Entry Level to branch into PenTesting?

Nerkle Member Posts: 20
Hiya yall!

I am in my early 20s currently and getting my first bachelor's degree in Cybersecurity. I will be graduating in Nov and preparing for what comes next. I want to get into PenTesting, but lack relevant internships (I did the Disney College Program Internship but it was more business related) or job experience in IT/InfoSec. I am currently practicing labs outside of class and preparing to take the OSCP. Some of my friends have suggested taking desk support jobs, but the ones around here that are looking for help are severely underpaying to the point that it will not make rent.

What would be a good way to branch into Pentesting to get that work experience? Should I continue seeking higher paying desk support jobs or what would be another entry level position that would best help transition into the PenTesting field?
If not any of these, what would you suggest? I truly appreciate any feedback. Thank you! :D


  • scada Member Posts: 49
    Try to get a Netops job or focus your helpdesk support on networking. Then try to move from there.
  • [Deleted User] Senior Member Posts: 0
    Hey man I was in your shoes also just 2 years ago! One thing I can tell you as a pen tester, build a foundation. Doing labs is great! Companies like this type of mindset for pen testing: Color outside the lines but within the sheet of paper! In other words, think outside the box but logically that makes sense. Learn to develop the mindset of business risk. Consider watching free CISSP training videos on Risk management and assessment. Business risk assessment + technical skills (1337 skillz) = pen tester! Also, if I could be in school for 1 more year, I would focus and learn PowerShell and Python. I can't tell you how useful those 2 languages are for doing pen tests! Honestly, doing OSCP while in school is going to be a nightmare with classes and career fairs, friends etc. Start with something like the Security+. Main reason for this is because not only will it give you a credential for jobs once you graduate, but will lay a foundation of knowledge and companies like certs! The real world is all about credentials for getting in a job. Once you're in, it depends on real world skills @ that point. I would do Security+ since other certs like CEH and ECSA will require experience unless you **** 3k for a bootcamp! Sorry if the post was a bit unorganized, feel free to PM me once you get more posts here if you want guidance.
  • BuhRock Member Posts: 71
    Do your sec+, but I would try to do your OSCP asap after college while you have another job. That job could be like network ops or helpdesk. Once you get your OSCP, you should be able to get a jr pen test role.
  • McxRisley Member Posts: 494
    I agree with getting your sec+ first as well. The sec+ will give you an understanding of the basics and give you an idea if security is really for you. Also I would like to shed some light on the severely underpaying support jobs. I too was once in college and thought I would make a decent wage straight out of school, some people are able to but the truth is making 20k-30k is about what you should expect straight out of school. I landed my first job a year after I got my bachelor's and started at 24k a year in a desktop support/rollout position. Now here I am 2 years later and I'm making over 100k as a pentester. Part of this is due to my skills and the other is due to me seeming to always be in the right place at the right time. Basically my advice would be to take any experience you can get at this point.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • adrenaline19 Member Posts: 251
    I think you should get the Net+ then your Sec+. The former helps solidify the latter. OSCP is something you want to dedicate a lot of time to getting. It isn't like a college course. You can't just study some class notes and pass it.

    Learn Python now too.
  • Nerkle Member Posts: 20
    I haven't heard of Netops as an option before, I will research into it! Thank you, scada!
  • Nerkle Member Posts: 20
    Oh man, it is great to hear that you went through a similar experience too! I really appreciate your thorough response and would love to PM you for your guidance! I am currently taking a Python class in school, but I only had a small introduction to PowerShell way at the beginning of my degree program. I will definitely put that up next to learn, once I get Python down!

