#cyber-and-careers
SANS also has various programs including for women (re-entering workforce, low income)
They need to have discount programmes
No individual is gonna be payin 12k out of their own pocket lol
Yeah for sure
But I imagine their discount schemes for unemployed people aren't looking for corps to pay haha
If you are interested in Junior SOC information, I would be willing to discuss in VC at some point.
I think OSCP is probably at the right price point for individuals to be paying
yes please!
Likewise if anyone wants to chat about getting into penetration testing, specifically in the UK, I'm happy to talk.
@raw current is the resident pentesting market guru for the UK
Mans got it locked down
Just letting people know you're the with the plan when it comes to UK market for pencil testers
I'm not saying as a recruiter lol
I know.
I just mean the skills, certs you'll need etc
yes, gotta test then bics too
Recruiters know all that jazz they're the best people to talk to for it
UK wise I have some leads on junior pen test roles, just need active SC
they'll teach the rest
If you know Paul, you'll agree.
I agree with paul
Sure they know what certs are in demand, but the vast majority don't have technical knowledge
You can't self agree
oh 😦
There are a couple of really good exceptions, plenty of time for those guys
we can only do our best Hugh
Most clients use certifications as a benchmark for pentesting
And I'm not saying any different
sometimes it's because their clients need CREST
At the mid/senior level
gotta go have my tea, cya guys
Paul shall I become a tester after I get my crest
CRT / CCT?
nah, you gotta live and breathe pen testing, otherwise it's burnout time!
You'll want to change jobs after getting CRT
If you get one after CPSA
Because CPSA doesn't mean anything without CRT
nah go towards IR stuff
ewww
anyway, being summoned! Ciao
See you dude
Whatchu doing atm Nox?
I always forget CREST do blue team stuff
What
That sounds... interesting
CRT is nowhere NEAR red team capable
Even CCT isn't really
You're looking at CCSAS for Red Teaming
Yeah can't take the position until I have CRT/OSCP (customers want it)
When you say red teaming
Do you mean proper threat intelligence based exercises
Because people seem to use the term red teaming to mean anything from a nessus scan and beyond these days
black box =/= red team
I am aware.
Any regulator-led Red Teams will need a CCSAS and a CCSAM to lead and work on
CCT Inf is a pre-req for CCSAS
But anyone can do CCSAM
🤷
That does make more sense though
I know in the US they bandy 'red team' around a lot more loosely
It DOES sound a lot cooler haha
we have a physical red team and digital red team
they work in close tandem during engagements
I think physical stuff is less common here in the UK
probably because phishing is just such an easy way in
Depends on the clientele
Company I have close affiliations with do tests on NCI
CNI* even.
my company has a red team along with a blue team... and the blue team is very very broad, things from non-technical to technical... the red team and blue team work together quite a bit, red team goes in with zero knowledge, blue team separately collects knowledge and then they put their reports together (this is a US based company)
red team does internal and external stuff, blue team is only internal
(and I'm on neither team)
"red teaming" has become very much a mutable term in security
yeah but also almost every security title in my company is 'cyber security engineer'
Benefit of being a Pentester and a SOC analyst, lots of leverage when it comes to roles.
Which is commonly encompassed in a "cyber security engineer" blanket role
early in my career, I was able to play a bunch of roles, it was fun, got to explore a lot, got to take some SANS courses as part of exploration
but at some point, they decided to split team into more defined roles... when given choice of being part of the IR team or going into design/advisement, chose that. IR was fun for a while though
I am just uneasy about the pentesting market - very saturated
yeah no doubt
pentesting can be fun, but can also be overrated imo
i think its one of the more glorified roles in security unfortunately
What we are currently seeing is people using Junior SOC roles to break in, and then pivot to pentesting, leaving Mid-Senior SOC roles empty, which drives demand for them roles up as well as the salary
Most of our Juniors want to be pentesters
you want into pen test / red team in the UK? I know a guy
ha Paul always jumping in
I just imagine most of pentesting is finding easily fixable security issues and doesn't seem very intriguing to me
'oh yay another win7/win2000 system'
you mind me asking what you do Zojja, I guess it's more blue teaming stuff?
i'm an architect, so I'm in the secure design side
Zojja just explained 99.9% of pentesting
Ahh right, that sounds pretty interesting
and that is why I say it's not blue or red, if you had to put it into a bucket, it is defense
(hopefully)
"Thanks pentester for elaborating on what our vuln scanner said"
Wonder if the board will believe us now
Oh no, they are just happy they got attestation for PCI-DSS
yeah
majority of pentesting
is telling people their session timeout is too long on their webapp
and rewriting nessus outputs
that and blasting <script>alert(1)</script> into every input field you can find
Pentesting in the UK (most likely a worldwide issue) is tickbox flexing for companies due to regulatory compliance. The reports collect dust after they are done.
My old VP was the worst for it.
and it's really sad
people don't care about being secure
they care about being able to claim they're secure as a marketing strategy
or to please their regulator
it's why an exec summary just reels off lists of GDPR fines and potential compliance breaches and loss of consumer confidence
My old VP used to rip the technical part out of the reports and just go to meeting with the exec summary
and downplay it.
They soon realised when they got hit with 3 different variants of ransomware in 2-3 months they needed to take it seriously
This happens all the time. It makes more sense when seeing the details of a job description as to what level it is going to be. I think it's also good in general for this channel to hear multiple viewpoints as it broadens discussion and shows the lack of conformity and evidence of geo-locational diversity in the industry. So, thank you for contributing yours.
Anyone who did ecppt or oscp ?
A question: When we get the answer/flag, how are we supposed to submit it? Is it like tryhackme? What if I am confused between 2-4 possibilities? Can we try hit and trial?
Or we have to be exact in the first attempt ?
Please tag me if anyone answers
Thanks
I dunno about ECPPT but with OSCP you'll have access to a platform to submit them
I'm not sure how you'd end up with 2-3 possibilities on OSCP but wouldn't
I mean i was doing BOF in thm now and when i get bad chars
Alternate ones are just kind of false positives in mona
I mean ... see i am confused either my answer will be \x00\x3d\x4e\x4f or \x00\x3d\x3f\x4e So do i have the freedom to enter those 2 one by one
or I have to be sure about one ? @lofty ibex
you wouldn't be giving your bad chars
I mean if you're doing a bof you should just get a reverse shell and go from there?
once you have shell you'll find a proof.txt or user.txt
ugh got it, I thought we would have to submit bad chars
So, in each case we would have to get a reverse shell anyhow
right ?
Shell that would give you access to the proof, may not be a reverse shell
If you go read the oscp FAQ, it has info
ok thank you
nice
As a beginner with the goal of becoming a penetration tester, should I go straight for the OSCP certification? Or should I first make smaller steps, such as with CEH (because it's unfortunately very recognized in Germany), eJPT etc.? If I should do the smaller steps first, which certificates should I do (where I also learn a lot)?
Trite I'm no expert, I'm in the same boat, but I can give u some knowledge of what I have found. I started out Billy basic and learnt the theory on
https://www.futurelearn.com/courses/introduction-to-cyber-security
The course is free and gives the user a basic overview of what malware is, what http is, tcp/ip etc and is aimed at the beginner level. If u wanted to upgrade u can get a cert, it's all verified by GCHQ.
Then if you look at ine.com u can sign up for free and follow the steps for eJPT and just pay for the exam.
Then like you are now work through the beginner stuff on the try hack me website ..... this is not me saying u have to do any of the above, this is just what I have found out in my short time on here. I've started learning just in the past 3 weeks and my knowledge has gone from knowing F**k all to a small amount and I'm still learning
I'm sure others have more knowledge base than me but hope the above helps, if anyone can input more I'd be interested too
The OSCP you gain real pentest experience, CEH you gain recognition by HR staff. The choice is yours, blue or red pill Neo. I mean @clever dawn
Yes, that's right. I don't know if it's smarter: to get a junior job as soon as possible with one or two certificates, like with CEH and eJPT. Or if I should study directly for the OSCP.
