#cyber-and-careers
Only the impact I found, in that metadata for specific content would be disclosed using an IDOR technique.... honestly not sure why it got paid out, they were notified over a year ago that it was a potential problem. My thought was that the disclosed metadata was already available if one viewed the content on the platform via direct URL vs using the web front end to pull from the CDN.... but whatevs, that's not my circus
Okay, I'm a little confused now, I understand what everyone is saying, but what are the typical clients looking for?
That's an interesting one to pay out over lmao
What do you mean? Client in which perspective?
Just in general
A report detailing the strengths and weaknesses of the system(s) in scope.
Could be Amazon or some startup
They're looking to see if there are any security issues, basically. That's what they want to know. The product is the report.
Not my circus! I did my due diligence, was told 'ok cool man' and then nothing until we saw the bug bounty payment. Half considering it's a payment just to keep the bug hunter engaged tbh
Clients in general aren't really a thing. Web client is different than a customer who is a client, vs a contractor who has a customer that is being paid by a client for the contractor to do work. It gets really really confusing if you want to only talk in generalities
Got ya!
Let's say a client that is looking to have their network breached so that they can patch whatever the fault may be
Let's go with the most basic definition and assume that the customer has engaged you as the consultant (or, your firm) to conduct the pentest
(Not website)
Ok... so time to explore your question from that perspective. A network pentest doesn't really care about applications except if they can be leveraged or pivoted from to gain access to private network or networks behind the secure boundary.
Well, you just answered your own question there.
Chances are they would be looking for an external infrastructure review in that case.
You would look for issues in whatever infrastructure they scope, then report on that.
Lol
So the client is looking to see the exposed ports and IP addresses, what the threat landscape looks like from that perspective, and what the potential consequences are of having those ports be exposed. Network topology can play a huge role in that threat landscape, especially if that network environment is used to be a giant monolith block of something like a /10 that has all the internal devices on it.
Then again, if your marketing team are on the ball, chances are you get an internal infrastructure test scoped in as a separate phase lmao
Would you say that, for the most part a client would feel less confidence in your ability to identify a potential breach? Wouldn't this damage your firm's reputation?
Wdym?
You’re being very condescending and that’s not okay. I can vouch for Zumi. I know that he’s an experienced penetration tester that works as one professionally.
I recently did a pentest of 120+ network devices which had specific routing rules to only accept connections on certain ports from specific IP addresses. Would you consider it a finding that we were not able to find open ports on the public facing side of those devices?
Let's say I have a small Cybersec firm and we got a contract by a client requesting a pentest engagement. If I were to take that contract and, after some time could not find a breach. Wouldn't that make the client feel less confident in me and my firm's ability regarding pentests?
Again, not trying to flare up anything, really looking for opinions
You should work for someone else in the industry before you try to start your own pentesting business, if that's where you are going with this. Get the experience of what's reasonable first hand instead of farming theoreticals which may not match reality.
Not my plan, just was for demonstration
As a pentester, you should not be finding breaches, you should be causing them (within allowed scope)
I was curious on it earlier today
Any time you have a finding of "I didn't find anything" you should have a caveat that just because you didn't see it today, doesn't mean that it doesn't exist. The test is a snapshot and does not guarantee security either before or after the test is completed.
Okay, I understand!
(Sorry if I was being annoying with the questions)
(Needed some input after reviewing some course work.)
Nah you weren't they just decided to give you the encyclopedia of responses to answer your question
He's been a junior pentester for roughly 6 months last I checked.
Frankly, I don't care about that. It's valuable experience, and that's a good thing.
Where it becomes an issue is if you start spewing rubbish to people with less experience who are looking to learn.
Where I take personal exception is if you then turn around and double down on said shit. Repeatedly.
At the end of the day, the statement was wrong. Worse, it was an easily disproven opinion presented as fact. Any semi-experienced pen tester will tell you that.
The correct response was "oh, yes, those examples make sense. I will bear that in mind".
The incorrect response was "agree to disagree".
I have limited patience, and I do not suffer fools for long.
Pretty much what Juun said, yeah.
If you don't find anything then it's really important to explain what you did, why you did it, and how you reached that conclusion. Basically for that reason.
A pentest starts with a methodology. Most teams will have their own methodologies for specific test types, built out over an extended period of time.
You follow that methodology, and expand on specific issues or points of interest when you find them.
If that methodology doesn't turn anything up then that's okay, as long as you communicate to the client that you have followed it.
Understood! Thank you.
And yes, there's always the points that:
- You have finite time for testing. A threat actor does not.
- They could introduce a new vulnerability tomorrow.
Both are worth mentioning
You seem to be indicating that completely secure systems, within the scope you check, exist and your inability to find a vulnerability is indicative of the lack of holes in the system. I’m pretty sure all Zumi said is that vulnerabilities that you aren’t able to find more often than not exist.
The way you’re condescendingly disparaging a member of the community without even bothering to understand what he’s conveying is crazy
That's a very naive way to read what Muiri said. There's a huge difference between "we report no vulnerabilities, checking for X, Y and Z at this time" and "there are no security gaps in the software."
The second is actually impossible, as it would require effectively infinite time to test all possible inputs.
He literally said that it's impossible for a system to be completely secure.
There is no way to misinterpret that. And it's incorrect, yes.
He then said (and I quote) "if you truly cannot find a vulnerability of any kind there is some kind of knowledge skill gap that needs to be fixed".
Again, that cannot be misinterpreted. Again, it's rubbish.
R/ the first point, I provided examples of how a test could legitimately have no findings somewhere above in this chat.
R/ the second point: yes, it could be a skills gap. But it's a long way from being the only possible explanation.
That being the message containing the paragraph I quoted, yes lmao
I don't see where Zumi said finding no vulnerabilities due to a skill issue would lead to someone concluding that a system is completely secure.
Oh, and while we're at it, suggesting that's the case is a really good way to fuel imposter syndrome
If it’s not possible for a system to be completely secure, then yes it could always be attributed to a skill gap. Unless you think otherwise
This argument makes sense
It's perfectly possible for the scope of a test to be completely secure* based on the point-in-time snapshot you've taken.
I put an asterisk there for a reason. The key part is point in time.
Let's say, for example, that your entire scope of testing is a single web page, with a few input fields, for one reason or another.
You can check for a whole range of injection issues, including weirder payloads from your methodology, but you find that everything comes back clean.
You can check TLS config, and server headers -- the low hanging fruit -- but you find that they've been hardened. No issues.
So you write up the report.
Based on existing knowledge and your standard methodology, you haven't found any issues at the time of testing.
A week later, log4shell drops and the form is vulnerable.
That's not a skill issue.
The vulnerability was there, sure. Turns out the application wasn't entirely secure.
But pentests are point-in-time. They're a snapshot.
How the hell were you to know about that vulnerability in the backend logging library before it was released? You're a pentester, not a security researcher.
At the end of the day, your point in time snapshot did not contain any vulnerabilities. There was no way for you to know any different.
And that's fine. That's just how the job works.
So it boils down to your opinions on a system being totally secure (at a point of time or in general). Zumi believes that there is always some vulnerability while you believe that the vulnerabilities you check in some finite amount of time might not exist. Then it can also be argued that you should have been able to know which vulnerabilities to check for at that time. It just becomes a matter of semantics after a while of arguing and I think that’s why Zumi said to agree to disagree
No, that's not the point at all.
There's always scope for something to be vulnerable. That's a given. Your application code base is completely fine, but someone finds a vulnerability in the reverse proxy next week. It happens.
I'm not disputing that.
I am absolutely disputing the two points that Zumi made.
- It's impossible for a pentest to legitimately return zero findings.
- It's a skill issue if it does.
Both of those are just blatantly wrong. There's no wiggle room there. No room for debate.
Then it can also be argued that you should have been able to know which vulnerabilities to check for at that time.
Yes, absolutely. Not disputing that at all. If a vulnerability is known to affect the systems you have scoped then you should absolutely be evaluating whether it could apply to the test.
Again, no one said any differently.
It's the vulnerabilities which are not already known which you can't test for (obviously).
Again, using log4shell as an example. I would not expect a pentester doing a webapp review of a Java application in 2019 to have gone and audited the entire log4j library. That would be insane.
I would absolutely expect them to check for log4shell in 2025
You’re misquoting horribly. He did not say it was impossible for a pentest to legitimately return zero findings. It’s by definition possible if zero findings are returned unless you mean that a perfectly done pentest can not possibly return zero findings. And for the second point, you seem to have agreed here
No. That is not a skills issue.
That's the whole point lmao
It's not the pentester's job to go find previously unknown vulnerabilities in third party components, or anything which isn't explicitly scoped. If they happen to find a CVE while doing a scoped test, then that's awesome. It's not the goal though.
I will say that this is an impossible scenario, you will find vulnerabilities...
Which part of that was misquoted?
I think the major divide here is that you seem to be talking about going through a checklist of vulnerabilities and them not existing while @hallow sparrow was talking about every possible vulnerability in general, whether previously discovered or not
“It’s impossible for a pentest to legitimately return zero findings.”
Yeah. I'm talking about a pentest, which is what the OP was querying.
God only knows what Zumi was talking about.
So you just made the assumption that he was referring to what you were thinking about and “corrected” him based on that?
I made the assumption that he was attempting to answer the question he was replying to, based on his own pentest experience.
I think that's a fair assumption to make, wouldn't you agree?
Rather than just dumping a random security research answer in response to said pentest question.
Which of those two scenarios seems more likely?
Perhaps but I wouldn’t go condescendingly berating someone without clarifying further
🫡
Also, those are the same thing, with slightly different wording smh
No, they really are not
@hollow falcon Take in the responses you have read on here, compare them to your uni courses. Then, apply it when you get into the field and make adjustments as you navigate the cybersecurity world.
Best advice
Perhaps I wouldn't be condescending if he didn't do this every five minutes (hyperbole, for the pedantic in the room) lmao
And again, clarifying the obvious is just dumb.
What's the difference then?
Absolutely this
One is dealing with just the scope of your pentesting while the other is referring to every possible vulnerability
Okay, and what exactly, in that original message responding to a question about pentesting, makes you think that it's not talking about pentesting?
“If you truly cannot find vulnerabilities of any kind”
Okay, and now put it in context of the question. Which, again, was about pentesting.
Making the assumption that a response directly follows the context of the original message is a fair thing to do but completely disregarding the context of the response itself as well as not bothering to clarify further is disingenuous
As a general rule, conversation does not flit about between topics. It is built on context. The first message leads to a response, which leads to another response, etc.
I cannot believe I apparently need to explain that.
Anyways
That’s about my opinion on the matter
Okay, I ask again. What, exactly, in that message, leads you to believe that the context has been dropped?
Are you aware of how condescending you are to everyone
Because to anyone sensible, this would read as:
“If you truly cannot find vulnerabilities of any kind [in the hypothetical pentest we have been discussing for the last 5 minutes]”
And this is just not true at all. This deterministic view implies that the direction of a conversation is completely decided by the first statement or chain of statements
As I said. I do not suffer fools.
I am perfectly lovely when not confronted with idiotic arguments made for the sake of arguing.
Apparently not
And you seem to be arguing for the sake of arguing after I just explained to you what Zumi’s message was referring to
It is.
That doesn't mean that the topic of conversation won't change throughout the conversation, but the new topic will always be linked to the previous one.
Even if that link is something as tenuous as "Oh, by the way, on an unrelated note..."
Which continues the same conversation seamlessly.
So, what, someone says they think the weather is good, and you reply by saying that you rode an elephant last winter?
... That actually wouldn't surprise me.
There is some relation usually. Hence why Zumi didn’t reply with the mass of the sun to his question
You know full well that Zumi's message was talking about pentesting. You're arguing for the sake of not losing smh
As per.
It’s a simple concept. Not surprised you’re arguing
I can’t lose because I don’t have a stance here. I simply explained to you what happened since you apparently couldn’t understand it on your own
As per usual you’re arrogant and confused
🫡
Right. Okay.
Let's clear this up.
What happened was that Zumi responded to a question about pentesting, with an answer which contained zero indicators that it was not about pentesting.
If, in fact, it was not about pentesting -- which I grant you is possible -- then it should have given even the slightest indicator of that being the case. It did not. Therefore it can be assumed, without further clarification, that it answers the question which was asked.
That is a basic principle of communication.
If it turns out that it was not about pentesting then it is up to Zumi to clarify that. He did not.
The only person arguing otherwise is you.
So in this instance you are telling me that Zumi meant something to which he didn't so much as allude to, despite him not giving any indicator of that himself.
Ergo, you're talking shite.
Hope that helps 🫡
The only judge of what Zumi meant is Zumi @hallow sparrow
Ergo, your argument is total bull as usual
Oh sweetie. That's exactly what I just said.
Reading through your text just once is more than enough for me
Until then, how about we accept the obvious, and indeed socially normal interpretation, rather than spewing a whole pile of bull on his behalf 🙂
I don’t think you’d know what’s socially normal. How about you use slightly more nuanced context and stop thinking your opinions are facts
How on earth is it abnormal to think that the answer to a question should address that question?
It’s telling that you’re being insulting towards not just the original person of question, but someone who is simply elaborating something to you
You're not "simply elaborating something" and you know that full well
typing a novel over here
I’ve already presented my stance. Go back and re read if you want, sweetie
See how you’re arguing for the sake of arguing
And on that bad faith note, I'm going to go and find dinner.
Zumi, if you're planning to make a sensible response, please feel free to ping me.
No, that's actually a much better response imo ♥️
I'm not going to "rip that to shreds".
Now that everything’s clarified, enjoy your dinner
A disclaimer on every post is a bit much lmao.
What I would ask though, is if you aren't sure of something, put it in context, and express it as an opinion.
e.g., basically what you just said.
