#cyber-and-careers
Is the CREST Security Analyst Practitioner cert a decent first one? I'm a software developer looking to specialise in security, maybe become a pen tester full time
@real quarry what kind of software dev are you? You could look at playing in your vertical. For example, if you are a web dev, you could look at web app security, CWASP, or simply look at SANS GWEB or SANS GWAPT
Not entirely sure but there are many good ones out there.
Yip... But it's undeniable in terms of credibility. Stick with web based security. What software stack (languages) do you use? @real quarry
I use python and JavaScript on a centos7 vm at work but I also run a production grade webapp in my spare time with React, .net core, and postgres
.net core is on kubernetes and postgres is now on a VM (used to be on kubernetes)
@nova magnet
@real quarry Ah OK... Python would be your bread and butter. Let's stay in touch and let me know how it goes.
Another question: if I want to be a junior pentester or pentester, I need to have a cert, right?
Or will they accept me when I don't have a cert?
???
Most employers will look for a cert maybe even a degree with a cert
@leaden flame Look at junior pentester jobs in your area
Look what they ask for
Aim for those requirements
I don't mean a junior pentester at a specific company
I'm just asking about most of the companies
@quick forum
@leaden flame a lot of companies don’t care about certs. They will do a technical interview and then have you do a CTF they set up to screen candidates.
@leaden flame Look on linkedin. It varies by country, and by location
@lost glen The certs get you past HR
Get you an interview
They're listed as requirements for a reason
@quick forum can you give me more information or send me the link
to learn more
I don't have any idea about pentesting; if anybody knows about that, please DM me and tell me more
@quick forum I’m just speaking from experience. You are correct that some companies won’t even talk to you if you don’t have something that is in the requirements. There are some, fairly well known security consulting firms that rely on a technical interview and CTF.
my point still stands. Check what companies around you ask for
And I agree with @quick forum look what is being asked for in your area.
Find jobs you'd like to be able to get
ok
Look what they want
thx @quick forum for your help, it was really helpful
I just searched for junior pentester on LinkedIn worldwide and there are only like 7500 results. Have the opportunities decreased or is it only this much?
junior penetration tester
Is this just my LinkedIn or am I searching something wrong? Shouldn't it be more? James?
I don't know
Junior, probably that's why
Damn, penetration tester shows fewer results than junior
Why did I even search that, kinda demotivating
You also gotta remember that this is 'rona time
Lot of companies are on a hiring freeze
''it is what it is''
Seeing as everything is now web based, I'd think that web devs are being hired like crazy rn
Every 2nd person I see is doing web dev
Ok one more question. I talked to one of my relatives working in IT, and when I asked them about pentesting they were like, isn't that automated? Like all the web devs do that on their own with automated tools. Though they also said that pentests are obviously required by most companies, but the opportunities are less...
bruh, nah, many opportunities
Hope this is the right channel...
just be good 👀
Idk the LinkedIn results just shattered my motivation TBH😂
But yeah I like this obv...don't wanna quit it just looking at the opportunities...
spacex themselves need like 5 positions in cybersec to fill
dw, enough opportunities for you to get ONE job
Hope so
@upper vector The tools used to actually perform penetration and such are all automated- just like how you can hack into a majority of boxes with metasploit and stuff alone. Pentesting encompasses more than just "penetration" though.
Pentesting is evaluating an application and identifying current and possible future vulnerabilities, and providing the information and steps needed to harden the system
It's a detailed analysis of the current security policies and features of an application, and also providing consultation on oversights and even finding new vulnerabilities
A hacker can penetrate things, but a career pentester knows how to write a detailed report that anybody can understand and use from their penetration.
Thanks for the answer appreciate it I was really worried thinking about this .... @warm hinge @vivid hedge
Yeah, it's not that pentesting is not in demand or anything
but rather- it's mostly fulfilled by the hackers who are able to market and utilize their skills for a company
Hello everyone. I currently work as a penetration tester, and over the years I've found it difficult to find a training routine that works for me. Time is definitely one component. However, I'm guilty of trying to learn too many topics at once because I recognize their value in a jack of all trades profession, but there isn't enough time in the day to make any substantial progress when trying to learn multiple topics at once. I've tried to dial it in lately by spending 1 hour / day minimum on my biggest weakness (web app pentesting). I would love to hear if anyone has any advice on how to build an effective training plan.
Idk but this seems really low compared to some other entry level jobs?
@upper vector well the security industry is quite small...
@upper vector web devs don't do pentesting... The only testing they do is automated, functional or even manual. It's basically bugs/faults in the website that they either report or fix, but breaking a website is not what they do
Alright thanks:)
Does anybody have any sort of experience or insight on Juniper certifications? https://www.juniper.net/us/en/training/certification/
They're free, and apparently somewhat commonly used but how does it compare against other certs? is it recognized?
@warm hinge this is what my friend had to say
free is free
Sweet, might give em a go
i plan on picking one or two up
Yeah
They look super detailed, and I might just really do them for that reason + they're free
- they're used in modern situations/context
@warm hinge yes it is recognized, but you have to either know Cisco or Juniper and stick with it... I suppose you can do both, but it's a 'master of none' method. PAN, Cisco, Juniper etc.... You should master one of them
In my industry I would say PAN and Cisco are most common and most in demand..
I see
It depends. You have to do your research on what networks and infrastructure your dream company is running on and kind of wing it from there....
yeah, true
Anyone online who knows anything about the eLearnSecurity PTS? Trying to figure out if it's worth doing it before doing the PTP. Thinking whatever I can learn from THM will land me with some of the PTS knowledge, and some of the PTP knowledge but not enough to have finished either
@hasty geyser if you can do the offensive path on thm (except the re and bofs), and you follow through the pts course, you’ll be able to pass it easily
haven’t done ptp so i can’t comment on that
Thanks! I'm wondering if the PTP requires skills that you'd need to use the PTS for
Or whether you can skip the PTS, learn the skills just from their training materials + THM and then start PTP
A lot of the PTS looks really really basic
you could just go for the ptp if you’re looking at the pts and the topics seem too easy
it’s up to you i guess but probs better getting input from someone that’s done both pts and ptp
Yeh, and the free materials for the pts aren't necessarily super useful
So it's not like the topics they discuss that I don't know much about are well explained without the videos or labs
So I've been told. For the PTP I'm thinking of going for the Elite Package to double the lab time (and get the information on Powershell stuff)
I got the Elite package sLOw. I found the most value in it from the Ruby module and being able to download the PDF's.
I am certified eJPT and eCPPT. Is it possible to find a remote job without experience?
erm, it's certainly easier during covid times, but lots of big businesses are on hiring freezes right now
these are the number of job references for eJPT/eCPPT on LinkedIn
if you've never done pentesting before, the answer is likely no
if you have, those chances go up dramatically
https://boards.greenhouse.io/thoughtworksreferral
These are referral positions available at Thoughtworks. Hit me up if anybody is interested in any of the roles. We have a couple of security related positions; more will obviously come post-covid.
What certs do you all think it would be good to go for? I have a comp sci degree and am currently at an entry level SOC Analyst position
How do I know when I am ready to prepare for OSCP?
@warm hinge there are plenty out there. You need to research in which vertical you want to play in and take it from there.
Look at jobs you want to apply for
@quick forum except for CEH nah ? x)
Saw it was asked for a position at Amazon lmao
@light parrot looks like in this era CEH has no respect .....XD xD
@elder grove Great, you think there are enough resources in the course to pick up certain items from scratch? I'm still not entirely sure I have the prerequisite knowledge when it comes to straight pentesting skills (the programming skills I'm not worried about)
How can you enter a job for cyber security if you haven't got any certs and you're fresh out of uni?
show that you’re passionate about cybersec by doing thm/htb, having a blog, a github etc
Is it often that companies will cover the expenses of employee's certs in order to gain more of an understanding?
