Here’s a question that comes up the frequently in my DM’s; “how do you get into penetration testing?”
I’ll do my best to come up with a path that works for the majority of people. However, it all depends on where you are in your career and what you’ve done up until know.
I’ll approach this from the point of view of someone starting out fresh in IT, right at the bottom of the ladder. I will also aim to point out a couple of good certifications. These hold value in the job market and give you a good body of knowledge to build from.
Bear in mind that there are 3 caveats when it comes to certifications:
1. Certifications on their own without any experience to go with them are less valuable than just the experience on its own.
2. A certification is often only useful when you’re trying to get past the HR sift while you’re job hunting. Once you’re in, it’s less about your certifications and more about your experience and knowledge.
3. Not all certifications are made equal. Some tick the HR box; others require you to learn the content and craft and will take you down the rabbit-hole. There are a few that overlap these two key areas, and are the ones you want to go for.
Disclaimer: This will take 3–5 years if you take the time to get the experience under your belt, which I would advise you to do.
A good starting point is a help desk job. It’s guaranteed to give you exposure to all the technologies you’ll need to be comfortable around. Yes, you’ll be answering phones, doing general first-line tasks, and your hands-on exposure to technology will be somewhat lacking. However, you’ll learn key skills like how to communicate with users of various technical abilities, how IT works at a base level, and how to escalate issues to second/third line teams.
You’ll also get to see how things break and how users break them in quite ingenious ways!
A good certification to aim for here is the CompTIA A+. I’m a fan of CompTIA as their certifications are vendor-neutral, recognised across industry and follow a frequent update cycle. There are also several great free resources to help you prep for the exam. I have added them to the “Certifications” page under Resources, so be sure to go check that out when you’re done here.
A sysadmin (system administrator) job is a good next hop, offering second-line responsibilities and greater exposure to whatever technologies the business uses. Sysadmins typically get left to their own devices and you should be able to capitalise on this. Spend time learning skills such as coding, networking and virtualisation. I’d recommend getting to grips with Python and PowerShell as a minimum. If your schedule permits, get stuck in to C/C++ as well.
Ideal certification goals should be the “CompTIA Trifecta” with the Network+ and Security+.
This is where it really depends on what sort of penetration testing you want to do. Aim for something like a network administrator, web developer, Linux sysadmin, or identity and access management (Windows servers and Active Directory) role. Any of these will serve you well as a penetration tester. If network penetration testing is the goal, network administrator should be a first choice where possible.
Certifications here that are worth pursuing include the CCNA, MCSA (until Jan 31st 2021) and the RedHat CSA (or CompTIA Linux+ equivalent). Just note that Microsoft will be changing thier certification paths, and you can read more here. Possibly cover some cloud stuff at this point as well as that’s a fairly new area for penetration testing. Microsoft Azure and Amazon Web Services are realistically the two options to choose from.
HOP 4 – PENETRATION TESTER
Whatever you choose to do up until this point, you’ll get to a position where you’re ready to begin moving into the realm of penetration testing.
This is where it gets much more hands-on, and your free time begins to get swallowed up somewhat.
I’d like to start this section off by stating that breaking into penetration testing is 20% certifications and 80% experience, so the odds aren’t in our favour. We need to tip those odds in our favour. How do we do that?
If you work for a business that has its own internal security/pentest team, you need to start work shadowing them. Get yourself on to a “ride-along”. This may have to be on your own time but that should be a small price to pay for the opportunity of gaining valuable experience and exposure to the right people in the right place.
If your employer doesn’t have an internal security function but does outsource the penetration testing to an external company, you can use this to your advantage. The next time the pentest company is onsite doing an assessment, arrange to have a “ride-along” with them. Most providers will welcome this and won’t have an issue with you doing so provided you don’t slow them down.
This is important advice I learned from Ed Skoudis (@edskoudis), who’s webcast you can find here. It’s well worth taking the time to watch the whole thing as Ed is someone you want to pay attention to when it comes to penetration testing.
Build a home lab environment. This will form an on-going base for you to operate from. This is where you’ll do the majority of your pentest learning, testing of tools, exploiting vulnerabilities, etc… The importance of a lab environment cannot be understated. You can build a basic lab environment for not a huge amount of money (although this is of course subjective) and expand it as you learn new things on your cyber security journey.
The /rHomeLab subreddit is a great resource for getting ideas, tips, help and picking up hardware for not a huge amount of money. I bought my switch and Dell server from someone on there!
I would recommend that you have a read of the “Penetration Testing Execution Standard”. It gives you a great overview of an established and frequently referenced penetration testing standard. It is free and will help you make a start in penetration testing.
Online Labs and Challenges
Registering to online labs like HackTheBox is another good move. The key to utilising something like HTB is to pick a challenge and approach it as a mini penetration test. Be sure to follow the PTES methodology (others are available) as much as you can. There will be parts you cannot apply, like the scoping elements, but make sure you screenshot everything you do. Write a full penetration test report at the end. Rinse and repeat this process until you’ve got about a dozen reports written.
