#cyber-and-careers
👀You couldn't even put it on your LinkedIn so not surprised.
Ah by the way. Has using a logo in place of a real picture affected you in any way? Asking for myself.
Yep
Nah, although anonymity doesn't last forever
A logo is a lot more iconic than your face -- look at Dark: he's built an entire brand around his resistor
Diode
Resistance is futile
That was a good one.
That's what I thought too but...when a CISO tells you that you should change it to a real picture...
You thank them for the suggestion 🤷♂️
Gave +1 Rep to @stuck rover
I'm still not gonna do it though. I'm that type of person.
Ez rep
I did.
Still not gonna change it anytime soon though.
I use my avatar on zoom calls with Execs on a daily basis
Used to have Hackerman from Kung Fury but people actually thought it was me, so I just use my avatar. It's memorable and has helped people connect my JIRA/Git work to me better than just a name
Yea I've thought about it a few times but I just can't jump that hurdle yet.
I am having a kick-off meeting for my first ever pentest tomorrow. I will be testing the authentication for a few web apps. I've been trying to think of some good questions to ask the client tomorrow, but I am blanking. I was wondering if anyone has some good questions in mind that would be helpful for me to get some useful info from the client?
What is a good host to start a blog, what do you recommend?
I kinda do this but I make sure my life's segmented so it's hard to relate the real "me" to my pseudonyms.
Medium.
Or you could create a static page and host it free with github pages.
Amazing! I can't exactly help you there but looking at the OWASP testing cheatsheet and triaging from there is a good idea.
I should really watch Kung Fury. Hackerman has glorious hair.
You mean you don't turn on your camera?
Is the free option good on its own, or you should subscribe to it?
You don't need to sub for writing. Just reading stories.
so basically if i don't subscribe no one can access what i write there?
No, no.
Absolutely do not use medium for infosec stuff. They have a nasty habit of arbitrarily deleting it all...
Something something ToS providing hacking instructions
They have a system where each reader can access member only stories twice per month without being prompted to subscribe. As long as you disable that option then everyone can read your stuff as much as they want.
Interesting. I see many "pros" using it despite that. Maybe they haven't got to them yet?
Off the top of my head, Tiberius and Vickie Li but they also have personal blogs.
🤷♂️
I started out using it. Someone reported my AoC2019 writeup for containing hacking content, and the entire account got removed.
By that point I had already moved everything to my own blog, so I just shrugged and moved on, but I would not recommend using it for anything hacking related.
I guess I'll have to work on my own blog sooner than expected then.
To Github pages!
They're both also webapp pentesters, so no mention of Metasploit or other well-known hacking frameworks.
Plenty of people post their writeups containing those tools in there. Maybe it's just a matter of time til they're found.
Or a matter of time until they're reported for it
ok, i guess i'll stay away from it then. what are some other decent options on the free side if possible xd
That's part of what I meant. Welp. Time to learn web dev faster than expected.
Github pages.
It's not that hard to set up one.
As long as you know some Python you could spin up a flask or django site. Which is what I'm gonna do.
Can you run Flask apps on Github pages? I thought it was only static content?
I only know about Django tbh and yeah static pages.
thank you, I will check it out
Gave +1 Rep to @quick forum
So I’m curious as to where I’ll get to when I just get a degree in computer science and go for the OSCP, eJPT, PenTest+, etc
It’s what I’m planning on mostly doing but will I be able to get a high paying job with that??
Just in general I guess
I'd honestly say only one of those certs? They're a little redundant
Then OSCP since it’s like the most valuable, correct?
Look at job listings in your area
Alright then
wasnt security+ the most important one?
100% depends what you're going for
Degree and OSCP can get you a long way in pentest roles
Sec+ is a generic security cert, versatile but not specialised
i see. so it's better to go for one that specialises in whatever you want to do
Sec+ is appropriate sometimes/often
But there's no match for actually looking at job specs and seeing what they're asking for.
That's the way to get localised, accurate, and specific reqs.
Sec+ is also a requirement for a lot of government positions
Hey Folks : I'm hiring for tons of mid-senior level, remote infosec jobs, if you want to learn more, feel free to get on my calendar: calend.ly/gshwrec
If you drop me an email from a legitimate corporate email address to muiri@tryhackme.com, I can give you a recruiter role to post that in #jobs-board 🙂
start doing the learning path on tryhackme
Hello, in the #start-here channel there is some information on how to get started. Also you may want to verify to get a color and post media. Instructions are below.
!docs verify
Hey guys. I’m pretty much almost ready to take the Pentest+ certification, my first certification. I have about 5 years IT experience but none in cyber security and an associates degree.
Do you think there’s any benefit in going for the Security+ certification after, since i’m still trying to get my foot in the door?
It’s very odd to get security+ after pentest+ but it’s also never going to hurt you
If you are going to do a general Cyber Security analyst certification it might make more sense to do CySA+ or, better still, an ISACA CRISC. Do a job search for CRISC, then a job search for CySA+ and make your own decision. Doing a general Certification like this gives you a virtual certain foot in the door..... then you can use your Pentest+ to move into the Offensive Security world.
Why is this abnormal?
Difficulty scale. According to Jason Dion, Sec+ is easier than CySA+ which is easier than PenTest+. However, that's just people's opinions. IMO CySA was hardest out of those 3.
Because CompTIA's hierarchy says sec+ is below Pentest+
ah noted noted. in THM the PenTest+ path is rated easy, so if i complete that should the PenTest be easy to complete??
I did it that way. I would say yes. Do the PenTest+ path, and then read the pentest course materials real quick. You'll be ready.
sweet thank you 🙂 looking forward to it
Gave +1 Rep to @native elm
Thanks for the feedback guys
hello can someone tell is it possible to become a cybersecurity specialist with doing bachelors
bachelors + certs
+1 to what @pseudo creek said. Many employers want to see a cert + a bachelor's degree. If you choose the right bachelor's degree you might find that it has a CEH subject in it and a lot of other good stuff.
Is there any opportunities for Cybersecurity volunteering?
I see there's some for coding, but didn't see any for cyber specifically
conferences always need volunteers
or are you talking about things like open source development?
What are conferences?
things like DefCon, Bsides, Blackhat, etc, etc.... basically events that usually include talks, CTFs and other things
Oh ok a literal conference, it seemed like it meant something else the way you used it, thank you 🙂
Gave +1 Rep to @pseudo creek
it is a great way to network, a little adder to your resume
I’ll look into it thank you again 🙂
How long did it take you to hear back for a job offer?
I had my 2nd round of interviewing 3 weeks ago and he said it would be a little bit because I was the first interview and he had other candidates to get through but 3 weeks seems like a bit much. Think I just got ghosted
That's not unreasonable.
If it goes another week, contact the recruiter
be nice about it, being a jerk will pretty much mean your application gets round-filed.
Lol I'm nice
Hi, advice please for my DF/IR path: eCIR, CySA+ or CREST CPIA? Thanks in advance 🙂
One common question: I'm an experienced fullstack developer looking to transition into information security and honestly frustrated with the recruitment process, as everyone is looking for an "experienced" candidate? I mean how the hell should I gain experience if I don't get hired anywhere on the basis of certification?
well it depends what they mean by experienced, do they mean experience in general or cyber? Usually when our job listings list experience, they are talking about general experience
@azure bridge - eCIR is fantastic if you want to actually learn useful real-world relevant skills. But recruiters have mostly never heard of it. 😫
Do a search on your local recruiting site for eCIR. CySA+, CPIA, CRISC, etc, look at how many jobs call for each certification, and then make your decision. In my part of the world, CRISC wins by a massive margin. THM is going to teach you the real-world skills, eCIR might help, but something like CRISC gets you noticed by recruiters. Sad but true.
What are your views when it comes to on-site vs remote for an entry level job? How much of a benefit is working in an office?
working in an office is a great benefit for those that are early career
Hi @velvet spindle . As a hiring manager, I have not actually IRL met any of the people I hired since April 2020. We work exclusively remotely due to Covid. But my country has chosen to minimize the number of Covid deaths, and in my country online work is mandatory if it is feasible. Most of my team love this way of working and would resign if I told them they had to come into the office. I suspect that it would depend on the country you live in.
basically the networking and in person contact is very important, doesn't mean you can't be successful remote but I've noticed more careers being stagnated / feeling stagnated due to remote for early career peeps
+1 to what @pseudo creek said. Networking is important if it is feasible.
Being able to joke about and socialise with people in person is great.
Having a dedicated, clearly defined, separate space to work in is great. The commute is time to wake up, then chill out.
you can network remotely but it's harder
Building on this, I got a physical book to borrow from my coworker. Couldn't have done that remotely.
We sometimes adventure out the office to the shops etc at lunch.
