#cyber-and-careers
And to be truthful, recruiters won't care too much about "showing the positive things related to CEH" because their business and partners ask for certain certifications. If you don't have it, you won't be considered, and if they go against their business, often other recruiters will be asked / tasked with finding 'the right candidate'.
CEH and CISSP fulfill very different niches within cybersecurity. IMO CEH is considerably worse than Pentest+ or PNPT... it sees fulfillment because hiring managers and HR don't know that there are better alternatives. Because when they were sitting for it, there were no alternatives
it basically seems like HR is 10 years or so behind the times
"US" resumes and resumes from people I've worked with and resumes I've seen from people around me are soooo vastly different. We put so much more text on paper on what we've done, what decisions we've made etc. Also we use photos, LinkedIn and other personal information on there (which you want to hide when sharing here).
It's getting better. I wouldn't really consider OWASP Top 10 a framework though. Consider looking at NIST CF and walking through all the requirements, starting with the domain you are most familiar with. Similarly, I don't consider ATT&CK a framework so much as a methodology of analysis.
I don't see how a multiple-choice cert could be better than a 100% practical one with reporting. I see those jobs just asking for CEH and I get pretty sad tbh.
Should I just remove the framework line altogether?
If you don't know frameworks, I would recommend it.
I am not disagreeing with you, but I am just talking in the POV from a recruiter / business side of things.
I couldn't have worded it better than how Juun worded it.
Similarly, the Top 10 is the most common application vulnerabilities. It's not what any GRC or Operational Security team would regard as a framework.
Got it, was told by a QA guy to put both of those as frameworks
"EC Council scandals" is a good place to start to why EC Council as a whole is not well regarded; the CEH content itself, I have been informed, is very out of date and isn't really reflective of what pentesting ought to be
I am a QA guy and I do not consider them frameworks, FWIW
interesting, okay. Good to know
I was also told by someone else just now to remove dirbuster and HTML/CSS
I know I didn't say that because it seems to me to be an impossible market to enter considering that CEH, besides being expensive, doesn't deliver good content.
A framework is a set of requirements that have to be fulfilled; could be policy, could be technical, could be administrative. ATT&CK is more like a huge flowchart to determine the TTPs that an APT is currently using against your org. The Top 10 are the most common vulnerabilities seen in the wild, and while you could implement a set of controls based on them, no one says "OWASP 2022 compliant" as a selling point.
CIS Benchmarks is a good place to start.
I would recommend starting with PCI-DSS. While it's not a "great" framework and there are lots of weird things, it's relatively accessible and well organized.
Only list relevant skills for something you're applying for. So I agree with removing HTML/CSS. Arguably HTML could stay there, but it's not considered business value.
Once you think you have a handle on PCI, NIST CF and the NIST SP 800-53 docs are also really good to know
Got it. Any tools I can’t think of that I should add?
but I'm from the US, so NIST is pretty much the defacto standard for lots of things here
I don't know what tools you know
Don't add stuff you're not (too) familiar with. If it's not on there you will not get questions about it.
of course I’ll only add them if I have experience with the tool, just curious if there are any big ones I should know that I haven’t listed, as well as tools I should probably learn to use
If you add something and they deem you having no or little knowledge about a tool.. you're no longer considered.
Agree with that. If you can't speak extemporaneously about the item for at least 5 minutes, don't put it on the resume.
I don't see it as a good investment to pay about $1800 when the thing doesn't show me good content, and if I'd pay for an expensive one I should just go to OSCP, since I guess it has way, way better market share and it's a real thing.
and that my good sir, is why I have not added SQL yet lol
Anything I should dive deeper into, or back out of in my CV that you can tell?
SQL is really easy; I would suggest relational algebra first, then apply that to a database like postgres or maria
yeah, at this point I only understand basic SQLi type strings, after my PNPT I plan to build a homelab using SQL to gain a better understanding
Which job type could I get with Security+? SOC things?
I don't think you need to get certifications and it highly depends on what you're trying to get into. Getting into a SOC analyst role is "easier" than a pen test role.
If you're starting out and have no formal education in IT, try a helpdesk role and talk about certifications.
The thing is, if a 1800 dollar certification gets you a job paying x dollars per month and a 1000 dollar cert does not get you a job, I'd say the 1800 dollars is a good investment.
How was your python client/server a security tool? was it a C2? Was it something else? Saying it's a server doesn't mean anything. For your mock reports, how did you evaluate likelihood? Quantitatively or qualitatively? Did you assess the CVSS scores for the vulnerability from a single source or multiple? Did you discuss why you agree or disagree with the severity?
"Dissected" is not a word anyone associates with architectural blueprints of any kind. "Decomposed" has a specific meaning in the documentation world, and is probably more appropriate. Know what it means in this context before using it though.
With some things, unfortunately you need to set your own "ego" aside. Ego isn't the right word but I hope you get what I mean
If someone had OSCP and no experience nor other certs, I wouldn't hire them for pentest. I might not even hire them for helpdesk; pentest is very risky and I wouldn't expect someone with just that to understand risk enough to not stray from the engagement scope.
Understanding when not to break stuff is way more important from the business perspective than being capable of breaking stuff.
I agree with you here, but again. Talking from a hiring manager POV
I know, and tbh I was thinking of getting another IT career to "make money" and then just go forward on OSCP.
CEH would probably land me a job, but not a job where I could pay off the CEH in a year of working.
If you can afford it, I recommend taking a year or two and getting an associates in some IT discipline.
Try to find an entry level job where your company wants to invest in you getting certificates.
Often, vocational and junior colleges take cues on curriculum from industry, and many local employers will look very favorably on those graduates
Because they told the college what's important to them, and they know exactly what to expect with a new hire with that degree.
Alternatively, getting an AD is a good option like Juun mentions. It also shows that you have at least a certain academic level (which is communication + writing).
The big value in security is being able to write and communicate. All the technical skill and knowledge is useless if you are unable to effectively explain why a thing you saw is bad and needs to be changed
I will dive deeper into these points
Thank you!
A homelab can also be just a VM; I'd recommend setting one or two up asap and using them often to build familiarity in the environment.
If you're on Windows, you can get pre-made Hyper-V images.
I’ve done that already, I just need to experiment with SQL specifically
it’s an area I lack in
Seriously, do the math first.
You said in Algebra?
If you just jump into SQL you will miss a lot of optimization type stuff with how to build and run queries
Relational Algebra.
Do you have any recommended starting points? Resources or stepping stones?
It's a specific thing within set theory
Relational Algebra is the branch of mathematics that all RDB engines are based on. Wikipedia is a great place to start
Sounds good. Thank you so much for your help!
CPTS also has a free retake. Neither PNPT nor CPTS holds a lot of HR value. CPTS is the more difficult cert.
Which one do you recommend? I tried to find some and all are 3+ years.
That sounds like a Bachelors Degree.
An associate's degree is typically vocational training (or prep for a Bachelors) and is provided by a junior, vocational or community college.
An associates degree should be a 2 year program, at least everywhere I've heard of in the US
I found a Data Science one but it's 2.5 years.
Don't know if Brazil has some type of associate's degree.
Definitely enjoying the CPTS course. Don't forget to submit 'a' report or no repeat 😛
True 😄
I’m nearly finished with the path, but going over it again to take proper notes this time
But can’t really focus on it now, 5 sans courses offered by work came up instead
So took that opportunity immediately
I'm about 70% through the path, looking forward to the exam as well
Not sure if this is the channel to talk about it
Yoink on those! CPTS will be there after. It's basically a 20 day exam with a two week study break in the middle
Yup, I hang out in HTB chat quite a bit
Try to help in modules so the content stays somewhat fresh
Do you mind if we switch to #general to talk about the exam format? 👀 I thought it was a one week exam? Must've mixed up my info
It’s 10 days
Yep I keep an eye on that channel over there and help out when I can
Oh that's very nice
You need to get 12 out of the 14 flags within that time and write your report
But most people need the retake
Seems achievable
Hence why he says it’s a 20 day exam with a two week study break
Just came across this.
Perhaps this is interesting to post here.
https://www.linkedin.com/posts/gothamjsharma_accesscyber-10000-cybersecurity-jobs-report-activity-7112495801959870464-0xdV
Yup
Quite a few have said it's tougher than OSCP but the course gives you all the info you need, keep plugging away
I'm taking it slowly, not in a rush or anything. Just something that seems fun to do down the line
I was all set to get some study in today but my laptop decided to have a fit while patching so I've spent most of the day troubleshooting and reinstalling instead. Now freshly reinstalled, that same patch did not cause any problems 
Ouch. The joys of troubleshooting
Ah well, all set for more fun tomorrow 
Anyone who is an Aspie let me know. We have a Bug Whisperer group for collaborations.
i would think 99% of people here are haha
can cert chasing negatively impact someone when looking for jobs
like getting 3 certs within 6 months or something like that
I'd say yes.
If you're going for multiple certs at a time, I'd think you're just firing through the certs to look good, without retaining the knowledge learned from each cert.
Definitely. Chasing multiple entry-level certs can be seen as "desperate" by recruiters. Immediately raising suspicion.
If you're doing multiple certs, ranging in difficulty, and you don't have the work experience to back it up that's also not too great.
gatekeeping personal improvement like that just astounds me
especially when it should be easy to find out if the person retained anything during an interview
Jesus can't even strive to get as much education as possible
Without raising suspicion
Exactly you try to see if someone is full of shit in an interview not during selection. Not all of us are in a position to gain experience for an entry level position
literally, I cannot comprehend that attitude
I saw someone on htb discord say 'getting a master's degree straight after your bachelors can hurt your career chances'
Like bro wtf
It can?
It can make you over qualified for some graduate positions.
Masters are for Supervisor type positions.
Yeah, there is some truth to that
the US is completely backwards it seems
Depends on the country I guess but generally yes, if you have no exp and get a masters it can be harder to get hired unless you have connections
This is not in the US only. There's 'dangers' for putting overly qualified people in place (unless you can explain why you don't think that's the case for you)
I know this is also broadly in Europe a thing.
I feel like the only valid reason I can think of is that they will plan to leave a position as soon as they are offered a higher position
Others are, from what I have heard:
- Companies are afraid that people will get bored because they are overqualified
- Companies are afraid people will be or get lazy
There's also some communicational fears, especially between someone who is overqualified and their 'superior'.
ah, that does make sense
I volunteer with a local security organization (almost like a local defcon) working with their website specifically, should I add that to my resume in any way?
Yes IMO
Not under experience maybe but under like a "volunteering" or projects section
is an employer that worries about someone getting bored actually just not providing their employees with growth pathways? This sounds like it would be the biggest problem in small companies under 100 employees.
that's the other thing that's been super annoying. There's no clear pathway to some of these roles, job requirements list certifications of varying levels as all equivalent weight, some of the requirements don't prepare you for the actual job responsibilities etc...
the only way to know is to just apply for a job and ask the recruiter directly, maybe reach out to hiring team or recruiter on linkedin and chat with them directly to really know
not to mention the competition for these roles. Even helpdesks have had thousands of applicants
Someone told me yesterday that I can buy one month of Platinum (HTB) and 1 month of Gold to unlock the full pentester path.
Can someone help me with that? The total cost of the full path is 1960 and if I buy both (Platinum 1 month, Gold 1 month) I'll have 1500.
that's crazy to me. on one hand, help desk positions tend to need more staff, but the company never budgets enough for it. At one point 5 people quit where I work right now, and then we had a hiring freeze on top of that... "can't afford to hire" ??? we just had 5 people leave within a year, and all that work is solely on me, and my salary didn't change....so where did all the money go???
uh do you know who told you that? try pinging them?
Don't look at the numbers on LinkedIn. There's a lot of people applying from outside of the USA, hoping to get a job there.
don't be discouraged from applying because there are so many applicants either; remember, if you don't apply, you have 0% chance
true
Not enough growth pathways is a huge issue in a lot of smaller and medium sized companies.
This is what I always do
@worldly whale Sorry to ping can you help me with that?
You get cubes back for completing modules
Ok ty, when I buy it with cubes can I see it for lifetime or just a year too?
