#cyber-and-careers

GRC is highly valued, I know I value them cuz I aint doing it

My meetings are typically status but always devolve into me trying to explain how things work or why Lockheed Martin is wrong

i really don't think you want this

(I joke about not doing GRC, kind of)

100% with zojja on the GRC thing 🙂

I did nothing but compliance for about a year, and it was infuriating

I've never done compliance but I have worked with compliance folks

I don't mind doing some GRC and compliance, but it needs to be at least 50/50 and not all my time. Tracking audit requirements and controls and evidences requires a certain type of personality, and it is not sustainable for me

Cloudddd

thats always my choice but I'm biased

actually is this like a degree choice?

sans?

oh yeah I'm not too impressed by their cloud stuff, I'd choose AWS or Azure over them

of that list, RT and ICS are the most compelling to me

I mean I did some DFIR early in my security career, my only pause was 1) it can be long hours or 2) it can involve stuff you can't unsee

so yeah ICS is niche and needed

RT is completely useless until an org hits a minimum maturity level

lots of security people are like 🤷 at ICS including me

DFIR is always needed, but you'll need eye bleach eventually

SOC will always be pretty stable, IMO. It's a good way to step into an org that has just realized how much security they don't have and aren't sure what they need

overall the thing is, no matter what you choose, that won't define the rest of your life... I mean I specialized in AI in college 🤣

IMO cloud is great for orgs without a ton of money, or for orgs that require lots of scaling up and down of resources on demand.
Cloud doesn't fit every use case, as stable resource usages can cause cloud spend to be significantly more than just paying hardware and employee cost

you could study X and then end up working in something else completely, its all good

also there is a LOT of training for RT stuff out there that isn't too cost prohibitive, can't say the same for ICS

the ICS stuff is basically embedded systems with extra security layered on - many of those devices are still very very immature in terms of network and data transmission

that's sort of true, from what i understand

I'll say a lot what we do for those type of systems is creative networking 🤣

A big part of it is that ICS systems are built to be as minimal as possible, and the security piece wasn't part of the bid

jump boxes everywhere!

Do I see people mentioning ICS?

As far as old, it really depends on who you work/sector

Part of it is also adoption rates. ICS systems typically have a 20-30 year operating life and Asset owners don't really want to change what they have unless they have to. If changes are needed, you have to bring in a Vendor/Integrator like GE, AB, etc

Newer devices definitely have more security, it's just up to the Asset owner to utilize them. DNP3 and OPC-AU, two protocols with more security features than the previous version, have been around a while, but utilization is still low

Right, but that's the timeline for the whole process. In some cases, components do get replaced

Eh

It's a requirement for Safety Engineers to take cyber into account now

But afaik major changes aren't happening like "rip out everything" . At least according to my ICS410 instructor

Yeah, similar thing at Defcon

SEA-TF

Community was really small and inviting when I went to an ICS summit in FL

I'll probably go back next year out of pocket

Not yet, the taste was worth it though

I have limited interaction with actual OT at my current employer. It's there, and we plan with/for/around it but I don't touch PLCs, sensors, etc, or deal with Purdue levels

Speaking of ICS, here are some resources https://github.com/hslatman/awesome-industrial-control-system-security

Hello! I have a question for anyone who may be able to help. I just graduated high school and am about to attend university. I am definitely interested in going for a cybersecurity degree and looking to get a career in that, but my university only offers a masters degree for cybersecurity. Thats great and all, but that means I have to decide what to get a bachelors degree in. Should I just do Computer Science BS or should I go down a different route? My advisor couldnt seem to give me a great answer so im just looking to see if anyone out there experienced a similar situation. My whole thing is, how do I get to the degree im looking for while not wasting my time taking classes that will not benefit my degree I am aiming for.

Computer Science is a great bachelors if you want to go into Cyber, personally, I wouldn't recommend a BS in Cyber security

I would be careful on certain BS Cyber Security schools/degrees. Some of them are huge steaming piles of poo and are just trying to have a nice cash grab to "get you into cyber security". IMO a computer science degree with networking and cyber security electives is a safer option. A lot of schools also have a cybersecurity cert for which some of the electives you'll have to take can be counted as part of the cert requirements as well. In short you can't really go wrong with Computer Sci. You're going to have to do self-learning anyway.

I will also add that you are young. You're wants might change as you go through classes or w/e. Cyber Security is a subset of computer science. So doing computer science will make you more versatile

should you decide to do something esle like software engineer or w/e

Source: I am a Computer Science student who has landed jobs in development and more recently cyber security

Thats actually great to know, so I will ve self taught for a lot of cybersecurity?

you will always be learning in both cyber security and computer science. So school should be for foundational knowledge. Students of both who don't do outside learning are not sucessful in the job market. The plus side is it will massively pay off

In the meantime you can go through the learning paths in tryhackme. They are really good and provide a lot of supplemental knowledge you wont find at your university

VIP is cheap and the student discount makes it cheaper

Remember is a marathon not a race 🙂

Right, thank you! Will tryhackme be something I can use for job applications?

Yes, you would place it as "extra curricular activities" much like hackathons or CTF. It shows employers that you are self-motivated and always learning. It most definately helped me land a security gig. Plus the knowledge from THM lets you be able to talk about stuff during the interview

also many schools will have a cyber security club/organization, join that

Yup what she said as well. Networking with others is a big help when finding jobs

you can also do projects. or hackathons etc with your security club. it helps a lot

Keep in mind there are a lot of people trying to get into cyber. 90% will do bare minimum or slightly more. 10% are the ones that continue to learn and do stuff. That group should be one you are in and is your competition. Whatever slight edge you have goes a long way

You guys are awesome! Literally better than my academic advisor lol. Thank you so much, I will definitely look into these. And yes like you said, I am very motivated just slightly unsure where to start

Start with THM

You got it!

do the pre-security learning path and then the intro to cyber learning path

dont try to rush through the modules

learn and think about the questions and material. All this stuff you can wrap into your knowledge and answers during an interview

I had to do a lot of searching and talking to people to figure out a good path. Heck i still ask more senior people for advice. But I think I can save you a lot of wasted time with the advice above. Good luck. You'll do great

Absolutely. I am very greatful for all of the resources I have. Thank you for your valuable time and help.

I would take a CS degree over a specific 'cybersecurity' degree. CS teaches a lot of DSA, discreet math, and helps improves your skills in general, which i think is very useful for geek/techie guys like us.

ps: sometimes you might enjoy development more than infrastructure.

Just wanted to take a moment and brag a bit. I bested CASP+

yo

whats your thoughts on having twitter to document your progression and shit

twitter is a steaming hot mess but whatever works for you. Better would be a blog

I dont really know how to share a blog and stuff

but i will learn about it

sounds a good idea since elon musk is making a remake on twitter

Any tips on that ?

Like maybe a site or something

You can use wordpress.com if you don't want to spend too much setting it up, but you can also try to build a blog from scratch yourself with for example nodeJS, or just post your writeups and stuff on medium or a similar platform. You can find great tutorials on youtube for any of these

And what are the well potential advantages of it ? I mean I’m already halfway ish through the junior pen testing course so I’ll have to go back ig . Also what do I blog about exactly . Like the rooms?

Hi all. How could I make the jump from an ICT to a SOC analyst in the UK? Most of the employers seem to require 1 year of experience

@drifting crest
Writeup on pretty much all rooms, be curious about the technology you are learning and do a deep dive and blog about that.

Take Firewalls for example,
How are they bypassed by a threat actor? How do firewalls actually work? How can a NGFW detect C2 connections? Etc

When you need inspiration you can also ask ChatGPT or equivalent for inspiration

Benefits: deepen your learning, practice your writing, remembering key facts you learn easier since you are technically "teaching others"

Also looks really good for your personal brand, for example if you want to find a job it will help you, because they would rather hire someone with let's say 100 blog posts than someone with none. gives you more credibility

Thanks a lot man

Gave +1 Rep to @vernal sleet

Thank you too dude

What?!!1! Firewalls can be bypassed by threat actors?? Do you have a link?

Nothing is 100%. It's why patching is important.

Hello Everyone, can anyone guide me from where to start in order to become a hacker

#start-here

Do i get asked technical questions when applying for a help desk job?

If only FWs was enough to protect the entire network, why don't we just put up firewalls and call it a day? Why do we need layered security? Why is it not game over for threat actors after we got NGFWs?

Totally depends on what kind of helpdesk, what role, and expectations/style of the hiring people. Ask your recruitment or hiring contact what you can expect from the hiring process

What is the best way to get into pen testing. seems to be difficult to find entry level roles

What's your current situation job/experience-wise?

