#cyber-and-careers

@median leaf thanks!

Gave +1 Rep to @median leaf (current: #1962 - 1)

eh, I'd wait a few years for ISC2, CISSP is really the one I'd go for there, you could go for the CC but it doesn't have any value currently

Ye I have the CC, for a beginner at least it covers good topics and I got it for free during the UK cyber initiative thing so can't complain

I might consider the SSCP when I've got the job role/industry experience for it but idk

still SSCP doesn't hold much value

Depends on what it is you want to do really, I wouldn't say it doesn't hold much value though

I would listen to Zojja, unless you have direct and contracdictory experiences - Zojja has been in a position to determine what qualifications are needed for a fairly long time

and I could extrapolate, SSCP has existed for a while but really hasn't caught on as what was probably expected. CISSP is still ISC2 flagship cert. Many people will do better to take the CISSP exam and mark themselves as "Associate of ISC2" until they have the job experience. It is actually cheaper (only $50/year) for Associate of ISC2 vs $125/year for SSCP.

Fair enough. I would have considered it as a gapstop/knowledge builder on the way to CISSP, imo but I get it can be supplemented in a variety of ways. That's the way I looked at it at least, considering from what I've read/been told the CISSP is relatively difficult so for a novice such as myself it's helpful to be able to do middle ground certs, at least that's what I would have thought anyway.

Always open to alternative suggestions/to be educated in a better way of doing things, so any insight is always appreciated 🙂

well that is where something like Security+ is a good middle ground cert. And its not as hard as people make it, I barely qualified for CISSP when I took the exam

and Security+ does not have a yearly maintenance fee

It does

$50 a year

damn, I thought it was just a renewal

all these people trying to get extra $$

It goes towards the renewal

So it's either $50 a year or $150 every three

And then 50 CEUs every three years

Dang really? That's news to me and I have security+ lol

Good to know I guess

Yeah, I just have my company pay for it which is nice

yeah my company pays for renewals

I don't have any Comptia certs tho

I was able to make it a requirement for the customer, which means they pay

Looks like I'm on the right track so far then. Last year I did an apprenticeship for level 3 azure cloud, to get me into IT as a help desk role. I also did Microsoft azure fundamentals, security and compliance fundamentals and isc2 cc last year. My plan for this year was to get network+ and security+ while getting another year's help desk experience and practicing tryhackme/a beginners python course I've got. Then hopefully start looking for a security focused company/role next year. Right now I'm at an MSP and they only have the one security engineer and it's mostly like cyber essentials/system admin stuff that he does which doesn't really interest me that much.

Speaking of renewal fees, i found out yesterday that SANS has renewal as well, but you don't necessarily have to redo the course or exam... You can also participate in other paid events

Smh I was too naive and believed it was out of the good of their hearts

Is this for school or work?

University project

Unfortunately we cannot assist you with school work

I’m curious about this

How come

he could have just lied and said it wasn’t and you would be able to help him

Hello everyone! Hope everyone is doing well

Guys I want to ask what are the key points I need to keep in mind as I am creating my own OS based on digital forensics .
Also if anyone have done project related to this please tell me and try to help

the question is why are you doing this?

Hi everyone, I would appreciate your opinion, and be honest no wrong answers^^

I know the first job is the hardest to land, I know about the roadmap and everything else. I'm curious about the "experience criteria". Would 2 years as a Network Manager look good on my CV?

What job are you opting for?

Penetration Tester.

Then 2 years of experience as a network manager would look great. Networking is really useful in PT and when companies hire junior penetration testers they are usually looking for people that have some experience in IT.

Thanks a lot for your insight 🙂

Gave +1 Rep to @fringe spade (current: #391 - 11)

I would wager because of plagiarism rules that are out there.

@pseudo creek @flat sedge @stoic cave Sorry for the mass ping, but might I dm you all for advice on my CV? I don't feel comfortable posting it publicly even with PII censored, but would really appreciate all of your advice (I understand if you'd prefer for it to be here instead)

Go ahead

I won't be online until later or until tomorrow though, just FYI

Something similar to CSI Linux?

is part-timing a pentest job possible/common?

Not common

mk and is bug bounty alone a viable source of income

no

Bug Bounty Hunting to me seems like earning a living as a professional musician: it is possible, because you see people doing it, but only very few seem to 'break through' while a lot of people try

Is it a decent idea to look into bug bounty to obtain a recognition of sorts to then boost a resume?

Yes id think so, especially if you show you have found vunerabilites and bugs no matter how small they are its a good expereince and look for you showing youre capable of finding them.

currently taking a course of pen testing where i live, learning webapp pen testing at the moment, what are the best ways to kick start a career as a pen tester

its not an entry level career you need some IT expereince

such as ? network manager? help desk?

Most people start in helpdesk, maybe junior sysadmin/network admin, qa... I'd suggest you read some of the Tribe of Hackers books because they discuss some of the ways people have gotten into the field

what does qa has to do with it?

I mean, in fairness, you can get into it entry level. It's just rare

where i live its rare period

Don't give up looking, just be prepared to take a longer route in

Well, that won't help 🤷‍♂️

i need to collect certifications aswell

You do not

Collect might be the wrong way to look at that 😆

Collecting certifications just to have them signals certain things to recruiters and hiring managers that you don't want

probably a poor choice of words

from my behalf

If job postings around you want specific certs then you might consider going and getting them for yourself

But you don't want to just do certs for the sake of having them

Every pentester I know who has started as a pentester as a 'first' job had a lot of prior background that made them a good candidate.

That background usually doesn't include a lot of certifications

Not least because they're expensive as hell and you should have orgs paying for them for you

I say usually, I really mean 'In every case I can think of"

Out of curiosity, what kind of backgrounds?

You, James, myself 🙂

you guys type fast xD

Ahah, fair

can u elaborate on the background

Relevant degree, interest in security, solid technical knowledge

Usually projects that can demonstrate working ability and knowledge of the primary domain as well

I mean, in fairness, I did also have certs when I got my first job in industry

i dont have a degree, i do have interest in security and wanting to improve my knowledge

Your certs came as part of your degree program, didn't they?

Nah. 0day talked me into doing OSCP

Ah

Then I got kinda hooked

OSCP is a good resume filler; IMO you didn't need it, and it's really expensive for someone to pay for out of pocket.... especially now

Especially now, aye

i heard oscp is regarded highly in correlation to other certs

Think I got it for about a grand back in 2020

Although yes, it was likely unnecessary

I sat for it in 2019, got really mad that the most foundational parts of the exam weren't really covered in the course material

I hear that has changed though

Yeah. The focus of testing was certainly interesting in comparison to the focus of coursework. Not sure how it is now

I was really angry; I've pretty much washed my hands of offsec training and certs since then

IMO CRTO is better, especially if paired with a less-advanced cert like Pentest+. People bag on PT+ a lot, but from a business perspective, PT+ has a lot more value

I found that the 300 level ones are a lot better, honestly. I liked PWK -- it was useful for where I was at that point in my development -- but the OSCE³ trio are insane in comparison

Because it spends a lot of time talking about why pentests should be done,. and what shouldn't be done in a pentest

Which is what we find a lot of juniors just totally lack

YEah

I'm building a pentest program with my current employer, it's been very satisfying so far

Building out the team / processes from scratch?

im kinda lost 🥲

Top-to-bottom rebuild of the entire pentest aspect of vuln management.

Nice! That's gotta be fun

including change management, policy, tools, everything

TL;DR: comparing some common certs, and now talking about the fact Juun's just taken his org's entire pentest programme to bits lmao

reformatting it essentially

You going for rolling changes or just outright ripping it out and starting again?

ripped out. Previous processes were bad

Blank slate must be fun

can't be reformatted if it no longer exists

lol

i like your approach

So many things I'd like to do with ours that we can't really do because everything's just ingrained into the wider business

That said, even if I were high enough ranked to authorise it, there's nothing serious enough to merit ripping it out and starting again lmao

My boss basically said "I'm tired of dealing with the decisions made by other people, it's now MY DECISIONS everyone will have to live with"

"Go write a ton of policy and we're rebuilding everything"

Also:

I'm getting old and slow 😦

Should be hitting 125 relatively easily

i feel like youll have carpal tunnel eventually

not a syndrome i wish upon anyone

Hey juun did you get my message earlier? ☹️

@flat sedge Regarding what you were saying before about certs and getting them for the sake of getting them. Are there any then that you would consider must haves/definitely worth doing? When I eventually get to transition to a security focused role maybe Sec engineer first and later pen test/red team, I won't have a degree on my resume. Will just be a level 3 azure cloud apprenticeship, MSP help desk job experience and whatever certs I have at the time.

So far I have entry level certs MS SC-900/AZ-900 and ISC2 CC

Which I have done during my apprenticeship last year (due to finish around March)

I would not say any is a "must have" as each org is going to have variation in their requirements, and the emphasis they place on having prior certifications

Thats fair

I guess I'll just go for things that I think will interest me then and see where I end up

I was planning on doing net+ and sec+ this year

@flat sedge

Hm?

#cyber-and-careers message

I don't review things that could have a benefit to multiple people privately

All good, I understand

I'd like to ask you some questions. I just finished my masters in IT, I have 1-2 years of experience (internships, freelance, etc.), I've been doing a lot of CTF recently. I want to start my career as a penetration tester.

• Should I do my CISSP, CEH (or other?) before looking for a job, or is it usually the company that will pay for it during my first job?
• What are the first certifications I should take?
• How many years of experience do I need before I'm no longer considered a Junior?
• Does a good pentester have to be an "expert" in Windows/AD AND Linux? Or do you sometimes specialize in just one?
• Any advices to start my carrier?

Any ressources, ytb channel, tools, rooms, etc. ?

Curious, eager to learn 🙂

Thanks
@

Did you look through the sticky posts?

Oops no I did not

Hi, so I'm currently working as a software QA and I really don't like my career(Have been doing it for over a decade in different companies).
One thing I don't like about QA testing is that it was frequently being treated as the "blaming" department. You won't get praise for finding bugs, but if you missed one you are to be blamed.
I was thinking about changing career to Cybersecurity, but I'm afraid that it may turn out the same. Cuz I heard cybersec is also treated as a thankless job. You won't get praise for blocking threats, but if you missed one, you are to be blamed.

