We absolutely cannot do that because of <insert valid reason>". This becomes a lot easier to do if you are working in a part of security engineering that you enjoy while understanding how the organization works. Good luck my friend!
Second this. A big part of getting sign-off for changes to happen is getting someone to be responsible, which can be a huge blocker. It is the job of security specialists to build the bridge for organizational change, not to put up the wall preventing money from being made
"Sure you can do <really dumb thing>. I need you to get sign off from your director all the up to VP for me to approve the change for SNMPv1 to be put on the public DMZ"
@cobalt reef one more final thought...I have degrees and a bunch of alphabet soup and so do most of the folks in my team. However, I hired almost 10 security engineers this year and not once did I screen CVs for certifications/degrees or ask if they have a degree or cert. Obviously this is anecdotal but it "feels" like many of the "good" organizations to work at don't care about certs as much as before (just my observation, I have no data to back up my statement). I'm probably opening up a huge can of worms here so to clarify: I'm not suggesting that certs are worthless (you absolutely have to have them to work for the DoD or consulting for example) but maybe focusing on projects, networking (like TryHackMe forums), and experience might lead to better opportunities and certs are just icing on the cake. Not sure if this helps but food for thought at least. EDIT: Clarified by adding "...I screen CVs for certifications/degrees"
thanks for the help everyone
ill keep those things in mind you guys have cleared up alot for me
its more the fact that most my experience is informal atm that i was considering certs to make up for it, it was essentially the same reason i went for a degree haha maybe i just need to find better ways of presenting projects as formal projects but anyway i appreciate it
I would say that virtualjj's case is unique. I would consider getting your security+ as it will likely make things easier paired with a degree.
Also, idk how I feel about not reading people's CVs. Those people put time and effort into preparing the document and to me at least, not taking a look is kind of not respecting their time. I do however see the flip side of not wanting to introduce bias.
I'm also assuming you said CV meaning resume.
it doesnt sound like a bad idea honestly i just wasnt sure what cert to go for which is why i said CISSP originally since id heard of it the most
but ill most likely get a security+ cert to pair with my degree
Yes, so I think i pinged you earlier, but Sec+ is a fundamental cybersecurity cert
given CISSP needs the formal work experience
CISSP has the work experience requirement
think i only saw the CISSP ping
oh okay
is there any other certs that i would need at this point or would a degree and sec+ be enough
I only had a degree* and a company took a chance
oh okay awesome
yeah that makes sense
The CISSP is not a very technical exam. I've heard it described as a "mile wide and an inch deep". I feel that the test teaches you language you need to be able to translate between management and security team. I think it's a worthwhile certification and you will likely learn a lot, but I would look into it and make sure it's the things that you want to be learning.
If you want to see what training I used for passing the CISSP, check out the playlist below. FRSecure runs a CISSP Mentor Program every year and it is fantastic. https://www.youtube.com/playlist?list=PLETKkWHNA3qjMWR61bBseaI1J_3zP5tlp
If you are short on the required experience, you can still take the exam. When you pass you are an "Associate of ISC2" and when you get the necessary experience you will gain the title.
Yes, I know. My initial ping said that
Sorry, I didn't think to scroll up.
apologies @stoic cave - what I meant to write was I don't screen CVs...for certifications or degrees. Of course I read the CVs!. I will edit my post. Doh!
internally should be internal
You are right but thats what i received by mail
Then I'm not sure what your question is
The thing is, the CISSP title is what is most important about this cert, not ability to pass that exam. This is managerial cert, and 'associate of ISC2' does not do much for you really in this realm. If somebody wants some ISC2 certs, there are lower certs with lower experience requirement. Passing exam, and paying fees for years and not being able to use the cert is pointless imo, especially that it's not a cheap exam.
(CISSP isn't a managerial cert in the US)
Well, yes, a lot of certs lost value in US :D Still, experience is most important part of this cert, and the title. What is the point of spending that money if you cannot even use the title?
well I agree with that
CISSP in the US is good for people once they have been in cyber for a few years, want a promotion / higher responsibilities / etc
I don't recommend people get CISSP until they have the experience requirement
I know that some companies want it for entry level jobs, and I have no clue why. I think ISC2 needs to communicate better or something?
yeah, this
you actually know they want it for entry level jobs or are you looking at mismarked jobs on LinkedIn/Indeed?
I saw with my own eyes CISSP for L1 helpdesk in big enterprise. I need to start taking screenshots. It was definitely an exception, not rule.
I know that P&G demands having CISSP or doing it up 6 months from employment, regardless of the sec role you have there.
At least it's not prerequisite.
well my company basically wants any mid level cyber person to have CISSP regardless of role
but yeah, mismarked jobs are the problem too
midlevel makes sense, it implies some decent exp
midlevel in sec is pretty far :)
well like 5-7 years in
about to apply to an infosec associate analyst job at a previous healthcare system I worked at, wondering what you guys think of my resume? i have a non-IT background and most my experience is in clinical pharmacy. currently pursuing other certs (Az-900, CySA, net+) and upgrading my computer to virtualize a home lab, but haven't started yet. if i should add, edit, or remove any sections to make it more impactful, any advice appreciated!
So, ok for cissp, exp fulfilled, but demanding it for entry roles or from people straight from college is not really great, imo. Idk... there are other certs to validate people's knowledge. Also, it's a different story when company pays for it too. Just people without exp, even if they pass exam, cannot call themselves cissp, so what is the point to require that?
I suck in resumes, so I back off in that. Check Blue Teams Labs Online, they have solid labs.
i would remove tryhackme from the experience section, i don't think most places are gonna care about experience outside of a real world environment
but it may be worth to put into personal interests/projects
that, and THM boxes are left insecure in some way so as to facilitate learning, whereas real life machines are much more limited in scope and rules of engagement. don't get me wrong, thm is a great resource for learning, but i don't think any company would consider it a valid reason to hire you
that's at your (or their rather) discretion
so your summary basically doesn't mention cyber until the last 3 words... Basically you should focus on saying you are looking at pivoting... like "Healthcare professional ... then you start talking about your interest in pivoting your career and focus on cyber after that or else you lost me"
"professional experience" - I would include some blurbs on how you work on a team, any leadership, etc. I'd drop the internship
"certifications and training" - keep security+ here but drop the other stuff and put in another section near the bottom
"skills" - I hate to say it but no one really cares if you can use Windows, macOs or office... if you can administrate that, its a different story. I'd build this out a bit include things like "vulnerability application testing using tools such as..."
"non-professional experience" - change this title to something like "personal development"
As you are probably aware, your resume is really lacking. Do you have a github or writeups or something you can share? Also, what is your overall goal, what type of position do you want?
no one is arguing with you
Not a valid reason to hire, not, but it shows that you are interested in the topic and learn around. Of course it does not count as real work experience because it's a ctf, at the same time in 'personal development' it can help. It of course depends if hiring company cares about it. Imo, building virtualized environments, even small, treating them as real world projects, hardening and all, and documenting it well technically and from project management angle, may help.
i agree here. perhaps note the doctors in Pharmacy but don't pad most of the resume with your experience in that field, you're going to want to focus on your cybersec knowledge/experience since that's what this resume is for. to be entirely honest, my eyes glazed over for a sec reading the professional experience section
I know :) I am just adding :))
yeah I mean as soon as I got to the second line of the summary, I was throwing this in the (figurative trash)
right. i mean don't get me wrong, it's great that you have a doctor's as it means you're willing to get down and dirty, per se, but you can definitely trim a lot of the fat from that resume @odd sparrow
another tip; i personally make my resume as modular as possible so it's easier to specifically tailor to any job listing i apply to
customer service? emphasis on customer service experience, resolving issues quickly and efficiently, etc. security? emphasis on security, monitoring cctv and security centers, etc
I have a github, but only has a few simple python projects from guided videos and courses (like snake, pong, and jumper frog), nothing cyber related. Only writeup is a reddit post detailing how I passed the sec+
Overall goal is to pivot initially into an analyst role, and to work towards working in a blue team environment, specifically SOC, IRT, or forensics. I have an interest in cloud security as well
yeah, this is a solid advice
thanks, most of it comes from personal experience so im glad it can be beneficial to someone 🙂
Gave +1 Rep to @outer swift
would it be better to just remove the publications section since it's not IT/cyber related?
I would keep that towards the bottom
hmm reddit is iffy unless you have a reddit account dedicated to just infosec, I'd look at maybe transferring that writeup to github
My 2 cents: Proficiency means high level of skill, basic or intermediate proficiency makes no sense. Also, don't mix systems and tools into one category. Pick few skills you know best, and focus on them. If you want to go to analysis, consider doing BTL1 - it has a practical exam. BTLO have a lot of investigations, and these are labs, not tutorials, so to some extent they show your skill too. Write few solid reports - employers love good documentation/report writing skills.
Check Jason Blanchard's (Banjo Crashland) job hunting videos on youtube. There is a lot of good advice there for people without experience.
oh which reminds me... this is a pretty solid video on writing a better resume https://www.youtube.com/watch?v=uqhOlOdwavU&t=672s
Thanks for this! Been working on mine recently, could use some advice
Gave +1 Rep to @pseudo creek
Thanks all for the insight, already modified the top couple sections to make it more applicable to the job and removed lots of fluff. Also touched up my github with an Azure Sentinel project I had worked on the side.
https://www.sans.org/scholarship-academies/vetsuccess/?utm_medium=Social&utm_source=Facebook&utm_campaign=VetSuccess 2022 has anyone applied and used this and if so what was your experience with this program
@odd sparrow Many of the fine folks here have given some really good advice. Something else you can consider is that it might make sense to try and get a call/video conference with the hiring manager(s) to explain why you are pivoting before applying. Unfortunately, depending on the job description, hiring manager, and job applicant system, your CV/resume will likely get automatically tossed or passed over in favor of candidates that appear to be more qualified on paper. My take is you'd probably have a better chance by networking if possible. One huge advantage that you have is that you understand and have experience in the industry where in many cases, infosec folks do not. Without seeing the job description of the role you are applying for it's hard to give more specific advice but if you will be staying in healthcare, I'm guessing showing/demonstrating that you are up to speed on HIPAA could get you far since healthcare is a highly regulated industry. If you haven't already, try to network with other infosec professionals working in the industry; perhaps you can share your insights on what it was like getting a phd and submitting peer-reviewed publications in exchange for the advice. (i.e. help others and they will be more inclined to help you) Just keep trying and don't get discouraged if folks say no. Just reading between the lines of your CV and what you've written here, you just need that one opportunity to get your foot in the door; if you can stick out a doctorate in pharmacy, I don't see you having much trouble being successful in cybersecurity!
Are you a veteran?
Or your spouse is active duty?
I'm a bit behind in chat but I kinda agree. The whole point of CISSP is to say you have CISSP, which you can't even do until you have the x years of experience
Also learning the concepts covered in the CISSP might have more value after a few years of enterprise experience and being able to apply these concepts into an environment you already understand practically. 🙂
Hey everyone. I currently am in a job interview process for a junior penetration tester position and I have a question. Some backstory on me, I got into tryhackme a lot in the last 2 years and moved over into an IT position and started looking into getting some certs. Because I was hard focusing on certs I had to put offensive studying off for a bit. Fast forward to now and I now have my net+ and sec+ and am almost ready to take my cissp after studying for a while. Well as a shot in the dark I decided to apply for a penetration tester position at a company I would love to work for. I have gotten past the interviews to the assessment portion now. My question is, is it normal for a beginner to not be able to root an assessment given to you by a company? I have found a couple security issues and vulns but just can’t land an exploit to completion. I know I just need more training to get it but I just want to know if I’m just not ready yet?
it really depends what they expect and are looking for. I would an assessment would be how you handle it, regardless if you got all the way. I would wait to see what they tell you
Thank you for the reply! Makes me feel better about it and worst case scenario is I get my first experience interviewing and assessing as a penetration tester. Right?