Just finished my masters degree in cyber security. I’m AI just now but wanting to do red team stuff

also going through the junior pen testing try hack me to get the basics

Pentesting is usually not the first role in an infosec career, something like a soc analyst could be a good starting point while working on pentesting knowledge using sites like THM or certifications like eJPT. You could also leverage your AI position and try to combine that with pentesting (even as a hobby to start with), after all AI-assisted red teaming is probably the most lucrative thing to invest time in the coming years.

Yeah except with my current ai job there is not much learning in it sadly and the company could go bust again. But I will definitely look for some Soc analyst positions thanks

See stuff like https://blog.google/technology/safety-security/googles-ai-red-team-the-ethical-hackers-making-ai-safer/

Using AI to assist infosec is up and coming, and attacking AI systems is another angle that's very interesting since every company big and small is trying really hard to set up AI systems with profit (and not security) in mind.

Thanks I’ll take a look at that

MadScottishBurd, that's one of the best names I've seen!

Ahahaha thanks. I do love the name

(context, I'm Scottish too, I just don't often see burd spelt that way)

Oo nice which part of Scotland

West coast, you?

Glasgow

I thought so, not too far.

That's where I'll be going to Uni

Nice

I went to uws

Glasgow Cali.

I have a College peer goimg to UWS, was it their Cyber security course?

It was yes

Just finished this year. The uni for hacked badly

Yeah, I read on the news, I wouldn't be confidant on going there.

Think the staff info was stolen and sold on the black market for bitcoin

Did it actually sell?

Not sure but the uni has had to get the government involved

@cobalt escarp

Hey @brittle thicket Keep an eye out in #jobs-board if you’re looking to apply for a job

👋 Hey everyone! I hope you're doing well. I'm currently on the lookout for remote help desk jobs at security-conscious companies. If any of you know of any opportunities or have any advice for someone with no IT work experience, I'd greatly appreciate it. Thanks in advance! 🙏🏼😊

#jobs-board or job sites or recruiters would be a good way to proceed

i just cant bring myself to use it anymore

Is PNPT better to do compared to eJPT, ISC2, security+?

It depends on what your goal is. Also, ISC² is not a specific cert, it's an organizing body for multiple certs.

My background is completing a cyber degree, taking Sec+ soon, working IT 3 years. I got really into my CS programming courses and I am getting into both webapp hacking and malware analysis as I'm a week into THM and about to take the Sec+

How should I approach specializing in one of these domains?

I wouldn't mind doing a CS masters after a few years since I saw some curriculums and they are things I want to know but have been distracted by finishing the non CS/CYB requirements for this 4 year Cyber degree.

Talking about Sec+, are training packs necessary to success Sec+ ? I mean, i don't really know how hard is it

https://www.youtube.com/watch?v=9NE33fpQuw8&list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8&ab_channel=ProfessorMesser might be good to watch or scroll through 🙂

i'll check that, thank you 😉

Gave +1 Rep to @cold dawn

Has anyone taken the Google Cybersecurity Professional Certificate course? Is it worth it?

All I used for Sec+ was Jason Dions videos and practice exams on udemy. Anything I wasn't grasping well or anything I would get wrong on the practice exams, I would watch prof. Messers video on the topic on YouTube

SEC+ was the first cert I did and had no IT background beforehand

people said that it is worth it due to the discount on Security+

I just finished it, enjoyed it for the most part and yes you get a 30% discount when your done. I am watching the prof messer videos now before I take the test.

i wanted to ask if ccna or network + is necessary before security +? like im kinda confused because since i dont have any IT degree a network certification might be necessary

Sec+ assumes knowledge equivalent to Net+

so net + isnt necessary?

It isn't necessary, per se, but Sec+ will be very difficult without knowing the Net+ material.

i mean yeah ofc ill go study the net + material but i dont wanna pay for it unless i really have to

Depending on the org, it may be a red flag to have sec+ without net+

Look at the local job reqs before making any decision to spend money on certs

If you are intent on spending money on something, an AS or AAS in an IT-related degree is a very solid first move that's also very affordable

The thing is

im doing mechatronics engineering already

ive got one year left till i graduate

Then talk to the CS department and see if you can at least audit a security class

i might go for a masters in cs then

theres no CS department at my campus

thats the issue

engineering degrees don't give a lot of free elective hours, but you may be able to substitute a compsci elective

CS= compsci not cybersec

in almost all facets of comparing a cybersec degree to compsci equivalents, the compsci is better

wouldnt it be better to just get a master in CS after i graduate

in compsci? that's a very solid followup

I'm not a huge fan of the cybersec university degrees i've seen, i would recommend compsci over security for academia

i mean i cant take compsci courses rn coz of my engineering credit hours but im 20 and i graduate next year. i am thinking of taking masters in cs then

i wouldn't get a MS if you have to pay for it out of pocket

but i wanna do some courses already before i graduate since my engineering gpa is low too

a good employer will spend that a big chunk of money to help you get that degree as part of your promotions path

CompSci courses probably won't bring your engineering GPA up. Usually electives like that are put into a separate bucket, and it's the engineering GPA that determines graduation

so thats why i wanna take sec+ and/or maybe some network course

graduation isnt the issue. its not that low that it would cause issue with graduation

Then don't worry about it. If you aren't a candidate for valedictorian or salutatorian, what matters is that you got the piece of paper, not your GPA.

i dont want compsci courses coz my gpa is low per say. i was kinda coerced into engineering coz of my dad. never like it personally

so i wanna shift into compsci and then cybersec

yeah ig so

so id best take ccna first and then sec+

Can I ask you a few quick questions about it?

sure

How did the course compare to THM paths? And what paths did you complete if any on THM

Hey folks, I am posting my resume for review at the advice of @flat sedge I would appreciate you reviewing and giving me some pointers, I have applied to over 4k jobs via spray and pray using cybersecurity, soc analyst, security engineer, but I have not had great results. I will focus on adjusting for each job in the future but for now is there anything that stands out as a red flag?

Is this 3 pages or is it actually landscape?

@stoic cave it is 3 pages. I have been trying to consolidate to two but im running out of space. Im thinking of just dropping additional career history in general

Ok thanks for the info

Gave +1 Rep to @river kite

about how long did it take

idk if its small or the font sucks

@static tide its just the png. it looks fine on pdf

Third page is completely useless. I would cut it entirely. One of the major points at the top of page 1 is Project Management, but I don't see any certifications or work that supports a PM type role. Would recommend adding in what agile methodologies you know to the relevant section of systems engineering to build that crossover. Summary of each position you've had is too long. Condense it to 1 or 2 sentences, let the bullet points tie your work to the job req you are applying for. A reviewer should be able to map every bullet point to the role requirements for the job you are applying for

If you have concurrent roles or job titles, they should be ordered with more recent termination first

I did a course each day but I have IT expierience.

Don't go beyond 2 pages, it was painful skimming over all of that, and try to summarize your professional experience even more

@flat sedge thanks, you have touched on some of the thoughts i have had. I am wondering if limiting it to only my last 3 positions is the best bet. I have seen some friends resumes and it looks like a blank page in comparison. The other thing I wondered is if it is too wordy. I find myself looking the descriptions over before interviews and just thinking "get to the point, no one talks like this and if they did you probably wouldn't like them". TBh I have probably been strugling to edit for each job because there is so much to edit. I need an elevator pitch not a novel about my career

Gave +1 Rep to @flat sedge

thanks, I agree. just took a outsiders opinion to come to terms with it.

Your resume should be as long as it needs to be. Remember that it's basically a list of talking points and relevancies; I keep my full resume as a LaTeX set of files, and tailor it for each role I apply for.
Recruiters and managers like that because it keeps my resume to topical stuff for them. They don't have to wade through items that aren't immediately relevant

Best tip for CV's I can give: tailor it to the job you're applying for, put yourself in the position of the recruiter that will compare it to the job requirements.

Also this video might help
https://youtu.be/L-TJVyBdF2M

Leave out stuff that's not relevant, emphasize things that will match up with the position you want

these date confuse me

unless you were doing both of them at the same time..?

@sleek sedge I do small projects here and there over the weekend. I suppose it might look like im working two jobs at the same time (technically I am although it is infrequent) they probably aren't interested in paying 6 figures to a guy that works a second job now that I think about it.

Typos like "Siem" when it should say "SIEM" kill it for. Nmap suddenly being capitalised, Azure being the same

Attention to how brands present themselves and the proper use of grammar is important

Attention to detail...

You've got years but I'd say like... August, 2021 rather than 2021 - 2021

@quick forum You are right. good catch.

Like, "SIEM Support Enginer" is the worst example to me - "that was your job title, how could you get that wrong?" (view as a hiring manager)

Cybersecurity Engineer | Security & Systems Engineer strikes me as redundant?

