#cyber-and-careers
I've been doing the practice questions provided by CompTIA, and it seems really easy.
I've been at it for 6 months, so I didn't expect that at all.
Different from person to person. PT+ is the only cert exam I've ever failed, but I only prepped for 2 weeks and didn't have any labs. I was also doing 90% on the CertMaster Practice questions, so that apparently wasn't a good judge of my preparedness. Spent another 2 weeks studying before testing again and passed with a 795.
Passed it last weekend, some of the questions were tough
Don't put your faith into passing with just practice questions... It's gonna hit you in the face based off the questions they had
Dion usually has really good practice quizzes
Tougher than the actual exam in my opinion, this was for Sec+
Yeah I used Dion between my failure and my pass. Probably helped me pass.
Is it possible to become a security consultant from being an ethical hacker / pen tester with the CREST certifications 
Define Security consultant ? I would say Yes, though CREST is more Pentesting soo you might benefit from a broader scope of cert like CISA/CISSP but just depends on the exact role. You could of course move up the lap from Pen testing to Consultant.
i feel like id have to do offensive security consultant as looking at job offerings they require similar certs to pen tester but also require pen testing experience. I feel like going from pen testing to consultant opens alot more doors and just seems like something more like front line than back line
and the pay seems nicer
and eventually when im older i could do it very part time if i just dont want to work alot
If you DONT want to work in Pentesting - you can easily bypass Pentest roles with Cyber sec certs: https://www.giac.org/certifications/ I am not saying take a GIAC cert but their roadmap should shed light on how to progress. Dont follow the herd and do Pentest certs if you dont plan to use them - life is too short.
Why not hit the job boards just to get an idea of the variety of certs Consultants need and go for the one that best suits you. Just my thought.
I do want to work in pen testing, but just not for a looong time, like when im 30 latest i dont really still wanna be doing pen testing, i wanna be higher up and be able to do less if i choose to do so, which is why consultancy seems like a logical next step ygm. However i will take your advice and do a little research on some jobs and that ❤️
You're UK, right?
I'd say one path would be CHECK Team Member (Crest cert + security clearance), then maybe Team Leader, then hopefully an easy pivot to more management?
CISSP fits in well there
Yeah I am UK, that's why I'm gunning hard for the crest group of examinations. And I was planning on becoming a CHECK team member from the beginning so if it only takes one more cert that I can take my time on then that does look desirable for me in my consulting path
CREST is only really good for CHECK
And remember there's CyberScheme and TigerScheme as alternatives
im ngl im really confused what that line means
Companies can put you through CHECK btw
yeah its a one time thing tho isnt it, once you SC you SC for life or something
so i gotta find a company whilst im a pen tester who will put me thru
Not in the UK it's not unless things have changed - my friend has to get his done every 6 years
oh damn
The quals for check def expire
i just presumed like you would be good for life
But once in a company you're solid and getting SC is much easier
you only have to do sc paperwork (which is a bitch) once
but you just resubmit every x years

Where abouts in the country are you, and how are your pentesting skills?
somewhere in the middle. and Ill be honest kinda ass id presume, im working on it tho 
A few people here work for places that are hiring pentesters, that's all
not given up quite yet 
Exactly! There's also CompTIA and Masters seems gaining steam ...
not got any qualis tho, and im still a teenager which i presume is a downside
i hope in 6 months i can sort my qualis out and stuff. like atleast get CPSA at a minimum
You're in the right mind! Master all the THM skills and the rest will be a walk in the park except maybe ISC2 certs
yeah i plan on working hard on loads of THM and other related stuff for now, and when my life gets more predictable with free time. Signup for some course which i can then get my Crest certs from
I know my company is hiring and will put you through an exam for CHECK Team Member
Teenager can mean anything 13 to 19
luckily im on the back end of that
19 isn't going to be as much of a problem as 17, seeing as you can sign contracts from 18 properly
FWIW I'm 20 and working in a pentest role
hey james can I dm you?
but i really appreciate all of your help jake ninja and kitty 
Regarding?
we’re also hiring if you wanna dm freshie
the jobs/pentesting positions
If you're still a teenager - also remember things change fast in the Cyber world - so try to stay abreast of changes in technology....
I don't think we're hiring internationally
awwww
fr?
DM me if you want to know more
this might sound like a silly question, but were u not scared moving onto 20
No, same old same old
fair play man
Does THM take volunteers so you don't have to pay us - we just want the experience?
Not hiring for THM
Room creation is something you can do for fun and to give back to the community, I'd honestly say it got me my job
i shall DM you both jake and ninja but i presume i dont fit the bill but i would really gain alot from the information ❤️ if thats alright
any tutos or blogs that speak about doing this? sounds like fun
Dark has a tutorial somewhere
to create a room is still on my bucket list
i saw some remote jobs on crowdstrike, but i dont got any idea what company that is and no experience with remote jobs
it's one of the top cyber security vendors at the moment specializing in endpoint security. They've been growing quite a bit and their stock performance has been quite good considering the actual price, the IPO price and how long it has been since they held the IPO.
I think if you lack the experience networking is a key part of getting yourself into a job
Just be "out" there and connect and talk to a lot of different people
Also making sure you "give back" to the community will open tons of doors
Gave +1 Rep to @edgy tiger
Question: on LinkedIn, you can input a certification ID. THM certs have one but I can't seem to find a use for it on the THM website - like a tool to verify that a cert has actually been delivered to x. Is there such a thing?
idk maybe with acclaim?
I guess you can make your profile public and redirect people in linkedin to your profile, right?
😬
That's kinda not great for privacy
Until THM exposes some sort of API (or codes to validate like AWS does)....I see it kinda hard to prove you actually did something in a way different than what I suggest :/
Id like to point out that Certifications != certificates
Certificates are given upon completion of a task but don't actually certify knowledge of the material
Certification leads to professional accreditation
probably because of this certifications has to be renewed???
Also if your using LinkedIn your real name is going to be out there. Not sure why your name being on the certificate would be cause for concern
Cant I put 'Certified by TryHackMe in . XYZ' on Linkedin?
No, I wouldn't
It's a certificate of completion
Not an accreditation by THM
Idk if im using the words right
THM is an extracurricular
Even for the Paid labs - throwback and Wreath ?
Thanks for saving my bacon @stoic cave I was just about to ....
Gave +1 Rep to @stoic cave
Perhaps in the description? It's the only place I see it fit inside linkedin (Given that it lacks something like hobbys/Misc.)
Back to studying .....
Sec+ is a certification and professionally recognized, which is why it belongs on the resume/LinkedIn in a main section
Just make a little post
Something like "Great material and very informative" and attach an image of the certificate
Shows your learning on your own but not trying to pass it off as professional experience
That's the best option imo. Forgot completely about posting it. You leave some sort of proof you did it.
In the best case, THM certificates of completion may be accepted as CE credits to maintain your existing certifications.
An existing certification is usually only worthwhile to list on a resume or CV if you had to sit a proctored exam.
If anyone has worked for Mandiant, or currently works there, how do you like working there? What is the culture like working there? Specifically for the Advanced Analysis Team or Security Analyst positions, is the job and Mandiant culture rewarding and positive job satisfaction? I am waiting to hear back on whether I will get an interview or not. Mandiant has been my dream company and job roles for a long time, and I'd like to get some feedback on them and if it is as cool as I think it is!
@wet meadow connect with Zander Work on LinkedIn https://www.linkedin.com/in/zanderwork. He's super friendly and works cybercrime unit in the threat intel department. Just connect with him, send him a friendly message first, get his discord tag, have a convo with him and then u can ask him what the culture is like.
@warm hinge Awesome, thank you so much!
Gave +1 Rep to @fleet surge
Wouldn't necessarily recommend cold messaging someone but that's just me
Especially if you have zero connection with that person such as same Alma Mater, former Employer, etc
Mandiant is a well known company. I'm sure there are plenty of interviews in both video and written format available for your consumption
Well that's why I said connect with him with a friendly message attached before even engaging in a full on convo or asking a question off the bat. Plus you use LinkedIn to network and connect with others anyways, so it's not a total cold message. What else is he supposed to do
That's the definition of a cold message. Sending a message to someone who you have zero in roads with.
I provided alternatives in the message above
I believe Darknet Diaries has also interviewed people who have worked or are currently working at Mandiant as well
So if ur someone i want to connect with, and i want to connect and send u a message attached, i can never do that because i dont have any roads with u but im trying to start one road with u
I'm sure others will weigh in, but in all honesty I would probably deny the request. I don't know you, don't have any mutual connections, etc
Okay, fair, its ur choice in the end. But the mutual connections can literally be that one person is an influencer in the community lets say and accepted both. But im guessing ur saying it has to be a close mutual to then consider it
Looking at all of their profiles, none of it screams influencer to me. The person working at insert popular company doesn't automatically make them an influencer
Okay content creator
I just wanted to know what mutual connection meant in your head. Thats all
Yup that's fine. All I'm trying to get across is that it's not necessarily cool to just message people and request a connection. Their response may be friendly but in reality they may not like it. LinkedIn is a professional platform and people talk. If they are rude word may get around especially if they are working at a well known company
As I see it: In case its a +3rd connection and the person I'm trying to add to linkedin has no public exposure (Ie: Presented at a conference, wrote a book, taught a course, has a blog or something like that) I won't add them. Otherwise I send them a cold message telling them how I came across their profile. That's how I see it at least. I mean...I've presented at a small conf and I've been sent requests from +3rd connections. I then look at their profile and decide whether to add or not.
hi guys, i work for a small start-up company as the only IT person and my big mouth suggested a pentest cos we have had breaches on our websites and servers (we had to change our domain hosting provider as a result) and everyone just kinda glossed over it after the change and i got the site running again. then i started thm on the jr pentest path now i'm full on paranoid of what might have been leaked when i haven't even finished the jr pentest path 😫 . now i'm getting jittery, and not sure of myself
any tips will be appreciated 
First of all, have everything in mail mmmmkay? IF they don't want to run the external pentest, have them reject it via mail. If you warn them about the consequences, do so via mail. Leave a trail of everything. That's rule #1. Something happens tomorrow they might try to blame it on you and have an excuse to fire you or sue you for any loss when in reality you were doing an excellent job. Words have no weight remember that.
