#cyber-and-careers

This is not a part of the Cyber Corp program

I mean, everyone else is in the same boat

If you want to accelerate your learning, build a Homelab

yeah that's the scary part

Doesn't have to be with fancy or expensive equipment either

Well I'm not even in college yet so I don't think it's worth my time RN, I'm gonna just keep going with online courses and such.

A Homelab is definitely worth your time

Shows initiative and allows you to start learning before your peers

Just set up a couple of VMs on your computer and start playing around

Alright, I'll look into it. But I'm still very new to the entire field of Cyber Security, mostly just have programming and general CS knowledge

And I mean I know the junior/no experience job market is competitive but it seems somewhat excessive to start preparing for a job field before even starting a degree in that field

Degrees are worthless paper

Wait till they find out about certs

Can you give tallyERP 9 LICENCE KEY

To by pass

@tribal flicker

No but you can get a ban

is anyone in a grc position?

has anyone done the ceh coursE ?

If you're not located in India, you may want to look at OSCP instead

ive already paid for it unfortunately

RIP

how much is the oscp

?

999$ for the lowest package

I think 1300 is the highest

rip paid 1200 for ceh

oh well ill finish this first and start the oscp after

or are they he same ?

knwladge

Not in the slightest.

ok cheers

See CEH as an get through HR in India pass

OSCP is well respected across the globe

(Still entree level pentest cert)

Check out local job postings. CEH might be relevant and get you through at least HR filters

ec-council is a questionable company but don't worry they got quite a few of us that didn't know...

Yep - I wouldn’t recommend anyone to get a certificate from them also for those reasons. But if one has already handed over the money, there might be ways to work around the cert’s apparent limitations 🙂

Hey guys, so what should i focus on to be a Cybersecurity Analyst

Should i focus on topics related to offense or defense?

A lil guidance is much appreciated thank you

what do you like to do? There are more jobs with defense than offense so defense is a great way to break into the cyber world

Hi there, well my current internship falls under cyber analysis and risk analysis and all that, so yeah i can try defense, and it would be nice to excel in the internship and labd a job hopefully

Are the tryhackme labs for defense a good way to start?

sure! and knowing the offense, makes for a better defense

Yeah i went deep into offense in tryhackme, the two aspects definitely complete each other

Alright then ill try with the defensive side, thank you! @pseudo creek

Gave +1 Rep to @pseudo creek

This is true, but offense will open a lot of defense doors to ;P

Atleast that happened to me

thats just what I said?

Is ceh just requested for pentesting jobs or others?

Depends where you are.
In India, CEH has a lot of respect.
In the US, it has rapidly decreasing amounts of respect.
Outside those countries, it's not very respected at all

I'm in the UK. I've seen it on some job postings but dunno more than that.

Don't bother. CHECK certs hold a LOT more weight

😂. Never knew it was that bad.

It's quite literally a meme

and EC-council has revealed themselves as a pretty gross company

If you're interviewing for a company where the technical teams genuinely holds it in high regard (as in, it's not just HR throwing buzzwords into the brief): run.

You'll spend more time fixing the company's outdated rubbish than you will actually doing the job.

A company that outdated won't even know what CEH is. It's too new.

no way

CEH has been around for what? 20 years?

Give or take. It was one of the first iirc, which is basically the only reason it has any weight

well I took it like 15 years ago and it was like version 3 so...

Well, one of my last major pushes as an infosec engineer was to get Server 2008 out of an environment, 2 years ago..... It's only a little bit of hyperbole.

let me tell you about the Vax system and Dos system I found a couple years ago

that's amazing

yeah, I was amazed

There was a win2k box i wasn't able to make any progress on - the legal team "had" to have it for some old software that required network access.

luckily the Dos system wasn't on the network but I was like... how.... ?! "well it runs this software we rely on, we buy spare parts from ebay to keep it running"

I've seen a couple of XP boxes in the past year

I think we have some IBM z/OS at work for fun stuff

Definitely a POWER6 box that I spied

Oh muiri, I didn't note the XP cuz we found a ton of those

That's promising for my future career prospects 😆

Wow, this just keeps getting better. 🤦‍♂️

If you want a nail in the coffin, EC Council are also sexist, hypocritical thieves 🤷‍♂️
See the scandals earlier this year about the sexist LinkedIn poll (conveniently blamed on the intern, if memory serves), followed almost immediately by ripping off blog posts from 5 or 6 prominent infosec authors (removing the gender inclusive language in the process), despite having notices all over their blog about not accepting plagiarised content

Dam. I was interested in them cause they are offering scholarships worth $1 million. But this isn't good at all. I'll stick to oscp and others.

@quasi stream I see you're in the VC, could you answer this question?

I will reply shortly yo @spiral garden

Thanks

Sorry I missed your pings. I get a lot of them in the Discord and I don't get the time these days to reply to all / the non-urgent work related ones unfortunately.

Essentially, I applied for a role that I was underqualified for. They let me come into interview anyways and got to know me. They created an apprenticeship role that didn't previously exist for me

Nah it's fine

But before that, I applied to maybe 5/6 different places. I was 15 and literally just finished GCSE's so I had no experience, etc

just good work ethic and a personality I guess with a lot of luck😅

hope to get this lucky✨ I'm looking for placements for next year in cybersec and surprisingly enough there aren't that many out there

Hi guy's

I wanted to ask a question

What salary should be given to SOC Fresher

Depends on local market. Rates in areas like LA, NY are going to be very different than Cleveland.

Thank you @flat sedge

Gave +1 Rep to @flat sedge

50k usd would generally be appropriate for smaller cities, 70-80k for larger

Maybe even lower, depends on a number of factors

Any tips to becoming a Security Researcher?

it depends on what you mean by "security researcher"

In this case, I'm assuming they're asking for India given the use of the term "fresher." I'm not sure any of us are familiar with the rates there though. @sacred garden

@stuck rover thank you

Gave +1 Rep to @stuck rover

definitely not going to be the same

much much less from what I'm told

Does anyone know any good cyber sec internships that are available now?🤔

If you would like to be a security researcher, it would help significantly if you had an academic background usually or many years experience in the field with a view to having expert-level knowledge in a specialty in some particular topic or set of topics, and usually this would be informed or influenced by engagement with the field and other experts.

Most people going into research would have a knowledge of a topic, for instance it might be malware research or cybercrime or cyberwarfare or secure programming. If you're going into a research area, you obviously need to understand what topics need research and understand how to develop research questions and follow methodologies etc. Most people doing this would also be already learning or practicing some other area of cybersecurity or usually multiple areas.

Jobs-wise, researchers would either be aiming to work in academia or perhaps in the research divisions of government or enterprise organisations and the path might be quite complex. You'd be expected to have a reasonably high level of experience. Plan for making it a long term path if it's what you're passionate about

Gotcha, thanks for the in-depth explanation

Gave +1 Rep to @rugged delta

Hope you have lots of fun with it

Right now I’m a little confused which area of Cyber I’d like to focus on fully, I’m at a toss with either Engineering or Research, but your explanation was really what I needed

I know how it feels, there's a lot to consider and it's something you should take your time with. It would be good to try out a little of everything, find what excites you and learn as much as you can about it. You can do that by interacting with THM, doing the rooms and other challenges, reading books on many topics, paying attention to experts with a good reputation (people here will recommend Youtubers, bloggers, researchers etc), following talks from conferences such as RSA or Black Hat or DEFCON etc (loads of those on YouTube) and even reading academic papers on arxiv.org or various other resources.

Plenty of us would be happy to point you towards things

From what I have seen, it seems that those entering the Cyber Research field at an occupation level, meaning paid by an organization not bug bounty or similar programs, have some sort of experience in another area of the cyber space

That doesn't mean that you can't do it on your own time by starting a blog, YouTube, etc but I wouldn't expect to be paid at the occupational level mentioned previously off the bat

Thanks guys!

Check out #bookclub for pointers in that direction

Anyone with CEH here? I have a quick question

https://dontasktoask.com/

I got v9

My brother is taking EC-Council Academia Continuing Education Bundle: CEH v11 . It doesn’t say exam voucher is included or not. any idea?

he probably needs to email them... also tell him not to do it

Hmmm. Why is that?

it is valid in India so there is that but not really outside

so if y'all are in India, then its probably fine

Nope. USA

its not a very good cert, isn't well respected and generally time and resources will be spent elsewhere but some schools may require it/give college credit so there is also that to consider

It's still 8570 whatever but so is pentest+ now

And pentest+ is better

Yes. I think he need it for the education. But it’s too pricey

CompTIA is clear with price but CEH is not at all.

Yet another reason to avoid CEH

if he can do a comptia cert instead, that'd be a much better choice

I have to ask him.

It is still a requirement for certain DoD jobs in the US but there are usually other certs you can take in its place...

https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

that is what James said like Pentest+

I hope 🤞 he can take this one. Way cheaper 😂

Thanks guys!!

Cheaper, and not through a company that plagiarise content while removing inclusive language. And not from a company that has been shown to be sexist.