Professional experience would probably be above education IMO

good point

correct about redundancy as well

Have you ran something like grammarly or a spellcheck over it?

why’s the second page got a line under the titles but the first page doesn’t?

what are your thoughts on resume gaps, for instance I have a contracting business listed that I work in between fultime positions, is it better to format it with the dates between relevant jobs or just leave a gap? I don't want it to appear as I was working two full time jobs

@dim gobletalso i dont have much experience with but i'd recommend using overleaf for making cvs or resumes easily using latex

they also look nice

unless you're going for an academic/research position, LaTeX is a bit pointless 🙂

I'd just read it as show-off

unless it was a really nifty-looking latex document, then I might be interested instead how you made it

Using a solution that makes your resume machine readable and presentable is pointless and a show off?

you could write it in your worst handwriting, make a bad photo of it, and machines would still be able to read it in 2023 🙂

so I get your point but it's not really that valid anymore these days

but hey if you know LaTeX and already have it that way, go for it

its quite easy with overleaf

you dont even need to know latex just understand basic syntax

these are just some of the many templates

if ur cv looks good its always a plus. First impressions last

Not debating that, its just tool-agnostic how you make it look good.

Fair point

And on the topic of CV's, its also interesting how many people list specific technologies/vendors for their past positions, can give away quite some security-sensitive information useful for attackers that way..

(or on LinkedIn)

That's very true yeah

Should i list hobbies in my job resume?

I would not list hobbies unless they are related to the job... like if you like doing CFTs but want a job in software engineering.

Hi guys, Does anyone know any companies currently hiring remote SOC analysts and could possibly refer me? Thanks - and feel free to DM 😄

I'm passing the practice exams before studying the material, partly due to being a cyber major.

depends on how cool they are not going to lie. "Free soloing mt everest", "part-time red arrows pilot trainer", "inspiration for Johnny Utah" would get my attention for sure. like, i would interview you just to talk about this 😂

but generally no

Good evening, crew. As I understand it, it's ok to post a PII-redacted image in here for resume critiques?

Sure

Yep. You'll need to verify in order to post images though.

Oh, nvm discord being discord

I'm pretty sure I'm verified. I've quietly been around for over a year now, and have gotten to Level 13, just don't pop into where the people be too much

Alrighty, time and the universe will tell if I ain't as verified as methinks

Not a bad format, experience should go first. You graduated 15 years ago, that is not as important as the work history

Will take a closer look later

Yeah, discord showed you as unverified for me. Then immediately after I sent the message it loaded your role. I'll do the first page now and second later.

-I'm of the opinion that you don't need the career overview. I know others here like them though.
-as juun said, education to the back. You also don't need the giant black bars between the two diplomas.
-certifications don't need the dates. They're either current, which means they're on the resume, or expired. I would also put them on the same line separated by commas.
-too much whitespace in the skills. Like with the certs, go side to side vs up and down. Soft skills don't really belong. Skills should also drill into what you're actually skilled in, not really broad categories.
-for each job, try to do no more than 4 bullets. Resumes are supposed to be your greatest hits, not an anthology.

bit cheeky but i'd remove the years from the certs 🤔

Not cheeky at all, I really appreciate all these suggestions!

hello everyone I am planning to give sec+ soon I wanted to try some mock tests. Does anyone recommend any of them? I searched online but reviews are a little random. really appreciate everyones help

Professor Messer's are the best followed by Jason Dion's imo. Comptia does also provide 7 sample questions that are worth checking out.

thank you so much

Gave +1 Rep to @worthy shoal

this has been really helpful to read through thanks all

guys im getting confused between ccna and network +. since i wanna go into pentesting shouldn't net + be enough or is ccna still the better option. most recommendations are to get net + if u do not want to be a network adminstrator or such

What is your plan for your career?

Do you plan to do network monitoring, administration, engineering, etc. that resembles skills found in CCNA and Net+ ?

I wanna go into cybersecurity. specifically pentesting or red teaming

How are you planning your career? Its seldom that companies hire entry level positions for the roles you’ve said

I mean I'm doing engineering. It's my last year. I'm thinking of getting a masters In compsci next. But I also wanna get atleast security plus and a networking cert and maybe some other before graduating. I was told ejpt is also good but yeah. I mean I wouldn't mind getting a help desk job at first but I'd rather work as a programmer coz well I'm familiar with git and I know c++(c) , python and also assembly somewhat.

I'm also gonna try and do ctfs and stuff and also bug bounties to rack up exposure and experience but I really don't know what my first job should be either

Think hard if you want to actually commit into a Masters degree and if there is any big requirement right now for you. What I see is that having a masters degree without actual work experience could hurt you when looking for jobs.

Security+ is a solid certification, if you can afford it, definitely get it.

A network certification is not that much a requirement IMO unless you are going to be focusing on network admin/engineer roles.

Try to also ask people in the industry around your area and your professors on what are your options outside of college

how about pentest+ ?

I am from a third world country so no one really knows much about cybersecurity here. Youd also be hard put to meet someone with with ever sec + or net + here.

The thing is since I'm doing engineering im only viable for engineering jobs which I really don't wanna do. So I want to switch fields into compsci and I can't do that without a masters in compsci exactly

What engineering are you taking?

Mechatronics

Pentest+ is worth it if you know how you'll put it to use B4 hand. @proper musk

are there freelance or part-time jobs (not full time) for intermediate-level people into malware analysis or reverse engineering?

There might be but you'll have to look

Yeah you have to find out what your purpose of learning networking is.

Not deeply interested in the networking part of security but need to know how it works? Net+

Have the time to invest and want to go deeper? CCNA

thanks man

Gave +1 Rep to @vernal sleet

Even then, do you actually need a certification to learn that?

If you only want to learn and not have any credential/"proof" for it, not really.

For pentesting and stuff like that, what I value most is the experience not only the certs.

certs definitely help but experience is important

Experience is always the most valuable, unless clients require specific certs

definitely

Journey > Destination

Yes

https://youtu.be/VcjzHMhBtf0

Does anyone know what the best way to stand out to recuriters is

Bring them pickle flavoured pringles

that would leave an impression

I mean something to get them to pick my applciation

||blackmail||

https://tenor.com/view/batman-thinking-thinking-about-you-think-thinking-of-you-gif-20503421

Make your application relevant to the role.
Format nicely, keep reading brief.
Use the keywords they are looking for.

Generic advice

I have all that even kept my experience to cyber related

What skills should i list for level 1 help desk job?

• Customer Support (Verbal and written communication skills)
• Technical Knowledge (Strong understanding of OS, software and devices)
• Teamwork
• Problem Solving
• Analytical thinker

Don't copy directly, they are just keypoints you could use

are languages (not programming ones) relevant or nah?

See what the job requires then see if you have those skills

they could be? list them anyway but only if you’re comfortable speaking to locals in it

what do they mean by this?

I presume familiar with things like NFS, SMB for the first part

Get the OSCP. Recruiters love the OSCP. Otherwise, Sec+, CISSP and/or a degree in cyber

I would but can’t afford spending 2k on a cert just now

Yeah it's a very expensive cert. I'm doing a cheaper but similar cert at the moment. There's lots of other options but their impact on the job market isn't huge just yet. OffSec seems to be aiming for business customers with their pricing but lots of people still need to get on the first rung.

There's other options like the TCM PNPT, HTB CPTS, Zero-Point CRTO 1 & 2 and a few others that hackers are recognising but companies don't seem to be paying much attention to, even where the content/exam is a better indicator

I feel like most companies want experience. I’ve even seen graduate jobs ask for experience

Most graduates won't have experience past the projects they undertook and those won't really be at the same level as other achievements like certifications. Being active in the community, going to conventions/meetups, having a blog/github, posting your learning achievements to linkedin can all help demonstrate your enthusiasm. Companies want both experienced people and people who fit in that environment

I’m have 8 months experience in AI so that’s something. My boyfriend is quite big in the pen testing industry so I could ask him

If you have someone already in a position, that can really help get your foot in the door and having experience in applicable technologies can really help your case. AI is going to be a big deal in the coming years for both attackers and defenders

Improving your skills through THM and other resources can really help you improve as well

Yeah and good thing is python is used a lot in cyber so it’s good to get experience with that

Absolutely, it can help out in a lot of ways in pentesting as you go

Yeah. Just been applying to jobs even entry level ones and being told I’m not qualified enough. Even though I have my masters degree and some experience

It can take a while but don't be put off. There's lots of opportunities out there so keep at it

I am

I'm currently working towards the HTB CPTS and enjoying the process and sending out applications here and there

you could take the cpsa which is a multiple choice exam

not hard at all

i presume you’re in the uk given your name

I'm looking at comptia security+

security+ is decent but cpsa will be similar content and hold more weight in pentester positions

https://www.crest-approved.org/certification-careers/crest-certifications/crest-practitioner-security-analyst/

https://www.crest-approved.org/membership/ncsc-check/

thanks

does a master degree make THE difference compared to bachelor degree when applying for a security job ?

most jobs just look for a 2:1 but if you think it will help go for it

Some jobs will pay for your masters degree if they want you to have one for whatever reason just like certification.

it's free in my country 😅

for a what ? 2:1 ?