So in the original context "in my experience with specifically testing hardware systems, it would be very rare to not find anything. I'm not sure about traditional pentesting."
There's absolutely nothing wrong with saying that. No one is expected to know everything, and it's absolutely fine to lean into what you know.
The only time anyone will attack a statement is if it's presented as a fact and it's wrong -- especially in here where we have predominantly people looking to improve their experience.
Hardware based pentesting such as OT pentesting you'll find a lot of vulns speaking from experience
Yeah, lots of things are clearer cut 😄
Pentesting is a good example. There are a wide range of recommendations which we can give for a specific issue. That can make it feel fuzzy, but at the end of the day, it just comes down to experience as to which are actually sensible.
For example, to fix an SQLi, the obvious (standard) suggestion is prepared statements. Only thing stopping you from saying "remove the whole system" is experience and common sense.
pentesting report remediation recommendation: Just turn everything off
But on the flip side, I have legitimately had a case where my recommendation has been to decommission and replace the system.
you can't get hacked if it's turned off
When I see a windows 2007 server
Simply because it was so broken, and so sprawling, we could have been there for literally years testing it and still not found every issue.
Very true, yes. I did say that earlier lmao
It was too much text, didn't feel like reading
That... is extremely fair
Oh god damnit. It's 0220. Reckon that's too late for dinner. Ah well
It's breakfast
... Now there's an idea 
But yeah, I've had experiences with my friends running nmap and breaking a whole production environment cause OT devices can't handle it
Yeah, uh, I know a guy who did that to an oil rig.
Know personally
More as in, someone else, or yourself
Lmao, yeah, there's a reason why I don't deal with OT
Just one small bug is a CVE in OT
Speaking of, I have a whole new network detection system to learn about this weekend
Got a budget of 8 hours
Welcome to consultancy, we deal with budgets in hours
Where you located
Any tips for the SAL1?
I have taken the SOC simulator and I always get a low score in the classification section even tho the AI it's good. Here is my overall analysis by the AI:
"
Your reports provide a detailed analysis of the incident, covering most of the essential aspects of the 5Ws. However, there is room for improvement in how you present this information. The structure could benefit from a clearer distinction between repeated details and unique incidents to prevent redundancy. Additionally, ensure each report stands alone with complete 5Ws coverage to improve readability and precision in communicating critical incidents.
"
Should I make a separate report for each distinct alert even tho they are coming off from the same user?
For example:
Data exfiltration with the use of .exe with (multiple same reports)
Access to sensitive files using the commandline
So what should I do is make a separate report for each distinct alert? And did you guys ever use Splunk or any other tools provided in the SOC simulator? I just found myself using their imitation of VirusTotal tool, I don't remember its name.
Thank you for your help!
Copy and pasted from #infosec-general
I'm french
Hello! 👋 Looking for the best starting project. Something worthy of posting on Linkedin or X after completing.
Completed my CompTia Security + cert and want a good starting project
Working through the curriculum on tryhackme
What do you mean by project 🙂 ?
I'm converting to cyber, so I don't have any professional experience at the moment
Want hands on projects is all I am looking for instead of cyber security theory
I have the theory and IT experience. I need cyber hands on projects
Workshops, labs, practice environments
I apply for positions but I need to bolster my experience with hands on so I can add things to my tool box. Try hack me is providing that, however I put it out there so I can get into the weeds and learn core fundamentals
What will get me hired
I thought that was the whole premise of the try hack me methodology
You can check a list of network labs on THM on the link below 🙂
https://tryhackme.com/hacktivities?tab=network
Nice, focus on challenges/CTFs and try to learn and practice as much as possible 🙂
On the website is what you are referring to correct?
I have my Security + so the info seems basic however I like completing the rooms and earning the badges
anyone know a good resume template?
google 😉
Security + doesn’t really delve into pen testing at all does it
Is it worth getting all CompTIA A+ certs for a level 1 job
Methodology wise
I’m sure that would look impressive on your resume
I’ve only read the first 3 chapters of sec + but it seems much more theoretical than thm material
AwesomeCV is good
If you don't know or cannot articulate the parts of a computer, their functions, and troubleshooting methodology then I would say maybe. If you can do the above then my answer is no.
There is also only one CompTIA A+ certification, it's just made up of two exams
You're correct in that Security+ is not an overly technical exam and does focus on theory. Its purpose is to ensure you have a baseline level of security knowledge.
You should look at various websites and tools about the correct way to arrange and formalise your cv. Manager speak isn't really the goal. The kinds of content you want are clear, accurate, descriptive speech about your work and education history, certifications you've been awarded, skills you have, projects you've completed, professional development, related pursuits/hobbies/pastimes/achievements if you still have space. Ultimately, you're just trying to show you have the skills they need to hire for
so i can skip all the fluff and buzzwords?
good
the word spearheaded makes me cringe
Sure, there should be no fluff, or buzzwords. Just accurate records of your abilities. Stating that you did a certain job, and your responsibilities/achievements were x, y, & z, etc. That you hold certification a from org b and it's valid until time c. That you know how to use systems 1, 2 & 3. Including a blog or writeups or other personal projects can help; such as competing in CTFs, building a home lab for various projects, etc...
Medical device
Indeed
Has anyone here ever worked as a Network technician? If so, how is the job? Also, would it be a good starting point for someone who wants to become a network engineer later down the line to advance my career?
I’m applying to tons of cybersecurity internships, still have 1 more year left.
I got 1 interview so far, and was wondering how I could improve and get more faster?
I’ve been using jobscan AI in order to improve my resume to match with the company position description and get through ATS.
Does this method work or do I need to be doing more to get through ATS?
Yes. That's why I like try hack me
Hi there is it better to build a kind of all around knowledge while focusing on red teaming for example or to completely focus on red teaming
Imo try to get the resume past the filters maybe finding referrals. Or try to get in touch with hiring managers
I’m interested to know the answer to this too
Personally i'd say completely focus on it so it's just that for now. That would work better for me
I guess that makes sense. If you start focusing on other things you might lose focus from the main thing
I worked several years in a data centre NOC, monitoring networks, servers, connections, installing copper and fibre cables in/between data suites, to telecoms providers, installing, maintaining servers, VMs and virtual/cloud platforms. I got to work with a broad range of technologies. If you want to work as a network technician/engineer, you would most likely be expected to pursue the CCNA/CCNP routing/switching certs as you progress. They'll teach you a lot of the skills you need, as most orgs use Cisco equipment, and a lot of non-cisco equipment uses a similar interface. It would also be beneficial to learn about Windows/Linux, scripting with Python or bash and more as you progress, but take your time with it
Comment about Security +. If you actually study the material it absolutely helps you understand the cyber domains and verbiage used. If you are just studying to pass a test then that’s not learning a profession. That is simply showing you are a good test taker.
I am a network technician and the experience you will get working as a technician, working with networking tools/equipment on different worksites would help your understanding as a network engineer in my opinion. I don’t know much about what the network engineers in my organization do aside from monitoring/logical controls of our network but to my understanding yes it will translate. A little of what I do: workstation setups, installing and deploying printers on our network, re-imaging pc's, responding to and closing help desk tickets, repairing ethernet wall outlets, replacing voip phones, installing/replacing WAP's, and using logical tools to reserve IP's for devices like printers on our network.
P.S. I enjoy my job, as a caveat your enjoyment will likely depend (largely) on the organization you work for.
Hey guys! 👋 Sorry to bother you, but can anyone guide me on what I should do after the JR pentesting path? I just don't want to get stuck in tutorial hell and want to do something with value
Any suggestions on what to tackle next? Also, when’s a good time to dive into bug bounties or start earning a bit on the side? currently it feels a bit overwhelming
If you're interested in bug bounty check out Web Fundamentals and Web App Pentesting Paths 🙂
Thanks
Just out of interest, what do you think that "red teaming" actually is?
I'm curious, do you guys travel a lot or is it more of a work at the job rather than hybrid?
It’s mostly traveling to affiliate sites and responding to their tickets
ohhh so im going to have to travel if I wanna be one
was it hard when doing internships for it?
I think it just depends on where you work. You may not be required to travel and I did not intern for the position “)
thanks again sorry for the constant questions btw it's just so hard to choose what field to take 😩 so many options.
No problem at all, I’ve enjoyed discussing it with you. You’re on the right track by asking questions.
hello there, So currently I am a student pursuing my bachelors degree in cyber security and I have learned all the basics and have finished the Jr pentester path on tryhackme and i have solved only like 3-4 ctfs and want to improvise more as currently I am stuck and I do not know what to proceed with next. Which are all the beginner level ctfs i could start and How could i improvise my skills as I have my job placements coming up by the end of the year and I want to be prepared to land my first job? Could anyone help me out on this?
What I meant was pentesting
Hello everyone, please i will like to get your ideas as far as my CV is concerned. Im looking for an internship or apprenticeship in cybersecurity domain. Can I share it here to have your views ?
Do share, we are here to help
Just block out personal info
You'll need to verify. Make sure to post it as an image as people don't like having to download files
Pentesting != Red teaming, although my point applies to both.
Remember that any kind of hacking is just applied knowledge from other technology domains.
It doesn't make sense to "just learn hacking". That won't get you anywhere.
You need to learn as much as possible, about as many topics as you can. That's what makes a good hacker.
e.g., for pentesting. Let's say you have a piece of networking equipment, or a web server. How are you meant to identify vulnerabilities if you don't have a good idea how to configure the thing properly yourself?
Methodologies are good, but pentesting should never just be a checkbox exercise.
Hello, we have a Cyber Security Learning Roadmap on the site that might guide your journey: https://tryhackme.com/hacktivities
Do you think the content available on TryHackMe equips you with sufficient skills to have a decent chance at completing bug bounties?
I recently moved to Canada with my family and have been applying for IT support roles to gain local experience, but so far, no interviews. I have 5+ years of experience as a Service Desk Technician II, recently earned my Security+, and I’m working on my CCNA.
I’d love some advice on breaking into cybersecurity here. Do employers prioritise experience over certifications? What’s the best way to transition from IT support into security roles in Canada?
Any tips on positioning myself better and landing a stronger opportunity would be hugely appreciated!
I understand what you are trying to say, it's important to know the ins and outs of systems and networks...etc I can only try and do my best to grasp this vast amount of knowledge. As someone without any formal learning and a late beginner I can't help but feel as it's a bit of a race against time. I've gotten some ideas on how to continue to improve. Thank you for taking the time to answer and help.
Yes I am aware of the roadmap. I have completed the penetration tester path but I feel that there is still a lot to learn. I've gotten some ideas on how to continue now, I might complete some other paths too as they also seem interesting. Thanks for the help
We don't allow members helping with academic work, sorry.
Hello out there. 3 years as a Geek Squad agent, 6 years as sysadmin, love cybersecurity. IRL tower attack/defense. Just finished BS in cybersecurity, earned a few certs Sec+, CySA+, Pentest+, SSCP, and looking to make a career change. Just started studying for provisional CISSP. (No Endorsement) Any guidance would be appreciated. There are so many directions to go from here. Thanks everyone.
ah ok, im sorry. thanks for letting me know
Gave +1 Rep to @broken idol (current: #2 - 3583)
general question for the helpers in here: In my circle (linkedin etc) many people say that junior positions in tech are in a really bad spot right now, especially in cyber. How do the people in this discord feel "From the ground?"
I've had a really hard time trying to get into cyber at a junior level
You're going to hate this reply.
Entry to cyber- and info-sec is not entry level to IT. For most SOC entry level positions, it's assumed that someone has experience reading logs and at least jr system or network engineer skills.
Right now, businesses are asking "can junior engineers be replaced with AI?" While I think the answer is not really, the businesses don't understand that the ROI for AI for that kind of work isn't feasible in the long term.
Hiring is in a strange state of flux in a lot of places at the moment, with many roles asking for several years of experience and a lot of responsibility with a broad tech stack for a junior position on junior salary. Most people starting out in cybersecurity have some experience in IT/programming or another related area, and many people will start out on helpdesk/tech support before moving into a more advanced/responsible position. You do need to gain experience and grow into the role, and as @flat sedge states, cybersecurity isn't usually the place most people start their career, even in SOC.
Being familiar with Windows/Linux administration, understanding and growing your coding skills (e.g. bash/Python/C), learning about networks (the Net+ or CCNA study guides/courses are helpful here). Also, the SOC 1 & 2 paths combined with a certification like the SAL1, BTL1, etc., can show your abilities. Cybersecurity is an ongoing learning journey.
I have IT exp as a dev/engineer and I'm still struggling trying to transition.
I just started getting CNO dev / Vuln researcher interviews and they're hard. I don't really know what to expect
Just for reference; i wrote a working LKM rootkit in C for x64
hello chat i hope everyone is doing good. Chat right now i'm looking for a job as a security analyst or intern just to start my career. I have done CEH v13 and master's in cyber security if anyone knows any job openings in cyber security please do ping me. It will be highly appreciated.
While this channel is a good place to find advice about how to pursue a career, it isn't a recruitment or job seeking channel. You can check out the #jobs-board or your preferred recruitment sites to find roles in your region
It does give you the foundation, but you still need to build on it. By that, I mean you need to create your own methodology on doing recon, enumeration, exploitation, etc. You'll also need to consider which programs and targets to choose from (more competition means lesser chances for you to find a valid bug), among others.
