@MrErickMars I’m sure there’s more qualified people with fresh ideas that can give you a better answer. Additionally, there’s no short answer. There's the canned response “you just have to work hard!”. Instead I’m going to ramble off a few things to hopefully help someone along.
Be ethical. At some point, as a penetration tester, someone will ask you to hack something as a favor or for a profit without proper authorization. Get caught once and all your credibility is gone. Don't kill a cow for a few steaks when you can live off the milk for years.
Be relentless. You may have to try the same thing again and again with a slight tweak each time. You know it's there, try, try, again. It'll likely pop.
Start your journey. Network: At a minimum learn how to use nmap, a vulnerability scanner (Nexpose, Nessus, etc), and the Metasploit framework. Do constant research on every service you touch and learn how to write your own exploits/payloads.
Application: You'll find apps during net pens but might lack authz, business logic, or other opportunities. At a minimum, read the "Web Application Hacker's Handbook" and “OWASP Testing Guide”. Try to learn all things @Burp_Suite. Do constant research on the frameworks you touch.
Automate. Start to learn some scripting languages and try to automate repeatable processes and exploits.
Get certified. This may or may not help you learn something, but it will make you more marketable to future employers. If consulting, your employer needs you to be marketable and some clients want to see certifications after your name.
Socialize. Go to local security meetings, network, make friends, find a mentor, and learn.
Tinker. Try your luck at CTFs and bug bounties. They may help you learn and you can talk about what you have accomplished when trying to get your foot in the door with a potential employer.
Side step. Maybe try to get a position doing phone or desk-side support and lookout for internal security job postings. Sometimes it’s easier to make internal moves within a company. Put in requests for paid security training.
Communicate. Anyone can break all of the things, the hard part is telling them what you did, how you did it, and how they can fix it. Include detailed steps so they can reproduce it. You can showcase some of your value with a quality deliverable. It becomes easier over time.
Finally, good luck to anyone that is trying to break into the industry and happens to read this thread! I hope it helps!👍
4.5 months ago I told a "HIPAA compliant" telemedicine company they were vulnerable to cross-site scripting. if a user is authenticated; + session hijacking. telemed is interesting in COVID times.
Can you guess if they fixed either vuln yet?
So, it's been more than six months now. This is why CVEs and reporting directly to vendors is pointless and soul crushing. @Bugcrowd is pointless too if you're not interested in money for reports. Reference this current thread and
Here are some fun prints of what #infosec is. Note, the second DM was really fast and did follow through to put me in contact with the right person. thank you twitter person #2. It fizzled out though after that at no fault of person #2.