Pentesting

Hi All,

I currently work as a standard IT tech but I really want to change path to become a PenTester. The issue I am having is that there seem to be no entry level positions anywhere! I thought if anyone knows where to look it would be the members of HTB. If anyone has any tips / links it would be really appreciated.

Thanks all!

I’m in the same case and interested too.

I think certifications from Offensive Security like OSCP, OSWE… help a lot, but feedback is always welcome :slight_smile:

I am not a pentester so I can’t really help much, but I do work in security, so take my views in that context.

First off, security in general sucks when it comes to finding entry level roles. Every organisation says they want to bring new people in but then demand 10 years experience for the most basic roles. (I’ve even seen roles this year advertising for Kubernetes security people with a minimum of 10 years Kubernetes experience, never mind it has only existed for about six).

Don’t let this get you down. The main thing I can suggest is to apply. You might get rejected but you might not. If you don’t apply, you definitely got rejected. Ideally, applying will give you feedback on what areas you need to improve on, which might help. (Most orgs/recruiters are too lazy to actually do this though).

Have a look at Login :: Hack The Box :: Penetration Testing Labs - this is a good place to start and there are actually some entry level roles if you are OK working in Germany.

Next step - do your recon. This is critical if you want to be a good pentester so get some practice in now. Search all the job boards, find out what most ask for and see how you can best fit it. If you find 90% of jobs you want ask for OSCP, then you need to get OSCP. If they don’t ask for it, don’t get it (yet).

The security hurdle genuinely exists - you often have to work in security to work in security. Until this madness gets resolved you need to work with the system as it is today.

For example this is a super entry level role advertised here:

As the ideal candidate:-

· You should have at least 2 years of professional experience as a Penetration Tester.
· You have obtained certifications such as OSCP, OSCE, OWASP etc.
· You can conduct Source Code Reviews.
· You are capable of working independently and within a team.
· You are a Native level German speaker, and communicate fluently in English.

(don’t laugh at OSCE being entry level)

The reality is, however, “ideal” can be flexible. Find a way to reassure the hiring manager that you are as good as a random other candidate who has spent two years running nessus scans for a body shop pentest company. Create write-ups on boxes so they can see your ability to produce a report, have a blog discussing technical issues.

Your ultimate goal is to convince a hiring manager that hiring you is not a risk.

Most pentesters at a big shop do around 2 pentests a month, so you’d expect a two year veteran to have been part of about 20-24 pentests. You can easily create 24 write ups (HTB, TryHackMe, VulnHub etc) on a blog post to show people your reports, just make sure you do them as a pentest report not a technical walk through.

The next hurdle is technology but realistically, most junior pentesters have very little breadth of exposure. I’ve met lots who’ve spent two years running scans on Windows 2016 systems, nothing else. If you can show broader knowledge than this, you are in with a chance.

There are lots of people on the HTB forums who can give you much better advice than I can though, so hopefully, they will join in the discussion soon.

As I’m a professional pentester (and forensicator), I’d chime in here, and add my thoughts to what Taz already said.

@TazWake said:

Don’t let this get you down. The main thing I can suggest is to apply. You might get rejected but you might not. If you don’t apply, you definitely got rejected. Ideally, applying will give you feedback on what areas you need to improve on, which might help. (Most orgs/recruiters are too lazy to actually do this though).

I fully agree, here. Usually, job offers are written by people who rarely understand the technology they write about. They just get some buzzwords from the department that is looking for new employees, and then start putting them together into their own “mindset framework” :wink:
Especially for entry-level, many things are only a “nice to have” (and/or partially to pre-filter people who lack the self-confidence, but that’s the case in most tech-jobs).

Have a look at Login :: Hack The Box :: Penetration Testing Labs - this is a good place to start and there are actually some entry level roles if you are OK working in Germany.

You probably didn’t mean that to sound like a bad thing, right? We have great places (and companies to work for) here in Germany. We have public health insurance, and lots of other benefits of a social security system :wink:

Next step - do your recon. This is critical if you want to be a good pentester so get some practice in now. Search all the job boards, find out what most ask for and see how you can best fit it. If you find 90% of jobs you want ask for OSCP, then you need to get OSCP. If they don’t ask for it, don’t get it (yet).

For entry-level, certifications should usually not be a must-have. Many companies will happily invest in their “juniors” getting on track quickly, and thus pay training. But sure, being able to provide some certificates, even when it’s just a “certificate of completion” from a Udemy course will make HR people happy :wink:

The security hurdle genuinely exists - you often have to work in security to work in security. Until this madness gets resolved you need to work with the system as it is today.

For example this is a super entry level role advertised here:

As the ideal candidate:-

· You should have at least 2 years of professional experience as a Penetration Tester.
· You have obtained certifications such as OSCP, OSCE, OWASP etc.
· You can conduct Source Code Reviews.
· You are capable of working independently and within a team.
· You are a Native level German speaker, and communicate fluently in English.

