#cyber-and-careers
Hello all, I am currently a Junior studying CS and Cyber Security at UNCC. I have been searching for my first internship/job for the past year and a half now and have had little to no luck. I was wondering if there are any recommendations/advice y'all can offer me to help better myself and my chances at landing my first internship.
hey! is anyone preparing or had done ceh-v11?
I've done the beta, its pretty meh
as in ? @languid hearth
as in its bad
not worth it?
yes
very much not so
the only reason its respected is because of the title
"Certified Ethical Hacker must be good because of the title"
What internships have you applied to, what are the titles of the jobs?
Do you have any kind of portfolio?
blogs are great as well. Potential employers love to see what youre doing
any projects too. It could be a home lab, or something simple like a VPN
!docs free-path
https://ine.com/pages/cybersecurity
Edit: the basic tier doesn't include labs
Updated pricing - $50/Month, $500/Year (basic), $750/year (Premium, includes certification discounts, unknown % tho)
has anybody tried pluralsight for security? They have some stuff similar to ine
That’s actually crazy dumb imo the courses are really not that good without the labs
they’re dry af
basically just paying for some slide shows with 95% of content you can find for free already
need the extra 1%.
actually pisses me off more than when they first announced all of it
Cheddars Bay biscuits and cookies?
-> replies
ADVANCED EXPLOITATION
for someone that is brand new to hacking I guess their labs are alright
here's the thing
And for free
one task is 3/4 labs
I did a speed run through them one night in a couple hours because I was bored
Thankfully they are doing the right thing - also didn't realize you get access to the all the training with the new plan, thats pretty cool. I'm guessing their subscriptions weren't selling well
As an existing INE subscriber, you have the option to upgrade your current plan to receive full access to our entire library, and receive a credit for the difference in price to be used for your future renewal.
wait what
whatcha confused about?
what kind of subscription is upgradeable?
ah i see, the new INE plan, supuki and cry were talking about it above, https://ine.com/pages/cybersecurity
i had the $1200 for 2 years plan, I was credited the difference and put on this new plan
that's nice in my opinion
and you now have access to all their training, not just the Cyber Security modules
the price is quite good for the amount of training that's now offered
like theres a 130-hour python course 😭 among a bunch of 60-hour cisco courses
cloud courses are also great
yeah its a massive improvement imo, still darn expensive but much more attainable, getting the labs add on is almost mandatory though if you're gonna do INE/eLS training
it's expensive but worth it compared to the older version
100%, end of the day the more training thats out there thats not SANS/OffSec the better it is for the community
(not knocking their training, just that they are the de-facto standards for hiring purposes)
I might look more in-depth into that after oscp
looks like a great learning source for me
i will say, im not a fan of just reading off power points
I find that lack of elaboration on certain things (im working through xds right now)
is not very helpful.
the area where they need to improve is lecture content
yeah, and that's bad
true
right thats why you need the upgraded version to get the labs + videos and other supplemental resources
discussion is a huge necessary component
id argue they're critical, not so much supplemental
I don't personally like watching OffSec videos on OSCP
So I wouldn't do that for INE
it all comes down to the instructor
I tried forcing myself to watch the PWK1.0 videos and it was dreadful
watching the OSWP videos was very nice and refreshing
the guy is literally reading what's on the pdf
well thats also a more systemic problem with this type of training in general, afaik you never get the classroom environment outside of SANS, not familiar with how its done for OffSec
SANS, obviously varies from instructor to instructor (like I imagine how INEs does)
but Phill Hagen did an amazing job at 572, super engaging, right amount of jokes, and was passionate about what he was teaching, so it went well.
but the whole reading off of slides thing sucks
yeah in general my attention span really sucks so I gotta work like 10x as hard to retain things
No INE has one guy with a monotone voice that goes through a lab example step by step and nothing else very very very different than sans
And it's very pleasing to listen to
and having to page back and forth (because my results didn't align with what the video) was a pita
the INE guy sounds identical to the "How It's Made" guy
ah my bad Esqy
so the instructors who make the course are different from the ones who make the videos?
I don't know if you've ever heard John Strand teach, but his passion is so infectious for it
I haven't yet, the name sounds very familiar though
correct
thats whack.
i mean they may have input on the content of the videos and just have an actor read off a script so idk
He's run a few (free) courses through Black Hills Information Sec, which are definitely worth checking out
Would be a pretty neat job to be a voice actor for INE
bet it pays pretty well
Ah yep, that's where I've heard it from
Both ones I've attended were more SOC based and for the Blue team, but they're still very good
either way, really hoping cons come back into swing soon so I can get a little more hands-on training/networking that way
same, some networking opportunities would be nice.
i've also literally never met a person IRL into hacking /infosec or have any friends to discuss this stuff with so it would be nice to meet some folks 😄
that's also a pretty good point, did you not go down the university route?
online school for an A.S in a very generalized IT degree + largely self-taught, I actually lied I did meet a couple people from a local defcon group but that was quite a long time ago and only for a lock-picking event
im really hoping I can scrape together funding and apply to the undergrad program at SANS - basically get like 4 SANS certs in a year or two that route
Ahh right, and in the US?
I don't know what the age limit for the SANS fast-track is there
Yup
Just ask Sam lmao
you just have to be 18 minimum but you still need college credits to get into the program, I talked to the admissions lady at SANS who was very nice and helpful
Ahh right, so you basically don't apply yet?
it seems weird the college credits are required
yo I was wondering, what happens when all these 3 - year duration certifications like CEH expire?
does any employer care? Can u still claim to have it
I've technically applied already but they need a $10k deposit which I unfortunately can't swing at the moment - so looking at financing + saving up in the meantime
slap it on your resume, but put expired
phew, that's not something to shake a stick at
Don't they just have a continued learning requirement or something and if you keep going then it doesn't expire?
Hi guys, just a tiny question: do you put your thm-certificate on your resumé?
No, I briefly mention it under a larger umbrella of continued learning/training
I believe there was some good advice somewhere in this channel regarding how you could work something like THM/HTB into your resume
Okay I will look for it, thanks!
Could be worse and be a PDF with a watermark plastered on every page. 😂
just look for anything Zojja posts in here, usually good stuff 😄
no cap, I think money better spent would be saving it and just following blog posts.
By spending the <insert x amount of money>, I now feel obligated to make the <x dollars> worth it.
they're 99% of the way there, just need the last 1%
but honestly, they keep shooting themselves in the foot, its an easy fix! $25 more a month
I've made my eLearn investment back tenfold at this point. And it really has been the best investment I made in this career.
Just a matter of perspective I guess.
its not like they don't have these things ready, because they do, they're just not using their head in a business sense.
wait i only read a fraction but
it includes all the content now ?? like the networking section too ??
o damn
i am deffo buying that then
it's not like a limited time offer or something is it? that's the new price
nvm saw the reply on the tweet 🤓
Will we ever see a monthly premium subscription?
Thanks for your time!
OHHHH HEEEELLL YEESSSSS @exotic epoch
I've been eyeing out a couple certs but I thought the price was too high. Great to see! Definitely gonna jump on this
so if you all had a choice of SANS course (and not specifically pen testing), which one would you choose? (not malware either as I've done it already)
figured i'd cross post to here too :]
Might be helpful for people wanting to get into info sec ^-^
me, personally, something like SEC588 maybe....
but then again.. I'd take so many certs if I could
maybe some day 😄
Sec588 was the one I put on my list 🙂 it looks good
I hope it delivers on what it states, because yeah it seems to be very much relevant right now
specially with all the public cloud drama going on
yeah I asked my manager for it but honestly once the budget is approved, I could switch to another if I found one that was more to my liking
Hi 🙂 moving from dev to cyber sec...........where do I look for remote work for sysadmin or something junior 🙂 lots of resources but Im looking at a basic pay that accepts foreigners (im from South Africa)
@warm hinge One for you, I think 😄
System administration and Cyber security are vastly different fields and require different focuses when it comes to your skill set.
System Administration
Depends on the customers environment or your employers environment on what kind of systems you will be required to know.
*Windows server
*linux administration (commonly CentOS and RHEL)
*Networking knowledge (Commonly around protocols used in servers)
*Maybe Docker/K8 knowledge
But again it all depends on the environment, I would recommend looking at different job descriptions and make a study plan of the requirements which they ask for this can be a good way to go, as for roles, you will commonly see bigger companies hire more frequently at the junior level for both cyber security and system administration
@cursive fern
Thanks @warm hinge this is awesome advice! I assumed this was the starting ground to cyber sec?
For cybersecurity I would research the various roles available and focus your studies and efforts to that particular role, what would you like to do in cybersecurity? what interests you?
Pen testing is my go to dream area. theres so much info out there its tough to consolidate to a manageable starting point without the experience to knowledgeably do so 🙂
and all say IT degree.....I dont have one 🙂
are you looking at jobs based in your country? Remote jobs in another country are very difficult to obtain, so I'd focus on local jobs for now. Once you get to a certain experience level, it may be possible but I wouldn't pin everything on that
For pentesting, remote roles at a junior level are almost zero albeit very competitive - maybe take another route to pentesting? there are many ways to the top of the mountain!