(scroll up here, message from Muir about it)

Ohoooo

While that may be true, I would be careful about voicing that sentiment too loudly. Especially with the high price lawyers they have and companies tendencies to be sue happy

@quick forum Now I know why LOL

I think you'll find it's protected with free speech either way. It's not hateful or untrue.

They won't sue you, though they may for slander, they would more than likely go after THM. While you aren't a paid employee you are technically working in an "official" capacity

I'm most certainly not

They'd need to go after Muir first

Again, I think they're trash too

They'd just go after the company

The claims they make wouldn't even have to be true, they could sue and then drag it out until THM went under

That's restricted under SLAPP

Do you mean Anti-SLAPP?

I'm not familiar with UK law but in the US there is no Federal Anti-SLAPP, it's on a state by state basis

I may be wrong here as well, but I believe the burden falls on you to prove that it is a SLAPP

You can't sue someone for slander if they make a true statement

Like I said, I don't disagree

But.....

Corporate enterprises that take these kind of actions tend to hire very crafty and morally corrupt lawyers

The onus is on the person suing to provide evidence that contradicts the statement made by whoever they're suing, so if whoever they're suing is basing their statement on publicly available information, then they can't be sued for slander or libel or defamation.

You're limiting it to one type of suit though

There are numerous things that a company can claim and then provide evidence for to trigger proceedings

And yeah they might cause trouble for you but they're going to cause trouble for themselves as well. And yes I'm being as specific as I can be, based on my understanding of this particular area as taught to me in college by a solicitor. I'd still recommend getting a legal expert rather than just listening to my advice 😛

And this is why I've never fancied being a lawyer.

Right, which is why I'm trying to be as general as possible and saying to just be careful. I'm pulling from my business law 101 and Cyber Law and cyber crime classes as well as legal proceedings i have watched on court TV. It's a convoluted landscape

In my mind the most likely avenue would be through THM itself and not through an individual

But not a lawyer so

Yep I get that, I've had some law & ethics classes too but I'm pretty sure James is basing his opinion on reliable sources, in my experience he tends to be pretty accurate and precise in the information he provides and sentiments he expresses. He's not going to discredit an organisation in a biased manner and he's not, in my experience, the type of person to run his mouth about things

Right, I don't think I called James' honesty into question. I merely stated that they may want to be careful voicing those opinions in that manner.

Oh yeah I'm not saying you made any remarks like that, you're just looking out for him and erring on the side of caution, a noble trait. But he's also right to call them out on their bullshit and suggest alternatives, once he's basing his statements in reality. There's plenty of info on the web to back up what he's saying, so it's not slander or libel or defamation

A safer response would be "We don't recommend CEH because of certain actions taken by the company administering the certification"

That doesn't/won't stop them from bringing the suit though

Yes but sometimes it's necessary not to make a safer response 🙂

But I'm speaking on behalf of myself.

I do not in any way speak for THM

I'm not an employee in any capacity any more

Are you in a position of responsibility for the official THM discord? I could see it being argued

You and Muiri are two of the highest non-paid positions here

The discord is not an avenue for official support or anything beyond a community

Moderating the discord connects me to the community, not the companu

Alright, I'm not going to continue to try and make my case

CEH - trash cert, EC-Council - Trash company 🙂

true story

in my time, this was IRC

no they call discord channels

this is discord

irc is something separate and still exists

I still use IRC on the daily; my employer's engineering teams use it almost exclusively.

internal IRC?

I think we use netcat more than IRC for chatting
I think we're trying to get some BBS stuff working internally, but that's less for productivity

i got to 2nd stage and failed on labs, shame really

Hi! I am a second year undergraduate computer science student. I am thinking of applying in some sort of a research internship in computer security in any reputed university (reputed for their computer security research/curriculum standards). My motivation for doing so is because I want to work on some real project (could be of vulnerability research, or maybe implementing security tools like fuzzers, sanitizers, etc.) under the guidance of some experienced people, so that I can learn more. I have basic experience in computer security, mainly binary exploitation and reverse engineering. I have fair bit of programming experience, and have done moderately small contributions in open source (mainly https://github.com/rizinorg/rizin, a fork of radare2, focusing on stability and under rapid development, do check it out :) BTW, these are the same guys behind https://github.com/rizinorg/cutter, which is also awesome). I would say I am proficient in C, C++, Python. I know fair bit of Java and Rust. My interest is in systems level security and programming (operating systems, drivers, etc.). I am looking for an research internship where I hope I get to do some "practical" work, i.e. I just don't scroll through whitepapers and publish yet another whitepaper. Instead, I wish to maybe create a new tool, or do some sort of vuln research. Right now, I don't know much regarding this. Any input will be extremely valuable to me. Feel free to reach out to me in my DM if you think I should provide any more details. Thank you very much.

ahh this happened to me too, I was only able to complete about 80% of the labs but I learnt a lot while doing it so I guess that's good

Hi guys, so I'm currently a Software Engineer 1, with maybe enough experience to be a SE2 (atleast in my current companies eyes). I have an interest in infosec and have been going through tryhackme courses.
One thing that I want to find out more information on is, if I hopped over to the infosec industry would I once again be entry level? But for a lateral movement like this, what I guess "level" should I aim for? I want to be in infosec but I also don't want to take a big paycut to do so. But I will admit im not well versed in infosec/networking.

I know every one wants to do pentesting, and I also know its not something you just get a job and do.

Basically how should one progress or approach a switch like this?

it depends... basically if you jump to application security, your level would probably stay the same, sometimes jumps to pentester for example may require a level drop

apparently the way they score is by the Top 5 highest point ones you do. So doing lots of little ones never seemed like the way to go, I just focused on level 5&6&7 difficulty ones, but i saw people were doing 8s so I kinda figured I wasn't gonna get in:/ a lot of people applying for it already have experience in IT unfortunately and I'm just a college student lol. I only completed about 60 labs.

ohhh that makes a lot more sense, I had no idea how it was scored, I thought it was just people who completed all of them got through. And same, I didn't have any experience when I applied either so it was all new for me as well. Good job completing 60 labs though, it's not easy when it's your first time and that's a lot to have been able to do. The level 8 ones were so difficult though, I don't think I got any of them :')

Yeah in the emails sent about 4 days after giving lab access they specified how it was scored :/. Thank you, I really did give it my best shot and I'm sure you did too:) now just looking for other opportunities (hopefully an apprenticeship where I can learn lots from peers and by doing).

What are you doing now?

@thorny hull

ahhh, I wish they had said before hand :/ thank you, I'm proud of us :) good luck with getting an apprenticeship, it sounds like a really good way to get experience
I'm currently a computer science student and I'm hoping to work in cyber security when I graduate but I don't have any modules in cyber security until my final year so I'm trying to learn as much as I can in the meantime and maybe get an internship if I'm able to

Gave +1 Rep to @south birch

I'm considering uni too, coventry does a masters in Ethical Hacking & CyberSec w a placement. I would much rather go the route of apprenticeship + certs tho, it's just hard to find something from what I've seen. I bet you could find a good internship, I've seen some advertised on indeed for students. Good luck with THM though it really is a good platform :p

yea I was looking at some masters degrees too in cybersec as a potential option but I think I would also prefer apprenticeships like you, plus uni is a lot of money. I have applied to some internships and have an interview for one next week but I'm quite nervous about the technical interview questions because I've never done an interview before and I'm not quite sure what they ask and if I will know how to answer the questions but we'll see how it goes. thank youu, I only started using THM yesterday but I've been really enjoying it so far, I'm excited to keep using it ^^

Gave +1 Rep to @south birch

google some common questions and that may help, they know you're an intern so hopefully they would be easier than a full interview. Best of luck and keep going:) I'm going to do some labs rn I think

thank you so much, I really appreciate it! good luck with the labs, you got this ^^

Gave +1 Rep to @south birch

Lmk how it goes I’m in a similar

will do :) good luck with your interview too!

hi guys, so i have a technical test as junior pentester next week but i have no idea what kind of test it is. any help or suggestion?

Hi Guys.
I want career advice in perspective of EU. Recently I've given a penetration testing certification PNPT. Now that after passing it I've been looking forward to learn something more, I've researched jobs in EU and found out most of the jobs required skills such as Detection, Analysis, Risk Management, Incidence Response etc....Which are more Blue Teamish. There are way less job out there for Red team as compared to Blue Team.

Q. What in your opinion should I start with cause I've no idea about blue team as compared to Red team.
Q. What should I focus on and what cert should I look up for as a beginner? OR should I dip my hands in cyber industry meanwhile learn and understand broader perspective rather than just cert route..

you'll learn far more on the job than you will by studying any certification

you should leverage your pentest knowledge to be able to spot malicious traffic. Blue Team isn't difficult; it's about knowing what to look for. Identifying lateral movement should be easy, because you, as a red teamer, should know what lateral movement looks like

Makes Sense.
So should I start out with SOC L1 or Most of the youtubers say "Get your hands dirty in IT Help Desk and move into Cyber later"

IT Helpdesk is meh, imo. You learn more of the sys admin side, but if you're already comfortable working in Windows userland, you won't get much from it

SOC it is then..
Thanks for Guiding me. 😇

gl, take a peak at some Splunk training. They have a couple of free videos (formerly a course called Fundamentals 1) which will get you working with various logs and datatypes/sources. Knowing how to generally analyze logs will give you a major edge

hi guys, so i have a technical test as junior pentester next week but i have no idea what kind of test it is. any help or suggestion?