Gave +1 Rep to @pseudo creek
I need some help. What are roles called when an consulting attempts to get into a companies data center or office in person ? I know this is consulting, but what is the title specifically ? Thanks !
That isn't necessarily consulting.
The action is "physical pentesting", but like most other aspects, it's usually not a specific role. A physical pentester likely also has other, more-frequently used aspects to their job.
Physical pentests aren't massively common.
Thanks ! These roles seem interesting.
Gave +1 Rep to @undone shore
Anybody try Over the Wire ? Is it more advanced than most platforms ?
It is basic but fun
Then check out this as a template, and associated conversation below https://discordapp.com/channels/521382216299839518/707992725646999553/936122225369702461 It helped me a lot ❤️
Ah nice. I think my problem is that I have no experience, so I'm finding it hard to fill up space with useful things
It's hard to get a job in IT. In this video, NetworkChuck will show you how you can get a job in information technology with no experience. Tired of getting passed up for Information Technology jobs? It’s probably yo...
If you haven't had the chance to get that experience via a job so far, maybe you could "prove yourself" via home labs, walkthroughs, skill badges, course completions...
what? is that really what he says because... thats a bit yikes
home labs are great, they can show interest but also home labs these days can be using a cloud environment or virtualization environment. Building a portfolio overall is useful, use something like github, put your write-ups there, put any scripts/stuff you create related to cyber security there
but skill badges? course completions? those are much less useful
do not waste precious resume space with those
Network Chuck is a cool guy and I like his content, but it seems much more focused on learning for fun and enjoyment than learning for roles imho
Obviously that's not a bad thing, and it's good for getting people interested, but a lot of his content is like "look at this cool thing, isn't it cool, play with it!" rather than comprehensive teaching stuff
Hey guys new to the discord! RN looking to change careers into cybersecurity. I have an associates and bachelors in nursing. I have no experience in the field and just looking for info. Has anyone had success in teaching themselves without doing a boot camp and finding a job?
Cybersecurity is not an entry level field in the IT landscape but it is possible to learn a lot using TryHackMe and other resources like books and courses. If you go onto the THM blog, you can see lots of success stories of people migrating from other professional areas. A lot of people use THM to learn as they grow their skills and aim for certifications, either professional or academic but there are lots of paths to take.
Right now, there are two Humble Bundle collections of great cybersecurity books (linked below) that we frequently discuss in #bookclub, including the Tribe of Hackers collection which includes interviews with cybersec experts discussing their various roles and how to go about getting there. Cybersecurity is a fun journey and you should check out the links in #start-here and go on and try the Advent of Cyber, a set of beginner challenges leading up to Christmas
https://tryhackme.com/resources/success-stories
https://www.humblebundle.com/books/hacking-no-starch-press-books-2022
https://www.humblebundle.com/books/holiday-encore-become-cybersecurity-expert-wiley-books
A good start is to get some certifications. Might want to look into the A+ exam, then go from there.
Basically he says you should have a website to showcase personal projects, and provide the url on your resume. He recommends putting homelab stuff on your resume if you have no experience. The sample website he shows off had skill badges on the site. - Though, I'm not sure I'd even want to put skill badges on a website.
The only time a hiring manager would look at your website is if they are really interested in you. It is good to have a portfolio because maybe there is something on your resume that makes them interested and they want to see how well you can write / present topics & ideas.
I guess it wouldn't hurt to put certain courses on your LinkedIn, for instance. Maybe not every single THM room/learning path you have ever done, but there are some courses that can at least add a note to your resume that you are involving yourself with it.
Now, will this help with recruiters? Probably not always, but you may once in a while raise interest and get contacted. From there you might be able to score an interview and then you can use it to empower your own narrative.
What I think is even better: set up a blog, go through courses and write about it. It shows your active involvement with these topics and writing is a seriously important skill in the business world.
Oh, and don't hesitate to promote your blog posts on LinkedIn. That's quite literally what this website is made for.
Hello, good day.
I am a student and will very soon graduate from masters of cybersecurity.
I've been self-learning and focusing towards SOC L1 to get a job in that when I graduate, I've finished CyberDefense and SOC L1 paths in THM.
I've also watched CEH and Pen+ on Udemy just to get an idea while focusing more on defensive-side.
- I have 2 years work experience as IT Technician
- Have 0 work experience in cybersecurity
Since I've finished all the blue team paths in THM, where should I head now? Should I start trying to get a certificate like CySA+? But then I've always heard "Qualifications before Certifications"
Thanks
do you have any certs now? Like Security+? I'd start applying now honestly, I'd also look at the Splunk certifications as those will be of interest to defense/blue teams
No I don't have the certificate Sec+ because it seems not to be needed here in "middle east" and I feel like having master's in Cybersecurity should just cover the need of it, but I've learnt it.
I've been applying recently, and yes I literally have the Splunk page open thinking to start with it.
ahh ok, you mentioned CySA+ which I usually don't see comptia mentioned much outside the US. Also US based masters really wouldn't cover anything much in terms of an entry level cyber position but I don't know about masters outside of the US
No, my master's didn't really cover the content of Sec+. I meant that Sec+ is kinda a starting point and just learning it without getting the cert is enough, and that if I were to get a certificate I should start higher, on ones like CySA+ or others on the same level, I don't know.
that isn't a bad path if cysa+ is recognized in your country for jobs
Ok thanks, I'll be looking to get started for either Splunk Certificate or CySA+/ISC2 certs.
I am alone anyone wanna come in my server
hey so I have just completed the eJPT certification and I was wondering what should be my next step, maybe eCPPT? OSCP? if someone could guide me a little thanks
what are your goals?
probably pursue a job on pentesting? but not 100% sure, atm just want to keep learning
what experience you have now? what country?
I would recommend doing ISC2 cert instead of CySA+. ISC2 is more recognized
What about BTL1? I assume it's the least known?
not worth
better if you get the Splunk
since a lot of SOC uses Splunk SIEM
Alright, thanks.
but the CySA+ cert is more recognized than the ISC2 cert... but not by much
not in the recruiting standing point
most recruiting tools scan your resume, it's not read by the human eye
uhh ok if you say so, I'm not in the middle east but I do participate in hiring/interviews of cyber peers
they will be looking for CISSP, not for a random cert that I can't even tell you what its called
I mean, i guess it depends on the company
whats it called? do you know? because you called it ISC2 cert
I know our automatic resume filtering looks for certs by name, not by the provider
but also, we hand look at resumes too even if they were rejected sometimes
But i can tell you @slate crag if you do get an interview, make sure you know your steps for incident response
how you would go about dealing with phishing emails
KPI
just basic security stuff
if you take either Sec+ or ISC2, they provide that knowledge
CySA+ is more technical than memorization
Thanks a lot, appreciate this.. noted.
which ISC2 cert are you referring to?
SSCP
Thanks
Do you have any certs in security? if not, i would first recommend SEC+
and then go for SSCP
SSCP is more advanced
Sec+ isn't too hard
I have studied it but never done the exam, was aiming to start with a bigger one. Haven't seen anyone in my country who works in SOC have SEC+
So I thought to start with a bigger one
I have CISSP, thanks though.
Most of them have certs from Microsoft/eLearningSecurity
I would not spend your own money on certs, unless it's to get a junior role. If you can, try to leverage your current job role and employer to pay for the certs so you can make the transition
As mentioned above ^, I have 0 work experience in Cybersecurity (2yrs I.T Tech) and will graduate soon with a Master degree in Cybersecurity and have been self-studying on platforms like letsDefend/Cybrary/THM and now since I've finished blue team paths in THM recently
I was wondering my next move, was thinking of Splunk certificate
A M.Sc in CyberSec can actually be a detriment when you are starting out.
And will overqualify you for many entry level cyber roles.
oh no
So you have 2 years of work experience in IT Tech? Can you elaborate on that
I was in maintenance department for an I.T company, fix hardware/software for the company and clients..
Made sure everything is running
What does that mean? Did you do solder repair on broken boards? Replace malfunctioning equipment? Reinstall software? Write patches for software?
yes except for writing patches
Ok, so that's a decent place to start from.
My advice would be to get an entry level sysadmin or network admin cert (CCNA, RHCSA, Linux+, et al) and transition to systems engineering or IT infrastructure
From there, it's a much easier transition to a security focused role than an IT site support role
Ye that would be great, wish I had a sys eng job before now
I have CISSP too and really SSCP isn't something we look for, I don't know why but it's not, we look for Security+ over that
would make it much easier I bet
Hello everyone !!
I need some path guidance..
My goal is to go for bug hunting..
So, I have completed the Jr. penetration Tester and fundamentals
Now, Should I go into bug hunting ? or complete any other tasks/rooms on tryhackme
??
Hello all! I am an army vet and currently in a DEVOPS pathway going for SEC+, CEH, and SPLUNK certs. I am looking to find a good entry level IT job that will apply the stuff I am learning in everyday use on the beginner level as I have no IT experience other than what I am learning now. Are there certain job titles that I should be looking for while seeking this? Thanks for any and all responses!
assuming you are in the US, it varies widely but things like security analyst, security engineer are common titles. You could also look at things like SOC analyst, GRC analyst, incident response analyst
also part of the problem is job titles may be similar whether they are junior or senior so those job titles don't guarantee they are junior, just options that could have junior titles
Question for my UK peeps: how do you tax bug bounties? I've not done any yet, but I've been looking at potentially trying some, for experience, but I can't really find any conclusive evidence on how you tax them if you get rewards. While I doubt that my novice self will get any payouts for any bounties I may find, in the event I do I'd like to know what I'm supposed to do with them.
simply do not tell anyone
Hello fellow British woman. It depends how much you earn in a tax year. If you earn £1000 or less from solely the service you provide as a bug hunter then you don't need to do anything.
But if you earn more than £1000 in a tax year you'll need to fill out https://www.gov.uk/self-assessment-tax-returns
I am a woman, but thank you for the information. I wasn't sure it was so simple, because usually bug bounties are in $ and as I understand it foreign currency is taxed differently, but I'll give that a read to see if it answers my questions
I suppose if it became an issue I could talk to my bank, they should be able to advise (you would hope at least lol)
I made no error 😅👀
You're fine
Mb but if in doubt you can just contact HMRC directly and they can provide advice
That's true, I hadn't considered talking to them directly, just because dealing with govt offices is a pain
True, nothing can be worse than student finance though.
Please don't speak of student finance to me, I do not wish to be reminded of their existence \j
I have spent hours on the phone with them, they're ridiculous
Then they give you the wrong advice after all and its actually this form and not this one its just gr
It goes through as a separate form. You need to register for self-assessment. Not sure about online but certainly if you do it on paper (don't ask) you have to print off another couple of pages. It's not a huge deal. Just a faff
If you happen to hold SC... good luck
I don't hold SC currently, so at least that won't contribute to the paperwork nightmare
What are the recommended entry level certs? I mean I get that most times it's about what you are capable of and what you have done.
I'd talk to a CPA or whatever the UK equivalent is
what is your goal? what country are you in?
