#cyber-and-careers
Yeah ik I've had some experience on vulnerable websites
Like OWASP juice shop
You can solve vulnerable challenges very easily
But I'm not sure how worth it it is to learn as they are only backend languages and I'm not exactly a web developer
Try sticking that on hard mode 
Exactly
I did the easy and intermediate
But DVWA is good too
Idk I just had fun learning it and getting an intro
The burpsuite certification is WAY too long
Just thank you so much for making project like this free to people to me
I don't even have a credit card and I'm just learning stuff online and I love computers so people like you are truly a miracle to make courses like these for free
Don't get too excited -- I was paid to do it, and only the first two rooms in it are free
That said, ping me tomorrow and I might be able to arrange a sub voucher if you don't have one already 🙂
I swear when I get a well paying job in coding I'm gonna come back and help the other people here
I'd work for free to make rooms
Also yes please if you could do that thank you so much!!!
Do you work for tryhackme?
A lot of the rooms on the site are community built, which is what usually happens. People just build them because they want to, which is awesome.
THM also has an internal staff team (the people with the THM Staff role) -- a lot of them are in house content devs who get paid a salary to make rooms.
I'm the last of the old system -- I work on commission. So no, I'm not technically a TryHackMe employee because I didn't want another full-time job alongside university and my pentesting work, but I still get given work to do, and get paid for it
I just get paid on a per job basis rather than a salary
Ahh I see
Yea the community doing that is amazing
The education is great for people like me
I'm so far behind in my IT career. I have certs but you guys are so far ahead of me.
Most walkthrough rooms are commissioned or internally developed, most challenges (including all bar one or two of mine) are community developed
Even if it's not for jobs I still learn stuff
My biggest fear is ending up with a lot of certs and not having a good job
Everyone has this fear of being unemployed
same with me, don't know what's gonna happen anyways
Yea same here
An interesting story was that an early hacker in 1986 hacked the NSA from his home in Maryland. As you said earlier, he had just learned programming and wrote code to exploit a server. But I still don't understand how he did this in the 1980s, as the internet wasn't really available for the common person at the time. I know that the military had made ARPANET but this wasn't publicly available
Don't worry guys. Let's be passionate about what we are doing. Keep working hard and things will fall our way. After having 9 years of career in designing ERP solutions, my passion for cybersecurity has got me started in this field. I am sure we will make our mark.
ufff ERP solutions....that gives me the shivers. Massive respect for you. I can't imagine the integrations you had to deal with....
Honestly I haven't had any experience in another job. I'm getting my first job this summer but it's unrelated. But I've had a passion for computers and technology since I learned about them in like 2020
when you are passionate about something you will get it no matter the odds
Hi guys, in the next months I'd like to get the CompTIA Sec+ certification, really I don't know where to start though. Are there like preparation classes before taking the exam? I saw a lot of bundles to choose from and they're kinda misleading me
Buy a book that's an official study guide from Amazon. Mike Chapple is good.
Good morning all. Would someone, preferably who has hiring experience, take a look at and critique my Resume? I would be very appreciative.
You can post it in here to get multiple eyes on it. Make sure your personal information is removed though.
I used Professor Messer on YouTube, part of Get Certified Get Ahead, and Dion's quizzes in order to prepare for Sec+
Dion's labs were quite useful for me. Doing some 15 min stuff to see how the theory worked went a long way towards helping me remember it.
Over at Cyber Jobs Hunting server, they have a section for that and they are really good at it. You can DM me for the invite if you wish.
Fanatics is searching for a Security Operations Analyst intern to join our Information Security team. Information Security team members are given a great deal of autonomy in the pursuit of keeping Fanatics secure and a successful candidate will demonstrate a strong work ethic, superior communication skills, and is expected to be comfortable and ...
Thank you so much!
Gave +1 Rep to @stoic cave
Just another question, how long does it generally take to be able to take the exam? I have to coordinate it all with other exams
I procrastinated a ton but when it came down to solid study time probably a week and a half. Not recommended though because my degree is a BS in Computer Security and Information Assurance which covered most of the material on the exam
You're looking at about 1-6 months of studying depending on how much you know already
Let's say that I'm self-taught at the moment, so even if I know something it's not bad at all to do a review. I have another exam in June that will take me around two months to prepare for. For this reason I have to manage my studying properly
How hard is it to get Public Trust Clearance minimum of a Tier 3 investigation for a role?
I got offered a position and they want me to get it
I think it's just a background check for criminal history and credit history? I could be wrong though on the tier
I didn't know credit history could affect what jobs you get too
Depends on the job but yes. I was denied a credit union position a few years ago because my credit wasn't good enough.
@stable walrus just go for it and see what happens if you want the position. If you don't have a criminal history and you don't have like a 300 credit score, it can't hurt to just submit
Are they telling you to get it on your own? In most cases an organization has to sponsor you for a clearance
It just says US Citizen with active ADP IT-II Public Trust Clearance based with the minimum of a Tier 3 investigation. Federal Government requirement.
But public trust is more than likely a background check with a few added checks like credit. This article should provide answers to any questions you may have.
https://news.clearancejobs.com/2020/09/01/what-is-a-public-trust-position/
Thanks I'll ask the recruiter for further info
If they are telling you that you have to get the clearance yourself, not sure they are, that's not right
I've never heard of a company telling someone to get it on their own. That would be crazy!
Nobody would have a clearance
Exactly 😂
It would be cost prohibitive beyond belief
I'm guessing it's just a clearance specification saying "hey just to let you know we're going to submit this bci check before you can start" kinda deal
Afaik a Secret is $100k+
It's going to be a bunch of paperwork and they are more than likely letting you know before you commit. More of a warning before they dig
Public Trust is really easy to get. Just be honest and have the last 10 years of your life on record.
And be absolutely honest about it.
This
Even if you think it's bad, don't lie
The "bad" thing itself isn't likely to get you kicked. It's the lying that will get you booted
Also, if they find out you lied after being granted the clearance, expect it to get yoinked at the minimum
Criminal charges usually follow. IIRC perjury can be brought against any "white lies" on the forms.
Aren't polygraphs essentially entirely discredited now?
See that is crazy to me.. I never agreed with poly tests. They're too inconsistent as a person's mood isn't going to stay baseline through the whole test etc
Personally, I've never had to take one so my opinion's just from hearsay though
Not legally admissible, but still used in many USG background checks. Especially those that have to run through the FBI and higher clearances through OPM.
I mean my gov just do interviews of you and close friends and family for higher levels of clearance
USG still does those too
AFAIK it's mostly Secret and higher - I've never heard of Public Trust clearances having a lifestyle/poly check done
Can confirm that PT will do family and friend in-person interviews
I thought Secret for 3 letters needed it?
They usually just bump you to a TS
Afaik
I don't think I've seen a 3 letter that's doing secret only for any technical work
Maybe for cleaners and those types of jobs ? But they are always escorted
Fair
9 times out of 10 if you require a poly, you also require a TS/SCI
I'd agree
This popped up on Dark Reading the other day... interesting insight but is it too early to start lowering the standard for cybersec people, just because of the number of jobs? Especially when these jobs do really need highly skilled people who need to be better-versed than highly skilled professionals in other areas of computing? Especially at a time when hiring organisations either don't seem to understand the levels of qualification needed or the knowledge base for those recruits...
True, not everyone needs a Degree or a Masters, and most don't even need a CISSP but they should really understand their environments as well as a reasonably skilled network or systems engineer, if not moreso...
aye it worked, they moved my application to the other position
And I don't have to go through the video interview again
I think it's a tough question that needs a very intricate and nuanced response. My two cents is that I don't agree with necessarily lowering the bar because that lowers security posture in some ways. I think looking into possible manpower multipliers would be a great idea along with, possibly, shaking up the SysAd role a bit. Bringing up the regular workforce in better cyber hygiene would be a boon as well. Just some quick thoughts honestly
Yeah the article might also be a little bit biased, since it's written by the CISO of JupiterOne, a company who aims to reduce the cost of securing your cloud environments, so he might be trying to game the employment market to reduce salaries for talented cybersec people, thus reducing cost...
exactly. We should recruit people who actually know cyber stuff. It doesn't matter where they learned it but if they learned it they should get it
rather than making someone get a degree
or a certification
which sometimes doesn't help
And how, exactly, do you intend to filter through applicants?