Completely company dependent
I see
Anyone have any idea what infrastructure as code is? Is there any specific language tied to it?
haha osce go brrrr
It's being replaced by CEH style multiple-choice questions, where you get 3 seconds to answer each question, when you fail you get an ever increasing voltage shock. It's going to be certainly Try Harder.
@distant pier You really dislike OffSec,
@nova magnet If you're interested in more low level or firmware level code, you'll have to learn things like C, C++, Java, or Rust most likely
depending on what level of infrastructure you're dealing with
C is pretty common for dealing with low level applications (also Rust more recently)
is base64 encoding a cover letter a horrible idea?
@nova magnet check this out, https://www.thorntech.com/2018/04/15-infrastructure-as-code-tools/
IaC is basically defining how you want the infrastructure set up using code or config files
I should say managed instead of set up, but it's a really interesting subject and has a ton of practical applications
Poor poor HR
@quick forum yeah you're right, thanks for the sanity check
@tardy veldt depends who you sending it to..... I always say, know your audience
TBH, and this is from experience in the field, resumes are usually screened by HR first
who usually don't have experience in the field
I work in HR and I'd be intrigued by it. So like I said, you have to do research and know where your CV ends up.. If you're sending it to a job ad then RIP, but it's always best to send it to someone you know
Yeah true, but some HR departments do use automated/AI resume filtering, or is reviewed by people with no technical expertise in the desired fields
but yeah, generally it's better to just format your resume to be appealing to all audiences on first glance and you can leave some juicy topics as a small note in there, and then during the interviews/elaboration, impress them with the real technical knowledge
@warm hinge true true
@warm hinge like most things, it's all about who you know and most of the time, bad hr departments never see good cv/resumé...
Hey. I was told this is the right place.
I've been asked to find 3 security engineers (cloud security) - specifically azure security with infrastructure as code(must be able to code) . 2 - 4 experience. Based in Maryland.. Let me know if you know anyone or if you would be interested...
@quick forum , I've been reading your posts regarding jobs in the UK. I've got a reasonably unusual and possibly interesting background and am looking to career change into pentesting. Would you be able to spare me a few minutes to discuss?
James is asleep 😴
Fair enough in this heat!
Is there anyone else that has experience with UK recruiting who is online now?
@lethal loom what's up
@remote mauve Hey. So I've got quite an unusual background, and am looking to enter the inndustry as a career changer. Is this often done?
depends what you mean by unusual to be fair
Also, I normally have no issues spelling the word industry.
Any chance of a private conversation? Couple of minutes?
yeah, sure feel free to dm me
@lethal loom I've worked the UK market for 3 years... What's up?
To get the CEH certificate do we need any work experience? Or are students also eligible to apply for CEH?
Any one
If your school provides CEH Training
yes
if not
you need to talk to someone at EC-Council
I would highly not recommend it though.
What about CompTIA Security+
You can do that without experience as long as you have the right knowledge for it @olive forge
Thanks @unreal arrow
Np 🙂 it’s a fundamental cert so not much is needed
Hi all, I'm UK based and recently got into the website after graduating with a degree in computer science with security and forensics, still job hunting while trying to get into grad roles for security. Any general advice for how to land my first role?
@shadow compass Just look around for any jobs in your area or somewhere near. Try to reach out to people, see if they can help, and look on LinkedIn
Has anyone taken the sec+ cert exam?
I wanted to know how hard it is and what to expect
@wraith crane if you look at the pinned messages there's a blog with the certs that spooks has taken, you'll get a better understanding there
@visual heart Ah, I see you hunted me down. I'll accept. You popped up on my linkedin a while back via tryhackme
@quick forum lol I remember seeing you on my feed as well and meant to add you 😄
@nova magnet Why here, and not say for example indeed or CL or some other HR territorial service?
I am not criticizing, i am curious. As i just got my LoE from my employer 😉
has anyone done any of these courses?
was thinking of buying the bundle
sorry I have got a silly question 😆, are there any certifications that are provided by the tryhackme platform that we can add to our CV?
after completing learning paths and different types of training
ah thanks, any advice on how to add what we learn at tryhackme into the CV
@stoic quest put a link to your public profile
You could add your rank. But like I said, since this is a learning platform and not competitive based it won’t mean too much
@somber bramble I'm trying to get into this field from a different IT field so it's kinda difficult, so every little helps, but worth a try
@pastel gyro thanks dude
Yea it won’t hurt to have it on there
@stoic quest i would just like to add that you get a certificate for completing networks, if you really wanted a shiny bit of paper 😛
@rugged sable solid thanks Ponspector
I want to get the certs in the future. What do you guys recommend to do to prepare?
Are there free courses you recommend?
I am aiming for eJPT, eCPPT and OSCP
Juniper have some free certs that are networking focussed
@stoic quest for reference, this is what i have on my cv that is related to tryhackme
@static tide Thanks ALOT!
i blurred out the things i have yet to release as to avoid spoilers 👀
I really needed to see something like that
you're welcome :)
this can also apply if you have not made any rooms, but you can list things you learnt as a result of using this platform
I wasn't sure of doing it that way because I hadn't seen an example, but now it makes more sense
honestly thanks 🙂
you're very welcome :)
Oh actually I have something similar on my CV too
@quick forum thank you! I will use it.
i'm not sure if it's more effective to have port scanning, directory fuzzing, etc. over nmap, gobuster, etc.
Ubuntu best font
@tidal maple depending on your existing experience, PTS Barebones (free) + eJPT cert is a nice way to understand the basics of pentesting. If you feel you might enjoy it more then you can look at OSCP
is this the PTS Barebones course?
i barely have any experience
you can get the barebones version free from ethicalhacker
👀
got it. Thanks you.
this is a Juniper course; got it from James. gonna use it as well
yes within 2 minutes
Since it doesn't come with labs, if you feel you get stuck on a topic there's likely a THM room or free resource somewhere else than can guide you
Ok. Thank you for your help
free network security course due to covid :)
(if anyone has taken this, how good is it? 👀 it has some interesting topics but not sure on the quality)
It's not the full version afaik 🤔 or is it
this course is like introduction to CNSS
i am already in
but they dont give you proper cert
@static tide i've taken it its good
guys, elearnsec has a 35% discount on red team courses right now. does anyone know if this applies to exam voucher purchases? (i.e. if someone buys a voucher without buying the actual course, as in the case of the ejpt where you can get the course for free)
@static tide do you know if that includes the exam? or is it just the training material? I signed up there a few months back but their stuff is expensive
Thanks
To answer my first question, no you can't. I just tried getting a voucher and adding the coupon and it said "not applicable to any of the items in the cart". Oh well 
you could always email them to double, double check
@pseudo creek well, I might, even though the email I got says clearly that the discount is for courses
But I had to check anyway
@cosmic ingot I looked at that coupon, it seems more restrictive than the 2 coupons they passed out for Defcon... RED-VIL and IOT-VIL
@pseudo creek shit, are those valid rn?
@cosmic ingot ha sorry, they said they would be valid til Aug 31st
no prob
sucks that I can't stack them tho 😛
I bought PTP and WAPT, I really need to brush up on some of the more recent web stuff
My first IT job. I don't do much but it was hard to find a place that would hire a 17 year old lmao
better than nothin!
its beautiful
I dislike that cable management
probably all the root passwords 
they let you take a picture of the network room interesting wonder what goodies I can find just from that picture
👀
It's really bad handwriting I can barely read them up close. But I took the pic because everything's being updated and changed so I wasn't worried
yeah we'd get fired if we took a picture of our network room and posted it online...
Just be careful of what you post, a lot of companies have policies on things like that
and generally be cognizant of OpSec
@tired whale ISO 27001 at its finest
Those things should be locked with a key
Job Holders need some help. Recruiter called from one of the jobs I am currently interviewing for and said the company wants to extend an offer. I haven't seen anything in writing yet and he tried to get me to verbally commit. My next steps should be reach out to the other recruiter right? What do I say?
Scratch that an "offer sheet" just came in as i sent that
All that's on it though is my name and the pay
plus it lacks redundancy
I'm not sure if this is the right room for my question, but is there a way to do an authenticated scan with nmap?
How do you mean "Do an authenticated scan" with nmap?
scan a machine from inside
remotely ?
you need access to the machine
services that are bound to 0.0.0.0 (or a given interface IP) can be accessed remotely
services that are bound to 127.0.0.1 (or local host) cannot be accessed remotely
what if there is a firewall or no port is open ?
then there's no ports open and you can't do anything. You need direct access to the machine.
if traffic is being filtered, it's being filtered. There's not much you can do about that.
if I had an option to add access credentials, similar to OpenVAS for example, I think that will help?
if there's no ports open, you can't authenticate to anything
where do you think those credentials would be used?
the same technique used by openvas or nessus maybe
OpenVAS/Nessus authenticate to the services running on those ports.
there's no place in the TCP/UDP packet to provide credentials while scanning to detect if a port is open or closed.
This is all basic networking fundamentals topics that you should know before moving into security.
yes I agree, but some paid scanners do that without opening any port all the time
that makes no sense.
for me too i'm trying to understand that
I think now you need to go back and learn about networking fundamentals.
For anyone interested, I got an email that OffSec will have a "ask me anything" webinar next friday, which includes how to get started in the offensive side of security. they say they will send you a link to the replay if you sign up https://learn.offensive-security.com/ama-webinar-aug-2020
AMA: when are you gonna send my cert that I passed 4+ months ago 
I just got my cert and I passed in Feb, guess they're going through the backlog now
yeah they said they use an external company to print them and there are issues there
In this article, I tried to give you information about the SIEM product. I hope it helps anyone who wants to improve themselves in this topic. Thank you to everyone who reads. https://medium.com/@fatihturgutegitim/what-is-siem-what-does-siem-do-what-do-we-know-about-siem-1-dda3a6760260
How does the THM leaderboard work for custom rooms? Is the rank based on how quickly a challenge was solved?
Dammit, my mistake lol - wasn't paying attention
I’m impatient and just wanting to get out of my job because of all the racist overtones but I’m seeing just how hard it is when I don’t even have my A+ and my resume seems paltry
A+ is super meh. Like going over the content is nice for foundational knowledge, but having an A+ cert is... uhhh... yeah.
You should aim for the certifs you need for the job you want.
A+ is good if you are literally brand new to computer technology and operating systems as a whole
but as a resume item, it just only demonstrates that you took a certificate to know how a computer is built (consumer-wise) and how to do a lot of basic and advanced functions on the computer itself
you don't need A+ necessarily if you can demonstrate computer literacy via your experience/projects/other certs
Not dissing the certificate- like I said, it's great if you literally know zilch about computers and stuff, but you want to prove that you can fully understand them
SEC+ or CCNA are most sought after certs for employers
Depends on location and position
A+ is also good if you want to be a field tech and actually repair hardware. but anything software id skip the A+
also CCNA isnt in all areas, thats more of a specific field of work, as juniper is the main company in certain areas.
but CCNA is still about 80% of that field, it still depends on your location
very true but most companies that are hiring for L2 or NOC or cybersec want SEC+ or CCNA at least from ive seen
where im at if you are working in NOC they look for the N+ and not the SEC+ but thats my area
CCNA if they use cisco. but if they dont use cisco... CCNA is irrelevant
granted most do use cisco. so you most likely will be better off with a CCNA compared to Juniper, etc
very true but most companies that are hiring for L2 or NOC or cybersec want SEC+ or CCNA at least from ive seen
@nocturne sable Not if you're aiming for a pentest role
Pentest role is going to be stuff like OSCP
obvi but for NOC in my area they wanted SEC+ or CCNA and CEH would be easier instead of OSCP right? @quick forum
no??
CEH is a meme
Unless you're going for a DoD job, but there are still better certs that count for DoD
guessing pentest + is off the list too huh lmao
CEH is like the A+ equivalent to security certs
maybe less
lmao
CEH i heard ws good back in the day, but its just outdated now, but i could be wrong. i wasnt around back then
Kinda yea
I only see it required in like, government cybersec job postings tbh
Is comptia relevant?
I would say so. I got my current gig with nothing but the A+
I would say it probably depends on the employer.
What they are looking for.
Ah fair enough. Is there any general certs to have that anyone would know would be good to have for someone based in the UK
what do you mean general certs?
Certs that are widely applicable I suppose
uhhhh
depends on your field?
networking is going to be needed in most it positions
so net+ or ccna if you feel like going deeper and challenging yourself
Is PenTest+ worth it? Had an interview where the hiring mgr asked about it
It's not recognised that well but i've heard it's a pretty decent cert
@south nest
comptia are trying to get it recognised tho
ty
and in general, I think Comptia is regarded decently (I personally have no experience with them and generally not mentioned by people I work with) but sometimes certs can give you an edge over the competition/help you get a foot in the door.
PT+ covered a lot of topics that you're likely not familiar with
a lot of managerial topics, process if you discover IoC, etc.
I see..
hmm I'm not sure what to strive for since I just got laid off and now have a lot of time on my hands
Look at jobs you want to get, see what they ask for
good point will do
yes, that is a great strategy, look at job listings and see what they ask for
In this article, I tried to give you more detailed information about the SIEM product. I hope it will be useful for you. I recommend that friends who are interested in network security read it. Thank you to everyone who has already read 🙂 https://medium.com/@fatihturgutegitim/what-is-siem-what-does-siem-do-what-do-we-know-about-siem-2-3e44314eb412
they'll probably be better posted in #resources ^
@languid hearth out of all your certs, which would you say has been the most useful in real world scenarios?
Zero Point Securitys red team ops course has been the most valuable to me. I didn't get the cert that goes along with it (yet) but it was by far the most Educational for real life applications.
same with Pentester Academy's 'Advanced Red Team Ops'
I think those have been far more educational than any cert I've taken.
Alright, thank you. I'll definitely have to look into them
Zero point is always full 😢
theres a reason why
I figured
I feel like most certs are HR filters really. Even the good ones have so much content that you spend a month labbing it but a month after passing the exam you've probably forgotten most of the content
the 25th is when some more spots should open up
if im hiring someone, this is what I want to see them have;
- CCNA
- Security+
- OSCP (or some alternative)
- Understanding of AD and attacking it
- Community Involvement
- Passion
I'm not a hiring manager, just a lowly network and security engineer. But usually when it comes to entry level roles they're mostly looking for drive and a good attitude. They can teach you technical but they can't teach you a good attitude and eagerness to learn
@languid hearth Spooks, let's say my grad job falls through (which I am worried about), what are the most important things I should be doing rn? I can't afford certs 😦
your open source contributions to the community would stand out the most to me Bee
you would certainly be the exception.
the easiest way to tell if a person is a good fit is to talk to them. If I have someone who has a portfolio full of open source security related projects, you bet your ass I'm giving them an interview
is anybody hiring ? I am looking for the Job
we only have 1-2 job postings in here once every blue moon
LinkedIn would probably be your best bet.
Try to be a real human in an interview. Most people want a good culture fit and somebody who will fit in with the team. Usually I'd say it probably doens't matter how good you are if you can't hold a casual conversation or look somebody in the eye. Nobody wants to work with a goblin sitting in the corner hammering their keyboard and not interacting with the team
Currently trying to get through ATS to get the Human Interview
thanks!!1
I'll focus more on my OSS projects 😄
you just need to get those in front of the right person tbh
you've got a ton of potential Bee
I see a lot of people who will take CySA+ as a level 2 cert!?!? but Sec+ as a level 1 cert.
Like you must have 2 from column A, or one from column b sort of thing... but these are Land of the Free based companies hiring people for work with a def contractor
Is there a place that offers test exam questions with a higher credibility rating for realism/coverage? Even better if they do blind grading
CompTIA, ISC2 and SANS cert are good for DoD if that's the interest
CCNA or compTIA Network+
Which cert is good to enter in network field
If the company that you want to apply uses Cisco or specifically mentions CCNA in their job postings, then CCNA is good. Otherwise, if you're not sure, Network+ will make you versatile for most companies
But they both teach you the entry level stuff
CCNA goes more in-depth into actually setting up, operating, and maintaining Cisco hardware/software
Tq @warm hinge
Anybody here
working as a cyber security analyst?
Got a few questions about
practical things u guys do day to day
They analyse ig 
@dawn raptor I suggest you just ask, rather than asking if anyone has that job title first
@quick forum well I just wanted to know what are
the day to day things these guys do
as I want to apply for that job
Have you looked at job descriptions online? Or for the specific one you're applying for?
from working in security and IT in general, I can tell you that job titles don't usually match up to an exact job... Cyber security analyst in my company could mean almost anything
Then the job that you're applying for should really have a description
and if you want to be even more confused, look at the NICE Framework that does try to match job titles to duties... there are still a lot of generics https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/workroles#
What are some good security / IT LinkedIn groups?
all my regional ones are very dead
I think Twitter is where it's at for some of that but I'm not on Twitter
I've joined a few on LI but all of them largely have blogspam posts. Better to just use something like Twitter as suggested so you have a better filter
oh I'm not interested in the content of the groups, I want to interact with a LinkedIn group so I'm more viable to recruiters
totally agree that Twitter or any other platform would have better content
I meant visible but viable works too
When I got absorbed into the last employer, they just stacked the word Manager in front of my job title.. no job description to speak of
Hey guys!
I need your advice with understanding web penetration testing.
I am studying from PortSwigger academy https://portswigger.net/web-security
The problem is there are some topics I cannot understand well, like XSS and CSRF.
I wonder if the problem is I do not understand JavaScript enough.
If this is the problem, can you please recommend a good source to study JavaScript
for JavaScript follow Mozilla's dev page: https://developer.mozilla.org/en-US/docs/Web/JavaScript , understanding JavaScript in depth needs a lot of effort...which is not required for pentesting though...
Phone number tracking ?
Spying? Help
@deft delta lmao nah
I'm in the industry and I can't think of one valid reason you'd want to track someone's phone. So yeah, no.
Cuz someone’s tracking my phone so I wanna be petty and track their phone
bad 
my girlfriend is cheating works better @somber bramble
also, STOP CHANGING YOUR NICKNAME
getting hard to keep track
I DON'T CHANGE IT THE MODS DO 😭😭😭😭😭😭😭
@somber bramble no we don't!
😡😡 🤬
😁
😝
@tepid pilot when I was studying the material in portswigger I remember it was extremely good, so if you're still struggling with understanding some of those concepts, you should look to more beginner oriented resources like this https://www.hacksplaining.com/lessons. googling the terms is also an option, you'll find answers to a lot of basic questions this way. even wikipedia has some nice descriptions for a lot of the terms.
I also have the Web Hacker's Handbook that I'm starting to read as well on top of PortSwigger, the OWASP Top 10 site, etc., honestly TryHackMe has helped me out a lot especially with their web fundamentals path.
Is anyone here in an application security role?
Thoughts on this job title? I have no idea how to make this into a job title & sound impressive 🤷
@pallid flower Yes, what's your question?
@rugged sable Assuming you have this under a job experience section, would it make things easier to put this under a new open source section instead? Unless a company is sponsoring you to work on those projects it may be a bit misleading to put that under an employment section also.
@pallid flower you don't need the book, the portswigger academy was built as an always up-to-date version of that book
What resources or methodology do you use to learn a programming language enough to be able to do static/dynamic testing ?
I personally use SoloLearn to learn the syntax of a language
Then mess about with it for a bit to get comfy
Learning just enough about a language so you can start working on projects on your own - don't worry if they are crude - and then looking at them from an adversarial/security perspective might be a good idea.
Caveat: I went from programming to security so I'm just guesstimating what I would do if I had to start from scratch
making intentionally vulnerable programs is good fun too
But that quickly becomes box dev which you should try out, you might like it
Thank you guys. I've been looking at SoloLearn and it seems fun.
I'm in school and had 2 classes in Java, I've learned other languages on my own.
The good thing is that I was told if I can brush up on my java skills I'll know about 70% of the work as most apps there are in java. So that's what I'll mainly be focusing on.
It was definitely a tough first language to learn but made it easier to understand like python for example.
@meager hazel it comes under "experience" which mostly includes voluntary work / unpaid work (such as TryHackMe) since I'm a student and have little paid work 🤷♂️
This resource might help: https://trendmicro.github.io/SecureCodingDojo/codereview101/
Also Secure Code Warrior does some free tournaments during conferences and the objective is to find code vulnerabilities (they support Java and a lot of others… COBOL). Maybe watch to see when they have their next tournament
@rugged sable Ah… the title is fine then I guess
Like, saying you're an inventor & architect is impressive enough as it is
@meager hazel Honestly I just went through my experience, none of it is paid 😂 The joys of being a graduate student
Haha, fair enough
The Cyber Mentor roasts viewers resumes https://www.youtube.com/watch?v=vZkVY4DSAHc&feature=youtu.be
I actually don’t like his resume unless it is meant to show what someone with zero relevant experience should do. An objective should be 1 or 2 lines max, your degrees should be towards the end (unless again you are a recent grad with relatively little experience)
And even certifications I’d put towards the end
@pseudo creek correct, your resume should be structured similar to most job postings...
Thanks for the comments! I'll change my CV to match these 😛
How long did it take any of you guys from industry to get a job? I know it's relative/subject, just curious
Hey guys, I am looking for some advice/opinions. I am currently doing Google's helpdesk course and studying to get A+, trying to get my foot in the door (complete career switch). I plan afterwards to do Network+ and Security+, but I noticed Google also do a cert for Python and automation and I am wondering would this be worthwhile or relevant if the goal was to get into infosec in the future? (however long that takes)
the cert itself probably isn't worth it, but the knowledge, yeah
@languid hearth awesome thanks for the reply, yeah I am not too worried about the certs it's more about the knowledge, I'd prefer to have a wide fundamental knowledge base as long as it can be helpful and relevant.
What position can I see myself in after studying computer networking and Linux?
If anyone here is into / working in cybersecurity engineering please PM me!
Generally, it's best to just ask the question here
yes please ask and depends how you define cyber security engineering..
@green cloud there are a number of positions, WAN/LAN administration or if you study AWS/Azure/other cloud vendor, you could go into cloud operations
Oh sorry, sent this in the wrong chat
I'm about to start studying for the CompTIA Security+ - my first real cert, any advice?
Professor Messer does a really good job of covering the essentials.
Awesome, Tyvm - I
I'll have a look at his stuff, how long did you guys study for before taking the Sec+ exam?
I don't know if that one is on Udemy, but they are having one of their better sales right now
Not sure about exact hours but it took me a month to prep for Sec+, using Mike Meyer's book, Professor Messer's course notes and Jason Dion's practice questions on Udemy
If you look at the CompTIA subreddit it seems most just use a book and/or Prof Messer's videos + a set of practice questions
Hey, do you think eJPT is a good choice for the first certificate?
@meager hazel Thank you! - It's my first cert and I'm kinda on the fence about doing it but it's on sale from £490 to £350 and you get 12 months to take the exam right?
I’m not sure about the exam take deadline, but it is a good foundational cert before you decide on where you want to niche-down within cybersecurity
@meager hazel I just saw that you have both sec+ and eJPT. If you must choose between the two, which one would you suggest?
I'm not ESWAT; however, it depends on where you want to go. Sec+ can be a good general cert that allows for many opportunities. The eJPT, while a very good cert, is somewhat not respected as an industry standard yet and is more specific to penetration testing. If you want some more opportunities I would personally go with Sec+, but that doesn't mean that eJPT can't give you the same opportunities
@polar rock thanks for the detailed answer!
@meager hazel This is exactly why I think I'm gonna go for the Sec+, thanks for the information!
also in general, even generic IT certs are good first certs, need to know what you are securing before you can secure it
@solemn arch I learned a lot from both. But in terms of landing a job I think Security+ was more useful; my current employer (both on the technical recruiting and hiring manager side) didn't know what eJPT was
That being said I didn't mind paying the price I did for Security+ and the study materials. I wouldn't have paid full price for eJPT (I did the free barebones package through ethical hacker and paid for the cert attempt)
Thanks!
@marsh crag Buy the voucher where u get two tries
And it comes with a E-book as well for studying
I've used CompTIA's material and it's meh at best
Professor Messer
as much of a dick Messer is, his material is good.
Well if u have no knowledge then yeah it's meh
But if u have taken a college class or something it's good
I see nothing wrong with the material
and I do :L
Messer's material is far more comprehensive, he does a good job explaining it in an easy, digestible way.
Okay, I never saw Messer's before.. I'll check it out
Any recommendations on the best video course for CCNA?
https://www.cisco.com/c/en/us/training-events/training-certifications/training/digital-learning.html
peep this
The one on Udemy is pretty good (my husband used that for his CCNA)
Thank you both 🙂
If we take this online CCNA course, are there virtual labs to practice, or should one buy the required hardware to set up a lab?
Packet Tracer can be used for a majority of it
gns3! gns3! gns3!
legit ISOs wya
I am planning to prep for CompTIA Sec+, but the present version is SY0-501; they're going to update it in November to SY0-601.
If I prepare for SY0-501, will similar topics be included in the updated version?
Should I wait until November to get access to the new version materials, or should I start preparing now with the old version materials and video courses?
FYI 501 won't retire until July 2021, so after November you can take either of them until that retirement date
@solemn arch
eJPT is a nice cert a few people I know have taken it and I got the barebone version for free.
Cert wise I plan to go: eJPT then eWPT, then other testing certs but that's cause eWPT will help me out in my future role.
I'm in school for cyber and studied for sec+, but don't have the cert.
I'll probably get both Net+/Sec+ before I ever move on to more advanced certs like OSCP tho. I want to make sure I have that foundational knowledge.
@pseudo creek that is absolutely correct!! I'm glad I learned that concept earlier on in my college time. [About the knowing what you're securing before you can secure it.]
How do you guys keep your Sec+ and Net+ certs 'up to date'? I'm buying the Sec+ 501 today but in a year it'll be retired, do you just do the online training stuff to keep the certs?
usually with any vendor, they will provide guidance. I don't know about Net+/Sec+ but things like CISSP require some type of continuing education plan. then there are things like AWS where you have to retake the test (although honestly with things like AWS, it changes so fast they have to require that)
Yeah I don't want to have to re-take my Sec+ every 3 years so I'm planning on doing the 'continuing education' thing to keep it going
You don't really have to re-new the sec+ cert
ideally you should be able to get a job and start earning some professional experience, which outweighs the sec+ and opens you up to more specialized and higher-tier certs
CISSP is more of an experienced cert, and also not necessarily focused on security, but more about management of security staff and policies
You also have to continue taking tests every year for your CISSP cert and still renew it every 3 years too
It's like $125/yr lol
I let my CISSP lapse but when I had it, I didn't have to take any new tests, just continuing education credits
and yeah you have to pay, but that is what work is for, they pay. Also when I took it, it wasn't anything about management of security staff, it was a lot of stuff unrelated to my job as a lot of it was government security focused and things you don't really have to worry too much about in the corporate world unless you are working classified programs
I’ll decide in 2 years when my Sec+ expires whether I should renew it or not. Hopefully by then my experience and community contributions will make up for not having that updated (and will likely not get the $50/year in value I give to CompTIA in return)
Oh, and yeah 601 doesn't play into that. You don't need to retake newer versions to maintain CompTIA certifications AFAIK. Just pay your annual dues and earn the CEUs
Just buying the Sec+ now and god damn £350 for the exam (which is fine) but £69.80 in tax too 
if you have a student email you should be eligible for academic pricing
Should tag them if they haven't bought it yet
@marsh crag
There's a thing in my country called Cyber Centurion and if there's an opportunity to go there, should I?
guys no no nkp no no n o
i actually remembered something useful from the ceh curriculum
I'm sorry
I've failed you all
@loud loom Yeah, if you have an opportunity to go and do something, do it.
@languid hearth wait what
CyberCenturion is really good @loud loom
@quasi stream Because I'm going to college next month and you know the usual 'if you want to get into Oxbridge you should do extra curricular activities', and I heard they competed a few times so I might ask my CS teacher about it when the time comes
Imagine being smart enough for oxbridge 
Hey guys, does anyone know if EC-Council's certs are worth it? Because I haven't been hearing the best of reviews. Apparently CEH is a bit out of date and it's SOOOO EXPENSIVE. And if you think it is, does anyone suggest what reading material (BOOKS) are good to study from (hearing Matt Walker's are good) for the PenTester path. So CND->CEH->CEH Master->LPT.
That's the path that's interesting to me
They really aren't worth it.
CEH is widely regarded as a bit of a meme
Haha rly....why? 😂
It's only useful if you fancy working for the American DoD
So CompTIA all the way?
Because it's outdated, apparently inaccurate, and generally a waste of money that could be put towards something relevant
I mean, Mayor will recommend ELearn
Please, please do not spend your money on EC-Council if you don't have to.
Bruh it's $1200
I'm not your bruh.
I'm a teenager, my salary is 800/mo
Month and a half saving then 🤷♂️
Yea, things are expensive.
Yea ik
It's tough for people to get into this field unfortunately.
What certs do you suggest
And I'm telling you that EC-Council is probably the worst way to do it.
if you want to waste your salary with EC-Council go right ahead
Their marketing has A-game somehow. Not sure how it's readable being as their tests and materials are half English.
Then what CyberSec certs do you suggest. Hearing CompTIA isn't half bad or am I half wrong?
It depends what you want to do.
If you want to break in to government contracting in the US, the CompTIA certs are the cheapest way to do that.
A starting point would be Net+ and Sec+
skip Net+, it's equally as memey
You don't need Net+ or Sec+ for pentesting. The knowledge from them could help, but the certs don't necessarily matter.
you have a Cisco cert, no one will expect you to have a networking cert tbh. Cisco isn't really a Cyber company, they're a networking company.
Yea, I have CCNA R&S
all the more reason to not get Net+
But Cisco is a company with a mental deficiency so they can be special. Not that all of it is bad but fuck me
That's not cool to say.
It's a joke. Sorry if I offended anybody
We don't talk like that around here or joke around like that.
Ok I'll stop. But what I meant is Cisco has their own net protocols that don't work on other routers or switches. So it isn't something that would be a standard in a wider range of devices.
no matter what network you step in, you'll find Cisco gear/protocols
That's true but they won't prioritize those protocols on the configuration or have them mostly speak on what they did or didn't do.
there's a reason why companies buy Cisco gear and not Huawei
and their protocols are because of it :U
EIGRP is a damn good protocol that companies still haven't been able to replicate
let me put it this way, the amount of protocols that have been modeled off Cisco proprietary is insane.
