My personal experience is that you must “brand up yourself”. Get known in your community and try to catch even the smallest opportunity.
IDK where you live how the business environment is, but if it’s like here, where there’s plenty of SMB’s, then the best bet is that you have to know the business and follow the money. Make network online and offline. Go play tennis in a tennis club and meet others.
You see a company that is fast growing? send them you CV.
You see a company you’d like to work with? send your CV.
I mean: not always SMB’s are aware that they need a skilled security engineer/manager, unless they see an appealing candidate. Maybe you’ll not see job offerings around you, but it’s not that they do not need you, it’s only that they do not ask you.
And, BTW, remember that in today’s world “cyber” means “ununderstandable and costly tech”…But what company are looking for, is not necessarily what they need. Maybe they do not need a pentester or a red teamer: maybe they need a manager who knows the stuff and is able to talk directly to third parties in order to avoid unnecessary costly setups…
And, BTW, consider also that I’ve seen job postings looking for 12+ years of experience in kubernetes, so do not rely on what recruiters tells you…

Man, i am so sorry for that.
I mean: i dont know you, so i hope you’ll excuse me for not being aware of your troubles…
I bet you already tried whatever you can to gain a better position, so sorry for not having sharp answers to your questions.

The reality at the end of the day is that you are a tool designed to dispense money for your overlords. If you are lucky enough to find a way to do that while also enjoying yourself, then you are already getting awards and kissing babies in the race of life.

Unfortunately, few of us get to do that. So resetting expectations can help, your work is a product and products are bought and sold. Get too emotionally attached to the work you produce or to how you prefer to produce it and you’ll feel hollowed out very quickly. It’s callous but true.

Also, there are a lot of personality types and backgrounds, some will thrive in environments that others would find toxic. It comes down to the individual.

Yes, the chances of fame and fortune are slim, the chances of steak and potatoes might even be slim for some. However, aren’t they always?

To the idea that we are tools to dispense money for our overlords. :wink:

That wasn’t meant as a suggestion to you, it was a suggestion for people new to IT in general who come across this thread. People reading these threads must get quite depressed and discouraged, but I think it’s good to keep things in perspective.

I also didn’t mean to chastise you if that’s how it seemed, it takes ■■■■■ to share such personal stories, and reading them is helpful I think. Just trying to provide an alternate perspective.

I’m not, it’s my style.

Also, on the plus side, these messages are keeping this topic at the top. :wink:

@svenkali said:
Also, on the plus side, these messages are keeping this topic at the top. :wink:

… where it belongs.

@Chobin73 said:
Pentesting is 50% editing report templates and reviewing presentations and only the remaining half is actual systems vulnerability exploiting
And, believe it or not, most of the times you will end up with a lot of unknowns. You are usually paid for the pentest itself, not for the sheer number of vulnerabilities you find…
Spotting exploitable vulnerabilities and actually exploiting them are two huge different things.

still very much the same today.

Pentesting should always be done as teamwork.

this is very crucial to keep remembering!

i know the IT Sec community has grown a lot in the last few years, and eventually became a less inclusive world than what was back in the past

i guess, definitely less inclusive than this (i.e. HTB) community.

This eventually also drove me sometimes into a huge “impostor syndrome”, starting thinking that my hard skills would hardly be really considered valuable by someone. I was almost conveinced that i was not that good at all in my work, and I went down to such a deep hole that i eventually had to choose between buying food or paying the bills.
[W]e carry with us our HUGE backpack of uncertainties, shyness, sadness.

yeah … so true! :confused:

@sparkla said:
People explaining HTB has nothing to do with pentesting

that’s true; but HTB (and similar “services”) might help you learn some of the skills needed for the real-life pentesting (that’s just my opinion)

You need to know I’m already pretty old […]

i have no idea what the mean age of this community is, but judging from the previous jobs i had, i would also count me to the older generation.
but i constantly had/have to remind myself that this categorization is only in my head.

Transitioning from an IT tech to a Penetration Tester can be challenging for entry-level positions. Here are some tips:

  1. Expand skills: Get certifications like CEH, OSCP, or CompTIA PenTest+. Learn networking, operating systems, and programming languages.
  2. Gain practical experience: Set up a lab, practice with tools, document findings, and showcase projects on platforms like GitHub.
  3. Network: Engage with the cybersecurity community, join forums, attend meetups, and participate in CTF competitions.
  4. Apply for internships or junior positions: Gain experience in cybersecurity or IT security departments to build a foundation.
  5. Use specialized job search platforms: Check cybersecurity job sites and career pages of relevant organizations.

Patience and persistence are key. Good luck in your transition!ggg