#cyber-and-careers
@worn nebula dark made a good video that's worth checking out https://www.youtube.com/watch?v=BN_H6BYBJnE
Ok
also this guy made a really nice interactive chart
https://pauljerimy.com/security-certification-roadmap/
I would take it with a great grain of salt
^
I got my eJPT recently and will always vouch for it as a beginner cert if you can afford it, arguably you could learn the equivalent knowledge and skills with a tryhackme membership and the offensive pentesting learning path, but the structured approach of PTS coupled with some networking bits really make it worth it imo, plus a checked box for hiring purposes
Sec+ -> PenTestStudent (Course materials are free) -> eCPPT -> OSCP -> Let your employer pay for anything else
@languid hearth that would be nice, but who's going to be paying before I get employed? 😛
Anything wrong with 1.5 months preparation (THM & HTB) before diving into the OSCP labs for 60 days?
@wise grove what do you mean??
hello i am going to start studying it and telecommunications but i also want to work in SC field is there a master that could help with the IT and Telecommunications degree that i am going to get?
@cosmic ingot Well that's my plan, always happy to have some feedback 🙂
@wise grove of course it can't hurt, you're only going to be somewhat better prepared. I wasn't sure if I understood the question at first
Alright, I was actually thinking that I'd be underprepared since people were talking about getting X certs before going for their OSCP. I guess not all certs help with the last big one?
Was starting to get a bit anxious hehe, this OSCP exam has got me a little spooked
There are too many variables to determine one single best path for everyone. Essentially you must make your own, depending on your skills, how much money you have, how much time you have, etc. Generally, OSCP is an entry level cert so you don't need to get any other cert before it. There are certs that could help (by helping you build the skillset and the mindset), but if you want to go straight for the OSCP, you can. If you're stressed out about it, think of it as a grind. You might need to invest time and work hard, but you can get there. THM/ HTB etc are only going to help. Plus I've heard OSCP's study guide is great.
Thanks for that, I agree. I've also heard the same about the study guide and am certainly looking forward to going through it. Never knowing when is the right time to jump into the OSCP course is a bit stressful though, certainly with the amount of money involved. I'm sure it'll all clear up when I've actually started it, then it's all about that grind and making sure I'm ready.
Don't expect to feel ready, just work hard 😉
@wise grove the exam is, unfortunately, rather luck based in that they select boxes from a pool at random, and not all of them are the same difficulty. I've heard people who've taken the exam and said that it's easier than the lab boxes, and I've also heard people go through it and find it harder than anything they've seen or practiced with.
My advice would be to cram as much knowledge about different things as possible. You never know if you will need it.
so it's almost like that one annoying professor
I didn't know this about the random boxes from a pool, ty
@undone shore I'd have hoped it would be at least a partially controlled selection (some easier & some harder boxes)..
I guess I'll find out soon enough.(Will be keeping $150 on the side though, just in case)
Two of my friends at my college. Went straight to oscp skipped other cert. They both passed. No point of getting other cert if you know you will do pen test. It is like you skip associate and went straight for bachelor degree.
Im also doing that track as well.

not true lmao
there's this thing called a foundation
you don't build a foundation on toothpicks (which is what they did)
well they got job as pen tester while at school after snagged the oscp.
hey :) ... quick question what cert do i need to get job as a Pentester ? only OSCP/PWK or some other stuff ?
I would recommend at looking at spooks blog on certs https://blog.spookysec.net/certifications/
@jovial crown when you do pen testing interview, they will throw you in a lab room. Similarly to those pen testing room. OSCP Is enough
not necessarily
OSCP is far from the be-all-end-all. It's an entry level certification, and it gives you nothing in the way of foundational knowledge. A pentester who bases all of their skill on the PWK is in for a nasty shock, sooner or later
100% not true
And that's assuming, of course, that you get a job as a pentester. There are a plethora of different infosec jobs available
I've been through red team interviews and I was never asked to touch a keyboard.
this is at fortune 500s as well :L
Crowe and Amazon did that
Example of nasty shock: You get asked in an interview how the OSI and TCP/IP models work. You don't have a clue
@polar rock ok thx i will read the Blog 😁
You get asked about low level computer architecture, you don't have a clue
You get asked about a memory exploitation attack that isn't a stack based BoF on x86 Windows, you don't have a clue
every company I have interviewed at has asked more fundamental questions because those are the things that matter
Heap!
if you can't tell me how ARP requests work, you shouldn't be performing anything that involves poisoning
well one of our alumni, work as amazon for pen right now. He held OSCP OSCE, a master that it :p
There is network class in college for that 💀
Exactly. You need some kind of foundational stuff.
Doesn't matter where it comes from, but OSCP itself will not be enough
It's the knowledge that matters
Not the piece of paper
not everyone goes to college
PWK is superb for that, yes, but there is plenty more to learn
Many people have literally no formal education in cyber, no certs, and they still get jobs
Why? Because they know what they're talking about
pwk is nowhere near satisfactory for teaching red team ops kekw
lmao
^^ it's entry-level, and marketed as such
the criticality of AD is missed almost entirely
In fairness, the new AD stuff is pretty good, although perhaps more of an emphasis could be placed on it
PWK/OSCP is honestly nothing more than a CTF cert tbh
but i do not think the cert and degree landed him the job at amazon though. His 3 CVEs did
😂
whoever referred him did :L
you don't get interviews at amazon without knowing someone
doubt
referrals are needed at Amazon to get your resume looked at
they can afford to throw away as many candidates as they want/need to
as I said before, you need to know someone to get hired at Amazon
or an impressive portfolio. But might be referred though. I don't know his background, but do know he published many CVEs.
let alone have your resume looked at
lmao you said his oscp got him a job without mentioning his cves, osce, oswe dear god
naw
that guy
is older alumni
but he did get job at regular firm
while at school
This is after like 5 6 years after graduated, he worked for multiple firms before land job at amazon.
I know the U.S. hiring market very well, it's garbage.
and I've never interviewed with Amazon, but I do get pinged by a recruiter from there every couple months, I'm not sure I'd say you don't get an interview without knowing someone, maybe as an entry level
mine are security, the recruiters have been especially active the last few months, but entry level is hard wherever you are
I remember seeing one video where an Amazon VP was saying they scout out people on LinkedIn for interviews at higher positions, resume is optional
i've heard their work/life balance is non-existent though, a coworker I had quite a few years ago went to work for them, worked there for like a year, then tried to come back to our company and couldn't
Yeah heard that as well. Like even if you don't work much above the 40 hours you'll likely still be thinking about work at least
Guys are there any certifications with practical approach but for free or less costly.
from a practical typically no just due to the fact of lab costs however THM, HTB, TCM and Tibs course on Udemy, eJPT
Getting a job is like getting your first credit card. It is so hard to get the first one, and once you have it, you get bombarded by offers to get another one. 🤣
eJPT is probably the cheapest certification (distinction from the Udemy stuff… which are just course certificates of completion… not as valuable in the large scheme of things): get PTS Barebones course for free and I think they still send you a coupon to knock some of the price off an eJPT exam attempt
There’s also splunk fundamentals 1 which is free and very good and it’s 150 for the exam
@pseudo creek if you're not actively being sought-after by Amazon's recruiters, and you're fresh out of college, you stand no chance.
I've got several guys at Amazon telling me that (and I've applied for various positions ranging from Network Engineer to PenTester)
my friend just got a grad offer from amazon with no connections 🤷♂️
@static tide did they apply directly or did a recruiter reach out to them, either directly or through a school program?
uh not sure i can ask
the only difference in my qualifications from now to back then was a W.I.P associates, vs a complete associates and CEH, but we all know thats a meme
and, you know, give or take a years worth of experience
My CEH expired today.
I'm no longer a hacker.
I'm a fraud.