Job entry requirements exist to remove perceived low-hanging fruit so that recruiters aren't inundated with thousands of applications. Asking for a degree or certifications increases the likelihood that the applicants are suited to the role.
a test
like google does interviews
and it's not like you can't judge a few certifications
If you meet a recruiter and develop a rapport with them, you may find that they are more than willing to bypass those requirements for you if they know you know what you're doing
but I think hands on projects are a great way to test knowledge
yes except not paying like $10k
for the course
Why would they bother running their own tests (at whatever great cost to them it is), when they can use other peoples' recognised and respected tests for it?
Usually companies do both.
Also that ^^
So you check the boxes for HR? Come in / VPN in and complete our CTF
When employers are only looking at each resume for a few seconds. If you have no certs, degree, or experience they aren't going to look at your online portfolio etc.
Also, I can't think of any non-SANS certs that are more than a couple of thousand 😆
Designing a test for your applicants is work too though, it's CTF dev with a slightly different focus
no what I'm saying is it would benefit companies to work with major certification companies like OffSec or EC-Council
to create cheaper tests
and for someone like me $1000 is a lot
Recruiters are some of the most overworked people you're likely to meet. They absolutely do not have time to spend on candidates who don't remotely meet their requirements
They do.
A lot of companies use THM / HTB to do that for them
I'd imagine Offsec Proving Grounds have that available too
Companies will often pay for your certifications once you start working too
Uh. That's not how the business of certs works. Most of the 'valuable' certs are priced that way so that companies will pay for them not individuals
$1k is a lot but it's an investment
See SANS for examples
IIRC the CompTIA certs are a lot cheaper too
Yes, exactly.
Some of the most respected certs in the business, but if you pay for them yourself you're a muppet
If you lack experience, certs, or degree you need to make that resume look appealing and hope an employer gives a second glance.. That's the problem with today's world. Way more applicants than positions. They simply don't have the time to look into every single application/resume.
Nah, cyber has a jobs surplus just now
CompTIA are designed for entry levels, the more valuable certs are designed and priced that way to enable business function, not to let people get jobs
Also, fwiw there are companies hiring people with skills rather than degrees and certs. They're rare but they're out there. @sharp rain
(Although bear in mind they tend to be looking for a little more than Eternal Blue with metasploit)
Do they though? At least in my area there's nothing on the job boards anywhere near me that I've seen. The recruiter that got me my recent position said they are lacking in the cyber positions while there's plenty of dev positions open
The pool of people interested in, say, GPEN is much smaller than the pool of people interested in OSCP - since the pool is smaller, more has to be charged to keep the course useful and valuable.
In the US, there are 10x more openings than qualified applicants specifically for cyber.
Industry wide? Definitely, yes.
Cyber specialists are very much in demand
Most of the cyber openings are not entry level
Maybe it's just my area. I am in the middle of nowhere where I have to travel 30-60 minutes to get groceries 🤣
I currently work almost 2 hours away (mostly remote) just because there's no IT jobs around besides help desk and repair shops.
Across the board, I see devops/devsecops as a way for companies to reduce entry level requirements further, while at the same time accidentally deepening tech debt.
lmaao you reminded me I got asked 4 times if I spoke English at my first job
(I sent a transcript of the CAE - C1 cert)
wowow how's that? never thought about it that way
Right. IT jobs aren't really common until an area hits a density of businesses. Mom and Pop gas'n'grocery isn't going to need the same IT positions as, say, Kroger
Here's some food for thought: How much expertise is needed to develop a fully featured CI/CD pipeline vs maintenance? What happens in 10 years when the entire tech stack is being replaced with the next big thing?
10 years? You're optimistic 
I've seen systems that are 30 and still in prod
Literally 1.5 times my age
Isn't the second question independent of DevOps? Or you mean it (DevOps) makes it even worse?
Ya I fully expect to have to move in the next year or 2. I've skated by the last 2 years just getting experience and finding where I want to go. I've landed on this position about 2 hours away and so far I'm loving it. I'll probably move closer late next year.
System replacement always depends on business, reqs of course.
CI/CD and devops are basically synonymous.

Independent of CI/CD - DevOps then?
like, the same could have been said back in the 80's with the AS400s
right?
We still have an AS/400 in the office
lol um ya... 2 jobs ago I worked at a tire warehouse with their own "throw together IT department" AS-400's everywhere xDDDDD
I should clarify.
It's not in use. It's for fun. I've not seen it powered on.
When the next iteration of systems happens, there will be even fewer actual experts to put those systems in place
I mean....let me put it another way: Replace CI/CD with what was being used before it became a thing. Are your 2 questions still valid?
ohhhh now I get it
Yeah I can see that happening
IT is going to get uglier down the road
I was going to say that it could be extremely beneficial just to have one for lab purposes since it's still being used in big enterprises
the monsters created to work around them could have their own nat geo docu
Yea this summer I got a job so I can save for the CEH certification
I know it's outdated but it's great for government jobs and the company I want to work for likes to see it very much
I think they even require it
Garbo. CEH isn't even a good test. Everyone I know that's taken it said it's full of spelling and grammar issues and has irrelevant questions on it.
ECC themselves just kinda suck.
I'd set your sights beyond what just one company likes
CEH has been relegated to a specific CSSP category. You are much better off getting Sec+ as it covers IAT II
for DOD 8570
DoD has CEH as a baseline certification for all three levels so it looks pretty good
you're more likely to get in on the IAT certs. Once you're in, you'll be able to have the government pay for your CSSP certs
So get sec+?
yes
Right now I'm focusing on learning the stuff more rather than certifications
its cheaper and will open the door for you
PenTest+ is also an accepted cert now for every level that CEH is.
Except for Infrastructure Support, which accepts CySA+
I would rather take CySA+ and PenTest+ again than take CEH once. Probably cheaper, too.
Honestly probably is
That being said, I don't think I've seen anyone direct hired onto a job that requires a CSSP level unless they have prior experience
Which is why I'm suggesting that Security+ for IAT II would be better. Doesn't mean that it doesn't happen though
How hard is the OSCP?
Can you study within a few weeks if you have minimal knowledge?
Probably not
Unlike all of the other certs usually discussed, OSCP is a lab and requires a lot of practical knowledge.
That's a good way to set yourself up for failure
And, they don't let you use automated exploits. Which eliminates the skiddy applicants.
Do some of the Practice boxes without a walk-through. I think they'd make decent practice.
Or check out HTB
People have said here before that if you can do a medium THM box without assistance you may be ready
From a technical standpoint, yes
From a methodology standpoint, unlikely
one of us! 
Labs
Yes I don't think OSCP is realistic since you can't really do automated scripts
Like in real life I think you can use whatever necessary tools you want
Correct me if I'm wrong
It serves its purpose: to verify applicants have the foundational knowledge, methodology, and experience. Despite its relative difficulty, it's OffSec's entry-level cert.
You can, but there are a lot of people around who can use a tool without knowing what it does
OSCP proves that you actually know what you're doing and how things work.
It goes back to what we were discussing the other night about the differences between a hacker and someone who can run tools at a target.
I can run tools all day long 
That's all you need to do in many jobs. Absolutely nothing wrong with it either 🤷♂️
Imagine your job is just running nessus scans and shit. xD
Everyone has to start somewhere I guess
Sounds accurate to some of the DoD cyber guys I work with
Who I actually just joined last week. Transitioned from net admin to cyber analyst.
yeah DOD cyber is a lot of scans lol
STIGs. Spreadsheets. Policy updating. It's fuuuuuun
You forgot POA&Ms
real quick, I was talking to a recruiter 5ish months ago and we left off with her setting a calendar notification for 6 months from that point. I realized I did my math wrong and should probably start the conversation now otherwise I'm going to run into my lease. Do I shoot her a message?
Forgot GATs too
I'm putting together my raspberry pi
CVTs
yikes maybe not that emote lol

I sympathize with the emote, but definitely extreme
Don't laugh, I know people in senior technical positions who do that for a fair amount of cash 😆
Yeah, I'd laugh all the way to the bank if people tried to come at you for that lol
Vulnerability analysis and compliance. Big bucks, even without actual pentesting 🤷♂️
especially if you set up an S corp or an LLC and do it on a contract basis
Know a guy doing GRC remotely and pulling in $400k
That's basically his day-to-day. He said it's the easiest work he's ever done.