Junior SOC > Pentester is a common route
and it really depends on your country whether there would be remote roles for junior level, usually remote roles are for more senior levels
thanks thats great, didnt know. Im totally down for starting from the bottom just dont know which bottom to start from 🙂
thats the problem, in South Africa theres not much in general for juniors esp without an IT degree. I am doing Post Grad in Project Management, did dev for 5 years now on my own as a freelancer but getting into the industry full time is proving challenging. Thats why Im looking remote 🙂 I also am a certified Business Systems Analyst and much prefer remote as it has more opportunities 🙂
Well you'd want to look for companies that are already established in your country. Also if you have a degree but not an IT degree, I'd still apply for those opportunities.
thanks @pseudo creek appreciate
Definitely don't let the type of degree deter you, I'd focus on the other aspects of desired/required skills in job listings
ah that makes perfect sense ! thank you
going to focus more on the skills part of my cv and my upskilling now
yes 🙂
🥳 thanks all, much appreciated
any thoughts on getting a splunk certification to help get a SOC position?
They certainly will not hurt!
its free material with a free exam and the material is actually fairly good and gives you a basic understanding of working with a SIEM
oh nice Im definitely going to knock one out then
sorry cheap not free exam but still you get a lot for not a lot of money there
would you recommend to start with Splunk Core Certified User or a different one?
if you dont have any experience with Splunk youre going to be super confused trying to take any of their other stuff
thanks
Do the fundamentals first 🙂
HEY
Hey
just found in the exam objectives:
Splunk Core Certified User is a recommended entry-level certification track for all candidates.
Makes sense. I was a bit lost in the list of all their certs.
power user costs 2k for the course anyways lol
I would add, it is only relevant if the company you wish to join uses it.
otherwise, go for vendor agnostic certifications
I was just asking in the general room last night if I should add THM badges and Udemy certificates onto my resume!
I don't have any actual security experience or a degree.
But I do have the Security+ cert and am working on the OSCP.
I have a system design interview, any resources I should study up on?
@pseudo creek if I recall isn't system design your job? 🥺
How soon will you have that interview?
Basic scope for those is:
1. outline and scope
2. create high level design
3. design core components
4. define how the system would scale
I cant find prices for Splunk exams?
also would one need to do the training through Splunk to do the exam?
next 2 weeks 😄
hi! i am currently enrolled in the beginner path and find it very very interesting. i was also wondering if the certificate you get holds any value in front of potential employers? not necessarily the beginner path one but thm certificates in general. either way im staying and doing all the paths because they are very very interesting
Ehhhh not much value if any. For a super entry-level position where you're coming in with no other relevant experience? Definitely worth mentioning because it shows interest in learning, but beyond that I don't think THM certificates are going to hold too much weight with employers
you have to specifically request them, but iirc they're $100.
But, they'll do great at teaching you a lot of fundamentals that will make more recognized cert courses much easier for you
Exam: SPLK-1001 - Splunk Core Certified User - $125
Exam: SPLK-1002 - Splunk Core Certified Power User - $125
Exam: SPLK-2003 - Splunk Phantom Certified Admin - $125
Exam: SPLK-3001 - Splunk Enterprise Security Certified Admin - $125
Exam: SPLK-3002 - Splunk IT Service Intelligence Certified Admin - $125
those are the certs you can attempt after Fund1
anything else requires training afaik @cursive fern
thanks for your 2cents 🙂
is it cloud related? I would look up sample architectures, AWS has a ton of them for instance. Security wise, it would be, how are you securing the system, how do you separate out trusted zones and untrusted zones. Cloud focus would be more about security groups and how do you design various services to an overall solution.
They will also probably look at things like collecting requirements (how many users? Ways of accessing system? (Mobile? web? other?) Budget? Timeline (3 months? 1 year?). And also in agile terms, what would a MVP (minimum viable product) look like
This looks pretty solid https://gist.github.com/vasanthk/485d1c25737e8e72759f
Thanks for this!!! 😄
Thank you
Ok so these above I can do without the training they provide ?
What is splunk in a nutshell. Iv read and been to their site...is it a framework or like aws/azure
- Yes
- Splunk is a really beefy log aggregation tool. It's super powerful, and has a lot of functions and apps, so it can do a ton more than just log aggregation
ok Im actually touching on it now on THM module starting out in cyber sec 🙂
just open like right now
ah ok makes sense 🙂
You would be shocked to hear they can do
Hello. Just subbed to Tryhackme, loving the material.
Im scared now......cisco looks super hard.......pass mark is very high...........but its better than comptia ?
CCNA or what?
Passmarks are adjusted, scoring is very fair
800-850 out of 1000 isn't as easy as the math seems
I was studying for CCNA (school started so had to put a hold on it). Frankly, I think it just has a lot to learn since it's the basics of all but it's really achievable
hypothetically it's about 80-85%, but not really because weighted questions, certain questions are throwaway to detect if you're cheating, certain questions are used for betas, labs are worth more, etc.
yeah thats what I want to do but I see some of the other people fail even though they good.....like by 1 %
yay to labs
Maybe I should just stick to THM certs and Splunk
Theres a university section coming on THM?
Which would be better to start with, Sec+ or eJPt
They're differently focussed
Do CompTIA Security+ first. It's foundational security/networking knowledge.
okay, that’s what i’ve ben studying for
but i just heard of eJPT and didnt know if thatd be more useful
thanks!
I just passed my CCNA and I used a combination of free stuff on youtube like Keith Barker's channel, Jeremy's IT lab, and other random videos. Download packettracer and do loads of labs as well. Hands on is the best way to remember all the syntax for commands
Thanks 😊👍
Not to clog up Nox' chat, but one thing I'd say about bug bounties since it is a common question is that it is great for companies, horrible for practitioners. It is a way for companies to get free/cheap labor without actually hiring people. If you wonder why there is such a lack of entry level positions, why should there be when companies can pay someone much much cheaper if they happen to find something
pay hehe
I hope all you lot interested in careers enjoyed the talk. We did record it, and once we've tidied it up a bit we'll link it here. We are also looking into transcription options for those who cannot listen for any reason.
Google's Live Transcribe Android app is pretty good, you could also break up audio in chunks and assign to volunteers. I'd be happy to help anyway
We are all hackers, Theres sure to be software out there that'll do it 😄
But thank you for the offer Droogy, I'll bear it in mind 🙂
AWS transcription is 60 minutes/month free on free tier, and $0.024/minute outside of free tier (so $1.44/hour)
@cursive fern I am a Splunk Certified Admin, we use it a lot at work and as others have said it is very powerful, if you have the certs then I believe it is very helpful on your resume.
Thanks @still coral that's very encouraging
?
Hey James is it possible to send u a private message regarding the server
That's kinda vague
Its about a user trying to scam through pm
Ok, screenshots and ID please
Alright
weird question but can i put tryhackme in my resume under education?
A lot of people do put it on there
It shows the employer that you're passionate about what you do and you can show and tell them what you've learned from here
for entry-level, and maybe even getting into mid-level? probably yeah. for senior level? you should have more impressive credentials that make THM rather irrelevant
all depends on how ur resume is built
I would put tryhackme under "personal development" vs education
What else could be put under the personal development section? Personal blog?!
Also, I am thinking of whether self-study for certs and then earning the certs could be put under the personal development too?! Thanks!
Wouldn't official certs be under either "Education" or "Professional Development"?
Stuff like tryhackme, hackthebox, or others could be under personal development, but I think certs are professional development and the like
Personal development could be your blog, or projects you do
hobbies
things that contribute to your betterment as a professional outside of work basically
thanks @primal frigate , it makes sense
I would have a certification section if you had official certs (certification of completion are not certs, btw and should be under professional development if mentioned)
And there is no one right way to do a resume, but generally, education is formal education, certification is industry certs that include some type of test
Thanks @pseudo creek , I got what you meant, I just wanna add that the correct phrase is "certificate of completion" vs "certification". Certification is obtained after someone passes exam (s)/test (s), while certificate of completion is achieved after someone completes course(s)/training(s) without exam (s)/test(s). Please feel free to correct me if I'm wrong
Nope that is correct
Hello everyone, Starting as a security analyst next week. Any advice? I’ve got my eJPT looking to get my eCPPT and OSCP later this year.
I need help
What kind of help?
Take notes 😄
Hey @pseudo creek , I'm a recent college graduate based in America. Esqy and some others mentioned that you might be able to provide some career advice for the US. I'm interested in getting into infosec, but I'm not quite sure where to start (e.g. if I should go for any specific certifications). I do have some programming/CS skills under my belt and have worked about a year in some basic tech support as a student, but it seems like infosec has a lot more to it. Would you mind giving me some direction?