RIP my career.
exactly 
When your CEH expires, you get fired on the spot. 🤣
A great book to read that I recommend, is a critique on what/why is broken in the security industry; Unsecurity: Information security is failing, by Evan Francen.
This?
Can anyone suggest me a good college for masters in Cybersecurity in US
From a recruiter of mine if everyone is interested i can push you guys forward:
Oh thank you! I actually have two app security engineer roles currently (one senior, one junior/associate), 2 lead cloud security engineer positions, a Head of Development, senior information security analyst role and a principal security analyst!
Quite a bit going on at the moment but all of my other roles are US based or based in Europe.
Let me know if it's of interest for anyone
(Jobs are London,UK based mostly)
@polar scaffold looks up top computer science university in US. They usually win hacking competition most of the times.
What's a "principal" sec analyst?
the main person that deals with something
something like a specialist
@sinful holly ^
gotcha. don't have the experience for that then haha
there are like a few other roles in between lol
Job titles are horrendously inconsistent and can mean varying different things. Principal can mean: Lead Analyst, or Senior Analyst, or Security Architect, etc.. @sinful holly
Yeah it depends, principal at my company means highest tech position you can be, I’m 1 below principal with goal in about 5 years to be principal but maybe sooner
At my company that would be either consultant or architect. Since I have a masters but no experience, I’d probably only land an entry position. App sec isn’t my thing though.
I've been looking for entry level Soc analyst positions haven't landed any yet but if anyone has some leads or something would appreciate
@polar scaffold Carnegie Mellon University has some prestigious security programs for graduate students. I am currently at the program at Heinz college called information security policy and management. It is more management focused while the engineering school is more technical.
https://www.heinz.cmu.edu/programs/information-security-policy-management-master/
@full violet im planning to go there or ga tech after graduate. May I know your background?
I've heard great things about GA tech. I don't think you would regret either. As far as my background goes, I graduated from Weber State in Management Information Systems. While in my undergrad I attended the IT lab: Summer Security Intensive that Heinz college offers. As far as experience though I worked customer service at Home Depot for 5 or so years during my undergrad. GPA was about a 3.5 and 149 on grammar and 151 on math for the GRE. I hope that helps. Let me know if you wanted to know something specific about my background.
Also if you want in at Heinz, the IT Lab is a great way to spend the summer to get your foot in the door.
that sound really great
@full violet do you have any prior security experience before went to IT lab?
Looking for a little guidance, been in IT for 3'ish years, just started a new role as a SIM moving away from Help Desk. Thought it was appropriate to start the cert journey.
Goal is to land a role as a SOC analyst/Junior Pentester. Does this track make sense: sec+ > eJPT > CEH [maybe] > Pentest+ > oscp
We had a related discussion about that path a few days ago. The gist: that path sounds fine, though you can probably do OSCP earlier depending on your comfort level with the topics
Also if you do decide to stick in SOC then CySa+ might make more sense than Pentest+
Related convo starts here https://discordapp.com/channels/521382216299839518/707992725646999553/761265628916219964
oh nice, thanks @meager hazel, was just reading through Supūkī's pinned 'cert talk' message, super helpful. I appreciate the heads up!
what is the usual salary track for infosys/pentesters? curious here as their skills are pretty awesome, but wondering how career progressions work
It depends where you live and depends where/how you work. Independent pen testers can make a lot of money but you have to build up clientele.
But I will say that Cyber is one of the better paid IT careers in the US
This can give you a general idea on the numbers, this is US-focused https://www.cyberseek.org/pathway.html
Explore the key jobs within cybersecurity, common transition opportunities between them, and detailed information about the salaries, credentials, and skillsets associated with each role
@full violet thank you. Will check it out. Although I think CMU is difficult for me to get into :/
@loud marsh thanks for the reply. Will google and look it up
Working on starting a sec blog to document my learning path, bug bounty stuff, etc. Anybody have any recommendations? Was looking at using bluehost with minimal WP plug-ins, just looking to make it simple and clean, looking for advice. First time setting up a website as well. *not sure if this is the right group to ask this in either
Hey @halcyon ice , I'm also looking to do the same thing. I've been thinking about self-hosting something with Ghost (https://github.com/TryGhost/Ghost).
My main concerns are security & speed , some of the things other people use are just sooo slooooow!
(Also not sure this is the right channel for this, perhaps infosec-general would be more fitting?)
Easy way IMHO is to just make a static blog on GitHub pages using jekyll (or another static site generator like hugo)
You don't want to worry about setting up a server or keeping your blog install up-to-date
I didn't think of that, looking now, thanks!
@halcyon ice Don't use Bluehost that's a very bad idea -- they are very toxic (but not as toxic as medium).
Ghost is amazing, I love Ghost 😄
Visiting medium for writeups is the main reason for my obsession with speed 
Oh don't worry, if you wrote on Medium speed is the least of your worries 😆
This can give you a general idea on the numbers, this is US-focused https://www.cyberseek.org/pathway.html
I had seen this before, didn't realize it gave salary estimates. I would say that the salaries seem a little low but considering its across geographical areas and is an average, is probably a decent estimate
it was still helpful-- thanks! I'll probably just stick to my current career but learn infosec skills anyway for fun
it is fun 🙂
although kind of weird that they list CISA as a cert in job listings, I've never seen CISA on a job listing or Security+ (as someone who has been mostly in the Security Engineering/Architect role)
@gothic_butterfly I had the same thought before applying but I would definitely recommend applying. It's free to apply and worst thing that happens is they say no. UTSA also has a good and well ranked cyber program and Idaho State as well. So there are quite a few options. WGU has one too but not sure how good it is or not
@loud marsh no i didn't have any security experience prior to the IT LAB.
@loud marsh kind of. So the IT Lab is basically an intro/interview to their masters program. They pay for your living and give you a stimulus. During the 8 or so weeks you take 3 courses (database security, ethical pen testing, and intro to info sec). You also select one of their provided projects with a local company. This project is similar to the actual masters capstone. My project was conducting a vulnerability assessment with a local non profit. You are of course partnered with a faculty member.
But during the time you can see if you like their program and if they like you
that is a lot of pros 🤔
The program director teaches the intro to info sec class
Oh yeah it was an awesome experience. They even do Friday activities like bowling and canoeing and stuff like that so you can get a feel for Pittsburgh
I do believe you have a year left in school, similar to other internships
Oh and if you do come back for their masters then you get 50% off tuition
I see CISA a lot in generalist cybersecurity roles for Big 4, like this one I got from EY for a Red Team Specialist: Possession/working towards the following certifications CISSP, CISA CISM, OSCP, GPEN, GWAPT
That makes sense that they would want auditor, I never look at consulting firm job listings myself so maybe why I don’t see them
Mind explaining why you're skipping all of the consulting firms @pseudo creek?
my friend got an offer at consulting firm. He denied it and told me it too much control. They want him to work 55 hours a week
Another one got a job at Crowe then quit within 1 month
when you're on salary, your time belongs to your company kekw
@wise grove I don’t want a consultant type job, I rather work for a company doing their internal security. I also have zero desire for travel at this point
I'm an internal security consultant so I get the best/worst of both 🙂
well part of my job is kind of that, but less so these days than previous years but I think it all being internal is a good thing
Guys I really want to learn ethical hacking. I’m a CS student, what source is best to learn?
And could you please provide some websites for easy pentest-machines?
Appreciate it 🙂
Tryhackme?
how important would you guys say knowing sed is in your dayjobs?
its nice to know
Hi , i will start a career in IT and i have choice to go to dev/programming field or networking. Do you know guys which one would be the best if I want to do self taught pentest and security at the same time, for be able to go to this field later ? Thanks
I find ex-developers make better pentesters personally.
if I choose to start as a web developer it's a good option or any kind of developing would be better? And what part of the networking/sysadmin I will need to focus to have enough knowledge?