No worries for him since he does it at home. Spends as much time gaming as he does "working"
Dude has about 40 certs and has been in the field over 2 decades. Finally hit that sweet spot I guess.
YESSSSS guys I got Kali Linux installed on my Raspberry Pi!!!!!!
I can't wait to see what I can do with my Raspberry Pi
Grats!
HNC/HND are very vocational where things like undergrads are very academic
not to say you can't swap on over -- you totally can
The best thing I did with my pi before it died was making a piano from banana peels.
but there's reasons why you take a vocational route & a direct academic route
If I could, I absolutely loved my level 3 apprenticeship and I’d do that up to level 5
Yeah. I just don't know if a degree is all that worth it without experience
There is value in both paths, and there is even more value in working through both
It’s very different to going a purely academic route such as skipping to 2nd year with a level 4 equiv
In my case, a degree definitely was. A degree is a shortcut to management or to a career, especially if you lack the social network to make the connections for those jobs/roles/career paths.
If I’m honest, I have two/three years experience and that is what I’ve been questioned on in interviews over my degree
Ofc the degree plays a part in getting through the door, but when push comes to shove — I’ve always been asked on experience and the sorts
I think vocational are absolutely fantastic
Which college are you at?
One of the most common advice lectures i give to my friends who want to get into IT, is that ideally theory and practical should be blended
Edinburgh
You can definitely get a job in today's climate with just a degree but expect to be working your way up. Degrees give a false sense of reality that you’ll be in management straight away from a degree alone
Experience is what is the deciding factor I’ve found personally in job interviews etc
Not doing anything practical and not having a lab isn't a detriment, exactly, but the lab becomes a huge talking point in the interview. Having a homelab even if it's just a couple of VMs is a huge standout for someone without experience
I'm doing HNC Cyber Security and Ethical Hacking in Ayrshire.
Yes very what Juan said
Agree with that. Degree is a faster track to management, but not immediate management.
You can do HNC or HND either full or part-time which can help if you need a job for rent etc.
HNC is 1 year full time / 2 years part-time.
HND is two years full time / three or four years part-time.
Ahh. Near from where I used to live lol
Did you move for college?
Yeah, see I know many people who have degrees and they know nothing about networking and pen-testing etc.
To be totally honest, when I think of things like this I totally look at tradies
Yeah, I've applied for Napier 2nd year
Nice.
Plumbers, electricians, earn so much and are in such demand from just pure hands-on practical experience
Formal qualifications are just a plus
I thought about a job after HNC at first, but then I thought I can go further in my education.
Have you done CCNA?
THM is a good medium to learn some practical stuff.
Obvs what you can do with a cyber sec degree is different to that but still, gotta climb the ranks
Yee, this is what happens when you go too far into "everyone needs a degree"
It’s not instant success
Not yet, I'm working on it soon.
You don't know what you're talking about. A very popular elective for computer science is networking and security.
If you're around Cheltenham or can move to study here Gloucestershire College (next to GCHQ) has a new cyber sec building, it's pretty sweet. They have a lab dedicated to CTFs and the top floor is full of companies that are involved in the sector.
Edinburgh is getting a Cyber Centre,
As is Dundee, from my understanding.
CS grads may not be up to the level of CCNA or Net+, but they certainly know enough to understand how networking policy fits into organizational policy and strategy.
Isn’t that run by or at least founded by the uni there Fenris? I remember just as I was leaving they were the big name in innovating that environment
Although Muiri said Dundee is pretty much concrete, so that one is certain.
Dundee is great
LMAO
Whenever y'all say Dundee I think Crocodile Dundee 
And a CS degree teaches a lot more of the underlying theory of networks. I would wager that almost all CCNA holders can't explain how OSPF works, but every CS undergrad can understand and explain the algorithm.
I think my plan will be, do "BEng (Hons) Cyber Security & Forensics" then get fully CISCO qualified
BEng for cyber sec and forensics? That’s really interesting
Depends what CCNA
I mean it's still STEM but it's not BSc
There is only one CCNA cert.
^
Really curious to see how they justify it as eng and not a direct bsc
I’m not trying to be rude or obnoxious either btw (:
Yeah UWE uses it quite a bit. Went to an open day for business owners (actual business owners weren't interested) and got to spend some time teaching people how THM works lol.
It's actually a really cool extension of Gloscol.
Ah. So what the hell is CCNA 1,2,3?
I’m generally interested
Are you talking about the modules that comprise the certification?
I thought I read ages ago that CCNA is becoming CCNP?
This is the only CCNA that I know of: https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna.html
Yes very! Tbh anything that makes more use of the fact the uni are partnered with GCHQ
wait so if some companies like tryhackme and HTB then is it a good idea for me to get a subscription so I can get a certification
They're very very different
You are totally correct, I understand.
Use it as talking points, I wouldn’t use the certificates as proof of knowledge itself to be totally honest
Small or large margin?
Big difference between certifications and certificates. One is a proctored exam, the other is a checklist of stuff you may or may not have done
THM/HTB teach you skills. You apply those skills in a job context, talk about them in an interview, or apply them in certifications
THM Certs are good to show an interest to learn.
CCNA Cloud, CCNA CyberOps, CCNA Data Center, CCNA R&S, CCNA Security, CCNA Wireless 🥳
like to show you also have an understanding of other stuff as well
a mix seems pretty good
like knowing 3 different things
I don't think I've ever seen so many staff and mods talking about a subject without someone getting into trouble.
They consolidated all of CCNA into CCNA 200-301 last year. It's just one cert now. They moved some of the extraneous topics into various CCNP tracks.
we don't just lay down the law 😎
Thanks Tim. High level, do all of those have the regular CCNA as a pre-req, or are they considered parallel certs?
Gave +1 Rep to @distant pier
I love talking to people here
@quasi stream you still trying to come up to Securi-Tay?
Ah! I think that's what I read.
wow so many messages
Also, is the guy in our Twitter DMs from UWE one of yours?
Main take away was that there are teams of uni students prepared to take on pen testing projects spanning 6 months to a year that you can call upon, small projects or large they're down for it. The one they mentioned was pen testing for the DoD for six months lol.
I hope that I never come across as someone who's just there to get people into trouble
Is this another minute break?
Those don't exist anymore. They're still recognized as valid certs until they expire, but it's just CCNA now.
I'm v passionate about helping people out and giving my two cents on what I've experienced
Aye 😆
That's why DefCon has had an official Goon Squad
uh no idea? LMAO
Professor Phil Legg?
2 in one night? you're REALLY treating yourself.
, so ,yes
We need to get his tickets allocated for him
And I need to get the damn VP to actually... reply to him 😆
maybe but I really don't think I can afford the time. I kinda screwed Phil over a little bit because of personal/academic reasons/constraints so I don't think he's too happy with me
I had a good chat with Phil about how he's teaching his students how to use Pwnagochis lmao!
lmao, I'll message him -- I'm still v interested but yeah I'm very struggling to keep up with the course let alone extra-curricular stuff so
Muiri can help you.
Phil is fantastic
I think they're separate, or used to be. I have not looked at what entails CCNA 200-301, which might be the latest and greatest.
😄
We still need to put a hold on them in Eventbrite and it's being a pain, so don't be too optimistic
i've never met a course leader who is more invested in their students
aight well
I know he's v keen is all
and I'll pay to go to the con myself
The opposite of my lecturer, who taught us nothing last year.
UWE's on big tings Muiri
Mine is pretty good as well, made me aware of HTB and THM
Right. Back to report
I've genuinely never been able to talk to a course leader (who is in charge of 4 cohorts) and be treated like an individual rather than a student on a course
other than phil so
makes all the difference imho
Oh, our course leader is the same
He's great for that
He never treats anyone like a colleague or a student 
It's all informal with him
and your first/second pint is on me
Hhmm....
March? I see I see
4th.
He was great fun to talk to for the short time we had. Seeing as I was the only one on the 2 day course that knew anything about security.
He was pretty interested in the key-logging and duckyscript abilities of Nethunter when I gave him a short demo. 😊
Muiri, is Clarks 24 hour bakery still open? If you know?
Muiri loves me he'll get me in no problemo
Not a clue 
Nether inn > Fat Sams > Casino > 24hr bakery for a pie.
