As I’m a professional pentester (and forensicator), I’d chime in here, and add my thoughts to what Taz already said.
@TazWake said:
…
Dont let this get you down. The main thing I can suggest is to apply. You might get rejected but you might not. If you don’t apply, you definitely got rejected. Ideally, applying will give you feedback on what areas you need to improve on which might help. (Most orgs/recruiters are too lazy to actually do this though).
I fully agree here. Usually, job offers are written by people who rarely understand the technology they write about. They just get some buzzwords from the department that is looking for new employees, and then start putting them together into their own “mindset framework”.
Especially for entry-level, many things are only a “nice to have” (and/or partially to pre-filter people who lack the self-confidence, but that’s the case in most tech-jobs).
Have a look at Login :: Hack The Box :: Penetration Testing Labs - this is a good place to start and there are actually some entry level roles if you are OK working in Germany.
You probably didn’t mean that to sound like a bad thing, right? We have great places (and companies to work for) here in Germany. We have public health insurance, and a lot of other benefits of a social security system.
Next step - do your recon. This is critical if you want to be a good pentester so get some practice in now. Search all the job boards, find out what most ask for and see how you can best fit it. If you find 90% of jobs you want ask for OSCP, then you need to get OSCP. If they don’t ask for it, don’t get it (yet).
For entry-level, certifications should usually not be a must-have. Many companies will happily invest in their “juniors” getting on track quickly, and thus pay for training. But sure, being able to provide some certificates, even when it’s just a “certificate of completion” from a Udemy course, will make HR people happy.
The security hurdle genuinely exists - you often have to work in security to work in security. Until this madness gets resolved you need to work with the system as it is today.
For example, this is a super entry level role advertised here:
As the ideal candidate:-
· You should have at least 2 years of professional experience as a Penetration Tester.
· You have obtained certifications such as OSCP, OSCE, OWASP etc.
· You can conduct Source Code Reviews.
· You are capable of working independently and within a team.
· You are a Native level German speaker, and communicate fluently in English.
(don’t laugh at OSCE being entry level)
IMHO, the OSCE is a lot easier than the OSCP.
But other than that, 2 years of professional pentest experience isn’t entry level anymore.
The reality is, however, “ideal” can be flexible. Find a way to reassure the hiring manager that you are as good as a random other candidate who has spent two years running nessus scans for a body shop pentest company. Create write-ups on boxes so they can see your ability to produce a report, have a blog discussing technical issues.
This. For a penetration tester, it is vital to be able to report the issues they find. Often, you don’t just need to document them technically, but also have to explain them to managers and other decision makers. They need to understand the impact of a finding. Sure, the technical staff will have to fix it, so make sure to include a technical description of what they can do to fix it AND what they have to do to verify it.
Your ultimate goal is to convince a hiring manager that hiring you is not a risk.
Most pentesters at a big shop do around 2 pentests a month, so you’d expect a two year veteran to have been part of about 20-24 pentests. You can easily create 24 write ups (HTB, TryHackMe, VulnHub etc) on a blog post to show people your reports, just make sure you do them as a pentest report not a technical walk through.
Actually, I’m more down to usually 1 pentest per week. Longer tests that go on for 2 or more weeks are often performed by several testers, to keep the time frame as short as possible. But occasionally, I get to perform some long(ish)-term engagements over a few weeks. Those are rare, though.
The next hurdle is technology but realistically, most junior pentesters have very little breadth of exposure. I’ve met lots who’ve spent two years running scans on Windows 2016 systems, nothing else. If you can show broader knowledge than this, you are in with a chance.
“Knowing something about everything” might sound appealing, but at a certain point you will have to decide and specialize. Still, having a broad basic knowledge will make the decision for those hiring (both HR and the department that is actually seeking) a lot easier. But those who are already working actively on HTB boxes will definitely gain (or already have) that knowledge.