(don’t laugh at OSCE being entry level)

IMHO, the OSCE is a lot easier than the OSCP :stuck_out_tongue:
But other than that, 2 years of professional pentest experience isn’t entry level anymore.

The reality is, however, “ideal” can be flexible. Find a way to reassure the hiring manager that you are as good as a random other candidate who has spent two years running nessus scans for a body shop pentest company. Create write-ups on boxes so they can see your ability to produce a report, have a blog discussing technical issues.

This. For a penetration tester, it is vital to be able to report the issues they find. Often, you don’t just need to document it technically, but also will have to explain it to managers and other decision makers. They need to understand the impact of a finding. Sure, the technical staff will have to fix it, so make sure to include a technical description of what they can do to fix it AND what they have to do to verify it.

Your ultimate goal is to convince a hiring manager that hiring you is not a risk.

Most pentesters at a big shop do around 2 pentests a month, so you’d expect a two year veteran to have been part of about 20-24 pentests. You can easily create 24 write ups (HTB, TryHackMe, VulnHub etc) on a blog post to show people your reports, just make sure you do them as a pentest report not a technical walk through.

Actually, I’m more down to usually 1 pentest per week. Longer tests that go for 2 or more weeks are often performed by several testers, to keep the time frame as short as possible. But eventually, I get to perform some long(ish)-term engagements over a few weeks. But those are rare.

The next hurdle is technology but realistically, most junior pentesters have very little breadth of exposure. I’ve met lots who’ve spent two years running scans on Windows 2016 systems, nothing else. If you can show broader knowledge than this, you are in with a chance.

“Knowing something about everything” might sound appealing, but at a certain point you will have to decide and specialize. Yet having a broad basic knowledge will still make the decision for those hiring (both HR and the department that is actually seeking) a lot easier. But those who are already working actively on HTB boxes will definitely gain (or already have) that knowledge :wink:

So I don’t have much to add but I am interested in this thread and want to keep it floating to the top. :smile:

@HomeSen said:

You probably didn’t mean that to sound like a bad thing, right?

I 100% did not mean it as a bad thing and I really never intended it to even hint that, sorry. My point was a badly worded way of saying that geographical restrictions are real and not everyone has the ability to work in Germany.

Very bad wording on my behalf. This appears to have been a theme in my post.

Actually, I’m more down to usually 1 pentest per week. Longer tests that go for 2 or more weeks are often performed by several testers, to keep the time frame as short as possible. But eventually, I get to perform some long(ish)-term engagements over a few weeks. But those are rare.

Very good point. I was thinking more around the utilisation rates for pentesters and averaging out for the various organisations (body shops which demand their pentesters are billing 5 days per week without caring about the quality of work vs shops which have a more sensible approach and want testers to actually test rather than run nessus and rebrand the output).

@TazWake @HomeSen thank you for your input. Can I ask @HomeSen how did you first get into the industry? I have used the HTB job board already but I’m not sure how up to date it is.

@TazWake said:

@HomeSen said:

You probably didn’t mean that to sound like a bad thing, right?

I 100% did not mean it as a bad thing and I really never intended it to even hint that, sorry. My point was a badly worded way of saying that geographical restrictions are real and not everyone has the ability to work in Germany.

Very bad wording on my behalf. This appears to have been a theme in my post.

I didn’t take it as an offense or something. It just sounded a bit weird (in a funny way) :wink:

@wooly13 said:

@TazWake @HomeSen thank you for your input. Can I ask @HomeSen how did you first get into the industry? I have used the HTB job board already but I’m not sure how up to date it is.

The offers on the job board don’t have a date, so I can’t tell how recent/current they are. Looking over a few of them, they seem reasonable from the expectations. And even if you don’t meet all criteria, take the chance and apply (or at least get in touch with them).

For your other question: Watch out, a wall of text is incoming :smiley:

Well, I always roamed around the cult/topic for many years. Back in the days, when I was in school, the “Hacker’s Blackbook” was a huge thing. And almost the only information source (apart from some disassembly/cracking guides for software). When I studied computer science, the internet became a lot more accessible to the general public and I started digging into all kinds of “hacking-related” information (and I can say that I never crossed the border of the law). I quit my first studies since university was way too theoretical for my taste. I then studied at a “dual university”, which means that you always have 3 months of practical education at a company and then 3 months of theoretical education at university.
During that practical education I learned all kinds of admin/IT stuff, since I basically was to do everything customers wanted/needed/demanded: Windows and Linux server/client administration, first-/second-level support, software and web development, incident response, system and hardware deployment, etc. (or as we call it in Germany: “A mommy for everything” :smiley: ).
During that time, I mostly learned offensive stuff from VulnHub, Hacking-Lab and later by joining a CTF team. Additionally, I took the eLearnSecurity Pentesting Student course and certification. Since I never wanted to leave my home town, and I only knew pentest companies located in Berlin, Tübingen, Munich and other rather far away cities, I never even made an attempt to apply for a job at those companies. One day, thanks to the CSCG/ECSC (European Cyber Security Challenge) I learned that actually 2 companies that do pentests have a branch office in my city. Both of them required a lot of travel (50+ % of the time) which wasn’t too appealing (due to having wife and kids). But from there I learned about 2 more companies in my area :smiley:

When I applied to both of them, I also included (links to) several write-ups, as well as my eJPT certification. I got an invite from both and am now working for roughly 4 years as a professional pentester and forensic analyst/incident responder.
One of things I liked about the recruiting phase with my current employer was, that I had to perform a (pretty short) pentest on a lab machine, and then present my results and suggest potential mitigations. I communicated right from the beginning what I can do, and also what I can’t do. I have a network/infrastructure background, so I am (or rather was) quite weak with regards to web testing. The recruiter was a bit irritated about that, because most people in professional pentest seem to have started with web. But for my (now) boss this was alright. He knew what to expect and for which projects to deploy me, and could be sure to (mostly) get tests in my field of expertise, instead of being pushed into web tests “because everyone starts with web”. So, it’s basically a win-win if you can really detect and communicate your strengths and weaknesses.

In the end, the only thing I regret is not having searched for opportunities earlier. I mean, nowadays there are also a lot of opportunities for working remotely.

@HomeSen that’s great, it gives me real insight into what is required. I will keep studying, applying and keeping my fingers crossed.

Just trying to keep this on the surface.

Seeing that you live in the UK, it might also be interesting if @mRr3b00t can contribute some insights (to avoid a shameless bump of the thread :smiley: )

Duh, looks like @TazWake was ninja’ing me :smiley:

:smile: :smile: :smile:

Just getting this back to the first page, hopefully some more people will join in :smile:

@HomeSen said:

@TazWake said:

(Quote)
I didn’t take it as an offense or something. It just sounded a bit weird (in a funny way) :wink:

@wooly13 said:

(Quote)
The offers on the job board don’t have a date, so I can’t tell how recent/current they are. Looking over a few of them, they seem reasonable from the expectations. And even if you don’t meet all criteria, take the chance and apply (or at least get in touch with them).

For your other question: Watch out, a wall of text is incoming :smiley:

Well, I always roamed around the cult/topic for many years. Back in the days, when I was in school the “Hacker’s Blackbook” was a huge thing…

Thanks for sharing your story man. I found it very inspiring.

The Hacker’s Blackbook brought a smile. Brings back memories. Remember whistling in the phone, or clicking instead of turning the dial? :slight_smile:

Anyway, mainly wanted to say thank you. I enjoyed reading your words.

Thank you for the kind words.
I also enjoy looking back to all those “rage ping-of-death” during LAN parties :trollface:

I am not yet ready to let this thread die :smile:

Here in Finland, we have quite a few entry-level pentest positions open now and then, and some of them are fully remote. If you want to know more, please PM me for more details about Finnish information security companies.

Thanks for popping up this thread…
This topic really brings me back in time to a long time ago.
I stopped pentesting back in 2005, so sorry if my opinions may sound quite “aged”, but I think that some of the messages are still valid…
At that time, where I live it was almost impossible to pay the bills with IT security, so I was used to spending only my “spare time” on this part of the field…
Instead, nowadays, pentesting is often a well rewarded job and has got a new shiny “cyber” look. Saying you are a “red teamer” or a “pentester” makes you cool, but I cannot hide the four lessons I learnt back in the late nineties and early 2k’s…