Team building!
Absolutely true @quick forum . My team have been remote since April 2020. No culinary adventures for us. On the + side, 2 of my team members moved to the mountains, three now live beside beaches and one moved O/S to a lovely property in New Zealand. As @pseudo creek said, this will potentially stagnate their careers, but they know this. I guess, if they want, they will just come back into the city when it is all over.
Also work curries, very good
Stop. You're killing me.
Issue is, I haven't had a remote position where I work as part of a team. Only remote stuff has basically been contracting, so I can only give one side of the story
Thanks for this advice . Is CRISC only aimed towards risk management ? Or would it help with IR
Gave +1 Rep to @gusty iris
CRISC is oriented towards Risk Management in an Information Security context - so that includes DR as well as Cyber incidents.
Find a Cert that looks like fun and then type it into your local Job Search interface. Find a winner 👍
CRISC ain't the only Cert that scores well.
Thanks for this 🙂
Gave +1 Rep to @gusty iris
Hello all,
I am kinda stuck in between two univs for my master's in Cybersec
1st : University of North Carolina, Charlotte
2nd: George Mason, Fairfax
Can you help me out choosing one, with reasons please if possible
Thanks in advance
As of now, I am pursuing my Undergraduate about to pass in 2022
and also please tell, where can we find some good internships easily
I got an email back/interview setup for a post-grad security analyst entry position 
I don't even graduate til 2023 lol
Go work for a few years before going for your masters in cybersec. Until it becomes a requirement for advancement, it will price you out of the jobs you'll need experience in to get to that next level.
Honestly, am only gonna go for a master's if a company helps me out. I already hate being an undergrad and having to pay for part of it, I'm gonna utterly hate going for a masters and paying for it myself again
Why are you going to graduate school? What are you hoping to do?
career growth , i literally want to work in Cybersec, options in my country are less, soo ..
so you currently aren't in the US but want to come to the US for school with hopes of getting a job? I guess that's difficult because companies in the US really don't like entry level employees with a MS degree.
if you aren't a US citizen, I would not go to George Mason. Most of the recruiters there will want you to be a US citizen as most jobs in the area are gov related jobs.
One thing I'd recommend though is if you do decide to come to the US, you work on certs.
Just curious to know..what qualifies a candidate for that recent content engineering job THM just posted?
well they have the requirements section
Crap I haven't looked
Thanks I'm working on all this now
Gave +1 Rep to @static tide
Hey Thanks for your advice, so I passed my SY0 601 recently, so from now I am planning to prepare for OSCP to complete it before my master's end!
is it a good idea or can anyone suggest something else?
Gave +1 Rep to @pseudo creek
Does THM offer any internships?
yeah that would be good
they had one before, believe it was limited to specific locations
It is a company from the UK, right?
yup, someone can correct me if I'm wrong but I think the internship I last saw posted was for those who are from the UK / right to work in the UK
Okay, thanks a lot for the info, I'll stay tuned 🙂
Gave +1 Rep to @pseudo creek
i am sub to htb and thm is it enough to prepare for oscp?
no
merely subbing to a service does not prepare you, you actually have to put the work in
if you actually do put in work, it again depends on how much work you do 😄
And what you work on
Take what I say with a grain of salt because I haven't taken OSCP yet. But from what I've heard, if you actually practice exploiting machines manually, and get good at it, that'll be good prep for OSCP
Any SOC analyst here? Need some help
We prefer you to directly ask your question rather than ask to ask
Any Java experts around?
Do you participate in IT audits along with SoC operations ... What exactly do you do in audits? Also how do you validate false positive alerts in siem tools
I-
Please refer to what we sent directly above you.
We prefer you to directly ask your question rather than ask to ask
These seem super hyper-specific is this for an exam or homework?
it was a reference to this, haha
Yes sir... I have an interview Tomorrow
Is THM only hiring remote working professionals from EU region or from other parts of world too?
Most of those will be dependent on the organization and their response policies. Auditing really isn't something that I do but there are plenty of resources about it. Validating false positives will also depend on policy, generally it's just a matter of cross referencing sources
THM has hired professionals from all over, location isn't really a restriction. I'm from the US and work with the team
and they will specify if it is country specific if so
Thanks @polar rock for the information 🙌
Gave +1 Rep to @polar rock
anyone have any recommendations for looking/scoping out internships in infosec
sorry if this is the wrong place to ask that 🤣
Join LinkedIn, build a network, also look at college recruiting sites of companies that operate in your country
I'll be glad when my hiring spree is over.. I feel like I'm working in HR instead of infosec 🙂
Sorry if this isn’t the right place to ask this. So I’m a third year student looking to get a bachelors in cyber security. I have a blog where I post about learning Linux and such, but I’ve been very overwhelmed due to the vast amount of information and resources out there and skills and tools to potentially learn that I’m not really sure what to choose to make the best use of my time outside of classes. My goal is to eventually work on the defensive side. What are some things I should be spending my time learning to develop a good skill set as I look to get internships and eventually a job?
I think this provides a good overview https://dfirmadness.com/getting-into-infosec/the-five-pillars/
Certs are huge these days so I'd be eyeing some certs, like Network+ and Security+ and I'd also look at a cloud cert, either AWS or Azure
The Pre-Security path and other paths on TryHackMe are also really good
Ok thanks! Unfortunately for me I can’t afford certs right now, being a broke college student and all
But I’ll definitely look at that site and use that and be doing the THM paths. Thanks!
I would definitely look at certs before you graduate though, it'll really help with the job search
Ok I’ll start looking then, thanks!
@j21 also check with your school and see if they're able to pay for some of the certs. my school received a grant to pay for any certs for the cybersecurity students
There are some that are free rn. Specifically Cloud.
Oh ok, thanks
Has anyone done / heard much about TCM Security’s PNPT cert? I’ve been doing a lot on THM/YouTube/Udemy /INE and other sources but looking at my first cert (I’ve got a background in IT)
Unsure what route to take? eJPT / CompTIA / TCM
Would it be a massively bad idea to try and dive head first into something like OSCP / CEH courses?
OSCP is harder so depending on you, it might be something to work up to. CEH is a waste of money unless you live in India. And tbh the title is deceptive considering it's a theoretical exam. PNPT is extremely practical as the name implies. You're given 7 days to complete the engagement ending with the submission of a pentest report and debrief of the examiners acting as a client. The course material and exam focuses on AD which is extremely common in real pentests plus the exam is unproctored so if being watched while you do an exam isn't something you're ready for rn then PNPT. eJPT is similar but doesn't teach AD and has an MCQ at the end with answers gleaned from the exam so it's less real world. It's also unproctored and you have 3 days to complete it. They both offer free retakes where the rest don't. So they're good for working up to OSCP but there's nothing stopping you from doing it right off the bat. eJPT is the easiest from what I've heard.
CompTIA certs are MCQs too iirc. Sec+ is what you'll see advertised for most blue team roles but don't take my word for it. As always, do your own research and see what's best for you. Cheers!
Anyone from Canada here who is located in Canada as of now? (btw Thanks for all the help Hydra)
I am planning on moving there for MS in CyberSec (and preferably a job) this feb or sometime around that, was looking for someone local, I can get specific should know stuff from.
Thanks for your response - I’ve done a load of research about how to break into the field which seems to contain the same information of where to study etc but the major difference seems to be which certs to do first.
I’m struggling with an internal debate of if to do something easy first or just try and deep dive - if I do something easy and pass the plan would be to move onto something harder anyways. So it also seems kinda pointless to waste a sum of money on something easy too 😂
Gave +1 Rep to @stuck rover
PNPT is hard and practical.
Might be your best bet
It also seems reasonable in terms of price - how is it with using it to get a job though? Is it “HR Approved” or is it still relatively new?
If you want HR approved then you go for SANS or OffSec tbh. The new ones may be more up to date but less recognised.
Note, that advice highly depends on where you are.
Look on linkedin at job postings in your area/country and see what they're asking for
Aye I’ve been checking job postings regularly, but struggling to find a “trend” of which qualifications people are after. Thanks for the advice guys 😊
put the qualification in the search box rather than the job title and see how many are returned for each
probably start with terms like OSCP, CEH
James is right to say check local job postings. As a general rule PNPT isn't really recognised just now though 🙂
I’ve actually begun to see them on some really large vendors. Clear and Optiv are two that come to mind right now from postings I’ve come across
Mostly US though. TCM has been pushing for recognition quite a bit.
Wouldn't be surprised if it surpassed eJPT in a few months not that that's saying a lot.
Aye, one or two. It's got a way to go
It will get there, but it's not one to rely on to get you a job
kekw, I was thinking the same thing
I'm going to enroll in a college IT course next year, after high school, but I feel like it's unnecessary considering I'm able to do 99% of the things on that 4-year syllabus. Do y'all recommend multitasking college and studying cybersec for certs? (Not really a career, but still edu so this is probably not the right channel)
I really doubt you are able to do 99% of the things on that syllabus to the same depth of knowledge you'll get in that 4 year program. If you really do think that, please create a github and just go straight into industry. If you are that good already, you won't have a problem getting a job once you can get past the initial HR blockers.
Practical projects that you can build into your curriculum to push you beyond the coursework are going to be a much bigger boost on the CV than most entry level certs, depending on what kind of career you want to build
Is anybody interested in some IT roles with a cyber focus? They aren't SOC/Red Team/Threat Intel but general IT infrastructure like server infrastructure gigs with cyber tacked on. They roll up specifically to me and we are hiring in Australia, Europe, and the US and we are remote friendly 🥺
Thanks for that. That link is fantastic.
Gave +1 Rep to @pseudo creek
is there a specific requirement? Im just looking for experience
Hey everyone, quick question here. Is it a good practice if I add a "Currently preparing for OSCP" in my CV?
Yes, it may get you past an automated filter and it always shows you're willing to self study.
It's also something I'd definitely discuss in an interview
Thank you for the answers
Can you please tell me where I can add it? Should it be in the summary or with the certs that I've achieved?
That honestly depends on you. Some people told me it looks better in the summary, others tell me along with existing certs
I think I'll just add it in the summary in order to let the "achieved certs" list more specific
True. Thank you for your time. Have a great day
Gave +1 Rep to @quick forum
I put it with certs myself, but mark it very clearly as "Currently studying for"
That's what got me the job I'm currently in -- I sat the OSCP exam about a week after sending in my CV, got the interview, had received confirmation of passing the day before the interview
Does anyone have hands-on experience with the learning platform "Code Red" of EC-Council? https://codered.eccouncil.org/
I just have a list of my certs with the date I achieved them and then below that there is In Progress with the cert and the passing date I'm aiming for
the last advice from Dave Kennedy and some other big employers I asked: they all told me that it is better to have a blog and github account that show your passion and willingness to learn than having a big cert on your resume, all that for a junior pentester role.
Maybe for software dev.
If your github isn't pentest relevant then what's the point?
Tbf, coding tools and exploits is still good
That would be pentest relevant
Passed the beta exam first time! Couldn't have done it without you Tryhackme
Thank you guys for the advice
We are hiring junior and higher level roles, maybe PM me and we can talk further
I saw your post and was like "I need to check my email" and I passed too!!
I'm guessing you also just got to hear back from the beta? Good job! I did too, I'm so happy
Hey guys, I’m slowly trying to get more involved in the cyber security industry. I did several rooms on tryhackme, along with some courses on INE and I’m currently going through the labs on PortSwigger while reading ‘the web application hacker’s handbook’. I started looking for summer internship and graduate position over UK and Europe and I thought I should post something on here as well in case any of you know of any available positions 😅
And I just realized I posted it to the wrong channel 👌🏼
This is the correct channel
Ah, okay. Thanks
How difficult did you find it?
Not terribly difficult. Mainly used the pentest course to study. Spent a month studying 30+ hours a week. The last week was mainly spent going over the exam objectives for the previous edition since the ones for pto-002 hadn't been released. Sections 1 and 5 were likely my weakest as those focus on the business side of things rather than the technical.
👍 sounds good. I'm gonna wait a while and get some feedback for pto-002 before paying for the exam 🤣
Nice. Did you study at all for those parts ?
Hey everyone, I've a project coming up in which I have to interview a penetration tester or red team professional for about 10-15 minutes with a few general career questions. Would anyone be willing to help me out? please pm me if so :)
I feel like I really struggled with the code parts of PTO-002 and I focused way more on them since then, I have my CEH tomorrow so hopefully it translates 🤪
Good luck!
Thank you! I've been studying long enough and doing enough of it at work that I am confident and more confident now that I passed PTO-002
Gave +1 Rep to @stuck rover
Turns out my CEH was today, but I just bodied that. 109/125 lol
Congrats 🥳
Don't forget to get your CEH role.
Thank you 🥺 i need to get all my certs added I have quite a bit to add!
Gave +1 Rep to @willow gate
Awesome!
congratz dude

Hi all, I was planning to get certified. Which cert should I opt for, eJPT or CEH (Practical)?
If I'd be you, I'd go for OSCP
but eJPT is good too
this can give you a clean basic knowledge
You can go for eJPT at first
i don't think CEH is good tho
it expires, and i don't like that
They said they were in India, OSCP doesn't really hold weight over there.
personally, I'd pause on the idea of eJPT, I'd go for CEH if you are in India
generally, certs that expire will have more value than those that don't
Guess what! I'm Indian, but I want to do the OSCP
You can do it, but it won't hold as much value.
i don't really care about the jobs until and unless I'm 24, but i just want to extend my knowledge as far as possible
Got 6 years more ! yayy
Does the location matter?
Yes
Why is that?
Because the jobs market is different in each country
Because government compliance asks for different certs in different places
What is the job market in Canada? I will be moving there in a month
Take a look on LinkedIn and find out
Okay
I have a lot of colleagues who got a job because they were CEH certified
I have no clue about eJPT (but it has better hands on depending on what I have heard)
do you have any other certs? like Security+?
In India, yes
Eventually, I will do both. But, which one would be good to begin with?
like James said, I'd look at LinkedIn, but I think security+ is pretty good overall
certs can get jobs?
i'd go for a bunch of certs then
In Canada as well, one got placed in Arctic Wolf
Look on LinkedIn and you will see what the job adverts want.
when you are looking for a job, I'd look to see what job listings are asking for... often they will include certs
They help the recruiters filter people.
ah! yes ! got it
I'd love to get a job of a pentester. 
Gave +1 Rep to @pseudo creek
Sure, will do my research. Thanks
who knows what exactly will be required in 6 years but best to talk to pentesters in your area if you can
Yes
anyone here done the CRTP? what impact did it have on your career, if any?
If I wasn't further along in my career, and the choices came up, between eJPT or CEH, I'd go with the former. My company paid for me to take the CEH and I wouldn't otherwise and my next step is likely OSCP or the PNPT
But yeah CEH like a lot of IT certs like from CompTIA can be renewed by doing other certs, going to lectures/events
I recall when I went to GSX in 2019 I earned CEUs I could apply
i know “ceh sucks blah blah blah”, but are any of these courses any good? (considering they’re only $1)
@static tide for $1 I am sure they far exceed the cost tbh
Honestly, same. Especially that python one
which python one?
IMO python courses are a waste of time if you already know at least 1 programming language and set of libraries pretty well.
Better off just using readthedocs and working on projects.
Top right @static tide
i kinda agree with juun there, although maybe a mini course on working with sockets or something (but there's a few on youtube)
And judging from the title, that course is going to use content from Black Hat Python as its basis. Just go to the book (super easy read, no python experience needed).
ahh i wonder if it's the same as the book
oh yeah lol
I wouldn't even go that far, jake. Sockets are trivial in the py networking libs.
Fair enough, I'll take your recommendations to heart then!
python net libs are way easier to use than C or the C++ Boost libs.
if you can do the beej C networking tutorial, you'll have zero problems with the python networking.
OSEP doesn't use C
It's a mixture of C#, PowerShell, JS, VBA, etc. The classic malware scripting languages
JS or that weird Microsoft jscript thing?
(which is a version of ecmascript so kinda JS)
Both 😆
jscript is not weird.
It really is. It's also totally dumb
You’re totally dumb
What is meant by a kernel. And difference between normal kernel and shared kernel. And how can a kernel control hardware of the system.
This sounds like homework questions.
Looks totally legit...
@quick forum
@undone shore I'm on mobile, don't have the option here
Omega already banned without -ddays
Hi
Hi.
So I know jobs like to see what kind of personal projects or your dedication to cyber, is there a recommended site to write-ups or cyber blogs on?
You could set up a free website with github pages. Otherwise if you're lazy or can't make websites then medium works fine. Just keep a backup of your blog posts. They're known to take down infosec pages apparently.
Gotcha, thanks!
Gave +1 Rep to @stuck rover
Hello
Hi! I am currently a 3rd year student studying Computer Science, from India. I had recently started to study for CCNA. Today I received an email saying that my Institute has collaborated with EC-Council and are offering CEHv11 courseware with exam voucher. I can pursue and afford only one of them for now. So now I am very much torn between them.
The one with exam voucher is for approximately 210 USD
lots of people have mentioned CEH is valuable in India
plus study groups can be valuable if it is multiple students
but CEH also has a yearly maintenance fee I believe
I have heard the same as well
Also if I were to go for CEH later, what will the fee be like as compared to the above screenshot?
can you find out what the fee is in India? sometimes companies adjust their fees for low cost of living countries
in the US, its $1200 it looks like
It seems that it is around 40k INR
$533 then
I can get it for like £250?
https://store.eccouncil.org/product/ceh-vue-exam-voucher/ not sure if there's an eu store, but $1,200 us :x
What kind of assessment could I expect for applying to an internship? (it-security company)
do you think when you have finished jr pentester space and understood everything you are ready for an entry level job?
is there any way to get some mini projects in basic network security?
As an intern? Your questions will likely follow your background; I wouldn't worry too much about it.
The vacancy says that I have to do an assessment testing my skills, they ask me to note my experience with Linux, TCP/IP, programming and security. So I think it will be something covering those subjects but I have no clue what level of knowledge they expect. Will it be searching for XSS or SQLi? Do you have any experience testing interns?
It's an intern role. Your technical aptitude is secondary to your attitude
Depends on the company and what they do tbh. I’ve applied to companies that just want to know about you and your studies and I’ve applied to internships where there were full on technical challenges (that was a very technical company however)
Your technical test likely won't go too far beyond what you have on your resume; usually these kinds of things are to weed out the liars and misrepresentations
Be upfront and honest with both your resume and your answers
Gave +1 Rep to @flat sedge
okay thanks for responding @flat sedge @polar rock 🙂
6 years
Hello everyone! I'm a 20-year-old university student in Europe and I'm currently studying for my BSc Computer Science degree. I'm planning to do a MSc in Cyber Security as soon as I finish my BSc. My first thought is to work as a red team operator although I have a couple of questions to ask:
- Which certifications should I go for before I finish all my educational years?
- I'm currently studying in thm. (I've completed many paths in regards of Networking, Linux fundamentals etc. and I'm in the middle of Jr Penetration Tester). Do you think just trying to do machines in thm/htb would be the best practice for me ?
- Which role-jobs am I going to land as an entry level pentester ?
- Which roles am I going to be able to fill later on after a few years of experience as a pentester?
And finally but not least - What's your opinion about teleworking? Is it even possible to do that in this field?
Thank you everyone so much for reading and answering it's extremely important to me! Feel free to dm me if I've caused any spam trouble here.
P.S. Sorry if I did :S
Not to rain on your plan, I'm not sure how it is in Europe, but a masters before getting actual job experience may not be beneficial and will actually be a hindrance on your progression. By getting a masters too soon it prices you out of entry level positions and even though you have the education credentials you don't have the real world experience.
Penetration testing also isn't necessarily an entry level position so be prepared to start somewhere else. Security in itself isn't necessarily entry either
Remote work is possible in the cyber field but as an entry level it may not be totally accessible, depending on organization. As an entry level employee going straight to remote may not be the best either. Having in person contact with coworkers really helps when you're just starting out
Excuse me if I misunderstood but are you saying that MSc is a bad idea? I really want to do it :/
Masters are for Management
I'd love to go higher in ranks if that's what you mean
As an entry level they may be more of a hindrance
No, you get them when you have enough experience to be management is what I am trying to say
Juun will probably explain it better than I
it's not a bad idea - but if you don't have any enterprise or work experience, going for a M.Sc in Cybersec may price you out of the initial entry level experiences that are foundational to security
Doesn't that mean that even if I'm extra-qualified for entry level I can still fill in the job and perhaps get promoted faster?
MSc + 2 years experience = promotion
BSc + 4 years = promotion
something like that
MSc = struggle to land entry
Nope. It usually means you leverage that entry level experience at a faster rate, meaning the organization now has to backfill your role before they've broken even on the investment they have made in your employment
Every role has a cost:value ratio that is targeted by the business people who determine budget. Typically an overqualified candidate is offered a more senior role, but sometimes that can't be worked out.
So the org is better off not hiring overqualified candidates, because they outgrow the entry level role too soon, so a promotion or moving on before the 1 year mark means the business has lost maybe not money but value by hiring
I totally understand it now, thank you. What would you recommend me to do though?
Because this is kinda a plan changer for me
be lazy with your credentialing, and degree. until it becomes a checkmark in your career path, don't do it
it also means that you aren't paying out of pocket for the degree, the company is
That can happen too ? 😮
exception to that is the bachelors degree - that opens many doors much faster than just work experience alone
IMO SOC Analyst I and II shouldn't have Masters degrees. That's too much money for that role.
others who work security as a day job may have something different to say, don't take my word as gospel
Yeah don't worry all I want to hear now is opinions. All right then, let's say I'm not going for the MSc. That means I've got a decent amount of money saved, what would be my best investment choices ? for that specific role I mentioned earlier
put it into retirement or savings
what about certifications ?
do just enough to get the role you want, and let the company pay for certs and training from that point forward
CCNA|NET+ && Sec+ are great entry level security certs
investing in a small homelab gives you a lot of value to potential employers too
What about OSCP ? since I want to work as a red team operator
"I have a small linux homelab, I installed FreeIPA and a bunch of services on VMs, here's the specs, here's how I manage it, etc"
Pentest and related adversarial emulation really isn't entry level in the true sense of the word.
Entry level to so-called Red Team is really 3-5 years of experience
there are exceptions, but they are pretty rare; it's almost unheard of for anyone to get permission to pentest, red or blue team, within the first few years of their security career
Excuse me if this is a silly question but you're saying that for me to join Red Team I need to have 3-5 years of experience.. of what though? Pentesting? what would be the first job I'm going to land in order to get that experience
of anything IT related
Development, network engineering, sys admin, systems engineering, SOC roles, et al
some people do come to security through the business side, but those folks usually end up doing GRC
at least from what i've seen
Oh I see. So, I shall continue studying material in thm/htb and practice machines. I'll get those certifications you recommended me and we'll see how it goes :D. One more last question
so I live in Greece and I don't know if there are many job spots for pentesters in general. Will I have to be restricted to Greece only or can I work almost 100% remotely too?
That's actually my biggest concern to be honest..
I don't know. I live in the US for an international company; hiring in EMEA is something I don't know anything about
It's ok, you helped me a lot by providing all this useful and interesting information. I appreciate your time and effort
Have a great night sir 🙂
and all of you who answered as well!
good luck
Remote work really depends on if you're eligible to work in the country despite being located in a different country altogether. You should be able to apply to other positions within the EU.
And I'm guessing every company has different terms for remote work
If you want to have a discussion about homelabs I'd be happy to answer any questions you may have as well. I attribute it to me getting hired as it was a major talking point in my interview
To be completely honest with you, I have no clue what is a homelab but I'd love to hear more about it!
I'm guessing htb and thm can't replace home labs especially for setting up and hardening the system.
Perhaps. Some are moving fully remote.
are we talking about the way someone's practising?
Oh that's good news
Money is not that important for me but I definitely need to pay my bills haha, so how's the salary in Cyber Security field ?
let's say if you work as a red team operator after a few years of experience
Entry level positions are still fairly unlikely to be remote though
It's much more likely to get a fully remote position if you're senior
I'd like to have someone experienced next to me guide me in my every-day tasks
So I'm not seeking for remote work as entry
That was more a future-question let's say
You, uh, may want to phrase that differently if you're discussing this with a hiring manager 😆
The ones I've seen lately are. But tbh it's better to be on site as a junior. It's infinitely harder to learn OTJ in a remote position.
hahah Yeah I expressed it poorly my bad xD I didn't mean that exactly
You'll be expected to have some grounding in whatever job you get. They will also usually provide training, and almost certainly some kind of mentor figure, but someone actually guiding you through it is, uh, highly unlikely 😆
Yeah mentor is what I meant my bad 🙂 That's exactly why I don't want to work 100% remotely as an entry
I guess it kind of depends on your role. I'd think it'd be much harder for a junior SOC analyst to learn in a remote position than a junior pentester.
That is true I can see that
Don't bet on it. Dunno about you, but I wouldn't wanna let a completely new pentester loose on client systems without close supervision
Homelabs are what they sound like, computer labs in your own home. Commonly, used enterprise gear is bought for homelabs but isn't necessary. If your computer is powerful enough you can just virtualize it on that. It allows you to play with technologies in a safe environment. Research -> Build -> Test -> Break -> Research -> Fix -> Repeat
Best case scenario they know what they're doing. Mid case scenario, they don't have a clue and just sit there wasting time. Worst case scenario, they come from the CTF world, hammer some poor ancient public-facing server and bring down the client's website
In my homelab I have the following: media center, pihole, virtualized router, Active Directory, mock work environment for my job, a SIEM, minecraft servers, etc
Of course there's gonna be coordination via a call or something but you can't really screenshare with zoom for hours and show the new soc how to parse through network logs lol
Why not?