Hello! Actually just had a quick question, but for anyone that actively interviews or knows their stuff, what are some of the entry-level certificates for IT work and SOC that companies nowadays look for? I’m assuming CompTIA+ is a given but since I’m still pretty new to this I wanted to start a list of what I could look at possibly acquiring in the near future
After A+ Sec+ or Net+ would be the next places
CompTIA tri-fecta is always a good starting place but don't get too hung up on certs and try to complement the theory with some experience by setting up labs to simulate specific scenarios in an enterprise environment
Please don't advertise here 🙂
My bad... this is not an advertisement. It's a free program. But I understand
Which presentation
ok help me to guide which domain is suitable and best for cyber security which has lots of available jobs and less competition
Cybersecurity is a highly competitive area. You're best looking at recruitment sites close to your location, or large job sites like LinkedIn
Hey, can someone advise on the best path to take after Pre-Security? I'm interested in becoming a penetration tester/offensive security specialist, but I'm unsure which beginner path to follow next. Options like "Complete Beginner," "Intro to Cybersecurity," and "Cybersecurity 101" seem to overlap with topics already covered in Pre-Security. Given that, what would be the best next step to build on my existing knowledge
Complete beginner is being phased out iirc tomorrow.
There will be some overlap but they go further into the topics a bit
It's all foundational knowledge
There is a Jr penetration tester learning path
Do you think it's better to go directly to the Jr pen tester path or take another beginner path such as intro to cybersecurity or cyber security 101 ?
You could go look through the intro to cyber or cyber 101 and see what wasn't covered in the pre security
That's a good point, thanks Thor!
I guess I got thrown off by the overlapping chapters
Cyber101 definitely 🙂
Hello everyone 👋🏻
Is there anywhere accepting juniors and teaching them, or any intern position?
Try to check out #jobs-board 🙂
Is anyone well versed in colleges and able to possibly help me pick out what might be a good option/route for me?
I’d thought about doing WGU Bachelors and then switching to SANS for a Masters, but also I could do WGU until I get the 70 credits needed and then finish my bachelors at SANS. Does anyone have an idea on the differences other than certs and what might be the best path?
Hii
Hi everyone!
Can you recommend me a good CyberSec book for beginners ?
Hi , for book recommendations try to ask in #bookclub channel 🙂
WGU has a reputation for good teaching/training, with the expectation that you'll pass a number of certifications. You can just go and get those certifications at the normal cost for an individual independently. While having a BS is an advantage, it's only a slight one. What employers want is knowledge and experience, hands-on ability. If you don't have any qualifications, you can read the study guides for, and do the exams for various CompTIA, ISC2, ISACA certifications, for instance to show you've learned the theory. Cisco has some practical training involved in their certification paths (with software to facilitate it). Hands on certifications like OSCP, CRTO, CRTP/CRTE, and others in the field give you exposure to actual use of the tools you might use in a role.
The SANS training and university are both considered excellent and highly sought, but they're also on the very expensive side, and you'd usually expect an employer to pay for such, but high quality training and certifications are available for much lower cost. The most important thing is getting hands on and learning the theory, tools and technologies. Having resources like THM, building a home lab with spare computers/virtual machines/cloud environments is a great way to learn as well. And there's lots of specialised training available along the way.
I'd suggest reading the Tribe of Hackers books, as they have a series of interviews with professionals in various roles in the industry with excellent info about how to pursue those roles
Thank you! I have the GI Bill along with TA I can use, so SANS is an option if I decide to go that route, just unsure if I should finish my BS with WGU and then look towards SANS master program or do switch to SANS once I get 70 credits and continue from there.
I have both THM and HTB academy as well as in the process of building a homelab using a router and raspberry pi and just making do with what I can until I can upscale and add more.
I just didn’t know what path to consider or which path may open more doors for me later in the future, but your input is greatly appreciated.
Gave +1 Rep to @rugged delta (current: #21 - 488)
If you're doing your BS with WGU, then by all means finish it, and if you can do your masters program with SANS, then do that too. They'd certainly help you get recognised. I've chatted with SANS course trainers and they have an excellent reputation for quality work. The WGU BS is recognised by employers in the US as a quality source of knowledge, so having your piece of paper from there along with one from SANS isn't a bad situation to be in overall
Understood, thank you! Is the WGU BS preferable to the SANS BS? I had thought about doing half of my BS at WGU and then transferring, but wasn’t sure if that would be the right move or if I should just finish it out with WGU to get all of the industry certs and then doing the SANS masters, since both the BS and Masters offer relatively the same certs as well.
Gave +1 Rep to @rugged delta (current: #21 - 489)
The SANS BS is probably more widely recognised, the WGU one is still recognised widely. If you transfer, you wouldn't have a qualification from WGU. I'm not sure about the process of transferring, you'd need to enquire with both colleges about their policies, etc.
Alright, thank you. If the SANS BS is more widely recognized, then I may try to transfer there once I hit their 70 credit threshold and then go for their masters as well. Thank you for your help!
Gave +1 Rep to @rugged delta (current: #21 - 490)
Best of luck with it
Is it a good idea to have a one page resume or two page is still okay
I've heard a lot of good things about the SANS master. Just letting you know it's very expensive and you might have student debt from it.
Opinions differ. I would say two pages is okay but be aware that very few people will ever read the second page.
Or the second ⅔ of the first page for that matter
It also would depend on how much experience one has
Hey, from a masters in compsci, what certs would be achievable for me to pursue first to aim for a career in cybersec? (I want to be a pentester or a cryptographer ideally).
I'm not sure what certs I'd need given I'm not starting from 0 (no experience at all). I'm wondering what would be pointless to spend money on given my background also. And because of how many there are, it's overwhelming/confusing knowing what to start pursuing. Any suggestions? I'm pretty sure my lecturer said something about OSCP.
Also, it may sound slightly stupid, but would a criminology degree help me with employers? My BSc was in criminology. I was wondering if it's worth applying to cybersec jobs in the coming few months given I've got both crim+compsci within my background as a competitive edge against others trying to break into entry level cybersec. I want to know if it would be worth sinking more time into certs/study rather than just trying to apply for jobs
So I’m studying cybersecurity principles and network administration right now. I am also using tryhackme to advance my skills. I am trying to earn an entry level position as IT support or help desk. What are the skills specifically associated with IT support?
To the pros out there, genuinely asking, what will be the better OS to rock cyber security in penetration testing? I heard that linux will mainly become the OS, but should I go with mac machine or windows machine to run the linux OS?
I’ve been confused for quite a while, any help will be very helpful. thank you
Honestly doesn't matter. Having a good methodology is infinitely more important than having the perfect distro.
You can build and install tooling, you can only build methodology through experience.
It’s good to know that having the right skills will eventually solve tooling issues.
However, I guess having a good investment will help lessen the confusion since I am still new at this. Maybe from this point of view, any preferences or considerations?
Not really. OS choice might be of more importance for specific devices, but I think it's better to focus on learning how to use one of the OSes (or distros, flavors, etc) for penetration testing. Understanding how the tooling you need interacts with your OS will also teach a lot about how things work as well. Including drivers and permissions.
I see then, so it is better to stick with what i have now and to learn with it thoroughly, since all OSes work with pen tests in their own ways right?
Will a certificate help me get a better college?
certificate on what exactly?
Like "Cyber Security 101" 😅
If I am understanding your question correctly, I don't think it will impact your college application.
Oh, alright 😅
Your college application is going to be based on your previous academic performance, and in the US, how much money you have, or can borrow
Got it, Thanks for the information.
But, you can still learn a lot by doing rooms/paths in THM, if cybersecurity is a route you want to pursue academically
Yeah, I am currently starting "Cyber Security 101" as my basic/foundation.
OS doesn’t matter but I would recommend staying away from the silicon chips. I have witnessed and experienced too many problems since they have issues working with .exe files
honestly, you are still new enough to it that you could swap without losing anything really
Anyone here who has already cracked a cybersecurity job in India?
Hi there! I'm getting interested in the GRC analyst role. I don't have any experience in cyber sec or IT field. Do you guys have tips where i should start? I was considering doing the cybersec google certification but i don't know if it is worth it. I will wait for your replies and thank you in advance!!
It does. I'm currently in the 4th module and I can confirm it's worth it. I already have Sec+, Net+ and CCNA, and if I have to recommend a starting point for someone without any IT related experience I would always recommend it. Even I'm enjoying it, it's just the way the course is designed, adds a lot of value. Downside of it, is that it is not recognized as much as other entry-level certs, but in terms of knowledge it is the perfect starting point.
thank you so much! i'm aware of the fact that it is not super important as a certification but i need that mostly in terms of knowledge. Can i ask you some questions in private if it is not a problem for you?
Gave +1 Rep to @hardy harbor (current: #1386 - 3)
if you had to refresh your knowledge in the quickest/efficient way for web app security. what would you guys recommend? review of web fundamentals path and OWASP Top 10?
Sure anytime 
What’s the quickest way to get a decent job in the tech field, IT?
Depends. Do you have a degree? Assuming you don't have prior professional experience, in any industry, based on what you're asking
been a train operator for 11 yrs, did 5 years of supervision in those 5/ help desk type/ assignments office stuff.
no degree/ college drop out 12 units from associates
part of accident committee, training team, other bs titles
was thinking the quickest way would be to get the network+ cert, apply for an entry lvl IT job
You wouldn't need any certifications if you're applying for tier 1 helpdesk
You should be able to explain what the parts of a computer are, what they do, how to replace them if necessary, and troubleshooting processes. If you're not able to do that, I would probably recommend A+
The biggest thing that will help you in the long term is to relate your current experience to the job you're applying for
im not sure if tier 1 would pay the bills
Entry level IT is tier 1. That's why I mentioned that it was important to leverage past experience, as it can get you past that entry point.
im thinking 65k a year or a better would be the lowest i could for a couple of yrs
does tier 1 pay that much?
(usa)
Depends on location and a bunch of other factors
Gave +1 Rep to @stoic cave (current: #20 - 503)
You're going to need to do research here. California is still too broad, you're going to need to look in your specific locale. Other factors include what other experience you bring, the organization itself, etc
yep, well not rdy yet still wanna finish thm/ get the sec+ maybe a+ do some bug bounties/ hit HTB
then find a path
Right, but that is in my opinion, spending money just to spend money.
Certifications without a degree or prior professional experience don't really do anything. They're used to quantify said professional experience and don't necessarily stand on their own.
right
You need to build your professional experience if you're not going to do a degree
You could easily do a LinkedIn survey of what helpdesk jobs pay in your area on average.
See what people ask for and what they want out of a hire and tailor your study to that
Ah ok cool
I'd honestly say helpdesk is like 20% technical skill. Knowing how to talk to people and explain things is more important.
Thank you @flat sedge @turbid walrus
Gave +1 Rep to @flat sedge (current: #11 - 829)
i think you're onto something here, not sure if I'd say it's 20% but agree it's very important. You may know this, but for anyone that doesn't, how you work with others on your team is incredibly important to management. What some may call "little things", like smiling when passing someone or acknowledging someone's presence is often noticed, and can create a healthier work environment. :)
100%. I had a mentor that told me that it is easier to address a technical knowledge gap than some other skills like empathy, collaboration, kindness, communication, etc.
Sounds like you had an insightful mentor. For most of my adult life (which legally is only about all of 10 years XD) I had a skewed view on what mattered most to employers. Yes it’s important you’re qualified for the job, but there will likely be many candidates that are qualified for the job. What sets them apart is largely the skills you mentioned, and a good hiring manager will notice the “little things”, and choose the candidate with the skills you mentioned over one they didn’t observe with those skills. Which leads to first impressions and interviews, but that’s a whole other story! XD
Good IT interviewers have always asked me technical questions they didn’t really expect an answer to. Just to see how you could talk through it and break down your thought process.
@stoic cave can I dm you a question ?
Been looking into companies in my area and have a friend in one that could refer me , but would like to see your thoughts on the possible qualification w just A+
No, sorry, I prefer conversations to remain here in order to benefit the community.
Anybody here have any experience hiring for entry-level Cybersecurity jobs?
If you have a question, I would just ask it
I will just ask my question but my question is really intended for employers.
I’m new to Cybersecurity and have decided on blue team.
What certifications, skills, experiences etc will stand out the best when trying to land an entry-level blue team position?
I have a lot of spare time on my hands and my primary focus is to build a collection of skills that will put me above the competition. I’m not interested in sitting in a pool of applicants applying for 300+ jobs.
Employers, what will make someone stand out who’s trying to enter?
Ah ok - np
people with IT/helpdesk backgrounds or general curiosity/enthusiasm always stand out to me - otherwise I don't look at resumes and just administer technical assessments which gives people a chance to shine regardless of background
probably not the advice you are looking for but generally be able to actually do the thing you are applying to do, which sounds obvious but it really isn't based on the people I sometimes interview
Besides an A+ cert , what other certs would help get an interview ? Sec+?
(Don’t have a degree)
(For IT tier 1)
CompTIA trifecta is always advisable, but if I was in your position (which I previously was) you are much better off spending time attending conferences and networking
What would be the third to complete the trifecta ?
That’s a big ass cup of comp Tia I gotta drink !
Any websites good for tracking upcoming local conferences ? I’m in Southern California

infosec conferences is the main one, depending where in SoCal you should almost definitely have some local DefCon/Bsides/hacker meet-up groups nearby
BSides was created in Vegas to run the same week as Black Hat/DEFCON because a lot of people had great talks that didn't make the cut for those other conferences. BSides refers to the b side of a record... There might be one near you somewhere in the world
https://www.google.com/maps/d/embed?mid=1SVstK4xuz46-3tcOrKlGBzQh_Og&ll=18.035300090585988%2C-53.521324499999935&z=3
This is great info
I'm in the position of being a decade into being a Level 2-3 IT guy looking to convert to Cyber security, probably SOC work. It's hard to get anyone to take me seriously as anything but IT
Wow I didn't know about this at all . Thanks for sharing 🙂
Gave +1 Rep to @rugged delta (current: #21 - 491)
This was a really helpful answer, I appreciate it!