Lucky, 2:1 is a university grading system in the UK I think it is honours.

https://en.wikipedia.org/wiki/British_undergraduate_degree_classification

Under degree classification

we dont have this system in france, fortunately

ah

hi everyone... I am trying to get in cyber/infosec in London (after dropping out of my PhD) and I haven't managed to get a single interview in 4 weeks. any advice regarding my cv or anything else for that matter would be deeply appreciated. Thank you

I have a tech screening interview for an application security engineer position coming up. This is my first time going through one. It is the last step in the interview process. Anybody w/ experience have some tips for a rookie??

have you played with modsec + juice shop? Also check out the Core Rule Set... know about troubleshooting false positives and blah blah.

When discussing your PhD, don't state you did not graduate. That implies that you failed. Leave it at Incomplete and be able to discuss in an interview why you dropped out but also what you have accomplished (papers, projects, contributions, teaching, etc...). Sorry you didn't get it, I have friends who didn't make it and I know the struggle and the effort you made to even get that far. Keep trying. The cybersecurity industry is a tough one to crack.

A lot of orgs might be a bit nervous about employing a PhD level individual, as they might feel you'd get bored or unmotivated and they might not have a senior position or a progression track that might suit you.

Your other certs are worthwhile. With the Splunk one, consider an estimated date of completion and put it at the top of that section (the Sec+ and Google course cover the same topics pretty much). When I was a cybersec engineer, learning Splunk made my work so much easier. Also, considering the range of your experience, you might benefit from pursuing the CISSP at this stage.

Also, the Diploma in IT should be in the same category as your other academic pursuits perhaps

Hi everyone, I am in a particular situation which leaves me a bit frustrated.
I'm starting my final year of my Bachelor degree with a double major. Initially I never would have thought the IT world would interest me and it took time to arrive to where I am today. I initially started my Bachelor's degree in Liberal Arts with English and Russian as my two majors and Computer Science for the Humanities as a third option (you are forced to do 3 for you first year). After your first year you choose to keep 2 of the 3 majors and I obviously kept the CS for the Humanities major (listed as a Liberal Arts major). My issue is that I found that this field is what I was looking for and especially cyber security.
I cannot do my masters degree in CybSec in my country because the only two universities that offer that degree are very closed and picky. Sadly my English major doesn't give me a perfect GPA which makes things difficult to even dare apply for their masters degree.
My question is if I continue my masters I CS for the Humanities and get certifications, would I still be able to work my way in the CybSec field despite my CS degree being marked under the Liberal Arts section? I really want to work my way into being a pen tester or a red teamer but I'm worried it might not be achievable as a dream 💭
So far it's been hard to even land a simple part time job or an internship as a Web developer or even for a help desk position, even though I have worked on projects to put on my CV and I'm becoming desperate and frustrated. I even have noted down what skills and knowledge I've acquired through my studies but I feel like I keep hitting a wall.
Any advice or info will be greatly appreciated 🙏🏻

It does sound quite frustrating. Can you post your redacted CV so we can have a look and see what you're doing with it?

Of course, thanks a lot!

I cut out my name and professionnal experiences (which is basically just being a waitress, trascriber, and assistant venue producer)

thank you so much for your kind words and your advice. I definitely want to get CISSP, but I am hoping that any company that hires me will pay for it

Gave +1 Rep to @rugged delta

Have been through juice shop but will go over again, and will check out core rule set. Can't seem to find modsec however? Thank you for the pointers!

so modsecurity is EOL but there are other projects that are looking to take up the maintenance. https://www.modsecurity.org/

Outside of open source, other popular WAAPs are signal sciences, F5, Imperva, WallArm, Citrix

https://owasp.org/www-project-modsecurity-core-rule-set/ OSAWP has a project that might take over the modsec maintenence. They are also rebuilding in Go.

You might also want to look into the top 10 for Web App: https://owasp.org/www-project-top-ten/ Thre is also a new one for API: https://owasp.org/www-project-api-security/

(not sure if this is helpful... but I am mostly out of links now 🙂 )

Thank you for all of this! It will definitely help me.

Gave +1 Rep to @royal thorn

Feel free to msg me if you have any more questions. I might be a little more involved in this area than I would like. ha.

Fuck me that's an unreasonable number of languages

Especially with Serbian being in there

I barely manage English most days.

Will do. I should be getting more info around noon ET tomorrow and ill reach out.

Do internships/mentorships generally require you to do a certification along the way?

and they aren't even really related 😂 but that's only due to having a big mixed family for the majority of them

If anyone has any insight on whereas I can pursue a career in pen testing or eventually red teaming with my degree + certifications (currently working my way on it) it would be greatly appreciated 🙏🏻 I worry that my uni decided to group CS for the Humanities under Liberal Arts might hinder me

depends but its a good point if they require it. feel free to ask if u can

For your first job? Yes.
For your second job? No, unless you left your first job after a month 😅

i kinda disagree

if you go into the risk side or wanna step up the ladder i've seen a masters degree do wonders

Higher ed opens doors much faster than working in industry; that said, it can also be a red flag to have a MS in security but not have any experience

if you guys do not mind drop some ideas regarding cyber security projects which i can use for my final year project because it would be perfect asking the community for ideas which i can base it off and there are no requirements it just needs to be tested deployed and a report written on it but thank you in advance!

I wouldn't say so much a red flag. A lot of people won't start working until they're finished their MSc

in computer science, yes. A MS security, I think, doesn't really give a lot of context for the practical things part of that course of study. That's largely my impression from the security grads I've met. IMO, CompSci > Security for almost every career path and person

Well a proper bachelors course should be more rounded than just being about cybersecurity and definitely should cover computer science, software and systems, networks, operating systems, maths, hardware, scripting, web dev, law/ethics and other areas. You really shouldn't be touching much of cybersecurity til 3rd year if done correctly

this isn't really true in the US or at least shouldn't be, generally it is more advantageous in the US to get a job right after your BS

Yes it's true, most people will go into work right after the BS and either never or not for a long time go masters. But for some people, the choice is to go straight to the masters course

and generally they may have a more difficult time getting a job unless they work while doing their masters

Well possibly but most colleges will have some form of channeling into a career path or at least work experience

not in the US

The uni and college I used for my BS and my two postgrads both have departments dedicated to it

that seems very very rare

I think it's more common in EU. There's government effort to integrate courses with the kind of jobs companies need filled, a lot of company interaction with colleges. In Ireland we have EU bases for tonnes of big companies from Microsoft, Google, Apple, Facebook, SAP, Red Hat, Fireeye, Tenable, tonnes of US financial institutions and pharma companies...

so you didn't go to school in the US? it is a huge complaint from US students. in the US, schools may have job fairs and various opportunities but direct helping is rare. Some schools do have partnerships with specific businesses but still it may be challenging for various students

Well the situation in the US is very different. My brother lectures over there and he knows how much his students are paying to go to college and what their expectations are after. Over here, the gov pays for lots of 3rd level education cos they know you're going to probably get a high paying job and pay loads of taxes with it in the coming years and a lot of the colleges are state run or state funded

Usually only the most elite US schools have that direct help - IIRC FIT is one such school, that feeds aerospace engineers to NASA, SpaceX, NGC, Lockheed, etc

ahh ok, I misread your comment above when you replied to my comment about 'not in the US, saying your school in the US does provide those things'

and I work with quite a few graduating seniors from various schools as well as new hires, and it seems like the situation isn't much better than when I went to college

Ah, well maybe I need to phrase some things better 🙂

College is a fairly intense endeavour and yet, the skills and knowledge and the ability to apply them aren't really learned til you get out in the real world. That jump from college to work can be a chasm if things aren't put in place

yup

Wait, subtle, you're not based in US?

No, not based there, though I enjoyed visiting

Huh I always thought you were from the US 😆

It's a common occurrence 😁

Applied for a job I reeaallly want last week🤞🙏

Does anyone know if a recruiter that posts job ads only to LinkedIn will check an applicants profile? Or will they primarily stick to looking at just their resume?

It really depends on how impressed they are with your resume. They probably have a lot of applicants

I was thinking about picking up a cloud certification but I am not sure if should pick aws or azure

do you guys have any recommendations on which one I should choose? which one would you guys say gets used more in the security industry?

azure in my experience

🤨

both, and if you know one, you can learn the other fairly easily if need be

some people find Azure easier due to the naming convention but I found the Azure cloud certs to be harder than AWS

@cobalt escarp

:hammer: cy_cypher#0 has been banned.

