Is this a good pathway to become a pentester?

YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
A+...Network+, security+, ccnet, ccna,(maybe ccna-security), CEH

Of course gain some experience along the way, but as far as certs go, is this a good path?

Thanks everybody


  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I used to work with a couple of guys who went on to become penetration testers. I remember one of them saying knowing laws, rules and regulations and compliance as well as being able to explain them to a customer was important.
  • RobertKaucherRobertKaucher A cornfield in OhioMember Posts: 4,299 ■■■■■■■■■■
    Others are going to comment I am sure. But I think lot of the people here who are in the infosec field took a similar track cert wise. But I think the important thing is the career path, not just the cert track you choose.
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    robert can you explain more?
  • colemiccolemic Member Posts: 1,568 ■■■■■■■□□□
    I think what he meant is that is probably significantly more important to make sure that the positions you take (your 'career path') align with the cert track - you will be hard-pressed to get a pentesting job without very relevant experience. I know you characterized it as 'some experience' but truthfully, most hiring managers aren't wanting someone who has just dabbled in security as an additional duty, they want someone with very relevant, hands-on experience. The certs are intended to highlight your expertise in specific areas that are relevant to your career path.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,260 Admin
    You might want to throw some actual pen testing certs in there. Have a look at this thread:
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□

    I was showing what certs I would get so that I would have a good foundation of knowledge before I started with Pentesting. Do you agree with the path, or are there different certs I should start with to put me in the right directions?

    after my general certs..I was thinking..CEH, ECSA, OSCP, OSCE, LPT
  • veritas_libertasveritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USAMember Posts: 5,738 ■■■■■■■■■■
    Although this thread is aimed at security certifications in general, I think there is much to be learned from it:
    Currently working on: Linux and Python
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I think the A+ isn't as relevant directly, so to speak, but on the other hand if you don't already know general PC troubleshooting maybe it's very relevant that you have the grounding.

    In penetration testing, you'll need to learn the tools (CEH helps a bit here), how networks function (Network+ and a CCNA are a good start, although CCNA Security is applicable as well), but after you uncover the results from your tools, whatever they may be, you'll still have to interpret them. That requires knowledge of how protocols work (something the CCNA isn't necessarily going to teach you that much of), and very importantly how operating systems function, including both Windows and Unix. Going further, you'll need to know how applications work to some degree (web servers, databases, SMB / CIFS, RPC, SSH etc.).

    That casts a pretty wide net, but the folks requesting pentests against their infrastructures are going to be running various services on different platforms and you'll have to assess, write reports, and make recommendations based on the results of the various methods you employ. Tools are subject to false positives and they require a lot of human interpretation. I think the writing / documentation part tends to be under-stressed sometimes.

    If I'm a security admin who requests ACME Consulting Company to make a vulnerability assessment for me, I'm going to want it in a thorough report that also provides context within frameworks that are important to me (such as PCI, HIPPA, etc.). I would expect the report to contain recommendations and prioritization of issues that need to be addressed as they are applicable in my business space.
    Hopefully-useful stuff I've written:
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 12,260 Admin
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    Ive been reading the reviews lately, and Im going to def. get that book. I tried to d/l backtrack 4, but it kept giving me an its annoying not being able to d/l it. Ill try again when backtrack 5 comes out.

    Whats the best way to learn wireshark and nmap, books?
  • SephStormSephStorm Member Posts: 1,732
    books, practice, and of course you can watch some of the better videos on youtube and other security centric websites.

    I would advise you to consider taking the elearnsecurity student course. It prepares you for the Pentesting Pro class, and should give at the least, a high level overview of the knowledgebase you will need.
  • powerfoolpowerfool Senior Member Member Posts: 1,649 ■■■■■■■■□□
    CCNA Security would definitely be a good lead-in to the CEH, so would the understanding of many of the MCSE Security concepts and background knowledge.
    AZ-204 [ ] AZ-400 [X] AZ-500
    2020 Goals: Azure Developer Associate, Azure DevOps Expert, Azure Security Associate
Sign In or Register to comment.