I don't mess with malware because I don't have a dedicated box but we did malware forensics in my Uni so I didn't feel the need to build out that portion of the lab yet
Time and duties, I'd assume.
Either way you're gonna be sitting staring at a zoom call for hours
Which is why they bring the new starts into the office where a bunch of more senior folks can keep an eye on them, rather than one person having to dedicate their time to it.
No idea about blue team, but pentests are nearly always team things anyway, so the new start gets put into a team alongside more senior people who keep an eye that way.
I shall continue studying material on thm/htb then and once I feel more confident I'll get into the machines/rooms. Shouldn't I get OSCP since I want to be a Jr Pentester for example? And if so, is it a good idea to get eJPT first so I can get a "taste" of what the examination is like ?
The only thing I'm confident in right now is coding and that's because I've been coding since high school non-stop. Reading and understanding code and perhaps inject, is so far my best skill
OSCP is your golden ticket to a pentest position as Muiri can confirm.
I'd advise going for the pnpt over eJPT as it's more practical and harder but that's just me.
I'll definitely check it out!
As always, do your own research and see what works for you.
But the pnpt exam seems close to a real pentest engagement. (Feel free to disagree with me on this, Muiri) You even have to debrief the "client" afterwards.
I'd love to get Muiri's opinion to that whenever he/she has time!
what I'll say is there's no junior pentest cert, if there is, you're doing it wrong
security isn't a junior field, especially pentesting.
Your "Junior" phases should be spent out building your enumeration methodology
Not gonna lie I feel a bit lost...
tl;dr junior pentest certs cater to a type of people that shouldn't exist. If you can do eJPT, you can do PWK/OSCP and PNPT.
it's 100% a psychological thing
so what you're saying is that it's basically a waste of money for me to get eJPT and I should go straight up for OSCP
let me put it this way, eJPT didn't exist back in my day lol
if you understand networking, security and system administration, you're ready.
eJPT is the cert you get if you want a nice easy introduction into what a cyber cert exam is like
If you feel like you need that practice, it's a good thing to get
Oh I see, now it's clear!
"Back in my day." Aren't you like 20? 21?
eJPT came out in 2015 I think
yep, but compared to "back in my day", it's accurate 😛
I also don't really consider eLearnSecurity to be a more than 2 year old company tbh
their name has just made the mark
eLS is at least 5 years old. INE acquired it 2 years back I think.
I believe it was about a year or so ago now
oh no
the years are blending together
it was 2019
oh god
IM GETTING OLD 
At 20 lmao
me does math to try to figure out how long ago it was that I got my OSCP lel
not much pog but UvU
I need help with something, I’m finishing my CSPT soon and I wanted to know what other intermediate certifications there are, professional yet not OSCP level?
not familiar with CSPT and a cursory search turned up nothing, but OSCP is not an intermediate/professional level cert, it is meant to be an entry-level pentesting certification - like literally the bare-minimum you need to know for the field
I meant an exam that is easier pretty much, more like cissp or sec+
Or like eJPT
stuff like that
CISSP is not easier by any means and requires 5 years of industry experience before you can be called a CISSP proper - really depends on what your aspirations are, I enjoyed eJPT a lot but Sec+ will lead to more job prospects
Thanks!
Gave +1 Rep to @ancient prairie
Welp did some digging and my state happens to be the worst for cyber jobs lol
Any tips for moving for a job? I’m planning to start applying to just all the top states and see what happens
Define worst
It was listed as 51 for top places for cyber roles
51? sounds upper mid, not worst 🙂 (And I'm being a smartass, of course you're referring to US only)
Lol
Sorry I’m having a coffee run before studying so I’m not at the computer to get the site rn
But it was that site that measures each US state with cyber jobs available and what certs people have in the state and what employers are looking for
Just listings in general
How are they 51st? There are only 50 states. Is this not the US?
Lol I took it as it was so bad it got off the US states
I'm still confused but I would still apply to places in your home state. You're more likely to be hired if you're applying to places within 75 miles I think it was
There's a radius in which a company is more likely to hire you or place you in the applicant pool
My guess is they had Washington D.C separated as its own listing
I'm living in New York working for a company in Texas. Try finding remote jobs if there aren't many cybersec jobs in your area. But anything in a city will likely have more opportunities than where I live, countryside, 45 min drive to nearest city.
Keep in mind that the salary might decrease a little depending on where you are
When is a good time to start PWK?
Complete eJPT, reach 0xD on THM, and do the OSCP prep boxes on THM/HTB, then do PWK?
Inb4 varies for everyone
I know, just looking for some suggestion.
Planning to Follow Fawaz's pinned guide;
- eJPT content - no exam
- Offensive Path - TryHackMe
- Buffer Overflow Prep - TryHackMe room
- Linux/Windows Privesc courses - Tib3rius
- VHL - 1 month subscription
- Ippsec videos (Just watch and take notes) - HTB TJNull list
- OSCP labs
Gotcha, I’m trying to find a remote role but not having a lot of luck, thinking about pursuing an internship at this point
What do you guys think about Bug Bounty Hunting? What should be the prep and prerequisite to move forward?
To get started?

its a waste of time for the effort put in but may make sense if you live in a country that has a low cost of living and limited job opportunities. Better to ask in #bug-bounty
anyone got some good advice for uk cyber?
Learn the basics of the management side too
Anything you want advice about specifically?
just about finding opportunities, is it okay to dm the specifics?
Seems counterintuitive if you're asking everyone here for advice
@warm hinge I'm in the UK but UK cyber is too general. Do you need advice on anything specifically or which part of cyber security? For starters you can try https://cybersecuritychallenge.org.uk/
I'm looking into degree apprenticeships but they are either too far away or don't pay enough to live off. Just wondering whether I should go with apprenticeship or uni course. I didn't pass for GCHQ's degree apprenticeship so just looking for direction.
I just need to break into the industry after doing my college course, and my college course is way too easy and broad
So, I'm currently in school for my cyber Security associates degree at the University of Phoenix. I want to become an analyst, which certifications do u think I should look into. I want to study them now, so I can take them after I get my degree and hopefully get a job. Thanks in advance for the help.
security+ is a good solid one but I'd try to get it before you graduate if possible
network+ is also good to validate network knowledge
What is a good internship position to try to obtain as a Second year Cybersecurity University Student
Would you recommend skipping A+ and going straight to Net+ --> Sec+
Are cybersec engineer paid well?
if you are looking for a help desk job as a foot in the door, you might want an A+
sure, but thats a very generic job title
Currently working "Help Desk" at my University I was thinking the next step / other positions that are still entry-level.
Regarding A+ I feel like it would be more worth while to try to go for Net+ as my university degree would essentially display the qualifications of an A+ Cert
yeah, lots of people don't need it but some help desk jobs seem to require it
Yeah, I'm aware. Do you know some other entry level positions that I could potentially look at for my Internship
I'd start looking for internships as most companies (in the US at least) have already started their application period for summer 2022 internships
The deadline for a lot of US IT internships is usually end of december or january - do not delay
This is true for large orgs
Smaller orgs will hire all the way into May
I got my internship offer in April and started working in May and my roommate didn't get an offer until May and started working the same month
An offer vs application dates are different
Is it a good idea to do masters in cybersecurity?
I graduated as a biomedical engineer but I've found cybersecurity to be a lot more exciting, and I've wanted to switch since a long time.
I've got a year before my admission in cybersecurity msc begins, and I'm planning to get the certs before that
I'm just not sure if I will have enough opportunities considering the switch in my background
Not without experience first, generally you should get a few cyber certs and apply to jobs
Plenty of people go into cyber with various background. I’ve worked with people whose undergrad degrees were psychology, biology, English, etc
I'm getting the opportunity to work on 2 internships before I enroll for masters. Meanwhile I will also get my certs
Is that experience enough to set my foot in the door?
That's pretty cool to hear
I really only can speak for the US, if you are in India, the situation may be different
Oh yeah, I'll be doing my masters in USA
Then I wouldn’t do a masters
But I have a year to go
Ohh
I’d skip masters for now, get certs, then get full time job
Thing is, I don't want to work in India right now, I want to change places
I thought certs+internships+masters would be good to get an entry level job at least
In USA/Germany
I don’t know about Germany, I think they are more degree focused. In the US, having a masters can make it more difficult to get an entry level job
Even with certs and internship experience?
Yes
Oh that's sad to hear
But you can try. Also, cyber is one of the few tech fields in the US that rarely sponsors work visas. Not to say it’s impossible but it’s rare. If you develop a unique skill, that definitely helps
Oh damn
Thanks for letting me know
Any idea how the market is in Canada or Germany?
I don’t know those markets
Okay, thanks!