[BAN] User left the discord server.

somehow I missed that

ahh sorry bugging other folks

no worries

Are there any tryhackme content engineers willing to share with me a little about their role/responsibilities etc.?

Probably not the whole answer you're looking for, thought you should look at this

https://tryhackme.com/room/securityengineerintro

Dammit.

I did it again sorry. You are looking for Content Engineering not Security Engineer

Ha no problem

Check out: https://tryhackme.notion.site/Careers-at-TryHackMe-6bd665d7bd3448348d04fa06f4b4ef66

Oh yeah I've read all this. Probably like 5 times 😂

Thanks though ofcourse

I like to think I cover most of this criteria

Best way to move forward on your interest is to submit your CV for the role you would like to apply for. 🙂

💙

Hello everyone I am new to Tryhackme Website I can't understand where I started my career as a Penetration tester can anybody guide me please thank you.

anyone know any companies that do pentester internships or apprenticeship in the uk?

start with the "Introduction to Cyber Security" learning path, then do "Pre Security".

Thank you

Gave +1 Rep to @hot holly

I want to study cyber security and do something related to business also for my bachelor's, what course do I take in uni.

corp sci with a minor in finance or economics or MIS

Got an interview with an audit company next week, any tips for giving myself a crash course on audit standards?

Would I be allowed to put my cv here to get advice on it. Not sure if it’s needs improving or not

Unless they're recruiting you spceifically for your auditor qualifications, they either intend to train you as such or the job doesn't mention it

Yes, you can upload your CV but you should remove any personally identifying information about you or the organisations you're associated with. There's examples of other CVs above in this thread

It's a grad program, was just hoping to study up on things, look a little better for the interview and all

Look on the company's site and see exactly what they do and then look for more information about that using your favourite search engine

Yeah, figured

Doing a course on Cybrary on ISO26001

Social responsibility? Surely you mean 27001

Yeah, typo, good catch

I can still see your Email.

ugh

Use blocks.

better?

No point blanking your surname and leaving your linkedin...

oh well ahaha

your name is also linked on your Discord 😂

ahahahaha

oh well too tired to think just now ahaha

😂

i think that experience is good enough to put above your education

aww is it

Maybe you can put the second paragraph on your professional experience first

So I'm in the US and my perspective will be slightly different. Ideally you could get a professional in the UK to review.
Generally, don't put I's in your resume. Your resume is supposed to be about you but not for you.

1. Your name/title really shouldn't take up 1/4th of your resume. I wouldn't even put the title, just your name but a much smaller font... even better make your header your name and contact information

2. Profile - what is a graduate role? maybe it is something in the UK. I would state here that you are looking for a role that could leverage your schooling as well as personal development you have done.

3. Education - You should really never have to explain what you did in school. There is generally a base understanding of what type of subjects one studies in school. I would drop all the verbiage here.

4. Professional experience. This should be above education. I would also read other resumes to find how people list professional experience. I would drop the first paragraph completely and really focus on your roles and responsibilities. You could weave in that you do testing for threat detection and security monitoring but again, you shouldn't explain what the company does in your experience. Also, do you have any other experience? At your level other experiece would be useful here even if not relevant.

5. Community - this should be at the bottom of your resume but again, drop the I's, consolidate this a bit.

6. I would add a projects section and this is where I would put your Masters project. Also list any other personal projects.

You there?

ah ok

ill try and do that

yeah

If you want to redact your last name, you should also do so for the linkedin link 🙂

ok

So you want to leave this posted in here?
I mean I don't mind, it's just a friendly reminder 😄

ahaha ill delete it i have all the advice i need. thank you

personal pronouns should be avoided in all types of formal “deliverables”

what is a graduate role?

It's the first role you get after graduating university in the UK. You could say junior, you're not expected to know much but just learn.

A lot of grad jobs also have a rotation scheme where every 3 / 6 months for 1 year / 2 years you change into a new team so you can figure out what you like 🙂

Hello guys,

I hope you're all doing well. I'm reaching out to seek your valuable insights regarding a career decision in the field of cybersecurity.

I have a friend who has a unique learning style - while he learns things at his own pace, he excels when given ample time for repetitions. He also possesses strong managerial skills. He is torn between two cybersecurity roles and would greatly benefit from your input.

The roles are:

1. SOC(blue team)
2. Pentester(Red team)

Considering his learning approach and managerial strengths, which of these roles do you believe would be a better fit for him? Your guidance would be incredibly helpful in helping him make an informed decision.

I mean both of those jobs can get repetitive. They also both need managers. I will also say that your career isn't stuck to one area. You may go into X, then go into Y, then into Z. Cybersecurity is a huge field with dozens of roles.

so I'd say go into what you like for now, then maybe you will find something you like a few years down the road and pivot into that

👍

@pseudo creek you mentioned it was a good idea to get sec+ to get into cloud security if i remember correcly?

It's good to have a solid understanding of security, security+ is one way to do that

If you had 2 options. One is to build out a new blue team to support security operations or be BISO, which one would you take and why? Both within the same org.

BISO is a bunch of crap, personally I wouldn't choose that

I mean if you like being a punching bag, choose BISO

Fair enough lol. Just because they take all the flack from other departments outside of security ?

What the hell is BISO?

I had to google it. Its not a real job. If your CISO doesnt understand the business unit they are not an effective CISO. No one needs an additional role to advocate for security. It is literally their job to do so.

Sec+ was a good way to get into contract work under DOD 8570. No longer. 8570 has been replaced with 8140. Sec+ was never a particularly strong certification, but it worked as a bare minimum for hiring. The skill ceiling has risen, and under 8140 the DOD has much more flexibility in hiring.

😂😂 it’s definitely a real role

If I could roll my eyes harder without them falling out of my head i would.

Go ahead, please elaborate on this very real role.

So it's director with less ability to affect operations while at the same time getting blamed for the gap between business and security units.

I would have to be offered c level pay to take on that role. It might be real in the fact it exists, but I don't see any added value to actually having one instead of a couple of directors for grc and ops.

I won't argue the existence of a position, I wont argue the pay level. I wouldn't hire anyone with "BISO" in their resume. I don't see the value in that role. You would have to justify your value.

So to answer your original question: I would stand up and pay the new blue team. The "BISO" provides no obvious value to the org.

I didn't mean to be rude to anyone.. I am sorry if I came across as shitty.

Hi, i am a Lead QA performing manual testing for the past 16 plus years. I decided to get into cyber security and did my CEH certification last year. After the certification i went clueless on what to do next. I was not lucky enough to get a entry level cyber security job. At this point of my career i cant come down too much with the current payscale but i am ready to take that big leap in getting into cybersecurity. It will be great if i get some advice on how to shape my career further to get into cyber security role. Also i wanted to move to UK with cyber security role.

So you’re opinion is basically no?

hi is it fine i message you ? its with regards to pwc. SOrry for the intrusion

I missed this yesterday. 8570 is deprecated, yes. However, there is technically no guidance in 8140 that replaces 8570. Currently, it's on an installation basis and the ones I've interacted with are still using 8570 until further guidance is disseminated. There's no official cert/experience chart in 8140, from what I've seen, and I haven't heard when one is coming.

Sec+ is a baseline cert in cybersecurity and still required on a lot of contracts and listings.

Guys is AWS Cloud Practitioner Foundational any good?

Im getting a 50 percent discount on it so wondering if i should take it or nah

having AWS knowledge is pretty helpful for a career. Generally the cloud practitioner isn't great but it does show initiative. If you wanted an AWS cert, I'd recommend certified solutions architect associate.

So I should ignore the cloud practitioner ?

well it depends, like do you plan to get another cloud cert?

I mean I wanna get into red teaming not cloud computing

Maybe some other time

Not atm no

red teams will need to know cloud

Since I don’t have a job

then if you want to save money, you can pass on it for now

I'd say about 50% of our red teams work seems to be cloud based and that may be an underestimate

I see

As Zojja said, a lot of the work everyone in IT is doing is cloud-based. And if you're going to learn a little bit, the Cloud Practitioner cert will teach you a lot of the lingo and a few of the technical aspects but this is covered in the associate level certs as well. Solution Architect Associate is a great cert to have and if you're trying to get into a cybersec job, you'll do quite well if you first hold a cloud job. People holding the Solution Architect Associate cert get paid pretty well too

I'm very interested in cloud sec and doing red team work on the cloud would be awesome. do you know of any resources that can provide some sort of guided path on getting there? I am currently learning AWS and doing mini projects in preparation for SAA cert

I don't think there is any guided path although Black Hills infosec has a variety of resources

the discord?

Or the website

They do have a discord but I've never participated there

https://www.blackhillsinfosec.com/breaching-the-cloud-perimeter-w-beau-bullock/
referring to this?

well thats one thing, they generally have a few courses and they seem to put out webinars semi-frequently

appreciate it.