Second, that place is now a time bomb. I don't really know your situation and if you can afford the extra stress it brings, but I would start searching a new job asap. Somewhere else where they at least pay attention to security and best practices.
Third, it's not your responsibility to carry out the aforementioned pentest or vuln analysis on your site. You don't have a reason to doubt yourself and your skills. If you really worry about the security and want to do something in the meantime, check out the hardening basics rooms (part 1 & 2).
Who's the CIO/CISO? Talk to them
Someone should be the named person in charge of security
Thanks a lot for the suggestions. I didn't think too deeply about it. I was just kinda overwhelmed with the knowledge of our potential vulnerability i guess.
Gave +1 Rep to @twilit arrow
no one really is. if there would be then everyone would probably point at me 😅 . its a pretty small start-up, not up to 20 employees for now
yeah really if they're at that stage, being small and not caring at all about security....not a nice sign
Someone needs to be. Ideally a board member. We have one and we're 10 employees or less.
Someone needs to write policy documents and handle security
like, needs to be due to law or something like that?
(in the same way GDPR states you gotta have a data protection officer)
Needs to be to prevent the whole thing falling apart
I'm ignoring any legal stuff because I don't know it and I don't know where they are
oh that's true....unfortunately too many seem to think "We got the IT guy" and that's it D:
oh wow, thats another angle i never thought of
this is exactly the mentality
we're based in the czech republic, might have to research the laws
thanks a lot! the suggestions will definitely help me to calm down and think it through
Gave +1 Rep to @quick forum
I thought you worked for a consultancy though
Idk what we are
"Our IT guy has the security+"
We have a board, we have someone who writes and signs policy
Suddenly that makes him qualified to handle everything
How reliable do you think the salary figures in glassdoor etc are?
I don't think they are all that reliable because they work on averages
I'm not looking for exact figures, just trying to gauge a bit.
when I was a junior, I thought the listed numbers were high; now as a more senior person, the amounts look low
Even considering roles and levels within a specific company and location?
well often they don't have levels
That data would be mostly useless, I agree. It might help in comparing companies, but not much else.
Then again, if a company has listed e.g. SWE, Senior SWE and Staff SWE, that's likely more reliable. But do people post real data there? 🙂
depends, people may inflate
Guys I'm looking for remote internship Or a job in Cybersecurity.
I'm Certified
1-CEH Master
2-CASP+
3-Pentest+
4-CCNP Enterprise
5-Certified Burpsuite Practitioner
Please help.
you also didn't say where you are located
I'm from Afghanistan, I migrated to Tajikistan country with my family 4 months ago due to war in Afghanistan.
@pseudo creek I also have a bachelors degree in information technology. And I have one year of official work experience and 3 yrs of teaching (Networking and Cybersecurity).
No one looks at my resume or replies when I mentioned I'm from Afghanistan 😥
that is a lot of PII, I'd suggest scrub it if you want feedback, if you aren't on LinkedIn, get on it
I'm on linked for more than 2 years.
Honestly I'm so frustrated. I applied for 100s of job postings but heard nothing. That's why I shared my resume without scrubing it to prove its not fake.
Thanks for the feedback, I wanted to blur PII, but 😓
Here is my resume.
Looking for intern or entry level job in Cybersecurity/IT
I'm sorry if this isn't the right place to comment my resume.
Apologies.
Couple of things off the bat, in Education, if you have a degree you don't need to put high school. Second, you don't need the images of the certs, it makes it cluttered. Third, the resume is rather long with too much white space. I also wouldn't necessarily put twitter links in the community involvement section. If it was a talk I would put a link directly to where the talk is hosted
Faces on resumes can also go either way and you also dont need that paragraph next to it. That's what a cover letter is for
I agree with Moose, @jaunty heart . Put in the cert ID# and a link to verify instead
Special Projects and CTFs can also be a single section under Extracurricular
Not sure if I’m wrong but most companies would rather have 1 page vs 2 page resumes
Also there may be a typo on iTex, not sure how you can work into the future
if you're still working there, I definitely wouldnt do that
I try to condense everything down into a single page for two reasons. The first is that if you're passing in paper resumes the second half is never going to get lost
the second is that HR sits and reads resumes all day. If you give them one thats nicely formatted and concise its going to go a long way
@stoic cave
Thank you for your feedbacks.
I really appreciate it. I will definitely consider those points.
Regarding certs images. I watched John Hammond video, he suggested certs images will make your resume to be notified. https://youtu.be/ZAt8MM8WG0o
Gave +1 Rep to @stoic cave
Regarding face . I used an online template from Nova Resume
https://novoresume.com/
but on paper id try to keep it neat and concise
I would use Awesome-CV
its free and easy to use
@flat sedge
Noted i will definitely add cert ID.
LaTeX is non trivial for most people
There are some pretty reasonable markdown templates out there
The nice thing about storing your resume or CV as a flat file is it becomes very easy to comment out sections that aren't relevant for a specific role
this is how the company writes its name "iTex"
its how I have mine setup, this is just a redacted and old copy
I was talking about the dates, not how it was spelled
piggybacking on moose's comments about overall structure:
- I think the blurb next to your photo is fine, I have a similar one and have received feedback from hiring professionals specifically about that who says thats fine in lieu of a cover letter, I am however anti-photo for resumes
- tear out the "competencies bit", roll it into "Special Projects", "CTF Involvement", and "Community involvement" , call the new section something like "Professional Development" or "Continuing Education" and stick it towards the end
- remove the cert images
- elaborate on classes taken at uni
I think all of that is good except the last one. I think listing the classes is fine but describing them could get cluttered
Making your coursework relevant and including something like a home lab can be huge for an employer
because it shows you aren't starting from zero for their needs, you have some background already
Moose is outvoted, keep the coursework 🙂
I might be talking about a different thing
yee, sorry thats what I meant - relevant courses with maybe a one-line description
dont have to list everything
mine has both a course list and then one course that I went in depth about
above 3.5 GPA is notable enough too if applicable
I thought we were talking about taking a course list and expanding on everything
if its just choose one, i agree with that
Also, you can list In-Major if its considerably higher than the total
I had to do that because of Biology
Thank you guys for your amazing feedbacks. I really love it. I will definitely consider all these.
Hello guys and girls. I have a bachelors degree in digital forensics and cybersecurity but I’m struggling to find a job as I do not have any relevant experience. I am currently working as a data center engineer and I want to switch to something a bit more close to my degree. I was thinking to try and get the CompTia pen test+ certificate as a booster but I wanted to hear some comments or advice about my plans.
depend on what job you wanna get
Unfortunately I do not have any certifications. Is Security+ more beneficial than Pentest+ in general? @sour pike
@stoic cave
Pentest+ is more designed for those who want to get into Pentesting and that line of work
all certificates will benefit , but only get a certificate if your future job needs one
pentest+ is more specific to pentest activities, security+ is more of an overview of security as a whole. Take a survey of jobs you want and target your cert learning to that.
Security+ is an entry cert for the Cyber Security field
I would say I have quite strong interest in the penetration testing field
then start training yourself with the pre-security path of THM first
I am at around 40% of it.
sounds like a good start
Do you think that would be enough to pass the certificate exam or id have to do some extra stuff. I was planning to take it by the end of January
I might just get both 🤷🏼♂️
you definitely need more training
Yes
Country dictates certs
dont agree Ninja
That degree combination seems familiar to me lol, I graduate in July
I graduated a few years ago
your new job dictates certs
Then you're allowed to be wrong.
UK pentest roles often want CHECK certified people. That's Security Clearance and a CREST, TigerScheme, or CyberScheme team member cert.
The job market. You want broad appeal.
depends on what job you want to get
can be different , different companies ask for different jobs
eh certs
so check out first your new potential job , look at what certs they ask
Most of the ads I see do not specify any certificate requirements but they all want some experience…
@heady axle How are your pentest skills? Which end of the country are you?
My company is hiring pentesters down south. No experience although your DC work would probably benefit you, only skills required
Pentesting doesn't tend to be an entry level field. A lot of people go through SOC analyst roles for a year first
Working on them 😄 I am at the south coast but definitely need to learn more.
Keep me in mind then, we're south coast
You can DM me for more info, just mention it's about the job role
There's at least one other person here scouting for pentesters in the UK too
I agree on that. Part of my current responsibilities are basically incident response and monitoring so it’s just the name of the role…
This is very good stuff to cover in a CV/interview too
I’d definitely message you if I feel comfortable enough to apply for a penetration tester role.
If you're confident with medium rated THM boxes, I bet you'd do fine
The thing is most recruiters don’t really care about CTF experience because there are walkthroughs so anyone can pass them and earn the badge. But I started using THM as a learning platform to work on my penetration testing skills. So hopefully by the summer I’d have some certifications and the required skills to start looking for a penetration testing role
I'm talking specifically about the apprentice type roles we're hiring for here
as a complete beginner in the IT and InfoSec fields, what subjects / learning pathways should i go down to start and what certifications should i aim for
Hello! So I am practically in the same position as yourself, very little knowledge of IT and wanting to get in to infosec. I was suggested to go for sec+ to get in to infosec, however, if you're anything like me and want to learn about computers first, then A+ is a good place to start and then take it from there. Also if you want to also learn ethical hacking then pre-security pathway on THM is pretty awesome and then follow with the complete beginners path. Good luck in your journey and welcome to cyber security 😄
@boreal ermine thats up to u. None of us can tell you what area in cyber to begin in. U just have to mess around with a little bit of red team stuff and a little bit of blue team stuff and that will give you a more clearer path as to what area u like the most. The most common example is web exploitation. If u do the rooms on thm or learn on portswigger and get ur hands on practice in to apply what ur learning and it excites u, motivates u to want to learn more and go the extra mile to become better, then focus on web app exploitation and everything that accompanies it
Skip A+ , go do Net+ , land a help desk job for 1-2 years and move to net administrator from there, get all the fundamentals down, then go do cyber security. There’s a lot of avenues in cybersecurity.
I definitely can't afford to work a help desk job
So you highly recommend paying and using CompTIA certification ?
An old 30 years old french in retraining here
yes, net+, sec+ are good ones
I don't know where you are at, but in the US, help desk jobs vary widely and some with very good pay ($70k). On the flip side, if you work it, network well, you may be able to get job like jr sys admin, network admin or soc analyst, but again those pays would be similar.