May be a kind of CTF or just questions, however you can take a look at the reviews from other people who applied there, usually at sites similar to kununu there are plenty even for startups, and there might be information about interviews.

sadly i cant find any information about the test. the company is not listed on kununu as well

have you checked their linkedin? do they have a youtube channel? social media?

is there really a shortage of cyber security professionals?

also it seems like everyone wants to become a pen tester, wouldn't that just make it hard to get into the field?

A vast majority of the people who all wanna be pentesters don't actually have a single clue what they're doing. The reason that it's harder to find red team jobs than blue team is cuz there's like 5 times more blue team jobs than red team

There is a shortage of senior level / experienced cyber security professionals. There are a ton of entry level

I'd say it more that there are probably 10+ times as many blue team jobs than red team

So what would be the safest option to go for, idk whether I wanna go red or blue yet btw

or actually depends how you define blue team, but there are 10+ time more cyber jobs that aren't red team, than there are red team jobs

blue is a good entry level bet

red team is generally considered an intermediate type role although there are some entry level red team

Fair point

Also important to note the difference between the general "red team vs blue team" and an actual red team.
Working as part of a red team is very different from working on the "red" side of security.

huuh

that just confused me

so what would be a good recommended path I should take (ik zojja said blue but I want a more specific answer)

TL;DR: "Red teaming" is a job in its own right. It tests security posture, rather than technical security (pentesting).
People lump a lot of different "red" jobs together though, so you can say that you're a pentester and on the red side of cyber, without actually being on a red team.

what is security posture

oh

just googled it

Security posture is how resilient an organisation (or individual) is to being breached.

Might help if you started reading books/websites and watching videos/doing courses on a few topics in the field

Very true

H👺 :

How i make carrer to cyber securite

heyy guys i m a student french and i have questions about somes things like usualy, a french pentester with french certification have a chance to found a job in US or Canada ?

if you can tell us some of the certifications you might get over there, we can advise better, but generally:
CompTIA
ISC2
Cisco
Offensive Security
GIAC/SANS
EC-Council
and similar orgs all carry weight over here.

Mhhh okey thank you it s perfect

And do you know RNCP certification ? It s French certification and work in eu too i Hope for that work in us or Canada or out the eu but i don t think so...

It would likely have to be something the employer/recruiter recognises or you would need to give a breakdown of the skills you learned. Most recruiters will specify appropriate certs but may accept equivalents if they're sufficient. If not and you can demonstrate your skills through a technical test they give you then the skills you have might help.

It would benefit you to network with recruiters in the places you want to work

Don't just cold message people though. It's a good way to get ignored and blocked. You'll also have to look for sponsors on both the US and Canada. US you'll need a corporate sponsor for a work visa and I believe in Canada you need someone to sponsor you for 7 years if you want to move there

I see thanks for your help and times !

hey everyone. im looking into making cyber my main career after 4 years in retail. I'm currently taking my math GCSE exams next year. so im really just looking to make a plan sort of to know how i can break into the industry! my main question is what are the pathways into the job? i see there are a lot of courses that get you the certs but a lot of them are fairly pricey are they worth it? i have started tryhackme and im thinking of going pro with it

(im in the uk btw)

Certs are an investment in your future.
Yes, they're expensive

Usual path into cyber is something like a junior soc analyst, but often people start in IT and move over to cyber

^ i recommend starting a network+ course now (professor messer on youtube is free) and then you should be ready next year to take the exam which would give you a head start

Hey guys, quick question.
Is it necessary to have a degree in computer science/IT, or does it work if you have any another STEM degree as well (mechanical/electrical/biomedical engineering, or math/physics, etc)?

You don't need to have any degree

depends on where you live

I live in Germany, I have the chance to do masters rn but with my bachelor's in a different STEM field, I am in a slight dilemma whether I should pursue a master's in cybersecurity, or the same field that I'm in

Also, is it possible to move to cybersecurity with 2-3 years of experience as a data analyst/scientist?

so in order to get into cyber security. i need to really achieve a basic it career first

or knowledge of one

hey what learning path should I do in order to get into pentesting after the pre security path? I see that both jr pen test and complete beginner both require only the pre security path

Is it true that to get into it is to learn and complete INE's Cybersecurity course, doing hands-on things like HTB, TryHackMe, and/or taking eJPT? e.g a highschooler with a passion of this and eagerness to learn could take this path and get somewhat progress

you could do both considering rooms overlap so if you pick one and the same room is in another path it will already give you progress, so its not like you will really be wasting time

you can choose either to start with; some of the content overlaps so i reckon take a look into each path and see which you like more

snap

hands-on is the best thing you can do in cyber security, but you also need to make sure you know the basics/theory

the eJPT course is free from INE and it's decent so that's somewhere to start, and coupling it with tryhackme

should I do jr penetration test or offensive pentesting first?

again, content kinda overlaps

any recommendations tho? im gonna do both anyways

probably jr pentester first, since it goes over the basics quite in depth and seems to have more walkthrough type rooms

whereas offensive pentesting looks like more challenge rooms

yeah def jr pentester first

What possible services can be given by Info sec Beginner as freelance

Please don't ask the same question over several channels

Hi

unlikely any.

anyone looking for a pentesting job in the uk? dm me :)

@languid hearth @languid hearth

I need help

Is somebody there?

Ask your question

Don't ping spooky repeatedly

what exactly is your question?

Hello guys

😏

i thought u had a job

well

I do

but

gotta collect 'em all right

hehe

i can send it to you if you want

yes please

Does anyone in here work for Mandiant or have recently worked there?

Please direct message me if anyone works at Mandiant. I have some questions about a position I am going for. Thanks in advance

Just ask your questions in here. That way future people who may have the same questions can see them.

True that, but I am still waiting for someone to say they were at Mandiant. Ha!

Again, just ask. There is a wide breadth of knowledge here

So, with my work I can get £2,000 x3 (can use once per year), to spend on education. I have to spend the full £2000, I don't get the refund if it's lower. What certs should I start on? I have 7 to 8 more years in my current job - so I have a lot of time to focus on education. Not sure the exact route I want to focus on but securing a business from external threats interests me a lot. I also am extremely interested in working in the government role in cyber security.. as I already have a SC/DV

sounds like you’re in the uk, so you’re going to want to look into becoming a CHECK team member, and eventually a CHECK team leader

Hi folks. I'm looking for internships in security. I was hoping to get my resume reviewed by some professionals in the field. Let me know if you can spare some time. :)

Post a redacted resume in here

You'll get a bunch of eyes on it

I don't think we can upload files here

You can if you verify

!docs verify

Once you verify you can post an image of the resume

Dumb question but do you guys think a business/IT degree would be good for cybersecurity? (I can't afford Computer science lol)

Upload an image, people aren't going to want to download a random PDF

What type of degree is it? Is the program accredited?

The program is acredited. It is new tho ( release like 2 ish year ago). It is a 4 year degree with 14 weeks internship.

Cyber Security isn't necessarily entry level to begin with so you're more than likely going to have to start in IT or a SOC

What university/college?

https://www.stclaircollege.ca/programs/honours-bachelor-business-administration-information-communication-technology

Canadaaaaa

I don't think that's an IT degree

Is it?

it is actually. it's a 4 year degree offered at a college.

It's weird here in canada. We don't have associates degree instead we have diplomas

No, i mean this looks like an MBA with a little bit of how IT works sprinkled on top

I took a look at the site but I'd be interested to hear what some of the CMs have to say

It's an interesting program, I want to look at people who already graduated and see where they work now but the program is only been out for 2 years lol.

your address is on this. you may want to take this down and redact all your private information

I've been an IT generalist for a year, and I'm going to be running a small state agencies IT (Building from ground) is this enough on my resume to maybe get an entry level red team job of some kind

also, if my resume isnt quite up to snuff yet, what can I do to get it there, and when will I know its ready

Red teams will want Cyber experience and certs. I'd look for job listings for red teams, see what they are asking for and see what gaps you might need to fill

Should i get a degree if im interested in cybersecurity and like programming but not enough to do computer science or something

Or should i go directly go into job hunting etc and get certs

This is an often asked question. There's no right answer other than what you can decide fits your life better. Three main paths to get into IT are 1: self study and practice with home labs only (with or without certs)... 2: University path, computer science is usually highly recommended if this path, but others also work (with or without certs)... 3: tech boot camps, rigorous and potential to be more focused than uni, but lots of variation in the market (with or without certs). Research each and see what works best for you. Hands-on experience or work experience will be the most valuable

Are cybersec jobs remote? I'm thinking about getting my OSCP when I'm 17 (hoping for an exclusion) but there aren't any cybersec offices in the nearest 90km (which is like, 20% of my country)

In addition to that, is it likely that I can get a job as minor because of the OSCP cert?