Always been a jack of all trades. I'd like to do start off with bug bounties and any type of hacking(red, white or blue)
what do you know of computers already?
well you don't need a certification to do bug bounties as that is free to anyone to do
and you didn't say what country as certain countries put certain weight in various certs, although for pentesting, OSCP seems to be accepted worldwide
I could work remotely but with right circumstances I would relocate to wherever
that's not how working 'works'...
obtaining work in a country that you do not have the right to work in is insanely difficult and not worth it to most companies unless you have a very specialized skillset
I can design websites, graphic design, know a bit of python, intro to Dev Ops and I worked as help desk and field tech
Doesn't it depend on your skill?
begin with THM's beginner path then
to build on your current knowledge
reiterate what you already know, etc
not really, I mean if you have a unique skill like you are only 1 of 100 people in the world that can do xyz and a company needs someone that does xyz, that could change the tables but it is very difficult for companies to hire outside their country
Agreed, I have been building up. I'm currently level 7 and I'm learning new and old stuff I already knew just to get a different angle. Once my skills matrix is well rounded I will begin CTF challenges with other hackers
Some countries do not require a work visa like the uk
Well for people from my country
it isn't that, it is because every country has their own labor laws, they have to be able to comply with your labor laws as well as their own
but like I said if you want a cert that is applicable worldwide, OSCP is a solid cert
Ex colony same laws
?
Thanks I will look into it
Gave +1 Rep to @pseudo creek
if you have the right to work there, then you are golden... it just isn't that easy to find remote work outside of your country (or outside of region where you have the right to work)
like even in the US, a lot of remote work is still tied to a specific region / timezone and most companies won't allow remote work from foreign countries (even for US citizens)
I'm too much of an optimist I guess 😂😅 it's probably because I managed to get a few graphic design jobs in the US and UK once in a while
I believe in being the best in the room and if I'm not I shoot the guy who is, jk 😂
@little gust please don't send me unsolicited friend requests
Oh my bad, I'll cancel no stress bro
Just networking and knowing like mind folks, no big deal. I canceled the friend request
i understand the intention but just sending random friend requests isn't necessarily the way to go about it
Like I said no harm, no use further discussing it, no?
Yall are mean, I'mma tell my mom 😭🤣 thanks Dolphin, I appreciate that
Gave +1 Rep to @carmine jolt
haha, it's just good to be aware 🙂 that counts for everybody here!
I got adhd too many rules for me to read through all at once. I'm new here, I'll get there eventually or just keep to myself 😊
Well it's actually ADD but ADHD is more well known
your risk 😉
I have a condition, takes a while, hope yall bear with me
Small suggestion, you should make the dyslexic and other impaired friendly version 😊💙
I'll pass it on to the admin ✅
do you have any suggestions on what you'd want to see? I don't decide on this matter but it would be good for Hydra to have some suggestions. If you want, drop a msg in #general as this is not the right channel for these kinds of things
A short to the point list would work for me, video or audio too.
phoenix please leave it 🙏 not everyone experiences things in the same way
Ty
Gave +1 Rep to @carmine jolt
Wasn't sure where to ask this,
but does anyone know how to add the profile embed into linkedin?
this : <script src="https://tryhackme.com/badge/664929"></script>
Hell just put it in with the certs they let you link to anything in there. Pornhub doesn't work we tried, but yea according to hacker1 it's a best practices issue.
pornhub 😭 ???
yh but i want the embed
i need it to look good
We were curious if they filtered anything TBH they blacklist instead of whitelist.
or should I use denylist instead of allowlist
unless something has changed in the past year take a picture it will last longer
ty
linkedin is all about who you know as well. Network with people. Join study groups. Branch out.
The absolute hell would I write in these boxes as an unemployed person, with only customer call centre experience?
dealing with clients
Write as if you have done the job you're applying for, as someone who does freelance work from time to time
can you relate aspects of your house husband life to the role? Ie, deadlines for chores, meal prep, child care and herding, etc
@misty musk Call Centre experience is quite good since being able to talk to people is arguably more important than tech skills in some cases. Perhaps use examples of your experience that might help on the job. As for how to relate your current role...perhaps this is an opportunity to take a chance and show some humor and/or personality? Or, ChatGPT is all the rage so you could try playing with that for inspiration. I put in the question of:
As a stay-at-home dad, in two sentences please tell me how your current role relates to a job in cybersecurity?
and the answer I got wasn't terrible IMO:
As a large language model, I do not have a current role or personal experiences. However, as a stay-at-home dad, you can still play a role in protecting your family's online security by setting strong passwords, educating your children about online safety, using parental controls, keeping your devices and software up to date, and using a secure connection when accessing sensitive information online.
Edit: Formatting and tagging OP
Hi guys
Do you need to work as a pentester first to become a malware analyst?
It's a bit different fields.
But you need some sort of offensive skills right ?
- I am helping people making informed decisions in IT, so I acquired good experience in consulting and broad technical knowledge.
- IT consulting
As far as I am concerned, you sit at the computer, open new malware samples in a VM, run them through a few tests, also check something manually (F8, F8, F8, F7, F8, F8, like a woodpecker), then make some signatures from malware behaviour and that's pretty much it. After this you open another sample and repeat it all again
What you really need is knowledge of ASM, patience and love for forensics. Otherwise, it will be boring as hell for you, because it's quite tedious - to check through so much obfuscation, antisandbox techniques etc. Some malware you will probably know "in face", some can be a bit sophisticated, APT-related, some you might even miss.
And if you are really into it, then just reverse, reverse, reverse. Learn ASM deeper, learn Anti-Debug and Anti-Anti-Debug techniques, learn your toolset, check out some courses, check new malware from "the wild"
Thanks
Good day All, when someone finishes a path, for instance the security analyst where one would do the three courses (pre security, SOC1 and Jr pentester), what else should someone do before trying to get a starting job in cyber security? Looking forward to a response from who can answer
The default answer is get certified
you are talking about some dynamic analyst testing but that isn't all that is done, there is static testing and sometimes there is programming involved to interact with the malware
Hello pen testers, I would like to ask a few questions. What is your day to day like as a pen tester? What educational path did you take and how did it work out? What is college like for a computer science degree? And how much is entry level pay as a pen tester?
And another question, what is the day to day life in cyber Forensics?
I start college next fall and I would like to know what I will be expecting.
wow... that is a lot... it also varies by what country you are in, even pen testing in EU is different than US, degrees are different and all that and pay is drastically different
I am in the USA
My point was that it's not related to offensive part. But thx for addition, it's true.
Gave +1 Rep to @pseudo creek
ahh so I can start with computer science degree (to an extent), there will be a lot of programming, but it basically builds a foundation for other careers which you may embark upon.
Entry pay in cyber security varies throughout the country but someone with a college degree is usually in the $60k-$80k range
I'll leave day to day life for pentesting to someone else although I work with pentesters and red teamers. I deal with them on the reporting and presentation side as well as prioritization of issues.
For forensics, it can depend on what type of forensics. I've done some intrusion forensics in the past and it is really tracking down what was done, when to what by whom. It can mean sifting through logs, it can mean evaluating system images and using various tools for that. It should be a team effort.
yup, it is a definite blue team activity
thanks for the response, what security analyst certification would you recommend
Gave +1 Rep to @hexed magnet
Humble question @warm hinge ...why are you thinking about being a pen tester and/or forensic analyst? Said another way, why do you think that those roles are for you?
Assuming no exp/background in IT, you'll need CompTIA's Security+. But you also need to figure out what team/specialization you want to be in, Red/Blue. That will determine the next certs you'll need to get.
I have always wanted to be an ethical hacker since I was 10 years old. And I want to explore the opportunities in cybersecurity. I want to become a network engineer to learn more about networks, then a malware analyst to learn about malware and how it operates then digital forensics to investigate cyber crimes and learn what hackers are up to, then I will be a pen tester for the rest of my career. I will have a complete foundation.
@warm hinge I see - sounds like you really love it! Okay, for your original question(s), you're going to get a lot of varying answers but here's mine, as a dude that manages 6+ pen testers. Typical day is going to be similar but very different depending on the organization. Educational path might be different too; many organizations require degree + certs, some don't. I got folks on my team with no certs and some with advanced degrees + certs but since you are just starting out, try to get a few foundational certs and keep networking and reaching out like you are now. But more than anything, make sure you have a solid understanding of business and can communicate well. Communication is super important when explaining what's on those forensic or pen testing reports. Doing what you love is one thing but doing what you love to make a living is another; ideally you want to make a living doing what you love but you might have to take some jobs that aren't what you want but you need the financial support. If you end up in that situation, don't be discouraged and still learn what you can. And it's okay if you get knee deep in forensics and/or pentesting only to decide that it isn't what you want to do for a living. If you aren't already, I highly recommend following what Heath is doing at TCM Security and keep hacking away here at THM. Good luck my friend!
Thank you, and that works perfectly because I am taking business as a minor.
Gave +1 Rep to @clever rain
How did u get started then?
Consider what kind of freedoms each job has and whether there is room to grow or move around within each company.
During my first job as a sys admin (with 0 security functions in my job description) I went out of my way to suggest and implement various security controls every chance I could. That beefed up my hands-on experience (and resume) enough to land a full-time InfoSec job. If Cybersecurity is what you want to focus on, you'll find a way to make it happen.
How did u get started as a sys admin? Did u get a degree or?
I got the job about 4 months before I got my degree. So technically it went Job>Degree>Certs. I did a lot of self-learning between courses, mostly from content creators like Professor Messer, ITPro TV, and TryHackMe. Between all of this, I was able to confidently hold technical conversations during interviews.
sorry if this is a dumb question but what degree was it?
Just an Associate Degree focused on IT.
thank you!
Looking for some help. Master in Computer Science with Security+ cert and top 1% on HTB. Looking for a SOC analyst role. Currently bartending. Thinking about taking the CEH even though I hear the cert isn't great for anything except getting past HR. I have a small SIEM for my home network and my web server, but other than that I have no SOC experience. My IT experience was a job as a Systems Analyst that started as an internship and moved to part time when I was completing my Masters. I finished in 2018. There's a gap because I had a family member who was terminally ill so I took care of them. Moved cities and couldn't get hired so I've been bartending since about 2019. Any advice or is this a thing that's "damn, that sucks" kinda thing?
@bleak pine I had certs and a degree, had been using computers all my life (e.g. building, fixing, etc.) but nobody would hire me because my professional experience was only in music and at the time, paper MCSEs (Microsoft Certified Systems Engineer) had flooded the market. This was during the dot com bubble. I had to take a job in accounting and others but kept applying, applying, and networking. I finally got a job as a sys admin for a school. Then moved up to help desk as a military contractor, then sys admin again and then networking, virtualization, and other jobs before I even started full time in cybersecurity. Everyone is different and of course things are different in 2022 (e.g. housing issues, crappy market, layoffs, student loans) but my path was not easy. It took me 10 years to pay off a student loan for a degree that wasn't even in IT. lol However, IMHO, the two things that haven't changed and likely won't anytime soon are communicating well and people networking. Those two skills help with any career and it's tough for techies like me that tend to be introverted. All the "crap" jobs I got (IMO anyway) were from applying online; all the fantastic jobs have been through people networking. (This is just my experience, note that I'm not saying that jobs applied for online are always crap)
Thank you!!
So what exactly would u suggest for a path for a person trying to become a pen tester? Would you say college would be better or certs or trying to go down a similar path with going through the online jobs like you did?
Gave +1 Rep to @clever rain
@warm hinge
My coworker is actually moving to a cyber job without a cert. It's not about the cert.. It's about your knowledge.
Assuming you get a chance to demonstrate that knowledge.
You need a way past the HR gate. That either means knowing someone in the company who can vouch for you (i.e. good networking), or having certs / a degree / relevant experience to back up your CV during the application.
If you don't have any of those then you could be the most proficient cyber professional on the planet and still be rejected.
Yep. I agree. I have a 2009 A+ cert.. and a lot of experience.. That's about it.. oh. and trade school.
Cert got my foot in the door into IT. That's it.
Aye.
It's worth getting a couple of the entry-level certs if you're trying to move into cyber / get your first job in cyber. Provides a baseline proof that you probably know what you're doing
That ^^
Can't complain there 🙂
Even if it's the most horrible company you've ever worked for in your life... I stuck it out for 2 years...
then cut
Heh. That's where lots of certs come in handy 
I got to pick and choose my grad job a bit.