70k$? 😮 In italy i take 26k€ as a pentester LOL
i need to go out from italy

Currently I make 120k but I hate my job
is your current job in IT?
current ADS from indeed.com
notice top 3 certs are most boring certs ever...
also certs that more senior cyber people would have
because pentester / red team jobs are fewer than other cyber jobs
No
Hard to compare anything to USA
yeah my friend soc analyst take about 18k
then I'd say you are going to have to take a drop in salary to move to a cyber / IT job, there is one guy on TCM's server who busted his butt and was able to get $100k as an entry level pentester, he sent out hundreds of applications, networked, built up skills, etc
sure, but living in romania is way cheaper than living in more developed countries like the USA
yeah and we basically have 0 social safety net
Yea it's going to be hard. I have a plan but I can't say much on here unfortunately
I'm also romanian, but i'm only 16 so i don't have to worry about taxes yet ))
unfortunately
Ouch
hello everyone, I don't have any certs yet and I want to start taking certifications as a pentester and i'm torn between the INE eJPT and Comptia Pentest+ . Also I got a discount for A+ but i'm not sure if it will be relevant to a career in cyber and infoSec so I didn't take it yet. for entry level purposes which should i start with?
do some research on LinkedIn, Indeed, or other places and see what the most requested certifications are for the job you want
Alright, Thanks a lot!
Gave +1 Rep to @languid hearth
Thanks I will investigate on that. I don't have any degree in IT. So beginning with A+ is an option for me.
Gave +1 Rep to @pseudo creek
Hello everyone! I am pretty new to cyber sec. Just passed my MTA in security fundamentals. What cert should i be looking to learn/complete next?
Its not really comparable. I worked with a Chef in the UK from Romania. On poor UK wages he was able to buy land and build a house in Romania. Same wages here you would struggle to even rent in the UK
Bucharest. My point is more that afaik that wage is good for the country. It's the same reason as why people in the UK are paid more if they work in London as it's down to the cost of living, house prices etc
Cost of living in Romania is, on average, 48.51% lower than in United Kingdom.
Rent in Romania is, on average, 67.43% lower than in United Kingdom.
But you do have sick internet tbf
Would like to visit sometime. My friend spoke alot about how nice the Black sea area is
Yeah which also brings wages up, well hopefully that is
I wouldn't want to live and pay rent in london. might as well be a slave
Pretty much what the guy i worked with said. He only went back because of the house he built and his kids
Yeah that's fair enough and i would never begrudge anyone trying to better themselves or their families. Issue you will be just left with how do you guys put it. With people that do gypsy work lol
Hopefully it balances out in the end
I was told a Romanian term for "bad work" is gypsy work.
as in doing a poor job
tbf he may have just not liked gypsies thinking about it lol
Nah i know they are different. I don't associate a Romanian as being a gypsy. Afaik they come from India a long time ago
Exactly what my friend said tbh
I think it depends on what exactly you want to do within the cyber domain..
Hey anyone got insight into OTW on twitter? saw his profile and website. Just don’t know much about major players in cyber security
In a dilemma.. hiring manager is negotiating salary, no formal offer yet.. but I feel like he wants me to accept, say yes… I already asked for time to consider other options I have, that was 2 days ago.. they offered and I countered, so don’t even know if they met my request. And at this point I’m feeling pressured because I’m still interviewing at other places .
if there is no money on the table, you are under no obligation to accept
"I would like to accept, but you haven't sent me the employment contract yet"
that should both buy time and inform you the details for compensation and benefits
Actually, the A+ helps you to understand the machine you're testing on and does help in being able to troubleshoot your own computer problems.
And upgrade your system, as needed
I didn't like it, go for Sec+ or Network+ 🙂 You can solve your self troubleshoot, no need a certification, just google

hello everyone
Hey guys! Would a customer sales executive job be considered as an entry level job/helpdesk job in IT?
someone here have done burp suite practitioner exam?
Yeah, but I got a bachelors in computer science so would I really need it?
Thinking more about doing this instead 😁
Yup nice certifications
Information Technology jobs are some of the more sought after positions in today's economy, but how do you get an IT job without industry experience? In this video, I'll break down the four most important elements needed for any job hunt, and you'll learn some tips for getting some practical experience even if you've never held a formal IT posit...
hey guys just wanted to ask about cyber sec career and potential kind of things
just attended a workshop on ui/ux today the seniors were talking about how good prospects ui/ux has
and getting a good entry level job in cyber sec is harder
i researched a lot on these things in the past but after todays workshop couldnt help but ask
look, not gonna lie...I have the same impression and even though it's purely anecdotal evidence, every time I look up someone in LinkedIn who's working in a UX/UI role...they have some degree that has nothing or veeery little to do with IT (Sociology/Law/Biz admin/Marketing) and they had a bootcamp under their belts which clearly got them the opportunity to get their current UX/UI job. Can't say I've seen the same with cybersecurity.

GREM
I'm not a senior or anything even close in cyber but IMO if you want to pursue a career in cyber you have to really want it. By it I mean the in-depth knowledge of Computer systems, IT/Web infrastructure and how to make, break or defend it. Without that drive, you might easily get sidetracked if something easier comes along.

I mean, I could have gone down the path of developing and earned fat stacks of cash (easily putting me in the 1% of my country. By far) but...I don't really like it. I enjoy programming but it's not what I want to do for the rest of my days. On the other hand, I know that I'll get job offers and a decent salary for my skills if I keep on working in cybersecurity and it's something I enjoy 100%
so you have to take that into account. Perhaps you do an UX/UI bootcamp, get a well paid job and then find out it's not what you really wanted and it's not something you enjoy at all.
Hello everyone. I recently connected on LinkedIn with a sales recruiter at my top choice for a cybersecurity company. The main commonality is attending the same college, and of course the interest in the industry. I have a pretty good idea of how to open the conversation more and network, but I'm wondering if there's a certain way I should approach it or something specific I should mention.
@waxen plaza be upfront with your intentions and something that I love to lead with when looking to move into an organization is to say "Hey, what can I look into and learn right now to make me working there integrate faster?" If the org uses specific tools or platforms while you might not have previous experience with it you can start looking into it. This communicates that not only do you want the job but you want to be a part of that team.
I want to ask,which cert is best for pen tester to get more practical hands on approach?
GREM but I'm biased af.
OSCP or PNPT. :) Look into them and see what fits your situation.
whats PNPT?
TCM's exam/cert
TCM?
TheCyberMentor
ah ok, that one i heard before
I forgot the main part ,it will be my 1st cert of cyber sec
1st cert, is easy to get with certs from THM, ok not a macro cert, but at least a micro-cert
You can do it!
A lot of people do. It's just nowadays there are other options that people do first as a "warm up"
I want it to apply for jobs and also get proper,structured knowledge
That's a certificate, not a certification.
Definitely OSCP then
Out of those two
A certification has industry recognition, a certificate from THM really doesn't
Ideally search for job descriptions in your local area and see what they want though
cert is short for both
Currently I am in india I also prefer oscp because of its practical element
If they're talking OSCP and jobs, they mean certification. Context is king.
dont agree with that, you always can make impression with THM certificates
You're welcome to disagree, but they're not the same and you CANNOT lump them together. It's been covered here a million times
every thing counts if you apply for a job, if you cannot appreciate the small you also cannot appreciate the big (its never good enough)
@sour pike #cyber-and-careers message have a read
#cyber-and-careers message More accurately from here
@sour pike its not about the appreciation of the paper, the point is, certificate and certification are not the same
i am not telling you that they are the same, i only tell you that everything counts to make a good impression to apply for a job (certifications, certificates, experience, even experience in playing CTF's or other extracurricular activities)
OSCP it is then.😀
Just bear in mind OSCP doesn't have as much value in India
For some crazy reason, employers seem to like CEH which is not a good cert
Right on point mate I wanted to include that but somehow I did not mention it I really dont like ceh
Last I remember they have diff exam 1 practical and 1 theory but not in one package ,if the structure is diff now correct me.
These recruiters seems to prefer theory over practical😑
Did an interview with a school district today 🤞🏼
GREM
yup they prefer Theory just because it's more famous than practical and cost 1200$+ than practical
lol
but practical is useless i prefer to go for offensive sec
I am currently not working in cyber security but my job has a cyber security department. Would it be a good idea to get in touch with them about my interests or should I wait until I have security+
sure wouldn't hurt
I am in the same position and I emailed the information security department at my workplace. They allowed me to shadow them and the manager became a mentor to me too!
I am also seeking out people in my country who are currently working in cyber sec
Did they give you any kind of direction to work for them?
If you guys have a dept of cyber sec surely get in touch with them
Oh yh, there are roles coming out at some point but the organisation is having a huge shake up so not sure when the roles will be out. But I'm keeping my options open to work elsewhere too.
I'd also suggest networking wherever you can, here, other related servers, twitter, career's fair and linkedin. It is exhausting if you're not social butterfly but well worth it in the end as you have your go to people to help you out when you need it 🙂
@stable delta what you are doing currently with the cyber sec dept of your org?
They added me to their mailing list for talks, career's fair and courses for the time being. The rest I research myself. Atm everything is in limbo due to organisation shake up, my own work being super super super hectic and personal life stuff. But to ensure I keep learning I and a bunch of other people made a study group on here and do rooms every Sunday (morning for UK/Europe people)
And also one of my friends works in that dept so he keeps in the loop of anything coming up
You got it mate slowly slowly you will get there even small improvements daily will pay off in long term keep it up! I also try the same approach if I have lots of thing to do but keep hacking as a habit.
Yh I kinda knew from the beginning it'll take me a while to get my foot in the door so I'm not too worried really. But if you're interested we have a #917563091644985424 thread you can join for studying! May I ask what you're doing?
Currently I am in last year of my comp
Eng and learning to hack and want to get a cert to get my foot in the door in industry path similar to yours
Oh sounds cool! Well good luck with it all and hope you manage to get your foot in the door for cyber security too!
Best of luck to you, too. Will be seeing you in the study group.
Hi everyone, we're (Fanatics) looking for an intern for the summer of 2022. Is this something anyone would be interested in? If so once we get the req approved I can post it on here.
The title would be Security Operations Analyst Intern and you'll be working in a SOC located in Jacksonville, FL.
