@MrErickMars I’m sure there’s more qualified people with fresh ideas that can give you a better answer. Additionally, there’s no short answer. There's the canned response “you just have to work hard!”. Instead I’m going to ramble off a few things to hopefully help someone along.
Be ethical. At some point, as a penetration tester, someone will ask you to hack something as a favor or for a profit without proper authorization. Get caught once and all your credibility is gone. Don't kill a cow for a few steaks when you can live off the milk for years.
Be relentless. You may have to try the same thing again and again with a slight tweak each time. You know it's there, try, try, again. It'll likely pop.
Start your journey. Network: At a minimum learn how to use nmap, a vulnerability scanner (Nexpose, Nessus, etc), and the Metasploit framework. Do constant research on every service you touch and learn how to write your own exploits/payloads.
Application: You'll find apps during net pens but might lack authz, business logic, or other opportunities. At a minimum, read the "Web Application Hacker's Handbook" and “OWASP Testing Guide”. Try to learn all things @Burp_Suite. Do constant research on the frameworks you touch.
Automate. Start to learn some scripting languages and try to automate repeatable processes and exploits.
Get certified. This may or may not help you learn something, but it will make you more marketable to future employers. If consulting, your employer needs you to be marketable and some clients want to see certifications after your name.
Socialize. Go to local security meetings, network, make friends, find a mentor, and learn.
Tinker. Try your luck at CTFs and bug bounties. They may help you learn and you can talk about what you have accomplished when trying to get your foot in the door with a potential employer.
Side step. Maybe try to get a position doing phone or desk-side support and lookout for internal security job postings. Sometimes it’s easier to make internal moves within a company. Put in requests for paid security training.
Communicate. Anyone can break all of the things, the hard part is telling them what you did, how you did it, and how they can fix it. Include detailed steps so they can reproduce it. You can showcase some of your value with a quality deliverable. It becomes easier over time.
Finally, good luck to anyone that is trying to break into the industry and happens to read this thread! I hope it helps!👍
@threadreaderapp
unroll
unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