Search for jobs, see if they mention fully remote and see what the requirements are regarding work experience.

A very large enterprise will have different requirements than a smaller business. Increase your chances by understanding the job market in your area before you spend money on certification exams. 🙂

You just need your parent's approval

I believe as long as you're 16 and above, you can get hired in the EU

Yeah legally but I mean it like do they actually hire a minor for work that's not stocking shelves

Lol. Idk

Trying to get hired myself

Hello, mates.
I need your advice. I'm a good developer (web, desktop app, services, etc.) with more than 10 years of experience and I want to change my career to cyber security (penetration testing, ethical hacking). I got some THM paths and learned many things, but still, I don't understand how to slowly move to my goal. I'd like to practice (or at least know what I need to do) maybe as a junior assistant but I have no idea how to do this and where to go.
I can take some certification and search for a Junior job position, but it's quite difficult without any practice.
Maybe there is a team that needs a good developer and we can exchange our experience?

Iam new here anyone please guide

I am in commerce field if get oscp certification . Can I get job as a web penetration tester

Yes but there is a popular misconception that OSCP guarantees you a job, it does not. Also, for web app testing I'd much rather have someone with web development experience than someone with OSCP which covers rudimentary web-testing

This is excellent advice, not just for OSCP, but also for any cert, degree, and even experience. Nothing is guaranteed

I think offsec also just put out a 200 level web course?

yup

i really don't understand their subscriptions.. if you would like to do their new SOC-200 and also WEB-200 you have to buy the Learn Unlimited subscription plan for $5499. that is crazy.. and you can no longer do PEN-210 without the subscription plan.

whats the diffrence between penetration tester and cyebrsecurity engineer

the latter is pretty broad umbrella. They might be for example designing security aspects of a system or deployment.

Yeah it's really targetted at businesses

Hey I just recently passed the Sec+ and I was wondering if anyone would be willing to take a quick glance my resume.

it's really annoying because I'm interested in doing WEB-200/WEB-300/EXP-312 but I'll save approx 0

Redact all your PII and drop an image of it - those of us that cycle through this channel will take a look at it

I think if you are doing 2, the best is probably to email them and ask about that, lots of people have interest in doing 2.

but yeah, I'm doing it cuz my employer is paying for it, I'm going to investigate web-200 after pen-200

has your employer purchased for you separately PEN-200 and the Learn One subscription for the WEB-200, or you have the Learn Unlimited subscription plan?

I have the Pen-200 Learn one subscription, once I'm done with this, hoping to ask for web-200

also they said they are releasing a web-100 which will be part of the subscription plan

good luck with your studies.

or I may be like 'screw this, I'm done' 🙂

@flat sedge Thanks

Gave +1 Rep to @flat sedge

So here's my thoughts: Resume Summary isn't a category I've ever seen on a resume, maybe it's a canada thing; Objective is something I see much more commonly.

Looks like a personal statement type thing to me?

Maybe 50% similar to what we'd do for a lil bit at the top of a CV?

Professional Experience section looks fine to me, overall. If possible reduce the # of bullet points in the older sections, unless you feel like the resume is losing out by reducing those

Hard Skills should be a summary section and not an aside - especially if you can tie a technical skill to a specific role.

Education and Professional Certifications are different things, it is inappropriate to put CompTIA as Education

Consider adding a new section for certs

It's not really a personal statement though; it's a summary of the rest of the resume. The point of the resume, IMO, is that it is the summary of work and relevant personal experiences. The Objective shows what the candidate hopes to get out of the role being applied for

I'm with Juun on that one. No point in summarising something that should already be a summary 🤷‍♂️

@cunning spruce Also tailor the resume to each role you are applying for. Emphasizing different parts of your background that will be more relevant to the target role can be the difference maker when the recruiter or hiring manager reviews your application

I'm a student who's going to graduate soon and I'm thinking of having my own personal brand or blog to stand out and have something to showcase during job interviews. So should I code some scripts, publish some CTF writeups or what? What are some good starting points to creating a personal brand?

yes

When you do make a blog, (1) don't use medium, and (2) don't write like 2-3 posts/writeups and just abandon it

When I was reviewing resumes from our tech recruiter, I preferred to see the highlights. I didn't need to know all the job responsibilties, just the ones that pertained to the role we were interviewing for. If there is a way to tie anything to the listed reqs, do it

For example, working retail or food service still ties into GRC through 'client/customer expectations management'

@flat sedge Thanks for the feedback, you're right it sounds wrong it might be better to stick with objective

Gave +1 Rep to @flat sedge

@peak wind Interesting, as much as I don't like to lie on resumes, I understand theres the real you and a "resume" you. While those "point form" tasks are real, I dont know if I can attach metrics or essentially expand them. That being said it's something I can take a look into thanks for the feedback 🙂

@peak wind Thanks Dont wanna skip the award lol

Aww maybe theres a thanks cooldown

How do you give thanks/+1 rep? I didn't realize that was a thing earlier when somebody helped me lol

Reply to a message from the person and say some form of .thanks or @ them with it

Thanks!

Gave +1 Rep to @stoic cave

I shall go back through and see if I can find the one from earlier to give due credit 🙂

Why not use medium?👀

Because they A) monetise your content, and B) have a nasty habit of just deleting hacking content.

Always own your platform

There's always the option to do both which I am until or if my posts get yeeted

I often skip reading content just because it's in medium 🤷‍♂️

Their reader experience is pretty awful as well.

That's kinda funny ngl but yeah I do both so I come out on top. Medium to tap into the native audience and github pages for a better feel/in case it gets taken down.

Any Tips on Technical Interview ?

Do you have anything more specific? Is it just "technical interview", or is it going to be coding, systems design, younameit?

What role are you interviewing for?

it is for JR software developer

General tips:

• Stay calm
• Stay focussed
• Don't be afraid to take a break. Water, coffee, a short walk

Make sure you understand the questions properly. Don't be afraid to ask for clarifying questions.

I am little bit panic if they ask me to write code

If they do, try to stay calm and focus on the problem. Talk through what you're doing and why.

Don't get stuck on details. Usually it's not an issue if you forget something like the correct name of a function or method you're using. If you do, explain that you don't remember the exact name, but use this instead.

If they're asking for you to code, code in whatever language you're most comfortable with - if they give the possibility to do so.

Thanks for the Tips @ebon mica Really really appreciated

Gave +1 Rep to @ebon mica

whatever happen i will learn for sure

😄

That's for sure 🙂

How soon will you have your interview? If you're uncomfortable with coding, try doing some practice in some of the services listed in posts pinned in #programming.

And it won't hurt to get used to working with typical data structures and algorithms.

I'm not sure but I have a feeling level 2s may need to be familiar with malware analysis and RE. I'll ask a friend.

This seems like something that would vary from company to company, I would look at what the job is asking to figure out what they would be doing

Hello 👋 Anyone knows/recommends a good resource on security researcher career? Interested in knowing more how the daily life looks like, how they pick targets, structure research and don't rip their heads off after a few not finding anything.

That's a very loaded question

Because the role is so diverse.

You have people researching/making new security tools

Malware

Browser exploits

Etc

Then there's what bugcrowd calls their bug hunters

In the likes of James Kettle

thats like 20 different roles combined into one -
we have 3 different SOC levels; Level 1 analysts have "eyes on glass", they are looking at every alert coming through the SIEM and triaging the really simple cases - any weird alerts or P2 incidents, gets escalated to Level 2 analysts.
Level 2 analysts handle harder cases that can't be resolved quickly and have more incident handling responsibilities where they are actually touching systems.

Level 3 analysts are the threat hunters and detection engineers, they have the least interaction with the day-to-day alerts, but drive how the SOC functions the greatest.

what level are you Droogy?

Between 2/3 right now until our SOC matures more, but threat hunting is most of my day-to-day waork

oof thats rough, you shouldn't be doing all that work - especially preparing playbooks and procedures but I get how it is in some orgs, fighting the good fight!

we use a custom risk matrix to assess incidents - how many workstations impacted and the risk to business associated with those workstations are usually the deciding factors

i.e. priv-esc on a regular user workstation - P3, priv-esc on our SQL server - P2

yeah good threat hunting is hypothesis-driven, thankfully our director is very technical and cranks out hypotheses to drive hunts, takes the guesswork out of it

Not to spill proprietary info or anything, do you do bayesian analysis as well?

nothing proprietary about what I do haha, I don't but I would think Naive Bayes is implemented in some way via the EDR or NSM we use as part of the ML capabilities, our SOAR probably does too but implementing that algo among other data science-y things are on the roadmap once the team matures more

Bayes' theorum application is difficult - quality of input is so hugely important. Mis-rating an input can completely ruin the rest of the test data

we are mapping our maturity model to Sqrrl's old hunting maturity model, right now we're just about in between 1+2, 3 is where we bring in the math nerds

makes sense

but yeah the extent of the data analysis techniques I was taught to use with our data sets are searching, stacking, clustering, and grouping - not sure if those are "actual" data science things but I'm definitely realizing how complementary and important that field is to infosec

statistics gets a bad rap for 'making numbers do what you want', but that's some of the essential statistician knowledge

.... Right, and was it about how to propogate intentional dishonesty and misinformation?

That's at least more intellectually honest than I was expecting from that title.

Hum, you're right. I'm interested in people that do web research for security products like SAST, DAST, etc

Hey I got selected in Interview but i messed up in salary part how can i increase it now ?

Messed up how? Presented a figure too low?

Yeah i presented too low

I guess he guideline is to not initiate talking about numbers. Just say ”I don’t have a specific number in my mind” or something

But the values is decided and he told me you can talk to your parents if u want

now how i say around these number i want my salary

Is there minimum salary in your area?

yeah but i said more low than that

"after doing some careful thinking and consideration - I think that X would be a fair number for this position. I got this number based on current market rates"

i am scared if i say high are they gonna yeet me ?

if you ever negotiate, that's a risk you have to be willing to take.

Jobs come and go. That's why they're called jobs.

Careers stay

ok

i am gonna copy and paste in hr's dm

Hey guys just a quick question. In January I am going to join a cybersecurity team in a energy producer company and my knowledge on cybersecurity I believe I can say it is in the beginner level. I would like to take a certification during December that can leverage a bit more my knowledge and confirm the knowledge that I have now. Is there any recommendations to have a certification both good in IT and OT?

At some point I will need to perform activities such as audits on regular IT and ICS/OT environments

Seeing you have only around a month time, it would probably be better to just play CTFs in THM or HTB and learn from youtube, etc. In my opinion any certificate that would take only 1 month to finish is not worth it (unless you can do OSCP ofc but 1 month is pretty unrealistic as it takes around a week I think to only get the learning material and another 2-4 to just go through it)

I think cisa.gov does some sort of training in that sphere

Thank you! I started looking into security+ but it is entry level certification and it does not cover much in OT. I enjoyed the rooms in THM and will look what makes sense. I also looked for GICSP but it is very expensive (GIAC)

Gave +1 Rep to @lament socket

Will have a look, thanks 🙂

@lone gazelle https://us-cert.cisa.gov/ics/Training-Available-Through-ICS-CERT
and on the calendar we've got ICS cybersecurity from dec 13-24

haven't checked them in a long time, but if I remember correctly they were way too expensive to pay for unless your company is paying for it. Though I've heard they have pretty good content.

Tbh if I had a choice between a single GIAC cert and Learn Unlimited. We're going Learn Unlimited

SANS classes/GIAC certs are great especially in the wide variety of topics they have. If someone can sit down and dedicate hours, like take a few weeks off of work, a Learn Unlimited may be worth it. The cost vs value of Learn 1 vs Learn unlimited is 3 certs. If someone can get 3+ certs in a year, Learn Unlimited is worth it, otherwise, I'd go with Learn 1..

It takes a lot of mental energy and drain to do 1 of the OffSec certs, 3 may be a challenge for most people.

And then there's Spooky

🐒

I just failed SOA so

and I've got OSED on friday

I'm enrolled in Learn1 right now and I think the idea that I get a year of lab, access to PG practice and 2 cert attempts is great and gives me a high confidence I can pass. I'm figuring my first cert attempt will be around June. Working full time, even studying daily, I'd personally feel pressured to try to get 3 certs if I had the learn unlimited. If you tell people they should shoot for at least 1 cert, possibly 2, and 3 at a stretch, I imagine you'd have success. You'd be overspending for most people but hey thats what happens sometimes

hubs is doing OSED today and I'm biting my nails

i might reschedule tbh

SANS classes really helped me kickstart my cyber career

sans is really great for getting up to par with a certain skill really quickly

I learned network forensics far faster than I would have otherwise tbh

Is it possible to get a job in cyber security without a college degree

yeah, I did an incident handling and reverse engineering course, both were great, I mean tiring after 6 long days but labs were great, courses were great

yep

I already have a security clearance

I just need to figure out what certs are best

just click on 802.11-0day's name... (just kidding)

what certs do you have?

security+ is a standard entry level cert

Registered nurse. That's it lmao

oh! no worries

you have ASN? I'd still list that on your resume

I plan on getting security plus. There are just so many options after that

network+ if you don't have an IT background

Bsn

well thats a degree... I mean I understand its different

but cyber seems to be the most willing area to accept people from different degree areas

I'd get a network+, start applying to jobs, get security+

Any reccomendations after those two?

well after that, it depends on what you want to do

but those should be enough to get an entry level position

I like the idea of pentesting rather than admin/network monitoring etc

monitoring (SOC analyst) is definitely more standard entry than pentesting as entry level

but OSCP is a good pentesting cert to have

@pseudo creek can I dm you about a job offer I got?

sure? I'm not sure if I'd be helpful but I can try

Pentest is usually the step up from entry. A common pattern is SOC for a year or two, then pentest.
Not to say there aren't exceptions. I started in pentest at age 20

(or spooky there)

Nice! Yea I am worried a bit about starting in an entry level position. I think I will take a big pay cut from my current salary

Hello! I'm new to the InfoSec world and haven't received any certs yet. Right now I'm learning basics with a base of Graphic Design and Web Dev. What cert do you guys recommend I start with? My goal is to eventually have my CEH.

CEH is only really useful in India

Really? Then what's best for the US?

If I don't have to pay for that test, that would be awesome.

Pentest+ checks the same DoD 8570 box

Sweet!

So, do I only need the Pentest+ cert? Or should I work on getting my Networking+, Security+, A+ certs?

I can't really answer that.
You only need Pnetest+ to check the box

Ok. Can I DM you about a more sensitive matter? Nothing bad, just curious about something that doesn't belong in public chat.

I'm not sure I'd be helpful, I'm not US.

That's ok. It's more of a connections thing. Like do you know someone type question.

If you are going for DoD, expect to have multiple certs to check the various boxes based on the role and seniority needed for that role.

Yep

There is no one cert that fills all the boxes

Oh, I know I'm going to need more than just the Pentest+. I'm just trying to figure out which ones, specifically and what order to do them in.

Are you going for a cleared job?

What do you mean, "cleared job"? Like security clearance?

That would be nice

Yes, cleared jobs are ones that require clearances

Ah. I don't have a security clearance yet, but I am looking at government jobs.

Depending on your background and role you are eyeing, specific certs may be required or may not apply. Nothing like spending thousands of dollars of your own money acquiring certs, then realizing they have no impact on your career trajectory.

Rule of thumb is, if the employer doesn't value the cert, don't do it.

But you should still have time for personal skill and knowledge development

Ok. I'm still trying to get my foot in the door and the first one I was asked about (and the one that sent me down this awesome rabbit hole) was the A+

so, I think starting there is a good idea, but I'm second guessing myself now.

A+ is unnecessary for most cases if you already have an IT, CIS, or CS background

I have a graphic design and web development background

A+ is basically the 'do you know how to install a NIC and do basic configuration'

Having a brain fart. what's NIC?

Entry level support

Network Interface Card

ew. don't want to do that.

Oh. Yeah, that's easy.

When you say 'web dev', what do you mean?

back end coding. PHP, Java, HTML, CSS, JavaScript, and SQL

Basically, I can make web pages be pretty and work.

That's a useful background to have.

Cool. Gave me 2 certs out of it: Web Dev and Java.

That's a decent place to start from.

Next step on your security journey that makes sense to me is to integrate SpotBugs into your java dev environment, and see what kinds of bad patterns you can find

Ok. Thanks. i'll start there.

Um... what room on THM do I start that in?

It's not covered on THM (yet)

Oh.

I wanna do some code review content

I've had some ideas for some SAST content, but I'm still in rough planning due to RL and being a mostly responsible adult

What's your java IDE?

Eclipse, IntelliJ or something else?

Oh jeeze. I don't remember. it's been 9 years since I've really used Java. So I'll be brushing up on that first. Eclipse sounds familiar.

Eclipse and IntelliJ both have plugins for SpotBugs

oops

SpotBugs is a simple SAST tool to verify secure code patterns

I'm cleaning my keyboard and trying NOT to push buttons and obviously failing. Cool. I'll look that up and see if I can find an environment to check it out.

for a set of default code patterns; orgs that use it will typically tune beyond that to also validate that devs are using good style as well

Cool. and I just remembered that my roommate can set up VMs for me to break and not worry.

Setting up VMs is really, really easy.

Anyone familiar with MarathonTS? Reputable?

I'm not. What are they used for or what are they?

Looks like headhunter/recruiting

Oh. Them. I think I've been found on Reputable before, but unsure. It sounds vaguely familiar.

I've looked at MarathonTS before and cringed at the obvious stock photos.

Yeah they were reaching out about a fully remote position at the DFC

@lunar juniper Please don't DM without asking. It's against server rules, and the questions you asked me may be more valuable when answered by others within the community as a whole, my perspective is just my perspective.

Hey, i have two questions if anyone could shed some light one me rq

1. What are the must know if i wanted to become an info security analyst... If you know that is

2. As a student what are some jobs to earn as a student in cybersec field?

These are some super generic questions that are kind of hard to answer specifically, I recommend checking out this room https://tryhackme.com/room/startingoutincybersec

also if you can I highly recommend against a job in infosec while a student. I try to balance it myself and it’s practically impossible. Rather I encourage internships, community involvement, self study, and open source development

thank you

Very general question but would I need a bachelor's degree to be hired as a hacker or does it not matter

Most of the times it does not matter if you have the skills. However you may come across as*hole companies that may discourage you by saying that they can't hire you because you have no degree or smthg like that. But just don't deal with them anymore and continue to the next one.

I'd recommend doing some recon on your target and seeing what they are asking for. Apply even if you don't meet their wishlist, but at least you'll have an idea of where you stand

is A+ useful as an entry level cert or should i just start with net+ etc

A+ Net+ Sec+ are all useful entry certs

But yes A+ is useful. the more knowledge you have from ground zero the better of that you build skills on top/around that.

A+ is sometimes required for certain help desk jobs, if you know the info of A+, you can generally skip it

Can someone tell me what are 5 different types of exploits / hacks ?

Have you tried consulting your favourite search engine?

yes!

However I am trying to make a minigame, and I want the 5 'hacks' to be in the correct order and to make sense realistically

they need to be in order, and you progress through each of them

You're wanting a five-step kill chain for exploiting something?

This ?

• Reconnaissance
• Scanning and Enumeration
• Gaining access
• Maintaining access
• Covering tracks

Hello, I am interested in the field of computer forensics , is there a demand for this kind of job ? Can I learn the basic things on THM ?

yes, THM can help you build a foundation for that, but you'll need other resources for forensics like https://dfirdiva.com/

Yes, something like that

The goal is to hack a 'black box' that contains $ in the minigame

Something more like:

• Phishing
• Password Cracking
• Server Acess
• and here i am lost for last 2 steps 😄

Is there a list of all jobs in cyber security or ethical hacking ?

NICE tries to achieve this https://niccs.cisa.gov/workforce-development/cyber-security-workforce-framework/workroles

If you want to start a career in cyber security should you focus on a single path ? Like Incident response or penetration testing or foresniscs or SOC analyst etc

I'd recommend giving each role a bit of a trial, see what you like and what you could see yourself doing daily for years

not when you are starting off, generally you want to focus on IT before switching into infosec - but if you feel ready to begin that path you should have defensive and offensive knowledge to become a good security practitioner

buffer overflow,sql injection etc

I second what Droogy said. I am suffering the fact that I've never touched Active Directory and it's on every single company I've talked to. Thankfully the THM labs and rooms related to it saved me. So if you can get a syadmin job don't think you will be wasting time on the position if you plan on getting into cybersec. On the contrary, all the stuff you learn (AD, outlook/mail admin, O365 or GWorkspace, doing backups, basic networking) they all come in extremely handy later on.

Guys can someone tell what to do after college for to get in pen tester

Well, you could search for pentesting internships or go to a cybersec bootcamp at one of the big consulting companies and try to get into pentesting or just start working in IT/dev while studying pentesting on your spare time (THM wink wink) before trying to get a jr role

Ok thanks

Gave +1 Rep to @twilit arrow

@warm hinge also best pentesting certificates

if you mean the ones that will be able to land you a job?? Ehhh, that will only get you past the first filter. In that case you need to look at the job postings in your country and see what companies are after.

I would advise trying to have an employer finance your certs. Don't spend money on certs if you aren't 100% sure it will help you progress on your goals.

Certs are not a free ticket to a job. You'll need to actually know what you're doing. The best way to get a job is experiance. Internships and such are invaluable

The biggest thing to get a job in security is trust. That can come from personal relationships and being vouched for, it can also come from a work history. Either way, attitude is much more important than technical skill to start out.

with CEH v11 cert, how much salary I can expect in the Penetration Testing jobs (in India)

I think the salary is mostly based on your skills, experience, soft skills, and company's budget not on the certs you have.

You're indeed correct! (And also how many people available for that role there are. You know, supply and demand.)

Does cybersec as an industry make more bucks than software development?

I can find all sorts of SEO blogs on it but I believe it for a little bit

'depends'

there are stories of senior developers in silicon valley making $500k+... that money isn't as accessible for cyber unless you are in management

I don't think most CISOs make that much

yeah thus management

IIRC CISO avg is 200-350k? mgmt usually gets paid on the backend with RSU and performance bonuses

so those numbers don't show up the same way as an engineer salary

I dunno exactly but our cyber techs can make 200-350k, I'm guessing our CISO is probably $600k+ with stocks and what not but again its harder to gauge

I can safely say from looking at both my country's salaries and USA's salaries: That is definitely not the case for the moment being and for most cybersec positions. To give you a measure of what's happening in my country: Most cybersec positions are around 700-1500 USD per month while programming goes from 500 to 7000 USD per month depending on the technology stack and seniority.

wth?!

Isn't 700 way below minimum wage?

salaries should be looked at from the perspective of the country you're in versus just looking at it from USD

If things are cheaper in your country, you generally will be paid a lower wage because the expenses are lower proportionally

The minimum wage in the US is 7,50 or so

Yeah sounds like our friend lives somewhere in eastern europe

he was just converting it to usd

if you work full time that's 40 * 4 * 7,5 = 1.200 USD

isnt it 15?

i thoughht mmim wage went up

Idk

oh

that explains it https://i.imgur.com/11qjS5C.png

I thought it was the same across all states

You meant me?? hahah man I wish I was in Czechia or Poland! It's in Argentina actually and those are the highest salaries you'll find around here currently. If devs land a remote job on their own and not via freelance recruiters they can be buying -no mortgage involved- houses in 2-3 years

Ohhhhh is that why steam games are so cheap in Argentina

Indeed as @merry matrix has mentioned, expenses in Argentina are way lower than in the USA. To give you an idea: 1kg of beef, the best cut you can find around here, is more or less 10 bucks.

ack I should of looked at your profile pic first

no no problem man 🙂

But yeah, usually dev > cyber in salaries. I wonder though if that also applies to DevSecOps or the application security guys who have to code....

Economics 101 😎

But on a more educational note, salaries should be viewed through the lens of the country/area you're working in, rather than making judgments after converting to USD, which is a mistake a lot of people make

Turns out my degree is in biz econ 😛

That's right. There's PPP though to have some sort of...comparison. In any case (I can't speak for your countries) everything here in Argentina is turned into USD due to the ARS instability (Inflation, devaluation and some other funny historical things we had...)

Does anyone work remote? What does your average day look like?

How many interviews have you y'all done before job offer? First cybersec interview I was offered, which happened after about 13 applications - Seems odd since I see a lot of reports of hundreds of applications and dozens of interviews

It depends on the company tbh

Lazy af and boring. The only good thing is that you kinda have more free time than driving to the office.

How many hours do you work in a day

8

How to be a Ethical Hacker?

What to do for that?

Imo Google or YouTube can answer that question better than us. Though if you are looking to start learning definitely start with TryHackMe and check some of the paths that will suit you the best.

For me it has been usually in the 4-6 interviews range. Depends on the structure. The flatter the organization is, the fewer interviews.

I’m not sure if they were asking about interviews per company or companies interviewed with.

Oh, you're right. Hahaha didn't notice the "applications" (Thought they had 13 interviews 😮 ). In that case I got mine after interviewing with 1 company in Argentina. It just turns out all the rest were rejections (I was applying trying to move abroad).

Well. I know SDE role applicant might have to do ten interviews in certain companies.

That's just awful. Do you know why so many interviews? The ones I've had are usually: The HR guy or recruiter, the guy who would be my boss, a technical interview (discussing a solution for a challenge), the big boss and then finally one talking about the offer.

Oh an example: HR/recruiter. Manager, systems design. Second HR round. Homework assignment. Problem solving round, algorithms round, more systems design, soft skills round, general tech discussion round, perhaps second manager round.

I’ve heard Apple was one of the worst offenders, with these being spread over a number of weeks, and the total number of sessions way over ten in worst cases.

I have worked remotely for about 6 years. We have a lot of cyber positions that work remotely as well as developers. It depends on what your job is. My husband has also worked remotely since the start of Covid, his and my days are completely different.

For me, I'm a cyber architect so my day is spent a lot on the phone. I am in design meetings as well as providing security guidance. When not on the phone, I'm often creating documents / drawing up designs and such. My husband on the other hand is doing a lot of hands on technical work.

Ah nice! Working from home sounds glorius

I start work at around 7:30 and end before four. Lunch at noon, roughly. About one fifth of a day in average is meetings, in zoom or slack.

And it takes some getting used to. I wouldn’t recommend going remote for junior folks, for networking and mentoring reasons.

You sure should have a dedicated office.

Can confirm. Office is good for starting out.

Also IMO good for my mental health, as I have a dedicated place to go and work. Not multitasking exisiting space etc

Good to know

I currently work three 12 hour days a week.

I got my first (and therefore jr) cybersec job...technical sales....during 2020. I agree with your recommendation 100%. I wish I could have gone out with the senior guys to our clients' offices. Being on zoom for 6-7 hours a day really made me tired.

how are shifts laid out? Like, 3 straight days or something like mon wed and fri?

I'm not in the cyber field but I pick however I want to do it

I typically do three days in a row because I work 7pm to 7am

And then you a get a 4 day rest?

Or more if I schedule my work at the end of the next week

Hmmm doesn't sound bad actually...Will see if my manager accepts something like that. I prefer to have a whole day to study and do chores rather than 6pm-10pm every day

I prefer it

But working from home sounds nice too

It's definitely easier to get overtime with 12 hour days

I would definitely recommend working in an office if you are early career, it is so beneficial career wise. Also, like I have a dedicated office space, my husband does as well. If you work and live in the same space day in, day out, it can be draining.

Also when working from home, you have to be disciplined about things like getting up every hour, going for a walk daily, getting some exercise, etc and just generally getting out of the house when you can.

It's nice to walk down to somewhere to grab lunch with a coworker etc too. You're stuck with these people for most of your week, might as well make it enjoyable

That's what I miss the most 😢 Or having lunch and relax while we talk about stuff

On the positive side, you won't have to deal with that antivaxer, flat earther colleague talking about how his uncle's post on fb on why the latest conspiracy he read about is accurate 🤣

(we don't get flat earthers but we get all sorts on our internal social media at work)

Internal social media sounds like a bad idea 🙂

its kind of a requirement

Dude where have you been working at 😂 😂

You mean where I am working? Yeah... 😂 😂

we do have a guy on the security team who I hope ironically has a flat earth poster up in his cube

Hope

Has anyone heard about or tried letsdefend.io? Any opinions?

Great take

Question: As a Cybersecurity student in University I'm curious about obtaining a certification and I was wondering if skipping A+ to go straight for Net+ is advised / good idea given that I'm in University

I’m in Uni too, and many of my teachers said that if you wanted to go for certification you gotta grind it and then you’re certainly able to. They also told me it’s advised to do them at the right time (given i’m first year) and some certificates are only valid for 2/3 years. They will be useless for me. It would still be beneficial to learn them though.

Specifically I could not give you advice on A+/Net+, I am not familiar. I only can offer some general advice.

Thanks for your reply! Yeah that definitely makes sense and I've heard that a lot too. I'm currently a Sophomore and looking for a CO-OP / Internship for the summer and just slightly stuck on where to begin my search.

Imposter Syndrome is definitely hitting when I hear from other people my age, which makes me shy away from applying to certain companies.

Gave +1 Rep to @spice elm

Yea, I know what you mean. Some can be seen incredibly ahead of others. Don’t let it get you down, use your qualities and grind the knowledge. You just gotta get used to it and know that you’re worth it. I’m lucky to have had 4 years in a sales job before returning to Uni which has given me a good perspective on this exact thing.

If you don’t know something you got to be utmost determined to find out, even if it is asking for help.

Appreciate it 🙂 Do you mind if I send you a DM?

Not at all, I will be heading off though, I’ll respond in the morning.

Yeah I don't think I have the knowledge base to completely skip over A+ and Net+

Currently doing Network Programming, but next semester I'm taking Network Administration which will go more in depth about Computer Networks

Most of my knowledge stems from external recourses, such as TryHackMe and self curiosity

Knowledge about networks is extremely helpful. Net+ is a good baseline

Exactly that's why I thought about starting at Net+ before obtaining any other cert

Oh bye

Was just going to say, networking is industry relevant

It's a majority of my day

+1 for learning networking. Easily the most important topic I studied when I got started in IT

hi

If you are at uni with that kind of courses it's very likely you'll see the topics net+ covers and even more. Wouldn't it be prudent to wait until last year, check your knowledge (Because perhaps you end with enough knowledge to sit for a more advanced cert) and then decide which cert to pursue? At least that's how I would do it if I had to do my first degree all over again

Or, assuming you're in US, go to WGU and get the certs while you get your degree.

ive always been told CCNA over net+, not that one is way better thenn the other

but more hands on with CCNA then net+ teachings

That's partly true, though they did away with the sims. But if all you need is a base networking knowledge and aren't looking to do networking as a job, Net+ is more than enough. And cheaper and easier.

What the telco engineers and guys who had CCNP at my previous job said was that CCNA had a lot of networking theory but then it also had a great deal of things only seen in CISCO and nowhere else like the CLI commands and some propietary protocols

Which is beneficial because Cisco has a huge market share

Aruba and Juniper are good too. But I would just stick with Net+ as a neutral cert that focuses on that foundation knowledge

Yeah i haven't seen either of those in the wild yet

I've only seen Cisco and Fortinet

I know they exist though lol

Im working on my ccna right now since I’m not knowledgeable on networking what so ever

IMO CCNA is better to get - the practical parts of it are specific to Cisco IOS appliances, but the practical parts make it easier to pick up config for a different brand

They did away with the practical parts

Well that makes me advice irrelevant. Is that because they split it up into multiple certs?

They combined all CCNA into one cert. CCNP got split into concentrations. You don't do any labs or practical exercises until you do a P-level specialization exam like ENARSI

Why would they do that? It's the only reason people couldn't just memorize the entire test bank

They also did away with CCENT

CCNA is harder by all accounts.

I took the old version right before the swap.

Yeah, my Network class was literally "CCNA prep" on the old exam but I didn't have the funds to sit for the exam

I hated that class so much

1 day a week for 3 hours

Is there a new textbook for it? I will ahve the 200-301 material

I took Net+ a couple months ago cold on a whim after being a network admin for 10 years and still found it a good test of my knowledge. It's a decent test, and I'll stand by it being a good foundation networking cert for those who want to go into cyber.
If you want to do networking as a job, then CCNA by all means. It'll open some of those entry doors for you that Net+ won't.

200-301 is the latest version.

From guys that do infra stuff that requires a lot of cluster networking and SDN stuff (like openstack, k8s) CCNA is more helpful than Net+ - but YMMV

It covers practical aspects. But doesn't have any sims like they used to.

networking can be such a PITA

particularly the more advanced topics

Multicast has been kicking my ass at work all week

AWS networking specialty is a PITA absolutely. I have business PTSD from a client I had that tried to establish a VPN between azure, aws and on premises with HA and dead peer detection and I can't remember what else

so if you guys can take networking classes or training by all means pay attention because sooner or later it's gonna come in handy

I guy I know who has been doing openstack for years would rather take a networking person and train them up on the openstack platform than take a senior sysadmin

I dunno, I feel you can't escape networking, at least if you put any effort in what you do. I've never once felt compelled to get a networking cert at all, like, you just learn it as you do your job. I've never seen them mentioned on any job that didn't have "network/cisco" in the name

I've worked quite a bit with openstack and currently the "kubernetes engineer" of the devops team I'm on

Hmm

Why can't i join some of the rooms in this server

You have to verify with the server

Probably because you aren't verified

Agree to the rules and what-not

!docs verify

Different verify though. One verifies with THM profile, the other verifies with Discord to give you server access.

No, some rooms are not available if you aren't verified with THM

VC for instance is locked until you verify with the THM bot

Yeah, I get that. It doesn't look like they've done either.

Thanks . I just verified

If they can talk here, they've agreed to the rules.
They need to agree before being able to talk anywhere

Gotcha. I should know that. Thanks.

Gave +1 Rep to @quick forum

CCNA is also much harder then the NET+

Because it is the fundamental layer, if that does not work your nice k8s application won't work xD

K8s is great I worked a lot with Openshift and plain Kubernetes also got CKA and CKS xD

Cilium is also a beauty

OCP definitely has value - picking a flavor of k8s is really about where the org wants their tech debt to be. Pre install or post install

I would always prefer kubernetes over openshift

Openshift is a pain atleast in my experience

I got cka and ckad instead, we use ocp, so I'm catching up on that

But there's hopes to move away from ocp and go to straight vanilla k8s, fingers crossed

the pain of openshift is in getting the prequisite checklist actually done before RH shows up for the install

post install, all the stuff they have layered on make it much easier to manage deployment lifecycles and pipelines

you can do all the OSCP functionality in regular k8s, but getting all those services and operators installed and playing nicely is nightmare

I had a few times when a newly installed Openshift did not even wanted to update lol

No changes required as mentioned in the Openshift docs

Never had that with a k8s cluster

(yet)

usually that's related to environment DNS and network routing policy

OCP is a beast to config on your own, would not recommend it

but if you can get to what RH calls day 2 ops? It's very accessible to manage and maintain

Not sure what that is

But yeah Openshift is nice, the GUI is also for less technical people a win

day 0 is the checklist RH gives the client to have done before services shows up

day 1 is the actual install and operational setup

day 2 is post-install day-to-day lifecycle

Ah yeah

Day 0 is pretty ok to do

Day 1 is a pain

some of the tack-ons for Deployments vs DeploymentConfigs are nice too

I remember the first 4.5 release, needed to type everything in pre boot no backspace

the problem i used to see with day 0, was just getting someone to do it

4.5 still way better than 3.x

True

The amount of times I made a typo

The nightmares are returning xD

YAML all the things

It was my first 4.5 cluster so wanted to taste everything as close to the source as possible xD

But yeah if you need a CNI Cilium is the way to go

how does that play with ist.io?