Lol 😂
Have you looked into volunteering opportunities? Might be good to get some experience on your resume.
I am anticipating getting the comptia trifecta… right now though, if I don’t pass both a+ tests by September, I am going to focus on network+ and then circle back to a+ when there are more study materials for the new version of the exam
gonna need some certs or projects or do a masters in cyber and intern during that time
I have also been studying python, and worrying that I’m doing more of that than I should be since it takes away from my cert study time
I would love an example of the type of project someone would do to enhance a resume when they have no infosec job experience and want to get hired in infosec
I guess it depends somewhat on what sub-branch you're aiming for. If you just want to get your foot in the door in a SOC, idk what you do, but it probably helps if you used to be an eve online player. Or a triage nurse!
- Set up ELK stack / sysmon / veeam / pfsense and log problems and solutions encountered
- Configure nginx until it gets an A+ on ssllabs
- Get an old consumer router and practice cracking WPS and WEP; blog
- Write a script that hashes new processes and queries virustotal
- Explore static/dynamic analysis tools (windbg, pestudio, ghidra, hybrid analysis, joe sandbox) and blog about things that come up
- Explore adversary simulation/emulation tools, stage a security incident in your lab, work through an incident response playbook, and write a report
(I happen to think these are almost kind of cool ideas (or not entirely terrible ideas) but I also have never hired anyone and am guessing)
guys, what do you think about PJPT certification? Is it a good certification for finding a job?
These are good ideas. I have my a+ sec+ and some MS certs. Working on the CySA and the SOC path on THM. Trying to do some experiments on my own with those topics as I go.
Thanks @static heron
Gave +1 Rep to @static heron (current: #243 - 32)
that's a lot of certifications. Do you have a job in cybersecurity field or are you trying to get some experience through THM?
I've been in level 2/3 IT support for over ten years. Trying to make a transition.
wow. I graduated in graphic design and recently acquired security+ and trying to get into cybersecurity field. I feel hopeless after hearing 10 years
I mean I've only been trying to transition actively in the last year or two

Hey everyone! It's been 24 days since I transitioned from healthcare to TryHackMe, and I have no prior IT experience. My goal is to work in cybersecurity, but I'm wondering if I should start with certifications like CompTIA A+, Network+, and Security+ to build a solid theoretical foundation.
For those who’ve been through this journey, do you think these certs are necessary before diving deeper into platforms like TryHackMe? Or does TryHackMe provide enough foundational knowledge for someone starting from scratch?
I’d love to hear your thoughts and advice!
Network+ and Security+ are gonna be some strong ones I personally recommend
but you can also go through 'Pre-Security' to get a primer on some of those subjects
Also get a cheap raspberry pi and VM Workstation // Virtual Box to play with what you learn
Congrats on the Sec+
hey bull, I think certifications definitely help with theoretical knowledge while tryhackme helps with grasping the practicality of projects.
Thanks
Gave +1 Rep to @dusty veldt (current: #2795 - 1)
Thanks
Something I should also add is basically there are not a ton of junior positions for quite a bit; that doesn't mean there is no hope
My friend who used to be Chief of sec for a big platform shared this with me and helped me better understand the Cyber job market
https://tisiphone.net/2025/04/01/lesley-what-happened-to-the-cybersecurity-skills-shortage/
I have a question:
I want to learn AI red teaming / AI security specialist and also aiming to use AI tools for hacking. Can you help or guide me on the jobs I could target for in Canada? And any mentors who are active on this field please help and guide me. I'm really passionate about this field and would like to explore the possibilities.
Please tag me when replying.
Not to discourage but I def think with hard work we can make it ✊
I understand
👋 yes to hard work
What's the best approach into AI security? And what jobs can be targeted?
AI red teaming is a topic that I am seeing on some platforms
maybe that might be a topic of search
DevSecOps maybe?
Don't rush for the certification straight away , use free resources like THM and try to learn as much as you can for the beginning 🙂
Thanks
Gave +1 Rep to @keen tundra (current: #1 - 4395)
How would the raspberry pi be used?
This sounds promising. How to structure my approach into this field? And what jobs can be targeted?
basic web server, you can play with and reconfigure for vulnerabilities.
Its the start of something called a "homelab" gives you the abilities to make your own network
of devices to experiment and play with to give you that practice experience
AI cybersecurity analyst
GenAI Security Engineer
AI Redteamer
All different specialties but with AI involvement
Thanks @rustic depot
Gave +1 Rep to @rustic depot (current: #2795 - 1)
Is there a job possibility for persons without experience in this field, in Canada especially?
YOU MEAN WITHOUT CYBER SECURITY?
Thank you so much for your insights, really appreciate you guiding me.
Gave +1 Rep to @rustic depot (current: #1388 - 3)
You mean without cybersecurity?
I know... but when I did a LinkedIn search on few job titles I couldn't find any in Canada.
Hi everyone, I have a question regarding the cybersecurity career. I'm currently a rising junior (undergrad) and I'm interested in cybersecurity and plan to look for internships next summer. What would yall recommend as the best approach for preparation? I'm starting with Cybersecurity 101 currently and plan to do Sec+ this summer
I took an enterprise security course this semester at school - planning to self-study over this summer vacation, current plan is tryhackme & hackthebox + cert(s)
Hey guys
Seems like a good progression path. There's lots of stuff in THM to keep you busy. The Sec+ generally takes people 2-3 months to study/prepare for, but do it at your own pace. Keep progressing with what you're doing and you'll be in a good position. You'll see the variety of roles available in the field as you progress, but most people start out doing helpdesk/tech support/IT/programming roles on the way to cybersecurity, and in cyber, most will begin in a SOC role and progress through from there. There are always opportunities to show your growing abilities in other ways, such as project work, blogs, writeups, participating in CTFs, and bug bounties as your skills grow and you progress. Take your time enjoying the journey
Anybody here been to a security conference before? How was your experience? I'm attending one this year because my university is covering the cost of tickets, this will be my first time ever attending one
Should I learn the blue team or the red team, I'm confused I like the red team but there aren't a lot of entry level jobs
Depends in which path do you want to pursue a career . Maybe it is a bit easier to get a job on a blue side 🙂
Dm sir
Blue team is kinda boring for me, but I also have to get a job first
I'm soo confused
What rooms do I have to learn? My college doesn't have a specialization for cyber security, i have to rely on the internet totally and there's a ton of knowledge i get confused
which country are you from
Which field are you interested in the most 🙂 ?
I'm interested in the red team
But entry level jobs are hard to find🙂
You can ask here so users with the same/similar problem can find a solution in the future 🙂
Me?
bug bounty or pentesting ?
Entry level jobs are always hard to find
Pentesting for a job and bug bounty for passive income
Kinda both
they want experience in entry level jobs as well lol
Everyone has manipulated me for a job in the red team you'll have to gain experience and many certifications
I'm from India. The education system is so old and dead. I don't even study the college curriculum a bit there's no specialization in cyber sec
when u thought u are good at sth, theres always an underpaid indian out there better than u
Can you tell me which one's?
I agree but not because of their college specially in cyber sec
for SOC analyst ?
I'm not talking about Indians, I'm talking about the education system of India
What should I choose an analyst or pentest, i personally wanna go with pentesting
Cyber security applicants are less, but most of the openings fill internally
ig have to learn both
I see a lot of dudes without skills getting hired because of reference from inside the company
You won't believe there was a friend of mine, who doesn't even know how to put windows 10 in a computer and still secured a job as a soc analyst
Depends how fast you learn
yeah i did biology in 12th from UP Board hahah
12th from patna👍🏻
Then i shifted to delhi
Greater Noida
As you said sales, i guessed 80% chances are that you're from greater noida
There are a lot of dude shifting to noida for sales or call centre jobs
sales are everywhere
Ig you live near mg road or iffco chowk
Agree
CompTIA Security+
Tell me what I should learn first, soc analyst or pentest?
I have taken an Udemy course for this, after some time I will buy the exam vouchers
Idk bro, i just realized 1 hour ago that i can be a Cybersecurity analyst lol
After an hour you'll probably think this was just a mistake, jk
Check out Jr.Pentester path on THM 🙂
https://tryhackme.com/path/outline/jrpenetrationtester
Udemy certification is not gonna help
Then?
Udemy just for learning I will buy the comptia sec+ exam voucher
I'll check
google which certifications will help
Sec+, Ceh
It costs a lot🙂
yeah good for dollar guys
And my family is not that kinda supportive of this course
Same here
Love you too dude👍🏻
yes but with coding you'll have a upper hand
no one knows coding or anything from birth you'll learn if you want to
hmm we will see it later, Getting inside is tough if background is not technical
+1
certs are always good
if they come with less price
but they don't
Please don't advertise here 🙂
hello fellas, Is the cybersecurity industry stressful?
im finding my pathway
thank u!
do ctfs give out certs or just awards
Ohh...I'm sorry I didn't know.
Which CTFs ?
It's ok 🙂
👍
Hi you guys. My work just asked me if there are any certifications I wanted to get and I was wondering what the best ones are. I don't even have security+ right now
You should get the certification(s) that directly relate to your current role first
Best is also subjective
it makes sense that it's objective. they actually asked me what department i was interested in moving into and if i wanted any certifications to support that
so i guess idk i can start with security+ i guess
i know certifications are more for proving what you already know
i guess
i was also considering either software or network engineer too lol its hard to choose so i don't even know if im gonna go this way. this is more of a hobby i thought lol
they said any of the above is possible lol
It's kinda funny that sometimes you get really good at one thing so they start trying to figure out what you should do instead lol
Check out the free professor messer videos for security+. There is also a discord for study groups.
sec+ or network+ will probably apply to just about any network or security job
Thanks for this! Would a Sec+ and THM experience be enough to qualify for intern-level positions, or is there anything else you recommend I do?
I don’t have US citizenship as well, I’m Australian. I’m worried that can affect my future internships / jobs as well
Its a bit niche but Australians are great for large international orgs with SOCs/NOCs because of timezone and you will also be able to easily coordinate with any Asian counterparts
I didn’t know this, thanks.
yes we can
I’m down @ionic shore
That sounds good! However I'm studying in the US and looking for jobs in the US, but open to jobs in AU if things don't work out here
I'm curious as for what level of skills are expected for intern-level roles?
None
Internships are focused on learning and giving a student a sample of what life in that department is like
Interns should be doing a mix of work that is drudgery and fun, so that a balanced view of the life is seen and experienced.
It's also a try out for both the company and intern for who is a good potential fit for a permanent role
Transitioning from software dev to cyber security... currently doing the Cyber Security 101 path on TryHackMe and some CTFs here and there. Any tips or suggestions?
Keep going with your studies. The paths are a great way to develop your skills in a gradual and guided way. Take a look at roles in your region to see the kinds of skills and qualifications they're looking for and gradually work towards them. While I believe it's an employer's duty to provide education/certifications, some organisations may require you to hold certs for various roles. You may still be expected to have pursued a particular cert with your own effort
thank you for the guidance... i'll consider it surely
If I complete jr penetration tester path on thm, how many chances do I have to find job?
Not likely, unless you have a good network.
i am going to do this path, then CPTS and then apply for jobs
Same here, 3 yrs as software dev switching to cybersecurity. I did the google cybersecurity cert. Thinking of doing one of the compTIA coz it seems HTB and google cert is not enough for job 😦
May the force be with us
I agree with you, in interview they want hands-on-experience but most company ask for certs so without them we don't get shortlisted, interview comes next. Right ! Maybe HTB or Home labs comes next. Maybe I am wrong
Yea, I was thinking of preparing for sec+ (I started blogging my sec+ journey with notes, might be helpful to others: https://gourabdg47.github.io/) then prep for SAL1 coz of hands-on soc experience, lets see where the universe takes me. Cheers
awsm, do share once deployed
Guys will certifications from IBM get u a job?
Dam, this is really great
Do you know where I can build cybersecurity projects from?
I had heard that Forage is a good way to get some experience, as it offers like internship experience, but I haven't tried it yet.
is that like a remote thing?
@stable coyote @willow gate is there someone I could chat with about potential podcast sponsorships?
Reach out to support.
I’m asking about the OSCP can anyone here give me a good path to pass the exam !
Thanks!
For someone who doesn't have IT experience and want eventually to work in cybersec field, should i start from comptia A+? i'm reading a lot of roadmap on internet but im so confused from the different opinions haha
Do you have any experience with cyber security 🙂 ?
I started two months ago and about to complete the jrpenetration tester path
Hello, I want to be a Cloud Security Engineer and I started with the red team part of the job, but I know that I need to look at the blue team and cloud technologies, are there any resources you can recommend?
Don't know if anyone has looked into the isc2 website, but they're offering free training and exam for entry-level in cybersecurity if anyone is still at beginner level. Definitely worth looking into! (https://www.isc2.org/landing/1mcc)
Check out SOC 1 and 2 paths 🙂
https://tryhackme.com/path/outline/soclevel1
https://tryhackme.com/path/outline/soclevel2
@keen tundra
You're on a great path , keep up the good work 🙂 
up 
I have completed the jr pentesting path in tryhackme , made numerous python scripts regarding keylogger , port scanner but Im still unable to get an internship can someone guide me??
Is Soc2 path really required to become a Cloud Security Engineer?
If so, I'll learn it, no problem.
But wouldn't it make more sense to finish the cyber security engineer and devsecops paths first?
It isn't required but it is a great resource to learn from 🙂
I'd try getting a cert or even completing other THM paths to continue gaining knowledge until one internship lands.
Hi guys, I’m sure this is asked often but: I’m 20, a few years ago I went to a semester of college but due to family issues had to drop out. I started self-studying security a few months ago and am currently on the jr pen tester path. I’m thinking about going to college next Fall, but at the same time if I could land a relatively well-paying job by the end of this year I feel like that might be better overall for my future.