Rephrase on my "coworker without a cert" thing.. oh no.. he has several certs.. just not in cybersecurity..
On which note, I should really get back to WUMED 😆
Let me be very clear.. He has Azure, MS, AWS lots of things. lol.. just not related to cyber field.
Tbf, proprietary cloud certs are pretty much all that's available for cloud cyber, so they're still very good / relevant if you're getting a cloud pentesting job
Heck, I'm working on the AWS stuff rn
I mean.. I can probably hit him up on Teams to ask exactly what certs he has on Tuesday when we go back to office/remote/mostly remote/i have to go into the office that day.
I'm still looking for good cloud pen relevant info. I cannot find educational material.. Maybe I'm just not searching the right terms...
Nah, there are very few cloud pentesting specific courses / training
You need to get just the regular in-house stuff from the providers
AWS has a security architecture course iirc, for example
You'd be best doing the earlier ones there first though
@pseudo creek is also the person you wanna talk to about cloud security stuff. It's... far from my speciality
Also interested in Azure
SANS has SEC588. 🙂
Logged
Oh.. Take notes on stuff. 🙂 good career advice.
nite all
@bleak pine it depends. College first? Depends on the college and program as well as the cost of the school. Certs? OSCP might get you some interviews but depends on who is hiring and if you have limited experience (I know, I know...catch 22) you'll get filtered out at the interview. Applying to anything you can find online will be a numbers game however, will be good practice for interviewing and you'll eventually be able to talk yourself into a job. If it were me starting over today, I'd focus on getting any job in IT and I would be working on all college/degrees/experience at the same time...Get a few certs while you're in college (some schools like WGU I believe have certs as part of the curriculum) and apply for internships and/or jobs along the way. If you happen to find a job while you are still in school; take the job and finish your degree part or quarter time. Whatever you do, please do not go into debt for a degree for a career in cybersecurity. At the end of the day, you'll learn a lot from school and studying for certs but companies are hiring for these pentesting roles (and other cybersecurity roles) to manage risk and become/remain/increase profits/value which is why they tend to favor folks with experience. Remember @bleak pine I'm just some dude on the Internet and I don't know you so please take my comments with a huge grain of Himalayan salt but I do think that answers to questions like yours are usually going to be some form of "it depends" because there are just so many variables to consider and luck, for better or worse, is one of those variables in getting good, meaningful employment.
I've held a few of the professional level AWS certs, the associates ones, as well as the security one. A friend had me consider interviewing for an AWS job and guess what? AWS didn't even care about the AWS certs. They were still going to have me take a basic IT skills online test and whatnot so I didn't even bother continuing. Note that this is in Asia; perhaps it's different stateside but from my own anecdotal experience, AWS didn't seem to care about its own AWS certs so unless you are going into consulting or a role that requires these certs for AWS enterprise agreements (need to have x number of professional level certified staff), I wouldn't lose sleep about not being certified. As a matter of fact, I'm letting all my AWS certs expire. (If you are just starting out however, they might have some value of course; my situation is different so huge caveat.) If you haven't already and if you want to focus on AWS, check out the AWS Security Digest; there is usually a lot of information about AWS cloud pen testing: https://app.mailbrew.com/zoph/aws-security-digest-HrkhwqNrwBBk/97
Black Hills InfoSec / AntiSyphon has some good (inexpensive) stuff on pentesting cloud. Basically, if you know security, you should be able to apply that to whatever technology. I have never pursued security focused cloud certs but just cloud certs. Cloud certs do go a long way in the Cloud Security realm if you can show you know security on some level as well.
I'd peruse the AntiSyphon site on various cloud specific security training
https://www.antisyphontraining.com/
Home of “Pay What You Can” Training. Antisyphon provides high-quality and cutting-edge education to everyone, regardless of their financial position.
Wow - I've worked with Black Hills before (they are super awesome!) but didn't see Antisyphon. Checking it out now - thanks for sharing!
Gave +1 Rep to @pseudo creek
so is it a good idea to go around small businesses asking if u can do a small assessment of their website to see for any vulnerabilities ( kind of like mini pentest) just to get some experience and so i can put that on my resume
and its also helping them as well
No, absolutely not. If you're conducting a security assessment, you're essentially performing acts that would otherwise be illegal and you might not be qualified to properly detail and agree the extent of a penetration test and the consequences of your actions. You would be advised to join an organisation who can arrange the penetration testing activities, as you would likely need the assistance of a lawyer/solicitor to define to what extent you are liable when you might make a mistake and bring down or otherwise negatively affect their service, gain access to information they were not aware was exposed, and you might also need help discussing/defining the scope, etc...
You might gain some experience by learning how to properly undertake bug bounties (don't expect to make a lot of money at this, at least initially, and join reputable orgs like bugcrowd/hackerone/synack, for instance)
thank you for keeping me out of prison ( not being sarcastic, honestly thanking you) ❤️
Gave +1 Rep to @rugged delta
If you're learning to conduct a security assessment, you'd be expected to be part of a team who would have the knowledge/skills to conduct all of the tasks around it. A normal third party pentesting company would have expertise in the various aspects of performing a penetration test. I know you mean well by encouraging small companies to improve their security posture but it does take a large amount of effort. It's why a lot of companies recruiting cybersecurity talent are looking for you to hold professional certs like Security+, CISSP or OSCP etc., and why you gain knowledge and experience in a regular IT field performing security duties like secure coding, network security architecture (installing firewalls, IDS/IPS, proxies, systems security etc.) and the policies and procedures around these things.
There's a lot to consider and that's why, when you're doing cybersecurity work, it's good to have plenty of experienced people around you and a good legal team 🙂 When you're learning, you need places like THM, HTB, etc. to take care of all that for you and as your skills grow, you'll find other resources like PicoCTF or other platforms specialising in learning other aspects of cybersecurity... Plus there's all the books, courses, certifications to help you learn and demonstrate to employers that you are learning valuable skills. You're at 0x8 H4CK3R level on THM. You're doing well. Keep pushing and you'll get to where you want to be
thank you my dude i think i just needed to hear that ❤️
Gave +1 Rep to @rugged delta
I'm hesitant to suggest this but setting up a legitimate business (e.g. LLC), cold calling, and offering your services BEFORE doing any assessment is a great way to learn sales, communication, and business, so I'd say yes for that. Don't sell yourself short and offer "free" because free is typically associated with "not valuable". Set a reasonable price, be upfront with your potential customers about your intentions and emphasize the win-win, and work from there but be prepared for a lot of "nos" and/or "f* off", assuming you get a reply at all. You will need to learn about contracts and in your contract, you'll need to be very clear that your service is just a mini-assessment and is not meant to be used for the customer's 3rd party vendor contracts, assurance, etc. If what I just wrote doesn't make any sense at all, then I would avoid this route so that you don't end up feeling defeated or worse, sued. Doing an assessment without permission (even passive scanning) would be a big no no and will almost certainly put one in legal trouble so definitely not cool as already mentioned by @rugged delta. Again, I'm hesitant to offer this advice but entrepreneurship and following through on your ideas is really, really valuable. If you try this route, please focus on really, really small companies and limit the scope of your service to something like DKIM, SPF, and DMARC because that's almost always a problem. lol @rugged delta just posted more good advice above, especially the legal team comment, so keep that in mind.
thank you but i think doing all that and setting up a legitimate business is kinda out of my scope right now( im still new to all this)
No worries! I'm sure you'll be successful. You seem to be hungry which is good! I'll be rooting for you fine sir!
Basically, everything we do outside of our learning environments (our own personal labs, THM, etc.) requires some legal expertise, whether it's vulnerability assessments, pentesting, storing information for a client, hosting a server, etc. These days compliance is a huge aspect of everything we do. In my prior job, we couldn't even discuss some activities in relation to the workplace without first having our boss get a representative from legal to review and approve the topic, for our own, and the org's protection
Oh Dear God do not offer to do technical assessments without legally binding authorisation documents.
No matter how small a scale. You will end up sued.
Or otherwise prosecuted. Doesn't have to be the business complaining about it -- computer misuse laws still apply.
Also, cold calling is just shitty smfh
Pretty decent way to make sure you end up on do-not-hire lists if you make a name for yourself by pissing folk off 
was going to my old bosses( really chill ppl btw) and ask but following @rugged delta advice and not going to jail seems pretty nice 😂
Yeah, maybe avoid going to jail. That's another thing that can often put a dent in your employability...
idk, free boarding, free meals, networking, seems kinda nice
sorry going off topic but yea @rugged delta and @clever rain are right not worth the legal trouble and not really there yet but i will get there 😄
@undone shore nobody has offered advice to do assessments without authorization, and I don't think that was the OP's intention. "You will end up sued" is not an absolute but yes, point taken that it's risky which is why I wrote "hesitant to advise" and other caveats, specifically contracts. Yes, cold calling sucks but there is a right and wrong way to do it. You do understand that businesses have to find customers and sometimes that means reaching out. As a CISO, I have to deal with cold calls every single day and the ones that are honest in their intentions, usually get my time, even if it doesn't lead to business. As for this case, yes, probably not a good idea, hence all the caveats. As for do-not-hire lists, sure, if one is a complete a**hat in their approach (e.g. annoying, persistent, dishonest) but as I mentioned, the OP is probably going to get rejected anyway however, if his approach is good, he might have some contacts for later down the road when he is ready. Anyway, I think the conclusion is clear that for the OP and agreed by the OP, this is definitely a no-go so the world will be fine!
Learn about contracts
Does not a lawyer make
Hence the "legally binding" caveat.
That said, you have more patience than I do for cold callers. Personally, if you're calling me to sell me something which I do not want and haven't requested then you're taking up my time, and interrupting whatever I had my mind on before. i.e., you're a nuisance, regardless of how respectfully you're doing it (though respectfulness would certainly play a part in no-hiring, fair). Although I do agree there are better ways and worse ways to do things... email, for example.
it wasnt really going to be cold calls, it was going to be ppl that i know and are willing to help out, im not randomly choosing ppl out of google maps or anything, it was going to be ppl i trust and have known for a good while. sorry for not clarifying
Aha, all good -- I think we're on the theoretical at this point 😆
@undone shore man the times have changed. When I write "cold call", I was actually referring to emails. Nobody calls these days. lol Regardless, good discussion points and I think these points will help others! Thanks again for the points!
Gave +1 Rep to @undone shore
@undone shore now if we are talking about actual phone calls...then let's not talk about recruiters. lol
if were going theoretical then im definitely cold calling bill gates 
Christ, yeah...
Between recruiters and PPI firms...
PPI firms??
TL;DR:
https://www.financial-ombudsman.org.uk/businesses/complaints-deal/ppi/ppi
Was a big thing in the UK
Millions of people have claimed back mis-sold PPI. Find out what PPI is and if it’s likely you had it.
In theory the claim backs have finished, but I still get the odd call about it. The calls are just scams at this point though
Oh, and injury compensation calls...
True about the lawyers
When doing my cybersec postgrad I had to do a project on the GDPR during my Law and Ethics class. I did tell my solicitor about it at a family gathering and she said 'better you than me', but I'm by no means a solicitor. The only legal advice I'm qualified to give is 'I'm not a solicitor, go consult your own one to continue this conversation'
@undone shore but ur car warranty is about to expire 
Yeah, that 😆
In Japan it's a bit more tricky as the "law" in regards to cybersecurity is well....tricky. On one hand, things are really relaxed but on the other hand, you can get smacked unreasonably hard. My meetings with chief legal counsel are often hazy on what is okay vs not okay. And then there is the language component of interpretation, intent, etc. I love this country but man, lots of mental gymnastics sometimes. lol
In many pentesting exercises you would tend to plan out the extent of your actions, down to the commands and switches you're going to use, in a lot of cases. They'll all end up in the report afterwards if you do the report correctly but it's generally part of the legal agreement of any pentesting activity that the scope of the test is part of the legal agreement and the procedure should always include having a 24/7 contact with your client and gaining specific, signed approval for the activities you're undertaking. This could also include stop-and-confirm steps in the process, whereby, after you have gained signed approval, you would still pause the testing and contact the client, getting further written verification (such as an email from an approved individual) to proceed with an activity.