Why don't you do the eJPT and then move on to OSCP?
Means you'd be doing pentesting all the way through?
The course is free for eJPT, it's just the exam, and then at least you're still gaining knowledge on the way?
@clever dawn it's rare but some companies put you through an assessment asking you to capture the flags, these host based assessments include pivoting deep into the network. I can say for sure OSCP helped me with those assessments as the OSCP labs had pivoting challenges. With CEH when I looked at the mock-up exam it was so ridiculous, a question asked which flag do you use with wireshark to perform some action... I felt CEH was more of memorizing commands and nothing practical
Yeah @split canopy I agree @clever dawn is willing to do two certs then OSCP and then choose the other one either eJPT or CEH
@clever dawn if you can do two certs why not do OSCP and one of the other certs ?
No, I think you misunderstood me. I'd do CEH / eJPT first. Along the way always do CTFs and then when I feel confident in some way and know what I'm doing then go for the OSCP. Would that make sense like that?
Or what was your path? @visual swallow
oh I see yes ok yea if you're very new to it
What is CFT ?
Exactly, the point is that I am an absolute beginner in cyber security. I have basic IT knowledge.
Capture the flag
Cheers, I'm assuming then some type of challenge, again I'm in the same boat
@clever dawn I went straight for OSCP but that's only because for a long time as a hobby I've been learning host based hacking, so I was very familiar with networking, python scripts (reading and writing my own) etc
I'd have and would like to teach myself hacking on the side, but it's just difficult from a time standpoint when you finish your high school diploma this year.
@clever dawn I'd say go for eJPT and CEH, CEH you will learn the tools used and a lot of high level stuff like what the tool does, how hackers hack and stuff
And then for the OSCP
@clever dawn yeah
eJPT < CEH < OSCP
CEH is only worth it in India
When you feel you've gained a lot of knowledge, have a look at the OSCP course syllabus; from there you would be able to see what you know and what you can learn or be familiar with, not necessarily master it
Why? In Germany, CEH is very often written as a requirement.
All our recruiters advise against getting CEH unless you're in India or want DoD jobs in the US
CEH is a meme in the cyber field
So then if you're going pwntesting route is it worth getting CompTIA certs then?
Pentesting *
That's actually also my impression that CEH is a meme. But what can I do when it is so well recognized in Germany?
Speak to Nox or Paul when they're online, he'll know A LOT more than I
Thanks
Which path would you suggest for absolute beginners? So from beginner to advanced (OSCP)
!docs free-path
It's all about certificates
(I don't really know about Germany), but I really like the way I chose: eJPT --> OSCP
Are there actually any other certificates that are on a similar level to the OSCP?
But eJPT is just to boost your confidence, you won't really gain too much from passing the cert alone
Level in what regards?
OSCP is pretty entry level
So eCPPT is kind of similar
lol Really?
Yeah
OSCP really isn't that hard, it's base knowledge and enumeration.
It's good, because you'll get to know most of the broad topics and then expand your knowledge from there
OSCP is about understanding why things work, having a broad base knowledge, being able to thoroughly enumerate, good methodology and being able to google well.
So you can see the OSCP as a kind of foundation that you can then build on in your career, for example?
Yes
The most difficult thing I find in the OSCP is the 24h. How did you feel about it?
(I'm going to take the exam in April so ask @forest knoll)
But from what I've heard it's not as bad if you are well prepared and organize your time
Take a lot of breaks and if you can sleep too
So as a conclusion, I can theoretically drop eJPT if I already have good experience, do I understand that correctly?
eJPT is a great first cert. Puts u in the mind to understand how practical cyber certs work
You can just go through the material and skip passing the exam
The knowledge you get from it is really valuable for beginners imo
My advice is always eJPT->OSCP then get certs for your country, e.g. England is CREST CPSA
eJPT was a great experience, the first "network" that I hacked into without any help
Certification for my country? How can I find out?
Ask either a recruiter or someone working in your country
/look on job offers
That is certainly a special feeling
alright
Of course it is!
How long u been doing hackingy stuff for?
OSCP is way above CPSA level btw
It's more similar to CRT
CPSA would be easy for anyone with a background in network engineering / communications I think
+1 to CEH and all of the CompTIA certs etc. being seen as a meme in the UK
They're great for demonstrating an interest and a willingness to learn, not so good at demonstrating job-readiness
What about eJPT? Is that recognized in the UK?
I first heard of it yesterday in this Discord when someone mentioned it.
It may not be recognised that much but it's a great intro to practical certs.
Remember there's a difference in doing courses as a learning experience to develop yourself, and obtaining certs to boost your CV
Aye
Any learning is good learning, it just might not speedrun any% your dream job
Would you rather your first exam be panicking over 1 machine having spent £200 or 5 machines and £1000+
It's a great learning experience
-masochism intensifies-
Make sure to practice your buffer overflows
Thanks all been a good chat to read through
@ruby remnant Weird question, do you play OSRS?
hahahaha i'm trying to
you talk exactly like my friend Hugh who is a pentester in the UK
DM me then
i used to play osrs
TFW you're bumbros irl and meet on THM
Hahaha that's amazing!
Please just kill me
Are they hard to master?
@visual swallow @forest knoll @fringe spade @ruby remnant What resources help to learn for eJPT or OSCP outside of THM? Do you have resources/books, courses
THM, HTB, the mayor's list, PortSwigger
VHL
mayor's list?
What about TCM's Practical Ethical Hacking course ? Is it good to start with? @ruby remnant @undone shore
I think so, yeah, if you're starting from 0
I personally haven't done it, I've flicked through it and it seems like a good starting point like hugh says
Do u have a link
Yeah, I've got it on udemy but haven't done much of it
So I start at 0 in the cyber sec area. But I have basic IT knowledge. Should I still take the course?
The Tiberius privesc courses are great though, if we're talking udemy stuff
So I will start with the TCM course I think and then go to the mayor's list.
also there is the THM room for tibs courses
well 2 rooms
and I know they say you don't really need programming knowledge but at about 80% done with the PWK course, I'm glad I have a solid understanding of Python
realising that the exploit is calling an invalid path or something and just being happy to change that
is a good time saver
Don't complicate it too much with eJPT, just do the INE course, take notes and complete some THM rooms
yeah Python is veryy helpful in OSCP, but fortunately you don't have to write any exploits from scratch
Don't bet on it
the labs have at least one exploit that is basically from scratch... 'fix exploit' my butt
I can't give any hints for the exam, but don't go in expecting to not have to write an exploit @fringe spade
Also, have you actually done OSCP yet? I thought you were still on PWK?
I'm just stating on what many people that have done it say
It's never actually completely from scratch, you always have something that you can base on from exploitDB or any other website, isn't it like that?
Based on the labs, I'd expect to at least be able to do bofs from scratch
Oh yeah, you'll have to do the BoF from scratch too
It still doesn't require too much of programming knowledge imo
And there are many "templates" to base on
If you end up with a broken exploitdb exploit, it is helpful, because you'd have to debug
Yeah, I agree
I've written a handful of python scripts in the past few weeks going through the pwk lab material too
That's how autorecon was created hahaha
By the way @pseudo creek, how do you prove the years of experience for CISSP?
Can ISC2 CPE Credits add up for that?
CISSP's "years of experience" is self-reported. However, it may be checked by ISC^2 if you are randomly selected for an audit.
You need to provide your boss's contact details, so I hear that sometimes ISC^2 confirms with your boss.
Thank you
I had years of experience validated by my manager
I don't recall ISC2 contacting any of my previous managers to verify work experience. That said, I had 20+ years in IT at that point and claimed the past 10 years as all InfoSec. The one that counts far more is the recommendation of an existing CISSP holder. They did contact the person who recommended me.