I understand why and i get that they are good but having a Cisco point of view on networking is how they see it. Just wondering if Net+ has a view on Junipers, Ericsson...so on.
They are vendor neutral.
yes but to what depth do they go besides of how a packet is formed and what protocols exist so on...
two miles wide, an inch deep
you're not going to find the depth in a CompTIA exam, that you will a vendor specific exam
Ok what about the width? What can you find in the width of CompTIA Net+ besides what all other vendor specific exams have (the network basics).
I was able to pass Net+ with 4 days of studying if that tells you anything.
ccna is far from bad 😳
Hey guys, do you think that the ejpt cert is worth it? Does it add value to your resume when applying for Cybersecurity jobs? Thanks!
@static tide Cisco Packet Tracer is a bit bad if you ask me and a lot of the things in the course were describing Cisco as the god of networking/saying they're the best. On CyberSec awareness month I was at their conference and all the presentations were how they're top in this game. When you asked them questions about their achievements they would boast and when you asked them about failures or in other words mistakes they made they would say confidential (they would describe everything while boasting). So yea you can get tired from their ego a bit. It's not bad I agree on that but after a while you can see some ego (not trying to be offensive).
@elder grove I see how you did it in 4 days of studying but I still see a lot of things I don't know in Net+. A lot of good protocols.
@vital herald
I enjoyed gaining the cert, learnt a bit and solidified my understanding of principles. The exam is fun too, I personally think it's well priced for what it is and a good starter cert. As for jobs asking for it I'm unsure, though can't hurt to have it. The more certs the better I guess?
Job prospects aren’t the point with that one I don’t think. It’s more a foundational course with good lab environments.
Plus the exam requires network pivoting, unlike another well regarded industry certification.
@tropic urchin maybe that’s the people at cisco, but their gear and everything they make is amazing imo
I don't think that pivoting is something that should decide one cert is better than another
Fun though it is
sure it's fun but I wouldn't pick one cert vs the other over it
I’m making subtle digs at OSCP. 😂
Make sure you have the word OSCP in your resume, even if you don't have the certification, to pass the HR filter algorithms.
Example: PTP (OSCP equivalent or better) 😄
Hahaha
PTP (Not a CTF)
It’s true.
Certifications: OSCP (Udemy prep course certificate)
The only thing that doesn’t make sense is the “expected” certs like sure if you have an exam scheduled put it on there but if you’re not going to get the cert for a year or two don’t put it on your resume
So, to get a job you must get the OSCP right?
Can't tell if that's sarcasm, but no
You don't have to have it to get a job. But a lot of employers use it to gatekeep.
the company I work for employs thousands of security people in all sorts of positions, only a handful have OSCP and as far as I'm aware, they got it after being in the position
@pseudo creek would they employ me? 😅
@toxic portal I don't think we are different than most companies in the US but if you have a BS/BA or military experience and (preferably) US citizen... they might? 🙂
Oops 😬
> @toxic portal I don't think we are different than most companies in the US but if you have a BS/BA or military experience and (preferably) US citizen... they might? 🙂
@pseudo creek
Anyone know how big the gap between eLearnSecurity's PTP and PTX is? Like, could you continue doing the PTX after finishing the PTP right away or would you need to do something in between?
I think you could.
Don from eLS told me I might take a look at more Active Directory stuff before doing PTX. You happen to know how accurate that is?
Trying to get a couple opinions on this as eLS might be a bit biased towards selling me more courses :p
Download the PTXv2 syllabus to see the table of contents.
AD stuff isn't really difficult, it's about knowing the tools and attack methodology behind it
I'd highly recommend Zero Point Security's Red Team Ops course
That's a good idea @distant pier but I was mostly worried the PTX would assume certain skills I won't have after PTP
Thanks @languid hearth - Gonna take a look at that
availability is limited unfortunately
but lab time should be expiring soon for some
PTXv2 seems to be about red teaming, so the added skills of evading defenses and staying undetected on the network.
Drops today 🤷♂️
👀
That's my line! 
Is it better to do a CompTIA cert online or in person? I'm just booking Network+ and can't decide which option is better.
On the cert would it state whether I had done it online or in person?
Nope
Online it is then, ty.
Hi guys, can I get some advice on something please. I've been looking at certifications and courses and all sorts to get into cyber with a job once I leave the army. I found a company called RobustIT.co.uk, it seems legit, and was in one of the army magazines. Does anybody know if these things are any good? Or are they super overpriced? I have £2000 free money from the army for courses, so all this in the picture will only cost me £1000. If anyone has got any advice or opinion I'd love to hear it before I make any commitments. Feel free to PM me
CEH is a meme
MTA is an even bigger meme
I actually hold MTA in security (along with 2 others)
half an hour exam, you can google the questions, 100% multiple choice 😆
If you want to stay in military stuff and go into department of defence, CEH is good from what I've heard
but otherwise it's better to spend that £2000 on OSCP or something 😛
And I'm pretty sure the US DoD don't like hiring non citizens
this was my favorite CEH meme https://pbs.twimg.com/media/EeIWiwYU4AALVel?format=jpg&name=medium
hmmm ok, I am looking at leaving the military, thinking certifications will be easier for me to land my first job, maybe CEH isn't the one then? =/
OSCP is also a 4% pass rate on the first round...
although I know I do not hang out in here much, so someone will probably correct me
cough cough Ninja
Be expectant that you will need to be able to write a custom exploit to get full marks...
Is this a good path to choose, Network+ then Sec+ then Pentest+ then OSCP? Or should I sack Pentest+ and go straight for OSCP? Ideally I want Network+ so I can jump straight into an IT job and work towards the rest whilst working.
@flint yoke Where the heck did you get that statistic from? Given Offsec don't release it themselves 🤔
Yes that's a good start, but OSCP is VERY tough..
I understand it is very tough.
@undone shore Acquaintances with the Founders of OffSec...
Met them through a mutual friend and at their party at DefCon22-23
If you can provide some evidence to back it up I'd be willing to believe it; however, I personally know more people who passed first time than didn't 🤷♂️
Taking into account the fact I know relatively few people, at minimum it must be closer to 40%
By all accounts the exam is relatively luck based; you get a good set of boxes, or you don't, but I can't imagine it's anything like that low
Last time I talked to Mati was about 4-5 years ago, and that was the stat he gave me...
Well, perhaps 🤷♂️
If I get slaughtered on Monday I may be inclined to believe it, but having spoken to a fair deal of OSCP certified people, and done the PWK myself, I'd be inclined to take that with a pinch of salt if I were you
Tests may have changed in the intervening years, but that was the stat about 5 years ago... They may have gotten easier on people.
and again, that was said to be only the First time test taker percent, once you repeat, it's easier.
This is wrong
@flint yoke It is absolutely a higher success rate than 4%
You're saying for every $100,000 they make, only $4000 of people get OSCP?
The biggest takeaway that I can tell people is create a checklist and follow it, DO NOT go down rabbit holes too deep as they take time, make sure to try and cap as much of the infrastructure as you can, and document as much as you can while you're doing the work and don't think about "going back" to get images etc..
You think people would still pay to do it?
Don't think about going back to get screenshots?
Take Screens as you go...
You're not allowed to screen record for OSCP any more?
Most people I've talked to that have taken it either worked too hard to get a system they couldn't get and ran short of time to get others, or had not enough screenshots as they were working and had to take time at the end to go back and get some to cover the documentation requirements...
@warm hinge not sure, haven't taken it in 6 years...
@warm hinge No you're not allowed to record your screen
got it.