I would suggest looking at something like Sec+, possibly Net+ as entry level certs. Also, IT help desk is a good starting position, especially if it is within a larger company which may offer mobility. Definitely upskill with TryHackMe, get familiar with Linux, Networking, etc.
This is an overall guide https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md
I'd start looking for entry level SOC analyst type positions, those are going to be the easiest to get in with no security experience. You could build experience and move elsewhere if you like.
Also, do you have a general idea of what you want to do overall? or just a general idea of security?
I see. So far I've been doing rooms along the Beginner Track of TryHackMe, which seems like it's geared towards pentesting. I've been having a blast with it, but I think I'd like to work in a more Blue Team position (although I don't mind learning skills in other areas).
Currently, I don't have any certs. Should I wait until after getting Net+/Sec+ before applying to jobs? Or are entry level SOC analyst positions something I can get into without them? I've found some study material for Net+/Sec+ and have been mildly parsing through the network+ material for the past few weeks since that knowledge seems pretty useful, but I also heard that sometimes companies will also pay for you to train/take certification exams so I'm not sure when I should take them.
I now realize that the link you sent has already answered my question. :0
You could certainly start looking and applying but your success may be limited. Also make sure you have a LinkedIn account, its a good way to get visible, put in your desire for entry level cyber position, if you get certificates of completion, pop those in there
good luck and as always, we are here for you
Hey folks. I was just wondering is everyone here from the US. I am in the UK and was wondering if the information is the same (or similar) on both sides of the ponds?
Seems like most folks here are in the UK, actually.
sorry my bad. Im new here and just assumed (bad drills i know). Most of the IT stuff I have seen is usually from US people. whoops I'll get back in my box sorry
Nah, no worries asking questions!
Yeah, THM is UK based, so there are a lot of UK folks around here. If you have a look in #archives @full gyro, we actually had a talk about getting into the UK cyber industry this past Thursday -- there's a full recording of that in there, plus an archive of the text chat following along 🙂
Should be a transcript incoming as well at some point
How's it looking?
Good I gave it to deafhacker
Mega! Thank you very much. It helps to know that people are talking about the same industry. cheers
It was great!
Thank you so much for making the transcript!!
That's good to hear, it was view only right?
Yep!
Ah good @undone shore would you like me to dm you the transcript?
Is it a link?
no .doc file
Do us a favour and PDF it, then send it over? 🙂
Sure
i apologize if this has been asked a thousand times. But if anyone here had to pick one Certification to pay for out of pocket, which one would it be? Money is no object, and i can devote time to study. I'm very new to the field of pentesting and want to get my first cert in the field.
eJPT, or OSCP/eCPPT if you feel like going straight for it
Nice. I have a friend with an oscp, but the ejpt is new to me. I read the description on the organizations site, but it didn't give me any real sense of difficulty of the test. How hard/how much effort should I put into the study for the ejpt?
Plus are any of the rooms and challenges on thm a good study tool for the exam?
eJPT is considered a spring-board, really
It's pretty easy apparently, so if you're comfortable with the stuff here then it'll be a good fit
I say eJPT because it's a first cert. Realistically, if you feel up for it and money isn't a problem, one of the other two would be good if you've got some experience behind you
That is good news about the ejpt. I might look into taking that one soon. I unfortunately don't have much experience in pen-testing. I have a cybersecurity degree, but I've only ever worked as a programmer/cloud architect. I'm looking to break into the pentesting field but i don't know where to start.
Yeah, eJPT is apparently a really nice introduction to it all
TY this was very helpful.
If money is no object then SANS there is no other course or cert that compares
Oh, 100%
Now i feel like a fool. I had the opportunity to take a couple of these in school. I never heard anybody say anything about them so i passed it up.
SANS?
i believe they are referring to this https://www.sans.org/
pretty much any of their stuff is great
sans good, price bad
^
no I mean, you had the chance to take those in school?
either way, neither here nor there, onward 🙂
Ah, got ya. And yeah, i don't remember the context completely as it was a couple of years ago. It was either a competition or some other extra curricular activity. I tried looking into the cert back then since I never heard of it. Nobody i knew had any experience with it either so i passed up the opportunity.
ahh yeah I get ya
lmao no one had any experience with it because it’s stupid expensive and only the best of the best have it
sounds like it was one of those outreach programs that SANS sponsors for teens. more than likely you'd be competing against some experienced people in it so don't feel bad like you missed out or anything. they also have a really good undergrad program I'm saving up for if you have a certain amount of college credits and qualify
https://www.pentesteracademy.com/activedirectorylab
This looks like an amazing course! I found it through The Mayor, cheap too.
Pentester Academy
PTA courses are okay
i did the red team labs, it was valuable, but sure as hell not worth the money
Can anyone provide guidance?
What do you need guidance with?
guidance in detailed paths of cybersecurity and what finally i can choose as a career. There are so many paths and i m so confused about my future in cybersecurity.
What side would you prefer in cyber security red team (offensive) or blue team (defensive) it's kind of hard to answer your question as it is vague
yeah i know but i want to step into both sides so that i can see first hand what i m good in
So you want to do purple teaming let me see if I can find any roadmap about that
Interesting, I thought the price was rather cheap for the one I linked. Especially for 30 days
do let me know when u find something. It would be a great help for me.
I thought CRTP/Attacking and Defending Active Directory was well worth the money.
It was a really good course Magna. I recommend it.
My experience with the Advanced Red Team Labs was watch 4 videos to try to figure out what they want you to do for one task, do that task, re-watch the four videos and realize you need to watch 2 more to figure out what your next move is, compromise another box, and loop back to the first four videos, do that task, and then loop back to the previous 2 videos. Overall, my thoughts are the course structure was pretty meh and promises way too much and follows up on not a ton. They label it like "200 hours of torture", when realistically, I think most have it done in 24... for reference, they provide videos along with Slides. The videos for the course with 200 hours worth of content is 3.25 hours long. It's gotta be a joke, right? Nope...
Zero Point Security's Red Team Ops course is far more valuable imo.
- It's built by Rasta Mouse (which should be convincing enough).
- It's guided, and actually has the content that PTA promises.
- It's incredibly well put together, most tasks have lab that ties into the AD-Domain so you know what you're supposed to be doing at just about all times.
- You maintain access to the course material, forever. Once you get it, it's always hosted in their canvas for you to view.
- Bonus: there's a discussion board for course takers to collaborate in.
- ZPS RTO is what inspired Throwback. Imho, it's the precursor to RTO.
PenTester Academy really takes the Udemy approach. "Here's all this info you can have for this price point, but it's only an inch deep, you gotta figure out the rest." They constantly tweet out videos of their content, that's pretty indicative of the rest of the content. In fact, I'm pretty sure you could find all 14 hours worth of videos for free in their twitter feed. Here's a sample video: https://twitter.com/SecurityTube/status/1361201111168868356
[Course Video] Attacking and Defending Active Directory: Domain Enumeration BloodHound https://t.co/wIJPB393iz https://t.co/8pftY1mTAb
Blue side generally has more jobs so it'll be easier to step into especially as a junior. I think once you get into security, you can get a better idea at the various jobs and your various likes. A SOC analyst is a great role to start with and more likely to have junior positions available.
okay sure thnx!
hello guys I apologize in advance for the long post, but I have a question and need some ideas. I work with a fairly new enterprise security team, we are full of analysts that only have experience blue teaming. I am very interested in learning a lot of red team, and have been very involved with TryHackMe rooms and challenges, trying to do 2 a day for the past 2 months. My boss suggested that I take the PenTest + and then the CEH to add more red team experience to the team, but also have to justify why we would need red teaming experience in our security team. Any ideas on how to justify to my boss to provide budget towards certs geared towards pentesting? I am going to start with those mentioned, but I would like to continue and get the OSCP eventually. Or any ideas on other certs that I should start on? Thanks for reading!
Personally, I'd ditch CEH and look at OSCP instead of it.
I think a lot depends on what you already have security wise, do you have standard vulnerability scanning (web, network, db)? If so, do you have systems that are not able to have those vulnerability scans? Where we often see red teaming as vital is in 1) Specialized applications/closed source applications and 2) environments that are one-offs. Of course I am not speaking from a red teaming perspective but I think there are layers, a comprehensive vulnerability management program is one layer, beyond that is getting more specific to areas where that VM program may not catch
might also just help you to google red team business cases to see what may be out there already
@pseudo creek That makes sense, yea that is a good starting point. Yea I have also heard a lot from people to go straight to the OSCP and ditch the CEH lol. I appreciate your time reading my post and answering. Thanks for the advice!!
Red teaming is largely a business buzzword. Determining the scope and meaning of red team wrt your org is going to be a break point.
You are right, that is going to be the real break point. Thanks for the response and reading my post!
Just accepted a job offer as a Security Engineer, my first job in security (moving from Network Admin). TryHackMe was a huge help and motivator. Thanks to everyone who is a part of it!!
Good luck!
Congrats 🙂 Glad THM could be a part of it.
congrats!!!
Congrats!!