A lot of people would be interested. Not sure many of us are specifically from Florida though. 😄
Got one in indiana?
@urban sapphire might know some people in that area
Honestly I don’t 🙏
can't believe our resident Floridian doesn't know anyone in Jacksonville smh
Florida is a long state, long way from south Florida to Jacksonville
I know someone in Orlando looking for Summer '22 internship but that still isn't going to help
Takes over 9 hours to travel from Pensacola to Miami.
So advice,
I got past applying and got asked for a phone interview,
Okay sweet,
So the recruiter asked me to give my availability for the week okay sweet I did. Never heard from them. New week. I follow up. They ask if I’m available that day to talk I say yes. Okay they cancel ask if I’m available next day, I say yes. Never hear from them. Okay I follow up, they ask if I’m available and say confirmed they will call me at so and so time I say okay, never heard from them. ….
I'd email the recruiter and say that you aren't comfortable working with them due to their inconsistency and move on.
Was this dealing with a recruiter or corpo talent acquisition?
Recruiter
I'd ask if the company is cancelling, or if it's the recruiter playing schedule games.
If it's the recruiter, I'd ask for another contact at that agency. If it's the company, I'd tell the recruiter I'm not interested in working for a company so dysfunctional they can't host a meeting they asked for.
Not being able to confirm a time they asked for is a huge red flag for me
yup
Hey everyone! How do you write a resume for an entry level job in IT especially if you don't have an IT/CS bachelor's degree or experience (but you do have a few projects to show)
there are lots of websites on that, here is one https://www.indeed.com/career-advice/resumes-cover-letters/how-to-write-an-entry-level-resume but also make a projects section
Thanks a lot! I've just been wondering if recruiters look at your degree or how many times you've changed it?
I wouldn't put degree changes just the degrees you have earned
?? how many times you've changed your degree? If you have a degree, you should post it in your resume. If you are in progress, then post your current in progress degree
Also, Latex and Awesome-CV are excellent resume choices
I've completed one diploma in metallurgy, and then a degree in biomedical engineering
So I'm just wondering if it reflects badly on a resume
stuff like that is really country dependent on what you would put, but it wouldn't reflect badly on your resume
Ohh thanks a lot!
Yeah, I don't see either of those being a detriment
Oh cool! Because I've been having trouble finding jobs since I've switched my field thrice
It's not an abrupt change after BME because a lot of it is connected to embedded systems
But that jump is kinda hard to explain
When I was exiting college it seemed, from professors and Alum that came back, that Cyber Security was going to be the next rush in Biomedical Engineering
Sorry I really can't. They were talking about medicine in general but mentioned BME and then more specifically the security of devices that have direct control over people like pacemakers, insulin pumps, etc
Oh yeah, recently there's a surge in IoT based cybersecurity
Thanks though! Needed this guidance
out of curiosity...is this PwC lol??? Because that was my experience with them and abandoned ship before it set sail
I don’t know who that is butttt. I messaged another recruiter of the company and lucked out getting a new recruiter after telling them about it politely and they thanked me to get the chance to fix the experience I had
Do y'all get yearly evaluations? What's the format like?
Anonymous peer feedback going into a meeting with HR.
Goals for the company, goals for personal/professional development, and anything you'd like to add.
Thanks James
I think it varies from company to company and even within the company I'm in, it has changed over time. Generally for us, we write goals for the year, then write how well we did on those goals. Then we have peer reviews which weigh in on how well we did our goals. Then we talk to our manager about our goals and how well we did, things we need to improve on, things we want to focus on for the next year.
Thank you for the feedback Zojja
What type of things should you expect during a Help Desk Interview (Specifically an Internship if anyone has any insight)
I had an interview the day before HR calls me the next day that they found a candidate but there’s going to be an opening for another position and they want me to apply what kind of.. man!
I'm looking for remote jobs! Really hard to find
hi guys! same here
dont even know what to do, I'm really enjoying cybersecurity but I don't feel confident on landing a job here. So far I haven't got any certs but I 've been active on HTB and THM for a while, and even started my own blog a couple weeks ago to try to demonstrate that I'm really interested on the topic but man I'm desperate
I'm considering switching my focus to python or web development because I think it's easier to find a job although I don't think I will enjoy those as much as I enjoy pentesting
Don't give up sir. I have 4 years exp as Web Dev and 2 years as AI researcher. I've decided to switch to cyber security last month because of my job as a police officer. Maybe you should get a cert? It's the shortest way to prove your skills
yeah I'm thinking about doing eJPT, I think I can pass it but don't really think it's gonna land me any job
still a bit of time ahead before I get to OSCP level, plus the fact that it's expensive, thats why I was thinking about maybe switching to a bootcamp which might be a safer option
Pentest is not a task that usually gets assigned to entry level roles.
Easy come easy go. Trust me. Keep your hard work. It is not about "I must get a job", it is long career.
Penetration testing also has a much level of risk associated with it, and requires more knowledge across the board to not unintentionally break the items in scope for the test. I'm not trying to discourage you, just be realistic with what your next steps to get to that point should be.
Also understand that the value of a pentest is in the report that gets handed off to the client - cannot stress enough that the final report makes or breaks the value of the test.
yeah I guess, anyway I got into this as a secondary career because my main career is still being struck by covid. It's hard not to get demotivated
yeah. we always have to be realistic, that's why I was thinking about switching. I guess
Dev can also be difficult to break into also - look for qualifications for the jobs you find interesting on linkedin or indeed or hired, and start looking at what it takes to get there. OSCP is industry standard for pentesting in the US, but preferred certs and quals are going to be different based on region
yeah I'm from Spain, I think OSCP is a must but some enterprises here also require a degree which I dont have because again this is a secondary career for me
but I wouldnt mind working remote for an US enterprise
You're right. Every area has its own challenges. @warm hinge you have to be really patient this time. If you try hard enough to break this entry, you might have better feelings :3
thanks man, I guess it's a matter of being constant. I've started a cybersec blog a couple weeks ago, do you find that a good idea?
I've just started so I have less experience in cybersec. I'm looking the answers for the same question haha
But I have couple of papers in AI topics and exp as dev and research help me a lots
Why don't you get a degree?
4 years of university at least, by that time I think I will be working on something else
Its not worth really
my main career is aviation and hopefully I can get a job there way before 4 years ahahah
Yes, absolutely. Communication is the most important skill you can develop.
Hello sir. I'm planning to get OSCP next year but they'll change their exam structure next year. Can you give me some advice?
Nice I'll continue running it then!
I don't have an OSCP cert - and I haven't been following the exam changes.
I don't have OSCP yet but I plan to get it within the year. Lots of folks have been freaking out about the changes and have been posting videos. John Hammond recently put out one that I thought was pretty informative.
I am taking Pen-200 right now and the primary concern was for people who were expecting to take the test early next year but after Jan 10th as well as those that have run out of lab time. Overall, the changes are better for the cert in itself as it tests something you are more likely to see. I wouldn't worry too much about those that have not started studying yet, we will just need to hear from people after the new test takes effect to see what they say about it.
new changes are good because it ensures you have the required skills to be a penetration tester
the real world runs on AD.
Changes are good, execution was not.
execution was fine. They could have switched it and not said anything like literally any other cert vendor.
you're not supposed to know anything about the OSCP exam environment prior to the changes, so instead of hate you should be thanking them for making it more clearcut ;x
something a lot of people miss is everything about the previous exam environment has been leaked. Not officially published by OffSec
if you had gone through the full course with expectation that anything could be on the exam, you would have been perfectly fine with these changes.
at the end of the day it was <insert person's name here's> choice not to do the AD section and it really shows who it's biting
Certainly there are people who did the AD portion that were still nervous about that aspect of the exam. It is natural to nail down the concepts you know that are on the exam even if you weren't supposed to know they are on the exam. So people who have done AD but also studied buffer overflows over and over would still be upset
What type of things should you expect during a Help Desk Interview (Specifically an Internship if anyone has any insight)
check out this link (it's about the new subject in the OSCP exam: hacking AD): https://github.com/zjja/Cyber-Notes/blob/main/Learning/Active_Directory.md
That you know the number 1 advice "Restart the computer" and that you are able to communicate properly
Yeah fair enough
True something that many of us took for granted. But it is actually pretty bad
Also the AD part will help being prepped a "bit" more for OSEP I think..
I'm not too worried it's just going to be my first proper internship and thought Help Desk would be a good place to start in Cybersecurity bc I highly doubt I would get accepted for a Networking Position rn
If you don't have any certs or experience then you would not get accepted for networking indeed
So you made the right step 😄
Get your feet wet and try to stick with the sec guys
Yeah I'm currently in University planning on getting Certs starting Junior / Senior yr
I mean insofar as so much is known about the exam, isn't that because a lot of people (especially the makers/arrangers of the common tools people used to study for it) felt that OffSec's training materials were insufficient?
Like TJNull's list probably doesn't exist in a universe where PEN-200 isn't a slab of a PDF and a "Good luck! Try harder!"
I'm a CCNA and preparing for CCNP SECURITY, I discovered tryhackme few days ago and it looked very interesting to me so how can I pan out my career ? Can I do it in both the fields ?
What do you mean can you do it both? Do you mean both network security and offensive security?
Hello All,
Curious if you guys can give me a bit of direction. Specifically the people who are currently employed haha.
I work as a school teacher now and I'm in my early 30s. I do not have a bachelor's degree and my aim is to pursue a career in cyber. It's something I'm deeply passionate about and have been casually doing ctf's for a couple years and enhancing my knowledge.
I am considering going back to school to pursue an undergraduate degree. My question is, are cyber degrees worth the time or am I better off going cs to learn programming while attempting to gain certs while in school? That way I'll have more options when I graduate. I'm not passionate about programming but I do have some interest.
I could also finish my AA and do the last couple years in cyber.
I'd appreciate any info or direction. I'm located in the US btw.
Another concern I have is am I too old? Will it matter if I have a degree and certs if I'm up against 30 somethings with degrees, certs and years of experience?
Picking a career path is always a personal route - certs get you the interview, not the job. I'd also survey the jobs you like, and see the certs required
Much appreciated man. I have been poking around and seeing what companies are asking for. Seems most want a degree but I think it's like most fields, your experience, personality and work ethic can be even more valuable.
Yes , I heard from some guy that companies are hiring those employees at better salary who have knowledge in both the fields
The advice I've gotten is that it's better to be a generalist because things change.
Good to understand many areas.
This website might answer some of your questions about pathways, certs, education, etc.: https://www.cyberseek.org/
Hack the Gap: Close the cybersecurity talent gap with interactive tools and data
Trust is the most important thing in security. You need to be able to be trusted to be competent, a good communicator and to be trustworthy. CIA triad is fundamental, especially for entry level trying to get in
this is very helpful, thank you.
I'm still confused about where to go in
Do what you like and you'll find a place
I just bought the subscription for tryhackme and will go with flow
Have broad knowledge, be good at something. You don't have to know everything, but it's good to know something about a lot.
Yes and no. Understanding tools and knowing a tool very well is really useful. Being able to translate that deep knowledge to another similar tool is also a high priority when shifting jobs
naturally. thank you juun
Security is such a huge domain, I think it makes sense to specialize first, and cross apply that domain specific knowledge to the other silos
or specializing in specific tools and understanding how those tools apply to the larger scope
Agree. When it comes down to it, it's good to be able to say I am an expert at.... something. Most jobs don't require you to know everything about everything, but you have to know how the parts fit together.
that's a really good thing to know because what I felt for so many years that my knowledge isn't good enough for the industry but when I look at people who are actually working have less knowledge or faded knowledge than me and now I should apply for a job
The imposter syndrome thing is real and it's a big deal. I feel like that a lot of the time. There is just so much to know and there will always be someone that knows more than you. Something that people in the forensics side like to say is that most security people don't think they're experts, but they are experts compared to most other people.
Another area where we have to be strong is communication. I know many cyber people that do Toastmasters to build up those skills
true
I'm preparing for OSCP , but really guys.. What you learn with OSCP?
Hack some unrealistic boxes?
I need to do this exam just for job.. But it teach me nothing
i hope in 2022 they do something good.. And good courses too
I think it is too overrated certification
I will never have this problem. Simply because I have a degree, and only I know what I had to go through to get it. I studied really hard and after 5 years I deserved it. Thanks to this, now i'm an Engineer and I will never have this problem.
OSCP is mostly learning about methodology. If you've already learned methodology on your own and understand the concepts already presented then you are a step ahead of many people. I find the PWK/Pen-200 course to be full of useful information, lots of practice and a good way to practice methodology. I mean, sure its not a lab of hundreds of windows xp/server 2000 machines so you may find it unrealistic but a lot of it has to do with being able to research what you do find, figure out how to solve it, figure out how to document it and present a report, which is very realistic in job terms.
if you've spent basically any time in hacking prior to your OSCP, you're going to get significantly less out of it.
but aside from the new exam, there isn't a ton more that you can get out of it
and what Zojja said, report go brrrrr
Yup, anaway i'm with this guy
I recently sat for the PNPT exam and had a great time. For those of you that have not heard of this exam it is a hands on penetration test…
PNPT vs OSCP this guy had each
The TCM training stuff is really good. Also a report with an oral part? amazing... but it will take a while for PNPT to really catch hold as something which HR is looking for in critical mass
Also, I don't know why anyone would listen to the videos, I think fluff mentioned for things like buffer overflows, but I've been through the entire PWK PDF and it is excellent, lots of good stuff, and I never listened to the videos
I agree with this somewhat but it is making headway between hackers and cybersec workers who would make good networking opportunities and could be potential referrals in places where they currently work as long as you're earning a good reputation
sure true enough although the HR gate can still be tough, and one thing OSCP is good for right now
and I might be unusual but not according to the OffSec discord but I don't need OSCP, no desire to be a penetration tester and no jobs I'd apply to would ask for OSCP, I do TCM courses but have no desire to do the PNPT.. I think one of the biggest benefits there are the oral presentation part, which I do every week if not a few times per week
Yeah absolutely, OSCP is one of the leading HR pieces, along with several of the ISC2 and ISACA certs, depending on the role. Most HR specs tend to unfortunately insist on high level certs for entry/intermediate positions and most recruiters aren't looking for a high volume of offensive applicants. SOC and engineering roles are getting a lot more attention
That reminds me, I need to do a couple of presentations for projects due this week in college 🤓
presentations are great, painful at first, but you get used to it. Also to its credit, OSCP will be recognized as an industry cert outside of penetration roles
Very true, a lot of managers and teams recognise the benefit of understanding attack methods as part of providing protective services
a huge part of my job is building threat models and attack trees, which are a paper exercise but understanding offensive aspects are good for that
Yeah a lot of the defensive measures we put in place for projects require recognition of potential vulnerabilities and either guidance on how to overcome the issue or performing pentesting to demonstrate security flaws at various stages of the production process or both
Why do employers put a pay range in the job listing, confirm that in the first interview, then turn around and say they can only do like $7 less an hour
And then they get like offended when I tell them I won't accept that offer

Because they are playing budget games.
They may not think you are worth that extra $7/hr, depending on how well they think your current skillset fits into the role
Salary is a negotiation, finding a middle ground and they also want to see if they can pay you less than they know you're worth. A lot of organisations are finding that they become training grounds for deeper-pocketed orgs and kind of grow into hoping to get a couple of years out of you at a lower price until you have the real experience to demand the higher pay
Many organisations find that their lower salaries can only retain quality engineers for a certain period until they up sticks and move on, unless there are other benefits to staying, such as location, technologies, advancement etc
That's also true. Also check the title; if the pay at that company is significantly less than industry standard in that area, it's likely they are paying people with titles not money
A lot of large orgs will also focus on moving you around to different departments at your level for various reasons, as they don't want you to be the golden goose of your technology area and they also want to ensure you don't burn out if your work is beneficial
Even larger organisations get stuffed in the upper levels so they have to keep you interested, engaged, give you new opportunities and try to give you a competitive offer and they balance out their needs and yours in a lot of different ways...
Would suggest going for a place that has opportunities to try several different roles over a number of years and provides support for training
Hi guys! I have the option to enroll into a university next year but I was wondering, are your university degrees related to your current career in cybersecurity?
Do I need a degree? Can I get a pentesting job with only certifications like CEH / CompTIA etc?
a lot of that depends what country you are in and where you are at skill wise. I would consider college generally to be building your foundation for your future career. Some countries, College seems to be a must (India/Europe?), others it seems very optional (possibly UK) and US often has alternate paths but lots of traditional companies want college degrees.
like in the US, a frequent alternate path is the military. Sometimes people are able to work up through the ranks starting with help desk. Help desk is a common suggestion throughout various countries though
I see. I'm currently in Singapore. To be honest, I have no idea where I am skill-wise. I've completed a lot of THM rooms, I've done a lot of CTFs, but I don't really know how this fares in terms of "real world skill"?
But skill aside - Assuming I can get certifications like the ones I mentioned, would there be any issues in terms of employability? I'm just thinking if I should attend for 4 years OR simply just keep learning things online and achieving the same amount of knowledge anyway..
yeah you'd need to talk to someone in Singapore to determine how critical going to college is or what certificates are best
I think in the past, people have mentioned that Singapore is more college heavy than other areas but I could be wrong
Oo. Do you know any active members from Singapore?
Yes, generally, employers in Singapore look for a degree as their first criteria. But I'm not sure if this is applicable to infosec-related careers as well.
possibly, I know one of the mods from InfoSec Prep is in Singapore (a different discord)
Oh! That's really great to hear. Thanks, I'll check it out. It's currently 4:30AM here though so I doubt they'll reply but I'll update you tomorrow :)
@misty narwhal My company has an office in SG.
"Why did your peers choose you as a nominee for this award?" Don't say, "I dunno, I'm just happy for the opportunity."
I believe foleosy from the OffSec discord is from Singapore. That may be who Zojja's referring to
I think it's always wise to enrol in a university if that's possible. It not only enhances your knowledge in cybersecurity, but also in the field of doing research, working together and change of mindsets (personal experience). A degree also enlarges your opportunities abroad. There is always time to learn and get relevant certifications!
Good luck!
Curious of everyone's opinion on this, but would it be a good idea to jump right into Pentest+ as a cert concerning a path for employment and continue up the chain, or would it be necessary to almost mandatory that one gets the more foundational stuff like Security+ and even Network+?
Depends on your timeline and existing skills. But Network+ contains invaluable skills for IT/Cyber practitioners. And Security+ is a baseline of the security environment you will encounter from network, to IAM, to vulnerability management and offensive security topics.
Here is the intern position I was referring to before. We're trying to create a pipeline for future candidates. Come join us this summer if you're trying to break into Cyber and hopefully you would consider us for full-time employment. 🙂
https://jobs.lever.co/fanatics/7d2909f8-a2ec-4f13-b218-d7a7d65ad399?lever-via=4NS0llbs1I
Fanatics is searching for a Security Operations Analyst intern to join our Information Security team. Information Security team members are given a great deal of autonomy in the pursuit of keeping Fanatics secure and a successful candidate will demonstrate a strong work ethic, superior communication skills, and is expected to be comfortable and ...
Might want to ping a mod about getting the recruiter role so you can post that in #jobs-board
Interesting. What I'm ultimately aiming for is the offensive side of cyber security and whatever it entails. I've come to really like the idea of being a red/purple teamer and want to jump into that as a focus so I've been curious what I should try to get to essentially "prove" myself to employers and a lot of what I see is in reference to stuff like the OSCP, CEH, eCPPT and the like so that's where I was curious whether or not having the more foundational certs mattered as much or at all in comparison to these more focused and demonstrative certs.
certs get you through HR robots, knowledge is most important
certs are also important for jobs that require 8570 certification, it's a DoD thing
so, contractors care about that
so, in short: go look at the job you want and go read their requirements. figure out if it's a wishlist or if it's a legitimate need. either way you'll probably get a sense of what they are looking for
Hmm. So it's more of a tailoring kind of posture to take rather than looking for a one-size-fits-all approach.
I'd say so. I mean if you take a look at the NICE Framework there's like 52 job roles they list and there's overlap in places. you could compare what you're interested in doing and look for patterns. if you're working for yourself on bug-bounties no one is going to ask for your bona fides, but if you're trying to work for an employer (especially one who takes on government contracts) you're beholden to the structure they set up
computers will filter you out based on what pieces of paper you have, once you get past those you'll have interviews with actual people who will see what you've got
Hmm. Well bug-bounties and stuff free-time based I'd probably look as side-hustles and aim for actual employment and possibly government contraction, so I guess I'll need to look up stuff in association to that. I live in Canada, but I imagine Canadian requirements and government standards aren't that far off from American ones.