Then take those reports and approach a penetration tester that you know or follow. Ask them to read and critique your reports and get feedback on how to make them better. This may or may not require the promise of alcohol in return! Once you’ve got a couple of well-written reports finished, hold onto them as they will be vital in a job interview. I’ll come onto interview stuff in a moment.
It’s also worth talking about the wider cyber security community. Get involved in things like webinars, virtual summits and talks. Connect with people from all over the industry on social media and pay attention to what they’re doing.
Capture the Flag
Capture the Flag (CtF) competitions can be rewarding, soul destroying and intimidating all at the same time. I’d strongly recommend getting stuck in and signing up to CtFs as soon as possible. Don’t wait until you’ve mastered a specific skill as CtFs are a brilliant learning resource first and foremost.
Set aside time every week to get onto a CtF and treat this time as sacred. Don’t let anything distract you away from this time slot if you can help it!
Try not to get fixated on winning the CtF nor get disheartened if you’re not near the top of the scoreboard. Treat the CtF as a learning platform and build your real-world skills. The biggest benefit of using CtFs comes from the persistence and patience you’ll learn to deploy.
Consider joining a CtF team to enhance your pool of learning resources. There are always teams looking for new members. The “OpenToAll” team is one that comes to mind, who are now at an astounding 300+ team members.
I’ve added a CtF page under “Resources” on the knightsbr1dge.red site which should get you started
Whilst you’re doing CtFs and have started down the cyber security rabbit-hole, I strongly recommend you start keeping a journal. In this journal you’ll want to keep a track of what CtF you were doing, when, how long you played. More importantly you want to note down what you learned and what you struggled with.
I’d also recommend starting a personal cyber security/IT blog. This will be dual purposed. Firstly, it will help you document and track your journey through the murky waters of cyber security. Secondly it will help you begin to build a reputation in the industry. Neither of these reasons can be underestimated and both will be an asset in an interview.
I’d recommend setting up a twitter account and following several well recognised cyber security news outlets. This will keep you up-to-date with the latest news from across the industry. Being asked about current events in the industry is almost a guaranteed interview question!
If Twitter isn’t your thing, there are several other sites you can check out:
Cyber Security Certifications
There are a few cyber security certifications that are both HR-friendly and have relevant content to get you started down the cyber security rabbit-hole.
The first is the Certified Ethical Hacker (CEH). HR love the CEH and whether or not you agree with its content and or value it as a certification, its clearly here to stay. Don’t rely solely on the CEH for a penetration testing job offer though. CEH gets your foot in the door, but it’s your experience that will help get you over the line.
CREST is another organisation that has a huge footprint in industry, especially so when it comes to any cyber security jobs that require a level of security clearance. CREST should be a part of your roadmap.
Then there are certifications that I am personally pursuing such as the OSCP, CREST Certified Infrastructure Tester, GPEN and GXPN.
The OSCP is somewhat a rite-to-passage and a baptism by fire. It’s tough, has enough twists and turn to keep you on your toes and culminates in a 24-hour practical exam with a further 24 hours to submit your written penetration test report.
The GPEN is considered by many as the gold standard when it comes to penetration testing certifications. Be warned though, it’s not cheap although this is certainly a case of getting what you pay for, especially when you look at the reputation SANS has as an organisation.
Speaking of SANS, they released a “PenTester Blueprint” a little while ago which will give you a greater understanding of the sorts of skills a penetration tester needs to have.
A certification that’s gaining quite a bit of traction and acclaim is the eLearnSecurity eJPT which I’d recommend taking a look at.
When it comes to applying for penetration testing jobs, try not to get disheartened by the requirements. Businesses always seem to want people with decades of experience who have a wealth of knowledge in every aspect of IT. Ignore this. Apply to jobs that you feel you have the skills to do well and go for it. The worst that will happen is you’ll be told no or won’t hear back and you’ll be no worse off than when you started. That’s fine and it just means you need to tweak your approach until it works.
A lot of cyber security businesses now tend to use practical assessments when looking to hire penetration testers. As long as you’re confident in your abilities, you should be diving into opportunities that allow you to show your skills from the start.
The CtF time you’ve been putting in should help you prepare for this quite well.
Remember those penetration test reports you’re going to have written up? I would be taking those to the interview as proof of your quality of work and your capability. Also take with you your journal as it shows just how much personal time you have committed to the industry and to the craft of becoming a penetration tester. Your blog will act as a timeline of what you’ve been doing over the years, what you’ve learned and the personal time you’ve committed to getting to where you are.
Hopefully this has been a useful post and helps some of you figure out how to get to where you want. I’m on the “path to penetration tester” myself and this largely mirrors my approach.
A great bit of advice I got early on in my IT career was that “the best opportunities are the ones that never make it to the job board”. Network with professionals who are already doing what you want to do and be active in the community.
If there’s one thing you do after reading this post; start a blog. Begin documenting your journey now. Don’t wait until you’ve got a particular certification or done a particular thing. Just start now. Go buy a proper domain, install WordPress and start documenting everything you do on your way to becoming a penetration tester.
Share this with anyone you think would benefit from reading it. Drop me a message on social and let me know you thoughts and where you are on the roadmap.
Finally, I want to give Ed Skoudis a huge thanks for taking the time to help me bring this post to life.
My social media is: