Hi all,

So for anyone who don't know about six months ago I landed my dream job as junior penetration tester. Well recently I lost this job and was told they didn't think I was ready and they could not make money on me. This was a big shock to me as at no point did they give any indication that they felt I was not doing ok. During my time with them I done everything they asked me and they seemed happy with my progress.

Anyway I am now in a situation where I have no job and really don't know what to do. I feel down and feel like as much as I want be pen tester am I really not that good enough I know I have loads to learn and I felt I was doing really well and it just come as a big shock. Half me want to give up but the other wants to prove a point to them. However I cant put my life on hold hoping I get another security job.

What would you guys do in the same situation ?

If it were me, personally, and IT security / pentesting was what I really wanted to do, I'd stay after it.  Sure, you might need to find some other work for a time, to maintain an income stream, but if it's what you really want, I wouldn't give up.

Now, that isn't to say you won't have long nights and weekends, continuing to put in the effort to grow and maintain your pentesting knowledge, while working in another job / field, but it's a worthwhile price to pay, if it's the means to the end that you want.

I spent MANY nights and weekends away from the wife and kids, locked in my office, to manage to make time to continue and grow.  It's rough to dedicate the time, but if it's right, it's right.  

Not knowing your background, it is hard to really give sage advice.  However, I think it very difficult to land a job as a pentester (even junior) straight away from training.  I would recommend trying to land a job in security on the defensive side first and gain a few years of experience (I know, easier said than done sometimes, but keep at it).  It is easy enough to run through tools referenced in the CEH materials, but it is much harder to understand infrastructure and methodologies if you have spent all of your time on offensive certs, IMHO.  In my experience, the best pentesters come from areas of administration who worked their way into offensive skills by defending against them (sys admins, net admins, etc.).  Wish I could help directly, but IIRC you are in the UK, right?

I don't have anything to add besides a lot of +1s.

I just wanted to say that I'm sorry to hear about you situation, and I hope you get back on your feet quickly. Don't give up.

Hi Jamie,
 
I am really sorry to hear that with your job. I second what everybody has written so far.
From your posts here on EH-net as well as your site you seem really passionate about ITsec…So DON’T give up!


Since I am still in my masters and job hunting for me won’t start before august, this is the only “real advice” I can give you: “DON’T give up, if IT-Sec is really your passion!!”

If I were in your situation, though, I would first ask your employer for a talk to elaborate on the exact reasons why they have fired you. This might hurt, but will give you valuable information on what you can improve the next time.

Second I would right away start to apply for new pentesting jobs. Don’t let the “feeling of being not good enough” let you down or discourage you and get right into the game again!
And only if this won’t work out for whatever reasons “too less job experience”, “too young”….blah blah… try to get a job as admin or what else…to build a solid foundation (always with the goal to learn something new...so no "brain death" jobs). 
And never forget to focus on your goal or “dream job”!

I wish you good luck and all the best!! And again: Don’t give up!

I really don't know where it went wrong I went to the job as open as I could be told them I had no experience as was really looking to learn. Everything they gave me I done to the best my ability apart  from one program they asked me to do at the time I had lot going on with family and my Girlfriend so it took me longer than they hoped this was the only downside that they pointed out they felt I was not learning as quick as they wanted me.

Despite this I found a DOS bug on a website that had been tested 10 times before that no one else found.

I was asked to go on site and do some SE and broken into two of the three buildings.

All web app test I done I found the same problems as my mentor. In fact I think on some occasion I taught him a thing or two.

So I really don't know it just kinder knocked me for six I do plan on carry on learning as I love security I find it so interesting it just they said I was not good enough makes I dont want get another job and six months later I leave as it just dont look good I guess I dont want to more harm than good on my CV.

I can sympathize with what you're going through.  Being hired into a dream and then feeling kicked out of it can be an emotional hit to your ego and personal outlook.  Maybe it was deserved, or perhaps there's a good hard lesson to be learned so you can emerge stronger from it.

I'm relatively new here and not a pentester so take my two cents with a grain of salt.  I also don't know your background, skill set, etc., except what I've just read on this thread.

My background is on the defensive side of the house and I sense that you're relatively young, new to the infosec scene, and your practical experience (aside from the immensly valuable and enviable six-month gig doing real-world pentesting) is still relatively green.  Since I wear the blue team hat, I'm probably somewhat biased but I'll say this: it seems to me that in order to be an effective pentester who can deliver value to clients with the ultimate goal of providing recommendations to increase the security posture of their businesses, one would need at least some IT background in the normal sense.  Knowledge of operating systems, applications, networks, protocols, human behavior, and the glue which binds them all together would be considered a fundamental requirement in order to understand how to perform attacks on these ecosystems.  That usually entails experience working as a systems administrator, network engineer, and the like for some years.  Otherwise it'd be difficult to impart suggestions on how to fix a broken system.

My limited experience with offensive training has left me with the feeling that courses and certifications geared towards that aspect of infosec does not really give someone a strong understanding of the minutia which goes into building and maintaining elaborate networks.  Breaking in and proving a point is great, but you have to impart the corrective measures in a way a client can actually use (because they're probably not trained in offensive-thinking like you've been).

One of the things I'd put a critical eye on when evaluating a pentest report is effective communication skills.  Perhaps your reports contained grammatical errors or things weren't explained concisely to the client's benefit.  I'm only hypothesizing this based on the occasional minor grammar errors in your posts and a quick perusal of your website.  Or maybe your mentor(s) didn't feel you had sufficient background experience / industry maturity to support your reports' claims when face-to-face with clients.  I'm only guessing as I have no idea what in-person pentest engagements are like except my meetings with vendors and business partners.

It's natural to feel let-down and angry.  Perhaps it was an unfair call against you but these things happen in life.  Your former employer might have thought to just give you a chance to see if it'd work out and then eventually decided a junior position still requires more ground-level experience.  Who knows.  I'm assuming you proved yourself as more than just a run-the-tool monkey and did satisfactory manual testing.  If I was let go in my current position I'd feel the same way, questioning myself and my abilities.  It's frustrating to put yourself through massive self-training efforts only to be let go and feeling dumped.

But as I said ... you have six months of actual pentest work under your belt coming right out of some line of training.  You're already ahead of a lot of people, in my opinion, and you can put that to good use.  I also encourage you to explore the other half of the equation - countermeasures against the attacks.  Learn intrusion analysis. firewall design, systems hardening, and incident response skills.  It'll make you much more well-rounded and balanced as an individual.  And these will be qualities that any organization worth their salt can identify and respect.