Does anyone here work for the DoD in cyber?
I think moose said something about that
Ask your questions and I'll see if I'm able to answer them
So, currently active army. Looking at transferring out in spring 2023. Currently looking at the certs required on the DoD webpage and such. I guess I just need some explanations on what's required and what's just extra experience? I have 0 experience right now, working on some CompTIA certs like security+, networking+ and A+. I don't have a degree, but will have almost 9 years of service with multiple leadership/management jobs I have fulfilled. Also currently don't understand the levels. I.e. IAT 1, 2, 3. ... IAM 1,2,3... CSSP etc... And what those jobs mean and such lol.
Sorry I'm not smart on this field yet 🤣
Absolutely ❤️
Anyone have experience with IoT/Embedded or Automotive systems?
Please DM for details about a job opportunity!
Net+, Sec+ check boxes if you want to work with/for gov contract companies - if you maintain your clearance, that's a good way in. Moose will know more about that world than I do though.
We had a good long chat
I don’t know who can help me but I’m trying to decide if I want to go for GIAC certs, GCFE or GCIA… I don’t know which to pick
I also don’t really know what I’m interested in but maybe if anyone knows what they have to offer? What kind of jobs it more leans to? Or what is most beneficial? I’m so lost
Hi guys, If you were in highschool going into college, what would your end goal be?
Would it be to work at a big company like offsec or Google or to create your own business
Or anything else that you could do as an end goal
My end goal would be to graduate college
Graduating is good
I know it seems silly but focus on what's in front of you before worrying about what's ahead
Things change so much so fast long term can be hazy
If you look too far you're going to get slapped in the face by something that's right in front of you
The question should be what do you want. What do you want out of life and how can you position yourself the best you can to meet those wants
I have no idea therefore I have no idea which cert to take
Doesn't mean those wants are going to become a reality though, because frankly, that's life
Sec+ should realistically be the only cert you're paying for out of pocket in my opinion
I have GSEC
Maybe CCNA or net+ too
But anything higher than that I think is way out of budget for people
So I have to kinda pick
Didn’t really want to talk about money though but.. just wanted help ❤️
Oh sorry, I didn't see you had asked a question
Ahh it’s ok. I don’t know many people who can answer.. career counselor told me to pick what makes me happy lol I’m still stuck
The post from Lonervamp seems relevant
Ahh it’s GCFE (so windows) but similar yah
No no this works well!
Cause the GCFE really is the start of the forensics line of courses for them
It worried me that the sans website reviewed GCIA as one of the hardest courses they offer
But it makes sense that forensics with memory analysis seems more on-site and less remote. And I really want to work remote
It’s also good to know there are some other pentester certs out there, I really didn’t want a pentester course; I feel like working through THM or other places can help me learn without a cert
Personally, I like digital forensics so I would probably go with GCFE myself. I'm sure others are better equipped to discuss these certs than I but, based off the names, I would assume GCFE is more the "this is how you analyze the data from the responders" and GCIA is more of a networking incident response type thing?
I think if I ever got stupid amounts of extra money I’d like to go forensics route for sure. I love analysis and forensics both.
GCIA seems like something Network Engineers would do
What worries me is that GCIA is so close to GCIH that I don’t know if necessary?
I have GSEC and GCIH
Yeah, I've never really looked into GIAC stuff
I blame KringleCon for getting me into this mess 🙂 but I’m grateful. I rather be in infosec than accounting lol
Wait im a dummy. GIAC is SANS
Yah
So yeah I've been eyeing the FOR498 course
Ohhh
I got a one hour lunch and learn with them and it was probably the most I've learned in a single hour ever
Oh man! I’d love to sit down with any of them! I’m really enjoying the classes I had so far and they’re not even talking to me; it’s all videos
Forensics was initially what I wanted to get into when I started but hearing it might not be super remote friendly got me second guessing.
Yeah, I wouldn't think it would be remote at all given the cost of some of the tools and systems as well as the sensitivity of the data
Seems like a valid end goal, thank you
Gave +1 Rep to @stoic cave
I guess it's like the argument of being in the present or the future
And how school makes us keep thinking about the future instead of in the moment
do you think if I do as many rooms as I can on tryhackme, it is a definite way to get good at this field?
If you support your learning with other resources too, then I'd say so. Hacking is about understanding how stuff works first, then breaking it.
Just completing rooms and not trying to understand as much as you can won't get you as far.
Gave +1 Rep to @quick forum
I understand , thank you
What do you recommend for other resources
Any good books?
Hey everyone! Im not sure if this is the right channel to ask, but I was thinking about changing my masters degree program and going into Cybersecurity. My bachelor is in Information Science (IT) but I dont have any prior knowledge really in cybersec, just basics. So in order to get into the Cybersecurity program I was thinking about getting a comptia sec+ certificate to have some knowledge in cybersec and not just go there completely new and lost. Do you guys think its a good idea to do that, or what else should I look into in order to gain some knowledge and be fine in a cybersec program?
In my freshman orientation they said, "look left, look right, one of you three will dropout". It me 😭
They also mentioned that over 50% of the people who get a degree don't wind up working in the field they studied. So chew on that one
I'm not 100% certain about the source but they bring up topics one may want to research https://whattobecome.com/blog/college-graduates-unemployment-rate/
Hmm, I've done some calculations on roi and uni seems to be the best option but I don't know how to actually research for jobs that would accept me
It's kind of hard to look for jobs 4 to 6 years in the future
wowowowowoowowowowowow. i had to do a challenge, passed it, got scheduled an interview, they cancelled for after christmas and now i got a message that the position is filled and i didnt even get an interview
I take it wasn't a large organisation?
f-secure
May I ask where this would be? If you're not comfortable sharing it here, but would be in private, you may DM me for it.
That isn't uncommon. There is actually an approximate satisfaction algorithm for hiring
whats that mean
Finding a link/paper now
Basically, you randomly sample 10-25% of the applicants to form a baseline
Then you take the remaining candidates, and interview until you find the very first one that meets the requirements you figured out from the baseline
then you stop interviewing
so if you get 1000 applicants, you interview 100 to get a baseline
from the remaining 900, you interview until you find the first candidate that is satisfactory enough for the job
Currently waiting for a job offer or a kind no thank you after 4 rounds of recruitment
so if they schedule for say last week. cancel cause its busy before the holidays and tell me to wait until after the holidays, but then tell me its filled, its their algorithm?
i would understand if,
im an applicant in that algorithm, and they planned their schedule for interviews properly, not cancel reschedule and then hire
best of luck to uuu !
Thanks
Gave +1 Rep to @tough spruce
Business changes
It may be that the candidate hadn't accepted, or they hadn't made an offer when they rescheduled
so the interview was still valid
i guess that makes sense unfortunately
Most people aren't deliberately malicious - poor planning and change are much more likely causes for stuff like that to happen. All you can really do is recognize that there are other pressures working on the situation, and accept that there are things that won't be explained and that won't be in your control
Most annoying thing is when recruiters wont inform applicants if they're not getting an interview...like total radio silence
When that has happened to me, I stop responding to emails from those recruiters, even if I was actively looking
There are enough recruiters out there that you will find one that will act like a reasonable adult
@flat sedge you had good advice on that too though previously to me and said try reaching out to another recruiter in the company
in regards to you @queen cargo you can try another recruiter in the company if youre having trouble hearing back and the position isnt filled yet
Oh that doesn't relate to this particular one, meant more generally
It's common, but it doesn't make the org look professional. It happens even with larger corporations, but is more common with small companies.
OSWA vs OSCP?
if you're getting into pentesting, do oscp
What do y'all think about this InMail I want to send to a recruiter at a company I'm interested in?
Hi,
I hope all is well. I connected with you a few weeks ago, as I saw we both graduated from CSU and have some mutual connections.
I also see that you're currently with SentinelOne, which I've noticed is one of the leaders in XDR, and also happens to be my top choice for the next step in my career. I would love to learn more about your experience and how I can best prepare myself for any potential opportunities.
Thank you,
Gabriel
well said imo, I wouldn't change a thing
After rereading it more thoroughly, I think it's fine
You don't necessarily need to send an inmail if you're already a connection
When I was reaching out to alumni I would send a short blurb such as the following:
Very Respectfully,
*redacted*
Then they would usually send over their phone numbers and it would result in a hour or so conversation, if not longer
Did you take the exam?
crto isn't from htb its from zero point security
Only 3 jobs on LinkedIn are looking for the CRTO certification it looks like
i see so many guys on LinkedIn that write "CRTO" and when i see their profile it's a certification from htb
it's from zero point security lol
Googling it produces results from Zero Point
whoever is putting it from HTB has no idea what they're doing
CRTO is the certification for the RTO course
i can tell you why they're putting it from htb, but it's not from htb.
Rasta made Rastalabs. HTB bought Rastalabs. Therefore people correlate Rasta (and his company) with HTB.
how should i go about deciding what position i should aim for in cyber security? at first i was dead set on pen tester but now that i've broadened my knowledge more i'm not sure where i want to go into in the long run, im still heavily a beginner with everything info / cyber sec but i'd like to hopefully have a goal. i did the aoc3 career quiz and got incident responder and i thought that was pretty interesting too, my main interests are most likely pen testing, all forms of ethical hacking, red teaming, incident response
So there is room in security for a lot of different roles, goals and careers. Pick a domain that interests you, and build out from there. Depth before breadth, but you'll eventually end up with breadth if you stay in security long enough
Awww shit I got the job
yup but i think is not valid as certification
but sure you will learn so much things
It infuriates me when I look for cyber security roles and the "entry" level ones demand 6 years experience... wtf
This is usually because cyber isn't an entry level field. A lot of people will have a LOT of experience in IT first before changing
This is changing, but it's still mostly the case
I get what you're saying with regards to IT experience. What I've seen though is companies putting up an entry level position and then demanding 6 years experience in cyber security
Also entry level pentest would be different to entry level analyst
But if you think a company has silly requirements, don't apply
Yeah no point in applying if I don't tick enough boxes for them
Yo
I'm a total beginner at cybersecurity. Is it worth to buy the thm premium? Should I have a better knowledge to understand further modules or I can get this knowledge through the course?