Any development path will help buddy. Developers tend to be good problem solvers which is a key aspect to being a good pentester/security professional.
Ok thanks 🙂
Just get stuck in, get the experience and keep learning 🙂
I like my development work that I do alongside the pentest and sec stuff
Especially because I create rooms, but I feel like coming from Dev gave me the right mindset and some decent skills
on the other hand, not pentesting but I find networking knowledge is important for security, it is one area where people seem to struggle a lot (I'm not a pen tester and don't plan to be one so if that is your specific goal vs general security, I can't say)
yes but i don't want be wrong and wasting time by going into the wrong path^^. I know some basic stuff in both (more in programming) but i can see sometimes my lack in network skills...
I don't think there is a wrong path
Web development is a good choice, especially if can build something small and take it to deploying it on a server yourself. You'd need some sysadmin or cloud knowledge along the way and that will help
Make sense, thanks a lot
it seems like many of the skills learned in these rooms are useful no matter what tech career you're in
i'm a data scientist, but knowing some networking/pentesting is pretty nice when trying to set up ML infrastructure in the cloud
maybe there are differences in terms of job opportunities or ease to do the swap between those?
leveled!
So is web development necessary for becoming a pentester or a plus point ?
no but an understanding of web applications is critical since web applications are everywhere
@pseudo creek oh okay
Oh wow that’s interesting
What if I have no knowledge of anything and you don’t know where to start? Where could I learn the basics?
@rugged sable
@quick forum
ive been told that doing my cpsa and then crt to be able to get my check team member and be able to get SC was a good path to be able to become a pentester, can someone confirm or add any insight if possible
Do any of you add the cert badges in your cv? If yes, can you post an anonymized screenshot so I can get an idea of what it should look like?
No free certs, really but there are a handful of courses that provide certificates of completion that are well put together and will make you stand out
I'm wanting to grow more in social engineering, are there any courses that you can think of?
no lol
you get that from experience
you can crack open the Art/Science of Human Hacking
but other than that, you pretty much just gotta do
cool, I come from a magician based background, so I know a bit about se already.
The Art of Misdirection 😄
Isn't OhSINT kinda around social engineering? I thought so anyways...
No
OSINT should NOT involve social engineering
OSINT is just publicly available information.
SE requires interaction
Ok, I agree technically with that, just kinda the closest I have experienced so far on the platform but I am new so...
OhSINT is entirely OSINT
Sounds good, TY!
I just got my security+ ce certification, is the next best step for a security career to get a job as a junior system administrator, junior IT administrator, or help desk position? Or should I try and get more certifications? Trying to switch into IT so no real job experience.
MCSA and or CCNA would be good picks
also, lab all the things
build an AD Lab, add it to your portfolio
create multimaster environments
set up sites, dhcp, etc.
ty
@tawny eagle Could you share some experience? Did you purchase any book ?
Thank you
I did not, I used Professor messer’s YouTube videos for general education, a free app on iOS, and then more YouTube videos to clarify different topics
Hi all
Professor Messer's best
I think that to start the path beginners is interesting to have a solid base but to work as a pentest junior is it enough? Is it necessary to do after the path OSCP or Pentest+ as well and then to pass one of two certifications but would I have enough competence to pass it as well? Do you have any advice? Have any of you done this?
Sorry I need information please
You probably should start with the CompTIA triad (Sec+,Net+,A+) and more foundational certifications before trying to break out into pentesting, feasibly as a pentester you should at least have the same level of knowledge as a helpdesk technician as a pre-requisite, know how to deploy and troubleshoot basic computer systems before breaking them
I'm helpdesk technician yet
@ancient prairie
I have as a pre-requirement since for several years, I had done a CCNA training but I failed the certification, I don't know if it is necessary to do the sec+. What do you think?
I don't work as a pentester but I would consider CCNA to be pretty crucial considering you will encounter a lot of Cisco devices in the real-world, probably not absolutely necessary for pentesting but CCNA is an entry-level network certification
CCNA would be closer to Net+ than Sec+ so I def wouldn't consider CCNA to be a pre-req
Is the ceh any good
that's a tricky question, it more depends if job listings in your area/country ask for it or not
ok thanks for your answers but what do you think about the path of Tryhackme if I already have prerequisites but not in pentest, can this be an opportunity for a junior pentest or not?
if I do the path beginners
They, uh, aren't really equivalent...
ok
Over here, it's a cert+(xp||bsc)
get xp, level up
@quick forum what is bsc ?
I wouldn't worry about certification choice at all in the beginning. Focus on courseware, both theoretical foundational courses, and hands-on practical skillset acquisition through a platform like THM.
@pseudo creek yes but for a beginner it's not simple so yes I think it's necessary to have certifications to help but it doesn't replace the experience but if you're motivated, you have certifications like OSCP and before maybe dry+, you make boxes on Tryhackme, HTB I think it can go through
@distant pier +1
sorry I was trying to amuse myself, not entirely trying to be helpful 🙂 also something to consider is that entry level security jobs are rare, IT jobs less rare and IT experience can help you get into security
I think I could play on it then because I have experience in IT helpdesk.
yup that helps
Thanks to all for the advice, very practical and important.
@languid hearth ^
Has anyone started and completed the CompTIA CASP+ exam?
Good evening everyone, I am just starting my IT career and plan on taking the A+ exam and getting my first job, my goal is to enter the cyber security field as a white hat hacker. Could you guys offer any advice?
Currently on the same path as you, be prepared to take a job as help desk first before getting into security, it's hard to break into that field if you don't have real experience (like me)
And for A+ specific advice, get Professor Messers notes and also DionTraining on udemy has good practice tests and explains the PBQs pretty well
Also skip the PBQs in the exam at first and do them last, the wording for some questions is tricky by design so make sure you are carefully reading the questions as well.
appreciate it 🛐
I’m a cs major with A+, N+, S+, and the CCNA looking to get a security internship - I’ve applied to 60, rejected by 10 and ghosted by the other 50. What are some things I can do to increase my odds?
try getting a different position and work your way up from there, im thinking jobs are more in demand than internships rn, or just keep applying, maybe even show up to where u want a job and try to network in person
not much. I applied to over 400 +/- jobs and got 4 interviews
nate are you in the US? and US citizen? If so, I'd apply to some of the defense contractors
I am and I’ll take a look at it
I’ve just been going through every linkedin post and applying to those so far
I would go directly to large company websites, search for 'college recruiting <company name>', lots of times they won't advertise their internships
Any feedback on resume summary appreciated.
Well, too long was my first thought
- get rid of fillers where it's expected every employee should have those qualities (reliable, adaptable, has communication skills, etc.)
I also don't get a sense of what you actually do or what kind of job you're looking for
first thing i saw was 200...... on the left
I agree with ESWAT, the summary should explain exactly what makes you stand out as a candidate, and align it with the job that you're applying for. It does not have any job specific terms in it related to Security.
Hi guys, I saw earlier in the chat talks about OSCP; but from what I understand you need to be 18 to do it (I just turned 17). I've heard that it's better than the ECPPT (the other course im considering, which you can do at my age). I dont really think I can do both, so I wanted to know if anyone can elaborate a bit about those courses, is it worth waiting a year for the OSCP, or should I be looking at something else?
Thanks a lot
OSCP is widely considered to be the gateway cert. It's the most respected entry-level certification. eCPPT is gaining traction though, and it's up for debate which is actually better
If you only have money to do one, I would suggest doing OSCP, given the boost it will give you (theoretically) for job hunting. I haven't done PPT, but I have done the PWK, and can say that it is pretty dang good
@stoic lotus I'm also studying for a+. That's a whole lot of useless information, in my opinion.
Like who really needs to know the physical components of a printer
@undone shore Ah, I understand. Thanks.
