Pros and Cons of moving from Blue Team(CSOC) to Pentesting

UnixGuy Mod Posts: 4,570
I want your awesome opinion on this! Let's make a comparison between working in a CSOC/DFIR/IR and working as a pentester

Money in the long run? Flexibility? travel(can be a pro and a con)? work environments?

Also, I noticed that in CSOC/DFIR/IR type roles there seems to be a way for incompetent people to survive in those environments, but I imagine this would be harder in pentesting, where lack of skill can show quickly? (I could be wrong here as well...)

Both CSOC/DFIR/IR and Pentesting roles can be internal or for consultancies, that's something to keep in mind...

Curious to hear your opinions and thoughts :)

Pros / Cons
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 

Comments

  • tedjames Member Posts: 1,182
    Which type of work would you prefer? If you've done SOC-type work for a while, maybe you should move into penetration testing for a few years, mainly for the experience and to see how you like that life. A former co-worker went from penetration testing in a SOC environment to testing for a major security company. He told us great stories about flying all over the world (Russia, China, Dubai, many parts of Europe) conducting tests. Now he's heading up a full team. Check it out and see what you prefer.
  • UnixGuy Mod Posts: 4,570
    I haven't done pentesting yet, so I don't know what it's like; I reckon the experience will be worthwhile!

    I'm curious about the earning potential in both... both fields seem to have good earning potential, dependent on the organisation and other factors, but it's good to hear stories from everyone!

  • TechGuru80 Member Posts: 1,539
    I’ll do the comparison of consultant vs internal.

    Money: as an internal technical person you have a salary ceiling versus a consultant who can make theoretically a lot if they can perform a lot of work. If you work at an actual consulting firm you still might make more than internal but I don’t think it will be drastically different compared to being a partner or independent. The ability to be a partner is limited compared to management roles in a company so you really are aiming at being an elite technical person in a lot of cases.

    Flexibility: Both can be flexible, but with consulting you get strict timelines, unlike an organization that might be OK with letting something slip to the right... expect to work more hours as a consultant.

    Travel: consultants generally travel a lot compared to internal members... some companies want internal tests or to keep an eye on you.

    Work Environment: depending on the consulting firm; for example, smaller ones will have a startup-like atmosphere and a lot of anti-corporate mentalities. Internal environments can vary from cube farms to startup culture but are generally more structured with things like PTO / benefits / HR, etc. Also, consulting firms often allow more remote work, where companies are frequently going to say 0-2 days per week.
  • atippett Member Posts: 154
    UnixGuy wrote: »
    Also, I noticed that in CSOC/DFIR/IR type roles there seems to be a way for incompetent people to survive in those environments, but I imagine this would be harder in pentesting, where lack of skill can show quickly? (I could be wrong here as well...)

    You're definitely wrong here. If the SOC you're working in isn't mature and is only doing the bare minimum, then yeah, maybe someone can slide by without expert knowledge. But if you are performing DFIR, you better know what the !!!! you're doing... Your statement basically says that all of the DoD CERTs, US-CERT, etc. do not require expert knowledge, which is not true.
  • UnixGuy Mod Posts: 4,570
    atippett wrote: »
    You're definitely wrong here. If the SOC you're working in isn't mature and is only doing the bare minimum, then yeah, maybe someone can slide by without expert knowledge. But if you are performing DFIR, you better know what the !!!! you're doing... Your statement basically says that all of the DoD CERTs, US-CERT, etc. do not require expert knowledge, which is not true.


    It does require 'expert' level knowledge... but not all team members will possess this kind of knowledge... it happens, mate. I've worked in both mature and not-so-mature SOCs; I've seen both sides.

  • atippett Member Posts: 154
    UnixGuy wrote: »
    It does require 'expert' level knowledge... but not all team members will possess this kind of knowledge... it happens, mate. I've worked in both mature and not-so-mature SOCs; I've seen both sides.

    This holds true for every IT discipline, really every job in the world. There will always (and should) be junior team members who are learning from the senior guys on the team. This holds true for Security, Networking, Accounting, Financial, HR, everything.
  • EnderWiggin Member Posts: 551
    Travelling for work is awesome, if you have no family obligations.

    Also, it's definitely possible for people with a lack of knowledge to slip through on pen testing positions. If they don't know how to find certain vulnerabilities, they just don't put them in the report. Unless someone is going behind them and redoing their work, no one would know.
  • amicmanzo Member Posts: 27
    Fortunately, I've had the pleasure of doing both CND and CNA within my naval experience, and I can tell you that they are definitely run at different paces! For the first 3 years of my career I did IR, malware analysis and digital forensics, which to me was never a dull moment because it was like treasure hunting. My pen testing side showed me how tedious and frustrating it could be to find access and innovative ways into a network. All in all, it helped me create this full circle of knowledge for the realm of cyber security as a whole.
  • ansionnachcliste Member Posts: 71
    I'm going to be doing the same thing.

    I have 5+ years with information security and compliance, and have just landed a new job as a consultant mainly dealing with compliance. I have noticed a gap of people in the red team (actually, there are none in this company that I can find). To expand my skill-set, I'm going to focus on penetration testing once I obtain my CCSP accreditation, as I already have the CISSP.

    I'm looking at the OSCP journey but think I'll focus on courses provided by elearnsecurity, and will get my company to pay for them while I have some down time.

    What courses are you considering? GPEN, I see?
  • UnixGuy Mod Posts: 4,570
    That's right, I'm currently doing GPEN, and will follow it up with eCPPT from eLearnSecurity if everything goes smoothly....

    I like the replies so far; I'll add a few observations though...

    I found the entry to Blue Teams/SOCs to be less demanding; I see analysts who are good at AVs or FireEye or Splunk or some kind of tools, which doesn't take much to master, to be honest... while entry to Pentesting these days requires OSCP/CREST (UK/Aust) and years of commercial pentesting experience...

    Also, there are definitely more people with blue team / SOC experience than pentesting... and there is a tendency to rely on external companies to do Pentesting... which makes me think Pentesting is a more difficult skill to have (and thus could be more valued?)

    I have a few years of SOC experience now and think that Pentesting could be a good way for me to improve and progress....