Pentesting as a Career
peacock_6633
Member Posts: 16 ■■■□□□□□□□
I am audit and compliance professional who wants to move to a career as a pen tester.
I recently passed GSEC, have some experience in IT Auditing. Currently I have subscription for Cybrary and TryHackMe. Can someone help me understand how do I land my first role as pen tester?
How do I really sell my resume for entry level roles?
Comments
-
UnixGuy Mod Posts: 4,570 Modyou need to start working on learning pentesting if your free time, get certs like eLearnSecurity, OSCP, etc... and start working on hacking labsIt's a skill that you need to build, it takes dedication, passion, and continuous work. You can highlight all of that in your CVStart networking and going to events such as B-Sides, OWASP, conferences, etc. Show interest and approach people, ask for help
-
JDMurray Admin Posts: 13,099 AdminThere are several types of pentesting: application, network, device (IoT), and human (social engineering). Decide what area you will begin with and how you might specialize (such as how to pentest .NET Web applications running on Microsoft Web servers).Read the posts here on TE about the various pentesting certs. Studying for certs is a good way to learn, but as @UnixGuy pointed out, you will also need to practice, practice practice on your home lab to learn how to actually pentest.Learn all of the attack tactics in the MITRE ATT&CK framework. Pentesting is about finding and (possibly) exploiting vulnerabilities, which requires you to behave like a "bad agent." ATT&CK shows you how the badness gets in.Learn the business and legal side of pentesting. Although you may be pentesting for an employer, you still need to know the rules to play by them. Have a look at the pentesting frameworks available.And finally, documentation, documentation, documentation. If you aren't documenting what you are doing and finding then you aren't pentesting.
-
peacock_6633 Member Posts: 16 ■■■□□□□□□□JDMurray said:There are several types of pentesting: application, network, device (IoT), and human (social engineering). Decide what area you will begin with and how you might specialize (such as how to pentest .NET Web applications running on Microsoft Web servers).Read the posts here on TE about the various pentesting certs. Studying for certs is a good way to learn, but as @UnixGuy pointed out, you will also need to practice, practice practice on your home lab to learn how to actually pentest.Learn all of the attack tactics in the MITRE ATT&CK framework. Pentesting is about finding and (possibly) exploiting vulnerabilities, which requires you to behave like a "bad agent." ATT&CK shows you how the badness gets in.Learn the business and legal side of pentesting. Although you may be pentesting for an employer, you still need to know the rules to play by them. Have a look at the pentesting frameworks available.And finally, documentation, documentation, documentation. If you aren't documenting what you are doing and finding then you aren't pentesting.
Thank you for in-depth response. At this time I really don't know what I like, e.g. whether I want to go into network pentesting or IoT or social engineering. As for labs, I occasionally do TryHackMe challenges but still finding them a bit tough.
-
JDMurray Admin Posts: 13,099 AdminYou need to get in with a crowd of like-minded people to best learn something complex, complicated, and new. You not only learn from the skills of others but also receive encouragement and inspiration to study and practice harder. Find yourself a meet-up of local pentesters and go from there.
-
peacock_6633 Member Posts: 16 ■■■□□□□□□□JDMurray said:You need to get in with a crowd of like-minded people to best learn something complex, complicated, and new. You not only learn from the skills of others but also receive encouragement and inspiration to study and practice harder. Find yourself a meet-up of local pentesters and go from there.
Let me see what I can find locally. Thank you for the idea.