Would starting college severely slow my career progression compared to just studying and going for certs? As of right now I’m studying 16+ hours a week minimum and I feel like I have a decent grasp of all the info I’ve been exposed to so far
I should say that I would prefer to go to college as I do want that life experience, but my main goal is for the quickest progression of my career.
Thanks for this!
Thoughts on getting a masters in Cyber Security? I'm a veteran (U.S.) so it's paid for. I have an IT and tech background and am concurrently working on getting my CEH, OSCP, and a couple of other certifications.
Once someone told me, if you want to be a practitioner go for certs and if you want to become a manager in this field go for the Master. Hope it helps 
Sorry if this comes off as whining or anything, but I just wanted to throw this out there and see if I can get some advice or responses. I have an associates and bachelors in cybersecurity and networking. I put going for my masters on hold for right now, but do plan on pursuing it. I have a few certs (still studying for CySA+ since I have a voucher) and have hands on SOC experience through my college. I am struggling with finding anything in the field though. I know that it is saturated, but after hundreds of rejections I can’t help but feel like maybe it’s me or partially me. Has anyone else been experiencing the woes of the job hunt and if so what are you doing to get past it? For those who did find an opportunity what advice do you have for us still searching?
Well shoot
My degree is not fully related but I’ve been struggling to find an internship too
What about projects, IT work?
If you are getting hundreds of rejections then yes, it is most likely you. If you are getting interviews but not making it past those, you likely need to work on your interviewing skills. If you are not getting callbacks/interviews at all you need to either work on your resume (maintain a master copy and tweak on a per-job basis) and/or apply to more entry-level type roles (SOC, NOC, helpdesk, desktop technician, etc..)
Failing those factors work on networking and putting yourself out there; maintain a technical blog, contribute to notable FOSS projects, attend conferences/local meetups
You can post your resume here for review. Upload as an accepted image format as people don't want to have to download files. You will need to verify.
What was your MOS/Rate? Can you expand on your IT/tech background?
If you have the ability to complete an accredited bachelors degree, I would do that. Degree holders generally make more than their non-degree counterparts, won't have issues applying for jobs where a degree is a contract requirement, etc etc. The thing with certifications is that they don't really stand on their own. They are meant to quantify professional experience. Your two best courses of action are likely going to be getting that degree or going out and getting a job now, ie on a Helpdesk, to build professional experience.
Oh I was infantry but I landed a help desk job right when I got out worked there while I got my degree in information systems and somehow pivoted to product management for a couple tech companies.
Yeah I agree. I should state, I’m getting a masters degree either way. I’m just wondering if the value is there to get it in Cyber Security
I personally don't know that I would get a Masters in Cybersecurity, there is too much variability in the curriculum between schools. You can definitely get a not great experience.
I'll defer to Juun, if they pop in, for your case.
Gotcha, I think I'll stick with the degree for now then and maybe find some type of part-time tech support role (though those seem rare). I just didn't know if I'd be slowing my career progression down drastically if I were to go for a degree
I'll be doing community college for the first 2 years, but I know the university I'll be going to for the last 2 years has a very good work study program
The link says it is free only for U.S.
or is it merely stating the price is $ 0.00 ... ?
Any cybersecurity related jobs in India, please let me know
Thanks
Try to check out #jobs-board 🙂
Oh yes I tried their simulation
For IAM SOLUTIONS
Thankyou
Hey I have a question. I found a Boolean-based Blind SQLi on a prestigious target but I couldn't extract any data because of the tough WAF. sqlmap constantly failed and none of both intermediate and advanced payloads worked. The web page crashes on true condition after 6-7 seconds delay but it loads normally on false condition. Do you think reporting this would get me recognition? I don't even care about money, I just need an LOR or something like that for reputation. What are my chances? Should I keep trying exploiting?
Do you have a permission to test it in the first place? Depending on where you are and your target, they might get back to you legally (which can land you to jail).
If it is a part of a bug bounty program, try posting it in #bug-bounty .
Wanted to ask if Security+ from CompTIA would be something I should get? I have an A+ already, problem is, no hiring manager so far that I went for job interview knew or ever heard of CompTIA, or the A+/Sec+. Dunno if I should learn for knowledge and not get the cert, and instead pursue something more valuable, like oscp (and still learn for Sec+ for knowledge), or forget the certs all together. I live in Eastern Europe if that makes any difference.
Yeah I'm participating in their VDP, using their specific header in my requests with my own special token they gave me.
It is surprising to hear that HR hadn't heard of those certs. They are pretty standard baseline certifications to enter the IT and cyber fields around the world from my understanding.
I know certain certs are more valuable in different areas so perhaps check with people in your country before dedicating time and money to a specific one. I can't imagine sec+ would be a waste of time though.
I actually once asked pros from my countries about how I can approach this. They mentioned oscp as a choice. Though I realize that that exam is pretty tough, hence why I wanted to "achieve" Security+ beforehand
because literally, so many hr people and people who are from cybersec I've talked about, never heard comptia certs, only 1 or 2 ppl
even people in the field hadn't heard of CompTIA? that's kind of unbelievable.
Mind sharing what country you're from?
yo is "Tryhackme" an actual good source?
like if i finished the courses there
am i atleast average
in cybersec
Yeah it is
HTB is definitely more advanced than THM in terms of machine difficulty
Both platforms are good and worth studying for
THM will teach you more or so from the ground up
for HTB, its better to go for it a little later
or you can just go for it from beginning, your choice
The feedback I keep getting is that they love my resume, they like the certs and degrees, but they don’t like the fact that I do not have any paid IT experience. Across the board that’s been the unanimous answer so far.
Hey guys I'd like some feedback if possible.
So I'm about 2 years into my first IT Job, Helpdesk role.
I have Network+ and CCNA that I studied for during my time here, and now pursuing Sec+, I'll have it in about 2 months I think.
in the mean time I've been applying for non helpdesk roles (mainly looking for network related roles and also browsing / saving SOC roles for future reference) and also just started doing home labs.
I just finished setting up Splunk and Sysmon on a Win10 VM and tried delivering reverse shell payload via a Kali VM, then checking out the logs generated in Splunk.
My question is should I put this in my CV, it feels like a tiny project where I didn't do much, perhaps I should expand on the project and configure more stuff / add to it before I do so?
I would still definitely put it on your resume as a project. The easiest thing to do would be stating it and leaving it more as a talking piece in interviews so that you show you know what you are talking about
aye that makes sense. shouldn't sell myself short i suppose
you can create or utilize a "Personal Development" section in your resume for things like this - and yes I would definitely try to expand on this project a bit more, try to stand up a full AD environment and begin running through common exploits and full triage afterwards, then document your findings in a technical blog somewhere to solidify your knowledge and work you put in
Can anyone help, and suggestions for my resume??
And I'm looking for an internship, does anyone have any lead
??
Hello all, i want to ask: how did most cyber security analysts/engineers get in the field, through certificates or degree
Hey guys, I'm currently studying for the CompTIA Sec+ after having completed the Google Cybersecurity Pro Cert on Coursera and passing ISC2 CC Exam.
Would it be better for me to start with the Network+ or CCNA to get a strong foundation in networking? Or is the Sec+ not that heavy with the networking stuff. My networking experience just stems from a LinkedIn short course and some coursework. I would appreciate any feedback I could get.
might be replying too late but i know python fundamentals , lua and ive gone kinda deep into game development using gdscript which is very close to python do u think all this past knowledge might help in this field?
Anybody here help with resumes at all?
I’ve been working as a Behavior Technician the past 6 years and don’t necessarily feel that my skills are applicable to cyber for future entry level work. How do I go about incorporating the fact that I do in fact have many years of professional experience without listing work experience not relevant to cyber?
hmm alright I'll do some research tonight. cheers for the guidance
I believe you can post a redacted image of your resume here for review - I dont really know what a Behavior Technician does but I would wager you have developed some soft skills or maybe have led a team/project/initiative all of which can translate into cyber
Have you tried working with ChatGPT ? It does wonders
To expand further. Cyber is something new for me but I fully plan to get relevant certifications for blue team and “hands on” experiences that I can add to my resume to help land entry level.
@proud bison I did try ChatGPT but the answer I got there was very much along the lines of “yes of course you can add new skills on your resume!” Which was not helping much lol
That totally sounds like it translates into social engineering aptitude or something, so if it doesn't, just remove details until it does, lol
sorry for not responding, I live in Lithuania. The only people who heard about CompTIA certs were my cybersec teacher in the university and everyone else was like "What's that?"
Hi @sleek abyss we don't allow help with academic work or surveys, to protect our members; also helping with academic work is against our community rules.
Yes, everything is under HIPAA compliance. Six years, no violations. Never occurred to me that might be valuable. That was helpful, thank you!
is comptia A+ important for cybersec or should i skip it and go for security +?
If you're new to IT, you should definitely understand all the content in the A+ study guide, as well as the Network+ and Security+. You can cover all the content in Professor Messer's free content, for instance. CompTIA certs are good theory sources. While the certs are not essential, being able to demonstrate an understanding of what they teach can be important to particular recruiters. CompTIA certs are considered junior level theory in most instances; essential knowledge in the space but you'll be expected to go much deeper as you progress
thank you so much for your time! 🙂
what is the current situation of job market in cybersec
hey I'm looking for some honest opinion/advice... I'm aiming towards a carreer on DFIR and I'm a beginner in the subject. Is the THM premium subscription the way to go?
Anyone have any advice on how to go about taking certifications if you can't afford them?
Get someone else to pay for them. i.e., your employer. Most certs are priced for companies, not individuals
The thing is that I'm not employed at an IT job atm and I don't think my current job will pay for them but I'll check.
Well, you might be out of luck then.
I would work on getting an IT job and using that to pivot into cyber, potentially via certs.
Anyone has any advice about the CompTIA Sec+ and Network+? I'm currently studying for the Security+ but am still deciding between getting it first or the Network+ first. I've watched NetworkChuck's video about Cybersecurity roadmap in 2025 and he recommended on taking the Security+ then the Network+. Does anyone have any suggestions about that?
do you really really need it?
I heard it's really beneficial to get for ppl starting out in the field so I'm aiming to get it.
just get a lot of experience first(not in jobs)
I'm pretty new to the field but I have received the Google Cybersecurity Cert from coursera and passed the ISC2 CC exam, also been doing TryHackMe here and there.
But how would you recommend that I do that, to gain more experience?
oh dude, if you're new to the field, i PERSONALLY would advise you to not reach for a job yet.. but rather get your hands dirty with hacking(just do a lot(whatever it is, just do it so you can learn from mistakes))..
either red or blue team.. or maybe you want do go another route in this field, such as reverse engineering or whatever..
but keep in mind that there is no "right way" to do anything.. you kind of have to find a way to do how it's best for you
I appreciate the feedback. I'm aiming to get into the red team with the pentesting. I know that cybersecurity is a vast field and there are so many stuff to learn, but i'm really passionate about it and want to reach my goal. Thanks again!
Thanks Triv! I have been watching some of his videos and they are really beneficial. Also I have heard a lot about Jason Dion so I'll definitely check him out as well.
no problem 🙂 and just so you know, THM has A LOT of good stuff!
i've started getting active on THM 2 weeks ago to refresh a bit here and there and as i do some of these rooms, i keep thinking to myself "oh wow, this is really insightful! beginners are gonna need and love this"
Tell me about it! Icl, THM has really helped me become familiar with many of the core topics at the beginning ever since I got into cybersecurity. The gamification of the modules really makes it fun to learn and definitely a valuable source for beginners.
hey, starting last year i got very eager to learn about itsec and get a job in cybersec at some point.
i am currently a sysadmin with focus on network and itsec in germany, started working at my current role a bit over 2 years ago and finished my apprenticeship in 2022.
as for now, i can not decide what exactly i wanna do for a living.
red teaming, blue teaming.. equally interesting for me. how did you decide?
Has one used or heard of ITcareer switch?
can someone tell me how's the every day life of a penetration tester or blue teamer?
Most people entering the cybersecurity profession will move from a role like yours into a SOC position to begin with, as many orgs are required to perform risk management and security to a certain standard. The knowledge in the SOC 1 & 2 paths are good for beginning in such a position. Certs like the SAL1, BTL1, etc. can be good indicators of your ability to operate in such a role.
Red teaming/pentesting is a highly competitive area, usually requiring a lot of knowledge of Windows/Linux/networks and various applications/systems. The OSCP certification is usually considered a good demonstration of your abilities for a junior pentesting position, but you will have a lot more to learn as you progress.
While certain certifications like OSCP/CISSP/CISA/CISM might be frequent prerequisites, they can be quite costly and some employers will facilitate your training/certification. Many others will expect you to have a certain minimum level of qualification before that stage. You can also do things like making a blog about your activities, having a home lab (some old computers/a few virtual machines/cloud environment, etc.), participating in CTFs, bug bounties, conferences, meetups; various activities to help show your participation in the community.
Meeting people working in the field, or in organisations that have a cybersecurity division can help significantly in your job search. The skills you learn in red/blue roles can facilitate moving to other roles in the field as you progress. I'd suggest reading some of the interviews with cybersec professionals in the Tribe of Hackers books by Marcus J. Carey, or reading some of the success stories from the THM blog:
https://tryhackme.com/resources/success-story
Okay people need your opinions here-
I have an electronics degree from a tier-1 college, but with a low GPA due to disinterest in circuit design. After graduating, I aimed to get any job and, thanks to a Python-heavy internship at a startup, landed a role on the blue team at a financial firm. Since there was no prior cybersecurity setup (everything was managed by a Big4 consultancy), I got broad exposure across InfoSec and discovered I really enjoy the field.