Congrats!
ok, so
probably dumb question
i know most people here are from the uk, but for the us people - i'm going into my senior year of high school and am debating on whether i should focus/study for sat/act or just use that study time to focus on getting a cert before i graduate to put on applications and such
sat/act are the standardized tests for colleges and stuff for the uk peeps
What are your career goals? Do you intend to work full time after graduation, take a 'break' year, or go into a 2 or 4 year program?
I'm planning on attending a university to study cyber operations, and going into the Navy as an officer
that's my plan a
plan b is to attend a 2 year program and get an associates degree relating to something cyber security, and see what goes after that
So a cert prior to that may help. But it's more likely that it'll be entirely unnecessary. Your officer candidacy is more than likely going to be unrelated to any cert, only the BA or BS. Caveat that with I did not go down that route and am relating that 2nd hand at best.
yeah
the main reason im even mentioning this is since it's nearly impossible to find testing for sat/act because of covid
And, if you are looking at armed forces for cybersecurity, I've heard that the AF has the best program.... again, that's 2nd hand though
yeah, i think that's true
i haven't looked into the af too much, i've mainly focused on navy
but yeah i definitely should look into it
I went through a CC program and transferred to a 4 year after - it's possible, but do research about guaranteed transfer courses and what can be applied to major electives vs gen ed electives.
did you get a job after the cc program?
If you are still a student, maybe you can get onto a cyber range team as well.
I did not - my credit load for my BS was enough that i could not work more than 10 hours a week
ahh
That said, the goal of education is employment. I strongly recommend starting your internship search as early as possible - a cert would definitely help with that as a freshman or sophomore
yeah
i was thinking, if i do take the 2 year route
i could get a decent job, and when i get enough money
get my BS
that will slow down your BS a lot
the BS will also up your starting salary considerably. It was a 15k raise to have my BS vs going into the same kind of position with my AS
It gets your foot in the door - and some employers will require it to even look at your CV
long term - the BS won't matter much
but to get that first job? it's a huge advantage
So here's the calculus, then
do you want to make 40k for your first 5-6 years
or do you want to make 60-80k with 70k in debt
and that's just the entry level
assuming the same percentage raise per year, which gives more benefit?
this is kind of a bullshit example, but working your way through it helps codify what you want out of it
i really think moving up to sr engineer and architect roles is a lot more difficult with an academic background
it's definitely possible without the formal education
it's a checkbox in a lot of places though
I went to a tier 3 CS school
it wasn't great, but wasn't bad
i'm at the point where my BS doesn't matter, and finishing the MS is my next checkbox for my next promotion
cool
i saw somewhere
there's a list from the nsa
of like colleges with achievement in cybersecurity
unless you are going to go to carnegie mellon or MIT, it really doesn't matter... the degree is enough to at least get consideration
have you heard about that at all
there are degree programs for cybersecurity
IMO they aren't as rigorous as a normal CS degree
are they harder to get jobs with?
that hasn't been my experience
it really depends on the program
from what i've seen, most cybersecurity programs focus less on the fun parts of security and more on the stuff like governance, policy, and compliance
that's interesting
but that's just my opinion; that's the impression i have from being on the interview panel for an infosec team for mostly entry level candidates
alright
yeah, thanks so much for helping me map things out
i've got a lot to sleep on lol
you're welcome
One thing I'd say is that it is harder to get an entry level position (in the US) without a degree. The one thing that does matter about a college is how much they help you get a job. Traditional schools attract a lot of companies. And where you go doesn't really matter in terms of prestige, but your local state school is going to be a solid choice. (I know my company only recruits from state schools)
It's a server of hacker ?
?
Hi all, I have been a python developer for about 3+ years, I am also in the middle of my CEH certification, a huge cyber security enthusiast, how possible is it to get a remote entry-level job in cyber security?
Are you anywhere but India, CEH is worthless everywhere else.
🙂
I would ask, what do you want to do in cybersecurity? It is a very vast industry
So it is just for India ? Oh boy.... i am thinking about pentesting.
What region are you in? - Certifications/training differ from region to region in regards to precedence.
I live in Macedonia, Europe. I just did a research that CEH was something that I need to get started but I was wrong ?
I am not too sure on that area, I recommend looking at local job descriptions and seeing what the requirements are
What about remote? I live in that kind of conditions that i can't be in an office
I would say the same applies, maybe look at roles in your area and query about them? remote is soaring in popularity now even at the junior end
Thanks for the advice. Appreciated
If you are Military you have access to CMU like curriculum provided by their Cyberforce program.
Hey, everyone, how's it going?
I'm looking for a job opportunity and I wonder if you could recommend me some
I'm coursing Cyber Defence college and I'm a computer technician - I graduated last year
are you US based? if so try the usual job boards like Indeed and such. Worth looking through social media as well for any local meet-ups/job fairs. oddly enough I've seen some decent freelance opportunities for IT stuff on Craigslist job boards but I wouldn't recommend that. do you have any certifications? CompTIA triad (Net+, Sec+,A+) is generally a good starting point and will net you plenty of interviews especially if you have a degree already
I'm actually from Brazil. I don't have any certification yet - unfortunately.
But you can check my LinkedIn profile at https://linkedin.com/in/NaomiLago/
Honestly I want to get into digital forensics but I seem to have an issue figuring out where to start. I’m separating from the military soon in a completely irrelevant field of work but I already have my BS in cyber security. It’s hard figuring out employment options for entry level positions related to this though.
Like I have my TS/SCI clearance and everything but just figuring out a place to get experience seems to be the death of me when looking around at options for entry level positions.
SOC analyst would be a good place to start, having a clearance is definitely a huge help
your typical position to get into DFIR is SOC analyst
You could also try for a threat intel position but those typically require further experience
My current job deals in great depth with security/infosec so I’m lucky to have that aspect under my belt but I need to figure out where to go specifically for an SOC analyst position. I’m somewhat newer to learning about job positions within this field of work.
Hey, I need a bit of advice in terms of certs... I am currently in the middle of a B.S. in Cybersecurity. I decided to start it because when I moved to the US almost every single IT job I saw needed some degree, so I decided to do one. Now, I get that I need some additional certs. I really would like to land in the Internet Crimes Against Children Task Force, but I am aware that my path there can be long. I am interested in forensics, I saw GIAC certs, but I cannot afford them now, is there any chance that they could be sponsored by an employer? What kind of positions can I look for to get into the field? I know that there is no such thing as a 'forensics entry level job', but I would really appreciate some advice because I do not really know the American market and I am getting panicked that I will never get a job I want :/
gotcha, first thing I would do I check job boards for your country and see what certifications/qualifications are the most desired for IT/infosec roles. my advice is mostly applicable for US, i know requirements can vary wildly on a country-by-country basis. try looking around for local defcon groups/hackerspaces/any sort of infosec groups, I know Brazil has quite a few. you also may want to look for abroad/remote positions if possible depending on your citizenship/VISA status
I would try and take advantage of the military as much as possible, I don't know much about how it works tbh but are there any services you can utilize to help place you in this field?
I believe if you read the last few posts that were made in response to mine you would get an idea on how to start getting into forensics.
There are options for me to work an unpaid internship with a company which gives 2-4 months of work experience which normally rolls into a job offer.
Thanks!
oh, that clarified me a lot. thank you!
i'll try to find BR communities and, yeah, I intend to look for abroad positions
one more time, thank you very much ^ ^
I would definitely encourage looking into that. If it's a large company you can most likely just bug the hell out of the Security teams and shadow them and try to get a foot in there
Let me know if you find any useful information that hasn’t already been provided but I think a good start in certs if you’re looking to get into government or federal work is to get your sec+
O, ok, thanks, this is some good hint!
no problem! best of luck, there is actually a cool Brazilian community that runs a weekly hacking challenge with a live stream that is really good. you might find some friends on there too https://uhc.seg.br/
I have a giant lab nearby, and I thought I could maybe get some internship there, but because they do 'everything' they demand applicants having a Bio or Chem degree, which I understand for all forensics, but for computer it is a big barrier :/
Wow, that's amazing!
I'm a starter in this area, so it's really nice getting in touch with these communities
By this area I mean InfoSec
TS/SCI is a huge in - honestly, i'd just start applying to known government contractors and see what comes up. Especially if you have at least 2 years before it expires
Are there some reliable forensic certs but cheaper than GIAC? By reliable I do not mean very prestigious but rather solid courses with info to potential employer that I know something substantial already? Or it is better to go for Sec+ for now?
Cool! Thank you.
I wish there was some way to get a clearance before getting a job.
Internships
Because I would love to work in cybersecurity in Washington DC
I also think you can sponsor yourself but it’s hella expensive
I have the linux forensics book by the course author at pentesteracademy, I found the book really informative as an introduction.
I've bought a complete course on this website for 50 dollars that was a complete waste of my money TBH do you know some good books/courses ?
Phil Polstra wrote some really good books on forensics; his defcon talks were also pretty good. What topic are you looking for books on?