I would say get on their mailing list to see what offerings they have and when

Hey, i'm early in my career ~2-3YoE across consulting, GRC and blue. Based in AUS!

I'm doing some pivot-jobsearching into more blue/technical roles, and I'm in the interview process for some FAANG and related companies.

They've mentioned that the next round (for a Threat Intel & Detection role) will include "simple scripting and coding on hackerrank, focused on threat detection". Other than one beginner Python course I'm doing right now, I haven't really done much coding.

I understand it's unlikely i'll pass, but if I was going to commit the next 72 hours to maximising my python-security skills to pass, what would you suggest I do and how?

not sure if this design for cv is too much

imo not a fan of the font titling each section, a little too schmancy/dramatic? Also check your kerning on those headers; the spacing is not consistent (and capitalisation)
Community could be more concisely worded and given more space if you feel it's important, and Skills could be given less space since it's just single word dot points.

I think your internship is very interesting, and you should elaborate more on the work you did and the outcomes of your deliverables. And don't say "supporting colleagues on other projects", tell us what projects specifically, and how you contributed.

Not sure if it's normal to write ur CV in prose where you live, but usually CVs are written in dot points, with each dot point talking about a specific project, deliverable, feature, or skill development (with relevant metrics to help measure how well the outcome was)
e.g. for your M.ENG, you could rephrase it to start with this dot point:

• Configured ELK stack for [purpose/context], ingesting [gigabytes] of log data that [resulted in/allowed for/produced... something, just make up an outcome if you had no goal for the project]

someone thinks that the cybrary sec+ course is enough to get a passing grade on the exam?

currently without the labs because i didnt buy the premium

how much IT experience do you have?

if ur not a complete beginner and know some basic networking and did a few rooms on thm u can def get by without buying labs

im taking it rn and just watched all of professor messer's videos then started taking a bunch of practice exams

got a book by gibson too for when i wanna look a bit more in-detail about somethin

u can also ask around in the official comptia discord server, might get some better responses

language-wise i know c#, c and my mainly used ones are python and cpp. i also have good networking knowledge (mostly of the 5 layer module), linux and windows, operating systems. in information security i dont really have any major theoretical knowledge but i have done the complete begginer, starting point, etc.. paths in tryhackme, i have done some boxes which are labled as easy and some medium ones.

i just dont really want to focus on theoretical knowledge so i dont want to really get deep into more books / video series since i also dont plan to take the actual exam, i just want to know the required knowledge and pass some practice tests successfully

the exam's like purely theoretical

u get like 5-6 performance based questions and then the rest of the 90 questions are like this

with this u could pass the test easily with a bit of studying

https://comptiacdn.azureedge.net/webcontent/docs/default-source/exam-objectives/comptia-security-sy0-601-exam-objectives-(2-0).pdf here's the exam objectives if u wanna see what's covered

👍 thanks

npnp

Is this an actual question from the exam?

nah

just a practice exam

would be in big trouble if it was lole

thank you man

Gave +1 Rep to @rugged delta

My honest opinion (!):

1. Too much text, you can provide a lot of information but do bullet points instead
2. Depending on the size of the company, automatic scans are applied to filter stage 1 of applications. If I were you I would check if your CV is machine readable because the design doesnt look like it!
3. Fonts (see 2022-2023) shall be uniform
4. You didnt censor your employer in your subtext 😉

Putting it into bulletpoints now

Feel free to send the updated version 🙂

Better?

Try to add objective goals from your experience like in your first bullet point , how much this did improve the previous workflow when you added AI?

Leader of testing team, you can expand on this a bit more like, "lead a group of 4 engineers for testing which had X impact on company"

Worked with docker and anomalies, what specifically did you work on?

like this

does uni experience count or just actual work

for them i always put personal+professional exp

i have about 5 years of linux experience from uni and loads of personal with windows

yes and personal imo

if u maintain linux for fun i would say that should be included in the calculations 🙂

I did add that

Just a quick query for any THM staff - one Content Engineer job advert was closed for submission recently and another one has been put up. Does this mean that the first job ad didn't result in any successful candidates?

Hey you peeps!

Am looking for a Cybersec Content Creator job. Currently, am working for a Singapore based company as a cybersec training creator. I basically create cyber awareness training and simulated phishing email templates to educate employees.

Help the girl out if you know bout any good opportunities. I will share my resume then.

Thanks!

there’s a website called tryhackme

and they often advertise for what you’re after

Guys if I am only 17 on school and want to find a practice for students…. Where to write? I don’t need any money for it I just want to learn

I am interested in pentesting and reverse engineering

pentesting is not really entry level so your chances to be able to find unpaid internships with that is probably quite low,,, but know quite a few places let you shadow someone doing the soc analyst jobs

Where?

probably not applicable to you as those jobs are in sweden and for local county government and hospitals

Ouch :(

sorry

My country is like 20 years in history

We have only 2 companies I know here but I don’t even know how to ask for internship in correct way, like just say hello I want….. I have skills in….. ?

should i buy comptia pen+ test only or should I buy the one with retake , how hard is it ? anyone?

Does this look like a professional cv ?

i recently took the pentest+, it wasnt that bad. i was getting around 80% on Jason Dions practice exams for that test when i took it and passed first try.

If you have a uni diploma I would also include it, otherwise it looks decent to me!

Hey guys, Hope you are doing well. i had a query which i was trying to find an answer too.

Does someone know any University throughout the world who's Cybersecurity courses (Bachelors & Masters) are top notch and doing a masters there would actually be meaningful. As me or even anyone woudn't wanna waste their time and money.

I do came across a few universities which i heard are great -

1. Eurecom in France
2. Syracuse in USA
   Any feedback on them would be great too if you have any

Do share your valuable response if you know anything!!
Thank you

Carnegie Mellon is quiet popular for their cybersecurity degrees. They also run the PicoCTF

This isn't mine it's from the Google Cybersecurity Certificate and I think they could've done better

You should have included that context in the original post. Honestly, it's fine as example content in a course about layout but the content itself needs to be richer. You really shouldn't bother with emphatic adjectives like 'Effective, Excellent' or' Outstanding' unless they're specifically from an accreditation you received, like if the company's CEO said your contributions on a critical project were outstanding and you received a commendation... As in, the content has to be based on tangible things you've actually got

I'll just save it for my future self

Hi all! Im a little lost trying to navigate career change. I apologize if this has been asked a million times.
Some background information:
Have been in IT for about 10 years now, before, throughout and after university. Mostly customer service, some minor bug testing for one year in the middle. Had a 1 year period where i worked retail food service. Currently a manager in IT help desk.
I completed Jr penetration tester path in december 2022 from Try Hack Me.
I figured i couldnt realistically apply for job with just that, and then started studying with the Google cybersec professional cert this year. Plan to finish that in the next month as well as get the security+ with the voucher they offer. At that point i think I will feel confident to apply for jobs but....

Is it realistic to apply for entry level(?) pentest jobs? Is it better to apply for entry level SOC analyst or similar, stay in that for a year, and transition into pentest position? Should I just be trying to do pentesting on my own for things like bug bounties and CTFs while documenting to develop experience instead and then apply directly to pentesting jobs?

I really love cybersecurity; Investigating and doing analysis, providing reports to help people understand, trying to break into stuff, even cryptography, these are super fun to me and I want to work in this field while having the opportunity to ultimately protect people as a pentester.

TL;DR
10 year general IT experience, want to change to pentester. Do I start as entry SOC analyst, or apply directly to pentest roles?
Thank you very much for reading and responding!!

honestly, I'd apply to anything and everything that looks interesting and you meet the basic qualifications for (like if it asks for 2 years experience in cyber security, I'd totally apply). The issue is that you aren't entry level but don't have working experience in the area so you are going to be in a kind of a limbo. GRC would also be an area good for you if you are willing to work i that area

Hello continuing from #general message

if the certifications are expensive and you're not trying to get a job and considering you already have a cs degree you shouldn't need to pay heaps for one yourself

some companies if they want you to have certain knowledge in certain areas like pentesting will pay for you to complete certifications

if you are just learning because you find it interesting THM and other less expensive resources like books are a good place to look

I would like to clarify that we're talking about certifications if we're discussing Sec+. Certificates are different and don't really mean anything

yeah I meant certifications

mixed up

Do have any prior professional experience?

they have a cs degree so I assume they do

Like are you currently working IT or another area in the computer industry?

I was working as soft engineer for 3 years, and now working as cyber sec for 6 months

what is your role currently

What's the difference between certifications and certificates? I figured they were kinda interchangeable

certificates are from thm learning paths

and are less important

Oh

I see gotcha

My current role is more to GRC area and abit of SIEM

Nevermind

or there are also certificates from schools

in Australia we have Cert 4 in cybersecurity which is well regarded

If you've got the degree, Sec+ should be enough for Security roles. Pentesting is actually pretty niche and requires prior experience, for red team often in multiple domains.