CLCOR, DCCOR, ENCOR, and SCOR. More CORS than a web pentest lab. They have combined CCNP with CCIE. Just to keep it more complicated. 😂
You missed HODOR.
And HODOR.
Yeah I've been "studying" for ENCOR for a year now. There's literal dozens of secondary exams too, based on the path. 6 just for the ENCOR path I think.
Is that a private / invite only event? I'm sure my company would pay for the trip up.
I don't think it's private.
Mo' Money for them.
I think there is a second batch of tickets to be released.
Dinner time. 👋
Yeah, I tried to buy the first drop, sold out in minutes.
Ask @Muiri nicely he might let you know when the next batch is released.
If you have a link to their website I'd be appreciative. Worth putting forward at least.
Cheers
I am on the waiting list apparently.
Ah! I see.
Hey guys, I have an interview for a cyber security consultant position. Should I wear a suit for the interview? Is a suit still looked at as being important or does it have less importance since it's tech? Idk, need help
Suit. You don't have a second chance of a first impression 😩
It's not my first time meeting with them tbf -- it's one of those multiple interviews kinda thing lol
Better to be overdressed vs underdressed
True
from my experience they'd tell you the working culture / expectations on dress code for interview i.e. if you don't need a suit, but even for cultures where "smart casual" or something along those lines, I've always gone in a suit for
not a three piece sure but defo shirt, tie sorta gig
can't really go wrong with that as it's pretty standard for job interviews and I feel you'd get noticed more (for the wrong reasons) for underdressing than overdressing
Yeah, it's always "oh its great you're wearing a suit. We're much more relaxed here"
exactly this! (:
Thank you guys, the advice is much appreciated 
All the best Dvrk
rooting for you (:
literally just dress smartly (that doesn't mean money!) and show your potential
you've got this
Ah lmao. What did you wear the first few times?
They were online, so just a shirt and no pants kinda gig

As a consultant, your job is to project the image of expertise to the client. Be erudite, approachable and knowledgeable. Presenting and projecting trust, knowledge and personability during your interview is to your benefit
So yay or nay on messaging the recruiter before she messages me back?
As long as you're not blowing their inbox up, I don't see a problem reaching back out. Could open up with something like "Hey I wanted to reach out and see if you were open to changing the timeline." Or something like that.
Give it a week
Yeah, I haven't messaged them since I last opened up the line of conversation. I'd like to work at this employer but I don't want to seem needy. It's just I messed up on the expected timeline
This isn't the same person as earlier if thats what you mean, from DMs
I last messaged them in September
Not what I meant - i would wait a week from the last message you sent to any recruiter, unless it requires immediate attention
Had to check
chad move.
Right, so I'm all set. I said six months in our initial conversation but just realized now that it would put me after my re-up for my lease
We last talked in September, which is more than a week
I hate that I have to notify my apartment two months in advance that I'm leaving
Figure that's normal though
That's in my rental contract too
Check local laws to see if they are required to give an inspection report of defects you can fix before they just hit your deposit
Virginia is definitely a landlord state
I'm allowed to be present for the inspection
I think at this point they know I'm not going to just take what they give either
There's been multiple cases where they've tried to wrongfully charge me and I've called them out on it
Could be worse.. I don't have to give notice in the first year (2 weeks required after the first year) and let's say I leave 6 months into my contract I'm still required to pay the next 6 months of rent on a 1 year lease. After the year's up it's a month by month basis
My end career goal is to work somewhere in the cybersecurity space, I'm graduating with a degree in CS in May. My 2 current options are work a pretty good paying job as a system administrator within healthcare tech, not directly in a hospital. Or attend Heinz college at CMU masters in information security policy and management. What would you do and why?
Is the Systems Administrator job 100% secured? If so, the job. Getting your masters too early in your career prices you out of what most companies are willing to pay for entry. This early you're going to want the professional experience over anything else really
I defo agree ^ unless you have a very specific route in mind to make use of your masters, the experience you can get (and progress from) at your current level will be the most beneficial
I say this as someone doing a masters with no specific job/end goal
you also have multiple years of industry experience before you went to uni
Hey guys I have a Raspberry Pi and it's all set up but I can't connect it to wifi to run my tools and stuff. My laptop has wifi but I want to share my laptop's wifi with my Raspberry Pi. I have an Ethernet cable but that didn't work either. Does anybody know of a solution to this? I code in my bedroom so I can't connect it to my wifi router which is downstairs and Google didn't help me much either
I was wondering since maybe some of you have used the Raspberry Pi?
Is it not WiFi enabled?
What model is it?
Also, #infosec-general to respond please :)
It's model 4
And wifi is enabled but my laptop has the connection
But my Raspberry Pi can't connect to the wifi
I can see other networks tho so it's on
But it's probably just a weak connection since my family has one router and it's downstairs
But is there another way I can use an Ethernet cable
What due diligence do you do against a company that offered you a position?
As in a signed offer letter? You don't do anything against them. You should have already done some research into the company to see if you think they would be a fit. You should have gotten a benefits package before or with the offer and you need to decide if it's right for you.
I mean during the job hunt, and or if they reach out to you for a position before sending an offer letter
So they want you to apply is what you are saying.
Yeah
Same stuff then. If they give you an interview make sure to ask questions. Especially questions that may make the interviewer think a little bit. Look into the company, see if you think you'd be a fit.
It's very much a personal decision
Discord is so much better than Reddit. If you were to ask that question on there you would get ridiculed in my experience. People on here seem just more genuine
This discord has the specific purpose of education. I'm sure there are other discords that would do that but 
Hey guys, 0 IT experience just SAAS sales experience in a way different industry lol. Recently got my security + and cysa+ is this enough to get a SOC analyst job ?
Where do I apply 
Heard similar tell about CHECK certified pentests for UK companies.
At very reasonable contracting day rates.
Reminds me of when people did PAT testing and made a killing (electricians)
I found this on LinkedIn
https://www.cyberseek.org/pathway.html something similar.
Top row is similar to the 5 pillars link I’ve shared before
Would you recommend me to take the CompTIA sec+ SY0-501 or the SY0-601?
Take the 601 as it's the latest version, unless you've already trained for or paid for the 501
Hi everyone, currently I'm a university student and I kinda like researching. So, I wonder what kinds of work a cyber security researcher often does?
Wouldn't a researcher fall on a blue team? someone correct me if I'm wrong
Because I think that whether we are a researcher or a pentester, we still have to do researching so I don't see the differences between these jobs
hmmmm
I'm a strong advocate of adding standard deviation every time "average" is mentioned for this reason
Or location...
A researcher may do things like research exploits in general, a pentester has a specific timeframe to work on a specific environment/system/set of systems... Generally, pentesters are not finding unpublished 0 days, a researcher may
So think of a pentester as a well defined scope, looking for generally known issues and reporting on them or looking for misconfigurations
And separating mean average from median average
Agree with Zojja. Researchers get a lab and much more time to spend on a single thing. Pentesters usually have a scope, timeframe, and allowable risk. They aren't looking for novel vulnerabilities, they are looking for misconfiguration and known-vulnerable exploit points.
Uh, I looked deeper into these, and they don't really make any sense. If you'd trust these figures, advancing on your career would have practically no effect to your salary.
bit late, but the 501 is already retired, at least the english one. so if you don't do it in japanese, portuguese or chinese until end of march, the 601 is your only option. it's basically the 501 with more stuff added, e.g. cloud. didn't find it harder to study for, it's just more stuff to learn. professor messer has some good videos on it
Thank you, in fact I'm already watching his videos and maybe buy a book, but I was already going toward 601. Tho, I didn't understand yet how the exam is structured. Since I'm already asking, do you know where I can get some decent practice tests?
technically you can get everything from comptia directly in their bundles. they have some official partners, like prof. messer and a couple others and some courses on udemy that include practice exams. wouldn't recommend going for "brain-dumps", since they are explicitly prohibited by comptia. in the end, it's up to you (or your employer) if you want to pay for a bundle or one of the other official options
I used the Dion Practice Tests for 501
of course i wouldn't, i would just like to train once in a while after studying a chapter, as i never took an exam like this before
They were fairly similar to the actual test format and I thought were harder than the actual test questions
Thank you @stoic cave @vocal heart, i'll look up for something like that
Gave +1 Rep to @stoic cave
It can easily be an issue of sampling. Unfortunately we don't know the site gets their data. (Although it was funny to see that 😛 )
even I'm thinking about starting my preparation for sec+, thanks for the info guys. @vocal heart @stoic cave
Gave +1 Rep to @vocal heart
All these openings and I can’t get a job
Is your resume updated? Are you displaying your skills in a way that's easy to follow? Do you have the necessary qualifications, ie Degree if it's in the requirements section, technical knowledge that's required/preferred, etc. Job hunting in itself is a full time job. I applied to probably 70 places before I got an interview and then 100 before I got a signed offer sheet.