Used to be able to but changed I forgot where I read it
honestly, trying to get into cyber security is so confusing haha, so many certs. I know stuff like CompTIA A+ is VERY basic and I'd like to think I'd do that with my eyes closed, maybe I should look at going Network+ and Security+ then go from there, ideally tho I want to be able to start a job at around £35k a year, and I'm trying not to take a pay cut when I leave the army, I live 20mins from London so if it pays more in the city I don't mind working there
From what I've seen lately on LinkedIn, OSCP+(degree || experience) can net you that money quite easily on an entry level pentesting gig
35-40k was the one I saw most recently
think I'm just going to have to take the leap, just pick a few certs and go for it,
it's scary changing careers, I just hope it's easy enough to find a job
I don’t know differences in salaries between UK and US but I’ll say in the US, security pays very, very well
Network+ and Security+ good enough to land a half decent wage job?
I know I'm talking about money a lot, I've got 2 kids and a mortgage so it's kinda important I don't leave myself short
you need a bit more than that to land a security oriented role
I'd say it depends if you have a BS/BA or not, our entry level security people never have certs but they have a BS normally
But help desk is a good jumping point , I wouldn’t shun any entry level IT job even if it isn’t in security
Get your foot in the door, then build from there
That is my plan @pseudo creek
I've only seen entry level jobs around 18k a year, I won't be able to go that low 😦 wish I'd done this when I was young
@errant maple you could always take an entry level position and have a side gig to compensate?
yeah, that may be what I will have to do, I've got some thinking to do
honestly it's a bit easier around me to get jobs with certs alone as at least 90% of IT job listings around me name one of CompTIA's trifecta. People say the A+ is unnecessary but from personal experience it has led to a lot of foot-in-the-door opportunities. Def go for either Net+ or Sec+, they are very valuable. Maybe start with eJPT as well for a pentest/red team path. There's also some small certs you can get for free like some Splunk certs, Junos (Cisco competitor), Fortinet
tbh I like the cert path better bc my college degree sucks but it depends on your college opportunities as well
if you're just starting out in IT but don't have connections it's going to be really tough getting a good-paying job out of the gate, most people pay their dues on help-desk/technician roles
Who's paying 18k for entry to security? Haha
@marsh cosmos Not security but entry level IT jobs in the UK are around that. Entry level security would be low to mid 20s
For junior/entry level security positions?
in what country
What area?
I'm in Scotland and wages aren't that high for entry positions even in edinburgh and glasgow
Just searched for whole UK on Linkedin
It really depends on cost of living
Maybe London I would expect that. At least where I am that's not what people are being paid for entry security roles. I'm probably ignorant though
Even London I'd expect it to be higher than 35k
There’s one in London
Yeah that's a rip off
That might be low
That's the first I saw when I searched junior security engineer
Can you even pay bills with that?
Not in london if you don't live with your parents
In the rest of the Uk that's an okay entry level salary
Not really a graduate salary tho
That's what I was thinking
Okay I'm ignorant and underpaid it seems lmao
Well, there are better ways to find out
Back when I was looking for work I used to email low ball companies like that and say "good luck"
Their IT budget is probably horrible
i'm on double that with no degree and only ejpt/ccna 🤷
Experience?
did A levels then had a level 4 apprenticeship in network engineering which lasted a year before i was made redundant
So with a year of experience, interesting
I'm on 30k in Scotland. It's my first security job but I've got infra experience before that
2 years infra experience then moved into security
actually, the cv they had didn't even have my ejpt on it, just ccna
i think i applied for a few pentesting ones but none of them got back to me
That's london though. My viewpoint is definitely skewed because of where I live. Salaries are much higher there
LinkedIn fired a bunch of people lately. May explore other sites
Not sure how behind they are after that
I only use s1 jobs and linkedin really when job searching
reee
👀
@static tide
i remember seeing that and i swear i applied for it 🤔
can't see it on my applied jobs thingy tho
I found this on my travels, good if you are Welsh: https://www.indeed.co.uk/viewjob?jk=c12346772ebe7024&tk=1egmh63ljr8rq801&from=serp&vjs=3
Hey im in the US, have worked IT jobs in the past and looking to get a cert to break into the industry. Is the CEH cert the best route?
No on CEH, hard no.
As for what cert you need, check what postings say. Usually OSCP will get you in the door, but you might see other certifs asked for
why the hard pass on the CEH?
OSCP is the same thing just offered by Offensive Security.
No, it's not
That and the OSCP is full on a CTF thing and it requires a writeup analyzing your findings at the end
Iirc the CEH also just has a bunch of multiple choice questions
yep, 125 MC questions
what about comptia security plus?
it sounds like people in the industry don't care for CEH. Do they respect OSCP?
Sec+ isn't bad for entry level
If you really want to know why CEH is a meme, you should look it up.
OSCP is considered the baseline for Pentesting
damn just google OSCP memes then CEH memes

im not good at python - it's a prereq.
being good at python isn't required
Better than OSCP
Spooks
What is AD just contains "A waking nightmare that will crush your hopes and destroy your willpower" right?
Spooks if you ever need me to proofread, hmu
❤️ will keep that in mind
if you already have a good base knowledge in infosec why do you need a cert?
- To challenge yourself
- To validate your knowledge to yourself (and employers)
- To see what you know/don't know
- To get past HR
Because you're probably not going to know everything and earning a certif helps you learn things
Like if you somehow know more than the content the OSCP will present like 😅
that's true, it doesn't hurt to keep learning.
how is the training part, do they set you up for success?
i mean i know it's up to you to study
Success on the OSCP is up to the student
Most people fail the first time, figure out where they went wrong, ace it the second time
how much is it to retest?
$150 iirc
But there's a bunch of prep material beyond PWK
Don't limit yourself to just one source
Overflow all the buffers, hack all the things, drink all the coffee/booze/whatever
thanks guys i appreciate your help. Yeah there is so much out there it's hard carving a path, i get all ADD and jump from one thing to the next. Malware Analysis is starting to look like fun now.
I heard CMNatic has some really good content on that 👀
There is a lot of work in automating malware analysis, it seems many years ago a lot of it had to be manual but less so now unless you want to go into the research of it and create better tools.
Security in general will always need people though so try what seems to be fun, poke and prod, etc, etc
Has anyone here had difficulty finding an internship? Last night was at a class and half of the kids already had one. I’m a senior. I applied to some, got denied, then came the pandemic and my chances for finding one went out the window. I’m feeling so lost right now I could use some help. Last night I called my dad worrying and he’s making me apply to one internship a day and I hope it works out.
In the US, internships postings are August-November. Are you in the US?
I would search for large companies, which are the ones that are most likely going to maintain internships, and search for their college recruitment pages and you don't necessarily need a security company, I'd look at companies in general that span the technical arena
@native bane I’m also a senior and I find that creating a network within cyber security is by far the easiest way to get opportunities that you didn’t even think were possible thrown at you
Hi guys, im new to this. can somebody please tell me what the is about?
Could you elaborate please I don’t understand what you mean
You haven't heard of THE? It's the hot new ceritfication
OSCM is where it's at
Oh I didn’t know, I thought their sentence just got cut out without them realising
Infosec topics and career questions/postings @severe canyon
..... 😂
my legal name is jacob but i have never been called it, what do i put here
i realise this has nothing to do with infosec but is to do with my career 🤓
What's it for?
if it's official like a government doc put your full name
if it's something they're asking for like a preference put what you want
yea that seems official-y
Whatever name is on your driver's license / passport / birth certificate. @static tide
It asks for a different name as well
That's for when people have changed their legal name, either first or last, or have used a different last name due to marriage.
So if your previous legal name was James Bond, you might not get hired. 😄
Jake Bond, Jr.