With cubes you have it forever
If you get yearly sub you only have it forever if you complete it
this isn’t necessarily the right channel for that
I'll see the book content of CPTS and PNPT and pick one to get.
Yeah it started with cpts cert, hence the discussion about the modules there, which are a necessity to take the exam 😅
ah, okay
PNPT is a good cert
I recommend to just ask in HTB server if you have other questions @wicked oxide
CPTS is more difficult than PNPT.
Yeah I guess it’s coming up a bit more, but still nothing compared to oscp I guess
If you're using it to land a job, check the one mostly asked in job listings.
A lot of college students go into college around 18 and come out 5/6 years later with a Bachelors & Masters. It's absolutely normal for those people to want to do a starter role for the first year but to quickly progress. They're not starting in senior roles but they are the ones being plucked by larger organisations and put on a career path. They'll usually be aiming for the likes of PwC, EY, Boeing, Booz Allen or Lockheed or Raytheon etc.
Graduate positions are mostly for allowing both the recently qualified and a potential employer to get on the same page and see if they suit each other. During a graduate year you'll most likely be doing small projects and contributing to larger ones, shadowing full-timers/seniors, learning how to follow processes, maintain systems/documentation, how to follow project planning and communicate with other departments to fulfill projects, breaking lots of things in dev/testing and eating lots of free pizza etc...
neither have OSCP weight
tbh in Brazil none of them has market share
It's like 0
Correct 👍🏼 I'd say CPTS better prepares you for it though, it's the more advanced cert of the 2. Those who took OSCP after CPTS, or the other way around, all said OSCP was easier compared to it.
I’ve heard the same about PNPT tbf
Contact companies that are in the field, connect with recruiters on LinkedIn in your area. Check what alternative pathways they see in terms of certificates etc instead of only OSCP.
I've heard PNPT helps with the AD section
but I’ve also heard OSCP is pretty gimmicky though
less realistic, more of a CTF type of test and less of a pentest
I've heard OSCP was just a matter of finding versions, googling the CVE, adjusting the payload and running it
I haven’t taken it, just word of mouth btw so take my word with a grain of salt
And I've heard people say the AD for 40 points was doable with cme only lol
You're likely better off networking, IRL and online, than to get a certificate that's not recognized in the business
Try to see if there are Meetup groups that host events
There are multiple AD environments so not really
?
They ask too much for CEH
Exam environments for OSCP change each time you’d take the exam
Same goes for the AD section
That’s true
So even if one person could use cme to exploit it, others would have different exploits etc
OSCP is the most widely known pentesting cert by far, to the point someone with CPTS and OSEP couldn't get a job because they didn't have the OSCP. I've spoken to potential employers at BSides and recruitment fairs who want to see that OSCP cert but also want you to be able to discuss the tech and workflow, want to see your dedication on platforms like THM/HTB etc. And I've spoken to hackers who just want to know the cool stuff you're doing, the actual, hands-on work
I mean, you do you. But if CEH is the "standard" certification in your area and gets you a job quickest then that's not a bad path to take, despite the certification having less weight internationally.
The thing with OSCP is that some clients of pentesting companies require OSCP (or CEH sometimes lmao)
OSCP is widely recognised because everyone in the industry has accepted it as the beginner's standard you have to reach. All these other pentesting certs still have to prove themselves to the hackers running pentesting outfits.
Also; back then the people starting out only had OSCP, so that's all they know. Those are the people that are now the hiring managers and team leads.
I'll try to cover other IT areas and do some security certs in that time. Like, I have a solid job that I can keep for years rn, so I don't have to rush it like crazy; I can do some "cheaper" certs and get knowledge, and when I have the money I'll go for OSCP.
OSCP with other certs will probably land me a job, I think.
I think this is the biggest factor tbh
Not just getting an interview
even if they're "cheaper" or less known
Here there are some companies that require CEH
But at the same time there are a lot of companies that just want to see that you have a cert
In the field
OSCP used to be the affordable cert because nobody could realistically afford SANS courses without an invested employer or significant loan debt. In recent years, because of the volume of newcomers, Offsec have had to up their price to deal with the volumes of potential students and it's become a highly profitable venture as a result. The other certs that have been coming on the market in recent years, like CPTS, PNPT, CRTO, CRTE, CRTP, etc are doing a service to OffSec by reducing their applicant volume slightly but most of us going for those certs will likely also have to take the OSCP at some point
I have no problem getting OSCP eventually, just no way in hell I can afford it OOP
I mean, that's 'standard' capitalism.
- Business creates a demand
- Demand becomes high due to a requirement
- Demand exceeds supply
- Increase prices
- Because it's a business requirement it will be sold to plenty of vendors and individuals, so it sells itself
Yeah I know what you mean. When I'm back actually working, I'll hammer it out in a few months I expect, even if I have to pay for it myself
yeah. my issue is not having a high paying job, being married, about to have a kid, paying for an almost 2k dollar cert is out of the question
Absolutely, it's a recognised benchmark now. All these other certs are looking for traction in that industry and there is 'some' movement on it but clearly not enough because it's a badge of honour
Yeah I hear that. It's hard to change careers when everything else is changing around you. As long as you're not also moving house on top of that you'll be alright for a while!
Almost the same as me, that's the reason I want to start with CPTS, PNPT or even eJPT if that lands me something.
I don’t see the reasoning though why one wouldn’t rather hire a junior and then just have them take OSCP than just outright hiring OSCP
hehehe, I move in December lol
It’s because there’s so many OSCP’s right now that it’s just easier and cheaper lmao
you can pay a junior way less and they’ll be thankful
Lots of companies don't want to pay upfront for a notoriously challenging training facility. They want you to pay for it with a promise they'll pay you back or preferably make that a prerequisite of the job
Because there's a risk of someone not passing the OSCP, might still take months for that person to have the 'required' level.
if I had a guaranteed job after paying OOP for it, I’d make the investment, but I can get the cert and still struggle to find a job
Although I’ve seen some offers with the requirement of “Willing to pass OSCP in the near future”
Ain’t it cheaper to have them take a lower salary then have them take OSCP
That’s what technical interviews are for
And there's also people who join a company to get a certificate and leave immediately after because they can get better salary and conditions elsewhere.
They don't want juniors on pentesting teams who don't know how to do a pentest and submit a report. OSCP is a recognised minimum standard in a lot of cases
Depends, some time ago with OSCP and soooome experience in other branches you could apply to mid-level positions and now it’s pretty much treated as an entry point for juniors
yeah, that makes sense. But people like me learn hands on. I’d learn much more sitting with someone for a week to a month, then years of schooling
That’s what bonds are for
I’m hoping PNPT gains traction since I’ve paid for the voucher already lol
and frankly, its an employee’s right to find better compensation if their company doesn’t match the market
It’s expensive for the company, because whenever they have interns or juniors the mid/senior has to take their time and introduce the new hacker into the projects
Usually companies make a contract requiring you to stay with them, otherwise you get the bill as you leave
But the learning experience for pentesting is a solo journey. It's challenging. There's no hand holding, except the training manual and the target machines who'll only give up the goods when you're good enough to take them
I’ll take 37k a year and work as a junior if anyone wants 😂
But that still costs the company more money because they need to restart the hiring process.
Hiring process is EXTREMELY expensive
yeah, that’s the thing, so I’m hoping that the PNPT can prove the self learning
Then they should pay their employees their equivalent price
That was the salary for a junior SOC analyst in my town a few years ago. Now it's over 50k
since it’s much more affordable
I don’t mind not leaving a company if they properly compensate me
That'd be a mid/senior salary where I live lmao
For a software dev it often takes anywhere from 6 months to 1 year for someone to get "up to speed"
literally that is what I make now, if I can keep the same wage and get my foot in the door, I’m totally fine with that
You don't know how much effort some people put into prepping for their technical interviews, where they pretty much learn entire books front and back. Assessments are often used in that regard.
However, if you got 100 applications, you want to ask 10 people for an interview for the first round, and 10% has OSCP, then that's a fairly easy selection.
or even take a slight pay cut
I've done some of Heath's courses on YT and Udemy. They're high quality stuff and lots of people know his reputation these days
yep, I feel it’ll gain traction, more of a when
where I am that's not much more than a McDonald's employee
Do the SOC stuff on THM (I hear L2 isn't far off) and then keep pushing
btw does PNPT have more chance to get traction than CPTS?
unknown
No one knows, it depends on the business
we can only guess
Considering their clients include a bunch of TLAs, gov and large orgs, I'd say it won't be long
PNPT course is more my learning style, the HTB academy is hard with my adhd brain to stay focused and retain info
Which certs could land an easy thing in SOC? Sec+?
Again, check job postings. We can't speak for your area.
Considering that 31k a year is the average salary here ;p
USD?
EUR, so like 32k USD
here is 63k USD average salary lol
Ah, I wanna work for international clients so I can finally ditch my shit pay
HTB is widely recognised as a great learning and community environment. TCM is primarily learning/cert focused and got into the cert sphere a little bit sooner but it could go either way. There's now lots of people doing great things at the lower price niche, the sub $1k branch and it's turning out lots of good people. So that just means the bar will be raised at the next tier to maintain that barrier for entry
I mean but it won't cost me a kidney if I'd break my leg over here 😂
Sec+ is widely recognised for starters in cybersec but also OSCP and CISSP (for some reason frequently requested from juniors, even though it requires 5 years experience or 4 years and a degree)
I would say yes because HTB gatekeeps the cert behind the learning path, it simply cannot gain traction quickly because there's too few people with the cert to make any kind of difference
I'd say the HR doesn't really know what they're asking for
OR
The higher management for security has a different take
What I heard from a lot of recruiters and hiring managers so far is that they think that people should stop seeing cybersecurity as an entry field.
Cause usually, HR would ask the security head what they're looking for and they'll just slap in some certs they know without actually being that immersed in the field anymore (since they've been in a management role).
I wish you all the luck! Where I am from companies stopped off-shoring for the most part and either want to have more internal teams or near-shoring.
Well they're stuck between a rock and a hard place. How do you show that your cert isn't just a cash grab? Make people pass a continuous assessment to show you already know everything, because the aim is for you to treat the exam like a real pentest
I can't even get a helpdesk job because too much experience is wanted!
and if it doesn’t require experience, there are thousands of applicants
even locally I’m 1/500 applicants
It's nice to find start up consulting companies and their CEOs still delving into the world of cybersec so they keep it fresh
if you have the confidence and knowledge you can take any cert without completing its course 100%, including OSCP, PNPT, CRTO, etc.
There was a job posting on LinkedIn that was looking for people who had CPTS, CRTO, CRTP, and PNPT besides OSCP.
Yeah but that means your level is above those certs, right?
Majority of the applicants will be non-US.
But with the current economic recession, even if it's 'minor', a lot of companies have laid off personnel. So the supply (people applying) is higher than before. So companies get to make more choices in regard to new hires.
sure, but without a cert, no one will look at you
That is also somewhat true
HR are just people who take suggestions from the teams and also check with professional bodies to make sure the qualifications are legitimate. Cybersec doesn't have a licencing authority like in medicine or law or accounting, at least not yet so the industry kind of builds its own standards. Those are frequently CISSP, CISA, CISM, OSCP and Sec+ in general. CISSP because you need to maintain it to show your professionalism, the rest because they're recognised tests of your effort and abilities
making it almost impossible if you don’t have experience
Most of us in cybersec don't see it as an entry level field. That's why even on THM you're encouraged to learn a minimal standard of Linux, Windows, Networking and other skills as you go. Most cybersec professionals have lots of knowledge in various IT/software engineering roles and cybersec is the next progression. It's not an entry level field. You need to know how computers work deeply and in the real world
Making it definitely more difficult.
yep. job hunting right now is depressing
Agreed. I am a full-stack dev looking to transition into sec
Yes but if you have the knowledge, why are you taking a cert. OSCP demands that you buy the course, not that you complete it. OffSec advertises themselves as a training company, not an exam company
Yeah, I agree with this. The easiest way one could understand this is "How do you know how to secure something if you don't know how it works?"