Thank you 🙂 I've got for V-day 'A practical guide to digital forensics investigations' by Hayes. Awesome book, made me realize how little I know 😄 I feel like my knowledge is really scattered, and needs some 'ordering' too.
Pentesting and defense i'm starting a License in CyberSec at the start of next scholar year
So that's two different things. What is a License in cybersec? is that some sort of government accreditation?
basically it is a degree
I've done at the end of the year a second-year (univ) in Networking & Telecommunication
Defense of what kind? Which OSI layer?
I think learning the offensive part of security first is more difficult; knowing the defense teaches you likely places to find holes
Thanks for the name of the author, I will definitely check these.
You think defense better approach first ? More likely firewalling ,router,SW security i guess would be optimal
So you are looking at Layer3 and lower as your starting point; I think a lot of that is covered in some of the networking protocols books. How well do you know wireshark pcap and protocols?
Yes pretty much i try to use it very often when i'm debugging network issues but i'm not an expert. I'm studying it and i'm trying to be better from a technical point of view
IIRC there is a book called 'Attacking Network Protocols'. It's probably a good next step for you
im more of a generalist (purple?) and have definitely found that having both perspectives can only help
Definitely
but as your career progresses you're gonna have to drill down into something, i've heard some people say that there's no real room for generalists in IT like there used to be
From starting a knowledge base though, I think defensive is easier to get familiar with the concepts. Picking up why a vulnerability exists is a good starting point to eventually having an intuitive grasp of where holes are likely to be
I think there is still room for generalists, but more as a facilitator and bridge builder between specialist silos
Yes I was more confident for starting at the Red team since i already used Linux, burpsuite, nmap etc ...
yeah as an attacker you should definitely have a firm grasp of security controls and general defensive infra before anything
Also, there is a LOT more defensive side documentation and recommendations than offensive
True
If I can, there is also 'Network Security Assessment' by Chris McNab, it helped me a lot in terms of learning/understanding protocols and stuff. But you are probably way more advanced than me.
and there are a lot more jobs for blue teamers too!
Since there are RFCs for everything defense would be easier to learn
Like CIS benchmarks, OSCAP, USGBC, DISA STIGS, and a lot of security frameworks have public documents to download the requirements and controls
and ISO
would you say that Red Team career are far more complicated ?
27k1 and 27k2 aren't bad, but they are (in my opinion) more abstract than CIS benchmarks or STIGs
hmm thats hard to say tbh, I'm not in infosec so I can't really say
I'd say the path to becoming a red teamer is pretty competitive compared to blue team roles
Because i wondering a real good network admin , with defense knowledge could be better than the same guy but with only attack knowledge
Red team is all about scope vs risk in terms of what they are allowed to do. I also dislike red team vs blue team in general, as I think it puts an un-needed adversarial relationship in to play
i prefer to think of it is whitebox and blackbox assessment
My dream is to become a pentester but as you said this is very competitive
if anything its definitely far easier to break things than fix them most times 😄
Yeah, breaking stuff is fun and educational... but it's the scope vs risk part of that. What is the risk tolerance in the pentest? Are potential DoS attacks allowed? is there a potential to deny service based on the activity? If the answer is yes, the scope of what is to be tested is going to be very limited and probably not on production systems
That's really interesting
Good Day everyone,
I recently completed my Sec + and was looking at what Cert to pursue next, I'm looking at a more Defensive approach due to when I'll be able to swap my current job position, the Offensive side will not be feasible for a more hands on approach, what would be good cert recommendations to pursue?
I haven't actually done it, but BTL1 seems promising
Never heard about it until now but it seems in hand with what I'm looking for, good suggestion. I'll look some more into it today
Great, you also get a cool looking badge after passing
Cyber badge or physical badge?
Physical
If you score more than 80% (or 90) in the exam it's golden, otherwise it's silver
Challenge coin, good to add to my collection
@fringe spade @tawdry frost I would advise against the BTL1 cert. I have heard less than amazing stuff about the instructor and overall the course material isn’t that amazing it’s just a few specific tools and worded to sound better than it is. I would suggest going for CySa+ or an eLearn cert over that cert especially since they have better content and they have more recognition in the industry
which eLearn cert would you recommend? I was looking at CySa+ already
I’m taking eCTHP right now but all of their stuff is pretty good. If you want the learning material INE has their pass so you can pick and choose any of them
The eJPT is the eLearn Security basic pen testing cert and the training for that is free (part of the starter pass) if you want to see what their courses are like before you commit to the full plan
https://checkout.ine.com/starter-pass
eJPT is great fun, but it's kind of too basic
Well it is geared at people who have little or no knowledge of pentesting/red teaming. It's low level and covers quite a bit. It's all hands-on stuff. I like the way eLearnSecurity does their exams. You have access to their website and when you want to start the exam, you just login, click 'Start Exam' and you get the OpenVPN file and your own environment for the duration. You don't have to book a date for the exam, you paid for it so you just start the moment you want to. You can step away from it when you like and it's very permissive in what tools you can use.
In contrast, OSCP and other Offensive Security certs have limitations on some tools and types of task automation and they have their reasons for it.
Might be worth looking at reviews from the likes of John Hammond or The Cyber Mentor if you want expert opinions on those things from people who've passed those exams rather than me, who's still working on mine
it's also some of the cheapest letters you can put on a resume though
also, eJPT is a 72 hour exam
It's great for a challenge, but it's kind of the same as a medium boot2root box on THM for $200
It depends where you're applying to. The cert itself shows your ability to perform certain tasks hands-on and a lot of organisations will ask you to demonstrate your skills through their own tests anyway. You can and are expected to take breaks, get some sleep, etc on all these long cert exams to show that you can plan and perform just like in a real pentest. They don't want you at your keyboard the whole time and if you are then you're not doing it right
Well, it's a really good cert to boost your confidence, but the course itself is really bad. It is slightly outdated, the labs are kind of not relatable to what you have in the powerpoints, so it could be structured a little bit better
The exam itself was fun, but not too much of a challenge, it won't prepare you to handle a relatively easy box on HTB
The course was only updated last year but it's aimed at performing simple things and all their courses get updated every 2 to 3 years afaik
Don't you think that the way of presenting things with powerpoints isn't the best?
Well it isn't aimed at solving that style of box. CTFs and exam boxes are generally going to be styled differently anyway
Yeah Powerpoint sucks but they really do most of the teaching through the videos and labs. The powerpoints are very basic and don't show all the things you should be learning
Yeah, but these boxes will usually prepare you for critical thinking that's used in real-life scenarios
I honestly hate the powerpoints
To be honest, I just did the labs in 4 hours, took notes, passed the exam the next day
lol nice
Yeah the eJPT isn't meant to be much of a challenge for someone with experience, it focuses mostly on the preliminaries and won't give you anything that can't be solved with standard approaches. It's aimed at people with little to no knowledge of hacking/pentesting to get them in the right frame of mind and to point at the kinds of things they should start learning.
Certification should always only be seen as one of several gateways to a career in cybersec. Having a passion for what you do and being persistent is far more important
Hello I’m a junior In college studying computer engineering starting to look at internship opportunities. Really just looking for opinions you would like to see on a resume to acquire an internship?
Interns aren't expected to really know anything (yet). An internship is less about being productive and more about scouting potential talent. If you have skills, interests and some coursework that aligns with the company you are applying that is good enough to get your foot in the door. Don't neglect talking with the recruiters though, your attitude with them will often determine how hard they will advocate for you to the teams you would want to join
Have you looked at overseas contracts w/ CACI?
anything in IAT lvl 2 is required for DOD work. https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/
Sec+ is just the most "brain dump" and "easy" way to meet the standard and doesn't require another certification
Thank you a lot for that. I think I will go for CySA+ from that list. I plan to write to Internet Crimes Against Children Task Force to ask them directly what I need also. They had a big conference few months ago, but it was only for people who are in the Force already or in Police at least :/ I noticed that a lot of related things are for ones who already work in the field.
No problem, best of luck. Can always ask for someone in the "force" to be a mentor; that is typically how niche communities work.
I have that problem that I do not know anyone :/ I need to get better in networking, uh. Thank you 🙂
If you don't mind me asking, are you in America and where? I have a few friends in law enforcement if that's truly where you want to be.
I am in US, yes, I moved here few years ago from Europe.
In Ohio
I can ask around. I'm in California, so my network doesn't span that far. lol
how hard is it to move to the usa, from the uk
i go to the us every 2 years for vacations but always fancied working there
Depends on your situation and whether they deem your skills to be in demand. Points based system
I can not get into the US but I can get into CAN atm
yeh its to do with sponsoring you etc i think
If you have a sponsor you can get into easier, without one, it is a challenge but not impossible
when i was out there i spoke to some woman at a gym, she said she just had a tourist visa, applied for a job a month in to her holiday and they sorted paperwork out. She said it wasn't conventional however and don't count on that working
what do you do now? I mean you could apply certainly, security positions generally rarely sponsor work visas unless you have some type of specialized skill/knowledge.
tbh with the security stuff im fairly new to it. When i was originally looking it was when i was working within the ultra high vacuum industry as a quality assurance and production development engineer
and again few years later when i was at mclaren
ahh
honestly it's easier if you come from an english speaking country as we have limits and usually certain countries (India, China) max out our limits pretty quickly but those are a lot of engineering teams, software engineer, other types of engineers
yh
but companies have to still pay to sponsor you, and security in the US generally has a bias against non citizens, its not impossible and some companies don't care (like I can't imagine Google caring as they've already thumbed their noses at doing any US gov contracts)
there is a bias but if you are from a 5 eyes country there are ways to get your clearance transferred to a US one and vice versa
5 eyes?
