Pentesting as a Career

peacock_6633

I am audit and compliance professional who wants to move to a career as a pen tester.

I recently passed GSEC, have some experience in IT Auditing. Currently I have subscription for Cybrary and TryHackMe. Can someone help me understand how do I land my first role as pen tester?

How do I really sell my resume for entry level roles?

UnixGuy

you need to start working on learning pentesting if your free time, get certs like eLearnSecurity, OSCP, etc... and start working on hacking labs

It's a skill that you need to build, it takes dedication, passion, and continuous work. You can highlight all of that in your CV

Start networking and going to events such as B-Sides, OWASP, conferences, etc. Show interest and approach people, ask for help

JDMurray

There are several types of pentesting: application, network, device (IoT), and human (social engineering). Decide what area you will begin with and how you might specialize (such as how to pentest .NET Web applications running on Microsoft Web servers).

Read the posts here on TE about the various pentesting certs. Studying for certs is a good way to learn, but as @UnixGuy pointed out, you will also need to practice, practice practice on your home lab to learn how to actually pentest.

Learn all of the attack tactics in the MITRE ATT&CK framework. Pentesting is about finding and (possibly) exploiting vulnerabilities, which requires you to behave like a "bad agent." ATT&CK shows you how the badness gets in.

Learn the business and legal side of pentesting. Although you may be pentesting for an employer, you still need to know the rules to play by them. Have a look at the pentesting frameworks available.

And finally, documentation, documentation, documentation. If you aren't documenting what you are doing and finding then you aren't pentesting.

peacock_6633

JDMurray said:

There are several types of pentesting: application, network, device (IoT), and human (social engineering). Decide what area you will begin with and how you might specialize (such as how to pentest .NET Web applications running on Microsoft Web servers).

Read the posts here on TE about the various pentesting certs. Studying for certs is a good way to learn, but as @UnixGuy pointed out, you will also need to practice, practice practice on your home lab to learn how to actually pentest.

Learn all of the attack tactics in the MITRE ATT&CK framework. Pentesting is about finding and (possibly) exploiting vulnerabilities, which requires you to behave like a "bad agent." ATT&CK shows you how the badness gets in.

Learn the business and legal side of pentesting. Although you may be pentesting for an employer, you still need to know the rules to play by them. Have a look at the pentesting frameworks available.

And finally, documentation, documentation, documentation. If you aren't documenting what you are doing and finding then you aren't pentesting.

Thank you for in-depth response. At this time I really don't know what I like, e.g. whether I want to go into network pentesting or IoT or social engineering. As for labs, I occasionally do TryHackMe challenges but still finding them a bit tough.

JDMurray

You need to get in with a crowd of like-minded people to best learn something complex, complicated, and new. You not only learn from the skills of others but also receive encouragement and inspiration to study and practice harder. Find yourself a meet-up of local pentesters and go from there.

peacock_6633

JDMurray said:

You need to get in with a crowd of like-minded people to best learn something complex, complicated, and new. You not only learn from the skills of others but also receive encouragement and inspiration to study and practice harder. Find yourself a meet-up of local pentesters and go from there.

Let me see what I can find locally. Thank you for the idea.