Your intentions are generally to not interfere with the normal functioning of an operation but some of the techniques used could potentially cause a Denial of Service (intentional or unintentional) by interfering with network operations or bringing a server down or other production interference. This is something you try to avoid. A lot of pentesting work can be conducted on pre-production systems and red teaming is usually attempting to be discreet as well but you would only conduct that level of assessment in an organisation that already is expected to have a mature and refined security infrastructure in place.
This is why THM is such a great platform, you have the ability to conduct your activities to any extent on your assigned targets and can learn the effects of your actions in a controlled environment where the worst that can happen is you'll need to terminate and launch a new copy of a target you've broken
Very true however, this is not necessarily done across the board in my experience. I'm currently responsible for a number of pen testers (e.g. in house and outsourced) and I've of course used external pen test services from the likes of Black Hills etc. Correct me if I'm wrong but your points are related to outsourced, external pen test organizations providing services to a customer, correct? In that case, the methodology is applicable to Japan as you highlighted but mainly because I know it's the right thing to do (hence one of the reasons why my org pays me a paycheck every month). However, believe it or not, for my internal pen test team, a lot of what you wrote is not necessary or required to explicitly be written in legalese; I don't require full blown reports but I do require tickets and walkthroughs with the affected teams. Of course many of the fundamentals still apply–don't disrupt business for example–but in regards to an internal pentest team, they have the luxury/privilege of actually understanding the intricate details of our service as well as how our teams work so the reporting requirement has been loosened and other requirements to stop-and-confirm are universal for all teams. I'm actually lucky to even have an internal pen test team so there's that. lol THM is absolutely fantastic however, and again using my own anecdotal experience, none of the THM exercises that I've seen so far are applicable to my business and tech stack so while great for training and indemnification for legal action, much is out of context. Huge caveat, I'm only here for Advent of Cyber and to make sure I don't lose touch on much of the technical stuff. If I find things relevant I will work with my team but I think the biggest value here is the mindset of solving problems.
Oh of course if it's an internal pentest, you won't need to go into all the ins and outs of the legalese in every encounter. There'll be rules and processes and definitions already in place and in-house legal will already have an understanding of the extent of your activities and its impacts on the business, there'll be a chain of reporting up through risk management and legal and up to the CISO and other executive officers, since cybersecurity should be an executive concern. I'm sure the involvement of the pentesting team is part of the development/production process and yes I hope they would be familiar with the infrastructure to a great extent, and possibly a greater extent than the administrators in many cases. How you manage internal assessments has a great deal to do with the internal culture of the organisation, and the security environment and it seems your work is well-embedded in that.
I'm sure as you go along you'll find more things relevant to your specific environment, there are about 600 objectives on THM and yes, the mindset is a very important aspect of learning this skillset. The AoC is great, especially from a beginner perspective and much of the content on THM is aimed to get people interested in cybersecurity from a basic level up to a moderately competent level where they can understand and pursue certifications/careers and potentially up to an advanced level. It's a great community to learn various skills and competencies and many go on to other specialist environments too based on what they learn here
Oh, that's not true. I have received multiple cold calls from vendors to do an assessment for the org to purchase their products; however, I have not been in the role they thought I was for 4 years.
Thanks for the info @pseudo creek and @clever rain . Bookmarked both sites and will check them out.
Gave +1 Rep to @pseudo creek
The lol I wrote was in jest; of course there are still actual phone calls, just not as much as before.
Hi
Heyo! Which path is the hardest/most directly relevant to a career in security? I'm graduating soon and wanted to brush up and maybe learn some new helpful topics to prepare for some new grad roles in security
I started the red teaming path yesterday and so far it's been pretty helpful but I wanted to check in and make sure that's a good path to pick
Probably not a good fit company, but either just that (unemployed and service). Try to relate the exp to the role. Or, ignore the details and put hobby exp.
try to learn networking basics and do fortinet courses for new technologies such as SASE, ZTNA, WPA etc
Hello everyone Namaste
I'm beginner in cyber security and I'm having lots of problem while starting and don't know how to start and what to learn . So is there anyone who can guide me to learn the cyber security ?? I really wanna study it but having lots of problem
Awesome thanks for the advice, I'll look into the different techs! Haven't taken a networks class but have learned a lot from my other CS coursework so I'll try to review and solidify that stuff before interviews this break
Gave +1 Rep to @glossy tree
Hello Computer geniuses, I would like to ask a few questions and this is for the experienced. What is one class you regret not taking in college and why? What classes should I pay attention to that are important that most people don’t? For example an analogy “before I can run I need to learn to walk”. What advice would you give to someone going to college for computer science? What was your biggest mistake in college and how did it affect you? What would I expect in computer science major? And what is the hardest class that most people hate that has the best outcome and how could i prepare now? I am in high school I start college next fall so I want to be prepared.
hardest class that has the best outcomes is probably algorithm theory...
I wouldn't worry too much about undergrad, try to choose classes you think you'll enjoy. In the end, it is the degree that matters because Comp Sci programs are pretty standardized. There is some variation but not a lot. Take chances if you can to learn more about networking and operating systems.
What books do you recommend?
Todd Lammle for networking
I'm also studying for the CYSA+ -- any recommendations of TryHackMe rooms for practical experience ... already tracking NMAP...thanks much!
The Introduction to Cybersecurity, Pre Security, SOC Level 1 and Cyber Defense paths should be on your radar if you're working towards a SOC/Analyst role and the Investigating Windows series, which can be found in the Practice area of the Learn section
Any thoughts on Red Team Certified Operator by Zero Point?
I've heard really good things about the certs. From several reviews, the training is quite high quality. The guy who created them intends for them to be affordable certifications for people learning the trade. There's a few people here who have done one or both of the certs
just a quick question : What is the better qualification , CPENT Master or OSCP ?
OSCP
thanks
Unless you're in India, you should probably avoid EC Council altogether. There are problems with that company and there are much better organisations out there
I am in zurich
Then best bet is probably OSCP. Search on LinkedIn and other job sites and see what companies are asking for. Sec+, CISSP and OSCP are generally the 3 most requested certs where I am
Anyone with network+ can give me a basic idea of what the test asks you and how it’s like?
And some important things that are recommended to know?
Check out professor Messer's content for Network+ and a few other certs
OSCP is awesome, if you have the time and the money you will not regret it
Could healthcare informatics or EHR analyst roles be considered IT experience? Also if I keep my full time non-IT job, could a per diem/weekend helpdesk job still expose me to IT concepts and experience that could get my foot in the door to go full time for cyber or a senior IT role?
Don’t think I can take a pay cut going from my current pharmacy job to full time help desk due to mortgage and family. So was thinking of keeping pharmacy full time and help desk per diem, or vice versa if the total income is good enough. Then would pursue full time IT/cyber once that salary is decent.
In my opinion, your best bet to get into a cyber role is to leverage your understanding of HIPAA/HiTRUST and medical compliances into a GRC role.
Understanding how to maintain compliance is huge and a very valuable skillset to have
Some of the ISACA certs like CRISC, CISA or CISM can really help, the remuneration for these certificate holders tends to be about 150k and the exams are reasonably priced
The idea of GRC sounds great. What should I aim to get out of a grc role if I want to eventually work in a soc/MSSP/blue team environment?
That would be a transition into technical work - that requires a much deeper understanding of the tech stack than you would need for GRC. GRC is just as well paid (often moreso) and honestly, going into the SOC from a GRC is more than likely at least 2 steps backwards
Interesting. What roles should I expect to work up towards if I happen to break into GRC?
Compliance Analyst is a good one, and can cover a huge variety of controls.
A large part of that job is checklist management, ensuring that the organization has appropriate controls for framework requirements and that evidence is gathered and stored for ongoing and future audits
Anyone here that has taken the network+ can give me an idea of what’s it like?
Or what they ask you?
Oh thank you I didn’t see this
Gave +1 Rep to @rugged delta
I will check him out
The certs sound great, although I don’t think I would meet the work experience required atm, but I’ll definitely keep in mind for the future
Hi,
Anyone with resources on OSINT or any Career roadmap on Cybersecurity (Grey team)?
grey team? what is grey team?
Oh. It's Pentester.
In terms of OSINT, someone recently mentioned this course being really good https://inteltechniques.com/training.html
I think you are mixing terms, generally pentesting is considered red teamish although red team is a specific term
I'd look at the junior penetration testing path and then the red teaming path https://tryhackme.com/paths
Guess so, but I saw a documentary recently that classify those in the pen-testing team as grey. 🤒
no, they must not know pentesting
so there is the idea of a black hat hacker, someone who hacks for various reasons but does so illegally, then there is white hat hacker, someone who hacks legally and professionally such as a pentester... then there is grey hat hacking, someone who skirts the edge of legality
Hi guys. I'm looking for a team in workspace on the tryhackme. I want to improve my knowledge in the team, and maybe even create my own project. Who does not mind write to me in private messages!!
Aka the NSA
no
I mean the stuff I did there on some teams was pretty cooked lol
Was referring to the part about Grey hat hackers.
so am I
None of them are black hat.
so things you do on behalf of a government should still be in line with the legality of that country, that isn't grey hat hacking
It is because it's from the other perspective
and various government entities would be allowed to do some things that citizens of that country would not be able to do
when we talk about grey hat hackers, we are talking about individuals
Yes and they still are
if you are doing something on behalf of a country, that isn't being grey hat
if you are off doing something on your own without authorization, outside of scope, etc, that would be regardless of employer
Sure it's legal to do it in the country but it isn't per se legal to execute in the target country
yeah but still thats not being grey hat
https://www.linkedin.com/in/telma-tavares-30897225b/ Let's connect ❤️
Grey hat is illegal hacking with a "moral" justification -- also referred to as "hacktivism".
It's no less illegal than black hat activities. The "hat" a state-actor wears depends on your perspective. In their home country where it's legal they are undoubtedly considered to be white hat. Their targets undoubtedly consider them to be black hat.
When it comes down to it these are very loose terms to quantify human behaviour -- they don't matter. The actions are what matter.
maybe shadow has a job as a candy taste tester in their future
which would fulfill the human behaviour of wanting to eat sweet tasting things
Referencing you in my report, hold up
I can't wait to see the grade you get including an informal discord screenshot as a citation reference
I'm just going to insert the message link in the middle of the sentence
well that is going to be fun
According to #cyber-and-careers message (Muiri, 2022)
You outright know my real name lmfao
Yeah but if I'm going to be unprofessional, might as well go the full length
BRB, will put that in a blog post for ya
Does this job sound like it could be used as IT experience? Pharmacist: Supply Chain and IT
[redacted] is recruiting for a Pharmacist to assist the Supply Chain and Pharmacy IT needs with data base management, information technology and automation. In this position, you will also help to optimize medication purchasing, inventory, supply, distribution, and control processes.