No, they are not. At a high level, certifications both test your knowledge and also verify that you know the material to a certain level of competence. Certificates don't actually verify knowledge, they just say "I did a thing"

they can verify knowledge

the cert 4 here is a full 6 month course

with assessables

What cert 4 here?

^

I guess it would depend on location

Yeah see that's where I was kinda curious as well

Because I'm also aus

Okay, ill focus and request Sec+ certifications, hopefully they will pay for it
Im also trying to specialize into pentest area.

Yeah

I would recommend a degree in IT

I've got my bachelor's in business and I'm working in IT atm for the last 1.5 yrs

heard that cert 4 is more like preparation for a support desk role

nice

Useless degree but I graduated like 5 yrs ago now

any degree is better than no degree

So I figured security certs probably would help. I definitely don't want to go back to higher education though

except maybe communications

How did you get your job in cybersecurity

Seems like this is more a regional thing. Typically, when discussing certificates as a whole, they do not usually have an organized certification body behind them

yeah

thats why I said it would depend on location

I'm just help desk and do some security and NOC stuff as a part of my job currently but I got the in via networking

I did some business networking as a part of a previous job

nice

I knew a recruiter who had some IT positions

I was guessing it was from networking from past experience

Got 3 job offers despite previous experience

So that was cool

yeah

Turns out networking is a huge help, huh?

in anything

Aside from certifications
If im gonna study pentest, how do i know if im eligible enough to get a pentest job ? Most of pentest job have req of CEH / OSCP

If you meet the requirements then you are eligible

try some practice exams and see if you can complete them then if you get a interview you are able to answer questions even if you don't have the certifications and see what happens

I finally landed an interview for a part-time job in IT support and data verification, I hope it all goes well 😭

hopefully it serves as good experience for entering the cybsec field later

Thanks for the confirmation!

Gave +1 Rep to @hallow hound

.

random question: is the aws cloud practitioner essentials course enough to pass the exam?

@solid star I very much doubt it will cover enough to pass the AWS cloud practitioners certification. As it does not look like it covers how to configure and use services such as security groups, alb's, ec2 instance and databases and such. Which is something you will need to learn for the AWS cloud practitioners certification.

gotcha - are there any resources you'd recommend then?

yep if you look on UDEMY for either Neal Davies or Stephane Maarek I can highly recommend them. As I have used them to pass all my AWS certifications @solid star

Thank you so much!

not a problem

Did you use them in conjunction or did you do 1 course from Davies for X cert and 1 course from Maarek for Y cert etc

for the cloud practitioner and solutions architect I used both of them. But just used Neal Davies when I done my AWS security specialist certification

do you think that you needed both for the cloud practitioner? or was one fine

either of them would get you through the certification. It's just when I study. I personally prefer to use different instructors. As sometimes you find they one will teach things in a different way and you might pick things up you missed or didn't understand with the other instructor

i see, that makes sense

Thanks dude I really appreciate the help

not a problem 🙂

'

Hello everyone, I currently work as an IT Support Analyst and am applying for roles in cybersecurity (SOC analyst, risk analyst, cybersecurity analyst, etc.) however as I submit these applications I find that no one is calling me back. I have my security+ and actively working for my network+ and Pentest+ but do not know if I’m taking the right path? I’m active on tryhackme and also have a BS in CS but I’m at a loss 🥲 do y’all have any advice on how I can get results or if the certification route is a waste of time? Thanks!

If you aren't getting call backs, it's likely something on your resume is not letting it get past the HR filter

You can post screenshots of your redacted resume and there are multiple experienced people who will likely take a look and give feedback

Thanks @flat sedge!

Gave +1 Rep to @flat sedge

Here is my resume, thanks for the help everyone 😄

When you apply for a role, you ought to revisit every bullet point and map that job function to support security in some way, preferably as close to what that security role does as is possible without being dishonest

You mention compliance, but don't specify any frameworks or what controls were satisfied as part of that tasking

In my role, we are usually tasked with remediating issues and don’t use frameworks, we’re told how to fix the issue with the user if the machine is out of compliance with company policies then we send it to the designated team for them to freeze the laptop. I’m not sure how I can make that more revenant to the positions I’m applying to. I’ll definitely keep that in mind as I revise it

if it's compliance, it has to adhere to something; if you don't know the framework that's fine, but try to specify what the control is and how what you did enforced compliance to it

Will do, thanks for the tip! I’ll definitely work through this tomorrow 😁

Gave +1 Rep to @flat sedge

I think this has been mentioned before in here, but I don't think the dates are necessary?

i’d get rid of your spoken languages

unless you can communicate with natives they likely don’t care

The AWS Cloud Practitioner's exam is rudimentary knowledge about the platform, intended primarily as an introduction for techies, managers and sales people. There's not much real technical knowledge required. You're better off going for the Solutions Architect Associate

Yeah i'm inexperienced with AWS, i think i'll try to bang out the CCP in a week or so and then move on to the Solutions Architect Associate

Anyone here ever have to take a polygraph as part of a job interview or for clearance? I am curious what that experience is like.

yes, a few of us have. I had one after I had the job. Honestly it wasn't bad. They put you in a chair, put the connections on you and just ask questions. You just have to be honest.

It depends who you're doing a poly for from my understanding

Have not taken on personally

the other thing to remember is that polygraphs are little better than a coin flip at determining the truth. So don't let it stress you out

Also, there are different types of polygraphs

CI and Lifestyle and full-scope

pretty much

but for certain clearances, they still want them. My poly took a little over an hour, I know other people have said theirs were much much longer.

Yeah, my roommates was 8

A lot of government positions require it

Don't ask

That can get you kicked, afaik

Don't ask about the questions?

Correct

Gotcha

Hello, everyone! I've just moved to the Washington D.C. area and I'm trying to break into cyber. Is there someone around the area willing to have a chat? Since I am new here, it has been hard to find jobs and connect to people. I've got a few certs and some work experience.
Please reach out to me, even for a virtual coffee. I love connecting with new people!

This is my LinkedIn, by the way:
https://www.linkedin.com/in/aka

Btw, I just reached top 5% on tryhackme 🙂

If you have certifications and previous work experience, there may be an issue with how you're presenting it on your resume. You can redact it, post it here, and then people can review it.

i have never known anyone with SC or DV to get polygraphed and it was never mentioned as a possibility in any documents pertaining to SC for me 🤔

I would use meetup.com to find local tech groups and talk to people 😄

there are a ton of local groups in the DC area as well as con. Watch for Shmoocon, tickets sell out fast but get on their mailing list. Look at Meetup.com. Attend Bsides, there is both Bsides DC and Baltimore. I am no longer in the DC area but was there for many years

Hey everyone! Im currently seeking IT employment opportunities in the Hoover/Birmingham AL area. Self-studied, have Sec+, set up homelab to develop skills and learn tools. If anyone knows of any opportunities to get my foot in the door or advice let me know. If you'd like to connect on LinkedIn : https://www.linkedin.com/in/john-welsh-098108265/

People prefer pictures, so we don't download files.

And am I right assuming that's your name in the filename?

Indeed

But all that info provided here is also on linkedin

so no threats whatsoever

How's that?

so, I'm not sure where to start. The bolding and unbolding is annoying and makes it harder to read. Like in languages, you bold C++, Python but not the rest. If you don't feel confident in the rest of the languages, why include them.

Education, you mention Google Developer Student Club, but then mention it again under Leadership experience. I would break out your actual work experience and possibly create a section called "Extracurricular activities" and put the Google Developer Student club there. Also, I know you are trying to hit keywords but if I read someone is studying for 3 certs, I basically assume that is aspirational and they aren't really studying for them.

You have a Skills & Certifications section without any certifications. Your skills section is a bit of a mess. You are trying to group them but you aren't really. You have Malware analysis and Reverse engineering section, why not combine them? Also FireEye FLARE is just a Windows VM with a bunch of tools added to it, that isn't really a skill. Similar with Penetration Testing, Kali Linux is a Linux OS with various tools. That isn't saying much by listing it. Wireshark really isn't Penetration testing. I would really look at your skill section, get rid of some of the annoying bolding, make it more concise and more logical groupings.

Git rid of prepparing for

If someone asks about your interests, bring it up otherwise it doesn't belong on your resume tbh

same with the GPA, especially when you already have experience

Like @pseudo creek said as well, I question if you have any of these skills because theyre all over the place.