Over 2 years, I went from not knowing what an IP address is to conducting secure architecture reviews. I’ve earned Security+ and CEH and handled policy fine-tuning for DLP, EDR, proxy, firewall, and other security tools. However, the team relies heavily on MSSPs and has limited technical depth, so I feel I’ve outgrown my current environment.
Now, I’m applying to mid-level roles, but most require 24x7 SOC experience, which I lack since our MSSP handled that. I’m torn between quitting to fully focus on advanced certs like CySA+ and OSCP, or staying until I get another offer. Early in my career, I could manage studying while working, but now with more responsibility and tougher material, I think taking a break to upskill might be more effective—even without a job lined up. What’s the better move?
For a start, I'd avoid calling CySA+ and OSCP "advanced certs" when you're interviewing...
Noted👍
If you've been doing sec architecture in your current role then I would suggest aiming for those roles when you move. See if you can get your current org to put you through your CISSP (assuming you've got the prerequisites). That should help there.
I'd usually ping Zojja here, but uh, she's taken the mod strike one step further and outright left lmao
My CISO actually offered me the same, but I am 23, don't wanna get into management so soon and without having any hands on red-teaming experience
Why would CISSP force you into management?
imo CISSP is generally done by those aiming for CISO position
Pursuing the OSCP would be a good thing to aim for, it's mostly a prerequisite for many pentesting teams. You'll likely need to do more to get into pentesting; perhaps participation in CTFs, maintaining a blog, partaking in conferences/meetups, or networking with people in the field. OSCP is a junior pentesting cert, but yes, there is the expectation you have a lot of IT knowledge already, which your current role indicates, at least up front.
I mean, it can be used for that, but that's not its only purpose.
It's good for demonstrating a mile wide, inch deep knowledge of cyber. That's a good foundation for security architecture, which you then build on with specifics -- e.g., AWS / Azure / GCP security certifications, or equivalent accreditations in other areas (kubernetes, VMware, etc. Whatever you're using).
Anyone knows a good place to look for remote junior pentester jobs in EU? I have tried few platforms and there is nothing there.
Yes I have checked LinkedIn. There are no entry level positions and searching on it for positions outside of the country of residence is a true nightmare.
agreed, now that I have started to follow more content about offsec I see that college sophomores are getting OSCP. So the bar is high
Gonna struggle with that one I think.
Local conferences are probably your best bet. People are less inclined to hire remote juniors than they are to hire remote seniors though, for obvious reasons.
Do you have previous IT experience?
Yes I have. I just need a chance :/
Well OSCP level knowledge is going to just be expected, and having/maintaining the OSCP+ will be an expectation for a lot of organisations. A lot of orgs will help facilitate the expenses of such things, but you might be expected to contribute, and/or remain in a role for a certain period as well
I did go to few conferences but companies there mostly advertise themselves and do not look for workers
Doing what?
Administrating, DevSecOps, Programming( a bit) and some risk management.
oh and testing
Okay, that's a good basis. So how are you presenting that when you apply for pentest jobs?
I don't, because there are no entry job positions and for mid and senior everyone thanks me without even inviting me to interviews.
You know the drill. Thank you for reaching out but we look for someone more experienced, blablabla automatic emails.
That's what I get when applying for mid/senior roles because that are the only ones visible on job platforms.
Are you only looking at remote roles?
No
which ones? every b-sides I've been to typically has resume review/mock interviews and have found a lot of folks practically begging to fill roles in their company
Its a bit hard to say where you might be going wrong without seeing your resume and knowing what are the exact job titles and roles you are applying for
ah nvm I saw you are applying in the EU for junior pentesting roles, all I can say is good luck, its a small market over there with a ton of regulatory oversight and knowledge needed which makes things more difficult - it may not be what you want to do but would highly encourage you to look for entry-level SOC roles within an international org, follow-the-sun models of operation require competent EU folk so the US counterparts can sleep soundly lol
im making a career change from mechanic to it, im currently a master diagnostic tech that my body is giving out on me, ive been kinda a foot in & foot out with trying to become a soc analyst, i understand that i would have to work my way up again but would it be better to go back to help desk and work my way up or get a bachelor's and try to go into it with no experience? any advice would be amazing 🙂
confidence, sekurak
Is SAL1 interesting for a lot of big names?
I kinda want to get SAL1 after Security+
And then maybe CCNA
Does that sound like a solid plan?
apply for both SOC positions and helpdesk/desktop tech/junior sysadmin, realistically general IT jobs will get your foot in the door to security either but theres nothing stopping you from "jumping the line" as long as you have the technical knowledge and ability
as an aside I see that seasoned mechanics generally have excellent analytical skills so you will fit in nicely with whatever role you find in cyber 🙂
Other then App Sec what other roles mix well with transitioning from SWE? Id still like to code and it looks like detection engineering is a good area?
DevSecOps is generally a good transition - DetEng would be a good fit too depending on the maturity of the team and if they are already utilizing some sort of Agile practice
I've been recently working on a small little SaaS that monitors webhooks and slowly adding security driven features like HMAC verification log auditing with logflare/vector all containerized to be built up with Docker. And its been pretty fun so far
Idk if its a good "highlightable" project
I am just unsure if it comes off as odd since I have about ten years of exp. half as IT/SysAdmin and the other as a dev. So I am not sure where I fit in exactly.
You have an ideal background to transition to cyber so your success will really be dependent on your actual skillset - as for that project it doesn't hurt to file in a "Professional Development" section but is probably overkill given that you have enough experience to build out a respectable resume that will generate callbacks
Sounds good! People usually start with Networking skills, but there are no rights or wrongs in this. Whatever works for your goals.
I am working my way through security + but I am not really sure what to work towards afterwards and what recruiters/potential employees look for with my skillset?
Sec+ is helpful but not totally necessary with your experience - assuming you apply for a DetEng role you most likely will be fine from a SWE pov, there is a lot of overlap, however you will need to shore up your incident response skills to really be effective
I dont keep up with certs and typically dont really look at resumes much since I typically administer technical assessments for candidates so I'm not really the best informed on what you need nowadays to get past the initial screening
I would assume GIAC certs are still the gold standard in that regard, I don't know of any other hands-on certs that really cater towards blue team and have widespread name recognition - hopefully SAL1 will get there
I guess I can start by looking into the Incident Response related rooms on THM. Is there a good source on building your resume in how to format/ what recruiters are looking for?
My current resume is mostly tech stacks and development related projects and I think I need to better highlight my IT experience now.
hi guys was hoping i could get some guidance. i’m currently a second year studying comp sci, but i realised i wish to pursue cyber. any tips in starting out you can share with a friend? any help will be appreciated 😊starting from 0 here as i have no prior experience
It is pretty new certification , we need to give it some time to gain recognition 🙂
You can follow this roadmap from TryHackMe 🙂
https://tryhackme.com/hacktivities
thanks alot 😊
Finish your degree, do some THM, and work as a developer for a year or two. Then you’ll be in a great position to be an Application or Product Security Engineer.
hey guys I'm pretty new to cyber security right now im taking the google coursera cyber security course im a little over halfway finished im wondering what everyone thinks of it and additional steps i should be taking to get into a cyber security position thanks guys
hey guys newbie here & too in cyber sec learning
i have recently made a noob kinda direnumerator tool
would like suggestions and improvements -
Honestly at its base its just automatic memory management(Garbage Collection) is something done for you in high level languages and in low level languages you can control the allocation/deallocation for performance gains. This is the way I've always looked at it because the only other big difference is direct hardware access(low level) vs not(high level)
Beyond that its just levels of abstraction
Well, at least I'm sure it will verify my practical skills
Cause Comptia Sec+ theoretical
Given how good THM is in general
Hey everyone I’m in the middle of a career pivot from a non technical field. I passed my sec + recently but I think I eventually want to end up in a more technical devsecops or security engineering role however as we all know, entry level roles don’t exist in this space.
Ive been wondering if I should shift my focus to learning AWS and getting a AWS developer cert. I do a lot of python projects on my own, would switching to cloud now be a better way of getting an entry level job where I could eventually pivot to a security role?
If anyones familiar with cyber careers in the military I could use some advice here.
I am looking at the DOD 8140 Directive that outlines these qualifications needed for a cybersecurity role as a commissioned officer. I plan to USNCC my associates in CyberSec from WGU and then STA21 the rest to a bachelors degree with a focus on Cyber Analysis as this would keep me primarily shore based, however want my package to be as competitive as possible so I would like to go after qualifications as well.
Looking at the qualifications required as only certain partners meet the guidelines set by the DoD for the qualifications, who would I go with in this instance? as the DoD doesn't offer their own course, the certifications I would need are:
CEH (Certified Ethical Hacker)
CFR (CyberSec First Responder)
GCIA (GIAC Certified Intrusion Analyst)
GCIH (GIAC Certified Incident Handler)
Note I only need one of these coupled with my bachelors to commission the route I want to take.
Need some SANS advice from y'all.. these are the 4 I'm considering getting, ordered from most desirable to least.
SEC511
SEC573
SEC598
FOR498
This will be my first SANS cert.. any advice on which one to pursue or any other really solid courses I might have missed?
Who will pay for the exam / training fee (as SANS / GIAC ones are too expensive to pay out of pocket)?
is bug bounty hunting a lucrative career choice?
how difficult is it for a beginner to get started and start finding bugs?
Before looking at certifications, can you give a brief overview of your background and interests? It's hard to say without really knowing anything as context is just as important
Sure, I'm a security engineer in purple team threat hunting/incident response space. Interested in upskilling think AI attack chains, mitre frameworks, any kind of "new" threat landscapes. I have a background in netsec, appsec and a fair bit of reverse engineering.
Will your employer be footing the bill for you if you happen to select one?
Yeah
sup , im currently 14 yo trying to get into the field early , i have prior experience in game dev which prob helps a bit after searching a bit about cybersecurity , im kind of into pen testing (i know this might be cringy and every single beginner prob thought the same but ye i jus like it)
im thinking of going with the pen tester thm roadmap , but a lot of youtubers said its just not enough and idk they just said these companies are scams etc , also i thought about doing pre-security and then the security+ course but yeah i cant even take the exam at my age lol.
any suggestions?
First suggestion is always stay ethical, don’t get you or your parents in trouble. Second just go through the THM paths and pursue self learning, you have 3-4 years of YouTube university & internet learning before you can do much else.
Bug bounty hunting is a good way to learn and develop your web pentesting skills, but pay is unreliable. While you will see that there are people who have earned millions, you need to take into account that competition can be quite fierce at times, and there may be a lot of people trying to find the same bugs you are on the same targets. When you do find a bug, you might not be the first to submit it, your submission might not be up to their standard, or they might just lie to you, tell you it's already been claimed and use your findings to claim it themselves (so there can be some dishonesty out there).
Also, many bug bounties have low payout levels, so expect to need to make several submissions per day (5-10 perhaps) to have a decent chance of payouts, and some bounties only become available once you've achieved certain reputation on a platform like HackerOne, or Bugcrowd
So you're not currently in?
No and very difficult. The vast majority of people participating either don't see money at all or very little. It's a very unstable source of income.
Is thm paths worth the time tho ? I'm kinda scared of wasting time on it and then realising it's not useful
Finish school and be a kid. You're not going to be able to work in the field since you're under 18. You can't sign contracts. Pentesting also isn't entry level to cybersecurity, which isn't entry level to the computer industry, so you're going to need to work your way up in the industry once you're the appropriate age. Do THM and some other learning for fun, but you need to focus on the near term which is graduating high school and being young.
But he could just do bug bounty hunting on hackerone or similar sites?
And say he didn't get a job, he can spend his free time doing CTF competitions, which isn't only fun and helps in the learning process but he can also get prizes from it
The idea of "you're too young to start learning" is just broken, there's no age limit for learning anything, if he understands it then why not
You're talking as if the life of a human starts at 18, if he already has experience in bug bounty he doesn't need to start his career from the absolute bottom.
Also how is cyber security supposed to be entry to the computer industry anyways?
reaching a point where you're finding 5-10 bugs a day sounds difficult
Reaching a point where you're finding 1 or more bugs a day sounds difficult
Yes, of course it's going to be challenging. Sometimes you'll find a lot of the low hanging fruit, but since you're working with real, active client systems out there in the world, and you are on a bug bounty, you can expect that the target organisation is instituting the bug bounty because they have made significant investments in security, but in the tools and systems that they roll out, and in the policies they have in place to make their environment secure. They want it to be hard for you, because they want to know whether they're actually secure. If you can pick apart their web apps, they know they're very vulnerable. You'll only have a limited scope in most cases, because they'll have similar bugs throughout their enterprise and knowing a certain insecure behaviour exists means they'll have to probably stamp out the same setups in multiple places.