Principal Duties and Responsibilities:
Support the creation, management, maintenance, and troubleshooting of all formularies and databases
Support data extracts including requests regarding medication usage, location of inventory, monthly cost transfers and systems activity
Primary pharmacist involved with checking medication output distributed from, the Pharmacy Consolidated Service Center (PSCS) including PillPick®, Boxpicker® and other automated devices as well as technician prepared kits and/or packaged medications
Serve as the resource for requests related to pharmacy system changes to find opportunities for optimization, including participation in drug shortages, formulary maintenance task force and pharmacy event review team
Coordinate the assembly and configuration of the new automated dispensing cabinets (ADC) upon arrival as needed
Assist in configuring and optimizing new ADC hardware including which drugs should be stocked, how the drawers should be arranged, setting up max and pars and assigning medications as needed
Assist with the testing automation changes to hospital applications that affect pharmacy
Perform drug stability evaluations or reviews as needed
Assist in creating satellite and office practice inventory ordering procedures and templates
Assist in monitoring, adjusting and follow up of refrigeration equipment and events
Ensure all hazardous medications are being handled correctly in accordance with policies and procedures as it pertains to the PCSC and Pharmacy Supply Chain
Collect and document system problems identified by staff and refers to Supply Chain Leadership for direction and resolution
Communicate, plan, and implement utilization strategies to prevent excessive stock and reduce expiring medications and coordinate with formulary maintenance task force as appropriate
Participate in tasks relating to drug shortage mitigation
Help to determine appropriate outsource supply options to ensure the availability of needed medications, to reduce cost and/or to improve medication safety
Serve as a resource for supply inquiries involving drug utilization, availability, or alternatives
Coordinate pharmacy waste program in collaboration with Public Safety, Nursing, and Occupational Safety
Serve as a backup pharmacist for controlled substances ordering
(Sorry for the huge wall of text)
@odd sparrow you've missed a redaction of the company name btw
I thought hacktivism was still blackhat because it is illegal entry. Grey would be using an emulator for a sega Genesis game, but you own the game. Technically legal, but right on the line.
It says it wants a pharmacist, which I think means it would require cert/degree.
I think you can use almost anything as IT experience. People post some wild stretches, like IT support if they do any job but have ever fixed an issue themselves that other teammates would make an IT ticket for.
I think you would have to stretch if you wanted to call that an IT job, but that it wouldn't be hard. I see data entry, possible database, but a lot of logistics. Kinda looks like a misc bucket of tasks and likely a place that wants a lot more than they are willing to pay for, but I could be wrong. Can you share the pay range and the requirements/softwares mentioned?
Naw, and pretty sure that's a ToS breach (i.e. theoretically prosecutable) as well.
Sorry, forgot to mention I’m a pharmacist pivoting to IT/cyber. lol
I’ve been looking into GRC and entry level help desk lately and this job popped up at my older job so was just curious
The job uses swiss log and the supervisor told me the job would be in charge of more buying and inventory of medications and supply in the hospital’s logistics center. Realistically not as technical as help desk, but on paper could it be perceived otherwise?
My wife actually works at the hospital and she said I might be miserable at the job, so I may pass anyways.
reading about it, I wouldn't say it is technical at all... I dunno sounds just like what you said, in charge of buying/inventory
Anything could be stretched to look IT. But I was thinking just on the desc, that it was 3 or more jobs dumped in one. Those usually pay poorly and have unreal expectations.
For those who’ve taken the PNPT, how long did you study/practice before taking it?
What's the best certi to do for Active Directory after you pass OSCP?
I'm not the best to answer but maybe CRTO, CRTP or OSEP
CRTO is a good bet immediately after OSCP.
That was my path:
OSCP -> CRTO -> OSEP. Gives you a nice smooth development path.
Can I send you a PM?
For what purpose?
A question about career and certificates
Aye go for it
Thank you! It seems we need to be friends first
Gave +1 Rep to @undone shore
My DMs are on for this server -- that will be at your end 🙂
Working now
Would it be a good move to niche out in this field and focus exclusively on Cloud Security?
Cloud security is in huge demand. As well as the major cloud orgs' security certs, learning other cloud skills is very important
I don't think cloud security is niche anymore... I've been doing cloud security for 6ish years although we still do struggle to find all the people we need... most of our security people in general are expected to know some cloud
in saying that, I think its a great move to learn it
As someone in the field, how do you recommend for me to get started? I’m currently working on the CTI side but would like to transition
I would pick a cloud and learn it.. I started with AWS which is still a solid start and look out for various job listings and see what they are asking for.
Also, how are you liking it so far?
Got it, thanks!
Gave +1 Rep to @pseudo creek
we have all sorts of need for cloud security people from those that are building automation, to those that are designing cloud solutions, to those that are doing pentesting on cloud, etc, etc
I love doing cloud stuff, it is so easy to prototype and try things out and better than working with outdated systems
There's a lot of good resources these days for learning cloud skills. The major clouds have some good resources available. There's other platforms that are reasonably priced. I used A Cloud Guru but there are others. All the major cloud platforms give you access to a free tier of their service so you can learn and play around with their tools as well. There's lots of books but the cloud cert tracks tend to move a little faster than the books. There's also tonnes of documentation online for a lot of the theory you'll need.
Helps to have knowledge of networking and operating systems when going in but you can learn these as you go as well.
I’ll get started checking those resources out, thanks!
Cool, and ask any questions that might pop up
What do you think about the CRTP and CRTE? I am keeping CRTO in mind however. I still feel like I suck at Active Directory.
Also btw. I love the rooms you make/co-create @undone shore. Thanks for all your work
Gave +1 Rep to @undone shore
I haven't done either of them so I can't really comment I'm afraid
Ah. Thank you anyway. Have you tried your hand at OSED btw?
Muiri is doing it now cuz he crazy
Hey guys, just have a small doubt is professional certification mandatory for an entry level cybersecurity job
??
Professional certifications are used to quantify knowledge learned in a degree or on the job. In order to get into cybersecurity, you're likely going to need a degree, some professional experience, or a mix of both. Cybersecurity itself isn't exactly an entry level field within the computer industry.
Can you recommend some professional certification for a 3rd year btech student.... Like i have no experience I'm still learning so
Can you please tell me how to prepare for the certification too @stoic cave
@stable oasis If you are looking for an entry-level cybersecurity certificate, I would recommend CompTIA Security+ as a good starting point. It may not be the most highly sought-after cert, but it's comparatively cheap, covers a lot of material and the process of getting it is a valuable learning experience.
There are lots of ways to study for it, I’d recommend buying a Udemy course that goes through it, take practice tests, and book an exam date early so you have something to work towards.
Thanks a lot
Gave +1 Rep to @keen compass
👍👍
Although based on your terminology, I'd guess you are in India? I'd double check with professionals in your area and/or job listings to see if Security+ is an accepted cert. in India, CEH seems to still be very popular as a cert for cyber jobs
I still recommend Security+ as a good thing to do even if it isn’t recognised where you live. It's cheap enough that the knowledge you can gain from it is worth the cost IMO, even if it doesn’t land you a job.
If you are a student, you can also get a discount on CompTIA certs. I imagine you can with other providers too but I wouldn’t know first hand.
Yeah I'm from India .... Yeah comptia is accepted here
So ceh is hard right ... So where can I get some good training for that
It's nearly a months income for India, but lots of providers have special discounts for India since their income is so low. Comptia may be one
What is the best way to get your first IT job.
Everything on Indeed in my area wants years experience.
hiii teammm
Apply anyways. Wants are always hopefuls for the HR team to post. Also A+ cert will get you in a lot of doors, even if the cert is extremely overrated.
What are some entry level positions in IT?
I mean like jobs can you use to gain experience or pivot to cyber security without a degree?
Anyone have any experience working or hearing about Allied Universal soc analyst roles? Feel free to DM me if you can’t discuss publicly
Most people start working in tech support or QA or similar but you should apply to jobs you're interested in or feel capable of doing. If a company believes you'd benefit them they might give you an interview
Thank you for the advice. I have an eJPT and just scheduled my first A+ exam. Hoping that's enough to get an interview. Certs look nice but don't compare with experience.
Gave +1 Rep to @rapid ice
I completely agree. A+ and Security+ do provide some knowledge but really they are just to get past HR. That can be said about diplomas too though.
A+ and security + show up the most on jobs in my area. Rest of comptia certs very rare to see.
What if I did a complete FullStackDev training (Zero2Mastery) and then applied to Cyber jobs... is that a thing? And land a job? I see a lot of CS grads landing jobs in Cyber because of the coding experience they have through the degree ... why not just go through a code camp and apply to cyber jobs? 
Comp Sci isn't coding experience, it is laying a foundation of what computing is, often with coding behind it... having said developers can often move into application security easily enough
no one is going to see a coding bootcamp equivalent to a comp sci degree though
Copy that - just a gnarly thought I could be on to something there 
Maybe off topic but I'm making a personal website. Is it better, as a cyber security professional to use a specific platform? I.e. Squarespace, wordpress etc.
Would a hiring manager or recruiter deduct marks if you were using a wysiwyg platform like squarespace?
Hello
Hello guys can you tell me which certification in comptia is good and has value for students who are yet to get jobs
Could you please pass me the link 🙂
:hammer: CryptoH4ck3r#8692 has been banned.
Please don't ask for pirated books
The most basic will be Security+ and the Network+, in case if you wanna start with something easy and then you can go further advanced.
Did you do any of those certifications, if so can you share how you prepared for them
I am currently pursuing the Security+, and in that you can start learning from Mike Chapple from LinkedIn Learning and Professor Messer is also a good one.
thank you
Gave +1 Rep to @last monolith
professor messer on youtube is very popular
Hi, anyone know what CREST is?
Im looking at jobs and I need a CREST Certificate?!
Have you done a search using your favorite search engine?
no sir/mam
Yes.
Googling "crest certification" is all you need here - it spells them out exactly
CREST is an organisation that performs security certification in various areas; pentesting, threat intelligence and incident response. They're recognised globally by various organisations. You should check out their website and yt channel and the various other yt channels that discuss them. There are a lot of training and certification options available in the industry but it is usually a good idea to pursue qualifications that are highly recognised in your region
Hello everyone, Im currently taking classes for my bachelors in digital/computer forensics. Does anyone have any recommendations on what courses to take? Or what else i can add to resume for internships would look my way?
Anyone here taken ISC2's CC and Sec+? How do the exams compare to each other?
Any specific area of Cyber you're looking to get into? Putting in your work on THM/HTB would be a good way of showcasing your dedication to self-learning outside of traditional education. HR will typically screen resumes for specific certifications/experience and that would depend on what area of Cyber. Security+ is a very broad security certification that's often required (Even the US government require it to work on some projects I believe).
Is network+ worth getting? just got my security+ and wondering if I should aim for something higher security related (sscp?) or do my network+ first.
depends on your goals, experience and where you are located... I personally wouldn't recommend SSCP, I'd recommend something like an AWS or Azure cert over that or even something like Network+ but again depends
CC is just a very basic entry level intro to cybersec knowledge. It's free to take the course and exam because they want to push you towards the SSCP, CCSP and CISSP eventually. As @pseudo creek says, Net+, Sec+, and some cloud certs from AWS or Azure or GCP can go a long way. Depends on where you see yourself
Well my bachelors degree that I will get this year is Computer Forensics & Digital Investigations. What is THM/HTB?
TryHackMe/HackTheBox - Essentially you'll want stuff on your resume in addition to your education that shows your willingness for self learning. I would imagine that's especially important if it's an Internship. Maybe focus on some general Cyber certifications like Sec+, then look into some specific Blue Team oriented certs since most Computer Forensics teams will operate under SOC/CSIRT. Along with your degree you should be able to walk into a job with all of that.
Do some research of Internship/positions that you'd like to hold in the future. The majority of the time they will tell you what certifications, skills and experience is most desirable to them. Some of it may be difficult to get without the job itself, but the beauty of the cyber security industry (and the majority of IT in general) is that almost everything is available to learn on the internet, and a lot of it for free.
hi everyone I wanna make the switch to cyber security and the field I like the most is pentesting and malware what are some of the best advice tips you can give
Thank you for all that information. It really does help! Just been lost, I've applied to internships but they always turn me down because of no experience. So I was looking to put more experience on my resume so companies would be willing to give me a shot.