However, I know that cybersecurity is a huge industry, is there any specific cyber role that don't fall into that "blaming" department/thankless job path?

I find penetration testing to be quite fullfiling in terms of receiving praise from colleagues/clients. I imagine other parts of cyber are less like this, but with penetration testing you are providing a niche service that clients are generally very thankful for if done well

So I'll say cyber security is a bit of a mixed bag. A large part of my job was working with developers and programs on improving their security and there was a lot of push back. Sometimes you would be considered a hinderance to the business. As more and more breaches have occurred, there has been less push back regarding implementing security but it still happens. And really security is ultimately compromising between the business needs and the security needs.

Having said that, my job right now is great. I get lots of praise but I don't work directly with end users. I'm a cyber architect so I work on what solutions we should be creating. I have to still consider the overall business needs and ensure that security is usable but effective.

I think it depends on the company you work for and its perspectives on security. For me, part of the challenge (and joy) is working with the company or individuals to adjust their perspectives and trying to find the middle ground with security controls. I work more in the GRC/advisory space so that could be why.

I do agree that oftentimes it is a thankless area but I think one must have the mindset that if you aren't getting recognition or complaints then you are doing things right.

For pentesters, It's probably not too different from other consultancy business that have to deal directly with clients, most the times they're happy and everything is fine but occasionally you're unlucky and the person you have to deal with is uncooperative to stay polite 🙄. It's probably different for others positions: I can totally see the CISO taking the blame when shit happens.

(not all pentesters work in consulting)

Can confirm

Without breaking exam ethics rules, people that have sat for the RHCE what was your experience? What did you do to prepare, what are some pitfalls that you maybe ran in to and learned from? What's your background? Did you take RHCSA beforehand? I'll probably think of more questions.

I haven't taken the RHCSA/RHCE exams but an up-to-date/valid RHCSA is a requirement before you can be awarded the RHCE afaik

Gracias

I haven't looked in to it too much tbh, haven't gotten access to the portal at work yet.

To my knowledge the RHCSA 9 is the same content as RHCSA 7 & 8, or very similar, at least. Basically a lot of sysadmin terminal commands from basics up to managing things like SELinux and other features of the system. It used to be the case then that RHCE would be mostly application management and security but I think the bulk of it now is Ansible administration

Is a masters in cybersecurity a thing? Or is it a masters in computer science and cybersecurity is part of it

yes its a thing

Great

but in asking that, there are a lot of caveats to getting a MS in cybersecurity

Like what

Yeah, so that's going to be a struggle on my part my environment is different to say the least. So I am going to have to unlearn bad habits

Harder to get a job?

Because it’s one field

you should only get a MS in cybersecurity if you are already working in IT/Cybersecurity

I see

So what’s a alternative then

because no one wants to hire someone with a masters and no experience

you get certifications

and self learning

So certs are the main thing

Makes sense ngl

Well they do teach you all the good habits you should have for running Linux in an enterprise environment. There's a lot of standard tools and scripts to employ these days

What’s the best certs you should get if you going into cybersecurity

Which I don't have because of the environment I'm in

All the fancy scripts the kids these days are using

security+ is usually a good starter cert

For reference, I'm still using service and not systemctl

Plus shouldn’t like jobs say what certs there looking for?

A lot of stuff is cross-platform but the point is more about managing systems as a herd, doing stuff in kubernetes and the cloud, etc...

yes

It's a big change but you'll get the hang of the most common parts of it pretty quick

Thanks azure

Gave +1 Rep to @pseudo creek (current: #13 - 456)

There's a lot more containers in RHCSA v9, and I think VDO has been de-emphasized. I wouldn't say it's exactly the same, but it's not substantially different aside from 1 or 2 areas

if you are expecting to pass rhcsa, get away from systemv and the init.d style of management; RH is systemd

Oh cool 🙂 I haven't been spending much time on RH stuff for a while now 😛 Cheers for the update

Do you have any recommendations onward from Security+ in terms of further certs? I recall you mentioning that going off of how it has faired, SSCP fell short and you recommended CISSP as an associate. What about things like CEH, OSCP, Pentest+ etc?

It depends, what are your goals? pentester? something else?

Right now I have worked help desk for the last year while doing a level 3 azure cloud apprenticeship. My aim was to do network+/Sec+ this year while continuing getting general help desk experience. Then look to go into more of a security engineer role instead of help desk

Continue getting experience as a sec engineer and then transition to pen test from there

That is, in an ideal world the kind of movement I want career wise over next 5 or so years

and what do you think a security engineer does?

ie security engineer is a very generic title that could encompass a dozen or more jobs within cyber security. I'm more curious about the type of role / responsibility you would be looking for

Oh okay so well from my understanding, design/implement/adminstration of security systems to maintain security posture

That's what I thought was like the general jist of a security engineer

Which I thought would be a good role to maintain for a while to garner experience before transitioning to more of an offensive security/pen test role

so you are thinking things like SIEMs?

vs something like firewalls/proxies?

and are you getting any microsoft certs as part of your apprenticeship?

Hmm I couldn't say for certain I'm guessing you could specialise in either of those fields, I would ideally like exposure to a mixed variety of things if possible. Long term I am hoping do pen testing assessments, ie work for an independent organisation that gets employed to do a pen test on an organisation and make a report to the organisations internal IT or IT provider

I did Azure Fundamentals and Security and complained fundamentals and that's it

Compliance*

are you going to do any others?

like possibly SC-200, 300 or 400 could be good

I am planning to do some of the associate ones yes, probably identity and access admin associate first

Cert wise this year my goal currently is net+, sec+ and at least one MS associate level cert

ok then thats a good start, I mean you could do OSCP, it doesn't have a renewal fee and doesn't expire

Oh cool! That's good to know, where would you place OSCP difficulty wise is it beginner or intermediate? Essentially I was thinking of the certs I mentioned this year and tryhackme as practical/supplement stuff

Then something like OSCP etc next year

Essentially

OSCP is beginner pentesting but intermediate IT

Okay, sounds like a good transition then after my learning this year

I was considering pen test+ but the fact that OSCP doesn't expire or need renewal is quite beneficial

Anyway thank you for your insight/time

Much appreciated

It's also way to expensive unless your org is paying for it

It used to be semi-affordable, but with the recent price hike it's too expensive for an individual to pay on their own. imo

Yeah and they bumped up the price for it again this year

OSCP you mean?

That's why I encourage people to consider certs like PNPT/CPTS/CRTO/CRTP/CRTE. But also, primarily focusing on your skills/projects is very beneficial

Yes

Hmm that's a shame but not entirely unexpected

I like this from juun, may end up going this way

Yeah it's about $1650 for the 90 day course or $2600/5500 for the year long subs

Jeez lmao

All in, I think you're still under $1,000 with CRTO and Pentest+

What is CRTO?

Certified Red Team Operator

The problem is that it doesn't have HR visibility

I see

It's so overpriced, offsec is really milking on the brand

Isn't CPTS the hack the box one?

That being said, in my opinion, Security+ and maybe CCNA is all someone should pay for out of pocket

Yeah and it's challenging. Not very well known yet though

yes

After CPTS, I'm hitting up CRTO for funzies 😛

I know of hack the box was actually the first place I came across as a programmer buddy of mine told me about them

Learned about all the other things over the last year

They're a competitor to THM so we don't discuss their platform much here

Anyway always happy to have recommendations or at least be aware of options to look into so thanks

Makes sense

i forget what server i am on sometimes lol

Does anyone get into a rut where you're at times both massively burned out but other times extremely motivated at work?

Almost seems to flip flop for me in year 3 of IT, bit more difficult being remote working at home. Yeah home/life balance is difficult but I at least move out of our home office for relaxation time

I think some of it is MSP things, where there's often so much going on. Also fair it's my first 9-5 style job

I'm incredibly burned out right now, but if something comes along at my job that's new, technical, and puzzle-esque I'll get excited and motivated to do that work.

That's exactly the kinda vibe I have, literally had the boss ask me to look into something new today compliance wise which I've not covered before. I'm interested to dig more into that

But whew I just wear too many hats and do SOC level 1 phishing management on top of security engineering, compliance management and more

Although I won't lie, the more advanced phishing is extremely interesting to dig into

Yee, I'm solo with on my projects with different leads. I do all of the technical work on one and basically an EA (Executive Assistant - basically I do a lot of the issue tracking, report out to senior leadership, present to leadership of all levels, and then fill in when the lead goes on leave) on the other. The problem is I get anxiety over not knowing if I am doing something wrong, not knowing if the quality of work is up to par, or otherwise forming bad habits because I don't have a technical and/or small unit lead to ask questions.

Totally fair, kinda same vibe for me but much smaller org. I don’t always get confirmation things are going well until I’m given a new novel task or low key confirmation indeed

I love projects but they can be very hard to keep up in an MSP environment though which yeah is difficult. I just try for one client at a time

These are my two official projects, I then also help other teams because I technically have the most seniority (at three years) and they aren't exposed to technical work as much. So sometimes people who have mainly been doing documentation or reqs get thrown in to a technical project and I help them out

Interesting, I’m in a pool of all techs, most are help desk but others wear many hats as well.

Just small business things

It's not something they're used to and I don't think it's really fair to them. Very much on board with turning around and helping others up the cliff. At the same time, I'm doing the work of like 3 people if not more.

Yeah training someone when they're apt for it isn't too bad, but when it goes wrong you're just doing it for them.

And yep know those vibes as Win Sysadmin, sole Linux Sysadmin, sole infosec peep, sole compliance manager and I'm sure I'm forgetting some lol

We did have a sysadmin hire go south and it was brutal to train him, he's still around due to short staff

My one reprieve of the year though is evals lol. I've got that doomer mindset but it's always "DYG is a critical part of this organization, make sure he stays with X Org." Getting kudos through the year is nice too.

