Career shift from IT audit to Pentester or Security Analyst

clashofkalan Registered Users Posts: 4
Hi, just want to know if it is difficult to make a career change from being an IT auditor to a pentester?

Highly interested in VA/PT
Currently working as IT auditor. Performs review of the application and general controls of IT systems
Only CAATs tools are being used in our audit work
Familiar with various operating systems, databases, network security devices but with no system or network administration experience
Familiar with the pentesting procedures/methodologies and some of the tools being used for pentesting
Not an IT or ComSci graduate


How can I develop my skills toward vulnerability assessment and pentesting? What track should I follow?
Can I get a job related to pentesting with my current skillset?

Highly appreciate your help. Thanks in advance


  • NovaHax Member Posts: 502
    OSCP. Ignore anyone who tells you that you need to prepare to take it (the course, that is... not the exam). Assuming you can navigate through a Linux box and understand the basics of TCP/IP, you should be good. The PWK course starts from the basics and will provide you with the framework you need. You will need to do a lot of independent research, but that's kind of what PenTesting is. If you are persistent and want it bad, you'll come out on top.
  • clashofkalan Registered Users Posts: 4
    Thank you sir for the reply. If I may ask, what is a PWK course? And don't you think that the OSCP course is quite advanced for my current skillset?
  • MrAgent Member Posts: 1,309
  • BlackBeret Member Posts: 684
    PWK is a course designed to bring you from basic to advanced. It starts out basic, explains a lot, points in the right direction to learn more, then tests your knowledge with the OSCP test. Honestly if you can set up a VM and operate Linux at a very basic level, you can complete PWK/OSCP.
  • clashofkalan Registered Users Posts: 4
    Thank you for the enlightenment. Don't you think I should have at least hands-on experience with networking and the different operating systems, or can I go straight to learning the art of pentesting?
  • NovaHax Member Posts: 502
    Yes, the OSCP is difficult for ANY skillset. That's just the nature of the course. I know people who do PenTesting for a living and have struggled with it for years and still don't have the cert. But it's a test of endurance and perseverance. It gives you the framework of what you need to know, and if you want it bad enough, you'll get there.

    When I took it, I had never done any professional PenTesting. It was brutal... but by continuing to push myself, I got there after a 90-day subscription and a 15-day renewal.

    And yes, you should have some basic knowledge of networking and Linux. Which is why I said earlier:
    "Assuming you can navigate through a Linux box and understand basics of TCP/IP, you should be good."
  • clashofkalan Registered Users Posts: 4
    Thank you sir for the advice... Very much appreciated
  • verdigris Member Posts: 5
    I'm in the exact same position. I think nova is spot on - between the relevant audit experience and the OSCP (which I'm working on now) you should be able to show you're a serious candidate with some skills.