Hi, I want to ask if anyone has any good videos or resources that cover what to prepare (what skills you need to have) to become a pentester or to begin an ethical hacking career (for interview and future job)?
Start here: https://youtu.be/mdsChhW056A
I was just about to post that!
Also I know this is an infosec discord, but does anyone have any connections/resources for someone trying to get a data analytics/science job. Asking for a friend who’s trying to pivot from business to that field and has been taking classes and working towards it.
I only know about the google certificate on Coursera. Apparently, a few companies agreed to take graduates from that programme. Aside from that, I've seen a course on it from freecodecamp and an introductory one on INE's free starter pass
Thanks for the tip. But, I'm mainly looking for stuff like Discords/Slacks or anything else where they can make connections and/or find jobs.
yeah I don't know any data science discords
Is it possible to switch to cybersecurity after working in data science for 2-3 years?
With the right certs and courses
Asking for a friend
sure
Absolutely
I need advice on CySA+ is anyone online who has taken that exam?
is the Cyber Defense path a good addition as study material?
generally no
CySA focuses more on policies and procedures rather than practical elements
ex. you notice a key production server beaconing out to a known c2 server, what do you do?
a. shut down the device
b. capture a memory snapshot
c. quarantine the device
d. contact the device owner
are there multiple answers here
I have no idea 
that's just generally the kind of shit you'll see on that stupid exam
typical comptia question 
CCNA CyOps > CySA
hey guys im new here, i study cybersecurity and i have a question so i know a bit about general IT. I just wanted to know what do u think about eJPT cert to be my first cert ? or maybe u recommend sth else ?
ofc to get first job in cybersec
eJPT is not a bad cert, but it's not so respected by employers yet.
Go onto LinkedIn and look at security jobs that you'd want to apply for. See what those are asking for.
Sec+ is often regarded as a good foundational security cert, but certs have different values in different countries.
and eJPT may never gain employer respect as it sound like they are phasing that cert out next year
phasing out after just doing the beta program?
or am I confusing certs. Was it SEC+ that had the beta exam...
Pentest+ Beta most recently
So I was mixing them up, multiple times 🙂
yeah apparently INE is phasing out all eLearn certs
Hey I'm on a limited budget and I'm looking at cybrary, pluralsight, linkedin, udemy, edx and more sites to learn cyber security IT and pentesting. I'm considering paying for a monthly subscription for one of them. I want to choose the one with the best content, a lot of content and a lot of potential to use on my resume. Which one would you recommend?
honestly? i'd go with a tryhackme subscription
Why is that ?
because imo it's the right mix of practical and theory
This 100 percent
if you want something for your resume, I'd look at certifications
That's what I said as well.
It really depends what you want. If you want to learn and have the option to explore a little bit of everything or even focus in on one topic I'd go with a tryhackme subscription. If you want something for your resume I'd go with a Cert
cheapest way to showcase skills that you can put on your resume is becoming a github contributor and also maintaining a technical blog, both can be done for free
For real, I'm a decade into my career and I'm just now doing this, wish I'd have started way earlier
Yup TryHackMe is the best bang for your buck
you can also make a blog about various rooms you do on tryhackeme
Planning on pushing every program I make to github. Custom automated nmap scripts, malware practice, backdoors etc
If you are employed, run that by your director and double check your employment contract first. It'd suck if you did that, and got in trouble because they had a clause that all code and scripts developed under their employ is their property.
I would but I'm not employed XD. Don't really expect to be at least until I'm 18.
this is why you develop stuff on your own pc out of work 
Depending on the contract, and how litigious they are, that may not matter.
wait what
Yeah, doesn't always work that way
Some contracts are written in such a way that they can get you for working on "similar" technologies
Doesn't Disney have a contract for animators that Disney owns anything they create during the time they work at Disney?
Ew
lol would not wanna work for a company where stuff made in your own time is not your own
It's more common than you think
yeah its very common
my husband submitted a request to do bug bounty hunting, they basically look at it, determine its not a conflict of interest and let you go about it
I've been offered side jobs before and I was like 'nah, I don't want to do the paperwork'
Yeah i have to put in a management request if i want to try and make money on the side
Me too
Can only pray I don't end up in a workplace like that.
Side jobs is pretty normal
Them owning the code (or sometimes even patents) tends to be bigger companies. I know Nortel used to do it
I was reading about careers in cyber security and someone said most of it is policies. I want to do pen testing or security engineering, is he right that the majority is policies as that isn't something i want to be doing?
I'm gonna say it depends on your locale.
Like GRC jobs may be easier to get into in the US because SOCs and red team jobs are competitive asf but in somewhere like Sweden there may be less competition
I want to stay in the UK for now so what do you think?
I understand I'll have to do it regardless but not if it's the only thing I do
(I'm not in the UK) I think its important to understand the security lifecycle... risk influences policies and both influence cyber work. A lot of compliance programs require penetration testing. In Europe, my impression is that a lot of penetration testing deals with risk and compliance, meaning validating that a company is following compliance requirements (aka policies). And even in this day and age, lots of companies wouldn't spend much money or as much as they are spending if it wasn't due to compliance requirements.
Overall, any cyber person should understand policies on some level. Some people are the "I can quote policies" while others are the "I know how to follow the policies but sometimes gotta ask/look it up". I'm the latter of the 2 myself.
if you wanna be a pentester in the uk, then that person is wrong. maybe 5-10% will be risk & compliance /policies? (obviously depends on the company but a ballpark percentage based on mine and others experience)
Alright great thanks everyone, obviously I understand policies are something I'll have to deal with but I don't want to go into cyber security to just spend all my time reviewing and writing policies
my current role as a security consultant (uk) is broken up into smth like
- 50% hacking
- 20% reporting
- 20% development
- 10% other
nah, you only need a few policy writers and a lot of your policy will come from industry policy.
I'm not a penetration tester, the closest to policy I've gotten are whitepapers which aren't policy but guidance on how to implement a specific technology. But again policy can be important to understand, be able to look it up, etc.
Hello, I am a trained linguist. As I'm also passionate about technology, I am considering pursuing a degree in computational linguistics. However, I have the idea that such a degree won't be relevant because companies will always prioritize a software engineer trained in NLP over a computational linguist. Did I get the wrong idea? I would like to know your opinion and if I have better options.
Can you land a cyber security internship without any college experience with certs and experience?
It really depends on how you present yourself, and the company. I worked my way up to a CISO position without any college experience.
Internships are typically set aside specifically for students. If you aren't at least a part time student, an internship probably isn't going to be an option. If you are currently working in industry, ask the security team if you can shadow them for a week or two.
Depends on the country tho, my friend did an internship to break into the IT industry and she's 30 so you never know
this is news to me, when has INE made that announcement?
i don't see any relevant posts from INE's blog
they have talked about it in their discord according to people I know that are there / have elearn certs
oof... if that's true then that's a shame; i felt the eJPT course+exam were pretty good for showing me the basics of penetration testing
All I heard was that they were updating the course material because eLS stuff was very death by powerpoint.
i've asked the question in the unofficial INE Discord server but it seems like the people there aren't quite sure as well
hopefully INE's CEO would answer that question during his AMA on Friday 12th, 1pm ET
Yeah. Neal is the Chief content officer. Last I checked
it's going to be worth my time staying up late to listen to him answer my question 👀
Yeah, the whole legacy certs thing was something that came out of a live stream on YouTube from Neal. No warning, no official communication, just all of a sudden they are being referred to as legacy. Definitely needs to be put to Richard to ask for some official communication on this. Getting a cert doesn't happen overnight, i started studying for eCPPT months ago and getting ready for exam now but suddenly hearing your cert is considered legacy before you even get it is really bad. They need to stop leaking stuff via Neal's stream or at least back it up with official communication in my opinion, as a paying customer i shouldn't have to be tuning in to an employee's personal YouTube channel to find this stuff out.
I think the certs are still gonna be there. Just updated material and under a different name
well if they don't change the name of your cert then that is a concern
I.e. in place of eJPT perhaps INEJPT or something along those lines
like grant you a certification that says 'you are now ... <new cert name>'
otherwise it becomes like "eJPT? what is that?' "well its the old cert, it was renamed" "why you listing an old cert on your resume?"
Renaming the cert is kind of a problem in and of itself though. eLearnSecurity was the platform that had the name recognition, INE has no real reputation as a cyber security certification body and frankly i'm very worried about them doing that going forwards considering the disaster that their newest foray into certifications is after the Azure and AWS Beta exams. The Azure Beta exam was so bad the whole thing has been scrapped, again no official communications of this had to watch Neal's stream to find that out.
oof
wow i've missed out a lot on INE stuff huh
i should go watch Neal's videos/livestreams
Seems to be the only way to get any information unfortunately.