I'm in a really weird spot where I wasn't even interviewed, I knew someone who worked in the company during covid and proved more than apt immediately.

Never had a single performance review. Would kind of appreciate one

lol probably getting the vibe about how small our org is but I do think I got my venting out for the night.

Thanks so much for the chat @stoic cave

Gave +1 Rep to @stoic cave (current: #18 - 372)

I did at least get "obviously you're our security person" from the boss. lol close enough

You're welcome lol

Company should be doing that on a regular basis as part of policy

Because otherwise, they don't know what performance incentives to convince you to not leave

They do indeed, but us remote workers are left out. It's also done inconsistently only when management feels it's needed lol

I don't have much say in this, my boss is the head of the company. Small and flat org

Shouldn't this be done / norm all the more for remote workers just to make sure you are still made part of the organization or company?

It should be done indeed, but I am not management. There's a perceived (as I see it) expectation that me and fellow remote co-worker are "above this" as we are dedicated sysadmins and etc

We're sometimes left out of the first part of our staff meetings in which it's "Please do better about this internally". idk it's kind of weird

sounds like poor management to me, but it's your situation

I was a manager until like 2 weeks ago (I transferred to a new job)... this is bad management practice and having performance reviews is like one of the core responsibilities... it's also to improve you as an employee and if that doesn't concern you as a manager (it really should though lol), it's also a 'cover your own ass mechanism' because you keep track of people

lol I have zero complaints with the above, and we're literally keeping around a poor fit employee due to being short on staff. I will never claim our business is doing it right 🙃

And then said employee is creating extra work cleaning up after them lol

For you individually it might be indeed just fine if you have access to the resources you want. Where I work, performance reviews are also used to make arrangements bottom-up, for example if you wanted extra training or certifications that can be agreed upon in a performance review and you'd have semi-legalised a promise from your manager

If the situation suits you, all the better for you 😄

I was legally required to do reviews once a year for every one of my subordinates

Whew, I would love paid training and certs like that... or even just paid time off... Yeah we kinda got screwed as just being considered Independent Contractors as the most expedient way to deal with taxes.

Fair my in-office co-workers don't get many befits, but they at least get paid time off

You in the U.S.?

Hi, everyone!

I am a CS student and I'm interested in the cybersecurity area. I've been studying through thm and I've just finished the pre-security and intro to cyber. Now I'm about to enter the specifics. From my understanding, a professional in this field will know how to do it all, both attack and defense, as they're tightly connected and you need to understand one to deal with the other, and you work with whichever path you find more rewarding or prefer. Is this a correct assumption, or should I pick a path (blue or red) and focus solely in it?

An understanding at a high level of both is a good idea, but blue and red team are specialties, so yes, a choice has to be made between them

Hi I was hoping that someone could give me some insight. Im looking for some extra either courses or modules on try hack me i could do that could be aplied to my cv to make it more attractive any suggestions?

It's quite normal when learning the ins and outs of cybersecurity to build a good, standard baseline of knowledge. Following the paths and modules can give you insight into the different roles in the field. It's not just a matter of red and blue teams; there's lots of other roles and plenty of crossover. It's worth learning the kind of things you might see on Network+/Security+/Pentest+ as these are good theory to have as a baseline, even if you delay acquiring the certs themselves until you're more comfortable.

After that, you might find you enjoy the challenges of blue teaming (SOC/defense roles), security engineering (building and managing security systems within an organisation), or red teaming/penetration testing, and other roles like incident response, computer forensics and others; and there are plenty of resources to help you learn these tools and specialties.

\

Try to look at doing projects rather than adding more studying

@dense dagger thank you

Gave +1 Rep to @dense dagger (current: #23 - 326)

Hi. Any Security / SOC Analysts in the chat? I've got a few questions regarding the required skills for the job and such...

just ask your question, there are people who are around that have been those jobs, work with people in those jobs or are currently in those jobs

I was just wondering how much log analysis via powershell and xpath queries are a thing on a daily basis? I would assume that this comes to play more in digital forensics or fringe SOC cases where you'd have to analyse a compromised laptop directly and not via the pretty SIEM interface?

yeah I agree, I would think that is more digital forensics. You should be working in a SIEM (and using their queries)

How far would you go in preparing for a job interview in terms of SIEM? THM offers a view into FOSS SIEM products. If it's possible to get a hand on something like FortiSIEM, would you even recommend checking that out and getting familiar with it if the company you're applying to uses that?
Or would you say that as long as you know how a SIEM system works and as long as you've worked with some, that's usually all the company needs to hear?

I'm talking from a standpoint of a graduate getting into the field, not someone with job experience.

so I am not a SOC analyst but like my company uses Splunk (for a lot more than SOC stuff too) and its pretty useful to know. A company could ask you specifically which SIEMs you have familiarity with and may ask you specific questions, not syntax but generically. I would assume anything on your resume is something you will be asked about as well as anything you say in an interview

Splunk has some free stuff out there if you want to delve into it

thanks 🙂

You would do well to cover the Splunk and Wazuh content in THM, as well as the two SOC paths, as they will teach you a lot about the role and the tools you might use on a regular basis

how would one do projects regarding cybersecurity, can you give me examples so I can move towards it?

There are a lot of roles in cybersecurity. If you're already learning pentesting, you could install your own VMs of the OWASP Juice Shop or Damn Vulnerable Web App (DVWA), build a small network with a couple of machines in it and learn to pentest and secure them. You might do blue team things like learning how to configure and manage Splunk or Wazuh or The HELK.

You might like to read books on cybersecurity. No Starch Press has lots of cybersec books on all kinds of topics, Wiley has a lot of excellent cybersec books, as well as O'Reilly. You might find a project or topic these books prepare you for or help with implementing tools and processes.

You might enjoy following the content on PicoCTF (from Carnegie Mellon, a top tier CTF winning university), or OverTheWire and UnderTheWire (Linux and Windows Powershell wargames sites, respectively).

You might want to see if there's a local cybersecurity conference. BSides is a conference run independently in a number of cities worldwide every year. Here is a map of all of them. Click on a location to find out more.
https://www.google.com/maps/d/viewer?mid=1KBFOZ6eIptZgktZOy53ACycZ9AY&ll=19.096492810287874%2C-52.751742300000046&z=2

There are lots of directions you can choose in the field. Take your time and enjoy exploring and growing your knowledge and skills

Sheesh

Those aren't all mandatory, just suggesions

Yes thanks

Gave +1 Rep to @rugged delta (current: #23 - 327)

And when you mean set up splunk

Do you mean using those VMs you created?

Nice post thanks!

Gave +1 Rep to @rugged delta (current: #23 - 328)

I think you can get a free splunk cloud trial and there's loads of splunk stuff on thm

Hope you find something fun

A lot of it is interesting already pinned the book sites and will deffo have a look at bsides there is one local to me

Keep an eye out on Humble Bundle. They frequently do good offers on tech books. We usually list them in #bookclub

Already on there! Picked up some good stuff on cyber sec beginner, python beginner and Linux manuals

Good stuff. I've picked up a few books... These and more

Oh awesome that's quite a collection of stuff haha

I need to keep an eye on it more often

I would just avoid Packt

We do point out interesting ones in #bookclub and the IT ones usually come out Monday evenings but they're there for about 3 weeks usually

Packt does tend to be the most 'hit-or-miss' of all the tech publishers I've read, but they do have at least 1 book i've found useful in every bundle; definitely recommend the nostarch bundles way more

I see

I'll keep an eye out for the no starch ones then

Any particular one you like?

I think I have one packt bundle are they known for being sub par?

There's usually good bundles from No Starch, O'Reilly and Wiley, and a few others occasionally. My favourite No Starch books include Cyberjutsu, Serious Cryptography and Penetration Testing by Georgia Weidman; a little outdated but the process is still mostly relevant, even though some tools have been surpassed

I’m on there websites

But there’s only ebooks

Ebooks

If you are in college you might be able to get them for free

I have access to all Oriel courses and books

And LinkedIn learning courses

University*

They don't always produce high quality material but you can still learn a lot from them and they do have the occasional gem

Used it in the beginning for come c++ stuff but since I knew Java basics I found that I probably don’t need an entire course for c++ basics and just some video of pointers references . After basics stuff like the STL I might want to go through a course

They do produce paperbacks on Amazon but there's generally better books from other publishers

Cyberjutsu sounds very interesting

Also pulls at my inner anime/Japan nerd side

🤣

Funny names fr

It's a really good read. You'll learn a lot from it

Also what does it mean by print book

A print book is just a book on paper, as opposed to an ebook

I see

I've bought books directly from No Starch, where you get early access versions of books months before they're out

Get this man sponsored

Nice

But can you only buy ebooks directly from them?

You can get them on Kindle but they do print books as well. Go to nostarch.com and check them out. If you buy the physical book from them, they send you the ebook too

Awesome

Can anyone advise what the splunk login info is? Or even where the web interface is, localip:8000 is not it

https://tryhackme.com/room/splunk101

Try #room-help

I wish i could get nostarch directly from their website, but in canada, amazon is the only place to get nostarch

https://e-janco.com/press/2024/2024-01-05-few-jobs-created-in-2023.html

only about 700 job created in the whole IT sector in USA for 2023

Never heard of that site. Sounds pretty BS though

thanks! great comment! Can you suggest some beginner-friendly SIEM boxes on THM?

Gave +1 Rep to @rugged delta (current: #23 - 330)

its true, did you Google it?

It’s literally a random website, I think there are more reputable resources.

i just googled its on multiple sites

Also don’t limit yourself to one source, try and find other reports

^

Even on the report it says ‘net 700’

“Over 21k IT jobs were created in the last quarter of 2023”

yes

‘Net 700’ is not the same as ‘700’

It takes layoffs into consideration

yeah

A buch of companies went under in covid, after that you had a surge of 'oh shit everyone wants to do remote now' and now it is balancing out a little

Also... lot's of companies got government support and now the collectors come knocking some previously unhealthy companies that stayed alive during covid because of support from the state. They are now collapsing

At least, that's what's happening in my country, not sure if that applies to the U.S. as well. Without the context, it's not clear how to interpret that number.