Think I'll follow riboo's idea, will try to contact some recruiters to ask them about certs or something like that. I would have to plan it.
damn maybe I should put my assembly / MIPS knowledge on my resume if that's the case lmao
I mean there's plenty of people in the industry who collect certs and compare them and those are the types of people who can make a difference as to what their company looks for in candidates, if your cert is behind a path that takes 6 months to complete, there's no hope for traction
there's people like that who've said they'd hire someone with CPTS over OSCP, but that means nothing when there's like a 100 people with the cert
mhm
so many people have gone for PNPT and are going for it, so I feel it’ll help
TCM is a very credible organization as well
Exactly, although it's possible to learn how to hack a Windows or Linux machine and take advantage of it without knowing everything about it, you really should understand a good deal about it
Agreed. The learning path makes it hard to gain traction. In order to get traction it needs to be able to be taken at will.
No company is going to put a person forward to do a certificate that takes 6 months (unless it's like an MBA/Leadership thingy)
I'm honestly about to call the $300 I spent on eJPT a loss and move on to prepping for OSCP at this point lol, haven't seen a single employer mention eJPT
I should have done that research first, but I saw sooo many YouTube videos recommending eJPT I thought it would have been good to get employed
my initial plan was eJPT then PNPT or CPTS
Nah you only need either PNPT or CPTS
The cert is geared to be done on a full time basis over about 40-something days, or 6 weeks full time work, if you have the devotion. In the past, lots of people have said that someone knowledgeable in cybersec should be able to complete the OSCP course in about 45 days at 8 hours per day, or 90 days if you have a full time job doing about 5 hours per day. Obviously if you have other commitments it's going to take you longer. OSCP has plenty of traction because of what you have to go through to achieve it. It's not gate-keeping to have such a challenge. It's why things like the bar exam in NY or medical school are so challenging. If you can't reach that level, you probably shouldn't be doing the job
Yes, that just came to my mind and I was like "I will learn everything that is on eJPT in both of them, so why eJPT?"
but eJPT is growing slowly here in Brazil, I can see some jobs asking for it rn tbh
eJPT is almost useless if you plan to get a heavier cert right after
It can be great to show progress
For example in 2023 you’ve completed eJPT and then in 2024 you did OSCP
how many people exactly have the possibility to do certs full-time, I'm not saying it shouldn't be a challenge, I'm saying the exam shouldn't be inaccessible without 100%ing everything, let people fail and be humbled
CPTS has been on the market for a year at this stage. It's very challenging and they're still expanding but they are making progress in sales and speaking with plenty of companies and colleges etc. They'll get there
Looks good on your resume, because it shows the employee that you’re dedicated to the craft
And constantly learning
Eh, i wont pay $300 for “progress”
Because you can say the same with PNPT and CPTS
I think CPTS could be better for my personal situation because they let me pay for something like a Platinum plan, then take part of the course, buy Gold and do some more, and then buy just the voucher and try it
but it's like 386 (CPTS) to 399 (PNPT)
How do you become a recognised training body without demonstrating you're up to the standard? It's just their method and they have a video on YT about their reasoning. It's just their way of doing things
But that is just my rationale. I only see certs as tickets to get into better career or better at my work. If a cert doesn’t have any ROI, I won’t be taking it.
Seconded, the valuable part of the pentest is in the report. There's a lot of risk in pentest, having juniors who don't understand risk appetite can't be trusted to know where the line is
You can do the CPTS with one month Platinum, one month Gold and the voucher. I don't like their pricing structure. They like being 'gamified' but the whole coupon thing is a terrible practice. I think it's one of the big reasons PNPT is selling faster
I AGREE
IT'S SO WEIRD
Why is it like badges and cubes and whatnot
I initially thought eJPT would be worth it because it'd help me get a job, but that doesn't seem to be the case in my area.
it's definitely OSCP as a minimum. I'm hoping because of my documentation and training experience and 7+ years in IT and Help desk will mean something and I can get hired and do OSCP for the job after
anything other than OSCP or PNPT at this point for pentesting seems like a waste. all other prep materials are essentially free
I think in my personal case it's definitely about 1.5+ years, because I need to grow my network on LinkedIn, I need to get knowledge from a lot of CTFs on THM, HTB, VulnHub etc. I need to do a lot of things and study a lot, but basically I need a cert that will probably land me something
The badges are a standard on platforms like THM and HTB because it lets you see things you've achieved at a glance. The cubes thing is the stupidest concept borrowed from video game marketing. It really devalues the platform. If the training wasn't good I wouldn't have paid for it
I personally like to learn something and then put it into practice to fix it in my mind, I don't just like to learn all of a pathway and go on to another
Especially the module tiering
I would be expected to actually HAVE ALL THE MODULES for their highest tier
You have done CPTS course? Pentester pathway?
not buy it
eJPT is eLearnSecurity's attempt to get more new pentesters into the cert track ideology cos their eCPPT needs to compete with OSCP. They were gathering steam but INE seems to have bought them just to turn them into another cert stamper and still OSCP is running away with it
I would recommend sticking with THM and doing as much as you can on both walkthroughs and challenges. As you progress, add PicoCTF (it's built by Carnegie Mellon who win the world's biggest CTFs on a regular basis) and then choose your certification path.
https://www.youtube.com/watch?v=6vj96QetfTg
Presenter: David Brumley, CEO, ForAllSecure
Do you want to know how to build a top-ranked competitive hacking team? It's all about the system. In sports, we understand systems that coaches can use to build a system for identifying talent, recruiting them, training them up, and competing in big games. Learn our proven system for building an elit...
Yeah I think a monthly or annual fee like they have for every other part of their platform would be a much better deal
I'm in the middle of the pentester pathway and enjoying it but not ready to do the exam, maybe in another month
Yeah, heck I’d pay $40-60/mo for full access
You don’t even need the cert tbh, if you do the cpts path on academy and then buy oscp, you’ll be fine as well
I think it's certainly worth doing the training for CPTS or PNPT in prep for OSCP but you definitely need the skills and mentality more than the cert itself. That race never ends
There's a good Brazilian cert that provides some job offers, and they said it's a good starting point for OSCP methodology thinking, don't know if this is the right way to describe it
But they say this, and they have a lot of practical labs, and the last lab where you try for the cert is a practical thing too that you will have to do from scratch and report to the course team
I think it's almost the same price as PNPT (converting USD to BRL)
A little bit expensive to be honest, it's about $595
But that could land me a real thing here, a lot of employers ask for and accept it as a reference
Maybe one cert like that and one like OSCP could be a good CV, or not?
Someone told my boss I was trying to shift into Cyber Security, so now I’m training my replacement… As soon as he’s trained, I’m almost certainly being laid off, and I don’t have a job yet. Stressing tf out
you've just learned a lesson? I guess.
yeah I'm fine learning a lesson, even though I didn't tell anyone. It was my wife talking and someone overheard her
now that has the potential to screw over me, my wife, and our coming child
hopefully you can get severance? have you been there a while?
“expressed interest in leaving” can make me disqualified, as well as I’m under a year slightly
did anyone even have a talk with you about it? because sounds like they just assumed and took action...you might be able to file unemployment at the least
Is it legal in your state to this? I know there's some states where that's not allowed from reading Reddit.
it is. We are an At Will state, allowing employee or employer to end the job without notice
It's always worth checking your rights in this regard. And if you're laid off, any chance of severance / unemployment?
Oof :/
can try, but the law here is a year before you can claim
so, really hoping some jobs get back to me 😅
So take your time training that replacement :p
that’s my plan for now
but you don't have an interest in leaving, you're just studying something
you can't keep standing still on the same thing forever
Stay in an IT role at least 1 year. 2 years is better.
Reason is, first year is just learning how to do the job. 2nd year is finding all the edge cases that make the job tough. 3rd year is optimizing your workflow for efficiency.
If you don't stay 1 year in the role, you haven't really learned the role yet.
Someone overheard Derek.
I gotta get into an IT role first, that’s my struggle
they actually overheard my wife telling her mom at a local fair
A co-worker overheard that, right?
yeah
It was probably salvageable, but the fact your employer was relatively hostile, if I heard it correctly, made it worse
I assume. Probably could've gotten away with "doing self study and trying a new field as a hobby"
yeah, but when he confronted me I kinda froze and gave it away
I’m at fault for sure, I should’ve had a defense ready
How confrontational were they?
He went into the meeting planning to fire me on the spot
I was able to salvage my job for a bit by offering to train whoever he hired
yeah, so fingers crossed I hear back from something. If anyone hears of entry level openings, lmk
if it goes much longer I’m just going to have to give up on the industry for a bit
Not that I can help too much, unfortunately. But is relocation possible? Is there any larger consultancy firm around you offering traineeships in IT?
relocation is not an option for religious purposes (long story), Ive looked local, and worldwide remote
Worldwide remote entry level is veryyyy tough.
yeah, I’ve noticed that. 5k+ applications
just would rather take a shot at that with every other application I’ve sent in
Do you tailor your applications? Like a somewhat tailored CV and cover letter?
Yeah, usually
Cover letter 100% of the time
CV I change if the job I’m applying to changes
So, I always check if the job I am applying for is requesting for skills that are currently not included in my CV.
If I feel comfortable enough I make sure to add it specifically.
Cover letters are tailored, but lately with a little bit of help from regenerative AI
Guys, I live in Brazil and CompTIA has that emergent market price,
Is Brazil included in that emergent market?
I googled it and it says Brazil is one of them, but I don't know if CompTIA accepts this
Contact their support / sales I am sure they are happy to help you out
Are SANS practice tests just like the actual test?
They are similar to the actual exam yes
I think it's going to depend on the exam; mine felt quite a bit harder than the practice. I believe they say you should have an 81% on the practice exams before taking the real thing
Got it, I’m currently taking the GSEC and got 88 on the practice exam currently
Do you think it's valid for me to pay for a Platinum or Gold sub to start it and try for the cert in the future? I'm thinking about CPTS or PNPT but it's kinda hard to choose one
I'm looking at their material content to see if there is any plus to each one
but can't choose one
Can someone help me with one thing? I'm trying to figure out which one of the two some recruiters might accept, can I just DM them on LinkedIn asking, or is there something I should do first? (Honest question, never had this LinkedIn thing before)
You can just contact recruiters and chat with them.
You can also contact hiring managers/other people from companies in your area.
I added and messaged some people telling them I am looking to switch into the field of cyber and asked them if they could tell me a little bit about their job activities, what they liked about it and what not. And also about their employer, to see if it's a nice place to work at.
If they decide they're not interested they will let you know or they won't accept. Which does not hurt you at all.
Well HTB Academy has a load of free entry level courses. The Information Security Foundations path is seen as a prerequisite for the CPTS and their other certs as you need an understanding of Linux/Windows/Active Directory/bash etc. They also have a module called Learning Process, which is about learning how to focus and prioritise your learning journey.
TCM has a free 15 hour hacking course, two videos which teach you a good chunk of the PNPT basics. His classes are always interesting and he gives great advice
How much of PNPT streamed on Twitch?
linkedin is like the opposite of tinder for cybersecurity. throw some good experience on your profile, indicate you're looking for work and you just get spammed by recruiters
Make that any IT role.
I hear SWE has had it rough lately
as far as I know that's outdated by now, but the 15 hours on youtube are up-to-date
Depends on your experience and stack.
Was it not only last year?
a lot of the course has been updated since then
Junior (0-3): You're having it rough
Medior (3-5): Not as it used to be but still active.
Senior: you'll be spammed
Also; If you're junior Java you'll still receive more requests than when you're a Go developer or FE dev
Ah, I see.
meanwhile I haven’t gotten a single recruiter reach out to me
Better off to just go searching for the roles you like and apply directly in a lot of cases, though a recruiter is someone who often has a working relationship with an employer and if you get on good terms with one of them, it can be like having someone on the inside. Though you also have to understand that a lot of recruiters are just looking at job postings, the same way you are and have no professional relationship with the employer and are merely looking for a referral bonus when you pass your probation
specialize and you can usually skip the line
for me: reverse engineering and embedded systems is almost always in demand
Specializations are important, but some people specialize too quickly imo.