US, UK, Canada, Oz and NZ
ah
clearances equivalent to NATO secret level are valid in each country
i know a common way is working for a company here who based in usa. When i was at a company they had a site in detroit and wanted people but i didnt want to at that point
top level clearances usually get demoted, so if you're UK DV you'll get the equivalent of SC
no one wants to live in Detroit...
also be aware that 6 weeks/vacation is extremely rare in the US although common in Europe. Generally companies will give you 2 weeks. Maybe a week of sick leave so if you don't get sick, you could stretch that into 3, but some companies don't give dedicated sick leave but frown at you if you get sick for more than 1 week/year.
also some companies have started not giving dedicated time off, hoping to leverage the usual habit within the US for people, especially young people, to not take time off
what are the working hours like "generally"
mon-fri i take it
unless shift pattern
do they do 4 on 4 off
generally mon-fri, there are some alternate schedules, I work a 4x10 schedule
so Mon-thur - 40 hours
BUT generally my hours fluctuate between 40-45 hours
some companies expect employees to consistently work over 40 hours, 50-60 hours, you'll find this more frequent in newer tech companies like FAANG
but you get paid for 40 hours with the expectation that you won't ever work just 40 hours
And another big difference from US/Europe, is that Corporations have a large influence on our laws. Corporations rights are generally favored over worker rights. Now this doesn't mean companies are horrible to employees or always horrible, as companies compete for talent and what not... just companies can generally fire at will... even in states (different states have different laws) where you can't just fire someone, you can easily get around that... Companies of certain size are required to provide medical insurance to full time employees, but the extent of that medical insurance can vary widely. Popular now are high deductible plans where the employee is expected to pay anywhere between $1000-$5k before insurance kicks in. The employee is expected to save part of their paycheck into a health savings account to pay for the deductible
Health insurance costs varies, for myself, no kids my insurance is about $200/month, my husband is the same. Some people pay well over $1k insurance/month even with employer providing insurance
is the healthcare system good tho?
as the nhs can be hit and miss
and ridiculous waiting times
well it isn't one healthcare system, it's a bunch of various insurance companies, employer based insurance may offer you 1 or more options. My company used to offer 1 option for medical insurance, now we have 2. 1 is an HMO, which is pretty strict about where you can go for medical treatment or else you pay a lot out of pocket. The other is more flexible (but costs more). Basically you have to find an in network doctor (which isn't hard to do for at least me who lives in a major metro area) and then work with them. Then wait times are based on doctor availability... like if I'm sick, I can walk into a clinic and get same day treatment, may take me a few hours to be seen but it's possible. If I call up my doctor for an appointment, it may be a few weeks. Only specialist I usually see is a Dermatologist and they are very busy so it can take me a month to get an appointment. Often major surgeries (I haven't had one but know those who have) can take a few months
and insurance companies are 'for profit', which means that you may have to wait for approval, then wait to schedule with a doctor. I have never had any major treatment like that where I needed approval so I don't know that process. But for instance, if you had cancer, you'd work with a cancer doctor but if the doctor recommended surgery, they'd have to contact your insurance company for approval, your insurance company could deem you need to see a different doctor or they could deny treatment for alternative treatment and it could take a few months to hear back from them on the decision.
Alternatively, something some people have been bumping up against with Covid is insurance companies can set lifetime maximums (I know mine has one). So you hit the maximum, they kick you out of the insurance. Which means you may have to find another insurance, which isn't easy especially if you have pre-existing conditions, which they can exempt from treatment. Some insurance require a medical exam prior to being able to join (most employer based ones do not). So worst case with insurance is if you have a string of bad health luck, you could end up paying a lot for insurance and not getting much for it.
yeah healthcare in the US can be horrible when it comes to paying for it, you might have to wait a bit for an op with the NHS but at least the bill won't kill you!
yh i guess
to be honest the finances would have to be really good to consider it
just dipping my toes in to see the options
only thing I had that was relatively beyond normal is I had a slipped disc a couple years ago, I paid about $6k out of pocket, no surgery was required, I did physical therapy and I was fine but diagnosis took a bit... it also happened near the end of the year so basically I hit my deductible one year as I rolled into the second year, where I was hit with the deductible again
One of the UK places I applied to has private healthcare. That was the first time I realised you could get private healthcare in the UK
wow usa sounds a bit meh on the medical side
is there issues with the insurance if you have pre existing conditions etc
like they wont cover it
generally that only happens if you are self employed and have to get your own insurance
like a couple years ago when Trump was trying to dismantle the Affordable Care Act (aka ObamaCare), they were negotiating with insurance companies on pre-existing conditions... some insurance companies wanted to add pregnancy as a pre-existing condition (that failed to pass)
yeah you can get private, I used to have BUPA cover for example, but it's nice to know that if I lost that I wouldn't be in a bad situation if my health got bad or even if I broke a leg or something
but generally if you have a good employer insurance, pre-existing conditions don't come into play because your employer will cover that
seriously, one of the major uses of GoFundMe in the US is people paying for medical bills
just getting an ambulance to hospital in the states costs a few thousand $
yes, there was a story of a lady who was hit by a metro train in DC begging people not to call an ambulance because she couldn't afford it
some places charge new mums money to hold their new born children after they have given birth
my county decided to install their own ambulance service and get rid of private ambulances because they were tired of seeing people dying due to not calling an ambulance
health should be a human right
should
sounds rough
as a beginner - is it worth to go ahead with a CEH course/cert by ec-council or focus on other cert path?
(damn expensive)
did you type all this .
depends on the location , again.
agreed.
just the name is too attractive 
yeah agreed.
for the oscp path - so much information is around. any hints where to start - recommendations for labs (courses, labs, ...)
just checked the topics in ceh - yeah, not so impressive
do you have penlabs VIP ? @restive oracle
get CEH only if you're in india or want to work for us public sector
OSCP, this is the way
nope, can you link something?
i mean i ve heard that buying the VIP helps you in OSCP prep . that site is focussed on oscp it seems ( Again , from what i ve heard )
btw - saw your stream before, nice tacs
😄 , not that good tho , still learning 🙂
ah, yes vip here - yep working hard on that stuff
Eh, Pentest+ ticks the box in the US now 😉
james , counting - this is the second time you used that emoji 
That's false
just doing a research on what you told , by pentest+ you mean comptia pentest + or just pentest+ .
Pentest plus is a cert from comptia
did someone finished the pen-200 course from offensive? worth?
It's identical to the PWK, so yes
And yes, it's good
ah yes, i can see that on the offensive-sec page, thx for confirmation
Hey, Im a complete beginner when it comes to cyber security. I wanted to know if learning from TryHackMe alone is enough to get good enough for a job?
yep :)
skills-wise, definitely. might not be qualified on paper but with the right technical interview you can do quite well with zero "real" qualifications
THM has A LOT of content, dive in head first and learn well. Then when you're ready get some certifications e.g. eJPT,eCPPT,OSCP etc it's very doable.
Sorry, I did not notice it yesterday. It would be very helpful for me if I could talk to somebody who is in the field already and works in similar force, who could direct me a little with some hints and tips. I even do not want somebody to 'give me a job', but rather explain how all of it works, and where to start. I am in total chaos right now and do not know where to start even. I need to start talk to people... I feel weird writing emails to some agencies/local offices asking, but maybe I should? Would it be ok to write to local criminalistic lab asking for internship in computer forensics even if they have in description that applicants must have bio or chem degree? Or I will be perceived as an idiot who cannot read? Is it a good idea to email departments even if they do not have internship programs? I need to figure out a social part of it the most, I guess...
Thanks for your replies, that makes me more psyched up for learning!
worst thing any potential employer can say is no, as long as you are polite there's literally no harm in asking. sounds like that might be a forensic lab - they might not deal with computer forensics at all
Prior to doing that, try to find their solicitation policy/internship policy on their website.
It is a big new lab, and they have everything there, like 'normal' forensics and computer too. They probably want people who can do everything or cross-train, or I do not know. But you are right. I will send few emails, and I will see what will happen. Maybe I will get some hints at least.
Ok, I will, thank you.
why wouldn't I?
yeah
@ancient prairie
If i haven't taken ejpt , is it still fine to go with ecppt ? How much time does it take to mug up the concepts and practise the labs ? How much time does we get to complete the main exam .... like its 24+24 for oscp
my Q
ejpt gives you 3 days - more than enough, I finished it in about 4 hours with only a couple months experience from THM
ecppt is a week-long I think? as far as grasping the concepts it really depends on how comfortable you are on sites like HTB and THM
eCPPT is supposedly easier than OSCP but with more pivoting.