  1. Pentesting is 50% editing report templates and reviewing presentations and only the remaining half is actual systems vulnerability exploiting: being able to drill into AD is completely senseless if you are then unable to explain to the decision makers how you did it and what should be fixed. It is indeed fascinating and enjoyable, but do not expect to be paid for hacking the s**t out of a system. You’ll (eventually) get paid for the information you’ll give back to the client. And, believe it or not, most of the time you will end up with a lot of unknowns. You are usually paid for the pentest itself, not for the sheer number of vulnerabilities you find…
  2. Spotting exploitable vulnerabilities and actually exploiting them are two hugely different things: a white hat is usually not expected to gain root on a system unless explicitly asked to. And this usually comes AFTER a preliminary report is handed over to the customer. Black box pentesting without agreed objectives was exceptionally rare at that time, as it is nowadays. This means that 99 times out of 100 you will have to resist the temptation of making that little step ahead that may not be well appreciated by the systems or applications owners. Getting a sneaky eye inside to understand and explain the effective impact of a vulnerability is relevant. Showing that you were able to download the whole contents of their CEO’s mailbox is not.
  3. Pentesting should always be done as teamwork. I know only a few exceptionally talented guys who are able to take the whole monkey on their shoulder and do a good job. If you want to pentest, consider that your skills as a team are often much more valuable than the sum of each one’s skills. Moreover, you will end up being stuck sooner or later, and another approach will seldom come from yourself “at will”. Here we’re used to CTFs, and we know that the system must be exploitable. We can be noisy, we can reset the machine, we can do a lot of things that usually are not allowed during a real life pentest. So it’s important to have access to specialized skills. I am a potato at coding, not bad at finding footholds, but I am (maybe better to say that I was) good at finding privesc paths once in. Without the help of someone able to code my intuitions I would never even have been capable of reporting a DLL injection…
  4. Sometimes pentesting means something not strictly related to IT systems. No matter what you are looking at, remember that, 99.9% of the time, a system is built to allow some type of interaction with humans, and social engineering is a completely legitimate attack vector. If you see that you could easily trick someone into providing you access, consider it as a potential attack vector exactly as you would consider a www-exposed CVE. I know it is not that fascinating to write in the report that you were able to gain access thanks to an employee who provided you their credentials. My old fashioned approach tells me that the term “cybersecurity” somehow lacks the depth of the whole “IT security”. Needless to say, the surrounding “Information Security” is broad enough to also include printout management, labial recognition, eavesdropping and lockpicking. You really do not want to dive into the vast ocean of physical security during a pentest, but if getting access to an IT infrastructure can be easily done by simply asking a receptionist to let you have a look into the network cabinet and link up your Raspberry Pi… it is worth reporting.
    Those are my opinions, and I am sorry in advance if some of the exceptionally talented guys that are here on HTB may disagree or consider my words as “shortsighted” or worse… I know the IT Sec community has grown a lot in the last few years, and eventually became a less inclusive world than what it was back in the past… I hope no one will feel offended for my not saying that everything is gold and diamonds.
    I still work in IT security, even if I am no longer a professional pentester, hence I’m here on HTB just for fun and learning, but I truly believe that our world will need all of the devotion and passion that any of you (us?) can pour into it.
    Because if you start considering the “opportunity cost” of being a white hat… you’ll be easily tempted to switch to the dark side!

@sparkla said:

There are two things I read here every day, on a platform that’s advertised as “cyber security training”:

  • People explaining HTB has nothing to do with pentesting
  • People explaining that pentesting is not a dream job, is difficult, isn’t about hacking…

Fairly sure I am the only person who says this here.

@sparkla said:

Nope, I said every day and I meant it. A good part is in PMs, but I doubt you have 28 different accounts here and talk to me every other day. :wink:

:smile: I don’t have enough time to answer my own account’s questions :smile:

@sparkla said:

My whole life I was made to believe “work hard, be better than others, then you gonna make it.” And by making it I mean having a normal 9 - 5 job that’s paid enough to buy a car, go out on Tuesdays and fly to Guatemala in summer. Guess which part of that never happened in the last 20 years.

I am not sure that I correctly got your point, so excuse me in advance if my words may sound a little “assuming”…
TBH, while I see that there are plenty of white collars in the IT and cyber security field that do the classic 9 - 5 and get paid enough to bring home a salary which allows their family to keep going, I hardly would recommend keeping the bar so low.
I mean: given that nobody should be expected to work just for glory, and that a healthy work/life balance is mandatory for everyone (not only for IT or cyber staff), it is a totally different thing if you are doing something that you like.
Choose a job you love, and you will never have to work a day in your life.

I’m tired and worn, and if you take the whole world’s population I’m probably within the top 0.001% in terms of skill in a variety of innovative technology fields. I’m willing to work. That’s still not enough to get a normal job? Then what am I doing here?

I felt the same I don’t know how many times. This eventually also drove me sometimes into a huge “impostor syndrome”, starting to think that my hard skills would hardly be really considered valuable by someone. I was almost convinced that I was not that good at all in my work, and I went down to such a deep hole that I eventually had to choose between buying food or paying the bills. And, believe it or not, I also had to eat puffed rice for dogs for 10 days when my clients did not pay my invoices… I thought I was not getting paid because my work was not worth it.
Then I was enlightened by a thought: if someone thinks I am not good at doing a job, he would have better skipped me or replaced me… What is the point in letting me do the whole work and then skip only paying my invoices?
The same eventually goes for getting employment somewhere. We are not skipped because we are not able to do the job. We are skipped because we think we should be better to do the job. And we carry with us our HUGE backpack of uncertainties, shyness, sadness.
Know what?
We (you) are perfectly able to do whatever job as long as we carry with us our willingness to learn…
so maybe, the reason why you (we) are here is that we are willing to learn, not just to stockpile abilities to use at work.