"T-shaped" > "I-Shaped" to put it in business terms
idk, all of the roles I've accepted were through recruiter outreach, the majority of my bad interviews were in roles I applied directly to, as if they didn't even want to do the interviews
not saying theres a direct correlation as the recruiters and the hiring managers and interviewers are obv different people, just my experience
maybe you should hook me up with your recruiter
A good recruiter cares about both parties, because if a person is for a longer time with a company they get paid more. Therefore it's important for them to also check culture fit etc.
Yeah that's fair, like I said, some recruiters have a working relationship with some employers and if they're referring you, they think they can get you into that job
market is a bit stingy atm, but fall is traditionally when security teams do a bunch of hiring. Maybe not this year due to budgets tightening, but maybe next year or sooner
well next year is going to be harder for me
I’ll have a newborn baby distracting me
as soon as budgets loosen a lot a bunch of teams are going to be looking to backfill those who left during this time
I've learned that fall and winter are tougher months because budgets are relatively "done".
In january there's often a lot of new hires due to budgets being released for the next calendar year.
fall is when i see most of my colleagues job hop for better pay
might depend on location though, i'm in the bay area in california
I'm Dutch, yeah ;D
Linux/Windows basics I already did on THM, but obviously I don't have a problem learning something new. I intend to try to learn bash and shell scripting on THM as well, since I already did Python basics and Python for pentesters, but I'll check all the free resources obviously, any kind of good knowledge is worth doing
Is it a good way to put the things that I've done on THM on my LinkedIn account?
Yeah it's good you're going through those resources but at least make sure you understand all those topics well
It's good to post the certificates on your profile feed but don't count them as qualifications. They act as indicators to employers that you're studying but don't necessarily confirm that you understand the topic
Where do I get my certs on THM?
You get certificates for completing the Learning Paths
for example I've completed Linux and Windows fundamentals, for those ones I don't get any, right?
Do certs from TryHackMe have value in the job market?
Not really
Anyone here willing to provide internships
If there were any they would be on #jobs-board
Does anyone have like a quick guide (10 mins or so) to the rough idea of security compliance regulations (SOX, SOC2, NIST, PCI, ISO)
I do not need to be an expert but a very rough guide like "generally they want to make sure you have an approval process for pull requests" would be handy 😄
Aren't each of those fairly different?
Like I understand there is overlap, but for example, NIST is tailored to US agencies and their needs while ISO is international in scope
NIST is also voluntary, compared to PCI which is mandatory (not by regulation, but by industry when dealing with PCI data)
You got time to jump into a voice channel? What you're asking doesn't align exactly with what you have listed
gonna be honest i read this in a job advert i am applying for and i do not really know these well at all
i am in bed sadly
Not exactly; PCI is not regulatory, PCI is industry specific. If you want to process or store PCI data, then PCI certification means that card companies will let you pay for the means to do so
Yeah, I could have worded it better. I'll fix it
Ok, I'll be around tomorrow. I think you have some faulty assumptions about what frameworks, compliance and regulatory requirements are
I think I should be available from 8PM GMT, ping me after that when you're ready to have the convo
Hi guys,
I know that Cybersecurity is a very big field. Are there any cybersecurity/infosecurity positions that:
-No night shift, No on-call duties (Heard most blue teams have this issue)
-No need to constantly deal with convincing Director/C-level people to enforce policy(Heard this is what GRC does? I'm not very good with talking to people especially with C-levels)
-No heavy coding(some minor scripting is fine)
-Preferably able to do it remotely after gaining a couple of years of experience
Please advise. Thanks
This all depends on the seniority of the position
Usually, the senior or head will do the convincing, not the junior
The junior just provides data and the senior validates it, then the head pushes it at the next meeting with directors
In my work as a security analyst, there is no heavy coding at all. Only light scripting from time to time
I'll provide my two cents:
- It's going to depend on the org. SOCs are typically shift work and the younger/newer positions are typically the ones that man the less desirable hours.
- Cybersecurity requires you to have soft skills and deal with people. Whether it's C-Level, your contract customer, your in-line boss and/or team lead, you're going to have to interact with them in a positive way in order to get things done.
- It's really going to depend on the position and/or org. You should be making things to make your job easier if the environment allows
- Again, going to depend on position and/or org. If you're doing government work, depending, you're likely not going to get much if any telework.
Agree with both responses, so far. My thought is that "heavy coding" is very different for different people; what I consider a fun hour of writing code, someone like Moose may start chewing tables and take a week or more to do. As far as GRC policy enforcement goes, that's a top down initiative and culture set by the leadership. If leadership doesn't care about enforcement, no one else will do it. If leadership does care about it, it's a cultural enforcement.
Tech writers, some DFIR, and compliance analyst roles are all mostly so-called "day shift", although depending on what the actual workload is that may be more like 8-6 instead of 9-5. That's pretty normal, and I have usually been willing to give an hour or two a day extra to ensure the work is timely and we didn't fall behind.
Not everyone can or is willing to do that, and that's also fine - my managers have always been really good about making sure I have comp time when I worked the extra hours.
sure, thanks!
Just got feedback from a junior (they listed 0 exp required) position with 3 years IT experience as a dev..
"not enough experience"
@dense dagger @stoic cave @flat sedge Thanks everyone for your valuable replies 🙏
Gave +1 Rep to @dense dagger
Let me get this straight.
He was head of cybersecurity for one of the biggest gaming companies, but he needs help finding a job?
Sounds a little fishy
Since you have not made many posts in our Discord, and your career post being quite an unusual request, I'm going to preemptively remove it for now. @karmic hare
That’s okay Tim. If you need any proof just DM and I can provide you all the info needed
Us being a hacking server, we’ve just gotta be careful with suspicious requests 🙂
I think I should help him because I have a strong professional relationship with him
Can I get some interview tips?
I have a pre-interview. It's a video recording pre-screen that the hiring manager sends out to selected individuals. It gives 5 random questions along the lines of "When confronted with a problem that requires quick decision making, how did you approach it?"
Each question you have to record a video of yourself answering it, the video has to be 2-3 minutes long per question and you have 60 seconds to think of an answer for each one
And once you finish all the questions and the 2 memory games at the end, an AI will review each question/video answer and score you, scores of 80-100 get auto pushed through to the manager, scores of 70 or below need to be manually pushed through
And the position has been open for months because the hiring manager has refused every candidate due to: Not having enough energy in the videos, Not enough detail/too short of an answer, failed the simple memory games, showing little to no expression or emotion in the video answers, and much much more
Oh and you're not allowed to have headphones or earbuds in during the video pre-screen and you're judged if you look online for help
I'd ask for the manager's version of the videos that show the exact way they want the questions answered, with enthusiasm
that doesn't sound like a place I'd like to work at tbh
Also, in the EU, the GDPR allows you to request that your interview process isn't reviewed by an automated service
The manager won't give them, they want to see people at who they really are without knowing what they're going to be faced with
This is also the US and if you refuse AI grading then your application will be refused
The manager sounds like an awfully nitpicky micromanager I wouldn't want to work with
It's an extremely competitive position for a company that has the highest ratings I've ever seen, and their atmosphere is compared to Google's laid back/relaxed and supportive atmosphere
Unless he's paying over $150k I wouldn't be bothered with a process like that
Well, they're paying 50k a year and this is a starting base level position
Not worth it tbh
I would absolutely laugh in that managers face if they tell me that's the process
So I'm doing it either way because I need to work to live and passing this opportunity would give me a life-long career, despite the start not being the absolute best
I wouldn't be willing to do that for $200k, AI is not going to understand context
This position by the way, is a help desk analyst/smart bar analyst
So, it's basically the lowest... position
I can't really think of any interview tips for this
You should do an AWS Solutions Architect Associate exam and get a high paying job right away. For Solutions Architect Pro you can be looking at $150k to well over 200k... You'd do those in a couple months
Yeah, that's a no from me
They're either training their AI model or they're looking for a "unicorn"
Exactly. The fact they haven't hired anyone in months for a junior position stinks of dodgy dealings
Yeah, this type of position should be filled up quickly. Senior positions would take more time to be filled out than help desk positions.
I do need a job basically within the next 3 weeks or I'll be evicted. Out of the over 50 job applications I've sent out I've had 8 interviews, and I have 3 second round interviews done for 3 companies which are not guaranteed, and 2 of which said I had too much experience listed on my resume
I'd ask them directly why they haven't filled such a position, and it can't be because the manager doesn't like how every candidate expresses themselves on video...
So, I'm willing to do this to avoid homelessness
It's not a casting call for a Spielberg movie
An AWS test that takes a few months to do, is a little out of my time-frame
Maybe once I get hired
Oh and this is also the only manager who uses this AI service and the only one who interviews this way
Can’t really think of any interview tips against AI services
I looked up interviews from executive positions to analyst positions and none of them say anything about this process
And all the interviews I looked up, are for this company
That sounds really sketchy. You should ask to speak to their hr department about the non-standard processes and things you've heard... Most decent companies have a standard hiring process, 2-3 interviews, maybe a video interview over Teams or Skype or something
Idk what your exact situation is, but there are other jobs that are immediately hiring outside of the cybersecurity space. You could use those as a stopgap while looking for a role
I know for a lot of positions, Google has 7 interviews
Yeah, I agree with Moose. One could speculate they are training their AI
This is one of the jobs, but if I can get a link to jobs immediately hiring then I'll take it
Putting this limit on yourself isn't a good thing
That's google, definitely not standard
It's making you consider a role, that everyone has said isn't a good thing
Yeah totally, most would be 2-3. Google isn't a normal place to work, according to everyone I know who's worked there
It's going to suck, but FedEx is always hiring package handlers.
The hours suck, the work sucks, but the pay is actually decent
The only limit I put on myself is "Staying in tech"
When you're looking down the barrel of homelessness, that shouldn't be in the criteria
I've been unfortunately job hunting for 3, almost 4 months now
And I've been applying to basic level IT positions just to get a job
Most of them don't even respond or answer follow up calls/messages
Take anything you can get and then plug away at getting an IT position
I've also had a couple scams
You need to "stop the bleeding" so to say
apart from it obviously being FAANG, what are the major differences?
it sounds like you're depending on getting a job that no one's been hired for in months
Even if it means taking a position outside of tech
A job, any job, at this point is your clotting agent
This is true but where should I look for jobs that are hiring immediately?
Target, Walmart, FedEx, any restaurant, etc etc
Construction also if you can do physical work
I've applied for think geek positions paying $15 an hour, they even asked me why I was applying there because I'm over qualified, and I ended up not getting the job
I can 99% guarantee FedEx is hiring
The whole culture, the work and productivity thing, they pioneered a lot of the things the rest of the tech industry only caught up on years later. They decided in the 90s that all their processes were going to be run on distributed containers and developed a system to do this called Borg. Borg led to the development and release of what we know and love as Kubernetes years later. They came up with Site Reliability Engineering years before DevOps was a thing.
Innovation in that place for all kinds of things was crazy. Not that their general business wasn't just about being marketers for just about anything, based off of data hoarding but I know lots of people who worked there long term who found it mostly a great place to work
i like the free lunch and food when i watch "day in a life" videos
top tier
Can't forget the grandad, chroot
Yeah that would be a great benefit, like literally any time you want. Most large orgs these days at least provide a subsidised menu, the occasional night on the beer and an occasional pizza party
i think my biggest factor when looking for jobs is if its remote or not
the time I lose in commutes ranges from 5-6 hours every day
I would prefer plenty of remote work. Commuting is dumb and expensive, especially if it's not practical. Companies are renting huge offices though and they want people in seats. Office parks are the High Street of the business world though. The internet has provided a more practical solution
In my last job, my work desktop was a virtual machine on a server in the US and my work laptop was a very basic machine with a VPN program. I don't need to go to the office to use that
One of my cousins was a dev and PM for google, her experiences changed drastically from when she started to when she left
I agree, the commute itself is not expensive (unless you are travelling by private car or Uber whatnot), its the stupidly expensive stuff around the office
I have no doubt things swung in plenty of different directions and it's not as rosy as it's often portrayed
What security work is required to be physical
her husband was a chef in the executive cafeteria, his experience was absolutely terrible
I can think of maybe... auditing data centers?