The most significant, at least to me, is that unemployment in IT is still below the average.

Also the website looks super wack

yeah it shows only a 700 job growth compared to the previous year its bad.

😦

Still there’s tens or hundreds of thousands of open positions

Yes. In my country, the construction job growth rate is very low, but that's because nobody is expaning or starting

because there is a giant shortage of personnel, so expanding will net you... absolutely nothing

So again, in order to say 'good' or 'bad' to this, context is needed

are you tryna become a soc analyst or pen tester?

Right now I am trying to do my best. I work in an advisory/liaison role. Non-technical

i wish you all the best.

what's the less boring less annoying secjob of them all

It depends on preference I guess. Some may find SOC boring if there aren't that many incidents or if it gets repetitive, some red teamers may not be fond of writing reports, GRC (like in my case) when you need to do a refresh of a particular assessment or review and so on.

I can't think of any off the top of my head, but the nature of any type of security job will require some degree of interaction with other teams or departments.

I am pretty sure helpdesk is the least annoying. Based off of the memes, of course

xd

Ty

Gave 1 Rep to inf0s3cw4nn4b3 (current: #25 - 323)

there are technical and non-technical roles and there will always be cross functional team interaction. most of the time are from teams that are “annoyed” with security policies

lool

wow you have oscp

#cyber-and-careers message There's plenty about things like Splunk and Wazuh and other useful tools on the SOC path

What’s the best way to get a help desk job

Apply

Hlo guys ,I am a beginner in cybersecurity field I have promised myself that I would land a job by the end of this year as a Pentester. So currently I have completed basic fundamentals like networking & linux one and currently I am in the middle of cyber mentor's PEH course on yt
Basically my goal is pass OSCP because without that we cannot crack a good job in pentesting world .
my roadmap is that I would complete cyber mentor's PEH course and then go after PJPT to boost my confidence and then join HTB pentester course after completeing it to crack the CPTS and then to go after OSCP if you have any suggestions and changes I could do comment down below

Do you have any experience in the computer industry or a technical field?

Very nice goals

Good luck to you wtih your chosen certs. In order to be a pentester, you really need to understand the technologies you're working with. You need a good grasp of Windows/Linux administration, networking and perhaps some scripting as well. Most people who want to be pentesters spend time as sysadmins, cloud engineers, helpdesk, qa, programming first to understand how to implement systems/software, follow processes, integrate with an org, etc.

The PEH course is quite good but I wouldn't waste the money for the PJPT exam, since PEH is the first module for PNPT anyway. The CPTS will absolutely prepare you for a junior pentesting position, knowledge-wise but, as you've probably heard, yeah the OSCP is widely requested/recognised by hr departments and pentesting clients.

It's difficult to start your career as a pentester without a solid background in other systems and skills, and while it's not unheard of, most pentesters do have some other cybersec experience as well.

well I'll say goals where you depend on other people are difficult, not impossible. But there are so many factors to getting a specific job, it is better to focus on your goals and what you can do.

You got this

I believe in you

Can anyone recommend a roadmap to become a threat hunter.

Wait so what type of cyber security job is good for a first job in cybersecurity because I want to become a soc analyst. Of course I’ll get certs but is that a job that requires some experience beforehand?

Do you have any prior experience or degree?

If not, I'd recommend looking for help desk positions to build that experience and get reps in, then work your way in to a SOC

So I do want to get a degree

I wanna get a bachelors in cybersecurity

If you can take compsci do that

Computer sci is better

Cybersecurity degrees are very hit or miss

Or computer engineering so you can be more flexible and have a lot more variety. Only thing is to be the best you must do a lot of studying and choose a specialty

By school has a networking specialty in the engineering curriculum

Is compsci very programming based? Because I like programming but I’m not a VERY big programmer

Or is it all about computers like in its name. The science of computers and it has some programming but it talks about different stuff too

Juun probably has a better summary than I do, but it's the science of computers, how they work, and computing theories like data structures etc etc

It's not going down to the "circuit level" and how to design them, at least I don't think it does

study of computation

IMO CE is mostly EE, with a few more architecture and compsci electives

you can go down to circuit level with CompSci, although it's more rare. The engineering classes that I would have had to take to go down that route of "circuit level" were not feasible in my undergrad program

you don't have to be a big programmer, programming is used to enforce concepts

What about an Information Technology degree?

I'm going to do it regardless, but wondering how others feel about it.

I am not interested in the curriculum for CS in nearby universities & I (personally) found that IT would have a cool mix of business/technical courses

That depends entirely on the people I have come to see

imo thats also a good degree , id do it.

I don't know anything about it, what kind of curriculum do you have?

So if I managed to do a Network+ practice exam and get 80% without studying at all, should I just gun for a Security+

They're two entirely different exams and serve different purposes?

I'm completely clueless when it comes to college, I essentially never left my high school. I took a networking CTE course in high school. Some of the network engineers saw my skills and asked if I wanted to intern over the summer I graduated. I didn't have any college plans, so they kept me on part-time until I eventually got brought on as a full-time tech.

Ikr I wanna know more about it

thank you for sharing your thoughts on it 🙏

Gave +1 Rep to @lofty quiver (current: #1967 - 1)

I can message you the specific program I'm doing, but:

Lower Division

- Applied Business Statistics
- Introduction to Information Technology
- Introduction to Networking and Security
- Applications Development
- Database Management for Business
- Big Data Analytics
- Cybersecurity
- Legal Environment of Organizations
- Choose a 3-4 unit math course (Calculus I or a bit lower level)

Upper Division

- Management of Information Technology
- Systems Analysis and Design
- Advanced Networking and Security
- Web Technologies
- Enterprise System Administration
- Project Management
- Applied Communication

Cyber Security Concentration

- Cybersecurity Management
- Penetration Testing and Ethical Hacking
- Incident Handling and Cyber Investigation
- Seminar in Information Systems and Technology
- 6 units in advanced courses/internship/seminar/independent study (I will go for internship!)

It's a CAE-CD designated university, so it unlocks some exclusive government-based internships
https://www.caecommunity.org/about-us/what-cae-cybersecurity

I visited the school as well & am really excited about it tbh

that's awesome, I really think experience trumps everything else,

but I know some organizations will ask for a degree in upper-level positions (or so I've been told 🤷‍♀️)

however, you can get really far (salary & career -wise) in certain technical positions,
so do you really need to move "up" to management? 🤔

I would say that no matter what degree that you go with, studying outside of it will be important. Once you kind of figure what interests you and skill up. Also you should be applying to internships now for summer if you haven't already. I'm glad you are excited

also another tip, if you have choices of classes that are hands on, take those vs ones that are more theoretical. Also get involved with any cybersecurity club at the school

I notice in my country, especially if you work in oublic sector at some level of organisation getting your master's is going to be mandatory, and the recent trend is that in decreasing manner they are asking for a field-specific degree but rather want a 'university-level thinker/worker'

I was in college before going back. I'm currently in my Winter (shortened) session, basically I'm in my first year back. I have this year + 2 years of university left (if I pass everything)

Isn't it too soon to apply? I have taken 0 cyber courses, tons of general ed so far

I can make a basic fullstack app (self taught this), but I'm not interested in being a web developer. I was planning on self-studying cyber, then applying for internships during my 3rd year of school, when I'd have at least some relevant knowledge

Will do my best to fit cybersecurity club into my schedule,
and keeping hands-on classes in mind!!

Thank you for the advice

Here in the United States, I have noticed companies that are becoming more open to people with no degrees,

Some of the major companies include Google, Apple & IBM that do not require a degree like before

Regardless, I think it takes an extraordinary level of discipline to make it without a degree in the corporate world

A degree can also show that you are dedicated and willing to learn and gain more skills. I think it shows that you are eager to increase your knowledge and become more qualified

But it is not the only thing that holds weight. Experience does and if a company takes someone who is a graduate or is currently studying and wants to get their foot in the door, then that's an advantage on both the company and applicant

But as @hearty tree, mentioned, it is better to have some idea of cybersecurity before applying for a job but in the end, it all depends on the company and their requirements

I'm going to try & get the best of both world & gain experience while in school.

I think degree + exp + maybe a cert or two will hopefully make you stand out,
might just quit my job & see if I can land an entry-level IT job that's part-time

That seems like the best

It seems that cybersecurity is the only job, maybe the only one I know, that requires some certification as well as your IT degree

Hello everyone, I'm new in this domain, I start yesterday to check the site (tryhackme) but thing is, let's say I can past some courses, and after what should I do ?
If U don't mind, some suggestions and some help it will be welcome by any of U.
I don't have have, let's say soo much knowledge about this world of "deep stuff for PC" I was thinking about the idea I can try to work if I put some interest.
If U have, let's say some begginer advice, or something like that let me know, even in private or U can let some suggestions down below.
Greatings, Anima .

no, internships generally start with high school interns. It is ok if you have taken 0 cyber courses

internships also look good as long as they are in the technical field, they don't have to be in cyber but it would be nice if they do.

The biggest mistake I see of college graduates is that they don't get relevant IT experience before graduating. Even internships can become picky where if they have a choice of someone who has done an internship before, regardless of field, may be chosen over someone who hasn't.

and if we have an intern who has interned with us multiple summers, some of them are offered part time year round internships, which would be remote unless they are local

whats the difference between pentester and redteam operator
also gm for daylight ppl
also how do u call the job where u're paid for gathering and growing infosec knowledge for a living and only interact with work ppl remotely from time to time
is it r&d ?
how much are u paid lol
and who would be looking for u
any specific requirements?

so there is pentesting and red teaming, pentesting is generally considered short engagements, maybe a week long. Red teaming is when you are working in a group and could be months long depending on the engagement

wich one do u prefer

neither? but if I had a choice, red teaming is more interesting

nice

ok ty

and when you say you don't interact with people, do you mean like no one? no team members?

i meant more like, being free from day to day schedule or agenda, or keeping it to a minimum to manage the work my way, like working at nighttime for example for the most part since it's my lifestyle working & studying routine for a while now

Gave 1 Rep to .zojja (current: #14 - 457)

guess homeworks and pain is a must at first, but i'm looking forward to the future. Like in 10 years, could I be free if i choose the right specific career in anticipation

brb

well there are a lot of jobs in cyber that have some level of freedom although if you are working for a company, usually they will want you to work kind of similarish hours as your coworkers/management

or at least the bulk of them

Look for a work from home setup with flexible time and a great company culture and boss

still I work from home and have flex time, a great boss and company culture but I also have meetings with team members and have a general expectation to be available when other people on my team are

It is more interesting, but will definitely be more stressful. You can fail an engagement by making some mistakes

You're not far off from asking for a unicorn

fail an engagement? what do you mean by that?