If you find bugs, you might get a reward, and some people do, but those people who do get multiple payouts, and who do hit the million dollar mark are working at a rate where they can comfortably deliver 5-10 results in a working day, probably within 5-6 hours, which is about the amount of time you'd probably spend hacking as a pentester several days a week, and how much you should probably be studying if you're doing a big cert
That's some awful piece of advice... If they want to start early, then why not? In multiple countries it's possible to work with parents permission, so scoring any type of job or an internship before turning 18 is a huge headstart.
that was my line of thought as well
that if they're rolling out a bug bounty, they probably think about their security quite a little bit, and so finding a bug would be difficult
however, how often do you find low hanging fruits still?
you're likely to get helpful advice for this in this channel
@tame lagoon do you have a list of the job responsibilites/duties/skills required? Is it hardware or logical based IT work?
yes i know what the responsibilities and skills are, like laptop imaging, IT asset management etc. its IT hardware. i have hands-on experience of months on IT hardware, configuration and troubleshooting. but im afraid ill forget everything
i dont think this is solely IT hardware. there will be a panel interview. i know i can do the job but im just nervous about the interview
my advice as someone who's interviewed multiple times with different HM's in the past 6 months: dont overcomplicate things. Bring notes. Smile, greet everyone, even if just a smile/nod. Be familiar with PXE boots since you'll likely be doing that for imaging laptops. Try to discover what software they use for asset management. Do something that gets you active and blood pumping the day/night before you interview, it will help stimulate your brain and relax you.
always expect the obvious, use the OSI model for troubleshooting (layer 1 physical, layer 2 data link, layer 3 network, etc.)
be able to talk about the boot order in BIOS, some laptops may not image properly if the boot order isnt correct. In my current position I do a lot of reimaging, so not exactly the same - but being able to talk about it will help you stand out of other interviewers
ngl thats some solid advice.
are they chromebooks?
most of reimaging i do is related to problems due to low storage, so knowing how to do a powerwash of a chromebook may prove useful - ctrl+alt+shift+r
but i dont know anything about laptop imaging, my role is more like assisting them with (Re)imaging and IT asset management, distribution, etc. and i didnt know i could bring notes? wouldnt it be awkward to look at notes and then like look at them or turn pages or something ?
not chromebooks, they are dell and microsoft laptops.
from my experience, having notes is a good sign to HM's - shows you are trying to be prepared. Don't look at them while theyre talking tho
HM?
hiring manager
ok, since you likely wont be able to tell how they reimage (likely pxe or using a usb drive to image) learn about them both
oh its with IT operation leader and engineer i think and maybe HR, not 100 percent sure
sorry, when i say HM i just mean the person who is interviewing you. Im probably not using that term correctly
oh alright, what about the general questions? are they gonna ask the famous "tell me about yourself" or "strength and weaknesses"?
ahh no problem
another thing, never respond to a question with "i dont know", its okay if you dont know something - dont lie, but a better response would be "i havent tried that yet, but im excited to learn more about [x]"
sooo thats super important, and likely the first question they will ask
i agree!
good response is concise, without oversharing, and nothing too personal. Give yourself a title like "im an IT specialist with experience doing [xyz], eager to get more hands on experience and help [insert their mission statement]
errr so i have to tell them about me. i think background, name, experience and course i do would be a good start for first question?
yes
avoid talking about your personal life
in my opinion
yeah i dont plan to, that wont be relevant
You can say you don't know. After saying you don't know, respond further with how you would go about getting the information needed to either learn or complete the question/task they gave you.
something that may prove super helpful as well is drafting some practice questions/responses for yourself and having something like chat-gpt read the questions/responses you've drafted aloud - so you can practice verbalizing your responses.
i will google
yes i'll do that i have it prepared but its just my first interview, my mind is calm but my heart isnt. quite odd
totally normal, i think you'll do great given you have experience and are preparing beforehand
i think so. and is it okay to redact names of other members from a document before sharing it with the HM? for privacy reasons.
Hi everyone! Anyone from Wiltshire, England, UK?
@keen tundra
@broken idol Sorry for the ping, I think there's a bot here. Or some sort of spam.
they seem to really want to help everyone today
How generous
Is that person spreading malicious python script?
Don't interact with him , they usually have malicious intentions 🙂
I have come across someone before and got him banned from a different server.
@keen tundra Can you do some KGB stuff on them
I am asking. I don't come across anyone in THM
He's muted for now , upper management may take further actions 🙂
coming from someone with your nickname, i wouldn't want to be in the wrong end of upper management
(ik i've made this joke several times now)

hello everyone, hope everyone saturday is going well.
any fun careers to talk about
CCNP worth? Dm pls
I am currently in
The navy has certifications programs like navycool that would cover the exams and training I simply just need to express interest
Only if you want a long term job as a System/Network engineer/admin
Not worth it for CSec
Hey everyone! I’ve been working as a caregiver for the past couple of years, but recently I decided to transition into cybersecurity — specifically aiming to become a SOC Analyst.
I’m currently earning my Bachelor’s degree in Cybersecurity and Computer Science (should graduate by May 2026), and I’ve been grinding through TryHackMe rooms and the free roadmap in my spare time to build up hands-on skills.
Still early in my journey, but I’m really enjoying the learning process and want to take this seriously. If anyone here made a similar switch from a non-tech background or has tips on getting started in SOC roles, I’d really appreciate any advice. Thanks in advance!
If you aren't certain yet whether you prefer the blue or red side of things, GCIH could be good, but if you are leaning more towards DFIR, GCIA would be great.
I believe red side of things would be better for me, protecting americas interests and keeping her and her allies safe from adversaries wishing to cause undue harm sounds more up my alley.
But I still would like to explore both and see which im actually able to comprehend better
Thanks for reply bro,
To pursue a career in cyber security, Which should we choose between bachelor of computer science or bachelor of cyber security??
Which will be best and suitable? please give some advice.
4 years is a long time! Take some time to think away from the computer and do your preferred option
In my opinion skill is more valuable than degree so if you want a job I suggest you upgrade your skill and bug bounty companies will increase their hiring rate when they see the skill more than a degree
You, uh, know many companies which focus on bug bounties?
Doesn't seem like a sustainable business model
Huh?
Bug bounty and skill he was talking about degree
@undone shore
You said (and I quote), "bug bounty companies will increase their hiring rate".
Are you suggesting that they will be hired by a company with the express job description of completing bug bounties?
what do you mean by "cybersecurity fundamentals"
None. Fundamentals are not enough for you to directly target professional certifications. Learn more first.
"That's some awful piece of advice..."
Cool, great way to respond to someone. Let me ask, are you currently working in the industry? If so, how long? Based on your message, I am going to assume that you're on the younger side, potentially. Please read further to see my responses to your response.
"If they want to start early, then why not?"
I did not outright say they couldn't start, I said they could do THM for fun, but anything past that would be unrealistic, in my opinion, given their age.
"In multiple countries it's possible to work with parents permission, so scoring any type of job or an internship before turning 18 is a huge headstart."
You're correct in that it is possible to work with parents permission in some countries. However they come with strict laws, using the US as an example, regarding the use of children in the workforce. Everything from where they are allowed to work, how they are allowed to work, how long they are allowed to work, etc etc. Then you have the states adding additional requirements, such as needing to obtain permission from the school in addition to the parents permission. All of this, and more, is only a portion of the legal aspect.
Getting into the risk aspect, no sane business would hire a minor to do high risk tasks, ie pentesting. Mistakes, that they would not be able to be held liable for given they are a minor, can lead to real consequences that can harm the business financially, their reputation, etc. I am not even sure business insurance would cover a business hiring a minor in that capacity either.
From the business' perspective, why would they hire a minor when they could hire a FTE? They won't be able to support traditional working hours. You mention internships, which do exist for those in high school, but they are typically reserved for students in the back half of their high school education and accommodations are made in their school schedules to support that. On top of that, cybersecurity internships (not just pentesting) are highly competitive and few, typically requiring you to be in higher education and over 18.
Closing Thoughts
My recommendation to focus on completing schooling first and focusing on being a kid still stands (and it's the same advice I've given to people in my 3+ years as a community mentor here on THM). They need to complete school in order to even get to the next step, so they should focus on it. You only get one life, so be a kid while you still can, don't just sit inside on a computer missing out on life. Getting those life experiences, while simultaneously working on things like social skills, will help you when it's actually time to work a job and better prepare you for life ahead.
Given the fact you're currently in, I would talk to people running the STA-21 program or a local rep if you have one, for questions. They are going to be able to give you a better idea of the ins and outs of the program and what is actually available to you. I would also try to find any mustang(s) in and around your duty location to get their perspective(s) and path(s).
"But he could just do bug bounty hunting on hackerone or similar sites?"
They would need to check their TOS and EULA as well as the legal documents of organizations putting themselves on said sites. You need to be of the appropriate age for all of that. On top of that, if the program does allow minors, they would need to get their parents to sign any legal documentation. This permission would need to be given with the understanding that they would be held legally and financially responsible for all actions conducted by their child. Any violations of scope could/would result in legal actions against the parents and saying "little johnny didn't know" isn't a viable defense.
"And say he didn't get a job, he can spend his free time doing CTF competitions, which isn't only fun and helps in the learning process but he can also get prizes from it"
They said "get into the field early." When someone discusses the field they are in, they are typically discussing their employment, unless they're literally standing in a field. You can compete in CTFs, but I wouldn't go into one expecting to earn a prize. CTFs are also not really representative of real life.
"The idea of "you're too young to start learning" is just broken, there's no age limit for learning anything, if he understands it then why not"
I didn't say that, I even said that they could do THM for fun. The advice I give and have given here on THM is based on reality and setting realistic expectations. It's not just the understanding part, which they will have pieces of, it's the whole picture. There is more to it than just "knowing how to hack."
Yeah, so what?
"You're talking as if the life of a human starts at 18, if he already has experience in bug bounty he doesn't need to start his career from the absolute bottom."
For all intents and purposes, surrounding working in a professional corporate setting, it does. I also wouldn't consider bug bounty professional experience unless the individual is consistently reporting valid bugs (not automated scanner stuff) or putting together novel attack chains/discovering new exploits.
"Also how is cyber security supposed to be entry to the computer industry anyways?"
Cybersecurity is not entry to the industry, meaning the computer industry as a whole. Entry for the computer industry can be found in IT, ie Helpdesk roles. For cybersecurity roles, you're expected to bring a base set of knowledge and have prior professional experience in the computer industry. Degrees can shift the timeline a little bit and also open up opportunities that you can take straight out of school to get into cyber.
50 years in Java and looking for 18 year olds is the normal
Also holy u wrote a lot
Job postings are often not written by the technical team. In a lot of cases, they're asked what they're looking for in general and then those asks get passed over to HR. They are not necessarily technical people, which is how you get those postings.
Yeah, that's true most of the time
When it comes to applying for said roles, I would look and see if there is a level attached to the role, ie Level 4 Engineer, or use role names to try and parse what they're actually looking for. If say, they're looking for a principal, that role is likely looking for someone with 10+ years of experience in the area they are in.
As for entry cyber roles asking for experience, they're looking for people with degrees or prior professional experience in something like IT, ie sysadmin
Same idea when you see an entry pentest role. They're looking for people who've been in the cybersecurity space for a number of years as pentesting is a niche within the cyber industry
Mm fair enough, but connections can help a lot too. But ofc it makes sense to look for very experienced ppl from the orgs view point
I was responding to multiple pings over the past few days, so that's why. Most of the time it's singular responses.
Which part are you saying "so what" to?
Nice username lol
I am thinking about, starting a career as a red teamer, focusing in social engineering and maybe ethical hacking, but it is kinda hard to find anything else than mere descriptions. Is there anyone here, that already has some real experience with this and can help me, understand this Type of Job better?
You can learn more about cyber security jobs on the link below 🙂
https://tryhackme.com/room/careersincyber
Hello guys, hope you are doing good.
I need your advice. I hold OSCP+, PNPT, eJPT and am an ex-maths teacher. I've never worked on the field. I've sent my resume nearly 60-70 companies around the world (mostly Europe), checking Linkedin/Glassdoor etc and nobody is returning back. I think my CV is polished nicely, though.
What would you advise me?
Thanks in advance!
so no real experience ? I see the best deal here is to search for a short-term internship, or start getting skills for helpdesk/IT_support roles
How is OSCP different than OSCP+. Does someone look at the + when considering candidates for job position?
I'm in the same spot. Sent hundreds of resumes and no one cares, but I have no certification. All I can advise to you is to not give up and keep trying.
They are not different, it's just how offsec names it.
Noone looks at the + for the job position.
so what's the point of + in the first place?
I did that too, for the helpdesk roles they want x years experience, knowing lots of stuff..
Bro, you can just google Offsec's web site.
oscp+ is for 3 years. If you don't retake another exam in 3 years it turns into oscp.
The + is because certain orgs require certs to have an expiration and maintenance, to ensure up-to-date content and material
seems like cash grab
cybersec is a field where everyone need to learn constantly or they lose position so I see no point in forceful reevaluation.
@haughty patio maybe start bug hunting ? you can show your skills in pentesting/red_team in real world scenarios
🙏
Cybersecurity is the future??
This is contradictory...
How are they going to be reevaluated if they aren't taking an exam (or obtain CPEs) to reevaluate their knowledge?
Hello guys, hope you're doing well.
- What do you think sets a cert apart from the rest?
- What makes you look at a cert and say: "Yeah, that's the one."?
Would love to hear your takes - whether you've got one, working toward one, or just opinions to share!
Good Afternoon everyone, I just wanted to receive some feedback on my resume and some improvements I could make. I am having a hard time like many others finding a job and want to fix as many of the problems as possible! If you have any questions or personal feedback/advice feel free to respond/tag me/ or DM with anything at all. Thank you all for your time!
if this is your real resume and you cant find a job im just gonna be erp admin for the rest of my life
i'm having my second interview on wednesday but i've been applying since January.
what country do u live in??
US
okay now everything's clear
time for me to cross the pond?
if you cant find a job with resume as good as yours and you really want to get a job, i would consider doing that
but idk hows the job market in other countries aswell
except mine
your resume is impressive, keep applying and you'll get it sooner or later
i appreciate it a lot, thank you. just gonna keep putting my head down and trying!
im looking at it again and if i were you i'd probably consider putting there more practical projects, and maybe even wait few months to get that round 1 year of computer systems analyst experience
I was thinking I should do a few more projects. I just want to make sure it stays around 1 page. I also agree with the 1 year of my job, I don't plan on leaving other than for a SOC analyst position that I'm trying to move up into. Thank you so much for the feedback!
you're welcome!
Hi everyone im a newcomer can i have some advice for a newbie?