Gave +1 Rep to @ashen cairn
If an internship is requiring industry experience, I would say they are doing it wrong. Also, none of the things mentioned would be considered professional experience. Professional experience is gained through working in a professional environment/or jobs requiring a W2 or 1099 (or foreign equivalent). As an intern, I wouldn't expect you to have any certs either. I saw earlier that you mentioned you were receiving your degree this year. That would put you in your senior year, which is too late for the majority of internships as they are meant for current students (there are always exceptions and doesn't necessarily apply if you're going to postgraduate).
With that being said, and if my assumption of you being in your senior year is true, I would look for full-time employment. Open up your search to IT/Helpdesk positions or really any computer industry position in order to get a job. That will allow you to start building your professional resume and gain that professional experience. Once you have some experience, look at jumping into the field you want to be in.
Yup I should be graduating half way through this year. That's the crazy part, I have been looking for internships since the beginning of last year and they say I'm not a great fit. I applied to internships because I have no real world experience but I get turned down because I have no real work experience. I will take a look at IT/Helpdesk positions, would you still recommend taking courses in TryHackMe/HackTheBox to build up more experience?
THM and HTB are extracurriculars to show you're self learning. They are not experience.
So i should be looking at it/helpdesk jobs to start adding it as experience? Do you recommend any other kind of work that would fit for a beginner? Only experience I have under my belt is construction so there's no correlation with my major.
Guys, got an Associate of Science Degree in IT, and now pursuing a bachelor’s degree in IT, and also plan to go for a master’s degree in CyberSecurity, are there any ways to get straight into Cybersecurity jobs?
What country are you in? Best way to get into cybersecurity is generally to get certs as well as build up an online portfolio
US
By building up an online portfolio in cybersecurity, what do you mean by that?
And what could you say about getting started with internships at university?
Thanks. I'll still want to take because of the novelty of the thing. I still have plans to do security + in a few months anyway.
Is network+ and security+ and 1-2 years support engineer (helpdesk) experience enough to get a junior / entry SOC analyst position?
possibly, maybe, yes? sounds like a solid foundation to me
Hey what if I don't go for job right now and select to do my masters in cybersec would it be helpful to land me a good job in this field?
Like I wanted to study abroad for masters in cybersecurity as in my country I'm not seeing that much opportunities/good packages for this field
Some universities have internships as part of their cybersecurity programmes and other courses. You're generally expected to be doing one of these when you apply to a company's internship programme. The US has by far the largest cybersecurity industry. There are a lot of opportunities for certification and learning. Looking on job sites like Indeed and LinkedIn will show you the certs in demand in your area. Lots of people here will give advice on what certs they have or are popular or usually considered a good thing to have for an application. Maybe check out the Tribe of Hackers books, they give good advice on how to start a career in various areas of cybersecurity.
I would not do a masters if you don't have professional experience. It prices you out of entry level positions.
@rugged delta Thank you for replying, bud. Also, I also struggle with the question, what if I get my certification (Sec+, Network+, etc.) now, and get a job later, will those certs still work for me and my employer? For example, they might say that I passed the exam 1 year or so.
Gave +1 Rep to @rugged delta
Or they are just curious about the knowledge that you took from those certifications?
Gaining the certification is what matters but they will ask you to demonstrate that you didn't just cram for an exam and actually know what you're talking about. CompTIA certs are aimed at people starting the IT profession and it's generally expected that you still have some way to go to be considered an expert in your field. HR will recognise your cert but as part of any interview process there's going to be a technical test, especially at entry level or if you don't have the professional experience to perform those tasks yet
I'll tack on to that, that having too many certs without relevant experience isn't a good look from technical managers or recruiters. Having a huge letter salad of certs only brings value if the candidate can relate it to work experience and what they want to accomplish in a given role
Absolutely great point, and an applicant should tailor their resume/cv to the role/org they're applying to where relevant
hey guys so I'm already a month into learning with tryhackme, I did: intro to networking, intro to cyber security, pre security, bash scripting, and I'm halfway on Jr pentesting. a friend who has been working in the industry for a long time told me I should split my study method to half learning with tryhackme and the other half to already start doing CTFs, so I wanted to ask what you guys think about it and also if anyone has a good resource for beginner CTFs?
ty in advance 🙂
picoCTF is a good beginner CTF resource
hey just a small question... how can i get an unpaid internship either remote or in my location?
related to cyber sec of course
This would vary by country, I know in the US, unpaid internships aren't a thing
India... I don't even know where to look
Yeah I have no insight to India, do you know any cyber professionals there? Are there Indian LinkedIn groups you could ask?
prolly imma look
I'd take that with a huge grain of salt. Generally if you have the funds, certs are going to get you much farther than doing things like bug bounties which aren't looked at as experience on a resume. Some people spend time doing bug bounties when their time could be better spent. Now this does vary by country because poorer countries, sometimes bug bounty hunting does make sense.
(Also I had to verify who the interviewee was, and confirmed it is someone who was not a hacker for the nsa but may have been involved in some work there for a very brief period and overstates their qualifications)
Well for professional experience I'm doing internship at a company as a security researcher
Still not enough to consider a masters
So like is it okay to join as a software developer for 2-3 years and then go for cybersec? Cause that's only field I can get from on campus placements
Masters typically make sense around 6ish years into your career and only if you're receiving an education stipend
Ohk...
I have crowdstrike interview tmr. I wonder if anybody here has experience with them?
Couldnt find interview information anywhere after hour of searching
I interviewed with them for an internship. It was a pretty standard interview format, but make sure you know whatever you applied to back to front
How many rounds?
Internship might be different, but it was a phone screen and then a technical interview
i'm applying Security Research full time. Yeah it can be different
when you say technical interview
Is it practical or verbal ?
Do they give you a problem to solve on your PC or is it just technical knowledge?
Usually both a verbal and practical part. you have to be able to comfortably talk about numerous topics you have experience in and also answer technical questions verbally, in writing and perhaps in a practical demonstration
Hello everyone, I am a high school student working on a project and I am looking to interview someone in the cybersecurity field, such as a security engineer or penetration tester. If you or someone you know would be willing to participate in an interview, I would greatly appreciate it. Thank you.
Sorry, we don't help with schoolwork here
It isn't just for school work, It's something I was planning to do for my self as well.
as well?
But okay I understand thank you
Gave +1 Rep to @cobalt escarp
is it like a QA interview?
Yes
Random question, I am studying for my CEH cert. Someone near me has a Matt Walker practice test book and study guide. Would they still be relevant to the new test?
It’s good but
Try to read multiple resources… this will help u much more to pass the exam
Thanks! Yea I have several, just wanted to make sure it was going to be relevant.
Gave +1 Rep to @swift mist
Hey I have a question, how hard is Security+ and is it worth and how far can you get with it
Hi there 
Exam is all multiple choice and pretty much a slightly harder Sec+. Go through a few study guides and some material im sure youll pass
You can get some practice tests from Dion on Udemy or Professor Messer
Don't do CompTIA certifications
Ine is better
Anyone wanna help me in CTF?
Have found the target but having trouble in getting the foothold
Youre in the wrong channel, but we dont help with CTFs generally. If you need help for a thm room, please move over to #room-help
Can I deliver a message for the tryhackme owner, it's urgent
Uh..
@cobalt escarp ?
(Not the owner, but probably the best person for you to converse with)
Send me a DM please
Thanks Scrubz
Thanks
Gave +1 Rep to @broken idol
not what we were talkin ab.
Nah
i was saying in general
Precisely
No really, there are issues
Yeah, Comptia has its issues, however, I don't think ive seen corpo or fed asking for INE in my area
yikes
INE as a company has gone down the drain along with their reputation, I'd avoid at all costs
Comptia is well respected in the US and various other countries
Yeah currently I suppose the best cert vendors currently include:
CompTIA (particularly for new entrants to topics),
SANS (for people who have employers or other revenue to pay small fortunes),
OffSec (cos their whole Try Harder mentality is a big selling point and the knowledge gained is on point),
ISC2 (cos according to hr, all beginners need a CISSP and a million years experience to have a job, or else get Sec+)
And CEH if you're in India... There are alternatives in other countries
Then there's a bunch of other cert providers popping up and gaining some level of relevance in niche spaces with good reputations:
TCM's PNPT, Zero-Point's CRTO certs, Security Blue's BTL certs and others... There's several options these days
Cisco for networking (CCNA, etc.), AWS for Cloud, ISACA for management (CISM). SANS related certifications would be from GIAC. 🙂
Azure for cloud is good too and a lot of good free resources on learn.microsoft.com
Hello all, any recommendations for ICS Pentesting besides SANS?
Perhaps take a look at OPSWAT Academy... https://opswatacademy.com/
Why you asking in multiple places? SecOps is a vendor?
I meant to ask it here
Certified Appsec Practitioner (CAP): Certified Appsec Practitioner (CAP) is an intermediate-level exam to test attendees’ knowledge on the core concepts of application security. £250 £100. Who should take this exam? CAP is intended to be taken by application security engineers, application developers, SOC analysts, penetration testers, red...
Never seen these certs mentioned before
well there are a few things, random companies do make up their own certifications and it is also in the UK, but yeah that is one I've never heard from our UK folks either
I’ve not heard of that in the UK, common ones over here are GIAC, EC Council, OSCP
Mostly CHECK approved ones
CSTM, CREST
What could you say about the Security Blue Team cert? BTL-1, BTL-2
And I think they plan to start BTL-3
Some people here have done some of them. Plenty of chats mention it. You can find them clicking search
Love the btl1 cert, it taught me a lot actually
Hi everyone i wanted to ask a question for you people.If somebody like me who wants to be a penetration tester (in future possibly red teamer) what would be the first job that i should get in order to achieve my goals.
Hey guys! I started my first job in October as a Detection and Response Solution Engineer (ik HR went a bit crazy with that title) out of Uni (BSc CompSci & MSc CyberSec). My manager wants me to become an expert in EDR and told me to take one of the SANS certifications, with regards to EDR, but also what I want to do later on in my career. My current work is doing field work for the ppl that write the detection rules: looking at what data is available, providing some use cases and PoC. It's not an operational role and I feel like I'm missing out on "getting your hands dirty". That's why I would want to do a course that involves this aspect.
I'm currently looking at:
- FOR500 (Windows Forensics)
- SEC560 (Enterprise Penetration Testing)
Any other recommendations for EDR or thoughts?
Thanks!
I have.... a very long response for you. Lol. It's Sunday, I've had my coffee, and figured why not take some time to share what I've learned in my previous research and also life experience regarding your question.... hang tight. i've got an essay coming your way
Begin giant response:
I'm a software engineer, but have studied how to become a red teamer.
As far as your first job that you should get, it depends on your experience.
If you have no IT experience, then helpdesk is the traditional rite of passage. It totally sucks, and you'll be helping customers with basic computer issues, but it will introduce you into the first level of knowledge and pain associated with IT, haha.
If you need to get your foot in the door, CompTIA A+ certification will help. Once you've gotten a helpdesk job, I highly recommend studying for CompTIA Network+. It will cover baseline knowledge you will require throughout your career as IT and then pentester / red teamer. The cert isn't very marketable if you're already in helpdesk from what I understand, but get it if you want.
One thing to point out - it doesn't look good if you've been at helpdesk for more than 2 years. Most people try to get 1-2 years experience with helpdesk maximum while they build their skills and then move into a sysadmin position.