Then of course once I accepted the offer a bunch of companies started to call me back.
Just got word I won’t get hired at my internship. Does anybody know any entry level SOC analyst positions that I can apply to? Or know anybody I can talk to?
Location?
It is definitely a numbers game. All my stuff is up to date . Have gotten a couple interviews.. only to get to round 2 and rejected.
Did you ask for feedback?
Atlanta, GA
Still in school?
No
The thing is I’m trying to break into Cybersecurity . I have six years working in IT/helpdesk and what some of these people are looking for someone who’s a little bit more advanced so that’s kind of a hurdle for me I’m trying to level up my skills by doing THM and other resources.
Certifications?
While on IT support/Helpdesk did you do any scripting/automation? Involved in technical writing and documentation? ITIL standards?
Knowledge, especially provable knowledge will help.
Don't be afraid to stretch your experience and qualifications. As long as you can speak semi-intelligently to any experience you claim to have (like, a couple hours' worth of Googling and reading), you'll get through most interviews.
Sec+, CySa. CCNA. I’ve gotten to the point where I’m comfortable speaking in an interview and making more of a discussion, which is better. I guess I just need someone to give me a shot
It's cliched, but a huge part of it is who you know. I've had some success messaging people on LinkedIn that post about jobs and opportunities, or that work with companies I was looking at. Also in other cyber security Discord servers.
Stupid question but instead of just applying to random companies aimlessly. What research are you supposed to do to tell if the company's right for you. Is this just an individual thing? (PTO, Vacation time...etc)
Stuff like that you usually won't know until you talk to a recruiter/HR. GlassDoor may give some insight, but companies are known to artificially inflate their ratings on there.
It's more sales related but applies regardless. Whatever company you apply for add other similar position people at that job and just chat with them and hope they give you a referral.
In any field relationship building is more important than what you know.
Yea, sometimes it’s who you know and not what you know
A large percentage of the time
Anyone know of any remote Help Desk positions hiring at this time
LinkedIn and Indeed are your friend.
Yeah I know I've been looking on there. Was asking personally
Ah. Sorry, not I.
Hey y'all. I recently graduated with a degree in Computer Science, I have a keen interest in cyber and just recently started learning more, although I'm not sure where I'd want to start a solid career. would it be more advisable to start doing software development, then connect from there? I know as most industries, it's moreso of who you know so maybe that could help me more
Most people cut their teeth on helpdesk roles starting out in IT. If you could start in software dev, you'd probably have an easier time, though it would probably be harder to transition into cyber from there. Especially at a comparable pay.
Yeah, Software increases salary at a pretty fast pace. IT may be a better place to start though in order to be more cyber adjacent. I'd look around on LinkedIn and Indeed and see what jobs you can find that are requiring a comp Sci degree. It's harder but not impossible to break into cyber off the bat
"Entry-level" roles still require a year+ of experience. Pretty wack
I mean cyber isn't entry per se so it kinda makes sense. Entry for the occupation requires some level of experience
Yeah I've heard that going through some time in IT is pretty necessary, albeit still rough. I'm not expecting to get the same pay starting off the bat, but at the same time settling for extremely low isn't my goal either.
do you not have a job right now?
nope - recent graduate in CS, I think it's been about 3 weeks since graduation ? not sure I just keep learning and don't really mind the time I put in
oh you really need to be putting in applications ASAP... get a job, (almost) any job
work experience will be your best bet, look at IT help desk, software dev, dev ops, etc
you should've been applying 6 months ago
I went the help desk and developer route. I can recommend. Getting that initial experience to move up is key! I got the help desk job because of my degree then got the developer job bc of my 6 months in help desk. Now I'm in a dev/sec analyst position because of my 1.5 years of developer/devops experience
oh believe me I know that deadline came and went, can't do anything about that deadline now. I've been checking for new applications filtered on a weekly basis from about 5 different sources, so there's 40 applications in so far, and I think I saw about another 20-30 newly posted this week.
I spent 6-12 months applying to 1-200 jobs before getting that first chance. I am from a rural area though that's limited in IT related positions
ok good deal, also check various larger companies, look at their websites, get on LinkedIn, put your resume there
that's an interesting route. I've heard that DevOps is a very good route to go, and it wouldn't take me long to learn, just would need to apply time if thats a route I'm willing to take
A ton of larger companies are doing full remote now and usually have a lot of junior positions open. Does your school have something like Handshake?
I keep getting emails from Handshake linked to my school about job opportunities, hiring seminars, etc etc
yes I have an interview with Walmart cyber division early Feb and PwC is barely opening up their cyber division. I connected with their recruiter and so she made it sound that there wasn't even going to be technical interviews due to sheer volume they're trying to hire. My LinkedIn is highly updated and I'm using LinkedIn Learning to learn a bit more, along with trying fun stuff at home
Yes we have handshake, in the past it's been pretty bad for me from a buggy UX perspective, but I can definitely give it a second shot, can't hurt
I don't think LinkedIn learning is particularly valuable but probably doesn't hurt... one thing I'd also do is try to focus on a certification, like Security+, AWS solutions architect - associate, Network+, etc
I got lucky with the devops route. My second developer job was more "open" to what I got to do. I slowly moved over and worked with both the sys and network admins and they eventually put me in my own devops role managing different env servers etc.
Got the company to switch from tfs to git which was an uphill battle etc xD
devops is really IT adjacent and a good option if you want to go into security
I wish I never got laid off from that position xD It would've been a perfect position to stick at for 2 years and get more experience while I went back to school lol Stupid C**D
Feel like I gotta plug networking as a good entryway as well. Took me a bit, but I'm transitioning from networking to cyber now.
Noted, I mainly used it since I am preparing for Network+ at the moment, scheduling my exam today/tomorrow so I stop procrastinating on it.
yeah I started with networking so I'm biased 🙂
DUDE LOL I can imagine.
lol, they used tfs for years (from when there was only 1 dev for quite awhile) and just never switched as they hired more and more developers. It was an absolute messy trainwreck.. I should've got a raise for switching them to git for how much time/effort I saved the dev supervisor and IT manager 🤣
at least it was tfs, not vss.
hmm I will commit more time to it then, it seems like a very viable option then. Thank you all for the feedback and I'll update once I'm employed 👍
Gave +1 Rep to @pseudo creek
Actually never heard of vss but idk if I wanna look it up the way you put that lol
MS Visual Sourcesafe.
Ah ya I've heard that thrown out. Guess didn't put 2 and 2 together 😂
Here's a great way to start an argument: which IDE is best for coding/programming?
The question would be what type of programming? Desktop, web, etc?
And what language, no?
I was gonna group that in the argument 😂
I only use 2 IDE's
Only IDE I have experience with is IDLE. So, that.
Note: I am not a programmer, and this is not programming advice.
lol
I only use Visual Studio and VS Code.
I've been switching over from PHP to C# but I always used PHPStorm for Web before switching.
Java I would use eclipse (but haven't touched that in years).
Python I always just use the built in IDE/IDLE for windows
Now that I think about it... if I actually used Python, I would just use VS Code at this point... but besides the little side projects with my raspberry pi, I don't use Python 🤣
Please take IDE discussion to #infosec-general or #programming

I just use kali linux since I'm a hacker in training but I just run my python scripts from the terminal
Any advice for a panel interview with the company’s security team? I’m pretty nervous since this is the third round and don’t want to mess up.
Sounds like you're going good so far getting that 3rd round! I have no experience with panel interviews though
I did a panel interview for my network role, then conducted 2 to hire my replacement. They were all light on technical questions and heavy on soft skills. "Will you mesh with our team?" kinda thing.
I didn’t think about the soft skills side but that makes sense since they’re allocating an hour. Thanks for that!
