10 Year Systems Administrator wanting to get into Pen Testing

    • #7848


      I am in the military. Been in for about 11 years now, trained as a network/system administrator. I currently own (lead) about 5 networks supporting 80 people with day to day operations and maintenance with some repair/rebuilds as required. I work on Server 2003, Cisco routers/switches/Red Hat/Solaris/Slackware/Ubuntu/Win XP/Mint and various other OSes including VMware.

      I am sick and tired of the customer service part of this job. I only have 2 guys underneath of me, and it’s not going to get any better for a while. I get to retire in 10 years and in those 10 years I want to improve my resume enough where I can walk out of the military and become a strong freelance pen tester/consultant. I have a multitude of resources at my disposal and the military will pay for me to get any of these certifications:
      A+ (taking in 2 weeks)
      Sec+ (taking in 3 weeks)
      All of the homeland security certs
      Fiber installer (FOI)
      Fiber Technician (FOT)
      MCSA Security
      MCSE Security
      Oracle/Solaris 10 SA

      So as you can see I have a ton of resources to get all the study material and knock out certifications. I know it’s not about certifications and in 10 years many of these will not matter and the tech is going to evolve and change. I am a complete newb in terms of programming (I can do basic Linux programming) and need a place to really start my research and grow into it. Going through the Security+ student guide has really opened my eyes to how much I want to do this stuff. I just need to know which string I should start pulling first. Server maintenance, workstation trouble calls are taking the life out of me. I have been playing with McAfee Host Prevention system and it’s a cool program. Very detailed and dependent on databases, but it still feels like maintenance and defense. I am ready for some offense, or at least wanting to learn how to be offensive in security. Thanks for the help.

      Oh yeah, first post. Sorry if I missed a post that states my answer, but most of the “I need advice” posts were individuals junior in IT. I have built many networks from scratch in the middle of the desert to having people set up talking on video teleconference phones the following week over VoIP.


    • #49411

      You’ve got a similar background as mine. Here is how I did it: http://www.pwnag3.com/2011/12/my-road-to-pen-testing.html

      From a cert perspective, I think the most valuable one on that list is the GSE. There are about 100 people (maybe less) who have the GSE. A lot of them are also Network Admin’ish. HR loves the CISSP, I’m not sure how much real value it has towards pen testing…. Outside of that, I would focus on the SANS courses. You should also look into if they will pay for OSCP, the one I think you’ll get the most value out of.

    • #49412

      Hey BACARDI,

      I did 7 years in the military doing sys/net admin type work with a healthy dose of telecom/satcom thrown in. When I got out it became very apparent to me that without a degree very few companies were interested in me regardless of my experience. In fact in many cases, even after I have gotten a degree, my military experience has put off many potential employers. It’s to the point that I use a functional resume format instead of a chronological format to downplay my military experience while still being able to include what I have accomplished in my career.

      After being in the civilian world for several years I decided to get my MS in Comp Sci, which has been the biggest boost to my career advancement. I’ve never been one for certs, but I have seen where they have gotten many people interviews over other people with experience.

      Again I have to say that in my experience it has been my degree and advanced degree that have opened more doors for me than my military experience. That is not to say that the skills and experiences I got from the military are not valuable or have not allowed me to excel in my career, just that it hasn’t opened any doors for me.

    • #49413

      Agree, CISSP is great for bypassing HR but it’s not really a cert that helps with pen testing. I would just try to do as many as I could, especially if someone else was footing the bill.

      If you have a good understanding of networks and general IT I would say do all the security ones and don’t worry about the networking type certs.

    • #49414

      Hey Bacardi,

      Welcome to the boards 🙂

      Firstly, that’s one hell of a list of certs on offer. I was like a kid in a candy store reading down your options.

      From my own perspective I’d look at GCIH to get a good grounding on the technical side followed by CISSP, although mostly to open HR doors in lieu of a degree.

      As cd1zz has mentioned, take a look at OSCP. It’s not on your list, but it’s a relatively cheap set of training and certification in comparison to the others. I used it as a jump off point from network/system administration that I had been doing for a few years into security. It gave me the technical information I needed, and I was also able to leverage the sysadmin skills I already had to complete several of the challenges (knowing the defaults on some of the target systems can really reduce some of the difficulty accessing unhardened systems).

      It might not be purely security, but given your background getting your MCSE/MCSE-sec certs shouldn’t be too much of a challenge, would prove the skills and experience that you have and (hopefully) ensure that you remain employable for the years to come.

      Good luck with your A+ and Sec+ exams, and whatever you choose to follow them with.

    • #49415

      Thank you all for your advice. I have been doing a lot of research and found that a lot of people do admit how hard it is to get into security because it’s just so vast.

      I am going to focus on going deeper into the knowledge that I already have to really get a better understanding of network/A+/OSI layers so when I dive deeper into the security side I have a better understanding of what I am doing.