Be aware though that it's not just a case of going out and getting them -- the OSCP is tough (and very luck based as well), so either way, make sure you're well and ready before throwing money at them 🙂
Yea, I went over the syllabus and I feel like I know most of the topics well already
@clever iron you can take it at 17 but only with explicit exception, it can be a bit annoying
How does that work?
You basically have to get in contact with an offensive security advisor and discuss
I mean
You have to prove that you know what you’re doing and actually want to take it
I’ve heard stories of offsec just being like nah
Does sound like Offsec, to be fair
At your age
Unless you absolutely know this is the path you want I would just stay with ecppt
Note this is coming from another 17 year old
(There will be time later to expand the repertoire either way)
And job opportunities that will pay for things
I guess ill try for the OSCP and if they dont allow it ill go to the eCPPT
Take for example dark star he got a very nice pen testing job without oscp and they paid for it I would say where but I don’t know exactly what his stance is on what he can and can’t say rn
IMO ecppt will teach you a lot more but oscp will give you an edge in the job market
Good feedback
Of course, I just would rather get a headstart with a course, I feel like if its a good thing to have under your belt
Bear in mind that neither of us (Me or Cry) have done eCPPT, however, from what others have been saying, there's a good chance that it will contain more in the way of knowledge
^
And by all accounts, the Hera labs provided by eLearn are second to none
I’ve taken eJPT and am working on eTHP I can say both are jam packed with info
so ecppt I assume is the same
The PWK lab machines are good if you like being thrown in at the deep end. I learnt a lot from them, but Hera is guided
Why do you not have that role Cry?
Ah, fair enough
Yea, I guess my problem is I dont really know how good (relatively) my knowledge in cyber sec is, I find it hard to tell unless youre part of an environment of pentesters.
so OSCP comes with pwk course material so it will teach you all you need to know from what I understand, it just depends if you are able to apply and understand their format
The other thing about OSCP is that the machines are picked straight from a pool -- there's no guarantee of a standard level of difficulty. Trust me, if you get hit with all hard ones, it makes you re-evaluate how good you are
I'm not sure I agree with that one anymore (Cry), to be honest
Again I think the RNG element is a scheme for retake money
The PWK material teaches you everything you need for the PWK lab boxes -- no doubt about that
And from speaking to many other people who passed already, it sounds like it can be all you need for the exam
But I can tell you with absolute assurance that PWK was not even half the preparation you'd need to take on the ones I saw
ITS ALL A CONSPIRACY THEORY!
That's something you definitely wouldn't get with eCPPT
Is it worth doing the extra points for the writeups?
I didn't, and to be honest, I stand by that opinion
If you're five points away from passing then something has already gone wrong
The questions start off Ok, but get increasingly time consuming the further through you go
By chapter 18 or so, you could write several pages as an answer, and still not be sure that it's "complete" enough -- the questions are open ended by that stage
And of course, if you fail to answer even one of them, well, no extra points for you
😄
Yea thats what I thought lol
Your lab time is ticking down, while you answer these, by the way
The longer you spend on the course material, the less time you have in the labs
Better to go do them, than waste time answering questions which aren't even guaranteed points
Got it. Thanks a lot
Easy peasy. 😄
Np 👍
If Muir doesn't pass the 2nd attempt, he has to eat a 28oz Porterhouse. That will put on the pressure.
With a nice whisky pairing
😋
I was in the same mindset as Muir. It's a risk to not do the PWK report. But if my success hinges on 5 points, I probably should have done something else to prepare instead of spending all that time on it.
It's nothing more than a carrot on a stick.
Have any of you guys done SSCP?
what's the first thing i should learn to improve my hacking skills
Sign up to TryHackMe.
Thanks!
Once signed up, do the rooms on the Dashboard: https://tryhackme.com/dashboard
Some really good feedback on here folks, great help 👍
Hi! sorry to bother! So I just passed eJPT exam. I wanted to ask that did you take OSCP after the eJPT or how long have you studied for OSCP
Yup, I took Security+ and eJPT a week between each other and started PWK/OSCP a month after
But I have a web dev background and had been doing some HTB and other stuff before I started PWK, so was somewhat confident already
i see
~5 months? I started early Oct and got certified early Feb
Nah, pre-2020
ohhhh i see
did you follow the TJNullz path?
or what kind of path should i follow? haha
I think it took me about 2 weeks to go through the PDF… would have probably taken longer with the new material
yeah
I am thinking I should follow the TJNullz path on OSCP and purchase the course
along with the exam
Yeah I saw that OSCP-like list for HTB and did some of those. Before I started the exam I rooted 15 HTB machines, completed 66% of the THM offensive path and rooted 3 PWK machines (too much stuff going on when I started the course/lab)
I see
Yeah that seems like the standard way to go about it: purchase the course but add supplemental material as you need them
I am a little confused about OSCP
so like, I can purchase the pdf and labs
what is that 30 days lab mean
means the labs are available to me for a total of 30*24 hours?
Yup
and the materials are pdfs which I can hold on to it forever?
Yup
But keep in mind you get the PDF and labs at the same time, so the time you spend reading the PDF initially is time eating away at your lab time (you can't get the PDF before the lab time starts)
You also get videos. They made the PDF and videos so that you can consume one or the other and you should still get roughly the same content (little difference in content, just different medium)
Nice, best of luck when you go for it 🙂
yes sir! thank you so much!
Hey guy, I am a beginner, where do you guys suggest me to start from in tryhackme?
A free guided path for beginners on TryHackMe.com
Wow! So cool that there's an official listing of that. Thanks for sharing, @rugged sable
Its the last year of my School and i was wondering about the Course i should take up in college, thoughts?
@midnight jacinth US or the UK?
Live in neither of em, but prefer UK
Where do you live?
lmaoo
Well
I don't know if college is different to what it is in the UK but I took up computer science.
I would really prefer not studying here, so i am currently looking for scholarships
Where would you like to study?
Well my English and maths was not the best so I got put in the lowest level course, level 1. I like being there but everything is too easy for me. It's things like "Make a guide on how to turn a computer on and off". I'm only doing it for my qualifications and then I plan to go to university and I plan to get a job with BAE Systems.
It all depends on what you want to do when you're older. As im on that point, what do you want to do when you're older?
Thats what I plan to do. Computer science goes over network and security ETC but it doesn't go fully in depth with it. You can always do Computer Science and after you have finished with college and got them qualifications you can go to a university and do a certain IT subject.
Might be a good idea to have a small plan, find a college and a course you like and see what topics it goes over.
You're welcome.
hi
Im new here
im currently a BE developer in python django. im moving to cyber security
can anyone tell me what should i start with?
i know basics of networking
should i take ec-council's CEH course?
no
ah, so i should learn basic stuff like footprinting, scanning, system hacking and all
and then go for oscp course
just wanted to know if CEH certification is worth paying or not
Honestly, if you know you want to go the certification route, I would go eJPT since it’s free and cheap for the exam
it's not worth it
$200 or so for eJPT exam
wouldn't necessarily recommend it for the certification though
my aim is just to get a job as pentester and then move on for better opportunities like security engineering
i heard that companies asks for certifications like CEH and all, so ...
thanks
whats the best cert to start with
Depends what your goal is
Any opinions on PWK 30 day lab or 60 day lab time? Is 30 days generally not enough?
Unless you already have a lot of infra pentesting or similar CTF experience or can dedicate several hours per day, probably not
Are the boxes in the exam similar to the labs?
Nope
Although that seems to depend on the boxes you get @clever iron
When I signed up for it, I had people saying that the PWK boxes were harder than the exam boxes
The ones I saw in the exam were significantly harder than anything else I've ever seen -- including the lab boxes
It's entirely random
Ah. But theres not really a better way to prepare for them correct?
A lot of people recommend VHL
That's what I'm off to do the second my schedule clears up a bit
Mayor recommends exposure
See as much as you can
The more you see, the better
I thought that doing the PWK labs would be the most beneficial
But honestly, it was other experience that got me through the boxes I did tackle
What is that? You mean like exposure to concepts?