THM is beginner friendly
It's entirely up to you, if you feel it's worth you investing money and time into it. There are a lot of free rooms, some you can only access if you pay for them. There are also some perks that come with subscribing. To me it is worth it
Thats insightful, thanks
Gave +1 Rep to @inner elm
no problem. I'm used to rejection so it doesn't hurt so bad when I get told no and have to move on 🤣
A lot of companies ask for requirements for their ideal candidate, covering all the bases they determined as important. Not checking all the boxes shouldn't stop you from applying, as the ideal candidate does not exist in reality. 🙂
my wife applied for something she didn't think she had a shot at and they wound up calling her before she could submit all the extra stuff that was requested. (in her case you submit the resume, then fill out a bunch of stuff like references, etc view the website)
Thx bro
Gave +1 Rep to @vivid flume
Yesterday a recruiter got in touch for a single role looking for a security engineer to prepare the security policy, write the documentation; engineer cloud, onsite and data centre security; be familiar with and implement secure programming standards and oversee and perform software engineering security evaluations, perform forensic and malware analysis and implement a SOC while being a Linux engineer
Sounds awesome, did you bite?
needed qualifications: Be a wizard
I'm guessing it's likely a small company with a few Linux servers probably looking for someone with familiarity with the field or someone re-wrote a Facebook SRE job description cos it looked slightly familiar to one of those I saw shortly after but no, this week I'm finishing off some college projects and I don't want a pre-Christmas interview
so they're offering 500k minimum right?
That is a lot of roles for 1 person. CISO down to SOC Analyst in one go?
I'm guessing someone's in panic mode. NIST standards were mentioned. Nothing about competitive remuneration. they're likely looking for someone to put out a dumpster fire 🚒
That's more than 1 dumpster fire. That req sounds like a whole landfill is burning
Yeah I think they need to hire a security advisor/consultant to plan their approach from the bottom up
Dumpster fires are fun, where do I apply?
Hey all. Looking to get into cybersecurity. Would like to get involved in the offensive side but know its not really a starting position. Any advice on how to get into cybersecurity or maybe what certs might be good to get starting off. Any help much appreciated.
What previous experience do you have? Degree? Etc.
Keep in mind cyber security isn't necessarily entry and offensive cyber even more so
BSc in computer networks and 6 years as IT support technician.
I don't. Just my degree
Sec+, in my opinion, is the base and then you move up from there. Others can correct me if they feel I am wrong
Was looking at the sec+ or the Pentest+
Sec+ and then OSCP would be my recommendation
Sec+ gives you that foundation and ability to move into another security field if you so choose
Ok cool. Thanks for the info will look into Sec+.
not active in here as much but the other day i was offered a cloud & security engineer role! gotta give it to Tryhackme for getting me familiar with most cyber concepts and practical experience!
Hi everyone, I'm new here. I need help and direction in starting a career in cyber security. I have little knowledge on cyber security but I am a fast learner. I appreciate your help
I just came home from the last day at my old workplace, gave back all my equipment and said goodbye. I'll finally start a new job as a senior security engineer in January, yay! 
congrats 🙂
Thanks! I was at that company for 13 years... Much too long! Need to see something new...
I've been at my company longer but they keep me interested and happy ... for now
For some people it works but in my position it was just company politics lately and that was exhausting.
oof
Congrats 👏
I hope to reach this milestone soon with tryhackme.com by my side
Thanks! THM is really good for training and getting a feel for offensive security. Luckily in my country companies do not look for certs as much as the ones in the US but I will still be preparing to do the OSCP next year. My goal is to land some job in OffSec later 🙂
Noice!
i just want to say thank you to all of you hard working hackers out there that just post random insight and i just lurk here and gain knowledge as i try to get into this field ❤️
Welcome, have fun. If you are new i would recommend checking out #start-here . Moreover if you just want to have casual conversations you can use #general and for any queries you can use relevant channels.
Okay thanks
Thanks
Gave +1 Rep to @willow gate
What about the roles ?
!docs verify
Ok great.
Hey @flat sedge hope all is well!
So I just landed an entry level IT job and finding myself not really thriving in cyber security. Is this the path I need to take in order to get into cyber sec? I'm not doing anything related to cyber sec so just wondering where do I go from here
IT is a common starting point for security. It allows you to learn a lot of technologies and gain the knowledge of the seniors that are there.
Interesting, this is what someone told me. But how long do I have to be here before I can actually start the real cyber sec activities and land a job in related field
coding bootcamp or college degree
Security itself isn't exactly entry level and by going through IT first it allows you to understand how the systems work together before you start making security decisions
They are not the same. Depends on what your goal is as well
I want to work in cyber security i been in Help desk for 6 months
Okay so I'll learn the technologies then if I don't necessarily want to go the degree route can I just get my CISSP and start applying for sec jobs
I don't think a coding bootcamp will help you accomplish your goal then
variable that im throwing in is that my college tuition can be paid for so student loans is not an issue or bootcamp
If your college is paid for, go to college
Do you have sec+?
ok . what can i do while i attend
no almost done with proff meyer video series
30 more vids
That's up to you? I'm not sure what your living situation is like
no i mean i would go for a cyber degree but i mean while im attending school what extra can i do to learn
Not yet my job is going to pay for my A+ barely
Then I'm getting apple and Samsung certified
i live with my girl n babe
Out of your own pocket?
You can start learning the basics by going to #start-here. You can also build a homelab to start learning on your own. Bunch of good YouTube videos on homelabs
Which is pretty cool cause I'll be A+ , Apple and Samsung certified
Others can correct me but I'm pretty sure CISSP is more of a management certification?
👍 thanks
Gave +1 Rep to @stoic cave
I've read online that in order to get a broad spectrum of cyber sec and all the avenues you can venture to take the CISSP
Yes you are correct
They said this
I don't know if i would necessarily get it before you do some of the lesser certs
eh its becoming more ubiquitous but its a decent blend of technical and business knowledge
you also need 4-5 years experience in the field
Right
otherwise you can still take a test and get CISSP associate i think?
Niiiiiice
Yeah it's associate until you hit the experience mark
So certs are okay ?
either way def not in the cards for me for a while
Like Pentest+ CISSP etc..
i have been promised SANS courses as soon as Im off this damn contract 
What type of entry level IT job? There are ways into security from all paths, it's a matter of asking your seniors and supervisors the right questions
I landed a job with Geek Squad as a consulting but soon to be ARA where I will be doing actual repairs and such
"Associate of ISC^2" is the official Jr CISSP cert title
And look at viruses 😍
Juun!!!
I have to clock in now soon in 10 minutes
I will revisit this conversation later i sincerely apologize
Repairs can mean very different things. Do you mean things like cleaning up a customers PC, virus removal, or physically repairing something like a dead board by resoldering components?
No worries. I will be around, on and off, for the rest of the day
Both except the soldering part!!
... You aren't repairing a dead board without soldering. Part replacement != repair, even though they get conflated very often.
More like repairing small components and screens and such nothing soldering related. And cleaning up restoring pcs and other electronic devices
Ok. Physical security aside, you probably won't touch much in the security space outside of encrypted disks.
hey guys i'm thinking about going into the pentest field and i was first sold on my decision that i might just get all the recommended certs but i was looking through job listings, just so i have a reference to future job listings, and i found that a lot of these entry pentest job fields do require a Bachelors degree. I was also looking at cyberseek and it did mention that the requested education for this field is a BA. i'm really torn because there obviously isn't an exact way into this field but i'm just really confused on all the information and I guess I'm just not trusting myself into finding a path and sticking to it. Does anyone have any recommendations as far as paths go? A second opinion would be really helpful or any information honestly! Some background information about me is that I am 21, I graduated High School (2019) with a proficiency in Engineer and Computer Science, have been working with computers since I was 7, just want a change in my life and I feel motivated to chase after this career! I was thinking about going for the eJPT into eCPPT-into OSCP cert route. Currently using tryhackme to get some networking and pentest knowledge in, started this about a week ago haha 😅
getting a bachelor's degree will significantly increase your apply:interview ratio as a newcomer in the field.
look at sites that have job applications (LinkedIn, Indeed, etc) and evaluate what certifications to pursue based on the job you want.
will look into this! thank you 🙂
Gave +1 Rep to @languid hearth
quick question
I'll be setting up a file server along with trilium on server and wireguard, I want to document/ blog about it as you do for proof that I can do things. But I'm not entirely sure which parts of the setup are important to document and include in the blog? if anyone could give a bit of guidance or point to a good example
struggles you had are a good thing to add in
additionally, if you are running it in a container or deploying via an infra management tool, that's a really good thing to have
I see. I still have to get my bearings on how to do everything but struggles is a good thing to add
I'm just using UNRAID on it
just some general things I'd want to see in a blog post like that are; exact version of everything used, deployment method (standalone binary, compiled from source, container, etc.), commands used, hardware information for the server, what the use case is or what problem this solves for you
ah cool, those all sound like good information to have. thanks
Gave +1 Rep to @ancient prairie
and as with any good technical blog post, journalists have a good structure they use where the first one or two paragraph can be read by an 8th grader and sums everything up, leave all the hands-on-keyboard stuff until towards the end
right, makes sense
Is this how y'all feel?
well, you're in a field that has more jobs than people looking for jobs, so not that big of a deal anyway
Yeah, it kind of amazes me how there is a severe deficit of Cyber Security Professionals and companies are still looking for that "Rockstar"
I understand though at the same time because it's a business risk
That mindset from companies worries the hell out of me. Like, just train me and help me fill in the gaps for things I don’t know. I’ll never be a “rockstar” in cyber security. Hopefully when I’m ready I’ll find a company that fits me well.
The fear is that if they train you up in 3 months, you'll be gone in another 3 months when you get recruited by a competitor who gets you trained up for free.
Fair point. But offer me something to keep me there long term. Treat me well and I’ll treat them well.