They are likely doing a simple background check based on legal-name history. Standard stuff.
select * from blackhats where first-name = 'Jake' and last-name = 'Bond';
I feel like that’s not gonna be the actual query 🤓
you're right
they use camel case rather than a hyphen separated case
select * from blackhats where first_name = 'Jake' and last_name = 'Bond';
SELECT * FROM blackhats WHERE first_name = 'Jake' AND last_name = 'Bond';
Plz caps for keywords

How hard is OSCP? (im asking this because i am going to try working towards it)
Background: CyberSec student, I want to fully commit to pentesting, Doing THM now since about 8 days, doing an ethical hacking and cyber Associate degree and it works out
did some SOC (little bit) and firewall management
apart from that a bit of admin stuff mostly linux
let me know even if it's way out of my league, you can DM or ping ofc.
@warm hinge If you ask me late on Tuesday or on Wednesday, I'll tell you how it went for me (without specifics)
Sure! i will, thanks
There are also a good few people around who already have it, so feel free to ask if they show up 🙂
Monday
Goodluck!
Thanks 🙂
i would tell you but i didn't even get a foothold on 3 of the boxes 
i'm inclined to believe i got a hard pool of boxes to make myself feel better about it 😅
You're filling me with confidence here @static tide
you're better at this than me you'll do a lot better 
Aw, I doubt that ♥️
I'm hoping for easy boxes
are we allowed to say what boxes we got (as in just like the software running on it) with other people who have taken the exam?
to see if we had the same ones
Probably not officially
Also, I just tried to use eternal romance and forgot to set a port for netcat in the exploit, so.....
ahaha that always happens
a lot of the time i do LPORT 1234 and it takes me hours to see i forgot an =
I think my view of OSCP is slightly skewed because everyone I know of in my company who has it was doing pentesting/red teaming for years prior to getting it but you hear stories here and other places that people are using it to break into the biz
Good morning all
wave
For me it was more a "i don't know what to aim for so why not OSCP"
If you're unsure then something like eJPT might be a good idea first
A lot of people go for that as prep
It's an elearn cert
https://www.elearnsecurity.com/certification/ejpt/ nvm found it
elearn something or other
Ow that looks good
Download the free syllabus on their site to review the table of contents of the course.
Each course they have has a free syllabus PDF.
I think they're still 35% off this month.
I have a literal 3 days to think about it for the 35% offer 🙃
tick-tock, time goes off the clock.
lol
They'll probably have an equally-good discount in November/December
Ah chill. I think ill wait a little
School is getting and all
ESWAT i see you have the eJPT, Did you like it/did it help?
I got the barebones package (free) + paid for the cert exam attempt. I liked it, solidified some of the random h4x0r stuff you do on platforms like HTB but don't know how to actually tie it to professional work
But I also don't think the course itself is worth money, unless you’re starting completely from ground zero (no IT experience, or don't play around with platforms like HTB/THM). You can do the free Barebones course and decide whether you want to go for the cert or not
Ah, so it's worth it as long as you take the free self-study course
An exam costs about 200 (i think, i read it quickly)
Can you just take the exam ? without getting the course
I also see the Full/Elite course is lower than what I remembered when I took it, so that might be a factor too. In the end those course upgrades give you labs + PDFs and cert attempts, so you have to ask yourself if you can engage with the material enough without them or not
Yeah you can take any eLS exam without the course
If you take PTS Barebones I believe they email you a coupon later on to reduce the eJPT exam cost… can't remember by how much (or if they still do that)
I guess. You just get the slides. No labs or downloadable PDF
No problem
@warm hinge discount is till 30th September THM-035
@midnight sparrow yes I guess, it is 200$ for exam voucher
Hello everyone, hope you all are doing good. I just wanted to know: I got the barebones edition of eJPT. If I don't take labs and instead practice on TryHackMe, would it be good enough to pass the exam?
@slender basalt
Appreciate it, thanks
@lofty apex Depending on your background THM might not be enough. If you stumble on a topic be willing to Google and dive into other technical resources as well.
That being said, yeah you can get pretty far with THM with the walkthrough rooms
@meager hazel Okay. Thanks man for your feedback
For anyone who has gone through the eLearnSecurity Certified Professional Penetration Tester (eCPPTv2) exam, are buffer overflows part of the exam?
@lofty apex pulled the trigger and purchased the elite package
It’s available for $343 USD
Is it worth collecting the eJPT cert if I am aiming for OSCP?
@regal orchid eJPT is a great cert if you are a beginner in the field of hacking. However, if you've done a bunch of THM and/or HTB then I'd suggest skipping to eCPPT (the next level). My personal plan is eJPT -> eCPPT -> OSCP
I got my eJPT a few months back and am currently working on my eCPPT. Would highly recommend eJPT
I'd do the eJPT cert for intrinsic motivation, to get a sense of what PWK/OSCP will be like, and if you can use it as evidence for initiative/passion for the field during an interview. On its own it won't do much in terms of getting through the HR filter
Hey i heard starting a website/portfolio is a good thing to do while on my learning path.
What are people's recommendations in terms of hosting and how to start one?
Should i use GitHub Pages, a static site generator, or maybe host it on a VPS?
I can use html, css, javascript, just wanted to know what are some good options i could use to get my page out there.
I use Netlify personally, free hosting.
Oh i have heard of netlify! i will look into it.
Thanks @quick forum
I like free
free is good
You can use your own domain with it
But obviously you have to pay for the domain with whomever
Would you say personal blog, portfolio is a good idea? putting write ups, accomplishments, blog posts on it?
To show potential employers.
Yeah i will just grab a cheap domain from namecheap or something
Yes to everything.
also github is one way to get out there
Like having your own repo @pseudo creek
I think it's almost an expectation to have a blog/portfolio/github at this point.
@warm hinge yup, you can put all sorts of info, also look at gists.github.com
Personally, I don't have any public portfolio other than linkedin but, thats just because I'm not actively looking nor plan to, I do have a small github but I don't advertise it and only has a few personal projects on there
although who knows what the economy is going to look like by the end of the year/early next year, my job could theoretically tank
Ok perfect thanks for all the advice im going to setup a github and a website i think and link them together.
100000x recommend it @warm hinge
Yeah as other people have suggested, there’s a few free ways to do it I.e. GitHub pages
Very good things to bring up in interviews + the whole “self branding” thing in infosec
@quasi stream Awesome! im doing it right now!
If you want / need a hand getting something setup, I don’t mind sitting down with you and helping out if needs be
Although granted it’s 6.30AM I should probably go to bed 
DMs are open and I’ll get to it when I wake up if you need!
@quasi stream That would be amazing! im just thinking of the best way to host.
Free would be good....But i want to be able to migrate away if need be to somewhere else (In terms of hosting)
Im thinking just a basic static site possibly and then move up from there later on
Really appreciate it 👍
For sure! Static site generators like Hugo and Jekyll are really easy to get started, you can upload to GitHub so you have version control, hosting AND backups all for free
Static site generators essentially turn text you write in Markdown into HTML so it’s very easy to move about
Best of luck (: would love a read through when you get setup - always looking for new bookmarks 😁
if you need help blogging I have an 11k words personal note on everything I know :)
Hey guys! I've been new to THM (2 months now) and I feel like I cannot get through a room without looking at the writeup. Is this normal in the beginning or should I always try never to look at the writeup?
I've had theoretical knowledge about networks and security before THM, but I feel like this takes practice and time. I understand that pentesting is something that does not come easy, but I would love to hear opinions/advice on how you think I should proceed to make the most out of the situation.
The goal is to always try harder. It took me quite a while and lots of rooms before I started not looking at writeups; sometimes I still look at them when I get stuck, it's completely normal
Do you think getting into a pentesting job is too ambitious with only 9 months of hands on?