Career and Certifications Path?? Please Help!

mkjoungmkjoung Member Posts: 15 ■□□□□□□□□□

So a brief overview of myself.. I just graduated from a 4-year school with a Bachelors in IT last year. I am currently working as an IT Associate (been over a year now) taking on a junior sysadmin/helpdesk role (just helping out sysadmins with their projects). Now, I am trying to enter the infosec field. I just passed the Comptia Security+ last week and I will be taking some online classes (Udemy, lynda) to learn wireshark and nMap and then applying to security analyst/engineer roles in the next few months. However, my end goal is to eventually take the OSCP and become a penetration tester. After hours of researching, I learned that eJPT is a good cert to have before taking the OSCP so I am now leaning towards that.

So to summarize, I guess short term goal is to get a job as a security analyst/engineer role and long term goal is to become a penetration tester. With that, is getting a security analyst/engineer job, then obtaining the eJPT and then OSCP while in that role and then applying and moving to penetration testing role the best path I can take?

Some other questions..

1) Should I just stay in my role for now and take the eJPT, which will probably take about 4-5 months, and then apply to security jobs after?
2) If eJPT->OSCP isn't the best certs for the career path I am trying to take, what do you guys recommend?
3) What tools should I start learning to apply for security analyst/engineer roles - like wireshark, nMap or even Splunk (SIEM)? Just not sure what managers would expect me to know.

Sorry for the long post, but I would greatly appreciate your thoughts. I really need help to plan out my career/cert roadmap! Thank you all!!!


  • N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
    Do you have experience working with networks more intimately? I get the feeling they would want maybe a year of experience working(actually sysadmin) with networks before they let you into a security role, but that's just my gut feeling.

    I believe when you look at some of the job descriptions for security analyst, particularly DoD positions, they'll list some of the tools.
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    I would stay in your current role to gain more experience while you are working on eJPT and OSCP since any pentesting role you apply for typically wants 2-3 years of experience minimum for a junior position. Those are good certs to get your feet wet with pentesting but I would advise you to do some serious thinking abd research on the pentesting role because its not just going around and hacking networks. An actual pentesting role is going to be about 10%-20% actual pentesting and the remaining 80%-90% will be report writting. As for what tools you should start learning, that will be specfic to the roles you apply to. A security analyst position isnt a one size fits all role, the tools and skills you will need will vary greatly between companies. I would suggest going on indeed and looking at some job descriptiosn to ge ta better idea of what you should work on.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
    Hmm, but pen testing is pretty much the only place where you can utilize metasploit among other tools to penetrate a network right? I just figure, if that's what you really enjoy, it's pretty much the only place to go.

    I think one simple exercise would be to go over to VulnHub and try to penetrate a "beginner" VM by following the walkthrough.

    I just did SickOs today myself(almost no knowledge of pen testing myself):,132/

    Now I will grant you that being able to follow instructions isn't an indication that you would be suited to pen testing, but I think the actual setting up of this simple virtual lab(I used Kali Linux on VMware Fusion) and working out all the kinks and complications(there were a lot) might hint that it's doable for you. It also gives you exposure to Linux(wish I used this much earlier in my youth) and I believe it gives you a small taste of what you generally do with reconnaissance, enumeration, running a command shell, etc.

    I just figure it might be helpful to dabble a bit more before you commit to spending time and money on certs.
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • ShamsiddeenShamsiddeen Registered Users Posts: 2 ■□□□□□□□□□
    I wish you all the best.
  • mkjoungmkjoung Member Posts: 15 ■□□□□□□□□□
    Thanks for your input! I just thought I should move into a security role since like you said they require you at least 2-3 years of experience but I feel like they require 2-3 years specifically in the security field not just IT. Because I would say the role I am in right now isn't security related too much..
Sign In or Register to comment.