I'm much happier in my home office with my own food and water and a bit of quiet
Wow that's awful! I'd hate to work in a place that made me feel that way
Apparently the pre-interview screening is being done by Hirevue before it gets pushed to the hiring manager
And the company I'm applying to, isn't Hirevue
So why hasn't the hiring company picked someone, apart from not liking how uncomfortable they look being surveilled by Skynet?
I have no idea
This is through a hiring agency as well, so if they don't know, I don't know unfortunately
That sounds like a company propped up to invent a problem that didn't exist before
And the company I'm applying to through this company, hasn't responded to any of my attempts to reach out
They're an analytics company, think data scientists and such
And I may as well do this and give it my best, I have the interview screening link so not doing it would be more of a hindrance than doing it
Well data scientists don't need to do that kind of work. HR are already incompetent enough to mismanage a company's staff turnover
You should do it but if you don't get the job, tell them you want your data returned to you and deleted from their systems and a letter from them stating that was done
That's fair, although I don't know what I'd do if they just said "no"
Declare copyright ownership and threaten to take complete ownership of the platform and ongoing royalties in perpetuity
That.... Sounds a little uhmm
First, get a job in a pizza place or delivering packages. Not with Amazon though
A bit much, I also don't know if I can claim copyright ownership without a registered claim
Even if it is of myself, as it was my choice to take the pre-screen
If you created it you automatically own it
I think you should read the terms and conditions, privacy policy, data policy, etc. of the company
not lawyer advice tho
I'm going to guess that by accepting the interview and using the platform, you're consenting to you being recorded and the data gathered.
They also aren't creating anything, they are using service created by a company and their platform is creating the content
They're specifically asking him to create and submit the videos. Copyright law trumps a contract in this case, contracts aren't above the law. In the same way YouTube doesn't own its content, except what it creates; and as a US judge declared recently, the output of an AI doesn't have copyright protection (creative works can only be produced by a person); so I don't think the creators of this tool can claim copyright ownership of their content.
If you write a poem, you own the copyright of that poem automatically. You register a work under copyright with a government authority in order to ensure protection of your work, but the work is yours, unequivocally. There are things that can't be copyrighted, like recipes and some other things (which is why you always see recipe books and websites full of stories and pictures) but you can protect things like trade secrets, designs, books, etc. The documents themselves are automatically copyrighted (unofficially or not) but many things can also then be trademarked (like Big Macs in the EU aren't) or patented, once they demonstrate a certain level of complexity and uniqueness. (I'm only qualified to speak on this to the extent of my cybersec postgrad module but you'd need a lawyer to square it with the proper authorities)
What is PNPT?
PNPT is a penetration testing certification produced by TCM Security. It's intended to teach you ethical hacking and penetration testing through their course and exam process
Thank you for this, I will check the attached link, I just joined this discord through TryHackMe to develop my Cyber Security skill. Hopefully I can come across company recruiting for entry role.
Gave +1 Rep to @rugged delta
We're happy to discuss how to progress, the skills you need to develop, the resources that can benefit you, certifications you might benefit from. PNPT has a growing reputation but isn't widely recognised yet by a lot of recruiters. Similarly the HTB CPTS, Zero-Point's CRTO and others at a similar price point; gaining traction among learners but not yet by employers to a great extent. OffSec's OSCP is more widely recognised but is also increasingly expensive.
Unless you're focused on pentesting as a way of life, you shouldn't be considering it as a job just yet. You have a long road to get there, requiring many hours learning a variety of technologies, tools, techniques and processes. Keep practicing on THM and growing your skills as you go. You can verify your account through the below link if you want to
!docs verify
I just completed 16 weeks boot camps, pass my CompTIA Security plus and ISO27001. I have THM account which is helpful. Thank you for the info.
Gave +1 Rep to @rugged delta
Cool, keep plugging away and best of luck
Thank you
Do you have any IT experience? Working helpdesk, (professional) development etc
Yes please
Service Desk
Woow crazy congratulations
Thank you mate
Gave +1 Rep to @south monolith
@river scaffold where are you based ?
What are good internship positions to get experience in infosec whilst planning to move forward to pentest/redteam?
So, I have read your response but I am not at a computer to effectively respond. I will do so when i am able. I went back to the original question and their explanation neither confirms they're uploading videos they recorded themselves nor does it confirm that a platform is recording them.
This is the initial post on which the discussion was generated #cyber-and-careers message
It details that it is a video recording prescreen the participant has to record of themselves and that an AI will be used to interpret the responses. I look forward to your insights
Yep, that's the message I went back to
pentesting internship would be great but really.... no internship < any IT internship < any cyber internship
that’s how I feel for a job rn. Even helpdesk will get me there better than my current job
Hi, I’m new to cyber security
I just need a friend to put me through 🤨
don’t gotta send it 20x
Hi guys, can I please have some feedback on this? I'm going to start applying for graduate roles soon. what should I change
Wheres the line for IT and cyber internship?
what jumps out at me most is the “built a SIEM…”
almost feel like you should use the bold as a title, like “Custom SIEM made in Azure”
So what I immediately see is that you mention webdev and secure software development but you don't have the projects or work experience that backs that up.
Everything you put on your CV should be 'proven'
That was done in uni
Check :) If it's in the official curriculum you're fine on that regard then. Just double checking with you
one includes cyber responsibilities as a major component of the job and the other doesn't
Ah okay, I'll look out for the responsibilities and not just the job titles, thx man
Gave +1 Rep to @pseudo creek
Based in UK
Get on LinkedIn, a major skill gap in the UK currently, tons of vacancies to be filled, you'll get something 👍
Thank you, I am already on LinkedIn.
Gave +1 Rep to @mystic lava
Sorry it took so long, finally got a computer. The view I am looking through is that they are using a web portal provided by the company to complete the interview.
As always, IANAL.
I'll start with what is not copyrightable:
Copyright does not protect ideas, concepts, systems, or methods of doing something - Copyright.gov
The next thing would be what do the terms of the interview say? Anywhere in the EULA/TOS/etc does it say that the copyright is transferred? Here is current guidance, not legal precedent or law, from the Copyright Office as well:
The U.S. Copyright Office will assume that the interviewer and the interviewee own the copyright in their respective questions and responses unless (i) the work is claimed as a joint work, (ii) the applicant provides a transfer statement indicating that the interviewer or the interviewee transferred his or her rights to the copyright claimant, or (iii) the applicant indicates that the interview was created or commissioned as a work made for hire.
After that, we do have legal precedent set by organizations conducting interviews for publication, which sided with the Interviewer. I have listed a couple of cases, each with varying outcomes:
Rosemont Enterprises v. Random House (1966), Quinto v. Legal Times (1981), and Taggert v. WMAQ Channel 5, Chicago (2000)
Taggert specifically stated that the interviewee's quotations were not subject to copyright because they were not "expression", but ideas. I am also not going to delve into State Law, because that opens another can of worms.
At this point in time, my current assessment (couple of hours reading) on the matter is that the interviewing organization would hold the copyright to the interview. Here is why:
- The platform in which the interview takes place (assumption). For this counterpoint, it is being assumed on my part that the interview is being conducted on a web portal owned by the company. Personal anecdote, I have used one of these platforms before and the platform does all the work. It provides the questions and also makes the recordings. Using a platform like this also comes with a TOS and there could be a section on copyright written in.
- The questions generated by the company for the interview are copyright of the company.
- In this case, I am not sure the interviewee's responses would be considered "expression." If they were, at a minimum they may be able to claim copyright via the dual approach. However, in my personal opinion, responses to generic technical interview questions would not be "expression", but "idea" and or "methods of doing something."
- At least from the information presented, AI is not being used in the direct interview, but in the analysis of the data. This removes the "you can't copyright AI stuff" from the cards.
This is all I have for now, spent way more time than I expected. Will probably dig in to this more later because it was kind of fun doing the research.
Dammit, forgot to fill out 1. Give me a minute. Fixed
Excellent points. The hiring manager did make boundless claims to a lack of expression by other interviewees, as in, their performance was not up to standard. It may well be the case that the platform has certain caveats and terms favouring the interviewing org and/or the system creators. It still sounds like the intention is to get data to train the AI, rather than hire someone to do what appears to be a junior position they're having trouble filling. Based on the remarks of the hiring manager and a lack of evidence of attempting to hire someone for a position, it looks like they're trying to get free labour to produce performant data to train an AI application, and therefore, they're misleading the performers and stealing their works (which are defined as works of performance by their remarks on such)
I just want to clarify, I'm using expression here in the legal context and not the "you're not being expressive" meaning
would you mind reposting a screenshot or screenshots?
no problem, I posted a screenshot of the rest of it for you
I was about to comment on the CCNA cybrary, then I realized it said coursework, not certifications
Did you have any internships?
If this is an international CV for remote work or work outside of Egypt, what's "good" behind your education?
What year did you start?
There's a * at experience that's blank.
I'd much rather see the skills, relevant courses and projects you've had at university over free / paid courses on Coursera and Cybrary.
Your bachelor's gives you a good baseline, stronger than listing free courses or Coursera courses (or Udemy for that matter)
Free courses and free certifications (like LinkedIn) show that you're interested in your field but nothing more. It does not add a lot of business value.
Are you familiar with ALL skills you're listing and can you talk for 5 minutes or longer about ALL of them? Use cases, when not to use, downsides etc?
Make sure to have proper capitalization. You write "Junior cybersecurity Engineer" and "Cybersecurity Engineer" in the same line. Also SIEM instead of Siem and problem solving without the -.
What's the difference between eJPTV2 and eJPT, it's the same but updated right? What does your certificate list? eJPT or eJPTV2?
Gotcha :) Just making sure.
that is good as it is listed
And if you want to be more nitpicky; List your proficiency with your languages. Not just Arab, English. Arab (native), English (Proficient or Fluent)
Thanks bro
This coursework section is not.... good. "Coursework" without an accompanying degree or accreditation is pretty worthless. As you've listed these, it's basically a participation ribbon: might be pretty, but has no weight.
I tried to say that a little bit less direct :p
can I please get feedback on this
How proficient are you with all of these technical skills? Can a technical person ask you about any of these skills where you are comfortable explaining in detail what they do and why they perhaps should not be used in some cases?
There's a , at the end of the last skill.
List CompTIA Network+ with the "proper" name.
And List AD as a skill since you've mentioned it quite a few times.
Okay
If I've gone through the training for a certification but haven't actually tested for it, do I include it in my resume
Personally, I would not. Things can always happen and you haven't passed yet, so you haven't earned the title
Unless it’s a sans course without cert I guess
Right, but that's different. They're asking if they can put the certification on their resume before they pass or even sit for the exam
That's fair, I want to somehow demonstrate that I have the knowledge attributed for them but right now getting the certs wouldn't make any sense for me
Ah yeah don’t do that
You can demonstrate it by passing the cert, or pray you get an interview and show it there, or post blogs I guess
It's weird seeing CEH a lot more in the Netherlands as a requirement. But it's listed in the same list as OSCP and OSCP is a fair bit harder right?
CEH is a multiple-choice exam with the option to get CEH Practical which is an 8 hr (?) CTF which gives you the title of CEH Master
Which is fairly stupid considering CEH is their entry level cert
But yeah, what you are saying is correct. I just wanted to rant about CEH
Gotcha.
Hey There All 🤗
I'm new here and wanted to be An Ethical Hacker. I need guidance in starting my CyberSec career.
It’s listed, but to my knowledge oscp is more valued
in your professional opinions, what holds more value: cybersecurity certificates (Sec+,CISSP,etc) or a cybersecurity degree?
I currently have a BS in Computer Info Systems and have been a cybersecurity analyst for about a year. I'm debating on going back to school for an associate or masters in cybersecurity, or continue to study for the Sec+ or other security certs.
If you are already in the industry, I'd say focus on certifications.
experience will even out with university pretty soon if not make you grow faster. if you're in the industry focus on certifications.