Introduction to cybersec its needs, types of attacks ,defenses, jobs/roles ,future of cybersec alongside ai and quantum computing
Please can you advise me ,should I pursue cybersecurity with tryhackme learning modules for Jr penetration tester?
I have no idea what to do and would want some opinions. Some time ago I did apply for a pentester position. I did go through 1st and 2nd stage of the recruitment and had appointment for 3rd one. Between each there was quite long time before answer but it did get to me after few days. Now recently I did participate in 3rd stage. Sadly there were technical issues on my side and we agreed to reschedule the meeting for different time. The person told me I would get the new appointment soon, maybe in 3-4 days from HR. Right now it is more or less a week and a half later from that time and I got no response.
Should I be bold and just write to their HR and ask about this appointment and if the position is still open?
Should I additionally ask for a feedback or not?
Or maybe it would be better not to write to them at all and consider it lost case?
I do not want to look desperate and be an ass. What would you people do in my place?
What’s up y’all. I have a few questions relating to Cyber careers that I could use some help with. I’ve talked to some of you briefly.
-
Cyber is pretty new for me. THM is my first step into the field. Just finished my pre-security course. Most of my life so far I’ve worked in the healthcare field. As a Registered Behavior Technician. The primary population of people I’ve worked with have been children with Autism, ADHD, Down syndrome etc. Providing behavioral therapy. Everyday I spend time collecting and analyzing data in high pressure environments. Also, everything I’ve done over the past six years has been within HIPAA compliance / confidentiality. Is collecting data and maintaining confidentiality valued in this field? Would be worth mentioning in a future resume where I’m looking for entry level cyber work? (I’m going blue team. Hoping for SOC when I have the tools)
-
I’m planning to build a skill-set committed to blue team work. I somewhat-ish have a path planned for utilizing THM to accomplish that the best I can. My question is, once I get a bit further through paths, what should I really be focusing on? Meaning certifications and hands on skills / experiences?
Appreciate the help.
What type of work are you looking for? Security Analyst, something within a SOC/Security function?
Professional Summary:
Where did you get 2 years of experience in IT? Writing "actively working to finish Bachelor's /.../" has a weird ring to it (imo); perhaps writing "currently finishing Bachelor's in Cybersecurity while working as a...". You give no real information or even mention your current employment; this is where you could shine a light on current skills, actual value and problems you have solved towards improving something. Good to mention certification taken, don't know about the rest ( i.e WordPress) - should be a bit more focused towards whatever you're searching for.
Professional Experience
No information under Computer Systems Analyst; here's your moment to shine. Write at least the same amount of information as you've done for your previous work. If you need to remove or shorten something do that with the other three.
Education
When did you start your Bachelor?
Training and Certs
Great to have, so good you have that on there. There are other awesome certifications i can also recommend; depending on the potential employer the more practical a cert is - the better and CompTIA arent really known for their cybersec specific practical certifications.
Practical Projects
I wouldnt consider THMs SocSim a personal project. Like you guys already mentioned more personal projects would be a good idea. Setting up a lab environment, playing around with wazuh/splunk etc. are great starting points.
Goes without saying though: good overall resume. Short, concise and to the point. One pagers are always the way to go. Good luck on your second interview, you'll do great! 💪
You should absolutely write to them and ask for an update on the third stage interview! There could be any number of reasons why it's taking time for them to respond.
Determination; not desperation. 😄
" Is collecting data and maintaining confidentiality valued in this field? Would be worth mentioning in a future resume where I’m looking for entry level cyber work? (I’m going blue team. Hoping for SOC when I have the tools)"
Absolutely! However short you write it on your resume you can always expand on it during an interview.
Confidentiality and handling of sensitive information not only goes hand in hand with a Info/CyberSec culture within workplace/function/team but it's also most likely regulated within rules, laws and policies. So showing an understanding of that is always positive.
Nah it’s I’m in Europe so it worked for me.. you just have to cancel out any other product that doesn’t have a $0 amount in the cart and then you get it free.
if you go to the learning road map tab, you can see a recommended road map of doing the pathways
i will suggest you follow that as it is
while doing challenge rooms on the side to reinforce what you learn
You should wait like 2-3 days more if there is no response then you can email them
Go ahead and drop your question here. Someone who has an insight on it will surely respond.
If anyone knows of somewhere (UK) in the Hertfordshire to Edgware/North London area that would be able to take an A Level student for a week's work experience in June please @ me
Would love to hear some thoughts here^^ :)
This was helpful, thank you!
Gave +1 Rep to @dire moon (current: #2803 - 1)
Hi, I'm an ongoing 2nd year college student in cybersecurity. What are ways I can market myself after I graduate? I only know of Credly with digital certificates; can you market yourself with a TryHackMe account?
Bele bele :3
Projects
ok
Good question. Is this in relation to SAL1?
In terms of entry level certs, I'd say applicability and notoriety/reputation. In other words, what cert is applicable to a range of positions and is most recognized or well known.
As an entry level job applicant you definitely want something that is plain and simple going to give you the best opportunity to land your first job. Just my two cents.
I don't have any other $0 project/product in my cart... that's why it is more confusing
You should look at their certifications and then look at the entry level course and apply for their free training and exam offer, it should guide you through how to get it, which requires you to get an account with them..
I’m a BTL1 holder and a long time premium subscription user is there any way I can still have a chance to try SAL 1 for free?
I think that this promotion ended on March 31st 😦
ik but like if any possibility 
any idea to whom to reach out is cool as well
Follow THM socials and Discord server for new updates 🙂
3rd week in as a SOC analyst, feel free to ask me any questions.
Do you work remotely or on-site?
I currently work on site standard office hours, but about to be 24/7 and so I'll be hybrid working, mostly from home and in the office for 4 in 16 days lol
What kinds of hands on experience and certifications made you feel ready to start applying for SOC positions? Do you like it so far?
It was a bit of a leap, but I really wanted to move on from helpdesk work — I felt stuck in my last role. So I just applied for a position I came across. Honestly, with how competitive cyber is and the fact that this company is massive and has loads of awards, I didn’t think I’d get it, especially with my lack of experience. But yeah, I got it — and I love it. The company’s great and the people are super sharp, which helps keep the number of alerts low most of the time. That said, it can get busy and sometimes I have to drop what I’m doing to focus on triaging the alert queue.
It works out though, because it gives me time to focus on building my notes and knowledgebase for now — that’s my priority at the moment so I’m ready when it’s time to properly start triaging. I know others are keen for me to get stuck into triaging soon, so I’m aiming to get everything set up as quickly as I can. This will also help me in the long run when I become 24/7.
I don't hold any degree or fancy certs. I came from a military background, transitioned into IT helpdesk and completed an apprenticeship, where I went on to stay and do the tasks of a system engineer. I completed MS-900 and AZ-900 and I'm soon preparing for other certs like SC-200, AZ-500, etc. I may even consider SAL1 in the future.
And Sec+
I’d say experience is much more valuable than a degree or cert — those just prove you can do it when you probably already know you can. I think that’s what helped me land this role as a SOC Analyst. I was able to confidently answer questions based purely on hands-on experience. The way you speak, explain concepts, and communicate clearly with clients goes much further in my opinion.
@grave spruce Sounds like your company has confidence in your abilities and also wants to help you learn new things which is awesome. This is helpful, I appreciate it.
24/7? Is that when you will be working Hybrid?
Your company may already have a certification/education program they can help you with. If they don't but do want to assist in helping you (financially) with a certification I'd recommend a more hands on practical certification route, i.e. BTL1, SAL1 or maybe even CCD depending on your current role (rather than Sec+ and the like).
Congrats on your third week in cybersec, welcome to the fold! 💪 😄
Yes they are a Microsoft Partner and like to push us for Microsoft certifications. They have a list of vendors you can request, so because of this I'm unsure as to whether they'd be willing to fund the SAL1 course.
It would be sweet if they did though. I also noticed that SAL1 is marketed as helping people get into a SOC, so I'd have to assess how useful that would be to me down the line.
Yeah if you've worked in a SOC as an analyst for a bit you're quite comfortable with the SAL1 exam.
hi there,
hope you're doing fine. Am I at the right place if I need some help on "Nmap: The Basics" task 3 ?
This is for careers, you’re looking for #room-help
ok thanks 👍
Gave +1 Rep to @delicate nest (current: #2804 - 1)
Please don't advertise here 🙂
Thanks for sharing your xp 🙂
Gave +1 Rep to @grave spruce (current: #968 - 5)
Hey everyone! 👋
I’m completely new to IT and just starting my journey. I don’t have any prior professional experience in the field, but I’ve recently been introduced to TryHackMe through a friend and I’m hooked! 😄
I just finished the Pre-Security Pathway and really enjoyed the hands-on learning. It’s confirmed for me that I want to pursue a career in cybersecurity. That said, I’m a bit unsure about the best path forward from here.
Given that I have no background in IT, do you all think I should try to start out in a Help Desk role to get my foot in the door and build foundational knowledge? Or is it possible to land an entry-level cybersecurity position without having prior IT experience?
I’d really appreciate any advice, personal stories, or guidance from those of you who’ve been through this or are currently working in the field. 🙏
Thanks in advance!
@severe arch Read my messages above
Hey! I appreciate you taking the time to share your thoughts - really helpful! 🙂 It's about certs in general.
When it comes to choosing the right cert, how do you figure out which one will actually give you the best chance? There are so many out there. Is it more about name recognition or proving you can actually think and work like a cyber professional?
Certs are a business thing, not an IC thing. Don't spend more than you absolutely have to to get into industry, because certs are how the business demonstrates competency for regulations, compliances, customers, etc.
If you really want to get certs as an entry point, look at the roles in your local area and see what the businesses are asking for
This could be a silly question, but for someone starting out with no knowledge, what is the best path to landing an entry level position in the field? I assume just using the rooms on this app won't be enough and will need to be paired with a college education?
What part of the world are you from? It depends.
I'm in the midwest USA. Wisconsin specifically
The cliche I've heard over and over again is that "there are no entry level cybersec positions because cybersec isn't an entry level field" and that has been my experience. You don't necessarily need a formal education to get into it but every little bit helps. I'm a Systems Engineer treated like a glorified Tier II, III, and IV helpdesk with no college education just a history of playing with Linux machines and I was smart enough to start my own LLC and "hire" myself as a sysadmin 6 years ago. I've got Sec+ and Pentest+. I have the knowledge to do lower level cyber jobs but all of my previous experience involved committing crimes in high school that I don't necessarily want to cop to
Oh ok. What part of CSec you wanna get into? Offensive or Defensive? It also depends
I'm a 25 year old construction worker that is tired of destroying my body. So this is my leap of faith at a career with longevity
I agree with @vivid thorn , so long as you can show your skills, you should be able to find something without getting formal education. I went to college for programming, never graduated. Years later I was hired at an MSP in an entry level answering phones and help tickets. I've since been promoted to more field work stuff ie; setting up networks and the like. The leadership in my company hires for personality because they can teach tech.
Offensive definitely seems more interesting to me so far. It would seem that the offensive side of things is more or less sub contracted in to different companies and would require travel, correct?
Not necessarily. But you're lucky in that you're in the US as a college degree isn't required as much.
For the path: Definitely start with the basics on THM. Learn networking/OS etc. Then get into pentesting.
You might have to start a job at a helpdesk or as a network/system admin but that's not universally the case.
For offensive security unfortunately it is VERY competitive. People are passing the OSCP to get into pentesting jobs.
I guess in the grand scheme of things it would be nice to get into offensive cyber security for sure, but with the position I'm in I want to gain experience through this app and the different rooms ( I have no problem paying premium if that is what it takes) so that I can get a job in the field because active working experience is always the best way to learn more.
https://tenor.com/view/tiger-woods-tiger-woods-tiger-woods-big-dog-big-dog-gif-9857303185080451942
I also entered the tech field after being a lifelong hobbyist after leaving general labour. I was a crime scene cleaner and line cook
This would never work in the EU, most specifically in France and Germany.
A Master's degree is a minimum as a requirement, even with the OSCP.
If you have the OSCP but no degree, impossible in here.
General construction man. Everything from roofing, siding, drywall, floors, concrete, you name it, I've done it. "Hacking" has interested me since I got into video games as a young kid and I've always had an interest in this stuff. I'm glad to hear that degrees aren't universally required in the US because that seems to be more and more common which is sad because a lot of the time a degree doesn't necessarily hold as much value as hands on experience
If you decide to go with a degree check out College Hacked and Degree Forum if you're a self-directed learner. They can help you get everything together to graduate with a Bachelor's degree for under $10k and in way less than 4 years from legit accredited non-profit colleges. I'm on track to finish an IS & Project mgmt degree and when I graduate I'll have only been pursuing it for 8 months
I'm a weird case though I had a lot of previous credits I was able to apply
A degree is absolute trash compared to OSCP lol
I'd hire someone with OSCP any day over someone with a master's degree
Unfortunately that's not how it works in the EU
Personally I focused on both degree and certs, and landed my first job ever in the CSec field at 22
Didn't have to work in anything related to help desk/ net/sysadmin before it
Anyway I wandered in here to figure out how I GTFO of helpdesk. My titles keep getting fancier but that means I just end up at higher tiers of support and with more and more niche technology and I'm getting really frustrated trying to just land a SOC Analyst position even at a pay cut
Does your company know you wanna do more?
But it's given me better insight into the gaping holes in security that a lot of ERP hardware presents
There's no way you can do it yourself - What I mean by this is that, after some time, you obviously have what it takes to switch. But your employer should do it for you (The switch)
I appreciate the insight guys. I'll make a note of those college options. Dag, I wish you luck in your pursuit!
They've known from the moment I've been hired. I even set up the IAM system before they hired a dedicated person to do it that wasn't me for some reason.