As someone who is currently in a role doing pentest, I too would like to know what it means to fail an engagement

Well, with red teaming you usually have an objective of simulating a real threat/attack. Even with a smaller mistake like missing a byte from schellcode, you could lose your chance to perform any other forms of an attack

That doesn't mean an engagement fails. That means you don't have as much to write up in your report. Making mistakes like that doesn't mean the engagement fails, and that kind of thing is typically waranteed as part of the the disclaimer of applicability and statement of confidentiality. Failing to bust a functional control it's a failure, it's a verification that it does work as intended.

Maybe it’s not the best choice of vocabulary for that, but a client will certainly not be happy when you specify this in a report

That you were unable to get a shell with a known vector? Usually not having a finding makes them happier

Depends on the client honestly

For the most part - I'd agree that finding things makes them happier. Most clients are not actually looking for an honest assessment, in my experience. It's almost always a compliance checkbox for them

I mean whats the difference if you go into a pentest and miss a vulnerability?

And really you are thinking too much into this, a red team engagement is usually to find holes that a simple pentest may not find, it can include social engineering, it could include other aspects

In a red team engagement report you are expected to specify why the attack didn’t succeed and writing “the exploit worked, but we made a mistake” might be a bit frustrating

what?

I think you are worrying about the small things

I've been on both sides of a red team test, its not that stressful

Definitely more than a simple pentest, which gives you more freedom in terms of attacking a certain service or any other vector

maybe you don't know what a pentest is?

I mean, not judging, but pentests can encompass multiple systems, could take a few weeks

My org separates pentest and red teaming by the types of controls they are assessing. Pentest is typically functional controls, red teaming is operational/monitoring controls

Yes, but still you don’t have to worry about social engineering attacks or other factors

Where in red teaming you most likely are

but again depends on the engagement and often they simulate what an attacker would do... what would an attacker do? most often it is phishing emails

now you may have physical assessments but physical assessments include people that are trained in that

and are more rare

Not necessarily. SE does have a place in pentesting, and it's not really uncommon for external engagements to allow qualified SE at least as part of the initial phases

I think mostly our red team, at most, does phishing emails but yes thats at a later stage in the engagement

there is a lot of OSINT that goes into it before trying phishing

With the companies that I worked with it would usually become a social engineering or red team engagement if SE was a part of it

Yeah it’s also the most common method here and I entirely agree with you both, but what I meant is that all of those things are more demanding and stressful than a regular penetration test. The human factor plays a major role, and you might not yield the expected results due to your mistakes that are harder to avoid.
If you failed to deliver working malware for example, and you specify that in a report then it looks like you are incompetent

I mean if you send out phishing emails and no one responds, thats a good thing?

I think you are overthinking it

I meant the case that someone does respond and launches your program and it does not work because of you for example. Same goes for physical engagements.

so again like that is an attack vector that requires multiple steps... step 1 works, step 2 doesn't, that means a good thing, no?

also you really trying to launch malware on a users system? probably not, you are trying to get user to click a link

and if I was a company and you tried to launch malware on one of my users systems, we would have a problem

If it’s due to a small mistake that you made, don’t you think that a real threat wouldn’t be able to exploit this?

That’s what the scope of engagement is for tbh

Not sure what you mean here. You can demonstrate impact without launching something malicious

I meant a revshell for example

well again, if you went to do a reverse shell and it failed, sounds like a good thing

You still should explain why it failed and that might be your fault

now the question would be... did your SOC see the reverse shell attempt?

which would be monitoring and not functional 🙂

yes exactly

I'll say our red team engagements are a mix of functional and monitoring

Also I supported a program that had a red team test run against it and it was an interesting experience. We had some findings, nothing horrible and overall was a learning experience. Users clicking links was still a problem but we also had others who recognized them right away and started notifying their peers.

That’s really cool, I think that the combination of a phishing/red teaming test and then showing the results to employees and explaining how they can protect is a great approach in spreading awareness

And I was part of a red team engagement against a program, we had a number of findings but there also nothing horrible Le. No social engineering involved there

I'll definitely look into it, thank you tons for your advice!!! 🙌

Azure what happens if you didn’t learn enough. What’s the alternative?

I don't understand your question?

So if you graduated college and it turns out you learned nothing from it

What happens then?

Do you take extra classes?

You do things on your own during college to make sure this doesn’t happen

well so employers understand that graduates from college need to learn the job, a degree is usually for you to learn the basics and help get your foot in the door

That's on you for not picking a good program, or more likely from what I see in industry, not paying attention and memorizing the test without actually integrating the knowledge

but also yes you should be doing self learning

I see

60% of what you know should be from the proffesor and 40% or more should be on you

and yes, that is why I say if you have a choice between a technical/hands on course or a theory, choose the more technical course

There's always things to learn in any class, even the bad ones.... sometimes that is just learning how to deal with a bad experience

If you passed uni with decent grades but didn't retain any of the knowledge, it'd be very hard for it to be the the college's fault considering in a lot of countries they are usually audited for quality

I’m in my final year of university. University only taught me the fundamentals. I had to supplement it with a bunch of outside learning.

This is common. University is not some golden ticket to some dream job. It’s an HR checkbox and a small piece of your learning journey. You will get out what you put in

Exactly

That being said employers looking at college grads might not see any work experience. So they make a conjecture that during school since you had assignment, deadlines and worked in team settings that can act as a substitute of how you might be on a job

University degrees generally do a little more than fundamental understanding, but yes, practical experience, even in basic sense would help a lot

New fresh hires are a risk that a company is taking. The more you can convince them you are lower risk via school, outside learning, internships etc the more likely you are to be hired

Be wise and use your time there intelligently. You already know most people are going to get a degree at the end of it. That is not gonna set you apart. What is? It’s what you do in addition to that

Does that sound like a lot of work? Well it is and just because you graduate you are still going to have to learn security stuff or face becoming obsolete fast

There’s a reason tech/security pays well. Because it’s tough and not everyone can do it. If it was easy anyone could do it and we wouldn’t get paid well

My boss compared this to driving recently, which I think is a pretty good analogy.
Not sure what the driving test is like wherever you are, but in Britain it's strict and comprehensive. You need to get things exactly right, by the book, or you fail. You play exactly to the rules of the highway code.

You pass your driving test and then you start learning how to drive in real life, because driving in real life isn't like the test. Yes, you have to follow the rules, but shit happens and you need to know how to handle that.

It's exactly the same with offensive cybersecurity (and I would wager cybersecurity in general). No course, no matter how good, will ever teach you what it's like to work in enterprise, or even just on live systems / real world environments. There will always be an element of teaching required when taking on a new graduate.

I.e., don't worry about it. As long as you're able to learn on the job and have a baseline technical knowledge that's roughly commensurate to the expectation of having a degree from your course, they will expect to need to teach you how to work irl.

Love it, really good analogy. It could be applied to any job role/industry and not just offensive cybersecurity

Thanks for sharing!🙌

Gave +1 Rep to @undone shore (current: #9 - 727)

Wow thanks muiri

Gave +1 Rep to @undone shore (current: #9 - 728)

Matter afact I love that analogy so much ima copy it

Hi Guys, I'm new to the community. I'm @potent eagle . I'm happy to be here.

#intros

If university is only HR checkbox, then either there is an issue with the university, or you

University can’t teach everything, but usually, as part of your degree, they will teach a core foundation that is useful and allow you to go further from there

im not saying it is ONLY a checkbox... i said it is A (meaning one) checkbox for HR in a fair amount of places ie 3 years of experience or CS degree etc. In my other comments I already mentioned that the degree is for fundamentals and you have to do outside learning

catch 22 - a ton of the jobs in the goverment security sector require a security clearance already - private citizens cannot request a security clearance (this is the USA fyi) , they need to be sponsored. - so cant get a job without clearance , cant get clearance without a job.

you can get a job without a clearance

Hi Folks, I have been first founding engineer at security startup E8Security that got acquired by VMware. Since then, I have been in leadership roles at Mesosphere (D2iQ), NIO (Self-driving car), Motive (Autonomous Fleet-Management) building their AI, data, infra, and security products. I would love to connect with folks who are L1, L2, and L3 analyst for the products and services we are building. I am also looking for anyone who can share some alert samples and investigations that I can learn from - preferrably cloud security, EDR or Network.

hello champs

hi

Hello 👋🏻 this may have been answered already, but has anyone completed the Google Cybersecurity program via Coursera? If so, wanted to know your honest thoughts about it.

I have not completed it but I have gone through it I am on course 3 there is 7 courses with 4 modules. They have good amounts of videos

They also have in-depth readings on concepts. So far they give a good entry to cybersecurity topics

Thank you! I’m currently on that program and so far, I do like the material. I use THM to supplement and practice on what I’ve learned.

Same on everything. I try to find THM rooms similar to the course im on and learn more

What's up community, I need help to access a Facebook account $$$ or someone to teach me about the subject, please

hey guy im thinking about getting into cyber security i was wondering if its a good idea to take a certificate course to get a job in this field

@cobalt escarp

i haven't completed it but if you are doing it to get a certification the Security+ is a much better option mainly due to it being more well known as well as fufilling DoD requirements. the Google cert I have not seen on job postings. That being said you can probably learn some good things ( I have the Google IT support cert). however my recommendation would be to go through the recommended path list for THM and then get the security+. Time is valuable so better to spend it on things that are a bigger bang for the buck

Need feedback on this: I worked as a cybersecurity consultant for 7 years with great technical experience, I like moving to sales department and I got opportunity to work as sales in SANS Institute which is a big name, would you take this path or stay as a consultant?

That is something completely personal man, it really depends on what you want and wh you are

true, what would you do?

I mean... Why do you want to move to sales?

Personally I would never want to work in corporate sales

But that's because 'being the best salesperson I can be' is just not my taste

You lean more towards the technical aspect is it?

Personally corporate doesn't appeal to be at all. I work in government.
But if personally I had to choose between a technical security job and a sales job I'd go for the former

But that is because of what my motivations are, and doesn't necessarily reflect who you are

Yea true, I am getting ideas at this point

I don't mind sales job but don't know how much I like it yet

In the end it comes down what drives you and what you want in a job

If you wanna hack shit then sales is not a thing for you haha

Thing is I feel like moving away from tech stuff, I like tech stuff but feels like its enough

I am still in the domain but as a sales

but still hesitant, I think I will decide on SANS 👌

That's fair enough

Other fields you can consider would be policy, QA or compliance or something that that. Management if that's your forte

Will sales also be customer relations?

I think so yea

I worked a lot as a sales engineer, but still feel like moving to sales for cybersecurity products

thanks for insight

Yw 👍

If you want a lighter workload, sales seems pretty nice, especially if you've been a consultant. The technical and soft skills will carry over and you'll be better suited to face potential business partners to form relationships and sell your product/service. The commissions you'll get once you land partnerships and rack up the sales will be good too if you're thinking of retirement or other plans in your life.

Yep, thats what I think, thanks for the encouragement

Gave +1 Rep to @dense dagger (current: #25 - 329)

Thank you 😃 this is helpful ☺️

Gave +1 Rep to @blazing wyvern (current: #426 - 10)

I’ll have A+,network+, security+, and cysa+ all by February 26. I haven’t test for cysa yet. I have 3 years experience with analog/digital telephone systems. What do you think my possibilities with the experience I have and the certs I’ve earned so far with getting a SOC or any type of security job?

if you have all those certs then I wouldn't get further ones yet. you need experience now. You should be able to get a SOC job. However you didn't mention you have practice/experience/familiarity with any of the tools. Have you done any of the THM paths? SOC1 would be good. You'll get to familiarize yourself with a lot of processes and do investigations ect.

At this point any further certificates or certs id get would be for vendor tools such as Splunk

Also you will need projects to speak about. how you built it, what problem were you solving/addressing, and what did you learn from doing them. that will fill up your resume and give you talking points during an interview

SOC roles or jobs at an MSSP should be doable. cut your teeth their and get experience and then look to move upward to to a different role

@static holly going through the recommended path and blue team route up to SOC1 will get some experience

Hello, is there anybody that i can talk and get information about latest open position (Content Engineering Manager) on TryHackMe? Thank you so much 🙂

anyone have a ccna or know much about cisco in the 2020's (my ccna is from 2000 ) im looking at job apps and "cisco" is listed but that tells me nothing so i want to know how much has changed in 20 yr

Kind of funny they put engineer infront of any job position nowadays

Kinda tradition this days

Uhhh

@cobalt escarp

:hammer: waterisalife_67897#0 has been banned.

Can anyone help me with paid vpn

not in this chat. go to #infosec-general and explain what you're wanting help with more

why would companies pay for ur oscp if u could leave them at some point (right after for example?) , is it just free for them or are u expected (contracted) to stay for a while after that

Sometimes the client requests OSCP, also they can just show off on their website etc

ah ok

most companies wont pay for that unless they think the employee is worth keeping - also having a piece of paper (oscp) means much less than you think - experience and ability to think on your feet is more useful.

Gave 1 Rep to vertey (current: #308 - 14)

ahh I see

truuue

Some companies will also have a

"We'll pay for this, you stay with us for x amount of x, or pay us back"

Tought so xd

kind of reminds me of the position i find myself in - about 50 goverment jobs in my field/area and they all require sec clearance - yes there are a few that dont require it - but the salary differences are in the 20-40K range (ie with clearance you make 120 , without you make 80) - very few companies willing to payfor the sec clerince either

erf

Many companies have a requirement to demonstrate competency and expertise of their employees within the domain and role they perform. 3rd party accreditations are used as that competency baseline, so that auditors are not reliant on companies making the claim that "they are totally experts trust me bro"

Some companies also care about the development of their employees

I mean the idea that companies won't pay for someone to get a clearance is a silly idea. Yes, it is definite a nice to have if you have a clearance but plenty of companies will pay for someone to get a clearance.

Highly likely this is a budget constraint or project planning. The onboarding and on-ramping time increase might simply not fit the projects or effort required to get it. It is not uncommon for companies to avoid that potential risk.

ya geting clearance is a pain the first time - takes over 6 months and costs the sponsor company over 30K - kind of screwed up that any grunt can get clearance - the lowest ranked army enlisted has clearance and will always be fast tracked in the cooperate world - but those of us that decided to goto collage get screwed

I know it was a while back but took me a month to get a clearance, never in the military

? thats fast

normally all the background checks and interviews takes months

I mean when I went to my briefing, the timing varied. One guy who was 60, it took him 18 months but he was the abnormal situation

age could have a bit to do with it - after all it's much eaiser to interview a school professor than the 15 managers you have had in the past 30 years

they don't quite do that, they pick and choose

I just wish more jobs didn't require it - more than a few places around here (wash is only 2 hour drive for me) - BUT i did get a letter from Lockheed asking for my resume from HR (form letter to anyone that matched their search terms) so at least 1 major gov contractor has my info 😜

point is there is a ton more time they need to look into - leagal records , people met over the years , clubs your in etc ..

yes especially for those that have moved around

I mean you can still apply to jobs if they ask for clearances, depends how desperate they are

I will also say we hire tons of college graduates every year for cleared and uncleared jobs, and if they don't have a clearance, they work on other things til they become cleared

how old were you, and what level of clearance? TS/SCI is way longer and way more expensive.... even for younger people. One of my cohort took 12 months to get their TS from the time initial interviews for clearance began

Ever had an employee refused SC, what happens, are they released or do they just work somewhere else in the ORG if they can?

If there is room in an uncleared program, usually the employee gets moved there.

I've seen it happen once

I was late 20s, my TS/SCI came a day after my TS DoD

(I don't have a TS/SCI anymore)

That's pretty wild. My cohort friend was hired by a big-5 prime contractor, and it took 12 months after the paperwork was submitted to start the interviews. This was 2016-ish

they have to find another job within the company or they are let go

now the good thing is usually if you are hired without a clearance, you will support programs that don't require a clearance on an ad hoc basis until your clearance comes in. Those teams may choose to hire you

Ah so it may all not be a bad thing then.

it depends if there is funding

Have you ever had any where SC was rejected/denied?

I know people who have had that happen

and they won't tell you why

I work in the military, depending on the country security clearances are a pain even for DoD personnel. Mine clearance came relatively quickly because I had done my renewal only 2 years prior

we were talking about initial clearance

Yes I know. Those are the same processes where I come from

It doesn't matter if it's the 5th or the 1st time. It's the same check

I'm going to assume that was in reply to Zojja

That second one was yes

Kinda funny cause in many Country/State, Engineer is a protected/reserved title (Protected by law) that only someone part of an engineer order may actually use. About 1/3 of the state in USA, and many EU country and in Canada is it a protected / reserved title

In Canada, Microsoft had many lawsuit, at both, Civil and the Professional order (they have their own court... We have criminal court, civil court, professional order court(that can do lawsuit on the behalf of other order court), and then each professional order has their own specific tribunal where their member can have lawsuit also (Engineer order tribunal, Lawyer tribunal, Medical professional tribunal, etc..) for the usage of "Microsoft Engineer" title... cause people that did the certification from engineer where neither part of Engineer order nor had an engineering degree

Ontario Engineer act ; https://www.ontario.ca/laws/statute/90p28
Quebec Engineer act ; https://www.legisquebec.gouv.qc.ca/en/document/cs/I-9
Quebec win against microsoft ; https://www.canadianconsultingengineer.com/engineering/quebec-order-of-engineers-wins-legal-battle-with-microsoft/1000018197/
Alberta also taking step to fight some tech company using Engineer title without authorization ; https://www.cbc.ca/news/canada/calgary/tech-companies-alberta-premier-software-engineer-title-1.6617742

I know the most about Canada, cause its my country, but as I said, this apply to many country and state. Before using the word engineer or saying you do engineering, better check with your local laws to check if Engineer/Engineering are protected

in the cooperate world in the us (as far as i have seen in my 25+ years in it) titles are more tied to salary than what you acctully do - more than once i have seen someone switched from a "senior administrator" to a "solutions engineer" because the national average salary is X for the admin and Y for the engineer and they wanted to pay the person more without having to raise the salary of ALL the admins in the company. its like DevOps - its a term that has many faces

Except that doing so can be illegal in many place, cause protected title

Except that those people are not being employed as civil or electrical or mechanical engineers. They're computer engineers, a group of people who don't subscribe to and are not governed by the bodies that encompass those engineering professions

Dosen’t matter, they use the word “engineer”, a protected title is protected by law. So in any country where they do so its illegal

And computer engineer is actually a thing, computer engineering degree -> join engineer order

In canada, there is only one exception to the engineer title, and its train engineer for historical purpose. Those are the only non engineer that can use the term “engineer” and it was because train engineer was there before the engineering became regulated and engineer became a protected title

https://engineerscanada.ca/become-an-engineer/use-of-professional-title-and-designations#

Yes but computer engineer is not a protected title because you're not a licenced engineer of computers. you can even do it without holding a degree or any qualification at all. There's no protection in the title

If it include the word engineer, it is protected

Misuse of the title engineer

Claiming to be an engineer without being licensed is against the law. Titles such as Professional Engineer, Professional Licensee (engineering), P. Eng., P.L. (Eng.), or any title including the word engineer or a related abbreviation can only be used by those who are licensed. This also applies where such terms and abbreviations are combined with any name, title, description, letter, symbol, or abbreviation. The use of terms or abbreviations that imply someone is licensed with a regulator when they are not can result in legal action.