    You are right though that OSCP is a bit of a challenge, I am currently studying some other labs first as introductions before jumping into OSCP labs during my final months, hoping that I would be ready for the exam in October. Though, speaking of career fairs to attend, there is also a Cyberweek convention strictly for Cybersecurity pros and students that I was hoping to attend that is coming up, so maybe having the Security+ would be best to have there and able to get it sooner than the OSCP. Hmmm.. That's something new to chew on, and I am excited to hear your suggestion that companies like certs such as Security+! Thank you, kMastaFlash! :D
  • Nerkle Member Posts: 20
    Sorry, I am a bit unfamiliar with how to edit a post since I tried making a post to thank more of you, but it was flagged as spam. Thank you everyone for the advice! I really appreciate it! Yall have given me some great ideas and paths to dig into! Thank you! :D
  • wd40 Member Posts: 1,017
    I am not a pentester but planning to look for a pentest job "to get out of a helpdesk job"

    Starting with free cybrary courses (I did eJPT back in 2015 but I forgot 90% of the course content)

    Already finished https://www.cybrary.it/course/ethical-hacking/ and started https://www.cybrary.it/course/advanced-penetration-testing/

    The main point here is to try to improve your skills, so, to follow the course I did the following:

    Set up Kali Linux, and a couple of target VMs including Ubuntu, Debian (minimum install, no GUI), Red Hat, Windows XP and Windows Server 2008.
    Then set up a LAMP server on the Debian machine (learn to set up Linux, Apache, MySQL, PHP, use ssh, scp and vi)
    Then at the web app section set up WordPress on the LAMP server.
    Set up XAMPP on the Windows XP machine

    etc etc

    So by the end of the courses you know more than pentesting.
  • [Deleted User] Senior Member Posts: 0
    You're welcome! Glad I could provide some insight! Consider watching YouTube videos and find YouTubers who make pen testing videos. You can learn pen testing on a budget without spending on certifications. The certs are more of an HR checkbox and a way to beat your chest @ work and with friends! haha. Also if you want cheap paid courses, consider Udemy or Stacksocial:

    Cheap course for $1 (college budgets bring me back)
  • Nerkle Member Posts: 20
    WOAH! I never heard of Stacksocial and these courses! This is incredible! Thank you again, kMastaFlash!! I am definitely on a tight budget and worried about which certs I could afford and what training to do.

    I already bought courses on Udemy like "The Complete Cyber Security Course" all 4 parts of that course and the "Learn Ethical Hacking From Scratch" on a great discount sale a while back. Though I did pinch up some savings and got the 6-month labs for Ethical hacking from Cybrary a week back and am tinkering in those too. Should I worry at all about SQL or study up on it too?
  • Nerkle Member Posts: 20
    Hey guys, really want to thank you all for the wonderful advice.

    I heard there were options about Bootcamps for training for certifications and such. I am currently a dependent using the VA benefits for school. Is there a way to get into a pentesting bootcamp or other certification groups that falls under VA approval? Has anyone else used the VA to go such a route?
  • EANx Member Posts: 1,077
    The list of approved organizations/certifications is at WEAMS Public

    Make sure you have either "certification" or "both" selected in the menu. You can search on the organization or the certification but if it doesn't show up, sometimes it's entered in a different way. For instance, they entered CompTIA as both CompTIA and Comp TIA (with a space). There are a lot of options for someone with VA education benefits to use but they typically have the ones that have been around longer. If nothing else, you can always call up your local VA office (not the one at the college).
  • Nerkle Member Posts: 20
    Thank you so much, EANx! This helped so much!
    Called up the VA office like you said, and they say once I finish my degree program, I can do another program/bootcamp/and Certification with my left over funds. Though the Certification will be out of pocket but reimbursed taking off a month of my left over disbursement. They also gave me a list to choose from in my local area if I want to go to a bootcamp, but I will have to get it approved after my Degree if the bootcamp is not on the online list. https://www.vets.gov/gi-bill-comparison-tool/

    I don't see OSCP on the list, but they do got a couple of bootcamps for CEH near me that say they are VA approved.
  • tedjames Member Posts: 1,179
    I'd say skip the bootcamps. In my experience, they only teach you how to take the test and are more useful after you've put in the time studying. I wouldn't go into a bootcamp cold. That would be a waste of money.
    Nerkle wrote: »
    Hey guys, really want to thank you all for the wonderful advice.

    I heard there were options about Bootcamps for training for certifications and such. I am currently a dependent using the VA benefits for school. Is there a way to get into a pentesting bootcamp or other certification groups that falls under VA approval? Has anyone else used the VA to go such a route?