Okay, thank you!
are there any free threat intelligence courses with labs
what should I change
every now and then i'm looking for cyber security jobs in germany (pen tester, but really looking for everything) but i can't seem to find any junior positions. I'm currently a software developer. any tips on where to look/how to find anything in germany?
LinkedIn?
Are you in contact with recruiters on LinkedIn? Also junior positions are very hard to get at the moment. I'm in the same boat in the Netherlands. Also a software dev switching :)
Good LinkedIn tip. Find the companies you want to work for. Go to their about page and scroll down to ‘I’m interested’ and select it that alerts their recruiters that you’re interested in working for them without reaching out to dozens of their internal recruiters hit and miss. Also optimise your profile with relevant keywords and a good summary. Don’t spray and pray be more selective 👍🏼
Would putting a few of my retail experiences on my cv be a good thing. some jobs do ask for it and shows i know how to deal with any customers
i don't have a LinkedIn. not a huge fan. but i might need to create one :/ then i need to get professional photos done
I'm not a fan of LinkedIn either. But for business practices it's standard nowadays for anything "higher education".
If you have no IT experience, definitely put it on your CV.
When I was looking for my first and 2nd dev job I'd put my experience working in restaurants on there.
I have 10 months experience in ai but when i worked at tesco i gained some leadership skills so was wondering if that would be good to put
Definitely good to put it on there.
Any IT Risk Analysts in here? What do you do?
Anyone have advice on how to get a cyber security job? I have 5+ years of IT systems engineer experience, 2 years of Incident response / general cyber security experience too. I've been applying my face off all over linkedIn and directly on websites and I am getting nothing but denials ( no reasons given). Any help will be appreciated! ty!
Could be you are over qualified for what you are applying to as you do seem to have quite a lot of experience. It could also be a bad resume or just a resume that is not good at getting through automatic filters
Best to post your resume with redacted PII for feedback
What does iso 27001 certified mean?
In summary, that the company has established and maintains the requirements set forth in the ISO/IEC 27001. Which means that they have implemented security controls and procedures to ensure CIA (confidentiality, integrity, and availability).
If you post it as an image, you'll get more responses
People don't want to download things from a hacking server, even if it's ethical
gotchya, and thanks for the tip!
Gave +1 Rep to @stoic cave
Ah okay thanks so it's not like a certification a person can have right?
Gave +1 Rep to @green quiver
Starting at the top:
This is personal preference on my part, but I don't like paragraphs in resumes. Others disagree here, but imo, that is what a cover letter is for.
If the IR position is your current role, put present and not the year. 2022-present
I would drop down to 3 bullets for each job unless you really really think you have a greatest hit at that position that would add to the resume.
Right hand justify the dates on the same line as the company name.
Say what your degrees were in education.
Go side to side with your skills and separate them out into programming/technical/etc
Soft skills don't belong in skills. Every skill you list make sure you can talk, in detail, to every item for 20 minutes or more. SOC Engineer and Helpdesk are roles, not skills
Correct, it's for businesses to show they meet those standards set forth. I have not looked into certs for it, most of what I've come across is auditor certs that cover it. I believe there are some places that provide just ISO 27/31k training though. For GRC/auditing I could see it being vital.
I see, thank you
Gave +1 Rep to @green quiver
Honestly, waaay too much text. Look for a more modern template, those work wonders.
And what kind of jobs have you been applying to? I think that's also pretty important.
Switching fields means often a cut in salary. Even if there's plenty of overlap.
Do internships generally have you work towards a certificate?
they may, it really depends. I’ve seen one that gets you certified specifically in something Microsoft Support, but it just depends on the company and the internship
Internships are a trial run for you and the company, doing actual work. If they're having you do certificates, I would have questions. Same for certifications, unless they're having you do the certification alongside regular work duties
I saw one that's just mostly certificate work and a bit of the actual work duties, i'm considering applying for one but i'm having doubts
Its this one btw https://www.megt.com.au/jobs/rms/jo000076294-0
Upgrade to a new career path with our 2-year Microsoft Traineeship Program! Now taking in expressions of interest for various Host Employers in Brisbane!
@mystic lava We don't do such inquiries here 🙂 So please refrain from that.
Where can I post it then ? 😂
Not in the server
It's a legitimate Career proposal ...
Because there’s no accountability, no proof of a legit proposal, and kinda sketchy
Sketchy as in, not an official job posting
If you say so ... Upwork is a legitimate freelance platform and I got a publicly visible profile there where you can see all the projects I finished and my earnings ..
You are better off just pinging a mod.
If it's legit career opportunity and not hustle culture bullshit, you can talk to @distant pier about verifying your corporate email account to post in #jobs-board
Thanks mate 👍
Gave +1 Rep to @flat sedge
can I please have some feedback on this? applying for graduate positions, ideally in cyber sec
Try more modern approach to your resume. This is wayyy too much text
Hiring managers and recruiters don't want to spend more than 2 minutes looking at your resume these days
https://www.canva.com/templates/?query=resume for example @sturdy scarab
im sorry but you are the first person ever to say its too much text
its the bare minimum
1 page
I had way less text than you and I had multiple recruiters give me a tip to use less text ;p
Hey guys, I wanted to share something with you all. After spending a considerable amount of time in TryHackMe and Hack The Box, I tried to do bug bounty. It seems that this is an incredibly difficult gig to execute, or am I just lacking methodology or knowledge? I don't know how many times I will fail in submitting my first valid bug. I want to know your stories if you ever did bug bounties, what was your first experience like. I totally don't think I am the only one struggling. Any feedback and stories are appreciated.
You should check out the #bug-bounty channel, but yes, bug bounties are going to be challenging, since you are performing a penetration test in a public environment usually. Bug bounties can be an educational experience, but you must make sure to stick to the scope. There are a lot of bug bounty programs you can join, through the likes of HackerOne and Bugcrowd and others. You'll need to work hard to get your standards up, don't consider bug bounties a reliable source of income, at least until you're familiar with them, just use them to learn more effective web pentesting skills
👍🏼
I just get demotivated when I see the app behind cloudflare and akamai, it's like a dead end to me, can't think straight after seeing them
cloudflare isn't going to stop a logic bypass
I would disagree. Formatting looks good to me.
Rule of thumb is that they won't look past the first third of the page. Seven seconds or so is your average time available to hook them before they discard.
You definitely need to consider design and how the document flows (I.e. you want to force them to use those 7 seconds on things you want them to see), but the whole point of a CV is to convey information, albeit succinctly.
A page of text is good. Mine is a page and a half, and has got me every job I've applied to so far (four and counting).
Although in that specific case I would say that the section order is wrong. Education below experience, missing a profile at the top, and I've never been a fan of "skills" as a section personally (although opinions differ there).
Also not a fan of how wordy a lot of the bullet points are (or the long form for the projects, ew). Make every word count. Lots of words, fine, but only if they're actually making a point. Space on a CV is at a premium. Don't be flowery.
cc @sturdy scarab
thank you very much, I'll make some changes
looking for conferences happening in Q1 next year.
this is very much a case of “i am looking to basically go on holiday”
any suggestions?
Zero Trust World looks like it might have some interesting talks
Education below experience if the experience is more relevant
Indeed, which in this case I would say it is
2020 actually
oh ye
God I need to rebuild this blog
Hi everyone
I'm 22 years old and have 3 years of experience (and counting) as an IT support specialist. I'm currently studying Computer Science in a university and I'm thinking about dropping out and doing certs instead.
I'd love to hear your opinions if it's a good idea or not.
Pentesting sounds like something I'd like to do and I'm already looking into certs in the cybersecurity field.
It may sound lazy, but I just feel like my studies take too much of my time for things I couldn't care less about, I'm a technological person but I'm not really into programming and can't stand math. Besides, when looking at people around me in my current job, a lot of them only have certs and they're doing fine. Even my department manager.
However since cybersecurity is different from IT support I don't know if certs would be enough for that.
What year are you in?
Finished my first year a few months ago
If you have the possibility of growing into an infosec role at your workplace and having your employer pay for your certificates, that's amazing.
However, it's tough to break into the field with certificates alone. Either previous work experience at higher education equivalent ability or a degree is necessary.
Hey guys, what do you think of this?
Sign up for my free cyber security career newsletter:
unixguy.com
Not sure what to think, but I would lean towards that not actually being an internship
Or in anyway a replacement for professional experience
just stuff to add to the project section at most
I feel accounts like this want to give spoon-fed type answers, without them being viable. If people get hired with their advice, they lose their audience
just my view on the whole thing
@stoic cave @fluid trench thanks for your input
Gave +1 Rep to @stoic cave
There's just no way it can cater let's say 1k people with personal guidance.
It's a virtual internship, a simulation as they put it. There's no way you can use this as actual experience.
Hey guys I have a question. I want to be a red teamer. I'm doing Jnr penetration tester path. But I'm having trouble grasping the full concept. So can I do security engineer and coc path first practice it a little then come back to penetration path.
What I'm trying to ask is that can I become a red teamer later by first learning blue team
Yes, there are blue teamers that also pivot to red teaming
Its possible. There are even jobs that specifically look for people that have had prior blue team experience for their red teams
Would there be any discrimination. Like most red teamer start with red team directly. And will I still be able to do oscp
That depends. There are jobs which will ask you to get OSCP while working under them or would require it (or other relevant certs) as a prerequisite before hiring you.
I don’t think there would be any discrimination.
When I do say red team, what I mean here is jobs under red team so that also includes pentesting.
Oh my God! This is HUGE! Is this Forage Platform new? This is exactly what students/young professionals need in the early career or for a career switch. Thanks a lot!
Gave +1 Rep to @elfin spruce
I don't think it is :)
What do you think are the downsides? I like that it offers practical experience with tasks straight from the industry.
It's just as practical as THM arguably.
The major red flag is that they offer it as a virtual internship, yet there's no personal contact between you and company. Which is impossible since thousands of people can do the simulation.
Hell, you can't even be sure it's actually from companies like PwC.
So in the end it's just a simulation of possible cases you can face whilst working in the field.
Which you cant even fact check.
Many people come to pentesting and red teaming through blue team. It's one of the most common career progressions in the industry from what I've seen.
So no discrimination -- quite the reverse, it will probably work in your favour.
There are no job restrictions for offsec certs either
shadow wanna keep the red teaming as a hobby and do blue teaming as a job
dunno how possible and achievable that is but eh
I would suggest you don't do red teaming as a hobby. Something something rules of engagement something something prison time.
ah... meant it as doing ctfs on tryhackme that are more focused on a redteaming or pentesting approach
worded that poorly above
Good luck with that. I can think of very few that are useful for pentesting, and even fewer that are useful for red teaming lmao
Techniques, sure
fair
I can't even imagine what a CTF would look like that wanted an actual red team skillset
closest might be something like the social engineering village contests
hmmm closest shadow can think of is red team capstone
if we are going by the ones shadow has done
Right?
It's pretty much impossible to get the scale of the environment right, let alone the thousands of moving parts that make the exercise worth doing in the first place.
The only thing I can think of would involve manual answer checking, like they have to write a report and it get graded
maybe asking them to find vulnerabilities and grade them based on CVSS
That would be as well being a pentest
oh shoot y’all said red team. I was thinking pentest for some reason
yeah Idk honestly
unless you had paid actors pretending to be a company for the purpose of a challenge lol
make it a paid and scheduled CTF haha
If you are Dutch the government has a permanent RD
And, how would flags be gathered? Unlocked files at specific time intervals, assuming the connection hasn't been killed by the automated blue team defenders?
right am I seeing things or does Muiris pfp keep switching between a butterfly and his usual one
I mean, you'd probably need to go with the data exfiltration end goal, or possibly do it off event logs, if you wanted it to be vaguely realistic
Maybe; I think it depends on who the CTF is actually for. Is it for infra? Is it for monitoring? In my mind, red team is about emulation of a real threat. So evasion, persistence and pivoting ought to be the key skills. Contrast to pentest where the goal is validation of specific functional controls
iirc the way the red team capstone challenge did it was clever
I haven't done that one yet
Neither have I, but I read through the info on the flag system
Been busy doing nothing on vacation and sort of studying for CRTO and CSSLP
twas a very good system
TL;DR: once you pivot, connect back to a validation machine to prove that you did it
I’d like to do it, I have a business email, but it’s for a non profit org, so not sure they can afford business accounts lol
That's an interesting thought; that flags are granted by the C2
Oooh, yeah, that's an idea as well
Personally I would like to see them granted by the EDR lmao
'your beacon from target 1 checked in, here's a flag.'
Aye, absolutely
If the EDR grants the flag, doesn't that mean it's a red team failure?
Yeah, was about to say, there's an issue with that one...
kek
What is the Canvas RTO exam consist of? is it practical? Maybe the CTF could resemble that in a way
Having said which, doing it with the beacons and an outbound proxy could be very cool.
if you want to collab on a room like that muiri, let me know. I'm pretty new to red team but I think it would be valuable
assuming you aren't already so underwater that you don't have time
(also i will be away next week)
Target system makes connection to X IP == owner of IP gets an automatic flag
Hmm. Hmmmmmmmm.
Yeah, I'm pretty swamped I'm afraid, but will definitely keep that in mind 😁
I wonder how this practical exam does it
If the whole CTF was a shared instance, what would be in place to stop the target system connecting to multiple IPs to get the flag for each of them?
AD network with literal flags needing submitted.
It's a good AD / C2 challenge, but nothing like a red team op in terms of scale or environment. Not ZPS fault -- it would be virtually impossible to do that.
Ah, that sucks. Yeah, I see the issue there
What, like one person compromising the machine and unlocking the flags for everyone else?
yeah
Nada... exactly the same as the protections against flag sharing around here lmao
If you wanted to stop them from doing something like a sweep across the client subnet (I.e. spoiling the thing by forcing the flags to open), you could do something clever like require outbound C2 connections to use a unique cert generated by the flag server and given to the user to import into the C2
That said, the other problem with this whole strategy is peer-to-peer C2 connections -- e.g., over named pipes. In that instance you don't actually have any direct connection from machine 2 to the C2 server -- it all goes through machine 1
I liked the way the RTCC handled flags.
The CRTO exam is definitely more in line with what the networks in THM and the Pro Labs in HTB look like. It's just a bunch of machines grouped together in an environment, and you have to evade defender to get a shell/beacon
Just to add onto the exam discussion earlier
Should I start looking to getting certifications? And which should I start with?
It really depends what you want to do, career wise; what your skills and interests are, how much you enjoy learning and studying, and what your budget is. You don't necessarily need to get certifications but they are a good way to show your interests and dedication
@rugged delta yeah I just don’t know what to go into lol. I guess I’ll keep doing thm rooms and one will draw my attention
Thank you for the info
If you explain your skill level and what you like doing it'd help. Generally if you're going into cybersecurity, you'll need to have a good understanding of computers, Windows, Linux, networking, pick up a little Python or bash or PowerShell as you go, enjoy working with computers and figuring things out or finding answers either online or in books, enjoy picking up and reading cybersecurity books, practicing and playing around with the challenges on THM and reading the walkthroughs.
You might want to check out Professor Messer's free course for the CompTIA Security+ exam and maybe pick up a book on it. It will teach you a lot about how cybersecurity works and then if you want, you can do the exam. It is widely recognised. Other exams you might consider, if you enjoy hacking and think you might want to do that as a career or even to demonstrate your interest in the field, OffSec's OSCP is widely recognised by employers also but it is rather expensive. Other certs of that nature like TCM's PNPT or the HTB CPTS are good learning endeavours and more reasonably priced. Cybersecurity is an expensive field to truly pursue and it can help if you have an employer who will compensate you for these.
While those might be some of the options, there are tonnes of certs and courses and their value and quality vary wildly. The ones I mentioned all have a good reputation or they've been shown to at least be of high quality. I'd really suggest learning more about the field before you pounce but do ask any questions you might have
@rugged delta I feel most comfortable using Linux and I know just the fundamentals of Python; the last project I made was a blackjack game with multiple players. I know very little bash. I mostly enjoy doing the CTFs. I would say my overall skill would be beginner, since I don't really know networking and Windows cmd
All good points. You don't need to know everything about how these things work at this stage; you'll decide to delve into what interests you most as you progress. Keep practicing, keep an eye out for interesting resources. For instance, Humble Bundle frequently has good book compilations on cybersecurity. We talk about those things in #bookclub
@rugged delta thank you so much for the guidance. I will check out those books. See you at #bookclub. Have a good day
Gave +1 Rep to @rugged delta
Ooh on that side I am totally with you. Agree 100%. But let's put the word "internship" aside and focus on what it offers, which I think is great. Take a look at the Forage Platform, that's the name of the platform where you can do "job simulations". I think at the end, it is just a new way of finding new talent without any interview, assessment etc. 😉
Hey all! Newbie here, super excited to join ye!
Had a (quick?) question about breaking into the game and remote work!
So I think I've gathered enough to understand that without a degree it will be hard to get a job in cybersecurity, even with certs everywhere.
So Imho I have three options here: 1: get A+, network+ get a helpdesk job and work up, right? Is this feasible? Is getting a job with just A/Network + likely? And to aim even higher: would remote be likely?
Or 2: is it better to do the cybersecurity as my evening hobby, and just continue trying to get into programming? No degree either, but loving it just as much!
3: move back to the city, get a degree, and go from there?
I am just torn! I love both programming and cybersecurity! I would love to work remote, as I live in the country with many (guard) dogs...
Any help is appreciated!
Love!
*edit option 2 added 'to get into'
Not having a (CS) degree, nor certificates and wanting to do remote work seems like a stretch.
Hybrid seems to be more of the norm.
Note; especially as a junior in a field it's more beneficial for you as well to have a job that's not 5 times a day remotely.
Yeaa... I kinda figured.. I was hoping somewhere that I could have it all haha thanks for the response! Imma try and do this for fun while concentrating on software! I'm sure my programming skills will allow me to be with my doggies hehe
Thanks again! 😁
Gave +1 Rep to @elfin spruce
I don't know your situation but if you can, go for the degree. I myself have a higher state diploma which is quite nice but still, I see that with an engineering degree, everyone looks at you differently. Besides the status elevation, the knowledge you get with a degree is way more in depth than with certificates. But still, your choice. You can't do anything wrong with doing certificates to showcase your knowledge and willingness to learn new skills.
What will you do? Went from sysadmin to SOC engineer but not loving it.
Got invited for 2 interviews and although I've not gotten an offer yet, thinking what might be the best option in case I get an offer
JOB 1
Technical Security Consultant | Job description
As a (MS) Cloud Security Consultant at work in business, security and IT. You are the inspiration behind the (further) development of security portfolio and guide (potential) customers with complex Microsoft security issues in relation to Microsoft Azure and the Microsoft 365 portfolio. You also provide advice in the field of security solutions from Smarter365. In addition to advising customers, you guide them in the implementation of the security architecture and setting up the Microsoft security products from Smarter365. You are also busy creating security awareness, taking control and executing security awareness scenarios on a regular basis
JOB 2
Security Officer | Government job
1 Policy – advise, develop, implement and execute
We contribute to policy development and translate this into specific or additional policy frameworks and supervise the implementation and ensure that implementation is organised.
2 Risk management – inventory, analysis and selection
We work in a risk-driven manner and to this end we identify risks, analyze the identified risks and make decisions based on them. The result of the analysis is a selection of risks that need to be addressed.
3 Measures – advise, describe and implement
We develop measures by contributing to the description and providing advice on measures to be taken.
4 Supervision – compliance, monitoring, evaluation
We supervise the implementation of the measures, monitor progress and evaluate the effectiveness of the measures. We also monitor compliance with agreed policy frameworks.
Eyo fam! I was floating the idea of making a change on my resume where I remove the "Professional Summary" at the top of my resume and instead put in my "professional development"
Open to ideas of changing the formatting/wording, or just not doing it at all. Ty!
Don't think anyone can answer this but you.
Talk with both and follow your instinct/gut feeling.
Your work experience is more important than your education at this point; put it on top.
A small summary of yourself really cannot hurt.
I like before more however get rid of all the "additional knowledge areas". Put them under skills or list them where you used them professionally or during educational purposes.
However, don't list things you cannot talk about for more than a few minutes and have an equal and in-depth conversation about
Thanks for the response! I know you are right, and a degree would be most beneficial, but I think I'll just do this as a side for fun 😉
Thanks again though!
Gave +1 Rep to @toxic gull
Well how will soc and blue team help me build a strong base for pentesting
Knowledge on evading detections through learning how attackers are detected by blue team tools. Giving good recommendations on how to remediate vulnerabilities and lapses in detection, etc. in their blue team.
There's a lot more but those are just off the top of my head
Attack and defence are two sides of the same coin. Creation and destruction. Attack and protect.
The better you are at one, the more you know that can help with the other.
A pentester or red teamer must always provide recommendations on how to fix things. To do that they must understand how those things work. Blue team helps to understand the kind of issues an org is likely to face, and also gives you experience with fixing stuff (if not directly then in co-ordination with development / administration teams).
That said, pentesters and red team recommendations may not be fully informed on the environment, and the recommended remediation may not be appropriate or effective due to things like a WAF or reverse proxy that may be invisible from the tester perspective
So it's only about fixing things. Will I be able to understand pentesting more easily?
Is there any pro ethical hacker here? If there is anyone, pls DM me. I need to know how capable you are and your achievements to get an understanding of what is pro in the hacking field,
Why do you need a pro ethical hacker?
To get an understanding of what is pro in the hacking field, to get an understanding of how far I am from becoming a pro in that field, do you get my point bro???
I do, but this is a server full of people with many different skill sets, you don't need someone to DM you, just engage with the community.
Ohh... ok then I'll ask the whole community, so ..how pro are you? Are you from the top 1%?
Can you share your experience!
You realise that "pro" is short for "professional", right?
I.e. anyone here with a job in offensive security is a pro hacker
Eh, I would argue that an internal testing team should have a reasonable idea there, although yes, this is true.
Doesn't detract from requiring that technical knowledge in the first place though.
How pro are you is not really an answerable question; if you've got a job, like Muiri said, you're a "pro". People specialise in different areas too, no one is an expert at everything, top 1% is a meaningless metric
I'm in the top 1%, but that doesn't take much, it's not hard. I'm not a professional yet, I'm in my second last year of my degree in Digital Forensics and Cyber-Sec.
I agree with all that. My point is more that as testers, we have to keep in mind that we don't own the system and even with the best of intentions and knowledge we probably don't have as deep a picture as the devs do. And our recommendations tend to be along the edge cases that they didn't think about, or an incorrect specification.
And often enough, the 'correct' fix cannot be applied because the application architecture simply cannot support it due to design flaws
Ah, yes, fair enough. Agreed on that one!
Hello, I'm an 18 year old boy and I'm kind of lost so I'm looking for help here xD.
I started university this year doing a Bachelor in Applied Mathematics. However, it wasn't my first option. I wanted to go into computer science but I didn't manage to get in because of my exam grade.
I'm a little discouraged because I feel like I don't need so much mathematics for my future and the subjects are also too complex, which makes it difficult for me to get a good average to get into the cybersecurity master's degree.
I'm trying to decide what decision to make within the following options: stop being a bitch, continue focusing on the Bachelor in Applied Mathematics, which gives me strong foundations for the master's degree in terms of reasoning and general knowledge as the course teaches mathematics, physics and programming, however there's a chance I can't get the average I need to do a master's degree. The other option is to focus entirely on the only subject that is equivalent to the Bachelor in Computer Science and study to repeat the CS candidacy exam and improve my English and programming/hacking skills since I will need them in the future.
Please share your thoughts and experiences so I can make the best decision! 😉
-- generally speaking, is there more demand for pentesters-redteam or SOC-blueteam, as far as junior roles go?
there will always be more demand for blue team roles
💪🏻
would a path like this make sense, if one is interested in landing a junior SOC analyst role?