Germany, Chile and Turkey has similar law in place to protect the title

Brazil and Argentina the same

It's not as clear cut as that. You don't need a licence in most states to do a lot of jobs that have the word 'engineer' in the title. Automotive and spacecraft engineers don't necessarily need a licence, and their titles aren't protected, nor are they legally in question

Depend on the state

Seem texas also regulate it

With regard to the term "software engineer", many states, such as Texas and Florida, have introduced license requirements for such a title that are in line with the requirements for more traditional engineering fields

ive been doing this fort over 25 years and i have never heard of this - yes there are some laws that need to be followed when you have international business - but it's more where your company is based and lass where your working (like taxes on stuff bought online)

Oh around here engineering order are very aggressive about that

Cause its almost instant easy money for them

Its auto win at the court

Law in place since the 1965

No excuses possible for the misusage of the term engineer

Big tech company have removed the word “engineer” from most job offer title

Except when they are truly recruiting an accredited engineer

but that's the thing, in most countries, certain kinds of jobs, like electrical engineer and civil engineer are licenced and regulated and you need to hold particular qualifications for them. But other roles, such as computer engineer are not. I have several degrees, lots of other people in professions that don't require licences have degrees but it doesn't mean that the state doesn't understand applicability or classification on various scales. I would dare anyone in your country to pursue me over my title of computer or cybersecurity engineer over the appropriation of the name. They'd be laughed out the door

Because I'm not in any way claiming to be able to do the job of a licenced engineer in their field, and nor am I trying to, and therefore they have no authority

If you work here, and use the word engineer as part of your title, and are not accredited member of the local engineer order, you are illegal

Saying “but compute engineer is not regulated” mean nothing

I'm sure every IT engineer in your area is not accredited at all

The word engineer is protected by law

Not for computing. And nobody bats an eyelid about it

Literally, the dictionary word “engineer” is protected by law

Microsoft had to rename all its it certification cause of that

Microsoft Certified Systems Engineer -> Microsoft Certified IT Professional

Funny part is half of the example on the illegal use of the term engineer on that page is about IT and computing

And when I consult microsoft website from here, it does not show engineer

where is "here"?

Canada

also google has a few "Engineer" certs

ahh yes, different countries have different protected terms

like in the US, protected titles are wider such as "Civil Engineer" would be protected here

It was the whole point of what i was saying…

and also like "Dietitian" is protected in the US, "Nutritionist" isn't. But in Canada, "Nutritionist" is protected I believe?

Canada, chile, turkey, germany, Argentina are some of the country where it is protected, and in USA, depend on the state

I hold an engineering degree, but I am not part of the order, cause I don’t want to fill the paperwork to be accredited and pay yearly fee, so can’t use the word engineer to describe me, my job position or what I do, can only say I own a degree in engineering but not more

hello

i am new to cybersecurity

Welcome. check out #intros, and #start-here

Try to help me in the path of cyber security

Need to give more info

Are you a member of Try Hack Me? If not, go to #start-here and read it

i just read it

What are your goals / trying to accomplish, where are you currently in your path, and what is your background

cybersecurity is a very big world

i am just beginner i am starting from very beginning

What is it you're trying to do? If you're just starting, you read the #start-here channel and do what it says and you'll be on the website where you can get started

You need to learn some things about Linux, Windows and networking, as well as other technologies and that site is built to help you

should i subscribe the thm or just use the free content available for now

Yeah, cybersecurity is something that cannot be learn standalone, it is an extension of the other knowledge in IT/Computing field

The more stuff you know in other related IT field, the better you are at cybersecurity...

Over 75% of the content is free and you can use that as much as you like. when you're comfortable, you can subscribe. Subscribers get access to the paths and all the networks, faster AttackBox and VPN servers. So there's an advantage in subscribing, but it's not necessary right away if you don't want to

i dont know anything related to networking but the content available there uses networking content a lot how can i learn it specifically for cybersecurity'

There are pages that teach you everything you need to know

Like if you go into the search page and search for network, there are loads of rooms available:
https://tryhackme.com/hacktivities?tab=search&page=1&free=all&order=most-popular&difficulty=all&type=all&searchTxt=network

A lot of YouTube resources too tbh

how much do you know related to hacking ? Can you hack anyones webcam if they allowed you within a LAN?

I saw thm as a guide/path with practice and anything I didn’t understand from reading I would watch a video about it

The purpose of Try Hack Me is to teach you ethical hacking and cybersecurity, not to do harm. That would be illegal

if anybody allow you to do so ?

Organisations employ ethical hackers to test their systems. They would do so under contract, with the backing of a lawyer

Most S tier hacker and OG hacker didn't learn hacking on tutorial about hacking or cybersecurity learning platform, but simply cause of their mastering of the core knowledge in IT, and finding loophole in some of the concept, and exploiting those

Most learning platform do it in ethical way, whitehat stuff

Dont take it as wrong way I just wanted to know your skills guys?

If you want to do illegal stuff (Not saying you should), its not by doing try hack me you will learn that... better learn all you can about IT and build your knowledge base, cause little public learning platform would teach you evil stuff

Goal of platform such as THM and hackthebox is to have more ethical hacker AKA people that understand what are the attack vector in the goal of helping enterprise defend against it

So we have more protector... not to have more evil force in this world

I also don't want to do illegal stuffs but don't thm teaches like this after covering a lot of content available in it

THM teaches you to be an ethical hacker. A lot of these skills would be illegal to use in other places without a contract, as if you were working for a company that does penetration testing/ethical hacking but you'll learn about that as you progress through the content

okay

Else if all you want is to do some bad taste "joke" on friend... and do some trouble, maybe what you want is a "certified script kiddies"
AKA people that think its cool to cause trouble and just try to do stuff from quick tutorial without understanding...

Basically, what I just pointed out in a weird funny way is that it is not well perceived around here, or around the general hacking community, thus why the pejorative term "script kiddies"

It's not that there's a "talent shortage" issue. It's that there's a hiring issue. That hiring issue is plagued by non-cyber security people that don't know the ins and outs of cyber security. Would you agree with this assesment? If so, how can one circumvent this? How can one get passed that fire wall, aka that HR person with no background in cyber security but somehow has been authorized to list requirements for an open position?

@sharp tide I think that when you're done with the Google Cybersecurity certificate,
they give you a 30% discount on Security+

please do your own research as I don't trust my memory, but I'm confident it's around 30% off

HR actually get their requirements from their technical team and just add a little bit more when they look for stuff. The hiring issue is no one wants to get someone who has no experience in cyber.

Bigger companies can hire more entry-level people because they have the necessary maturity in their cyber team. Smaller companies will tend to hire people with experience because they want to setup their cyber team or they’re in that process and looking to solidify their roster.

Yeah it's worth something like 50 bucks off. I completed the Google cert in about 18 hours over the free week at the start. You're better off just getting the Security+ guide or using Professor Messer or a Udemy course (Google course is not sufficient) and just paying for the exam

Rather than just doing the final exams in each module of the Google course, I did everything, including the optional quizzes and exercises

Thank you ☺️

Gave +1 Rep to @hearty tree (current: #678 - 5)

so you don't think the google cybersecurity cert is worth it?

it gives you a hefty discount on Security+ tho, right? that would be the only reason I'd recommend it

oh which I see is mentioned above

someone said it was 50% off security+ but if they changed it to only $50 off, that may not be worth it

I definitely wouldn't pay for it but it's good to complete it if you do it quickly and are considering the Sec+ cert for the money off. It shouldn't take you 6 months. Depending on your skill level it should take you one or two months

Yeah it's about $50 off. Basically the cost of one month of doing the Google course. And the Google course is not sufficient to cover Sec+, spends lots of time discussing CISSP and insisting on learning SQL and Python basics. (not a bad thing overall but probably a bit much for very new entrants)

I'm seeing redditors report 30% off as of 8 months ago
https://www.reddit.com/r/cybersecurity/comments/13dmb6t/googles_cybersecurity_certification_on_coursera/

the exam is $392, so about $117 off
= $275

the student discount brings it down to $254 so absolutely NOT worth it for me, personally

I think I'm going to do the microsoft security cert instead, it covers Azure too

eventually of course

maybe they reduced it now,
making it even less worth it

I think it actually contains the official MS training for one of their certifications on Azure. The Google and IBM courses are perfectly fine introductory material and good to get if you can do them quickly and cheaply, as having the IBM or Google name on your CV/resume might impress. Similarly with the MS one. They at least show interest, and at least a good level of beginner knowledge but the MS one has the advantage of preparing you for a full certification credential

It’s only “worth it” if you can complete it within 2 months or less.

Any more than that and you’re losing money since the value you’re paying for the google cert is way higher than the value you’re getting for the discount voucher.

wow, this is really cool, I somehow missed that

it gets you ready for Microsoft's SC-900 "Microsoft Security, Compliance, and Identity Fundamentals" certification,
I'm definitely going this route

the whole cert isn't based on Azure, but it is indeed covered

thanks for the heads up, I was actually debating between Google's & MS's cert for a good while

Gave +1 Rep to @rugged delta (current: #23 - 334)

one of the subjects covered:

this cert would be very basic, I mean its good but I'd recommend a non-900 cert if you want something that helps you with getting a job

and there are lots of free resources for the Azure certs. John Savill on Youtube has some great stuff (he works for Microsoft)

hello guys! i have recently been interested in cybersecurity and i am currently doing a free course given by Google Cybersecurity Jam, after I finish this course can anyone give me a website of possible roadmaps or any information regarding any cyber security path? would love to talk in dm if you are a cyber security professsional, Thanks for reading this.