If you keep having rh supporting, it's probably fine, our support officially ends this month and I'm full time supporting ocp then

I dont think you need istio anymore

Cilium has some build in pod to pod encryption

ist.io is required for certain multi-tenant security configs

Istio does a lot more than cni tho

because default OCP SDN is too open

Government is going full on board with istio it seems

https://cilium.io/learn

There are some key components on this page

Haven't played with all of them

For those of you that work in cyber, what are some of your gripes about the field?

lack of coordination and accurate reporting from IT groups to security managing compliance statuses

Co workers who see cyber as a hindrance rather than a necessity. Mind you these are other IT folks.

like tito says, you are often seen as the enemy. And honestly business is a balance of security vs functionality so you have to figure out the right balance. Also, sometimes there is some elitism to it. Most people I work with are cool but sometimes they are not.

Security isn't revenue generating. That's a big thing.

I feel that one

How my work is currently

Security is a great big money pit... until it saves you more money down the line.

@undone shore your new dp is disturbing...

Blame Bee

Human brains struggle with that though

Like spending £10 now to save £30 later

Yep. Human brains be dumb

(unless you work for a MSP or other cyber company)

but even then, they are at the whims of customers so customers don't buy / cut costs? then MSP / Cyber company needs to cut costs and easiest way to cut costs is usually to cut personnel

https://www.cisa.gov/publication/cybersecurity-workforce-training-guide

A decent look behind the curtain for people willing to do a bit of reading

thanks! does anyone know how these interactive PDFs are made??

Gave +1 Rep to @inner elm

In terms of kit is there a nice to have spec of kit for pen testing? Or does a basic MacBook with beefed up ram do the trick?

If you're doing engagements at a professional level, salaried and or signed contracts, pentesters generally have a dedicated machine

From what I have gathered, nothing too expensive as it may get beat on and something that can just be wiped at the end of an engagement

Okay that makes sense

Thank you :)

I also would avoid macbooks

Yeah, Macs have their issues. You wouldn't be running x86/x64 on an ARM Mac.

1. Attracting attention
2. Cost
3. Performance especially for the price

I was thinking of just making a cheap rig with 16g ram and a mid range cpu that I could overclock

Not sure why you would want to overclock. If you're doing paid engagements you're going to want to have your hardware stable

And OC in a laptop you run the risk of heat killing your hardware

Like the big dell 7000 series stuff will heat kill itself if you're not careful, and that's stock

I burned myself on a chassis one time

Can confirm

It honestly surprised me how hot those dells would get

I'm honestly surprised about the build quality of even high end dells.

When I was an intern, we had 3 die due to heat. They would be chugging, heat up the desk, and then the desk would hold the heat. The laptop wouldn't stop and it got to the point where we were buying those laptop curbs for everyone

After $12,000 in heat cat laptops

Geez

I'm stuck with a Mac at my new job...#1 is what worries me the most D:

Wish they had given me the option of a windows laptop at least

I'm currently working as an SRE/DevOps engineer and deal with these attacks all the time with sites I manage and monitor 24-7, lead me to learn how to mitigate the attacks by learning about how to do it but I'm getting more and more interested in the analysis and pentesting world as I work through the content. Has anyone made the move to pentesting full time and what's the work life like?

Hello, I started working as a soc analyst T2 a few days ago (my first job) and want to specialize in something. I am thinking about malware analysis but I couldn't find a single job posting for a malware analyst on linkedin in my country. Should I give up on malware analysis as it isn't in demand and work on something else?

job options these days for malware analyst are definitely less than say 10-15 years ago but there are companies such as Fireeye that still look for those skills. You could also look for Reverse Engineer. Otherwise, you could work on those skill and watch for jobs but understand that is more of a niche job

I think I will do some malware analysis to see if I like it and hopefully it also helps with my job.

Anyone in the great state of New York? Just looking to network with others for where I plan to move back to in the coming months.

Check out this heat map
https://www.cyberseek.org/

I thought this was particularly interesting, private vs public certs being requested for US jobs openings

Hey guys, i’m a college senior, majoring in computer science.. any advice on landing a job out of college?

start applying today, brush up your resume

been applying since october, unfortunately haven’t really heard back from anyone

it is a bit tough, if you don't have any certs, you might want to see if you can get one before graduating (Cloud certs are great), also widen your field of jobs you are applying for

great, definitely will look into getting certs! i’ve been applying to everything under the scope of CS. just wish i had better luck

I sent about 100 applications after I graduated for 2 interviews that went all the way to offers

Started about 3 months after I graduated and did it with no certs but I did have a security clearance

See if you can do some networking with your schools alumni. Having someone on the inside is always better than applying blind

I am going to start applying soon as well considering my time is up in the Military. With that being said I think two things that can help a lot is 1) Growing a network on LinkedIn. 2) Build a website or something to document personal projects to show passion.

Two things for this. Be wary of recruiters looking to take advantage prior service individuals, if you feel they may be leading you on or trying to get you to join some program don't be afraid to say no. Second, for opsec reasons be careful who you expand your LinkedIn network to. I've personally noticed an uptick after putting cleared and my current job on there

Good looking out! I am not joining no program haha. I also primarily focus on growing connections in one particular area. I have noticed random individuals requesting a connection but I deny almost immediately.

Also remember employer's are looking at your resume for only a few seconds or less. Make it "different" so it stands out but not to much. I've gotten many interviews this way and told in feedback they liked my resume

Basically make it appealing so they spend that extra couple seconds looking at it and informative, sweet and to the point so they know a complete general over view from just glancing

I was also a hiring manager for about 2-3ish years and know how feels

Lol but then again nowadays everybody's using scrubbers and whatnot so that could all be irrelevant 🤣

AWESOME-CV on Latex is a great choice

Let me see if I have an old copy handy

This is back when I was in school

The Screenshot makes it kind of meh but it looks good

US Military? have you considered Skillbridge? https://skillbridge.osd.mil/

I have actually. Time is coming to an end with an injury though and being med boarded after 10 years. Still waiting on results so well see but either way I am looking forward to it as its my chance to dive into what I am passionate aboute.

Look at them weights you pulling!

I'm getting old, so gotta do what I can to stay fit to fight

I hear that. I try to still do what I can, I miss the gym.

anyway i can send you my resume for you to look at?

What’s a average salary for a Information security analyst II in so cal? Looked online and there’s nothing really definitive

that'd probably vary a lot by where in So Cal, like Los Angeles (where there are lots of large companies and higher cost of living) vs San Diego (where fewer large companies, lower cost of living comparatively). For entry level, with a college degree / experience of some sort for major metropolitan areas can vary widely between $60k to $85k. Without college degree / some experience, would be on lower side of that or maybe even slightly below.

okay i'm a comp beginner

i need to be job ready real world pentester

pls give me the roadmap of certifications and stuff

and approximately how much time it can take

i'm majoring in cs

That massively depends on what country you're in, what skills you already have, and if you've got any IT experience yet

no experience but like i'm focused on learning while on a job rather than learning all by myself

i'm from india

India is quite different, and I'd say Muir and myself aren't overly qualified to give advice there

planning to move to japan

For example, India is one of the very limited number of countries that places value in CEH

hm

yeah i've heard about that

do you know about japan

Certainly not from a security point of view

anyways despite of the country can you guide me if possible

I've heard it can be quite difficult to rent an apartment etc as a foreigner though, with places just simply point-blank refusing

all i have in plan is just completing thm pathways lol

A common path to pentesting is starting out in an IT field to get IT experience. Possibly even webdev. Then a pivot into a security role, then pentesting.
Sometimes an SOC analyst role, then pivot into a pentest role.

There's no one path for anyone. I got a pentest job before I graduated, through connections

okay yeah i can do webdev

just frontend though

Frontend I'd argue is less relevant.

hm

okay what about the certification i can go for

This

We can talk about the countries and markets we know about. For Muir and myself that's really the UK, and a little about the US

your next homework assignment should be to research different ways someone can become a penetration tester in India, create a presentation for it, and add it to your blog/portfolio

hm

then you'll be our servers SME on the subject 😄

Or outside of India

ill look for japan and india

you can be the Jc of Indo-Japanese hackering!

My advice would be look at job adverts, see what they're asking