Complete beginner > Pre security > SOC level I > (at this point I might try to send my CV for interviews for junior SOC analyst roles) > SOC level II
-- also, do the modules/courses on THM in regards to networking give a decent foundational knowledge? I'm studying for CCNA, but I don't think all the info from CCNA will be necessarily useful for cybersec (especially the cisco-specific stuff), idk though
Thank you for all of your Replies 👍
Got some clarity! ✨
Just now I understood that the word "Pro" is short for professional
I hope that if you are really interested in computer science a degree won't stop you from learning it!.. do whatever you like, do not think too much, just my opinion 😅
I'd say a master's degree in cybersecurity is not something that's looked at except for senior (?) or managerial roles. A master's degree and no experience may look bad on your resume when applying. Feel free to correct me if I'm wrong but usually in IT it's either certifications and/or experience that matters (along with soft skills).
You can do Applied Math for a bit and transition to Computer Science like you said, I’d say that’s more feasible. Computer Science is a subset of math so you’d pick up theory a lot better.
It's less that it looks bad, and more that it prices the candidate out of the lower level roles needed to gain the contextual experience of "doing" security
I am a beginner, how do i start?
In the country where I live, a master's degree is not expensive (It might even be free) and I'm at a good university so I think I would only benefit from a master's degree even though I know I'm losing a few years of "practical" experience. Even so, I think that the master's degree has partnerships with companies to do internships and I will try to contact companies to do internships during the summer holidays. So if I manage to get a master's degree, I'll do it, if not, I'll study to obtain certificates.
There are different reasonings behind having a master's degree and not; many employers don't really care about it, especially, like already mentioned, employers for "entry level" positions. With that said, a master's degree can also be one of the main reasons to even break into this field; this certainly was the case for me.
My master's was very technical and theoretical, however not in the CS field at all.
I think you should reach out to people in your local area who are in IT/Cyber and ask them their opinion on a master's in cybersecurity and how employable you are with it versus experience + certifications. Maybe reach out to a couple of alumni (maybe those with master's) or professors in your university, ask their opinion about it also.
Tech recruiters are also people you can reach out to.
Most people in Europe coming out of college with a BSc, Graduate Diploma or Masters will typically go through their college's recruitment path into a junior position for at least one year to learn the ropes. At that stage most reputable companies will encourage them to pursue certifications of various kinds
You have all those certificates and you are worried they won't accept you because you don't have experience with Splunk?
I've applied to over 1000 jobs and this person is the first response I've had, and it wasn't even from an app, it was from word of mouth. But also he asked me specifically what I knew about Splunk and I said I had some basic experience with it but I was planning on improving, and I want to do it immediately. I do nothing else but watch an anime here or there, give my plasma for money, and study (aside from beating my friends at Putt Party 💀)
Also thank you for asking that, it is clarifying to see someone point out how odd it is
I'd also be careful with the skills section. I've been asked some questions on my skills by interviewers to prove I know stuff, like for example what port DHCP uses ….
67 and 68?
Or for digital forensics, for example: on yours it's a whole discipline, and you can get a university degree in that, and by putting it as just a skill it can be used against you
and haha thanks for warning me
Gave +1 Rep to @heady axle
I see what you mean, it came from a lab we had to do for the degree at my school and I vaguely remember it
Unless you feel comfortable in evidence acquisition and all the processes of storing evidence documenting it and doing investigations for which you can be asked in court and be prepared to answer all the technicalities I wouldn’t include it 😅😅😅😅
I needed to get past the ATS 😭
There was a website but I can't remember what its name was. You post the job advertisement text and it gives you keywords to include in your CV
I'll see if I can find it, thx again my brazzah
Gave +1 Rep to @heady axle
anyone for this?
also wondering if anyone in here took the google cybersec certification/course on coursera
seeing a lot of great reviews on youtube, but it might also just be that they want that affiliation money lmao
depends on client you are assigned to.
If role involves SOC+SD, yes. Just SOC, meh. But its always good to know extra skill
by yes you mean the info on THM will be enough?
Regarding the CCNA you mentioned: THM may not be enough for an interview, but entry level usually doesn't require much as you will be trained for their actual process
Know basics and keep yourself updated with news
👍🏻
also some people consider CCNA the very basics, lol. I guess for a purely networking role they are vs more advanced cisco certs
That depends on how you would measure foundational knowledge.
CCNA would give you a stronger foundation than what THM provides. You don’t need to pass the cert if that is what you’re aiming at.
Hi, I run a small cyber security services company, where I help companies set up a SOC. Curious to know what kind of methods to use to get new projects/clients?
CCNA is really good but you don't need to push to that level for most cybersecurity roles. Cybersec engineering, most certainly that and a little bit more, maybe cloud networking; but for the most part, the contents of network+ with a little os knowledge will get you most of the way
yeah but if I don't pass the cert what do I put in the CV? (to show that I do have the knowledge/have studied)
like "networking knowledge (CCNA training course)" or something? lol 🤔
Does anyone know anything about physical security engineer? Any information would be appreciated.
If you have questions, just ask
How can I start at an entry-level for physical security engineering ? I got interested.
Are you a student?
Howdy all, I recently left a role (Project Services: System Technical Lead) to finally take the plunge and pursue a Security role. Anyway, just had my first interview for a Cybersecurity Analyst role and found the technical aspect surprisingly easy. Anyway, things went well on all other fronts so I have another interview in two days, which was scheduled minutes after hanging up from the first interview video call, so I'm thinking I'm in with a chance. Is this how all first interviews go in Security?
It all depends on if you know at least the basics in all or most of these fields:
Locks and lockpicking
Physical access control systems
Electronic security systems
Social engineering
Surveillance and counter-surveillance
Absolutely!
no, why?
@buoyant shuttle Please don't advertise services on our Discord. 🙂
Those roles are fairly rare and aren't typically entry level. I don't have first hand experience with that side of cyber, but I can surmise what might be required. Having a contact already doing the work would be the best way of getting into the space, excellent people skills are a must, the work is probably team oriented so you'll need a set of skills that rounds out that specific team, etc etc
What line of work are you in?
Just joined LinkedIn. lets connect ✌️ 🙂
|| https://www.linkedin.com/in/bhaskar-pal-9447ba296/ ||
not (yet) in IT, but i still wanna put IT stuff in the CV
Hey, I received my GSEC today, is there someone I can ask to add that to my profile here?
What are the roles you’re looking at in IT ?
right now mostly help-desk but wanna end up in a SOC/blue team eventually
Congrats! I passed mine last week
Nice work! What are you planning to take next?
Starting gsoc next week, and gcih in a month
I'm at a toss-up between pursuing the CTI one or GWAPT if I can
Sweet, good luck!
Thanks, you too!
Any recommendations on what to look for after getting CASP+?
Unfortunately do not have lots of experience, but currently a desktop support engineer
Hello. I'm trying to get an entry level blue team job and was wondering if I have to be a sys/network admin before moving to blue team?
I'm not too sure, but I believe it would help. I don't think it would matter, as you're mostly trying to stop breaches and also harden the defenses. I would look around on job posts as it would give you a better idea, but I don't see them as demanding it in the ones I've seen. Hope it helps. I would say though there is nothing wrong with understanding those roles, as it would improve your knowledge and also help a lot with your career, and having the ability to not just harden but also repair and help on new builds, getting them to a higher level of defence right away
it would help, yes
but you don’t need to
a lvl1 SOC employee is a great start in your career and can be your first job in IT even, we have a lot of students who do it as a part time job
I work helpdesk right now but do a lot of HTB/THM CTFs and training. I wouldn't say I'm a pro but I certainly know a thing or two.
The reason I'm asking is bc I thought I had to go through the typical path helpdesk -> sys/network admin -> entry-level cyber
Have you checked out the SOC Level 1 learning path? It gives insight into what foundational knowledge and tooling is included for a Triage Specialist:
https://tryhackme.com/path/outline/soclevel1
Found one and got accepted!
anyways this was my initial question
How should I put the fact that I've studied networking with some CCNA course (without actually getting the cert) in my CV?
I'm trying to do the same but I need to study more first ,_,
and at least finish the SOC level 1 path on THM as suggested
You could put it in a section called "personal development" or something similar and just mention the course name, but it probably isn't going to have much value being on the resume without actually obtaining the certification.
Will do
Just put that you have the cert and by the time they call you for the interview, you'll have it
For example, I'll take my ccna in December but in my resume I put that I got it this month
By the time I get interviews, I'll have it.
Saves time imo
It's not lying btw. It's called being proactive 😃
Yeah, I would have to agree: if you're testing out before you have to show proof you should be okay. But if you end up failing that could backfire. Worst case I'd say I have the exam scheduled for it in that case.
I mean, it is a lie because you don't actually have the cert...
if you fail the exam though you gotta change that lol
i think most people in that case put the date of the exam
like CCNA (20/12/2023) or whatever
well if i study properly at least i'll be ready for possible networking questions in the interview, i suppose
but i'm gonna and it's not that far out anyways. Maybe if i was gonna take the exam in say, April, then yeah, I would not put it in my resume
That's true but i'm optimistic
but it's worth the chance I think
I also use it to gauge the market to see if having the ccna even makes difference in my job search
fair enough
Any intermediate/advanced tips for work life balance, especially in terms of work from home?
Already work and play in a separate space, try to have my hobbies less influenced by tech, but with how much I love tech it’s still a lot to obsess about at times, especially lingering goals waiting for approval/review
Can be very hard to turn off at times, especially when my whole vibe was learning more about the tech I interact with prior to this
Meeting tomorrow may help, may finally get my AD Security/Modified MS Security Baselines project pushed through due to a meeting and confluence of events
Take more frequent breaks. Go out to eat, even if its just a salad or sandwich at a nearby park. Don't be afraid to take a 20 minute walk every so often
Thanks, that is good advice!
I do take breaks somewhat but not so much like that
Often shorter and I’m a bit distracted and eager to get back to it/worried I’ll miss something lol
But yeah I don’t need to be so reactive, I’m level 2 basically and we have dispatch for a reason
Can someone recommend a headhunter for entry-level cyber jobs? Looking for remote work - I need to find something to get my feet wet. Most job boards are asking for previous experience. The only place I found to get experience is HTB and TryHackMe and I'm not sure that's even enough to get looked at. I've hit a dead end and am looking for other ideas to get noticed to get that first job in cyber security.
The only place I found to get experience is HTB and TryHackMe
ooh this is not true! but also i think you'll have more success getting out there. going to conferences etc, it'll suck but it's how it works :/
there's lots of things you can do to "get experience":
- make open source tools
- write blog posts
- Write tweets / linkedin posts
- bug bounty
- hack things and find CVEs (anyone can find CVE in some bad bit of software)
- go to conferences
- speak at conferences about your experience doing any of the above?
- thm and htb are good, how active are you in those communities? that helps a lot too!
- make youtube videos / twitch stream your hacking
- make friends in the comments of popular youtubers / streamers
@rugged sable - Thanks for the Tips - any advice on finding headhunters or trustworthy firms for job placement?
Gave +1 Rep to @rugged sable
If I got that out of you in an interview it would be an instant rejection for dishonesty lmao.
If you can't be trusted to talk about your own experience without bullshitting, why the heck would you be trustworthy on a team?
Completely understand, I believe a large part as they said is testing the job market if the cert will even make a difference. Although, even something like "Studying for CCNA" should cast the same net?
Testing the job market by outright lying when you're looking for a job isn't necessarily the smartest idea. Something something burning bridges, etc.
Yes. I keep the cert(s) I'm studying for in my personal profile at the top of the CV, personally. Just as a "currently working towards X, with future personal development goals including Y and Z". Something along those lines.
Shows a desire for continuous learning and is upfront about my current abilities.
The horse is already dead Muiri 
No matter how much we say it, people are going to be like "no it's not" lol
True that
Is there any benefit to having a LinkedIn if I am just starting as a student with no portfolio? Or should I not bother until I have a portfolio to begin with?
It will be good to get connections for when you finish uni. The more you know in the industry the better
What would I actually put on there though? I mean student, obviously, but anything else? I assume career goals?