You can join Try Hack Me by reading the details in #start-here and ask your questions in the channels on this Discord. Lots of us would be glad to answer here and you can search previous queries using the search function in the top right

unpopular opinion alert 🚨

in 1.. 2.. 3..

im scared of dedicating too many hours to a field, just for it to show as overated at the end. Neither as smart as maths and physics neither as lucrative as finance. When was it that the technical side made lots of money without constantly overworking that a** for someone else. The skill matrix is not fair. Might as well buy restaurants

also constantly changing, must end up being all old and obsolete knowledge.

change my mind plz!!

brb

When it comes to a career in cybersecurity, it can be a challenging field to get into, and the level of knowledge required can seem to be overwhelming. Many of us will say that it isn't an entry level field, and by this, we mean that generally those of us who find security an interesting topic, generally have a high level of knowledge about things like computers and operating systems, networks, programming or other faculties within the general computing realm.

Many of us will have spent a number of years building a strong base in our preferred area, such as Windows or Linux or coding or web development, etc. Others are curious right away about how broken things are and build up their skills by learning the systems and then the security issues with them. When people in the industry say things are constantly changing, they don't mean that everything that was relevant two years ago can just be thrown out the window and all your old knowledge is useless and you have to keep starting over again and again.

What they mean is that there are certain standard technologies and skills, but that new techniques and technologies are developed and new exploits and ways to break things come along and we need to keep refreshing our knowledge of these things. It's like how for many years there was a focus on buffer overflows, a means of exploiting an application by feeding it data to cause an error that allowed you to make a computer do something it wasn't intentionally programmed to do. While those things do exist, there's more of a focus these days on things like Active Directory and web app issues, new ones of which keep surfacing.

Also, organisations need to keep making decisions about the tools, techniques and technologies they implement to both carry on doing their business and also protecting and configuring their systems to ensure ongoing functionality and quick recovery from issues encountered...

But when we say it's not an entry-level field, we don't mean to discourage new entrants from trying. We just try to encourage them to keep investing in themselves by encountering new technologies and learn as much as they can about them in order to improve the way they can offer protection to an organisation through these systems.

So it's very important that someone new to the field has an environment they can learn in, where it's fun, engaging, challenging and encouraging and makes them believe they have what it takes to explore further and develop their own skills using the tools and facilities provided to them; and also lets them consider what they need to invest in their ongoing endeavours to achieve their goals.

good insight ty for complete answer

Gave 1 Rep to so_much_for_subtlety (current: #23 - 335)

just to clarify, it's just kind of included with the Microsoft Cybersecurity Analyst Professional Certificate

I'm not sure if I would actually go for the SC-900 after that,
but I've got my scope on the MS Cybersecurity Cert for sure

just gotta wait, as I'm doing winter school & the classes eat up most of my time right now 😛

I'm confused, what certificate? Microsoft has certifications

Yeah but they have a cybersec certificate on coursera now the same as IBM and Google

Why would you do that though?

Just for absolute fresh folks to show they're learning something... I flew through the Google one in a few days last year just to see exactly what was in it and whether it was worth anything. It's good to show you have an interest in the field but it's not going to get you up to entry level for a job

Microsoft learn is pretty extensive and provides training for the Microsoft certs

It just seems pretty useless

And employers don't place value on certificates

For real? I was trying to get OSCP and so on...

OSCP is a certification not a certificate

Certificates are usually offered for an online course

Oh, alright.

But like you can find answers online for certificates and super easy to learn nothing and gain a certificate

I think the THM certificates has some pretty values on them... but yeah. You can do the "easy way" trick to get them.

At least for me, you can learn a lot from them.

You can learn certainly

Many entry level jobs don't require any certs or job experience, but they do require you to know the fundamentals. THM gives you that solid base to answer any question that they throw at you in an interview. Be prepared to answer anything with confidence.

No point wasting money on any particular certificate if the jobs you are applying for don't require that cert. Always be cert ready for whatever certificates that they require. Let them pay for it.

again trying to make the differentiation between certification (this is something that employers value) and a certificate (which is really a certificate of completion)

and also it can be wise to spend some money to get a certification to put yourself ahead of others. And entry level jobs will want some job experience, whether it is internship or something else

Entry level jobs don't require certification. Once you have a job they will pay for that.

for a friend who doesnt have a college degree at 30, is ejpt valuable in his case or not even since they will say the degree is lacking?

I didn't say they require a certification, I said it is something that can make you stand out. I'm not talking about 20 certifications, but 1 or 2 can make the difference between you getting a job or not

ejpt isn't really recognized and from my understanding it is super basic

I see

Ideally, but employers want more from entry-level positions such as X number of years of experience which is really strange.

Having certification with no job experience isn't any help, when they want someone with years of experience.

too bad

Thanks

Gave 1 Rep to .zojja (current: #14 - 459)

basically you should remember when you are applying for a job, you aren't trying to meet the base requirements, you are trying to be viewed as the best candidate

Aside from what Azure has said, it depends which area within cybersecurity do you or your friend want to specialise in.

he prob just want a substitude for a degree, not sure what his job title is, will ask

Like I said, many entry level jobs don't require certs or experience. They want you to know the fundamentals.

Agreed, but as the market gets more competitive, you have to be able to set yourself apart from others just to even get an interview.

but like I said, if your competition does have certifications, that can make them stand out and be considered a more valuable candidate

Knowledge is the key to doing well in any interview.

and saying an entry level (IT) job doesn't require experience is a bit misleading, they will generally want you to have had some job previously and if you are graduating from college, they will want you to have an internship / part time job

you won't get to an interview unless your resume stands out

There are a lot of jobs going at the moment stating no certs or experience needed.

stating that is one thing, actually getting an interview is another

People just want to jump in at the deep end. Which is not the way to go about it.

I'm just stating the market is tough, when we do job listings we get 50-100 candidates for a single job, we only interview 3-5 people

I hear you.

Some jobs go unfilled for months. They are screaming for workers in this field.

and you should see some of the candidates that we get, they are certified, they have home labs, some are involved in the cybersecurity community, giving presentations at cyber security conferences, and these are people fresh out of college

well senior level jobs are certainly hard to fill

The biggest problem is that entry level to security specific roles often depends on someone's knowledge and history in security-adjacent fields

Plenty of free online courses will give you that knowledge and history.

Online courses may give you the knowledge, but not the history

I'm just trying to save people new to this from wasting their money on certs that won't get them a job.

There are also a lot of soft skills that are very often learned in other fields, but are absolutely critical to having success as a security engineer or secops engineer

Re-enforcing they shouldn't spend money on certs, except possibly the basic HR filter ones, is one of hte major things that those of us who hang out in this channel say quite a lot

Proof of years of study is history.

If someone can't even get the interview, my first advice is to check the local job reqs and see what employers are valuing

I mean we have a lot of beginners that are looking for work if you are hiring based on the qualifications you have set forward

if that proof is an accredited degree, I would agree. "proof of years of study" from anecdotal evidence won't really be valued

my linkedin, this channel and even whole discords are full of people who have put forth study and trying to find their break

Entry Level jobs stating no experience needed won't have people with degrees going for them.

sure they will

You'd be surprised about that

One of the previous SOC jobs I worked, we had an opening for an entry level analyst. We had candidates with 20+ years of IT experience and others with M.Sc in Cybersecurity applying for Analyst I positions.

we get a ton of people graduating from college applying to our help desk positions and thats why we have so many people in our help desk with college degrees

You both make it seem a lot harder than it really is.

the reality is that it is hard and what makes it harder now is there are a lot of people who got laid off from various tech sector jobs who had 1-3 years experience in other areas and some of them did decide to look into security

I agree that you should make yourself stand out. But that really comes down to confidence and how well you present yourself.

but we are going to have to agree to disagree, it would be nice if the job market was more friendly to people with minimal experience, its just not

Where I am there are at least 70 new job listings a day. Thousands are sitting unfilled for months.

Maybe we see things differently because of where we live. I generally agree with what you are saying.

Sadly, this is the truth.

I'm spending a lot of time trying to get a job and it's been a while. I worked a lot trying to "standing out", but what can I do more than keep trying?

There's no "get more confidence" pass or something like that to get the real job in the end.

I'm set on doing the Microsoft Cybersecurity Analyst Professional Certificate
https://www.coursera.org/professional-certificates/microsoft-cybersecurity-analyst

I very briefly applied for (web) developer positions, one of the companies where I interviewed literally had 17,000+ applicants for an internship position 💀

it was remote, but still,
the competition is ridiculous out there

Web developer jobs are almost impossible to get. I am a certified in it. Cyber security jobs are a dime a dozen. Completely different.

I think most people's experience is the opposite
I see few cyber jobs in Europe
Even internships ask for prior experience

Companies prefer experience to certs, here at least

I was getting close, but I realized that even though I absolute love coding, I'm not sure that I want to be programming 40 hours/week.

I still enjoy it, but I prefer to change things up. Even at work, I loved crossing departments & helping everyone out

keeping my fullstack skills alive at least as a hobby

@hearty tree when I was doing the course they told us that it was insanely hard to get a job. I was just doing it to learn coding for cyber security.

So when we say no experience are we talking about someone with a bachelors ?

it makes sense because you're trying to get into a field with an arguably low entry barrier

so you need to stand out really well from the applicant pool

You will most definitely not be programming 40 hrs/week that’s for sure.

Depends on the context. E.g., someone from a non-IT sector pivoting into IT

I figure in a professional setting there are meetings & general discussions that aren't strictly programming,

but if not programming/discussing business features, what other things would you be doing as a web developer?

even though I'm just learning, I maybe felt burnout from trying to develop my skills & build projects
(haven't done anything really cool, but my Github's on my profile if you're curious)

@clever lagoon I found an internship in England for a cyber engineer in a few seconds, that doesn't require any prior experience. Jobs seem to be available.

Remote?

Or presencial?

@odd ice I think it was hybrid. I could be wrong.

Oh, ok. I could try to search there then. Here in Switzerland at least, it's a little bit harsh for me.

@odd ice I just checked, they said they were embracing hybrid working.

@warm hinge your resume should be specific to every job you apply for and list the skills that they require in it.

I'm no hiring manger,

but I'm sure you can phrase things from your work experience that could help you in an IT support setting

I don't know what unrelated job experience means (in your case), but it's a huge difference between someone who has worked versus someone who hasn't had their first job yet