Gave +1 Rep to @low osprey
Is it ok to create a portfolio entirely made of projects I did? Because I'm learning python but I learn it from videos I watch online and so I don't have any actual course certificates to put down. So could I make a portfolio filled with projects I did rather than certificates and courses
Document all of it. It shows you're taking it upon yourself to learn. All of that would fit in the projects section of your resume
A github or gitlab account is great way to show potential employers your programming ability. It's also a good way to contribute to a community as well, because it gives you credibility to submit patches, bug fixes and features to existing FOSS software that you like
seconding GitHub/Gitlab and GitHub pages (free website hosting via GitHub)
Yea u don't really fully understand GitHub I just save all my different projects to different GitHub repositories in order to document and save them
I
Also what about a python certification?
Like the one from Microsoft
I just like the certifications because I don't have a college degree in anything related to computers and I've never gone to college anyway so I'm a self right programmer. I like the certifications as a way to prove myself other than some 4 year long college degree
depends on what you want to do really, if you're just trying to break into IT/Security without a degree then starting off with the CompTIA triad will set you up well (A+, Network+, Security+)
I can attest to this, been progressing in the interview process for a new potential employer who were checking out my github and I'm not even a programmer
I thought about doing all my THM box walkthroughs on my github in its own repository. I'm regretting not doing full detailed notes going through all the boxes I have
The only thing I don't like about that idea is having to take notes outside my kali vm. I currently output my initial scans and then build notes at the bottom of the scan
Some of these positions on LinkedIn are kind of misleading unless I'm reading it wrong. I filtered for remote and in the headline they say remote but in the body text it says no potential for remote
I noticed that as well when I was looking for my recent position xD
I'm guessing some are using old job descriptions without updating them.
My position now is a hybrid 2/3 but the initial job description said 100% in office.
Or could be a 1/3 if I wanted to work 10 hour days
Let me have your job
lol my job is too gucci to give up 😂
lol
Just keep at it and apply to the jobs you want. Once you get into the interview you can assess the more fine details. Remember: An interview is not just for the employer to see if you're a good fit, it's for you to see if the position is a good fit for you as well!
How should I respond back to a recruiter who offered me a position? I told her I was definitely interested. She sent over some docs which I signed (Tax information, etc.) now it's been M.I.A. just be patient and wait?
First of all, was it an offer, or an invitation to interview? I'd think the former, if they already asked for some tax information docs?
Second, how long has it been silent?
you could put them into shared folders,. so even if you break your kali vm, you still have the folder with your notes and it doesn't really matter where you edit it
3 Days. I mean she sent me some resources on how to prepare for an interview with their company.
I actually didn't even think about that... That's a good idea even if for only persistence
I've got an "archive" folder I put all finished room in.. theres probably 100+ folders in there xD
I think the terminology is that an offer is when you get to choose if you join them or not. But still - three days is not that much. But if they seemed intent on getting the process going on fast, you might send a polite query on if there's been any progress or if something is expected from you.
Have you already done interviews with them yet?
I've had to fill out tax forms before getting the first interview before. Though only once or twice out of who knows how many interviews I've had in the 12+ years I've been out of high school 🤣
No. Kinda surprised they didn't call me either just sent me forms
thanks
Gave +1 Rep to @ebon mica
what kind of data is on tax-information docs you had to fill out?
i've just never heard of it
Equal Opportunity Employer and Work Opportunity Tax Credit forms with my info
and I checked out the person who reached out to me. They are on LinkedIn with loads of connections
ah ok, was just wondering because sending tax-information seemed a bit fishy and at least in my country anything tax-related only becomes relevant after you sign the contract😅
Yeah I know thats another thing thats weird. I was too excited should have thought about it first. Hopefully I didn't get burned
yeah, since 2 years the job market is pretty weird, but if the recruiter and the company seem legit it should be ok. and in the end, they're also only people and i often had cases where "we will get back to you at the end of the week" becomes "sorry, this and that person was on vacation so we couldn't follow up until this person is back" or "hey, remember us from 2 months ago?" 😄
Sounds like just getting the nitty gritty stuff out of the way in prep for interviews? Definitely could be wrong though
My first job in the industry was a help desk job where I only got it because I had an Associate degree. I had the job before going to the first interview which was just a meet and greet with the team
"Hey, remember us from 2 months ago?"
Yeah, but I already accepted an offer because y'all ghosted me. Good luck on that search though.
I still get offers or interview appointments from months ago when I was searching 😂
Same. Also the occasional rejection from a company I'd forgotten I applied to.
I think it's absolutely nuts that I turn a resume in 5-6 months ago and just now getting a call for an interview...
How are they expecting people to actually say yes to these interviews or offers? xD Of course they're gonna have a new job in that massive timeframe
Also why don't they leave voice mail anymore
They'll call you but nobody leaves a voice mail.
Seems like I only get voice mail now if its an extreme emergency or something
That must be a personal thing. I get a ton of voicemails.
Even now, when I'm not actively looking, I get 1 or 2 a month.
with my current job, the whole process took 1 week from first interview to offering the position. i am a backend-dev, which at most other companies means a coding-challenge, technical interview, "practice day", the whole shebang. for the second talk i thought they wanted to give me a coding challenge, but they made me an offer and when i asked why they don't do coding-challenges, they just said that the talk was great, they think i'm a good fit and they liked my stuff on github. before that i had an interview-process that went on for almost 3 months...
That's awesome.
My first post-military job was similar. Was in the middle of a 2-month hiring process with LogRhythm to be an FE for them, and got a call from a recruiter who said he had an opportunity and liked my resume, and the team lead of the contract wanted to talk to me. Talked to the lead for 20 minutes, and an hour later I had accepted an offer. LogRhythm was not happy when I told them lol
dodged a bullet there 😄
Oh?
I was only at that job for 4 months, but it got my foot in the door and led to my current gig, which is pretty nice.
they should be aware that they aren't the only job someone is applying to and get mad when someone else offers you a job before them
Ah.
Well, I waited until a telephone panel interview to tell them, since it was the next day. So I get on this call with the HR lead, team lead, a manager, and a tech consult. They go through their spiel how they're happy to talk to me, they think I look good, blah blah blah. When they stop I'm just like "Yeah, so.... I accepted an offer. I just wanted to let y'all know via phone instead of an email. So, yeah. Thanks, but no thanks."
🦗
Awkward

that's a boss move tbh 😄
apparently my voicemail is messed up on my iPhone so thats why
can't receive any voicemail go figure
lol
So I'm in a help desk position right now. What roles will prepare me for Sys admin or Network Admin? Or is it just self-studying?
I think I just answered my own question never mind
UK or US?
If you want to go networking, get CCNA. If you want to go systems, get a cert like Security+ or a MS cert.
US
Noiiceeee
Hey. Would someone please explain to me how relevant learning JS is for career entry? I've read mixed opinions on this subject. Or if there's any sources to refer to, I'd appreciate it.
depends on the career path, cybersecurity is a broad field. but let's say you want to look at a websites source-code and see a script-tag, you should at least be able to read and understand what's in that tag
Got you. thanks. Like you say, it's a broad field. Maybe that's something I'll be able to answer myself once I've learnt more and finished more paths.
Gave +1 Rep to @vocal heart
php also falls into that category
I want to become a cyber security analyst by next year. Currently i have my comp a+. Should i go for security +, network + and eJPT
or is there a better recommendation
i recommend going for ccna and security+
it worked for me in the uk :)
Heck yeah man
i became a soc analyst with just ccna
and the first cert they were pushing me for was security+, so those together should "easily" get you somewhere
Sounds good brother. Do you have an opinion on eJPT
imo not worth it, it's good practise but if you're tight on money it doesn't help
Oh okay I see. @static tide appreciate your help brother
no worries good luck
Sorry to bother you again @static tide . But let's say if i put 4 hours into studying every day starting today for ccna and security + . When would you expect to get the cert. let's assume i am an average iq person haha
Would you say less than 1 year?
Couple weeks for Sec+. Few weeks for CCNA
Damn that fast huh
iq has nothing to do with it, but 4 hours everyday then yeah you should expect to pass before the end of the year
Awesome ight brother
I noticed on infosec they have specific things like Pen-200, are these courses that are good for listing in your resume as a Pentester?
Pen-200 is PWK, i think. Which is OSCP. So yes, earning it would be a boon to your resume
its pretty much a requirement honestly
Yea my main goal is to get CEH as there are a lot of fairly well paying government jobs that have CEH
And maybe a python certificate as well
Which government?