It's been quite a few years, not sure if it changed but when I did it, I thought I had to have my endorser fill out some sort of web form (they were a CISSP holder)
Speaking of ISC2 and CISSP. Has anyone had any issues with the "official" hours being rejected when using a learning path for a CPE?
Yes, there is a form that has to be filled out. However, they did follow up with my endorser/sponsor as well. Not an audit per se, just a few additional questions. Spot check maybe.
Maybe, I don't know if they did with me
I only know because the guy endorsing me called me and gave me some grief about it.
Good-natured that is.
Is CISSP really that hard, or is it just the amount of hours you have to work before attempting the cert?
Our org is huge on CISSP and we get far more intrusive things than ISC2 asking questions
I didn't think CISSP is hard, but none of the questions were really relevant to my job when I took it and doubt they are now given the practice questions our more junior employees share
The axiom for the CISSP is that it is "An inch deep and a mile wide". That is pretty true. It covers a LOT of subjects (8 domains to be exact; down from 10). It is also far less a technical exam than it is a management exam. Generally speaking, if you pick the technical answer over the management answer it will be wrong.
I took it when it was 10 domains
CISM ❤️
Honestly I find the CISSP to be a lot of basic concepts of security that many people don't know
I wouldn't call it hard either. I would call it expansive. There is a LOT of material you have to know in order to pass it. I tend to agree with Zojja though. I don't know that the CISSP gave me anything other than a blurb on my CV and in my email signature. It was a baseline of security concepts and that was a good thing. I did learn those concepts and can apply them to my work, but overall the real reason to get the CISSP is that it is the de facto security cert and checks a lot of boxes for HR, Management, and Fed.
At my company, basically everyone who works in security takes an internal class based loosely on CISSP and once you have a few years of experience, you are expected to take the CISSP
I agree on the CISM. It is the next logical step after CISSP and they share CPEs. Good cert to have if you need another InfoSec cert.
I would personally just stick to CISM if I am honest, less money going out, CISSP is more of a filter bypass than anything nowadays.
UK market wise
When looking at any cert to determine its value (value is subjective and depends a lot on where you are in your career), I check DICE, LinkedIn, and Indeed to see how many hits I get on a cert. In that regard, CISSP is by far the most popular security cert.
I think CISSP is "define common language in the Cybersecurity world" rather than certificate.
especially in the US.
Mainly due to businesses' lack of industry understanding from the hiring functions/processes.
So, if you just need a "security cert" to check a box then the CISSP will check more boxes. If you need it to show mastery of a specific area then you will need something more specific.
This is why I stick to consultancies and MSSP's they normally have a very good understanding of what they want.
I never see job listings in the US asking for CISM but lots ask for CISSP
Go for a commercial role or in house security teams, certifications are used as a benchmark.
I work for an in house security team
Yeah, CISM is really a Manager/Director level cert, heavily on Security Program Governance.
CISM does appear on a lot of Job descriptions around the management level
I used to work in an in house security team, the hiring process was so wrong.
I can't actually imagine being a consultant type
I like it, we can shout security at our clients and not worry about their board going NO
Ahh boo I have zero interest in management yet every time a manager role comes up, people ask me if I'm applying
The scope of the exams overlap, so how about taking both CISM and CISSP?
Not worth the outgoings.
I agree that it is overkill to get both CISSP and CISM unless your company requires it.
I would only take the certification if I require it for a role
and CISA, too.
considering I have not used my CV for a long time, I doubt I will for a while.
I'm in the process of looking at/studying for certs I don't need but I'm also ridiculous
I am getting 3 exams done this year which I don't currently need, but I want for the banter.
Same. I get an itch every 2 - 3 years to get another cert. Don't need them at all. Have more than enough covering nearly every facet of (major) IT. But I still want to get them. Hence why I am doing THM and looking at OSCP and CRTP.
I am still not convinced that I will sit the OSCP or CRTP. Neither will enhance my CV much, if at all. The CRTP is more relevant to my work as an AD Architect and probably the one I should pursue, if any. But honestly, THM paths are fun, I am getting CPEs out of it, and it is cheaper than WoW or WoT. Maybe I get to the end of the paths and decide I want to go further and get a cert. Maybe I don't. For now, I am not worrying about that.
honestly, there are so few certs that do apply to my job, it's just kind of a way of focusing on expanding horizons
I am not a pentester by title, though I wish to move to the offensive team in a Lead role
plus I went for so many years not asking for training, finally working for an org that has training dollars, it's a bit worth it
Keeps the grey matter working even if I do not need it
like I've been waiting for SANS to come out with proper cloud courses, now they are
I will never be a pentester. At best it would be an additional service to provide to a client after architecting and implementing a new AD environment. I am far more Blue Team than Red.
yeah I'll never be a pentester
but a major part of my job is threat modeling and it is useful
What does everyone think about AWS/Azure certifications?
I mean reading about stuff is good, knowing how to do it... it's fun... plus I miss scripting
I think AWS Azure certs are great
Azure certs are required if you want to work for Microsoft.
I highly recommend the AWS Solutions Architect - Associate if you are doing anything with AWS
dan, do you have any nice resources for architecting ad? I'm working my way through this atm https://activedirectorypro.com/best-practices/
i also went through some of the server 2016 mcsa but work died before i could complete it
i have an AWS cert! 🥳 I wanna do AWS developer architect
And Azure, although I've only looked into a few... I think 301 looks good
Honestly I do not. At least not offhand. I kind of fell into it. I have been working with AD since 1999 when the beta for W2K came out. So, just have years of experience that led me to doing AD full-time.
oooh i seeee
I had to design an AD architecture recently, as someone who is really not a Windows person, I read a lot of microsoft documents, listened to various videos on Pluralsight and... also did Throwback
I will look and see if I can find things that are relevant.
Thinking of today's system environment, a system without AWS doesn't exist.
For assessment and risk management, AWS knowledge is essential.... so we need an AWS cert. (I'm on the blue team in my company)
depends on if they use cloud or not
also the company
GitHub uses Azure cause Microsoft
yeah, and honestly a lot of on premise technologies are applicable to cloud
Azure is growing in popularity in the US especially due to the Jedi contract with US gov from MS but it sounds like that is getting redone
maybe AWS building a HQ right on top of the US gov had something to do with that... who knows
Zojja is right that you will look at a LOT of Microsoft documentation. Mostly it is about organizing things to be logical and secure. Deciding on company policies before you implement. As the saying goes: "Measure twice, cut once."
AWS for offloading web services/external servers. Azure if you are doing any sort of hybrid setup. Especially integrating it into AD or using O365
and once you know AWS, it's easy to translate that to Azure, there are a lot of similarities
apparently they're getting rid of azure devops as they're sticking all of it into github now
Honestly, Azure will overtake AWS in market share in the next 5 - 10 years as more large companies go hybrid. Azure can do hybrid and provide far more services to on prem than AWS can.
AWS has a hybrid option, and RedHat is also in the game but with a smaller market right now
but AWS hybrid option came later than Azures
AWS's hybrid options are lacking compared to Azure.
True. Kubernetes and GKE are coming to my company.... maybe I'll need a GCP cert, but that knowledge is also good for EKS and AKS.
It depends, if you are in the US and if your company does any work with the gov, Google is kind of hands off in that field
Let me give you an example. My current client (Gov) is moving hybrid. They are moving endpoint management up to Azure with things like Defender ATP and InTune. They are replacing a lot of on prem servers (AV and SCCM) this way and are planning to move all client email to O365 to cut out (most) on prem Exchange servers. This isn't something AWS can comparably do.
or you go with a multi cloud architecture, my company tried Azure hybrid and then nixed it
InTune will manage things like LAPS and BitLocker and you just can't do that with AWS.
then we went full on board with AWS and are dipping our toes into Azure once again
The VA is doing multi-cloud hybrid because they have to (can't favor one over the other). But it is probably 25% AWS and 75% Azure. They were in Azure first and have a lot of Microsoft MCS and PFE folks that help manage all of it.
I find it an interesting dynamic: Cloud providers try to apply platform tie-in to have companies commit to them, and corporations try to remain platform-agnostic and explore hybrid.
i can believe this github seems unique
but our dipping toes into Azure is one reason I'm gonna look at Azure 304 cert this year... I've already helped one program do a PoC on Azure
also looking at potentially the PMP cert this year but... that may be next year, mostly because our corporate architect track requires you to be well versed in PM details even if you don't PM
and my other goal was SEC 588/GCPN which will either be pushed to later this year (Nov/Dec) or next year
Zojja has plans.
I do
@pseudo creek @coarse fern Thanks, today I learned many things from the two of you.
@distant pier and thanks for throwing questions, Tim!
@pseudo creek do you have an education budget that you use for certs, or do you ask for certs and that money comes out of a different pot? A lot of jobs I've applied to have a per-person pot of £1000 so I'm curious
Hybrid deployments help me sleep better at night
so we have a bit of both... we have an individual budget and then we have a community yearly budget. Honestly what happens every year is at the end of the year they are like 'hey we have extra money' and then people scramble to ask for classes. The biggest issue in the past is they would have training budget but not travel budget. The individual budget is a budget over the lifetime of your career, so it has to be planned for... most people would use it to do a MS program... but it can be used for certs... They instituted the lifetime budget after I got my MS... and the lifetime budget could pay for over 10 SANS classes
Yeah thanks everyone, I've also learnt a lot
can you only use the lifetime budget if you agree to say 5 years of work at the company?
i'd assume so else you could just do that and get a better job with the new certs / MS
you agree to stay for 1 year after you use the lifetime budget for any class
So basically if you started your MS in 2018... finished in 2021... you would be expected to stay with the company til 2022
or else they would ask for a portion of what they paid back
Always remain friends with the person who's in charge of budget. They can make or break your project.
yes... also know who the admin assistants are and make friends with them
Yeah mostly our management takes that one vs practitioners, kind of ironic given the name
well it is their only foundational cert
I got it too, only company that cared about it was AWS lol
my friend who's a software engineer says their company is pushing all the devs to get aws stuff so i know they'd value it
I think it's better to actually have an AWS project than to have the cert, like:
My blog is hosted on AWS! It uses Terraform to set it up and is in an autoscaling group. The CDN is CloudFront, the DNS is Route53 and it's in an autoscaling group with EC2 && load balancers
^^ this is quite easy to do since there's tutorials you can just copy / paste and change it slightly 🤷 It also doesn't cost much at all, the auto-scaling probably won't kick in and with AWS free plan it might cost like 5p / month
I meant for CCP level*
Solutions Architect is a v/ good cert
Honestly generally, I recommend if someone wants a cert in AWS to get the Solutions Architect - Associate. It'll take about 3 months of study and has a higher value. I think with Bee it was a good call to go for CCP as it was a quick filler
i mean yeah deffo, projects using the technology is always good
and I will say I may be slightly biased as AWS solutions architect - associate was my first AWS cert, I went from zero knowledge/didn't work in it to certified in about 3 months
but does that cert teach the basics that the ccp would?
SA? yes for sure
yes it is CCP + more
ohh okay guess that answers that question
it goes
CCP -> Architects
I want to do Developer, Zojja did Solutions -- it's basically the same except solutions you learn about the broader AWS offerings and developer is more about programming stuff in specific offerings
The Developer is very similar to the SA-Associate but it focuses a bit more on DynamoDB, but honestly management doesn't know that and they tend to like the name
I did Developer too
You can go above architects and do their security cert too https://aws.amazon.com/certification/certified-security-specialty/
yeah that's the one i was looking at, but i would need something lower than that first
oh actually wait
do CCP then SA
I think it's cheaper as you get a discount from CCP
at least I did
interestinggg
i will be able to talk about this in more detail once i pass my stupid oscp
cause then i'm gonna focus on cloud
I might do eCPPT
I don't actually need it as I'm a SWE
but it'd be fun
and I think INE is more fun than OffSec in terms of like actual raw fun
would a web app exploitation one be more beneficial to you?
Took me like 1 week of practice for AWS CCP
I bought the Udemy practice certs for like a week and then just farmed questions and I passed it lol
Got an enterprise Udemy licence so all courses with more than like 50 students are included for free
bruh
I've been doing a bunch of them to work out which ones to suggest to our juniors
personally, I'm not a fan of the AWS security cert, it's basically a cert on their security products, which is fine but of limited use, but HR may not know that
and I took the AWS Developer associate about 6 months after I took the SA-Associate, took about 3 weeks of study
if I circle back to AWS certs again after this year, I'll be targeting their Networking cert which has the most applications I think for a security person
I still need to take Sec+. I've been sitting on a voucher for like 6 months
If it's for 501 take it before it phases out in July
https://www.linkedin.com/jobs/search/?currentJobId=2413333919&keywords=cyber security engineer @warm hinge It's happening....
Hi guys, I am looking for Penetration testers for both Austria and Germany, with good German language skills
Are you applying?
Nah, I can't read the certs they're looking for
Which one is it, multiple are coming up
CEH...in the UK
I was reading all that and then read entry level 
Entry level you have Sec+ if lucky
The certs are on the "desirable" list, so go on and apply.
@tawdry frost yup that's on my radar thank you. I'm going to schedule for end of next month
I would apply for that job if I wanted it. Worst they can say is no
That's why I sent it to u, thought u might wanna email them about it
I know u like that stuff
I've applied
Based on the research they're recruiters looking to get a quick buck out of security candidates, based on the other jobs they have, I would avoid personally
If you're looking for a cybersecurity role in the UK, stick to the recruiters well embedded in the industry
It's pretty silly that a lot of recruiters don't have any idea about the field. I think of the ones that have reached out to me only handful have had any technical knowledge themselves.
You get a good idea who are the good guys and bad guys in recruitment
The big corps often seem to have their recruiters use checklists when doing the initial vetting.
I prefer going through third party recruiters personally rather than internal departments. It's hit and miss from my personal experience
I've had both external and internal ones reach out to me. I've a senior enough title for them to try and headhunt ๐
That reminds me, I should really update my CV once more. Haven't done that in a while. Perhaps I'll do it as a website this time.
yes
I recruit for the Penetration tester positions within Germany, and I do speak with a lot of consultants, and thus have an understanding about the requirements, and if I don't have a role that is not in line with the direction of the candidate, I always tell them that and go back to them when I do have a good role, along with that they are truly looking for
Good hiring starts with the Hiring Manager conveying clearly what type of candidate they see as a good fit, and what is not, to an internal recruiter or a recruiting agency. Furthermore, what specific skillset is needed for a successful candidate. Can't blame it all on the recruiter not being technically proficient.
I can recommend two good UK recruiters to anyone looking
Can anyone recommend recruiters in Australia?
Ricki Burke and Mitchell Carter
Two very good guys, very well connected in Australia's InfoSec/Cyber world.
Thank you
Example of a good (Sarcasm) JD
Can you elaborate?
Entry Level SOC analyst - with unrelated certifications and some very hard to get certifications in regards to affordability.
Entry level jobs wanting certs is something I'm used to seeing now
Sec+ aint that expensive
Sec+ I agree on, OSCP? nope.
90% of job offers here want entry level jobs with "3 years of experience, OSCP, CEH, Sec+ and a pay of $700-100"
SANS? nope. people can barely afford it
I see the first line as "some security related certification"
^
i imagine they'd interview anyone who has a cs or related degree and just a small interest in security
Some of the other lines below that are more suspicious. SANS, as Nox said. And that vague "knowledge of standards and frameworks"
I interview people without any certs
SEC-503/504 probably means competency in Incident Response and Incident Handling, that's what those two courses are about. It's just weird to not mention IR and IH instead of 7000 dollar courses. I read the whole skillset requirement as: experience in Security, IR and IH, Splunk SIEM, Cloud platforms, and Networking.
Experience in obtaining meme certs (CEH)
If you have all those Certs, you are not entry level
that's debatable, just because someone has certs doesn't mean they have real world experience
for example, at my old job, this guy was 18 and had two SANS certs (which he achieved by some scheme during his A-levels)
but was still a junior soc analyst because this was his first job in security, even though by his certs you might assume he's higher
By the time I exit uni, I intend to have OSCE^3 -- or at least OSEP and OSWE (two certs with "Experienced" and "Expert" in the name respectively). I'd sure as heck not be applying for anything other than junior jobs
I am basing my concept on the UK job markets, for SOC analysts.
me too :)
When I was a Hiring Manager, I always had to fight with HR to get accurate job descriptions, and even then it could be the case that you'd end up with awkward pieces in there like the one posted above has. It's a constant battle to explain to non-technical people how it is representative of the actual job and skill required.
The expectations on that JD are beyond entry level SOC
how come hiring managers don't write the job descriptions?
I have entry level SOC analysts on my team, they are still learning the fundamentals.
They do, the issue is, they have to be "Approved"
dumb question but is it just organizational hierarchy that prevented you from writing the spec yourself?
you're going for all the offsec certs before you've left uni? that'd be impressive
Which normally means, throw random acronyms in and certs.
HR or the recruitment function
That's the plan. No way I'd have OSEE though
ohh
I wonder how many people have OSEE
I had to get one of my JDs pulled down before they put CISSP on there for a T1 role
Had to explain to them that full CISSP requires 5 years relevant xp in one or more of the 8 domains
It depends on the corporate culture. If HR has an upper hand in wanting to career-level the descriptions across the board, the JDs becomes watered down. Mostly politics as to who gets to approve/has the final say.
^
I have had lots of candidates that I have wanted to say yes to, but HR say no due to the certs etc.
The first ever job I was hiring for, I was not allowed to say yes or no, it was a joint decision
HR and Security had to agree
yeah thankfully my boss basically had carte blanche to hire me, because on paper I didn't have crap besides A+
It is strange, bigger businesses are so much worse
In India, we don't complete formal education till we are 21-23
India are really strict on higher education too?
yeah! I am in 11th trying to cope between studies and hacking... And India is still very much backward in IT stuff compared with other countries, exactly the reason why I fear not getting a job
but yeah, it's up to you if you want to drop out after 10th or 12th but most companies want graduates
@warm hinge
Thought so, Saw a few JDs over there before and it feels like HE is compulsory for jobs :/
I hope by the time I am ready for a job, India prospers in regards to IT stuff
yeah it is, and mostly interviewers only come to expensive private colleges
btw what's your occupation? @warm hinge
SOC T2 Lead
My friend wants to do blue team IR UK, best certs she should do?
is a PhD student so has more money than ur avg student but also not corp level moniez
Practitioner level is only £275 + VAT
I believe you need CRIA to work in an incident response capacity at an NCSC approved CIR provider
@rugged sable Hope that helps
Hi all I just want to say a huge thank you to this forum and for the support and information you guys share.
tyyyy @ruby remnant!
Adding to @ruby remnant - I think the best question would be, what industry? Government, private or public
While CREST is recognised heavily by government and private (and supporting third parties such as MSSPs), a large portion of jobs (public/commercial) don't recognise it as much as they should and lean more towards CompTIA/CCNA.
I would also add, build the network within the cyber community, normally a good way to get round any filters
@warm hinge she joined Cyber Job Hunting so I'd say networking might be good, but yeah, unlikely Government due to her predisposition of enjoying all the things that SC doesn't allow
CySA+ is a very good cert imo
not taken it but briefly been over the syllabus and friends said they really enjoyed it and it helped them
Blue Team and practical to me tends to lead towards CRTP since they cover Red and Blue Teaming and it is around Windows/AD. All fairly practical. More practitioner than manager/theory though.
Although, the whole Certified Red Team Professional doesn't scream Blue Team.
Would y'all go for CCNA or Sec+
Depends on what career path you want to take. Cisco and Security are both good HR buzzwords. If you want to get into InfoSec, then Sec+. If you want to get into Network then CCNA. Otherwise, both are good complementary certs for other fields, but only if you have a certification that is "primary" for the field you are in. If you are just starting out in your career and trying to get your first job, then Sec+. Mostly because it is easier and "security" applies to almost all IT fields.
If you decide on CCNA:
https://learningnetwork.cisco.com/s/cisco-certifications-and-training-offers
Personally I would do sec+ and then CCNA as a value add
good thing, last day to book is April 1st
For 501?
That's what I thought. July for 501
Do you have to take Cisco before the 1st for the 50% or can you buy a half off voucher?
Schedule before April 1st, take before May 16th
thats what I'm thinking
the link up above has the relevant details
Whoops missed that. Sorry
no worries!
Has anyone taken the new exam? How heavy is subnetting on it?
My college networking class was based on the last exam
new exam ?
What about after that?
When it comes to certifications, the best thing to do is look at 10-20 job descriptions in your area and within your desired job role and see which ones crop up the most, that's normally good way to see which ones the industry favours in your area.
Certifications hold different weight in different regions, so it's good to do preliminary research before venturing onto certifications.
I would not bank all your effort on certifications as building your network within the security community is just as important, helps you bypass filters and get access to jobs not commonly advertised
it's good to research to find out if the certification is or isn't relevant to your chosen path, once you've broken into the industry, go wild
So much this ^
Like many things in life, it's not what you know, it's who you know
Message people on Twitter, add people on LinkedIn, just chat to folk
One person from your network saying to their boss "Hey, I know this gal, I think she'd be a good fit" is so much more powerful than spamming job applications
Current Cyber Sec student. Anyone take/taken Tactical Perimeter Defense?
yup throughout the years, I've used job descriptions to figure out what I need to work on
are the cyber security certifications valid in the EU? Or do I have to get different ones? Thanks
I took it at the beginning of the month, subnetting was strong on there along with IPv4 and IPv6 routing
definitely make sure to do loads of hands on stuff through packet tracer or equipment
Anyone in Australia? What certs would you recommend a uni student? (Last year)
I'm already doing CCNA
But anything besides that?
I'm trying to get into SOC Analyst roles
NoxCyber was pretty knowledgeable about that field, he's left the server now
but I'm sure if you message him really nicely, he'll be able to give you some basic pointers @cosmic topaz, he also mentioned some Australian recruiters in this channel a little bit ago
so you could always try contacting them in a friendly way if no one here can help
I'll repeat what NoxCyber said: search for job postings in your area and check what certs tick the boxes for these companies
I wouldn't recommend DMing someone without asking them first, personally I hate receiving DMs out of the blue, even really nice ones
He's not on this server anymore to ask him but anyway, I decided not to and do my own research. Thanks duderss
He has specifically said he is fine and encourages people to reach out
Just as an FYI, NoxCyber is still on the HTB Discord. Just in case someone wanted to talk to him in a channel setting and not through DM.
You can always just join Nox's Discord https://discord.gg/j7deFA7m
Mods delete if u dont like me sharing discord links :))
idk if Nox's one counts
^^ Dark approved don't delete
I have zero authority lol
Yeah, I've been putting off upgrading from 6.0.0 for too long anyway since it's a huge pain, but now I definitely need to
For transparency, that is Jobs/Technical Cyber Solutions' discord @raw current
but Nox is very active there
Hey there, I'm a Software Engineer with 5 years of professional experience transitioning to Cyber Security career, I recently subscribed to TryHackMe and started taking the path of Complete Beginner (making sure I don't miss any basics within CyberSec). Any tips or advice from people who were on the same shoes as me before? What kind of certs do I need to start a job in CyberSec field?
Sec+ is always a good start, when trying to transition to cyber security
It's a fundamental cert and as you have 5 years experience in software engineering then you should be able to pass it easily
I am not sure but ejpt would be good too
I went from a network engineer to a network security engineer. So not quite the same but basically, looking at jobs that leverage your current knowledge is good unless you want out of development completely. I would look at application security engineer or cyber tools development.
Best way is to look at job listings in your area and see what they are looking for. Sec+ is a good step generally
Gotta do some quick revision, I literally forgot some stuff over the course of my 5 year tenure lol
Thanks guys, I'll prepare myself for getting Sec+
The overall "best" (most sought after by HR/Recruiters/Companies) is the CISSP. Second is probably Security+. I don't know that you would qualify for the CISSP so Sec+ is probably a good first step. It's a baseline certification that will help get in the door.
Yeah CISSP requires time in industry
You can take the test anytime I believe
One of my professors wrote the first CISSP exam
I think it really depends, in the US, CISSP is definitely a strong certification, but it's not an entry level certification. Also if you are going for a specialized technical role (penetration tester, reverse engineer, etc) a CISSP is more of a nice to have and other certs would be useful
For those coming from other corp environments, CISSP is a lot like the cybersec version of a PMP
but also want to point out, the person was asking about breaking into cyber..
Maybe in the long run I'll get CISSP, this certification looks like you need experience and ample time in the industry before qualifying.
I did some research on certifications, some caught my attention - specifically certificates from Offensive Security, although this looks like I need ample experience to at least qualify.
you need knowledge, not necessarily work experience
this is also a good reference, TryHackMe can help you in many of these areas https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md
Security+ is a great breakthrough cert in my opinion. It certainly would have helped if I had had the cert while job hunting. If you're in the US, and want to work gov sector, look into the 8570 certification requirements as certain jobs require those
(Sec+ meets some level of 8570)
You know you can pass CISSP and get the "associate" and work a few years in the field and it becomes the full certification. Right?
But honestly Sec+ is a better breakthrough cert
Agreed
Do I need a bachelor's degree to get a job in cyber domain?
Depends. It doesn't hurt and it's a requirement for some positions/places of work
Thank you, I'll pin this
This link https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md specifically mentioned a degree is not needed, but if you need to get a degree, get Computer Science
If you're looking for a c-suite role, CISSP is fine. If you're wanting to work in offensive security / pentesting, it'll get laughed at.
Absolutely NOT! It can certainly help in some places, but most decent organisations will hire you based on your skillset and aptitude, degree or no degree. I wish I didn't waste my time at Uni. Half of my team don't have degrees. Heck, one of our best testers is here on an apprenticeship.
That is not true in the US. Many companies will expect to have a number of people with the CISSP including pentesters/red teamers.
I'm not sure of the numbers right now but my company heavily encourages CISSP for mid to senior level cyber positions. Its probably about 50% of our non managers that are above junior level have it
Wow, really?
yup
Is this cyber generalists or pentesters?
all roles
I know our generalists are advised to chase CISSP.
Not sure there's a whole load of value in it for technical people.
we employ thousands of cyber professionals, red teamers/pentesters is closer to about 100
but the red teamers I know have it
nope
just a large corporation that values cyber
I'm gonna start my AWS Solutions Architect prep today
Good luck and have fun!
SAA-C01 or SAA-C02?
i have no idea
the platform I'm learning from doesn't mention there's different types
I need to get started on my AWS stuff as well.
C02 was released in March 2020, so it will likely be that one. Are you going for Solutions Architect Associate?
ahh
it's C02
AWS Solutions Architect - Associate (SAA-C02) Certification Preparation for AWS
Sounds like fun to learn.
@distant pier THM SAA-C02 study group?
I have to do others first, like CLF-C01
From what you said, it looks like CISSP is for people wanting to move up the ladder to become a manager (middle to c-level), I don't think it's advisable for people only starting in cyber security field, correct?
I'm considered C-level at my current company right now but I don't think I'd be confident to even become a manager in a different field and without field experience
In my mind, it's a cert for 'non technical' cyber people.
It's more holistic, looking at the business as a whole etc.
that's what I thought too, maybe after 5 years in the field, I might take it
but for now i would want to enjoy "grunt work"
for moving into cyber, sec+ is 100% the cert to go for. at my old place (an mssp), they were pushing everyone to have it (even sales, hr etc), from there you can decide which path you wanna take since it covers most if not all areas of security
You got this Bee!
Arkin, if you are in the UK, it sounds like the CISSP is more for management, in the US it expands beyond that
Huh weird I thought it was management everywhere
and how I view the CISSP is knowing the basics of Cyber Security, but yes you want to at least have a few years experience before getting the CISSP
I thought this too, but was advised otherwise earlier.
It seems it is in the UK
nah, In the US, CISSP is pretty much a standard for mid/senior level cyber people
my husband's job is more technical than mine and they still emphasize CISSP for everyone (he is a reverse engineer)
You're confident it's the same across the country, and not just your organisation?
I'm confident it is the same across organizations that do any support for the US government
(which is a huge list)
I seeeeeeeee. So it's the government who value it.
yeah and that whole 8250 that elevates the CEH
I will say that I also don't work on gov contracts, mostly people who work on gov contracts (within my company) are versed on Comptia certs, no one I work with has Comptia certs
so thoughts... putting a personality test on a resume? showing you have initiative etc, like "verifying" in a creative way that you fit the role
Honestly... I'd say no
yeah I've done them for work before
that's like putting your zodiac sign on your resume, it's kinda weird
"sorry we don't hire Aries in this company"
the one I did for work actually had other people rate you
mmm interesting
which was really weird, but personality tests are largely perception of yourself (other than ones where other people rate you)
so maybe just linkedin link and have people endorse you there
thanks all
always good to get a second and third perspective
linkedin endorsements are kinda sad i think, it's basically just "i'll pat your back if you pat mine"
so what would you recommend for the personality part ie the fit
because all else can be added skills, certs etc but i think personality is crucial too
show it in the interview?
I was also told about this. Sec+ is my first certification goal.
I just endorsed you as a highly skilled helicopter pilot
I see, so there's a significant difference in how CISSP is being viewed from other countries. I'm in Southeast Asia btw, so it might be very different here
ahh ok yeah, definitely look at job listings in your region
Heh, I just saw a job ad in linkedin looking for someone with solid experience in object oriented programming languages like Java, C/C++ or Golang
It's kind of silly. Some parts of that look like it'd be a good opportunity for someone wanting to relocate to Norway, but as if the recruiter didn't know anything about what they're looking for
Maybe theyre looking for a one man team 
Is getting into cyber through a government agency a good idea? 
Yes
sure
still is cyber
you probably won't be paid as well but you'll gain a bunch of super useful things:
- security clearance
- knowledge of government stuff (compliance in other companies will be easier)
- cool tech (depending on the job)
- unique perspective, you'll have a lot more regulations to follow regarding data && what services you can use etc
The job sounds cool and salary seems good
go right ahead!
I'm doing gov helpdesk right now and I can say it's a lot of proprietary systems and regulations to adhere to. No complaints tho
what country?
i want to specifically try get into https://asio.gov.au
So, this is US specific, but a security clearance is HUUUUUGE in getting some high-paying jobs in private sector
if you can come in with a TS, that opens up tons of lucrative opportunities
lol
no company wants to pay to adjudicate a clearance and have you sit around doing basically nothing while they interview all your neighbors and crap
(secret is less useful, since that's comparatively easier to adjudicate, but still very helpful if you can get it from gov before going private)
100% agree with polarbear. Getting a public trust isn't a big deal for a project, but if you want to work in DoD getting that TS or TS/SCI is a huge benefit to you.
TS/SCI clears 6 figures easy
Private sector wise. Actual Gov you'd have to be above a GS11 probably
Yeah pre covid the graduating class in front of me were getting multiple 6 figure offers from private sector. Now 30% of my graduating class is still unemployed
Not professional experience.
Would it be even worth to put on a resume then
It shows an interest outside of work and school.
I'd mention it but not as experience
Unless you were a commissioned creator or something, because that's work.
I'd put it in projects or extracurriculars if you have either category
if you don't have work experience, some people put "cyber experience" or similar
or personal development
I see, okay cool thank you all
So I'd have to personally build my own labs for "experience" then? I'm confused on how that works exactly, which is why
Still not professional experience
If you were paid by THM to make rooms, then I'd count it.
I'm sometimes paid by THM to make rooms.
experience is actually working and getting paid (also internships)
For example bug bounty is just about the bare minimum you can squeeze in terms of "experience"
I mean if I'm being pedantic then I'd include volunteering at a nonprofit
it's probably best not to include too many sections though, especially if they only have one thing within them
I would separate out volunteering into the extracurricular activity category
I do school, work experience, projects, extracurricular
Thanks to Awesome CV it all fits lol
I understand. So what would be the difference between at home projects and labs? Are they essentially the same thing regarding the experience "level" or is one weighted more than the other?
I was speaking to my professor and he told me that the projects we do are considered job experience, but they are literally just labs so I am confused
normal labs*
In my projects I have my senior practicum and my homelab
Each given space to explain why they are relevant
Extracurricular doesn't always make it onto the resume. I write a new resume for every application
what would you consider your "homelab" to be? just projects that you've done / created?
trying to forge this resume but I dont have that much experience lol
You know they're gonna find you out.
Lean into it. Be honest. Show your passion projects and the fact you do this outside of work.
Homelab is just that, a Homelab. I give some broad examples on the resume and then give in depth answers during the interview
Forging a resume is the worst thing you can do. Recruiters and companies talk and generally blackball those who entirely forge their resumes
oh snap I didn't know "forging a resume" means to lie on it I just meant to make it myself while being 100% truthful LOL my bad
alright then I understand, thank u guys
I am so fed up of balancing between formal education and my own way (cyber sec), formal education won't get me a job but still it matters, I am just depressed || (sorry for spam) || I just wanted to write it out so I did, if you think it's spam, do delete it
I think you're not the only one who is annoyed by classic education and prefers to learn by yourself, but that's the world we're living in, at some point it will end and you'll finally be free (lol). Also formal education can give you knowledge that will be useful later although you would never have studied it by yourself.
some point is more than 5 years ahead 
I did a quick search and their own site doesn't seem to show what the certificate is for. My guess is it is a certificate of completion? Personally, self directed learning is a great attribute in a potential employee. The problem is that the person who takes serious notes, does a ton of steps, research, etc. and the person who just watches videos and doesn't retain anything will both get a certificate of completion.
I don't know anything about the quality of LinkedIn Learning other than it might've used to be Lynda.com (which was pretty decent). If it helps you learn a topic, it could be good but the value of a certificate of completion is pretty low in general. I'd consider those supplemental to certifications and formal education.
Some of the LinkedIn learning certs are shown to others. You have to go out of the way to take those exams and they are shown to employers once you have applied to a position
At least that's what I got out of LinkedIn when it repeatedly asked for me to take them
Are you talking about the certs or the end of course exams?
oh those you have to share on your profile yourself I believe
There is a thing called knowledge assessment exams or something
And they are shared with an employer upon application
Again the video course or the knowledge exam? They are two separate entities
also I would caution you not to lie on a resume, don't put a cert if you don't have it. You could mention a course if you like but they are not going to have much weight
Zojja I'm not crazy right? Or am I a beta tester for a feature lol
and LinkedIn learning says its $29/month?
for LinkedIn? I don't know
LinkedIn learning comes with premium
Which was probably $30 when I last paid for it. I don't remember
yeah it says it starts at $30
Ahh found it: https://www.linkedin.com/help/linkedin/answer/94427/linkedin-skill-assessments?lang=en
sec+ is a solid cert to get
I don't pay for LinkedIn and recruiters check my profile and i get notified
if you want to pay $29/month for LinkedIn Learning, that's up to you, but honestly I would say there are cheaper/free resources out there
ok if you are happy with your progress then go for it
it obviously depends where you live, but people talk about HR filters; the hiring managers will look at your resume and compare it against other candidates, and if someone has a Sec+ and someone took a Sec+ course, the person who has the Sec+ would be looked at more favourably
Like I said, if you are happy with your method, go for it... and senior level people really don't need certs, it's really the juniors that do
I'm going to be having an interview in a little under a month for an OCO position (it's a training pipeline), I currently have very little experience in the field (doing the offensive path on THM) is there anything else I could do to complement this and make myself more attractive during the interview?
setting up a home lab has been very well received on my end :)
Yeah I was going to suggest that. In the interviews that I have had they either asked A. What's a homelab, or B. What services are you running. In both cases they lead to long conversations about said topic
If it is gov they really aren't going to care what you bring as long as you are competent and can learn. The pipeline will take care of everything you need to know. Prior knowledge is just a plus
But yeah i would recommend continuing THM, building out a small homelab, and maybe trying some HTB rooms with no help using the knowledge you learned from THM. With the Homelab I wouldn't necessarily focus it on hacking.
Yes, I can go several routes but I'm interested in the OCO route to which I have to apply
Alright cool. Do you mind saying what office? If not you can pm me
I actually got my HTB key today
Do I need any kind of certifications to get a job as a Penetration Tester? (SWE transitioning to CyberSec)
I am planning to get Security+ sometime later this year
pentest+
it's a good cert, also the cheapest
but you need 3-4 years of experience, or that's recommended.
@terse stone
kinda bit overkill specially for someone wanting to start without prior experiences
Usually entry to pentesting depends on country, but OSCP tends to be deemed an introductory baseline cert; in America, Pentest+/CEH if you're looking for government clearance.
Full-on pentesting typically seems to be seen as a more advanced role, so coming in with certs and no infosec-specific experience might be tough. This varies by market, but there seem to be pretty few entry level pentesting positions aside from internships.
I see, so what would be a good entry-level job for someone like me who's transitioning from SWE to CyberSec roles
Definitely doable in the UK.
Okay, so according to CyberSeek.org, those who have experience with software development can get a CyberSec Analyst or VAPT role (mid-level).
sounds okay to me
What country you looking at?
Looks like CyberSeek.org based its data on US companies
A granular snapshot of demand and supply data for cybersecurity jobs at the state and metro area levels
Oh right right, my bad. I'm looking for a job in my home country but working in the US or UK would also be a great option.
Right, and which country would your home country be?
The best advice varies hugely from country to country.
Philippines
Oo nice.
I believe that in southeast Asia, the Certified Ethical Hacker certification is reasonably well valued.
I see, then it would be logical for me to aim to get CEH certification after I get my Security+ this year
I think that sounds like a pretty good plan. Best of luck!
Thanks Hugh!
General rule of thumb is that Pentest+ and CEH do not hold value; however, CEH does hold value in the Asia region.
And also in the US, for DoD, although PT+ ticks the same box
Ironically - DoD jobs are some of the lowest paying in the US, but most secure in terms of stability
It's the companies that work with the DoD, they like you ticking those boxes
I was going to go for a DoD role post forces to migrate to the US, ended up going for LHM in the UK with intentions of moving
My honest advice is don't worry about DoD type roles, they're not that common in the grand scheme of things - security+ and OSCP will suffice for the level of DoD compliance required
Or go all out and get CISSP Associate and never have to worry about DoD compliance again.
Anyone aware of any certificates which hold some regard in the Australian CyberSec industry (Any sector, gov, private. etc)? Looking to pick something up in addition to Uni studies.
look at job postings
I heard the eCPPTv2 has a lot of value in Australia and Europe; also check LinkedIn to get a basic idea of what recruiters want.
More often than not people mention direct experience with technologies, or esoteric skills which normally wouldn't be conditionally measured, rather than listing even one or two certifications. Thank you for the input though.
I'll take a look into the eCPPTv2. LinkedIn is a place I should have looked already, but I forwent it and went to typical job boards instead for AU. Thank you for your input.
No problem, and I see you're a man of culture, Majima-san.
I've only played through 0-Kiwami 2, but the character is too damn legendary to not use him for some sort of a DP.
I posted about a podcast a few days ago, and forgot to say this:
Cyber Work Podcast
https://www.infosecinstitute.com/podcast/
Every week you can listen to infosec people's talks. I think it's good for this room's people to listen to....
Would recommend the other games, they are super good, especially with Game Pass they are a steal.
Can anyone vouch for eLearnSecurity's Certified Malware Analysis Professional certification? I'm trying to figure out what to move on to next.
It's either that or Security Blue Team Level 1.
Anyone here know about the CompTIA A+ examination?
I really need help
a few people here have taken the exam, what do you need help with?
(if it's a technical question about some of the content i suggest moving over to #infosec-general)
I wanted to know what kind of exam it is. There are two cores, 200-1001 and 1002. Do both cores come in at $130, or is it a separate payment for each core?
Each "core" focuses on different areas. Core 1 will deal with hardware/troubleshooting, for example. I would just google the objectives. You do need to pay for two separate vouchers for Core 1 and 2. Do you have to take both at the same time? No.
Ohhhh okay
My recommendation. Take each exam separately
Yes, I'll take both exams separately.
Cool!
I can't exactly vouch for that course specifically, but I have done a few courses from eLearn and am doing some now, and their courses are fantastic to learn from.
I'd say BTL1 is a better cert; it seems to be more foundational. Malware analysis is something you could move onto after BTL1, as that is a specialized area. As a whole though, I vouch for the INE platform and would say it's a pretty decent platform if you get the pass with labs.
Thank you both
BTL1 does make sense to do first, so I'll work through that and then progress on towards eLearning.
Shame all of the test centers are closed here, I just want to sit my CISSP.
Hey, I want to be a pentester in the future, but even with my research I still can't find where I can become one. I don't know if I need a school, or if it's just a training path like TryHackMe. I'm a little bit lost with all of that; moreover, I don't know if I just need to go to a cybersecurity school and then do a training course at home. If anyone has some help ^^
(I know there are a lot of certificates though.)
This is gonna depend on what country you live in partly, but basically most people's path is: some sort of entry level job in IT (IT help desk for instance, junior network analyst, jr sysadmin) -> junior level security position (jr SOC analyst for instance) -> jr pentester.
Everyone's path is different though, and how do you get the entry level positions in the first place? Usually certs. Whether a college degree is required/recommended seems to vary by country. In the US, it's common for people to have a BS in Computer Science, but that is not the only path. Some have military experience, some people have other paths.
Yeah, I'm in France. I don't know if I'm just gonna do a training course at home or a school. Ahh, it's hard. Thanks anyway.
Hey quick question,
Any tips on setting up a LinkedIn if I'm not currently working in IT or cybersec?
I have completed my eJPT and am currently doing my eCPPT.
Should I be looking for a help desk position?
Or is it necessary to start with a help desk position?
anyone recommend CNSS from ISCI as a beginner level network security cert?
Help desk is a great way to get your foot in the door into IT; you could look at some junior SOC analyst positions too. Generally, see what positions in your area are asking for in terms of skills/certs.
Yeah, I have seen a few help desk jobs, will look into SOC analyst as well.
The thing is, a lot of those jobs want A+, which I don't have, and I'm already studying full time for the eCPPT right now.
I remember The Cyber Mentor saying to not worry too much about the job requirements.
Yeah, but they can be a guideline to follow. I would apply to a job if you feel that you mostly qualify.
I really have a passion for all things IT and I really want to get out of the dead end job I currently have.
I'm really loving my eCPPT and don't really want to put that on hold to go and get my A+ though.
err sorry I stated that wrong
Basically, if you see a job is asking for a CCNA (for example), then I'd look at going for CCNA. A+ seems like it is a raw basics cert, so I'd apply to jobs asking for it.
If you end up not getting those jobs though... then maybe consider it, it could be a quick cert.
OK, makes sense. I mean, I really want to get my foot in the door with something! I have a massive passion that I need to follow.
I can't work retail or hospitality anymore!
I will try my luck at applying and maybe get an interview at least.
Just need that foot in the door!
Free Azure cert(s) if you attend Ignite today btw
@proper barn
maybe @pseudo creek ?
yeah I forgot, I signed up but they didn't email me or I was lazy to check
challenge for the cert
I know az900 is on the list
that's it haha
if they have SC-200 I might as well do it, AZ-900 is basically AWS CCP but for azure haha
so do they provide learning resources for it as well?
They have a lot of stuff on their website though.
I don't have faith in my winging abilities
SC-200 is on the list
For AZ-900 there's like a 10 hour YouTube video you can watch.
@pseudo creek where's the list?
az-900 isn't there though
that doesn't look bad, I found this which helps explain the Azure paths https://www.whizlabs.com/blog/wp-content/uploads/2019/01/azure-certification-path-2020.jpg
what is this ?
Free cert attempt if you do something during Microsoft's online Ignite conference.
There is a free learning path in their website
yeah I think I'll do that one
Thanks for the heads up
AZ-104 would be nice to have
Hi, I have a BSc IT degree, and I have worked for 1 year as a technical support engineer. Now I am pursuing Certified Network Defender and thinking of going for CEH also. I have zero knowledge of programming. My dream is to be a hacker and explore the bug bounty field as well. Can anyone help me with what I should do?
I swear they make it free once a year or so. Grab it then.
I probably wouldn't have paid for it tbh.
Yeah, I think I've got the free course
but I've just read something about them removing it from their courses
It's just to buy the actual certification attempt, it's around £75, and I don't know if that's worth it on any of their courses?
Pretty sure the exam was free with a voucher as well
It wasn't hard, so I doubt it's valuable
We did it in like 30 minutes without studying the content lol
ahh right, makes sense
The one I've got you have to pay £50 for, the CNSS.
But I also got CESS? I think it's Certified Ethical Hacking Essentials.
And that's like a £75 exam fee.
SSDD
If it's not a proctored exam, it's probably not worth getting tbh
It's hard for HR / hiring managers to put faith in a cert that is easily cheatable
CEH might not be the best option for a cert, depending on what country you're in.
Does anyone have any advice on whether certificates are more useful than a degree when trying to find a career in pentesting
Certificates are useful, but degrees are much harder to get
In my personal experience my degree is worthless, but I'd say that certs and a degree are a killer combo.
It's gonna depend where you are
If you're going degree vs certificate, just get a degree; it's harder to get than certs.
A lot of the job adverts I look at ask for (degree OR experience)+Cert
Degrees are very nice to have too; they set you up for life, whereas a cert will only help you in infosec.
If you did a compsci degree you could just as easily go into programming as you could infosec; can't do that with OSCP.
A degree will only be useful for your first 1 to 3 jobs (it's a way to get an interview without having job experience). Once you have 3+ years of experience that will count as much/more than the degree. A degree will also help if you want to move in to management at some companies (not all care about degrees). Higher management levels (again, at some places) will require an advanced degree.
Overall, I think the ROI on a degree is generally negative when it comes to the IT professions. For other professions it may be mandatory (arguably not useful, but it is a legacy barrier of entry).
Also depends on cost of the degree though. If you aren't paying tuition/fees and getting a "free" education then the only cost is your time which probably has a very low cost early on in life/career.
That's gonna depend where you are as well
To a certain extent, sure. That said, IT is such a new profession and the beginnings of IT were filled with a lot of people without degrees. It is far more accepted to not have a degree in IT.
To a certain extent, sure. Entirely. The way student loans are paid back in the UK means that it's effectively a graduate tax; the ROI ain't gonna be negative.
In the US, the idea that a degree is a negative ROI in the tech sector is definitely false.
I have friends and coworkers both with and without degrees, and those without struggle with upwards mobility and are also paid less despite having the same job, because there are different payscales for degrees and no degrees