All the CMS
Do lots of different boxes
Aha. I've seen a list of HTB machines that people recommend for the OSCP. Are those also good?
Like, I did it with just under a year's intensive experience, and that wasn't enough
They are. The THM Offensive Pentesting path is good too
There's a list of recommended ones pinned in #resources
Oh thanks ill check that out
For the HTB retired machines, download the official write-ups in PDF format. These write-ups have a great feature, as it shows a quick summary of the "skills required" to do a machine, as well as the "skills learned". It gives you a quick insight as to the diversity between machines, and whether you can learn anything new from it. @clever iron Furthermore, I highly recommend IppSec videos for retired HTB machines.
Yea, I've seen some of IppSec's videos - they're amazing. Thanks for the advice. @distant pier
Guys does anyone have an idea about the Job Market for freshmen in Security in India ? I had a senior who was into security and got a whopping 6 figure placement offer but later I found he left security for Backend dev and I am kinda worried now.
Who can advise a good course in the Netherlands for CompTIA A+ online or live
Quick question. Is eJPT obtainable for someone at beginning stages. Thinking about getting all the material necessary.
Saw a few posts saying that provided material and labs is more than enough to be able to pass
@gleaming basin it depends what you mean by "beginning stages", can you be more specific? generally, a lot of people here have said that even the barebones edition is enough, and I'm going this way for the exam very soon
@cosmic ingot w/o actually ever working in infosec field etc. Self learned
oh yeah definitely
you can go even higher while being self-learnt, it just depends on how much time you can put in
I feel like people who go for these certs tend to already work in or around the field
Which certs?
Im just trying to first get an entry level tech gig
I figured ejpt is a good starting point
The advice I keep getting is: If you've done quite a few THM rooms then skip eJPT as it's very basic
But get the free barebones and see if it would provide value to you.
Cant put thm on a resume tho
I know that but it could open a door to infosec, maybe?!
Anyone familiar with CompTIA's PenTest+ certification? I'm working in the cyber security domain (recently graduated), and want to get some knowledge within the pentesting field.
Problem is im not working in any IT field, at all.
hi
@somber bramble It's loading now for me
It errored out before for some reason
me toooooooooooo
@gleaming basin Then look at Sec+ or something for a generic sec cert
eJPT is a very basic pentesting cert
Thats my goal. Taking A+ next month for hr screener and sec+ after
Would like to start working somewhere first but it may not be an option with just A+ and some google courses
Thanks for your input. Im far away from being able to take OSCP
the thing is, ejpt is cheap compared to most other certs, and you can gain some practical skills from it even if it's not able to get you a job
oscp is probably guaranteed to get you a job, but way more difficult and also expensive
I doubt it will hurt getting that. As you said, its cheap.
@gleaming basin well, you're the one who decides how you'll spend your money, but yeah
you can get the barebones edition for free and practise what you're learning at tryhackme etc.
you can always upgrade if you want
True.
Just like A+ , far too many it support gigs want that and its probably the most useless cert out there
At this point, A+ is keeping me from putting my foot in the door
Like, why do i need to know every part inside a printer
Anywho. Thank you for the input.
can someone please give me advice about passing the compTIA A+ exam besides professor messer lmao
as much of a dick that dude is, him and Mike Meyers are the best tbh
Ya I used them for test prep and bought the $30 e-book from comptia which came with a small question bank
Also, A+ is a very useful cert specifically for IT support/tech work because it requires an extensive trouble-shooting methodology, which is also an invaluable skillset for infosec
plus, from my personal experience just having an A+ alone has led to more foot-in-the-door opportunities given that most IT jobs around here want that cert as a minimum
So I have a question regarding EJPT certification of Elearnsecurity so I heard that the course does not fully prepare you for the exam and some stuff you are required to learn on the fly and some of it is outdated content I already have the course and voucher so I am currently preparing for the exam is there anything I should do beforehand? What are some best practices to prepare for the exam?
Know how to manually set-up a routing table. Don't treat it like a CTF; the point isn't to get "flags" and shells but to enumerate everything
Everything you need to pass the exam is covered in the slides. The Hera Labs are really good but most of them are not applicable to the exam, the Black-Box labs will really prepare you for the exam, if you can clear those with ease then you are ready for the exam.
A large chunk of THM rooms are harder than the exam. U have plenty of time, just be methodical and smart then you should be fine
Thanks! Appreciate it!
are there any thm boxes which are similar to the black-box labs ??
I felt PTS was enough to prepare you for the exam… not sure where you got the info that it's otherwise
I agree with ESWAT. The materials were more than enough.
@jagged mango I wouldn't say these boxes are exhaustive or that similar to the Black-Box labs but I cleared the following THM boxes while preparing for eJPT; Tartarus, Lian Yu, Break Out The Cage, Smag Grotto, Year of the Rabbit, Alfred, Hackpark, also it wouldn't hurt to run through the Kioptrix Series on vulnhub
Anyone who's done PenTest+ what's the exam like? I'm about 70% through the course and the majority seems trivial.
I've read the %s etc for the exam.
Have you done a practice exam for it? @forest knoll
Nope, I've done the end of chapter quizzes so far. I get a few practice tests at the end (going through LinkedIn Learning)
A lot of the actual hacking stuff so far is explaining the basics of common vulns, e.g XSS, race conditions, XSRF etc
Conceptual learning. Hopefully those end practice tests through LinkedIn Learning will be close to what you get in the exam. 🙂
Had a quick Google, seems to be some free practice exams too. I'll give those a go once I finish too.
Have you taken any CompTIA cert exams?
Nope
CompTIA has a very specific and annoying way of asking questions
Idk about text prep materials but for the exam itself just take your time and read questions carefully and fully comprehend, they will try to always throw you off a bit
if the exam has PBQs save em for last
I'll keep that in mind :) finish the learning, grind the questions and practice exams / THM path :). Thanks for the advice guys
Also, keep an eye on the news for PenTest+, I think CompTIA are pushing hard to get this cert DoD certified iirc which in time would make this cert more desirable than CEH
One of those academic annoyance type question styles is using particular leading-terms, like "best fits", this means there are two correct answers, but one of them is the best. 😄
Oooo yeah I nearly signed up ages ago to CEH, then I found THM haha. Ahhh yeah I hate questions like that, I tend to overthink them.
Yeah that's a really good example of how they'll ask a question, in my experience from A+ like half of the questions were like that
I'm aiming to get quite a few CompTia certs so I best get used to them
i mean depending on your background it might be more advisable to start with the CompTIA triad (Sec+, Net+, and A+) before moving to Pentest+
So far I'm finding it I'd say pretty easy. I may have to revise some of the earlier terms in relation to "legal groundwork" etc. If I have trouble with the practice tests I'll take a step back, then try for a different cert. Don't think that'll happen though
Planning, Scoping, and Reporting will probably be new areas, that are non-technical.
And writing Powerpoint presentations. 😄
😄
Hi, I have 1 Year of experience as an Infrastructure Engineer. I already have done CCNA, Red Hat, or MCSE. I want to make a career as a Penetration Tester. now I am confused about what I should do. CCIE Security or OSCP? Should I do CCIE Security and gain strong knowledge and experience in Network Security then I would do OSCP. or I should directly land on OSCP and make my career.
Help me as a career mentor.
OSCP+(degree or exp) can get you a pentesting job in the UK
I'd check your local area though
Hi @quick forum . I have only Diploma in Computer Engineering and I am From India.
If you're in India you'll likely need the CEH
@elder grove thanks for your suggestion. Please suggest OSCP or CCIE Security.