A business sees a job as a value proposition. What can a new hire bring to the table: add value. Training someone without retainment is a net loss. It is cheaper for them to hire qualified candidates. Training someone is a double-cost (trainer + trainee). 🙂
You’re making me nervous Tim lmao
Everyone is going to be nervous at first. It wears off eventually. 😄
Now there are situations where the apprenticeship model is available. 🙂
So, that worries me as well. Im 30 with a family. If it doesn’t pay well I can’t move forward with it. Im hoping I didn’t screw myself by switching careers too late in life
Another trend is having two part-time jobs, to transition slowly. One full-time job + transitioning will be a challenge, but not impossible. 🙂
Yeah, it’s hard with kids. But I see your point
We have success stories on our TryHackMe blog https://tryhackme.com/resources/blog
I’ll take a look, thank you
Btw, since you are here. Just wanted to say I appreciate what you do. Out of all the staff you are here the most and helping people. Thanks for being awesome 🙂
You're welcome. I'll relay that to everyone of the THM Staff. 🙂
John Hammond said it best: Security is a team sport. 😄
As a college student I have designed the vulnerable machine and have posted full details about it on my Linkedin https://www.linkedin.com/posts/user-neeleshpatel_vulnerable-pwn-flag-activity-6877651771695611904-RWt2. Have a look on this, it'll make my efforts smile.
I'd argue there's no shortage of people. Just a shortage of experienced people.
I see that some people have their certificates in their profile page (roles) on this server. How do you do that? (not that I have a lot...)
Ask a mod very nicely
As I'm afraid of a mod's wrath if I DM one, could you give me a CEHv11 tag, please? 😄 @undone shore I just passed this morning! First OffSec cert ever. I know some don't like CEH, but it was paid for by my old boss 🤷‍♂️
As a word of advice: I wouldn't call that an OffSec cert 
I suspect you mean offensive security as an industry rather than the company OffSec (who definitely do not certify CEH), but, uh, OffSec is a company in its own right and very likely would not want to be attributed with the meme that is CEH 😆
I've added the role though 🙂
Also, congrats!
Thank you! I know, I know... I think I want to do OSCP next! Would be awesome to win in AoC >_<
Hehe, good luck!
OSCP is fun
And a lot of work! Respect to anyone who has it already, really.
It's a good way to develop a methodology, I'll say that much for it
Say if I was confidently solving hard THM challenges - how much harder or how would the OSCP exam be different? Is it comparable?
It isn't really comparable. We can't go into details about the exam, but in terms of technical difficulty (i.e. techniques required), medium THM boxes should be about sufficient. That isn't where the difficulty of OSCP comes from though.
So am i just wasting time? Or should i at least gain this IT entry level experience for about year or two?
That's up to you, and what your career goals are. Whatever that ends up looking like, there are useful skills and knowledge you can acquire in any role. When you feel like that role has no more to teach you for where you want to be in your next 2 jobs, it's time to go.
Man you are absolutely right, after being here for a month without missing a day it's been quite the experience and even gave me an insight of where I am and how much I don't know about hardware and entry level technical problems. Maybe i should stick here for at least a year or two then transition into becoming an Incident Response or in Management in Cyber Security.... somewhere around these realms
Do you know what certs or degrees i should take in case i want to work in Cyber Sec after my 1-2 years in IT experience?
That'll be up to what's valuable for the next role you want. Sec+ is a very common cert, but it may not be a value-add for employers in your area. Check the available job market with recruiters, linkedin, and other jobs listings when you start to think about your move
Yes I think this is going to be the best route as I did see some companies wanting Sec+ among other things like OSCP and CCNA etc....Thank you juun. You are extremely helpful and a commodity to the community, may the computer gods always be in your favor 🙂
For university graduates I was wondering what certificates are good starting points?
especially for cloud, devops, and pretty much info sec
I have a big interview Monday for a Sr SysAdmin/InfoSecAnalyst! Wish me luck 🍀
Good luck you got this
Good luck!
Hi fam, I'd like to ask if THM is still looking for graphic artists?
May want to ask the staff
Hi, can anyone experienced give me advice what should i do after I gain decent knowledge in cyber security. I'm mainly using THM for learning for now. Is there something else I must do like get certifications? I'm doing B.tech in CS and will be graduating next year so I have good knowledge of programming too.
Certificates will help you get your foot inside for a job.
If you want to become a pentester, ejpt > oscp?
dont really know the exact difference.
Also, you said B.Tech. Are you in India?
yes
India still respects CEH for some reason, and it's often quite necessary
There's advice pinned for India
thanks I think I got what I wanted
Gave +1 Rep to @quick forum
looks like I will have to wait few years before I can switch to security
Any news in cyber security?
Only log4j. All log4j.
only log4j? You're missing a lot then.
poor apache getting hit with multiple baseball bats
(this is likely not the best channel to discuss general infosec topics)
true we have #infosec-general for that
do you want to be an oscp-buddy?
@fierce light hello! do you want to be oscp-buddy? 🙂
Hey guys just wondering, could we talk about GRC career paths here?
you could
I want to learn Hacking
Did my interview today. Overall I think I did pretty well. I did feel like they thought I was a bit junior and they were looking for someone who might be doing infosec a bit more, but overall I think I sold myself pretty well. We’ll find out
I hope it works out!
hi everyone, so I have a question regarding getting a masters in cybersecurity. I have a 1st degree in Computer Science and I'm finishing up a masters program in Environmental modelling. Wanted to challenge myself, hence the switch, and it has been quite a ride. Then I bumped into THM on LinkedIn and I kept wondering why I didn't think about going into cyber after my first degree. Basically finished 2 paths in less than 2 months, that's how hooked I am now. Thinking about getting a masters in cybersecurity but I was wondering if that's relevant to me. What I want basically is deeper knowledge on all things cybersecurity related besides the job opportunities, and I don't know if an academic setting will have what I want or I can just keep exploring other resources available.
the masters in cybersecurity are largely management focused for those that want to go into Cyber management but companies will want you to have experience before going into cyber management. So I wouldn't go into a masters unless you have a few years experience in cyber
A masters in cybersecurity can be beneficial and if you're not already familiar with cybersecurity, it can bring you up to a level of knowledge in several of the fields within the realm of cybersec. I'm currently completing a Postgraduate Diploma with an option to change it to a masters by doing a thesis year. The first year was heavily technical in areas like cybersec fundamentals (if you're not already familiar), hacking/pentesting (our projects involved using online resources like THM/HTB to simulate a real pentest), cryptography (very maths focused), secure programming and research (you generally get to pick any area of cybersec research that excites you). There is benefit for going into management but it's also a real eye opener to the broad application of cybersec theory to real job role scopes
An M.Sc can also price the candidate out of the entry level security positions, while also lacking the background experience necessary for more senior roles. That's not always true, but that seems to be the way many of the hiring managers I've spoken with view a grad degree without experience
interesting, thanks. I had course mates who opted for cyber after our first degree but it wasn't that popular then and i didn't really look into it. Had a pretty much narrow minded perspective about IT fields. I wonder if the changing times also made these programs more management oriented
Gave +1 Rep to @pseudo creek
yeah generally if you already have a degree, certifications are the way to break into cyber security.
they have always been management focused. Most people I know in cyber do not have a cyber degree and those that do, got it after being in cyber for a while
also something to consider, you will most likely want to not include your current masters on any resumes for cyber positions
cool, thanks a lot. I appreciate the insights
ah yes, i thought about that too
I've worked with a group of people trying to break into cyber, unfortunately lots of them come to us after having a cyber masters, they have no luck getting an entry level position, we tell them to take their cyber masters off their resume and all of a sudden get offers
but I'd remove any masters
Meanwhile there's me with sysadmin experience but no degree. (don't know how or why I ended up here) Is a degree necessary to switch into cybersec, or would getting certs to pair with my experience be enough?
Thanks so much, this is important info. you don't hear this literally anywhere
not necessarily, it also depends a lot on your country, in the US, there is some bias towards a Bachelors degree but experience can help you get over that
I'm in the US. I've got around 4-5 years of network admin/sysadmin work (currently doing), and also a few years of help desk stuff
in the US, the general recommendation if you decide not to go to the college route initially is try to use tuition assistance programs to get a Bachelors because of the strong bias
but other people have successful careers without so...
Agree with Zojja on the degree front. If you have any experience with applying STIGs or other hardening guidelines, that's a big experience to list when making the jump to security
yeah if you do network/system admin, emphasize any security experience. I started as a network admin so I focused on the various network security aspects/involvement in investigations
Will do, I've got a bit that I can emphasize. The reason I'm in charge is because I found out the last guys were putting RDP ports on the open fucking internet
That was a fun month
It's a multi-state company too kekw
I would throw that into a category of 'resolved findings while working with internal groups to reduce public facing threat landscape'
Thanks dude !
Gave +1 Rep to @vivid flume
Is Bachelors in cs with focus on infosec better or just cybersecurity
CompSci prepares you for a much broader career, overall
If you get a degree in CyberSec, it doesn't really translate well to roles that aren't security
So if I want a career in infosec, will these two degrees be considered similar
Here's me wondering how someone gets to become Head of Application Security without knowing how to use Kali Linux??? Logic???
I'm using Parrot OS - damn - denied :))
Application security != pentesting.
Because why would you need Kali?
Fun fact: until recently 0day hated using Linux and rarely ever used Kali. He went, what, almost 20 years (including getting and holding Number 1) mainly just using Windows 🤷‍♂️
Don't look down on people for their choice of operating system. They may well still be better than you
Was he using virtual machines or wsl ?
Or installing tools on Windows, which I didn't know was possible (tools like nmap support it, but idk the rest)
don't think wsl was there 10 20 years ago
Ahhh lol yes
thanks for pointing out
maybe he used his custom tools and programming like using sql queries instead of automating with sqlmap
Said person also mentioned they do pentesting
They just need Burp Suite for testing, sure, but it still baffles me. There's also the fact that said person mentions they do pentesting.
Most tools work on Windows, and you don't need that many to do most real tasks anyway
Webapp / mobile pentesting just needs Burp Suite. Infrastructure pentesting is usually AD, and there's nothing better to attack Windows with than Windows.
Genuinely, when I do infra/internal pentests, I nearly always use two VMs: one Windows, one Kali. Once moving past reconnaissance, I rarely use the Kali box
Kali is useful for poisoning / relaying / hosting attack infra / and using exploits that rely on Impacket.
Any kind of "normal" AD interaction (e.g. exploiting misconfigurations) tends to be easier from Windows.
Nice insights, Muiri! So you do pentests for a living?