Eww. Do PenTest+ instead. Assuming US gov, based off of 8570 requirements, PenTest+ will satisfy the same requirements as CEH
Hopefully they'll add eJPT to it as well. Eventually.
India?
We've told them this about 6 times so far 😆
Same
I'm from India and I'm still not wanting to go for CEH 😅
even if that offers more jobs here
Pentest+ is what, half the price, by a more reputable organisation, and better in terms of learning?
Yes, yes, and yes
CEH has been sequestered to CSSP on DOD 8570
I've heard eJPT is good too, but haven't looked at it.
Which, isn't even going to get you in the door as most of those positions require prior experience
And eLS is still working on the "widely recognized organization" thing.
Or aren't even open to public applications
Know someone who got hired with U.S. Bank to be a pentester with just PenTest+. Soon as she graduated our school, she was hired.
Ye
I was
to one of those
Government entity down in Savannah i think it was, was hiring for a red team position. Wanted someone right out of college with a Cyber Security degree or something close, didn't need certs, didn't need experience, because they wanted to bring the person up their way
What happened?
Ghosted
That one stung a bit lol
Ngl I probably think I was closer than I actually was but 
Oh ouch. Ghosting is shit. Like, at least a boilerplate email that says "Thanks, but no thanks."
USAA does those. Got one last week. "blah blah blah another candidate more closely matches the role blah blah"
dude pentest+ is insanely hard
why do that when CEH is very hard but at least multiple choice
and less experience required for CEH
and a lot of jobs take it
Because the value of CEH is exponentially less.
I haven't even seen a job on indeed/linkedin require ceh though
US based east coast
even the IT people with 4+ years of pentest+ fail to crack it how the hell am I some kid who has 6 months of hacking experience gonna crack that?
Study?
Nothing of value is easy.
Comptia Certs are not hard in comparison to other certifications
Yeah. And practice. I took it and passed with no actual hacking experience.
PT+ is also 4th in the chain of comptia certs - it requires a deeper knowledge.
Additionally, if you didn't know the PT+ material and have the CEH the value you bring to a pentest is nothing
I take it at the end of the month.. already have Sec+, CEH, and CISSP.. I know, all different "genre" within cyber so-to-speak.. but I think Pentest+ won't be too bad
Month and a half of studying and practice tests. Jason Dion's courses were awesome, as they usually are.
Dion's quizzes for Sec+ were nice
actually btw in my area there were over 100+ jobs that paid good salaries and NO I don't live in silicon valleuy
valley*
If you don't understand networking, basic systems, basic webapp security configs, and you were engaged for a pentest that client is going to be extremely upset with the report.
I don't look at salaries when job hunting. I pay attention to that after deciding if I would want to work there
What's the relevance of this?
Never underestimate the value of comic relief
people were saying there were no CEH jobs
There are no good CEH jobs.
Different folks and so on. Salary is usually the very first question I ask when engaging with recruiters/HR.
but many I saw paid decent salaries
That's most definitely not the only factor
If a company made it a requirement to hire that I get CEH, I would hard pass on that company. Their security outlook is not good.
well DoD has CEH as a big thing
That's not even touching the ethical issues and problems that surround EC-Council.
I'll agree with that. Personal preference and ways of looking for jobs 🙂
You've been told, repeatedly, that there are better and cheaper certs that fill the same checkbox as CEH.
It did.
Pentest+ checks the same box and actually teaches you.
CEH's only advantage is that it was the first penetration testing certification to hit market. They've leaned on that as their sole distinction since then. It's slowly fading away in favor of better exams.
Pentest+ costs less money
@stoic cave works in that space, and I know he's said it at least twice in response to you.
Pentest+ is more relevant
but it's harder from what I heard
So?
Stop trying to take the easy route. It's going to take work.
It's cheaper, and teaches you more but may be harder. Personally sounds like a win unless a company is paying for it.
Yeah
That's probably a fair statement. PenTest+ is the only exam I've ever failed. But I don't see how that's a bad thing. More difficult means it's a better gauge of your knowledge.
hey what's up everyone quick question studying for security + exam trying to take it in march i watch vids and have practice exams wondering if we have any tutors in here or know where i can go to get help i feel 1 on 1 will help me a lot as well
You can take it twice and still pay less than a single attempt at CEH.
I have no personal opinion on pt+ vs ceh though. I haven't taken either and currently studying for Sec+ and AZ-900
DM
https://startacybercareer.com/comptia-pentest-vs-ceh-which-should-you-choose/ This here quotes "ook at any forum about CEH vs. PenTest+ and it will tell you that the PenTest+ is a much more difficult test. The PenTest+ has thus far been considered to be a challenging exam, even to those that are well experienced in penetration testing."
look*
I think I'm about done giving you advice. You've been told repeatedly by at least 5 different people that there are better alternatives, in every possible capacity that CEH would fill. You are so invested in this idea you have about security and how CEH fits into it that you are no longer listening to anything anyone says on the subject.
Unless you have a new question, I'm not going to waste any more of my time on this.
If you need 1 on 1, I would go to Comptia's website and see what they have available personally. That way you know you're not paying for something that won't assist you.
Who says that source is reliable?
And why is difficult bad?
Easy devalues the cert, does it not?
Check the box that gets you more respect, not the easy box
Also more learning and understanding of the topic
If you go for easy, you won't break in to the space
Seems like an obvious bang for your buck to me lol
also that's not the only source, NetworkChuck also recommends the CEH if you guys have seen his videos
and he is an employed cyber professional
Very funny
Are you trying to meme in here?
So am I
I accidentally did that
So am i
At the time, NetworkChuck was also new to the "hacker world" when he made that statement
Question to those more experienced, would Pentest+, then eJPT, then OSCP be a reasonable track and goal to accomplish in a year or less time?
I'd skip eJPT in there
maybe one of them
Not sure if you need eJPT
in a year
IMO eJPT is fine for learning, but itn's very well recognized.
maybe pentest+
yegadz, NetworkChuck. Have you seen his server? I lasted all of 5 minutes in there.
it's not*
Yeaaaaaaaaah, NetworkChuck isn't necessarily one to take seriously.
There's a big jump between PT+ and OSCP, but as far as I know there's really no in-between. So yes.
thanks. I wasn't sure if there were any "stepping stones" so to speak between PT+ and OSCP / other OS* certs.
perfect
You don't need to certify every step
Also, yeah, don't take the easy option. The only reason CEH still appears on legitimate jobs is because HR see the whole "First Cyber Cert" and jump on the bandwagon. It has no actual use. If a company genuinely likes it from a technical perspective then I'm with Juun -- run as fast as you can
@stoic cave thank you, yeah i just got directed to the comptia discord to ask the question to them
I'd be 50/50 on agreeing with that statement. Take everything with a grain of salt bc he's usually learning something new and then making a video on it but he's also a very good source for getting the gist of a topic and then researching more on your own...
Oops meant to turn the tag off on that my bad Muiri xD
https://pauljerimy.com/security-certification-roadmap/
Check this out. It'll help guide you, if you want.
current job is requiring PT+, but I feel as though that's the sector I want to focus on.. so I figure OSCP would be next.. training up to/for it.. and a lot of jobs out here seem to have it (OSCP) as a baseline requirement to join a red team
thanks
I hope $currentJob is also paying for PT+
It is
Good, nice and straightforward then
That applies to individuals as well, for the record @sharp rain. I'm not in a position to hire, but I can tell you for a fact that if I had a candidate who has CEH and genuinely raves about it (i.e. doesn't just have it to tick a box), I would have serious concerns about their knowledge of the field and technical aptitude.
they'll pay for anything contributing to professional development (materials, courses, certs, etc)
I genuinely think we'd laugh them out the building.
If CEH is your gold standard for cyber knowledge then... there are problems
Yeah, basically 
I thought Networkchuck, before he went full time creator, was alright. I actually learned some stuff by watching his earlier content. But now it just seems to cater to clicks and not substance
So I agree
Oh I'm being literal here
Education budget is awesome. $4k/yr for my company. Though, if you leave within a year you have to pay it back.