Why are you set on those certs? He gave you a cert that will help
@tacit wagon CCIE Security isn't anything related to hacking -- it's a ton of Advanced Implementation of Security Controls on Cisco Devices + Advanced Network Design + A ton of theory
CCIE Sec Lab is also $1,600 per attempt
Please don't @ me. Thank you.
^ It may be worth it to disable notifications if this is consistently a problem
And override for the Staff channel groups
Discord is really good about their notification flexibility tbh
So I'm studying ECE in university but I love cyber security. Is it possible for me to go after cyber security?
In the U.S, companies just really want a degree. It doesn't really matter what it is, as long as you can loosely justify its relationship to IT
@heady moon ECE or CS degree would put you above others at a similar level without, definitely possible
@ancient prairie i dont know about you but A+ has an unhealthy obsession with printers. Seems like youll be troubleshooting printer hardware with that cert >.< Its a lot of random memorization and not actual troubleshooting methodology
But thats just my opinion...
It is a foot in the door cert thats for sure
Woah, just realized I'm eligible to get TestOut courses for dirt cheap, a lot of students should be eligible but I'm looking at getting this bundle for about $250, unfortunately I don't see much recognition for their Pro Certifications but they provide some of the best training I've seen https://testoutce.com/products/admin-bundle
To start my career in Cyber Security, what are the things that I should know before? Btw I'm now in class 11 and I'm from India.
I would recommend to go through the learning paths on thm. Did you do that already?
which certs are regarded highly in australia ? does it differ from US/UK? From what I know oscp is preety standard in all three but what about others ?
@jagged mango OSCP is widely considered the gateway into infosec. As far as entry level goes, that's what you want if you're wanting a leg up for job hunting.
eCPPT is supposedly of a similar level, but contains more information and indisputably a better practical environment, but doesn't carry the same recognition.
See if CREST certs are a big deal there (look at the job descriptions)
If you get OSCP first it makes getting one of the CREST pentest certs easier
@warm hinge yeah. But is there any thing else like networking or powershell which I need to know before?
do most IT jobs drug test? or only some of them? stoner here🤣
anyone know how to pass a cotton swab drug test?
Uh… maybe those that require security clearance (government)
@stoic lotus Yep
There's a secret for doing it
You ready?
Here it is:
||Don't do drugs||
some do, cotton swab tests are typically the easiest to pass if you have foreknowledge, just dont smoke for a couple days and you're fine
it honestly depends on the company but a lot of them do from what I’ve seen in job requirements if it requires a clearance or if it’s a gov job then it def will
Hey ! I just had this doubt that has been eating me for quite some time so here it is.. should I do masters in cyber security or the certs like comptia cisco, offensive security is enough to get a good job... by good job i mean good pay as well as i get to do things i like. any comments ?
Depends on your situation, its hard to get good jobs with just a college degree, and conversely its unlikely with just certs. Look for what certs are desirable in your area, get your Bachelor's first and then look for internship, entry-level jobs
around me having a Bachelor's and the CompTIA triad will get you a lot of callbacks and make you very desirable for entry-level positions
well 2 degrees are not enough? bachelors and a masters?
if doing masters will not help with a job.. then why do it
comptia or offensive is better then i guess
I'm saying a combination of the two is better, certifications are typically more real-world and practical as opposed to the theory and frameworks of Computer Science in general that you would delve into with a degree
For example I've never seen a college course cover Cisco Routing and Switching like the CCNA certification does, but I do see college course broadly cover Routing and Switching in general
@astral badge typically better pay, certs get you the job, degrees get you the pay from what I’ve seen
Okay so in short to achieve hands on (real world) knowledge I should do the certs... but a college degree can help ease the process of getting into a good job with a good pay
That's about it
Okay Thanks !!
Hello, new user here, and I am going into my MS in Information Security, but my Bachelor's is in Physics, do you have any recommendations on what I should be reading up on or preparing for to get ready for coursework? In addition, it seems like from the above conversation I should be looking at certs as well, what certs should I be looking for?
hhiiiiiiiii
Well I planned to do that to get hands on experience, but as someone who has always handled things on the theory side better, I do learn best from texts
so far I have the all-in-one Network+ book
should I look for any others?
With no infosec experience? right?
yup
If you are more a text guy and new into infosec CEH Certified ethical hacker all in one exam guide by Matt Walker can be good to you
So much theoretical in my opinion but a good book if you are new to these topics
Oh no not CEH
Yea.. Is about CEH
But is new friendly lol
Cause he is looking for theoretical things
No practical
It's less about the cert and more about shoring up my knowledge since I don't have a BS in a computer-field
if it will help me get caught up to my peers, then I want to learn it
I mean, moving from theoretical physics to information security is a bit of a jump after all
The cert is for HR
not exactly gonna be modeling atomic energy levels and all
They're typically needed to get a job
but is the prep material useful for learning actual skills?
and theory
I learn best by reading theory then seeing application
personally I don’t think so
dude hacking is this weird thing where you need practical and theory is more sys admin stuff, it’s weird
i.e. here's the origin of the equations of motion, how you derive them, etc. followed by "here's how we would use these in this instance of person Charlie throwing a ball"
right but I need theory to help me understand practical, if that makes sense?
just saying "here's how you do this" will just fly thru me like water thru a sieve
but I see where you're coming from
I just need to know why I am doing things so that I can adapt down the line
are there any resources which I can use to learn in that methodology?
thank you for all the advice so far, I really do appreciate any and all help I can get
and I will certainly try and emphasize the practical as I try to get caught up to where I need to be!
which methodology?
Learning theory then practice
either way it is less of an issue now
I can always just grow and learn new ways!
I do have one final question, I'm looking at desktops to upgrade (my current one is 8 years old and has never been upgraded, but it met all my needs until now) to, what specs should I be looking for given that I will be taking my classes online
For a fraction of the cost for CEHv11, you can get CompTIA Security+ and PenTest+ certifications.
Which certs would be good for offering penetration testing services?
well, tool man, I definitely appreciate the financial concerns!
I see some certification course on https://www.cybrary.it/ . I don't know how valuable the cert is!
Cybrary does not provide industry recognized exam certifications, instead you get CEC (Continuing Education Completion) course certificates.
So it is better to get Sec+,Pentest+ and OSCP?
It depends what you want to learn, and what type of career you are going for.
Download the objectives document from the CompTIA website for Security+, and see how much of it is completely alien to you. That can be a good validator to see whether any foundational knowledge is missing, before going into a Pentest oriented course.
I have done some Pentest+ test exams. I am lagging in 1. Scoping and Planning, 2. Communication and reporting!
Just passed the TestOut Client Pro exam :D. It's 100% practical and although this isn't really an industry recognized cert I did learn a lot about Local Security Policy, Group Policy management, basic AD management and quite a lot about basic Sysadmin stuff for Windows. Strongly recommend course + exam for people trying to up their Windows game.
Price?! Since you have to have some sort of code to get a price @ancient prairie
Got my security + tomorrow wish me luck!
Online 🙂 and ty
I think im gonna do all my comp exams in person
Best of luck with the sec+ @south nest hopefully I get the chance to give you the role (:
Thank you @quasi stream 😄
best of luck brotha, make sure to check in early and take pictures of your work area with your phone if possible, really annoying to do with a webcam lmfao
@gleaming basin my school lets me take Testout courses for $80 each
the courses themselves are pretty affordable around $200 iirc and they really are excellent quality, couldn't recommend them enough, going to use them for my Sec+ prep
hi guys recently got my ceh cert and wanted to start learning more about pen testing so that I eventually obtain oscp
May I know where should I start?
!help
OSCP path?
Hey guys, I am doing 3 year CyberSecurity. I need to complete Final Year Development Project . Any ideas for topics related to cybersecurity ?
Which topics do you like?
Hey! I have 2 major open source projects I work on. Normally they would go into a projects section at the end of a CV, but I spend multiple hours / day working on them, collaborating with multiple people and even get paid for them (via Patreon like sites). If I put them into "work experience", is that like bad because I'm not technically employed by anyone or?