I'd say if you can clear medium and hard boxes on both sites without any guidance you're probably good to go for the eCPPT exam
I won't take ecppt now
yeah I've heard a lot of mixed things on the exam itself, it's definitely "easier" because you can use metasploit but you cant exactly autopwn your way thru pivots without a good understanding
I will do it after 2 years
I will gain some experience with thm and htb till that time
and also do some courses and earn some money with bug bounty
given how cheap eJPT is though I would strongly suggest that as a good entry-level cert to learn a little about hacking and gain some confidence
But ejpt doesn't really cover any thing right
i can't advise on bug bounty much but I would definitely suggest spending your time elsewhere as it's really hard to make money doing so
I am a student , i cant really do other stuffs
ejpt covers quite a lot, if you're a complete beginner like I was you can learn quite a lot, I also branched out to sites like HTB and THM to supplement my learning - don't limit yourself to one platform
but i made 175$ , last 2 months
on bug bounty?
yaay
Blimey, not bad
so eJPT is definitely a waste of time for you, congrats!
well , the bug was bruteforce on login page lol
you must've found a nice program, many sites won't accept this kinda of a "bug" hahaha
yeah even the 2 private programs I was in basically banned anything automated or sends x amount of requests per second
There was a 3 y/o program , i was surprised that program still had that vuln
still fun to mess around in tho!
Nope , mostly all accept rate limiting on sensitive places like login
If you aren't confident with bbp , try vdp , very few hunt on those
SO , is doing ecppt after spending more than a year on thm and htb fine ?
and how much time is needed to complete the content of the course ( ecppt ) on an average?
And is ecppt well known cert in the security industry ?
Care to elaborate on these? bbp and vdp
BBP = Bug bounty programs = Those who pay you money
VDP = Vulnerability disclosure programs = Those who don't pay you money
eCPPT is not really well-known now - but the way they are positioned in the market I'd give em another 4 or 5 years and INE/eLS may have brand-recognition like OffSec
Oh, I thought they were websites xD
O ok , I will take it then 😄
and whether you spend time on Bug bounty or not is really up to you but the amount of time you spend on bug bounty programs could probably be spent better elsewhere, learning stuff, building up your brand, whatever
john hammond also noted that if you completed eCPPT you'd pretty much be good to take OSCP with little prep, so take that for what it's worth too
ya those are programs which consist of websites
Oo ok thanks for the help 👍🏻 , appreciate it
You all do jobs or are students ?
both 😅
agreed but bug bounty will give you real world scenario knowledge , neither thm or htb can give you those
howz that ?
go for eJPT, it will give you an in-depth understanding of the fundamentals of whatever is ahead of you. but be doing htb or thm or portswigger alongside..it helps.. all the best @pliant yacht
kind of... depends... but like you could study for a cert which a company would put value in, hiring companies won't put a lot of weight in someone who says 'participates in bug bounty' unless you reach a fairly high level
i work full-time and go to school part-time
will think about it thank you
I guess you are doing some graduation level studies right
nope! still undergrad - getting my Associates' degree in the fall
what are you getting it in?
it depends... there are some vulnerabilities which I've found and exploit in real life pentest engagements because I saw them in either thm or htb... I will say learn as much as you can...ctfs helps!
Actually , I wasn't pointing out that , i meant bug bounties consist of real websites , not lab environments , to learn ~~> htb and thm are best , to gain experience --> Bug bounties
okay
information technology - main objectives of the degree is to get you the CompTIA triad + 2 Windows Certs (Desktop Admin, Server Admin)
yep its an okay program, not as intensive as a CS degree but it's more of the "trade school" approach for IT studies
probably skipping the Windows certs as they're not too relevant for me but still nice courses regardless, Microsoft specialists make $$$$
is it an online school?
yeah they're a hybrid school, some programs are in person - this wasn't my choice of school but tuition is free through a family member's union so I'm not complaining 
comptia triad is what i think should be taught at a-level cs in the uk
could you post screenshots? people may be hesitant to download a pdf from a stranger
Hi guys, how can a 3+ years python developer and 2+ year freelancer get into cyber security world ? I also have CEH in preparation.
I've deleted your message, its probably best if you host it on say GitHub or another platform for others to read. As Droogy said, people are very hesitant to download files.
step 1 is to never tell anyone you have ceh
Why ?
it's a meme
It may be a meme cert in the technical circles but it will still help you get your foot in the door. CEH is also DOD 8570 approved
Certified Ethical Hacker sounds huge honestly
what
To a non-technical person it looks good
I guess
And non technical people are generally the first people to look over your resume
That and the robots
Anyone here in this room done the Comptia Pentest+ exam ?
I have CEH but I never tell anyone that... its not even on my resume
no
I don't have any Comptia certs
I don't think you would need CEH on your resume if you have CISSP
the CEH cert wasn't really intentional, CISSP was but both happened similar way, end of 5 day course (well CEH was 4 day course)
My bad, should have guessed
Would really appreciate the feedback
I guess I will put it on my CV if the job required it 😄
looks good! i've heard mixed things about including OS or Tool experience unless you have any certifications with them (like Linux+, Splunk certified user, Microsoft Desktop Admin)
yea i have literally no certs
I will get one after college
overall pretty solid experience imo, my only suggestion would be that you grab a few certs to really round out your CV, but otherwise I don't see any reason why you couldn't land an entry level job as is
Entry level jobs, what entry level jobs do they even exist?
🤣
They probably don't exist where I'm from I guess
Generally I don't separate out distributions of Linux, I would just say Linux. Also, you don't list Windows at all?, I would agree that you should get a cert if possible (Sec+ would be solid), generally this is better than 90% of certs I see so you are doing good (I'd also list THM under hobbies)
Go into more detail about tryhackme?
oh nevermind... I guess I wouldn't describe TryHackMe as CTF ha
hahaha
maybe instead of CTF player say TryHackMe Cyber Security Platform
have you made any content for tryhackme or similar platforms?
Nope
they love seeing that on mine
Will eventually
ah okay
yeah for tryhackme i have "security education platform"
maybe mention a few things you've learnt? such as attacking active directory or whatever
LMAO @static tide I was gonna flex that my CV says I work for THM but I just realised I completely forgot to include that part
no wait i didnt
its right at the end
Anyway this is my current CV. I change the technologies / projects depending on what tech the company is looking for (this one heavily wanted Python / AWS)
i wish i wasnt

ahahaha
when you have so many projects you have the luxury of tailoring them to the job
Is it good practice to take off skills for specific job or just write all of them ?
@static tide you have a website and a chess app no??
we abandoned the chess app
bruh
I read that as cheap a**
someone else published basically what we were creating
maybe I need glasses
and it looked better than how i was gonna create it
but i have like 700k+ downloads on an npm module hehe
You know a certain Twitch streamer published RustScan's core feature (at the time) a week before me and I still crushed them. Time to market is important but it's not everything 😉
oh really?
the CoD module?
was it?
spill the beans 😉
YES
TAY TAY
I'm also crushing someone right now in this Discord, their app is 2 years older than mine but they still suck lol
love TS
oh but this person deserves it for being a thief
I'll send u the memes
Depends on the role but it is good to narrow down to the applicable skills. Throwing everything on it can get messy and may also have a negative impact on where you go in the resume pile
It's also good to look at the job descriptions and take things from that and put it into your resume. If applicable. Don't lie
python 2
Yeah np. My advice definitely isn't gospel and should be taken with a grain of salt lol
Main skill -> Main skills
Remove etc. from Design & IDE Tools
Also place skills in order of proficiency
Applying to lot of jobs make me do that. Read the descriptions "Skills needed: Python 2 and 3" ....
Yeah just put python. Also a tailored resume is a good thing and worth the extra time
Yeah there seem to be a few categories that are redundant
Like the web dev category is still programming
also idk if employers like it but just listing a bunch of tools seems a little bit script kiddie ish but idk
if you know all those tools then you ain't a script kiddie
I separate mine, keep in mind I was applying for DFIR and general Cyber Security positions, into programs, languages, and certs
Let me double check that though
I might have changed it
the capitalisation is weird too GoBuster and HashCat
I never see anyone list the most useful tool out there...AutoHotKey
It's not script kiddie to list tools you've used but it's kinda pointless unless you mention a use case/purpose for it and how it helped you achieve something. Even if it is minor. Anyone can open a piece of software or run a script.
yeah agreed
Ok so yeah I had it separated out into Certifications, Software, Technical skills, and then programming languages
Can you please dm me your CV ?