After helpdesk, the next best role is sysadmin. This will get you familiar with maintaining servers and also possibly networks. I highly recommend learning as much as you can about Active Directory, as this is critical for most corporate networks. Linux is also important for web and other types of servers, so spin up a virtual machine at home if work doesn't provide access to Linux servers. While you're working as a sysadmin, I highly recommend studying for and obtaining your CompTIA Security+ certification. This will give you baseline security knowledge and also allow you to work government jobs that require DoD Approved 8570 baseline certifications.
After you've had your fill of sysadmin, I recommend getting a job as a SOC analyst. This will expose you to probably more than what you would have seen as a sysadmin, in terms of security alerts. From what I understand, you will basically triage, process, and escalate security alerts all day that come in from a variety of sources, and learn about all sorts of real-world attacks. While you're doing this, I recommend studying for and obtaining your CompTIA CySA+.
Note: You might be able to go directly from helpdesk to SOC analyst, or even no experience to SOC analyst if you know what you're doing and can market yourself.
You can then work your way up the SOC chain (tier 1, 2, 3) while learning and practicing pentesting. CompTIA Pentest+ is basically the same material as CySA+, from what I understand, so I figure it's worth tacking onto your resume once obtained. Once you have a good reputation as a SOC analyst and have proven yourself in the blue team, I think it makes you way more marketable as a penetration tester. You can then start applying for jobs. Seeing that you have SOC experience with side projects at home on TryHackMe or HTB, alongside a variety of relevant vendor-neutral security-related certifications will demonstrate that you're capable of being a penetration tester.
At this point, you've gotten a penetration testing gig, and are learning how things actually work at that level. You'll probably gain a ton of experience and hopefully pick up your OSCP cert along the way. After years of penetration testing, and you've become an expert with senior-level knowledge, I think that is when you can become a red teamer. When you're not just smashing tools against a server, creating tons of noise, but actually crafting specific, quiet, custom payloads with misleading meta data, on the bleeding edge to carry out a campaign over months against high-value clients.
Hope this helps! 🙂 (I wanted to become a red teamer, but now am more interested in appsec and reverse engineering malware. But, I have the blueprint for you!)
Note: That advice is US specific, it will vary country-to-country
I would just like to commend you for your thorough and detailed response. 😉
I just wanted to let you know that I think you gave a very solid response. I was also wondering if you or someone else could provide some more information about career paths in the field of cybersecurity in India. I am currently a junior software engineer and am interested in transitioning to a role as a security engineer. Do you have any recommendations or advice for how to pursue these types of careers in India?
Damn man you really helped me a lot, I can't even tell you how much you helped me because I was so confused about all types of jobs that cyber security offers and what to look for but you really explained that to me very well so thank you very much for that!
Gave +1 Rep to @distant island
I’m a senior at university, I’m getting my B.S. in CS, I hear that the pay isn’t very good in cyber security. Is that a myth? I’m in the US.
Cybersecurity pay in the US is quite good, depending on your position and experience, the organisation you're with and the skills you bring to the table. You can check out salaries on places like Glassdoor. One of the most important things to learn in any computing role is how to use a search engine.
cyber security pay is really good, but where you may see discrepancies is really good software engineers can earn quite a bit more than a really good cyber security professional...
I am doing B.Sc in CS
Henlo people! Does degree in psychology bring any value in this field?
It could be used with social engineering attacks, manipulating human behaviors and kinds of stuff. But technical knowledge is a must in this field. That is computer science and Information technology.
You're welcome! Glad I could help! 🙂
Thanks, I appreciate that! It definitely took some time! 😉
Gave +1 Rep to @old furnace
Thanks for the compliment! Unfortunately, I'm not familiar with cybersecurity pathways in India. Maybe someone else can help though.
Hey. Shot in the dark but is anyone available for a few quick questions and has been working in industry for 3 or more years? Its for a scholarship & no I don't need any information about you.
asked azure!
hi
I'm in the US, based on the fact that you posted this at 2am my time, you might not be but I could potentially? I'm not a pentester but work in cyber
im watching tcm on yt
good so far
Hello everyone, any information would be much appreciated. I am planning to interview for an entry-level incident response position, the position is a federal position. My question is, what was your experience with an entry level incident response interview? Were you stumped by any particular technical questions? I feel like it should be pretty basic general cyber-related principles, incident response cycle for an incident, etc. Was just curious if there was anything that anyone in here thinks I should look at or work on before the interview. Thanks in advance.
I'm not actually officially part of TCM, I am on their discord, I am mostly just trying to be funny
I would focus on what is on the job listing. They will most likely ask you basic cyber questions, ask you about past experience (team work and such), any internships, etc. you might also want to look at DFIRDiva, she might have some info there
Awesome, thank you. This will be the second interview so I assume this one will be a little more geared towards the technical questions, but who knows. I'm assuming they will ask about some SIEM tool experience and the general ones that you pointed out. I really would be more worried if they were to ask forensics questions as I don't have a lot of experience in that realm. This site seems to have some good info though so this should help. Thank you again for your response.
Gave +1 Rep to @pseudo creek
Hello, I am conflicted on whether going cyber through the military or going the college route. Looking for opinions
are you in the US?
@pseudo creek hi! are you still available for those questions?
sure
I figured I'd get this question out pre-age but are there any recommendations on whether to focus on blue teaming or red teaming for careers in the future
That's up to you. What do you enjoy, where do you think you can bring value.
Both parts are essential, in my view, to a supportable and informed security posture.
I wouldn't worry about it too much, do some studying, figure out what you like then focus a bit on that
nothing you do will be set in stone
I enjoy both but would prefer to stick loyal to one company rather than doing contracting, does this restrict me to either of the sides?
So this is just my opinion, take it for whatever you think its worth: Being loyal to a company is bad. The company is not loyal to you. You can feel obligated and loyal to people that do right by you and have earned it, but don't feel loyal to a company because the company does not feel any obligation to protect you or to return that loyalty.
yes in the us of a
Ah oki well ty for all the help i much appreciate it
Gave +1 Rep to @flat sedge
and you too thanks for the help!
I appreciate it both of you :)
azure is big cool
so first thing that you know is all recruiters lie... they can tell you that you'll totally get a cyber track within the military and then you don't. So you are locked into a few years of the military not doing what you want or possibly what even helps you afterwards.
well also you will be paid vastly less in the military than you can be paid on the outside, you might want to join VetSec, usually the question you asked is asked by people who are thinking of joining
https://veteransec.org/ they also have a discord, I'd look on disboard for it
I do want to work for the government doing hacking, but if I went NSA they would pay far less than military
Thank you
Gave +1 Rep to @pseudo creek
you might know that NSA has gov contractors, direct hires as well as military assignments
I know someone who was in the Air Force (and actually in the Air Force...) and worked at the NSA on assignment
but the NSA cap is less than private industry and I think even contractors working at the NSA have to keep to that cap
I kinda wanna do cyber usa
I swear they dont have to move round like cybersecurity military here
I dunno, the person I know who was at the NSA was rotated out after a while
but I know someone in the reserves working in cyber and their job seems to be site located
All the website i read on the uk said they will stick me in some random base
that is the same for US military
ah i thought it was like just
chill out at your local base
(reason to choose Marines/Navy/Coast guard as you will be at a coastal location... ) (don't shoot me other branch people)
no, you get moved around
I might still try it but i need to do the fitness along with it🥹
once you get there, won't be too hard I don't think
Uk navy is deadly my brother send me videos of him doing it💀
getting fit / passing a fitness test seems daunting but lots of people have done it
fair enough
I just need to get myself prepped and i might give it a shot
its been alot of help speaking to someone in that position tho
ty :)
Hey everyone! I was wondering if anyone here has recently taken and completed the Certified Appsec Practitioner (CAP) exam from SecOps? If so, I would love to hear about your experience and whether you think it was worth it! Thank you in advance for your insight.
is there a good certification to get to make it easier to get an entry job or internship? I'm looking to try to find one soon
Are you currently in a college/university?
I graduated on CC last year, have been working as a developer for some time and now want to go to infosec, I am trying to enter on a post graduation degree on it but I'm not enrolled yet
probably will be later this year
So, it's not typically recommended to go for a post grad while also trying to get an entry level job. Doing so will price you out of entry level salaries.
Should also be known, that typically in order to get an internship, you need to be enrolled in an undergraduate or postgraduate program.
Am I right in assuming that when you say you've been working as a developer, you're doing it for a company?
yes
local company
because it will be just later this year that I may enter on a post grad, I was looking at some certifications to boost my resume a little bit
if I enter in it, I would apply for internship
I don't know that it will be advantageous to enter a post grad just for an internship
so what would you recommend?
Postgrad is typically designed for those who have some level of industry experience and need it to advance past mid level positions
In previous posts, others have recommended looking for security roles that incorporate what you've been doing as a developer. I cannot speak to this personally though, as I went into security straight out of undergrad.
As far as certifications, Security+ is the fundamental cybersecurity cert in much of the world. India does its own thing, afaik
well this already helps, thanks brother
hi guys. I checked a few messages here in order to figure out where I can move from SDET position. And since I have some IT background - the best option, as i understood will be SOC. Is that true? Another question - I have tried to find wages for this position and I am not sure if those numbers are realistic. Can you please share from your experience - which salary I can expect as Jr for SOC position (I have 6 years as SDET)?
You are gonna have to provide specifics like what is SDET and what country you work in
oh, sorry. SDET - software developer in test. I am working remotely, so basically going to work in Europe
ahh you'd probably still have to say where in Europe you have the right to work, I don't know about European wages
actually, any country is suitable, as I am going to move to USA. So I believe I am most interested in USA
Wages in Europe are highly dependent not only on the country of where the position is offered, but also on the city. A place with higher cost of living in general will have a higher pay
So if you are wondering if X EUR is realistic, it depends
The US is probably similar. Zojj should know
well the US is tricky as a lot of cyber positions are US citizens only and a company that would take you on with a green card may pay you less, sadly. Pay varies greatly but for a US citizen for a junior pentester, I'd say 70k to 110k...
You got this brother
Thank you for your reply. So it looks like security is not as highly paid as people used to think. I have that money now, and after switching positions, it will be downgraded.
Gave +1 Rep to @pseudo creek
thank you a lot for an answer
You'd be entering a new field in an entry position after investing multiple years in other career path
Highly likely it would be a pay cut
and generally, software development is a highly paid field
Good luck with the move, though!
Hello how can i become a pro hacker
Anyone have a good quiz to see where you best fit into Cyber/determine a Cyber path?
Not sure "how good" the quiz is, but at least there is one 😄
https://tryhackme.com/room/careersincyber
.
Hello, I'm going to have my first interview for a cybersec intern at a bank. What are the best ways to prepare for cyber interviews?
Congrats on getting that far. As it's an internship, the bank will most likely be interested in knowing how far you've progressed along your path to a career in cybersecurity and where you see it taking you. You'll need to understand at least some of the concepts that the bank is hiring for in the job description they had that you applied for, but the purpose of an internship is also to give you an opportunity to learn about a role or the organisation themselves.
If you're in a college/university course, be able to talk about the subjects you're learning, the ones you feel the most important to your path and where you might like to go with those skills. If you have projects completed, be able to talk about them and your experiences. You might be asked about specific technologies being used or roles the bank offers but in most instances you probably won't have to know much about the technologies in use in a SOC or what a specific product does as part of an Identity and Access framework or what skills you need as a cloud security engineer.
The main thing is to just be able to talk about technologies in general (mainly operating systems, networks, applications, security systems, programming/scripting), security skills and technologies (If you've read the Sec+ it would be a great help), skills and challenges you've encountered in THM, college projects, any other certifications, books on the subject... Show enthusiasm and professionalism and a willingness to learn
Thanks so much! I was worried about needing specific software knowledge but I'd consider my general knowledge (and also the concepts in Sec+) pretty solid, and also I do have a class project that I have experience for, so I'll try to discuss those as much as possible.