Wow that's insane
Yep, that's fair. A lot of what he does now is just clickbait, and the amount of trouble he's caused us with his borderline blackhat shit causing people to come in here and say "It's not that bad... NetworkChuck did it" is a reeee
Maybe I just have a soft spot. I enjoy his videos and have been watching for a couple years now. I enjoy the content and usually end up doing more of my own research afterwards
This is what I've seen as well. He went full "influencer". Lots of yelling and flashy graphics and faux-urgency. It's annoying.
not bad! ours is a lumped in budget of 6k/yr, and if it's a job requirement they cover it out of their overhead.. no paying back
Paying back if you leave is fairly typical
See that is understandable! I've only been in this discord for a few months so I haven't seen that.
yikes, we don't have a number limit per year but we can get SANS classes
only thing we have to pay back is if you use the 'tuition assistance' budget
which is separate than the yearly training budget
My cert budget is listed at $300 a year
is this organized from easiest (bottom) to hardest (top)? or just sporadic?
But I can just ask and they'll approve things much pricier than that
Generally easiest to hardest, bottom to top.
Do re-certs count for that budget as well?
thanks
Yeah, any professional certification stuff
Oof. Seems kinda low but nice they will approve needed certs if it goes over.
But prior to me deciding not to take OSCP, I was approved for the test and 60 days of lab time
That's cool 🙂
how I got learn one... my manager "hey we have tons of training dollars we haven't used, someone pick something" "maybe I could do pen-200" "ok sold"
When I get to the oscp I am on my own lol Work is already paying to finish out my degree and a few certificates not covered with tuition.
and my manager is also pretty cool with things like me saying "I want to spend half a day studying"
although it's sooo busy, it's hard to do that
That's what I'm doing right now xD I left at noon to study from noon-4
One of the orgs I work for is getting org wide Azure training for free. Trying to see if I can hop on that class
I test for SC-200 tonight. I could've used some Azure training.
Nice! My supervisor wants me to have the AZ-900 scheduled by next Friday
yeah we have the free Azure training, it's how I got 104
the class is 'ok', but when you take the azure class, they give you 1 month of Azure credit and a book, the book basically follows the class
Yup the basic fundamentals cert.
which I mean, free is free lol
I got Az-900, studied for a week, then took the test, Az-104 is a bit more time intensive
I got approved and started studying for 900 today. Supervisor wants me to have the exam scheduled by next Friday but no rush on when it's scheduled for.
So putting Sec+ on the backburner for a week or 2
geez, i'm getting jealous😅
Is it easy?
az-900 is non-technical, mostly cloud terms
If you want to take MS exams for free look out for the Ignite Cloud Challenges during the MS Ignite and for free vouchers on Fastlane
sometimes it's harder to get a free exam, than to pass the exam itself 😄 (got my AZ-104 and SC-200 that way, still have a free AZ-500 and the one from the last Ignite... still need to decide what exam I want to try)
Even if I fail I learned tons of things 🙂 and I will try again with the next free voucher 😄
Dang never heard of that but after a quick google search it only happens once a year... which was only 2 months ago 😂
I'm wondering to myself how I've been a dev for 2 years and a dev student for 2 years before that and never heard of this lol Scratch that, I've heard about Tech Ed. It's just a rename. I think we talked quite a bit about TechEd back in high school which I graduated from over 10 years ago
So I just got off the phone with a group that is interested in bringing me on for red team work. He wants me to send a resume. Does anyone have any good samples for this type of work?
Heath Adams/The Cyber Mentor has one https://github.com/hmaverickadams/Sample-Pentest-Resume
Thank you!
What are some training I should ask my work for? Or something that'll look good on my resume in general? Doesn't have to be red team training
it really depends on your goal and what certs you already have
CySA+
AWS or Azure certs are good
Anyone have experience working for the federal government as a GS?
What's up? Not directly, but I know a bunch and may have info for you.
I've applied via USA jobs a while ago and I know the government moves slow but I actually got referred so I'm just wondering how it is. I would be attached to a cyber command and not as a contractor. I was just wondering how technology is in these types of places, I've heard that some other stuff is old
Lots of checklists, spreadsheets, and policies. ACAS, HBSS, STIGs are the meat and potatoes.
I would expect it to take months to hear back. The government moves at the speed of government.
I'm an analyst in an MDA lab right now. Not GS, but working the same environment.
I'm not GS but I work direct on Government projects
technology is old
in regards to hearing back, the government is required to put out when the application period is ending. Usually at the bottom of the job postings
Yeah, but there can still be months between the period ending and them starting the interview process.
yeah
Some technology is old, but unless they have security exceptions the software is required to be up-to-date and patched. Of course each environment is unique though. All depends where you are.
required
Oh I completely missed that it was you lol.
Thought I was still talking to tech
And yeah, there's systems that aren't compliant. Depends on the criticality and how much their cyber guys care.

My last job we were running 80-90s software powering just about every web portal or desktop app lol
RHEL 6.5 is my daily
That's definitely against STIG
shush

We at least had Artiva. Still an early 90s product but it was specifically for citizens debt to medical and college debt to the government
I worked in a more devops role so I didn't have to touch artiva though. I was very happy lol
We just got Varonis. The cyber lead is super excited about it.
The system admin, not so much.
lol hmm wonder why 😂
I would hate with a passion to be an infra, sys, or net admin for a government entity...
Security, eh not so much. At least from what I've seen at the last position it was mostly paperwork, working with outside pentesters, more paperwork, and finally some more paperwork xD
She did take care of all camera and physical entry systems though too.
I did net before moving to cyber. Easy job. 90% of my day was downtime.
Downtime of systems maybe at the last job 😂
Data tracking software. Tracks movement and access of data across the network. Really granular control.
I'm kinda torn between sec and net honestly. I enjoy both equally. I didn't pick a specific path to finish out my degree and I'm going for a couple certs on each side
I wanted to years ago when I was in the police force field (before even getting into IT) but as I get older, the more it doesn't seem interesting to me
But then again my idea of DFIR wasn't quite what it actually was xD
I wanted to be a detective at the time but a detective in the cyber way idk. Nothing in my early 20s made any sense 😂
Not to mention all the dumb ideas I had that put me in situations to be the better person I am today LOL
To clarify I’m talking about things such as relationships, job choices etc not the bad things that cost me careers 😂
Splunk is my life now. My main duty. I like it. Tons and tons of logs that I gotta figure out how to efficiently sort and display.
Malware analysis is interesting, but very code heavy and hard to get into.
That's a huge oversight
I'm pushing for ELK
I don't understand, wouldn't people get Pentest+ or CEH instead of Sec+
Because isn't ethical hacking more red team and cyber security is blue team?
So I would think you would do one or the other
Like if I wanted to become an ethical hacker I would get Pentest+
Rather than Sec+
Sec+ provides the foundation for best security practices and a lot of base level knowledge. Pentesting is a specialized field within Cyber Security as mentioned previously.
Frankly, you might not find much success if you try to jump to the end game. There's a lot of learning that needs to go on in between. @sharp rain
I always advocate starting with Net+. Understanding the basics of networking is a huge help in any facet of IT.
Yeah, if you have no degree and no experience, net+ or ccna first
Then Sec+
After which, go get some experience and then you can decide where you want to specialize
How was Linux+
Honestly? I was shocked I passed it. It was rough.
But I took it with very little Linux experience, leaning on my studying and notes. I have more experience now, but am far from an expert.
Fairly deep. I remember specifics of things like crontab, iptables, ins and outs of su/sudo/root access, a lot of permissions questions.
Someone who's used Linux regularly for any amount of time will have a much easier time with it than I did.
Yeah, I've touched all of that but by no means have any of it memorized
Ngl my use cases with those are probably fairly obscure
setfacl, fstab, knowing differences between loaders, grub
Just spouting things as I remember studying them
pssss guys if you're looking for a remote job try checking out the fintechs from Argentina/Uruguay/Brazil. They're experiencing record growth, getting funding from the US (Series B/C) and are expanding at rates not seen in traditional enterprises.
I just saw the biggest one in Argentina looking to hire an offensive security lead.
Of course the pay might not match the equivalent from an OECD country but if you're living somewhere else or in a place where cost of living is not that high, it might work out for you
Solid advice.
Why not try for yourself?
I know the military, especially usmc is trying to revamp cyber . So maybe there would be new tech. Not sure tho lol
USMC is making a lot of effort in modernizing. They stood up dedicated cyber units and established new MOSes for it. Hopefully they keep making strides.