I don't have a washed copy so no sorry
I'll see if I can make a washed one later tonight and then I'll DM you
Thanks, appreciated
Correct
@slow shale probably not going to happen tonight
Hey all! We have an AMA from CyberSecMeg who's a blue teamer! I know we talk a lot about red team, but if you wanted to get a job as a blue teamer Meg is answering all your Qs 😎 https://www.reddit.com/r/tryhackme/comments/lnep71/ama_cybersecurity_meg_cissp_msc_cybersecurity/
she's awesome
as a whitehat what can i do?
Pretty much anything a company is willing to sign off on
I'm neither red nor blue, maybe I'll call my role a green team role
green team - those that can keep plants at their desks alive
And work where the grass has a different hue
I can't keep plants alive
my work has blue team, red team, then various areas, like GRC isn't part of blue team either
That's a really nice AMA
you can thank @onyx falcon !
😊❤️
Thank you!
so happy to participate! 🙂
Hello everyone, Just got to subject and It is very interesting :). Is TryHackme good place to start learning? Any good road map to cyber security? Blue or Red XD? University or hand on or both? UK, Manchester based. Thank you
uh heyo @weak anchor
1.) Yes
2.) re-read number one again, just so you make sure you've got it
2.) there are a couple which I can try and find for you, but take them all with a pinch of salt - everyone has different opinions as to how to approach the industry
3.) Really personal preference, try both (you can on THM), and just see which you enjoy more is my personal advice
4.) goes back to the road-map really, this one is a pretty hotly debated subject
I'll try to weigh up the pros/cons:
Uni: some (arguably more backwards) recruiters require a degree, can be a good learning foundation | However, majority don't offer much actual hands on degrees, so definitely worth learning that on the side - and the whole student debt thing isn't the best shadow to have over your head
that's just my two cents from listening in to smarter people talking, so I'm sure someone can come along to provide a much better opinion and please do.
x+
.
TryHackMe is great for ethical hacking learning and defensive cyber security learning. A roadmap depends on your interest, start with learning networking/security as foundational. Start with Blue, pivot to Red. University Yes/No depends on your budget and your learning-style (autodidact or structured learning). Welcome! 🥳 
More Blue jobs than Red; Defending makes you a better attacker, in understanding the target attack surface, how it is defended, and what techniques are outdated (as in: they get picked up by Endpoint and Network monitoring).
ahh perfect, thanks - I've been trying to incorporate more patching into my research, and I've found it very interesting
so it would probably be a good idea to focus on that initially
not sure how happy Nox would be with your first point there though ;)
Blue also has more junior/entry level jobs and potential.
everybody wants to be a red teamer, but the blue side has a wider variety of jobs as well
University can be dubious for hacking and cybersecurity. The course I'm on for it is really good (BSc (Hons) Ethical Hacking, UAD), but I hear some... interesting... things about most of the other British ones -- and even that one has some odd sections to it.
It really depends on your budget, time and learning style whether you go that route. I would recommend it, personally, even if only for the experience of being a student
Have you found the Ethical Hacking degree covers enough hands on content Muir?
It sounds like that's one of the main gripes of recruiters, that degree students don't actually know their way around the keyboard, and although that wouldn't be an issue if you do work outside of the degree, do you think it prepares you well enough by itself?
universities are limited sometimes what they can teach so it may limit what the students get out without self study of the topic, if the student is just in the course to fulfill a requirement they might not get as much from one they choose to take
Yes. This one is very hands on
I would say that (as dragon said), many of my peers don't make full use of it. They use the content they're given and nothing else, which means they don't gain nearly as much from it as someone who fully engages and uses the coursework as a springboard -- but that's a matter of attitude rather than the course itself 🤷♂️
Yeah, although it could be argued that's the case for many other degrees as well.
That's just uni in general
Have you found the networking is good there? That seems to be one of the best aspects of it
100%
Especially through the society, the networking is incredible
Like, I've spoken to the head of AWS security in the pub because he flew over specifically to take a course for us. The connections are incredible
Sheesh, and I imagine all the students (who are active in the society at least) want to pursue the career professionally
so you could end up working with several of them
I did my bachelors at a traditional college and the networking was a lot better than when I did my masters at a non-traditional university
Apologies -- I'm misremembering his job description. Head of the security team for one of the us-east AWS regions. Just looked it up
So, not quite at the top of the pile, but a good contact to have
Yeah i did my bachelors at a university with a very tight alumni corp
Should see the folks who turn up for Securi-Tay though
well, any networking is good networking
If we're flexing, I've played golf with someone at director level in Citrix
I imagine many are pretty keen to speak to students as well?
The networking i can do with said alumni made the price of admission worth it
Golf. Of all the bloody sports to play 😆
if we're flexing golf i played golf with boris johnson
Golf courses are where all the business deals are made
and diners
Diners or dinners?
okay not really
diners, as in the great places to go get dinner or lunch
i was playing when he flew down and landed his helicopter on the course
and he walked by me
oops sorry bj forgot to shout four
You know it's "fore" yes?
i do now
And he bought me dinner at a steakhouse
just think of how bad that would ruin your shot to have a helicopter land at the same time you hit the ball
I've looked after his house
One better!
Mooched off his booze
I can't even make that joke in public
Muir what's the cyber sec society like up in UAD
pg13 remember
Go away
Wonderful
I'm a Scot. Swearing is quite literally an innate trait for me
The fact I don't (usually) swear in here is a minor F||👀|| miracle
I don't think I ever quite appreciated the self restraint that goes into your passive aggressive reminders to me
Apparently im secretly Welsh according to the Irish and British expats I hung out with in Berlin
Last name is spelled the Welsh way I guess
@paper lily , @distant pier , Thank you so start on Tryhackme what next? It seems everybody want to be Red but if I would like to study cyber security next year will it be better to focus on other subjects or am I going "right way". Is it learning networking/security as my first goal?
Red Teaming is an endgame goal
You start out in pentesting, which is an entirely different beast
RTs require tradecraft, stealth, and a solid understanding of the systems you're using.
Networking is absolutely a great place to start.
I studied CompSci at Uni, biggest waste of time of my life.
I wish I didn't go. Once you've got your first security certs that's all anyone cares about.
unless you want to get a visa to another country. Having a degree is a huge plus when applying for one.
a degree in computer science looks good on ur resume
Yeah but once you've got your first year in security, a little experience and a cert, nobody cares about your CV
You won't ever have to apply for a job again, you can just get jobs via your network
The amount of stuff you can learn by practicing on HTB, THM etc. in 3 years when you'd be at Uni is huge, much more valuable than a degree IMO.
tbh
Good exp on HTB / THM
Will work wonders at an org that actually understands the industry
If HR are good
I would say that depends, in the US, there is a heavy bias against those without a degree
Yup
Unfortunately degrees have just turned into a check box
There are still some good programs though. I never would have gotten into DF unless I went to school
yep, especially in the US, many people were denied their working VISA because they don't have degree.
For IT jobs, degree in computer science is best. No degree, No Visa....it's not so different in other countries. So before thinking any certs, we should go to University.
You never know when you'll happen to work abroad!🙂
Hi guys new to this looking to move into a career in cyber sec just after some info of what course is best to start ( other than try hack me)
INE course for the eJPT certificate
PTS iirc
Thanks vertey is this for complete novice to start with ?
Yes! It's for a complete beginner, starting from what is an IP address, up to pivoting or ARP spoofing
Take your time, take notes
It's completely free
Oh nice thanks mate im currently on one on future learn intro to cyber security covers basic of malware, salting, 2fa etc I will for sure check out that link and the eJPT cert
The link you have to pay for now
Nah, it's just a trick
You can get the "starter pass" for the course
That is free
Cheers mate
Yeah I plan on going to uni next year
Cool! Do your best.✨
Hello, could you kindly please elaborate on what junior blueteamer should know? I have a trouble to assess what really I need to know for entry job, so I learn everything at once, and I fall to some deep holes sometimes, haha. For now I learn networking heavily (networks, administration, but also protocols and all under the hood stuff), I know linux quite ok (but rather as a user, not administrator) and I am still expanding my knowledge (I built a cluster, etc., but I am not very sure 'where I am' really), I know basics of forensics (did Autopsy official course when it was free), and I started to learn assembly seriously. What else?
Are you a student? Then study Computer Science at first.
And write codes, deploy your own service. It's good even if a tiny service.
Maybe your server will be attacked all over the world. You can learn how to harden the Server automatically...
As for my company, if a student has such an experience, it works well.
not Tim but, entry level jobs aren't going to dive too deep into your security knowledge, it's good to know the processes but make sure you have your networking down
this is a very good room https://tryhackme.com/room/btwindowsinternals which a SOC will encounter
Thank you both. A lot! This is very helpful because I have trouble to know on what really I need to focus at first.
For Blue Team learning, check out the excellent learning Modules on TryHackMe: https://tryhackme.com/hacktivities, especially:
Threat and Vulnerability Management
Security Operations & Monitoring
Threat Emulation
Incident Response & Forensics
Malware Analysis
And the Cyber Defence learning path as a whole: https://tryhackme.com/path/outline/blueteam
Thank you a lot! It is very helpful 🙂