He brands it as a good thing that we're getting secret information via his channel but really it's just a communications failure by the company. As a paying customer i just want to receive this information directly.
I asked about this in his server and his response is that you shouldn't take what he says as fact or official communication. So it's all rumours until there's an official statement
idk, it's still common to see "MCSA" on cv's, even though those exams are retired now and i'd still encourage people put them on
But again, that's the problem. The company itself is not providing any communication and the CCO of the company is then stating things on his own channel so of course people are going to listen. You can't have it both ways, either it's official and it should come from company or it's not official in which case why are you mentioning it and starting rumours?
yeah but MCSA was a gold standard for so long and was well known
Well eLearn were purchased by INE only in the last couple years, and now INE is owned by Pluralsight. Just sends more people to OffSec
I had no idea INE was owned by pluralsight, when did that happen?
Oh wait I'm getting mixed up, they bought A cloud Guru just after they bought Linux Academy... too many platforms 
Hehehe! No worries 😄
I’m waiting for Pluralsight to buy INE
A bit of an off-theme question - would you include non-cyber related tech projects in your resume? Especially something completely stupid and useless, but fun?
What type of positions would you recommend for college students?
Internships
Honestly doesn't matter where it is in the tech field. Cyber, IT, etc. It's experience that you wouldn't otherwise have to put on the resume
Yeah but what type of internships are considered "entry level"
That's the actual point of internships. They don't require special knowledge, they don't require the student to know anything that would be valuable. It's a try-out for the company and the student, in the best case. The most important thing for an internship is an attitude, not a skillset.
Tell that to crowdstrike and facebook.
Well meta now
Yeah, crowdstrike's internships entry requirements are higher than graduate/ entry level jobs
CS are not an entry level company, even within netsec. Same with Rapid7 or any company like that.
Unless you are an omega-student like Muir and James etc.
IMO, companies that do that are missing the point of internships
I had to do my internship with my college's internal web design team, because I had so few internship opportunities 🤷♂️
I have no idea what good benefits looks like but I am thinking this isn't the best benefits package. Pay is not great either.
the big list of "employee paid" seems like a red flag
mad to think these are work benefits in america
All of those employee paids are extra types of insurance it looks like
Without seeing actual numbers I can't tell you anything
VSP is great vision insurance
PTO is similar to my PTO structure
You have a decent amount of education reimbursement
The 10 holidays are all the federal holidays
that 401k contribution is non trivial in the US
typical employer matching is up to 1% of salary
yeah, 5% is really good - 1% is very common. 3% isn't bad, but not what i would think as top tier
the tuition reimbursement is kind of meh, but much better than i hear about in non-tech companies
Yeah it's more than mine but my company is also super flexible and doesn't really say no
tuition reimbursement is really meh in general
i think my company does like 2k a semester at approved schools, but mine isn't 😐
Oof
So, everything looks average
yep! I know places that don't do 401k matching, so having any is still better than none
The health insurance is going to be a deeply personal thing though
So we can't necessarily help with that
My health insurance went up 11% this year
the PTO is pretty typical of US entry level
it's pretty straightforward - only things to ask about are unused PTO at EOY and compensated OT
It's not uncommon for salaried employees to get additional PTO instead of OT for hours worked over 40
I get neither
Ah, I lied. The benefits sheet doesn't include bonus schedule. Although that's usually part of compensation not benefits.
the problem with tuition reimbursement is they said to expect 50-60 hours a week and the ability to work remotely on call
so im not sure how i would attend school at this job
universities are likely to be flexible. you don't have to take full time credits to make progress towards a 4 year degree
check out WGU
It'll take longer, but you won't have nearly as much debt
Sounds like you'd have to take night school or some similar
if it's remote on call, so long as you can get the emergency calls in class and the prof is willing, that shouldn't be a blocker
i dont know if i want to risk taking out student loans for a job that will only pay $4k of my tuition a year, especially when its a call center where they already said expect 60 hour work weeks and being on call
for $17.44 an hour
if it's a call center, you should be making OT for everything past 40
assuming it's a US center
it is, just doesnt seem like the best
i dont wanna rely on unguaranteed overtime to pay rent
If that's higher than minimum wage in your area, that's a good wage for a call center.
Depending on the contract you're on, don't expect to be there for longer than a year, two at the most
We can talk about the numbers of attrition for call centers, but it's not really interesting... it's more horrifying and appalling than anything else
they said it would be a 6 month contract to hire and i have zero idea what the pay or benefits are at the actual place
i did apple tech support for a bit and it was pretty awful
you're getting those benefits as a contractor? thats pretty damn good
Big difference between being a 1099-T contractor and having an employment contract
Temporary employment contracts are very common, from BPOs.
@quasi stream how did you find a company to ask to get an apprenticeship?
you said before that you had contacted one at 15
could you give some tips
Can anyone tell me about PNPT, personal experience, review, recognition, etc...
Something that is not mentioned on site.
Haven't taken it, but from what I've seen/heard, it's a good cert to test/grow your skills, but maybe not the best for trying to land a job
If your reason to get the cert is a pen tester job, OSCP is probably your best bet. If you just want to learn, I don't see why not.
Well i am thinking about PNPT, it's not too costly as well compared to OSCP or eCPPT
What about eCPPT is it recognised?
I'm no authority on certifications, but I believe so.
I'm just gonna say that anything that isn't GIAC or OffSec (regrettably CEH too) in the pentesting realm isn't gonna be as good as the oscp for getting past HR
eCPPT is a learning cert and so is PNPT. Besides, eCPPT is kinda the same price as OSCP unless you grab the training while it's discounted
I'm just gonna say that anything that isn't GIAC or OffSec (regrettably CEH too) in the pentesting realm isn't gonna be as good as the oscp for getting past HR
@stuck rover Yup, I think you are correct
Damn your discord version must be old.
I cannot spend money on two expensive certs, one for learning and one for recognition. Besides that, I think PWK is a very good learning material too.
Then you have your answer, my dude. Go get that OSCP💪
Yup
I'm thinking about trying to switch from Software Development to pen testing as a career. My question is twofold. One, is that switch even possible, and two, what does a professional pen tester's job generally entail? Like, is it a lot of technical write-ups?
Think about how much writing and documentation your testers do for a product release - it isn't unusual for a pentest report to be at least as in-depth, and contain a lot more high level language to explain the findings and informational items to management.
Would the switch even be possible for someone who is currently in Software dev?
Oh, definitely.
It's a pretty big leap from software engineering to pentest, but it's doable. You'll find things like BOF a lot easier, but some of the system config vulnerabilities will take some time to pick up.
BOF?
buffer overflow
Also, should i get a cert before trying to land my first job?
It's very rare to jump straight into pentest without some other sort of security knowledge
Sec+ is a good cert to have to make that transition. A good chunk of pentesting is destructively testing someone else's code, I would suggest speaking to your QA team about how they address security issues, reported bugs, and test strategies that they use to expose your code.
Instead of trying to get a cert immediately, try to gain some base skills instead, then after a while I'd recommend going for the OSCP, its a very well known cert and actually teaches you a lot.
As for the dev base you've got, that's really good. Being able to understand how software works and how it's built is going to be an enormous help to your learning process.
Yooo guys
Well couple of months back perhaps two or three, I once came here to nag bout my lack of purpose in life and all and how much I love pentesting and all
Lots of guys from this particular discord came out en masse and talked me through things 😂😂
Thanks a lot @stuck rover
Gave +1 Rep to @stuck rover
Well even tho I was already given where to start, I still didn't start early with it, procrastinated it for a long while
Until last month when I decided for some reason to just start it
Then I still used the excuse of not being able to learn as a subscriber and in the subscriber only room I stopped progress for a day or three
But I came back started running free rooms my hand can get to
Became a bit addicted to this stuff
Then resolved to get subscription next year January but still keep learning
Now I'm having my school exams (3rd year computer science) and I don't even know what we are to read there 😂😂
I pull all nighters for this stuff
My only mistake was not creating a blog to document my learnings 😂
Thanks @stuck rover for listening to me nag and being patient with me right from the beginning
Gave +1 Rep to @stuck rover
Hey, no problem at all, man. I don't know if I mentioned this to you before but if you aren't able to get a subscription anytime soon then you could always do INE's Penetration Testing Student which is completely free and then use TryHackMe for challenges to practice and come back to the subscriber rooms once you have it.
https://checkout.ine.com/starter-pass
Just sign up and create an account. It's all free.