I assume you have programming projects from your time (this would be a place to include them)

but I wonder about your whole pentesting section, especially without any certifications in pentesting

Without the OSCP, whether people like it or not anything you have resume why on pentesting falls flat

CeH has a lot of recognition too despite it's bad reputation but it at least also would back up some pentesting skill sets (which you would elaborate under the certification(s) if you had them)

What are you trying to go for and start focusing your resume in a more narrow perpsective

initially you look like a developer guy which is fine

maybe you wanna be a cloud dev guy which is also fine

than drop the pentesting stuff and strengthing up your cloud skills in your skills section

If you have used these pentesting tools during your internship, put them there

Organize your experience & achievements by date too

so we have a chronological stream of events going from most recent to oldest

I see

Alright so how do I set up my ethical hacking section if I don't have any certs?

Also that bolding and unbolding is kind of an emphasis, that does not mean I'm bad at the unbolded ones but to make a point that I'm exceptionally better at the bolded ones if that makes sense

Maybe bulk up your IT security job if you used those tools

I'm still a 3rd year undergrad and it was already hard to get a shot in BHIS

Pentesting is not a beginner friendly environment, without the OSCP or CeH (again despite its bad reptuation) pentesting really doesn't add much into your resume

Get work experience related to security

if someone is asking about personal projects, or anything about that then feel free to mention it

but honestly until you have the OSCP you might as well have zero pentesting knowledge

unless you have a job doing security work

Alright, so what if I mention some tools as projects like an anti-virus, a network mapper and a honeypot emulator

Projects are good

Hard disagree on this

I mean does that make my pentesting section a bit better?

Not really

That's fine, but its the case for 99% of people

Hmmm

I wouldn't say someone has zero pentesting knowledge without the OSCP

I didn't say that

I said as far as a resume goes, they might as well have zero knowledge

i;e from an employeer perspective they don't care without the OSCP by enlarge

unless maybe you have a degree

Alright

That still is something that is debatable

I wouldn't say you need OSCP to get a pentesting job, but its way easier to get one with it

I agree

So I might have to get a job in software dev sec to earn more than what I will in a starter cybersec job and save up or maybe make the company back me up on OSCP

How does that sound?

I would say though, right now @onyx brook would need the OSCP to have any reason to put pentesting on his resume

unless he already has other security based work

This I can agree with

yes

A job is always better than no job

True

job -> certs

is fact

Does it do good if I keep Rev and Malware analysis on the resume?

In your case I would almost say get Sec+, maybe get like SPLUNK certification and if you like cloud deving start looking over there

Did you do this at your IT security job?

Yes actually

Put it in there

Not the malware analysis though

But I did rev

than theres your answer

Aight

if you want to focus on security

bulster up that section

with more details on what you did

as a general rule of thumb

the largest portions of your resume should be the most relevant or the most important

I would maybe elaborate a little more on EzyLabs

but Black Hills InfoSec above Google dev club

and bulster it up

That internship should scream on your resume

"I got to get inside a real infosec enviorment and these all the things i got exposed to"

Aight, should I cut short the Google Developer Student Club or just make a section out of it?

I think it's good right now

if your InfoSec part gets too big than we revist it

And how about the bolding/unbolding?

I only got BHIS

Bold categories

unbold parts of categories

keep it consistant

That too was a dev role on the face of it atleast

Aight

If your BHIS part gets too big

is what im talking about

I can make it bigger, as big as Google Dev Club one

just make it the same size if it's equally valuable

Alright

Does CTFs count as project?

Hobbies

Hmm any section I should add or reduct?

focus on that part first

as I said remove the "preparing for", and the GPA

Done

How old are you

20

Okay cool so

when youre getting to the work force

no one cares about anything besides

what qualifications do you have

are you difficult to work with

and most importantly, are you experienced in what youre applying to

I see, I do well leading teams I'd say

I mean difficult to work with is for people to tell

I've seen people put, Tennis, Black Belts, MMA or other stuff on resumes before while apply to like IT help desk

youre kinda doing the IT equivalent with your stuff

I got your point

But I should keep the JLPT cert there right?

If im a recruiting I initially think;
You're a student
You're trying to get into... hacking and networking

who is actually a developer

who also does database and cloud

Yeah something like that

yes keep your language in there

I'm actually about to get a officially revognized Microsoft cert on cloud too

Being duel lingo is huge

DP420

Same thing

duel than duel again

only if you win ofc

My initial question is "if you wanna be into infosec security, why werent you in the CTF club or something"

I'm a beginner at German so I should refrain putting that on my cv right?

are you fluent?

I have to think before speaking each word

Like half a second gap

If you go to a gas station

can you ask where stuff is

and get through paying

Yes I suppose

than sure

Alright if that's the bar then I got Spanish too

If you wanna mold your resume

keep doing dev stuff

start doing cloud stuff

and get into little bits of security

like security+

that’s not the bar for a resume though

Hmm I'm already into intermediate stage with Stack Buffer Ovs, Advanced Rev and ROP

if a client called you asking for help with their computer, can you understand them and speak to them with all the technical jargon in that language

That's just wrong

maybe if you're applying to be a translator

Now that I can do with Spanish but German? Nah

He's just featuring that he can speak languages

He probably can't do that in Japanese either

if you list a language it’s expected you can use that language for whatever role you’re applying for

Only if you're applying for a language based role

Nope I can do that in Japanese

It was the worst part of the exam

You can explain developer concepts in japanese

in a fluent manor?

Yes

And I boast about that with utmost cockiness

Okay well thats impressive

but id still include german if you can walk around in a city

even without technical jargon

Alright gotcha time to patch it up

Not like youre going for a translator position anyways

I got the point

but yeah you look like a yellow teamer if you get some security under your belt

and cloud is only getting bigger

Do yellow teamers get paid good?

Yes

And you need more than you need in hackers

Wut

What is yellow team? Is that actually a thing?

I mean I don't really like building even though I'm good at it

But I shall expand on the breaking side slowly as I earn

white team

which is basically the overseers of red teaming vs blue teaming engagements

What part do you like

This is for actors in the cyber space

We have a whole rainbow chart now

This channel doesn't seem to allow links

I'll DM it lol

I like the logic building

Not the software building

What is "logic building"

Making logic to make stuff work and not do the connecting development such as gui building or connecting backend to a framework and stuff

For example I'd love to make a script for traversing networks since it's all a graph but making it into a software?

Nah

Sounds like yellow team to me, architect is counted in that

How your SaaS/PaaS/IaaS work together is part of yellow team

That's falls more into engineering than developing

yellow team is not an adopted standard, I mean I've seen one website reference it. The entire story should be that there are cyber jobs outside of blue/red team. I've worked outside of red/blue team almost my entire cyber career

In all honesty, I think that almost anyone using color designations for a security team outside of ops are just parroting marketing nonsense and don't understand

thats a good way to put it

but also some people seem to think there is only red team and everything else is blue team

Hats are white or black
Teams are red or blue

Would you agree? ^

Oh and redhat deserves an honourable mention.
A redhat hacker is someone who's good with RHEL

Possibly even a hacker who works for Red Hat in some capacity 🙂 I know there were at least 3 RH employees at DefCon 🙂

@vestal egret Suspect that might have been the wrong chat window for that pastem deleted it to be safe

for what

I would consider a list like this to be marketing nonsense, even if there is some truth to it. In terms of hat color, I think there are really only two colors, white hat and black hat. And which one depends on whether the hacker is acting ethically and morally within the bounds of the law.

That sounds kind of like bullshit, but either one is ethical or one is not. Some gray areas exist, but they are way less common and much more niche than media likes to portray

red team = ~5% of cyber positions
blue team = ~15% of cyber positions
rest of cyber = neither red nor blue team

those numbers may eve be high

Isn't GRC one of the most populous areas of cyber? An org may not be able to afford a 24/7 SOC but they will damn well afford at least 1 compliance analyst

Humans like to categorize things into boxes; it's part of the pattern recognition hard wiring in our brains. My point is to go beyond the easy categorization and encourage those paying attention to think about what the context is before making a decision of what 'box' an activity belongs in

It is but I was thinking all those MSPs that are just monitoring, within an org, they would have their own breakdown

Also true; contracting all that out seems like a bad idea to me, but that's why I'm not a business monster

like our org is more like 1% red team, 5% blue team, then everything else

Which roles might come in the “everything else” ? I started recently & have been learning about blue and red team only (red: offensive & blue: defensive from what I’ve learned)

GRC, Security Engineering, Security Architecting, Network Security, IoT Security, OS Security, Vulnerability management, etc, etc. Generally Blue is defensive but also generally associated with detections such as you would see in a SOC. DFIR is usually considered blue team too

It's very rare that a role is purely one team or the other, and there's a lot of crossover of skills and activities. Red and blue teams ought to be security operations for threat emulation and protection, respectively. Everything else would be all the supporting business functions, such as GRC, vuln management, remediation management, change management processes, authentication/authorization access controls. And I'm sure I'm missing many other functions and roles that don't fall neatly into a bucket.

Initial triage rolls up to the SOC in a world that makes sense, as they have access to all the monitoring tools