@rugged sable if you can explain that in an interview, then you're probably good
If you earn money from them you could easily argue they don't belong in Projects section. Yeah I'd put them in experience (if you want to be safe just remove Work from Work Experience)
I would put them under Projects. @rugged sable
there are employers that specifically list contribution to OSS in the nice to have's, so depending on the company I think that would get recognized. not sure if and how much it matters where you put it though.
good luck on your search bee!
I passed the Security + 😄 wasn't too bad actually
👏
That was the first exam I wrote in 8 years… hated it but enjoyed the learning I had to do to get it 😛
Yeah i learned a lot of stuff it was dope
How did you study? @south nest
@clever iron Jason Dion's Course + Practice test + Professor Messer study group sessions and reviewed course objectives and ensured I understood what everything did and how.
Nice, did you pass easy or was it a close score? @south nest
i got 781 out of 750 so kinda close there were some things i just completely blanked on haha. I am also not the best test taker so :p
Same, good job
Thanks only took a month! now i can focus on THM :p
Hey i am looking for 1on1 Mentorship, please DM if anyone interested, in-return i am ready to help in your daily stuff and small tasks like an intern. Please let me know if anyone interested in teaching me!
Do you guys know any good sites that I can freelance pentest and earn some good money?
thats not really a thing because its a huge security risk.
the most you've got is bug bounty
the best option within that category is Synack "Red Team"
I found a website that had 1BTC which is $7,000 AUD I'm not sure if that was real or not. (They said you could legally break in.)
I lost that name of the site but thank you, I'll look those up.
I was looking for bug bounty OMG
freelance pentesting isn't really a thing because the legal side of pentesting is huge. You need all sorts of things (NDAs, points of contact between client -> project manager -> employee which adds another layer of complexity with freelancing, careful data storage/removal, reporting standards, etc)
Upwork has them all the time. Can check there.
Thoughts on EC-Council's CND certification?? Have the opportunity to get it a little cheaper than usual so am debating!!
To learn as a course or to obtain as a certification for a job in your area? @hollow needle
I aim to move up into a Security role, end goal pentesting but for now experience and more knowledge is what I need... I had not even known about the CND until recently
So to answer your question, both.. knowledge and hopefully help get into a Network Sec role
am hiring, PM me for details (OSCP certified is required)
where can i find a compTIA A+ practice exam?
jason dion has really good practice exams on udemy
also if you buy the official CompTIA ebook they have a small test bank and practice exam that are decent
CND is a defensive blue team certification, not pentest offensive oriented at all. For Network Security role it does apply though. @hollow needle
@distant pier Tracking, I ended up getting it.. Starting the training Monday.. Thanks brotha

How did you study? @south nest
@clever iron About which certification were u talking about
And what would you recommend as first certifications in the cyber security?
@clever dawn
Comptia Security+
@clever dawn
If you don't know much about computers, I would say CompTIA A+ and Network+, if you do know linux and networking then you can look at Security+
Once you pass those, you will probably look at more advanced certs, like the OSCP or eCPPT
As a high school student, what certs would you guys recommend I start working towards? I qualify for the student discount on comptia now that im a junior. I know A+, Network+, and Security+ are good ones to get but I don't know much about non-comptia certifications
is Cybrary any good?
@void dome I honestly would just stay in CompTIA and if you know A+, Network+, Security+, then next would definitely be Linux+ and then I'd even throw in some cloud computing with Cloud+.
@opaque lance Thanks!
I can't see any good reasons to take Linux+.
The other ones are valuable for entry level work. But that one really isn't going to do much for you.
I think some microsoft certs are 15$ right now if you wanna learn azure
There's all kinds of good reason to take Linux+. Employers know what it is and I've seen people get hired based off of the simple fact they knew linux alone. Servers, Cloud computing, mobile devices, etc, a lot of them run off of linux, so I'm not quite sure how that isn't a good reason.
I don’t see the reason to take a certification when Linux is one of the easiest resources to find for free
I honestly don’t know a single person with Linux+ not even spooks and I know a lot of crazy talented and educated people
Linux+ and LPIC-1 through LPIC-3 are more SysAdmin oriented certifications. Most of what is required Linux wise for security is covered in Network+ and Security+.
Interesting and good info to have. So how would you all answer the original question then?
Do you guys agree that I should start with A+, Network+, Security+ though?
i’d say skip a+ if you’re even slightly technical
and start working towards n+ then s+
i’m workingggg
Oh noooooo
well i’m getting pizza out atm but 😤
Well I currently work for my school's tech department as a "technology maintenance worker" during the summer and winter break, which is basically doing their help desk tickets or providing the tech department cheap labor. I was thinking if I get the A+, it might teach me how and prove to them I can do more technical tasks/projects for them
hey guys
what counts as experience to the companies
how do you prove that experience on your resume, I am so confused with that
Like work experience?
yea exactly
they be like minimum 2-5 yrs of experience
or in general just experience
They are (generally) looking for people that understand that part of the industry
2-5 years could just mean you working lvl 1 tech support
The experience thing is basically HR telling people that they need to KNOW how to do the job
SOC Analyst
but have no experience in the field?
Well as an employer I would want at least some sort of cert, even a networking one
I will also say if something says 1-2 years experience, that will be more flexible than something that asks 8-10 years
first one of course
2-5 years, they would most likely want something that shows you have worked in the tech field
depends on the company on what they consider experience and how flexible they are
if you want it just apply, it cant really hurt you
what about Security + then CySA+ for applying as a SOC analyst
and also remember you are going against people like yourself, those with a little experience, etc, certs would give you some edge up on the competition
guys
whole point is - what is experience in general ? wrt the companies
does having a cert and being unemployed count as experience ?
or just having a cert
you would count as having 0 experience if you have no tech field experience
how do you prove that closely related part 👀
by your resume, how you can talk about your previous jobs
like in college, I worked in the CS computer lab, I was a lead, so I fixed computers, helped lab techs work out their schedule, did some unix admin stuff, did scripting, etc, when I started looking for jobs before graduating, I could talk about the job which I had 3 years in... although being it was part time, any company really considered me max 1 year experience
The required section of a job description typifies the "ideal candidate" for a job. That doesn't mean you shouldn't apply for it. HR thinks in buckets/levels for job descriptions, and part of each bucket/level 1,2,3,etc.. is a number of years of proven work experience. This is standard, and partially is used to tie wage/salary to each level.
yup, that is why you will see list of nearly impossible wish lists, but they expect that their candidates will only hit a few of the targets
I got the secret ingredient I guess tysm!
Anyone Here interested in giving mentorship in cyber security to a noob who is ready to work as an intern in return of that!
@coral mango just failed my attempt for IT sec. internship, godspeed. I can share some questions from the interview if u like
fun fact: all those basic TryHackMe courses cover most of internship interview questions (at least from my experience)
@reef mason IT Sec? Is it a course name?
It security internship at one of the big4 corporations (EY, PwC, Deloitte, KPMG intl.)
any advice on making an ISMS system as a junior admin followed by asking for a pay raise?
@reef mason I'm interested in the questions, I'm interviewing for two smaller places this week and I'd love to know what to expect
There's some good sec questions pinned
Is buying the textbook for comptia certs worth it? or are online resources like professor messer or udemy courses enough/better
I did both my certs through udemy and professor messer
if work will pay for it, I'd do it otherwise online materials work well. One thing that books might have are sample questions but most of those will be online somewhere
@void dome professor messers advice is to do the video course plus buy a good book on the subject
you can find some books he recommends on the site of professor messer
Any aussies here doing certs? What certs should I be looking at for an entry level Security role in Australia ?
Sec+ Linux+ CCNA
I see. Would Linux+ help if I already had Sec+?
Was told elsewise by someone on here a while ago
The answer for anything: it depends. Do you feel your *nix skills are fine as they are or do you think going through the learning path needed to pass Linux+ would be useful?
I think Linux is always helpful. I've had a few interviews where I got hammered on Linux questions.
Yeah technically. My take would be that if you're going for a security job that needs linux skills and you don't have a ton of experience with it professionally, the Linux+ might get your foot in the door. My own personal experience has been, I've worked in Windows shops the majority of my career and my resume shows that. Transitioning into security, just saying I know linux seemed to bring on a ton of questions. To be fair at the time my Windows knowledge far outpaced Linux.
(I still haven't done a linux cert, but one of these days! 😁 )
soooo does oscp have a layaway plan? or does it ever go on sale?
I'm guessing no lol
without reading
yeah I like the response "It's only $800..."
now "it's only $999"
what a horrible answer to the question though
The answer is a no
It's cheap compared to sans, but sans is expensive
ik
@coral niche if you have the time, care to elaborate on the questions you were asked?
@marsh cosmos Christmas time last year AWAE was discounted $200. I dont expect PWK to ever be discounted since it's OffSec's cash cow.
@languid hearth sounds good. Thanks
ejpt training now $1999 without cert is stupid. was less than $400 for cert and training a month ago. was planning to do it but cant justify paying $1999
Don't love their new system, however on the margin you're getting a lot more since you have access to their entire course library
thanks INE
lmfao
2k year
INE is such a shit company
cant say I didn't see it coming
yeah I, dont love this for some of their more expensive certs fine but it really screws some people out of things like cheap eJPT
people doing ejpt are looking for an easy, guided and cheap entry into security not a year subscription to a bunch of courses they dont plan on taking anyway. so it just means all those people will no longer do ejpt
I mean yeah, it really just sucks for elearn but ine owns elearn now and from my understanding ine doesn't have the best reputation for keeping users best interests as their main focus
with the 35% off coupons they had would be $1300 which wouldnt be as bad if aiming to do ejpt and ecppt
yeah almost equal to 90 day lab access cost
any cheaper alternative certificate for oscp?
not since INE sold out
CEH is the only thing that can compare to OSCPs HR value, but thats about the same cost
when everything is said and done, it'll run you about a grand
there are much better courses for cheaper cost
but, the scope of them isn't beginner pentester
they want more people get into the field but make these entry certificate expensive af. Hmm
Dang I was planning to do eJPT sadly I can't do it now
wait a sec, I got the barebones edition for free through here https://www.ethicalhacker.net/register/
is that no longer possible?
in any case, @lofty apex and whoever else wants to go for it, go for it
me and the other people here that have the cert can guide you with the resources a little
https://www.zeropointsecurity.co.uk/red-team-ops
@languid hearth that seems amazing. do you know if it will get recognized?
Did some research on it. For HR probably not, but i saw it mention on many site
but it probably doesn't matter, you can still be a hacker with it
it doesn't matter if you're not trying to get a job with it
what is barebones edition
the PTS course (for the eJPT cert) had 3 tiers: barebones, full, elite
the first had only the course material in presentations -- no labs or videos
I'm not sure if that's changed now
yeah just saw it
well, the voucher for the ejpt is still $200, so what I said before still stands
still unfortunately, not recognized.
tbh the 2k/year deal doesn't look that bad if it's a bundle deal w/ everything else
probably a matter of time, it seems well organized
So now the only way to get into offsec is OSCP ?
@warm hinge They should really be doing a monthly option. 2k is a ton to fork out all at once.
@warm hinge this is what I was thinking, but it's not as affordable for new people looking to get into the field
@lofty apex depends on your networking skills.
@languid hearth Honestly I agree w/ you there, but I guess that's just how they're planning to monetize now
yeeeep
for anyone that's struggling with money though, be sure to get TCM's course because he offered it for free as a response to this
I'm halfway through, it's great
@languid hearth can you elaborate on this point?
if you can find the right person who is nice enough to give you an opportunity
I can confirm that ^
I landed in a red team, without any experience, just eCPPT (which he didn't know of before)
just added the eCPPT role ^
So you landed a job in red teaming with connections like he said to find the right person ?
I got lucky, and slipped my CV into the mailbox of the CEO right before he was about to post the job post
So not networking, but he was nice enough to give me an opportunity
@shrewd gazelle Without any experience and degree?
Nice
@unkempt nova Yeah, all experience i got was made in my free time
And eCPPT
Job is mainly physical tests and in-house tool development though
Plus your traditional pentest stuff
@shrewd gazelle this is really great to hear. Do you have any open source project such as in github and public profile?
Yeah (github.com/pynox) but nothing amazing in there
Got some private projects though
How you actually proved that you have the experience?
You met him?
Did You talk all about your technical skills?
Technical skills, aspirations, soft skills, everything
He is really a nice person... Perhaps he has good skill in pentesting and social engineering
Yeah, he does most of the stuff
Its a small company
So he is on most tests
It was not a HR kind of interview
I see
many company asks for bachelor degree and 5+ experience. Most of guys who holds bachelor, i think doesnt have good penetration testing skills
You opened your door heh
Sure did
Yeah I'm doing BS CS I didn't even know about how to make websites and all that TryHackMe stuff till I actually started to google stuff , university doesn't teach nothing sadly
Wasn't all that easy though, they have no public emails, so i had to brute guess the correct email of the CEO
You will have big success in few years
ooo
What a technique!!!
@shrewd gazelle Don't they have public website?
They do
But no email on there
Same with LinkedIn
They mainly do work by reference
huh, guess they deemed you worthy given that you found their email addr
Not sure during the pandemic, but much of the value in BS CS is outside of BS CS: you're studying alongside other smart people at a time with (assumingly) little responsibilities and you get to try out crazy stuff with your friends during this time (entrepreneurship for one, if your school offers assistance with that)
@shrewd gazelle But you got there without any reference?
I mean, it was a funny talking point, but it wasn't all too bad
Just use an online email validation service
@unkempt nova Nope
Just kinda wedged myself in there
Job hunting is another art 🙂
Sure is
@shrewd gazelle Can you recommend some projects for us to do if we want to get into pentesting field so that we can you know showcase them on our github profile ?
I wonder what you told him and he invited you for coffee.
Mhmm, for me it was various "malware" projects, C2 frameworks, etc
But anything in code really, just show that you know how to code
Doesn't need to be pentest specific
@unkempt nova Guess my CV was interesting
Oh okay , I was thinking about making a discord bot so will it count ?
@shrewd gazelle I think you mentioned lots of technical and coding skills in the CV?
Okay neat , thanks for sharing your experience with us I really enjoy when people share how they got into this field
C++, Assembly, C#, Python and Powershell yeah
Also, i got my security clearance
So that helps
@lofty apex Np, happy to share
Also, i did some lectures and stuff in a couple Discords
Interviewers seems to like that
You are skilled in coding in more than one language?
Sharing your knowledge
Yes
Mainly C#, Python and C++
I script often in Powershell though
I can read the code, but not good in writing
If you can understand the logic, its really just different syntax
Which can be learned via documentation
I can write code but require help from Google and stackoverflow
aha
Need that "How to do x in y language"
There are some videos about how to improve your CV , I think JohnHammond and Thecybermentor uploaded their videos on it
I just used this template tbh https://templates.office.com/en-us/Student-Resume-Modern-design-TM16402487
HTB and TryHackMe can't be included as experience?
I think it can
I didn't
I had freelance programming, and my current job
Azure sysadmin
I think it can be included as a hobby
@warm hinge I heard lots of employer look at these profile!
THM and HTB most popular platforms. If these platforms offer some course and certification, i believe, will be well respected!
Unless you do Throwback you get a cert
@shrewd gazelle is eCPPT advanced than OSCP?
No idea, haven't taken OSCP