Any advice for getting into Security Engineering?
look at job listings, see what they are asking for in terms of experience/certs and work towards that (Security engineering means 100 different things to 100 different people)
Gotcha
I'd also look at enterprise security, sysadmin, configuration of firewalls etc
Thanks a lot sleepy
Gave +1 Rep to @stuck rover
Are you in software development now, or in infosec and wanting to get into development? Both require different paths
I'm in infosec (or rather trying to get into it right now, I'm a Cybersecurity college student graduating next month)
I've been learning Python and some Golang as well
Ohh, I love security engineering
Hey guys, im a fresh Cybersecurity graduate and im very lost, i don't know what to do career wise, what should i do?
I've been practicing on TryHackMe and learning a lot but what's needed to land a job?
Ignore the sticker i accidentally sent it
Any guidance is much appreciated
hmm
Well you're a graduate, but don't know about career.. Not a great position, but graduating is a good start. Do you know anyone in the industry already?
What country?
I'm currently in France lol
Darn, I'm not sure I could be as much help. Find an internship?
I am currently doing an end of studies internship but its just so dull man, all im doing is collecting info and putting them in a word document im not learning shit
So i definitely need to find something else after, but french is just killing me
And moving is not an option
I either find something or im done for
Do you have any experience in any part of Cybersecurity?
That is 90% of security work right there. There are things to learn in every job, if you take the route of 'this is a waste of my time' you aren't just wasting your time, you are wasting the opportunities at that company.
Nope
I see
Network while you are there, make connections with your bosses and the IT implementation groups you work with and around. Why are you doing the documentation? That's a key insight to have into GRC for enterprise.
Im the youngest member of my team, and the language barrier is killing me, i can't connect well with them
As soon as you have the attitude of 'I'm better than this' you've lost the most important thing for security: attitude to learn all you can and grow. If you think what you are doing is pointless, ask your supervisor for help understanding why it's been tasked to you
The documentation is basically for summarizing all the needed info of a system to make correlation rules to prevent attacks
Security teams can teach skills and impart knowledge, what they can't teach is attitude.
I understand what needs to be done, it's just it's dragging too long
I'm not saying im better than this, I'm just demotivated
I have known and worked with at least 2 interns who got post-internship jobs based on the strength of their report writing skills
Im 40 pages in, it's not ending 😂
Only 40 pages? 😆
For now yes, my tutor was like we will keep upgrading and adding to it, i was like yeah cool
faints
I'm pulling info out of 15-20 documents, 2 of them are 3200 pages long, ive been spamming ctrl+F for 2 months now
As a technical writer i feel your pain lol
It depends on where you want to go and the opportunities where you are.
Generally, sec+ seems to be it for blue team. OSCP for red team. Feel free to correct me on this
Always found pentesting is fun, i might venture in it, also i noticed that a good understanding of programming languages is needed in order to bypass/attack websites or systems or whatnot, i suck at programming tho, im gonna try to work on that
Do CS50 then! It's awesome for learning programming.
I don't know what that is but ill definitely look into it thank you
Gave +1 Rep to @stuck rover
Programming is definitely something you want to learn earlier rather than later
Saved the link
It's gonna be a useful base going into exploit dev, malware dev(if you're that sort of person👀), automation, reverse engineering.
Im into everything i wanna learn, but its just too much, that's why it's getting harder and harder to live on this planet
A lot to learn, we're not immortal
It's confusing
Got recommendations on what languages to learn aside from Python?
No clue lol
I was going to start learning Javascript but wasn't sure how it holds up by itself
As i said, a lot to learn
JS is a garbage language, but it's ubiquitous. IMO, unless you have a very specific thing you want to learn JS for, learn a statically typed language pretty deeply before branching out
Gotcha, since you say statically do you recommend learning Java? Wasn't sure because I thought it's being phased out
Java isn't going anywhere any time soon. I wouldn't put any faith in Java going away until Oracle stops selling JRE and JDK licenses
Java is a good language for prototyping and learning how things sort of work. The biggest problems with Java are bad devs locking their Java apps into specific versions - really breaks the idea of WORA if codebase is locked that way
Nothing like going into an environment and seeing 5 different versions of Java on the infra.
If you don't know C I'd say learn that.
PowerShell is fun
C is a big lift for a casual learner - there's so much to pay attention to, it's easy to get lost. I would say take a course or two through a vocational or junior college if going that route. The structure will make it much easier.
True true
And you shouldn't be writing code in C if you can avoid it
Arhu isn't wrong about that
to be fair though, some things kind of have to be written in C, if only because the community glares menacingly at any code written in another language submitted to the SIG
And in environments that have a requirement for absolute performance, C is really the best option
It's nice to write some C and then realise why you shouldn't have used C for it
Imma learn python
Or write some ASM and see why you should have used C
For limited resource systems C is often the way to go. But then again, C isn't a guarantee of performance.
C does give better control over what's happening - it is the ultimate way to shoot yourself in the foot
For example, when the language does not, by default, provide any data structures to work with, people tend to not use them.
James, have you had the fun of writing C that injects ASM? debugging that is a great learning opportunity
or do their own implementations of DS&A, which... quite often isn't a good idea
In limited resource environments, the standard libraries are often too weighty to use
I avoid ASM when I can
Haven't got to the memory injection stuff yet, that's after OSCP
Using Assembly Language with C (Using the GNU Compiler Collection (GCC))
Yep
I know a dude that legit wrote code in C++ and Rust then rewrote them in C again "because the binaries were too big." Absolute mad lad.
There are certain things C is the absolute best at, among high level languages. Callback latency is also top tier
Im only 15, but I have a subscription to thm and i really like computers and cyber. I just don't know exactly what I should focus on for my career down the line. Are there any resources you could recommend for this?
Don't worry about it; keep exploring and finding what interests you.
It's better to build a career off things you find interesting than to chase a paycheck
word. thanks
Gave +1 Rep to @flat sedge
Is getting certs on top of a degree worth it?
Practically required in some places
Really? What would an example of that look like?
What?
Pentest roles in the UK often advertise requiring a degree or experience, and then certs on top of that.
So is uni actually worth going to, I'm still in college in the UK but trying to decide if I should go for a degree or 3 years experience and self teaching
In the UK?
The loans are a tax. Don't let anyone tell you that they're not a tax. They're paid back as a tax.
Yeah in the UK
Trying to decide if spending 3 years and money is even worth a qualification
Surely employers don't just care about a uni degree?
They don't just care about a degree, correct.
But they do care about degrees
And graduate programs are still great
Aren't they where they pay for you to go to uni?
No graduate programs are, as the name suggests, for graduates.
Which is the one where an employer pays for your uni?
Pretty sure some employers do that
So they can train you from the ground up
Degree apprenticeship?
Sponsorship? - more common with Masters degrees
Something like that
@quasi stream , can you explain how you found a company to contact at 15?
I'm looking to get a cyber sec apprenticeship after gcses (may 2022)
i would recommend you go for a degree apprenticeship sniped
Maybe more polite wording would be, "Would you please explain to me how you found a company to contact at 15?"
gchq offer some as well as other non government agencies if that ain’t your thang
They can be hard to get into though. Get applying @distant kelp
yeah i applied to one at some point in 6th form and didn’t get past the first round lool
gchq one^
RIP
it’s okay i got something better now😅
Sorry, my natural speech habits online aren't too polite
What's wrong with that?
It's direct, but not impolite -- no more than bluntness ever is online 🤷♂️
Has anyone here ever had any experience with the CyberCorps program?
The one in the US? Pay for a bit of college and in return you work for them for the amount of years they paid?
I know a little about it. They recruited heavily out of my college
Yeah
What questions do you have?
How hard is it to get into the program? If you get in, are you guaranteed a job once you graduate? Is it actually worthwhile?
Ok so I'll go line by line
Hard is a subjective term and is also up to the professor in charge of handling all the applications. This is how it was done at my Uni anyways. I applied for help with my Masters but was denied by the professor who didn't think I was a quality enough candidate. Strictly based off my GPA which was tanked due to me being in a Biology/Neuroscience Bio 101 class
As far as I am aware, once you are in and you take that money, you owe them
The job is guaranteed upon graduation and your salary is capped at $65,000 a year i think it was
Between 55-65 thousand
The up side is that you now have a government job and it opens a lot of doors
Especially if you get picked up by certain agencies
oh, are there preferable agencies?
If i remember correctly you're thrown into a pool and the agencies select out of that pool
That may be another program though
Sounds cool
An example would be you apply your sophomore year and get selected. The program pays for your junior and senior year of college. At that point you now owe the government two years of work
Yeah, a couple of the schools I've applied to had it so I figured I'd see if the people here had any info.
Thanks!
Not a problem
That is a program that is catered to those on the backend of their degrees
Also, if you want to intern with any of the major government agencies you're going to have to apply your freshman year
Most of them want you for two summers
Wait so you have to apply two years before you're even gonna start doing internships?