      My question to you guys is do you think OSCP should be preceded by other training? Is it a certification that can be “jumped” into and just learned trial by fire?

      Thanks again for all of your help. I am really just scraping by on the A+ certification, meaning I am studying to take the test, not studying for long term application (short term cramming). I need to change my approach now to how I am going to be studying. I want these certs to be something that I know, not something that I crammed to pass the exam.


    • #49416

      Hello BACARDI,
      I am currently on the McAfee HBSS project you mentioned.
      I have been out of the military for a few years now. Although my military experience did not help me get my first job in telecom, it definitely got my foot in the door in my current position. I think others will agree that it depends on what sector you are looking at going into. From my experience, the private sector allows for more growth/freedom. In that sector you may be hired as a Sys Admin but do Network Admin, Desktop, etc. Also, the private sector wants experience above certs. A degree in this sector will help.
      This environment (Gov. or Contractor) is really compartmentalized, meaning AD does just AD, DNS just DNS, Server support, UNIX, Windows, Applications Teams just do their specific application. Although not great for growth it is good when you look at it from a security perspective (segregation of duties/least privilege). The Government wants certifications (DoD 8570.01m) and military experience. A degree if you want to advance. My opinion… You have some great experience. I would focus on getting a degree before you get out of the military and a few key certs such as Sec+, C|EH, CISSP, CCNA, MCSE. I mention C|EH just because it covers 4 of 5 levels of CND under the DoD 8570.
      Like others have mentioned OSCP is great and in my future plans.
      Good luck and thank you for your service.

    • #49417


      I have had to reload our HBSS a few times. It is surprisingly an easy system to work on. I have been working steadily towards a degree in Business Administration because I did not really know what I wanted to do. All the classes I have been taking have been lower level classes, so they would be easily transferable to another degree. I am about 2 classes away from starting my upper level classes and I am going to shift my degree towards Information Security as others have suggested.

      How long were you in the military? I am really trying not to become Gov or contractor when I get out unless I have a really good job offer.

      I am in an interesting predicament right now. I am in the Navy, enlisted as an IT1 (E-6). I am in the middle of my second submission for an officer package into the management side of Information Security. If I get selected for my Officer Package it pushes me more towards the planning and management side instead of the “behind the keyboard” side of the job. The pay and benefits of the Officer side are really hard to outweigh against a job I really am not sure that I will enjoy. Also another hard swallow is if I get selected as an Officer, all of those certifications will have to come out of either my GI Bill (which I have not had to touch yet and want to leave to my kids) or out of my pocket. If I stay enlisted all of those certifications are free to me. For me it is a really hard decision, the pay of an Officer will outweigh the benefits of the certifications, but will I find enjoyment in the management side? I can always do the management side during the day and focus on the “behind the keyboard” pen testing at night in my off time? I feel this is a critical turning point in my military career and I want to make sure I make the right decision not only for me, but for my family.


    • #49418

      Hi Ryan,
      I was in for 6 years and got out as an E-5. When I left I didn’t really wanted to distance myself from contracting/military. Not that I didn’t enjoy the experience, just wanted to get away. There were plenty of offers from DoD contractors and Government but I turned them all down and decided Telecom would be my career. When the economy tanked I was laid off after 8 years in Telecom so I used my GI Bill and finished my degree in Information Systems. I was also able to get a few certs with my GI Bill before it ran out. The only areas hiring at the time were DoD/Contractors. Now that I’m back in this environment I don’t see any cuts in the near future. There is a big push for cyber security professionals in DoD right now. I don’t see that changing any time soon.
      I can see your predicament. If you plan on retiring from the Navy then I would go the officer route. Your retirement pay will be higher, I believe. Finish your degree and get a few certs. Most of the certs aren’t too expensive unless you go for SANS. The Navy has some really great schools as far as Network Security goes. I think Mile 2 does a lot of their training.
      Oh yeah, working with HBSS is easy but maintaining it is a pain. 🙂

    • #49419


      I do plan on retiring, the medical benefits alone are worth the 20 years. After doing this for 10 years, I already want to distance myself from DoD stuff even though they are an easy transition. 10 years from now after I retire I may feel differently, I will keep my options open. I have already received one good security school which really introduced me into the world of security. It was basically Security+ course on crack with a hint of HBSS. I am very impressed with the training that I have received and the schools/college/certifications I am able to obtain for free while serving. My wife keeps on pressuring me to continue on with my degree, I fought her on it a few years ago saying my experience will get me through. Yes, I have since then grown up lol. OMG the maintenance on HBSS is intense! I still have yet to go through the school but I was told by one of the installers I am leaps and bounds ahead of the game since I dug into the documentation and reloaded myself and applied everything without help. I am not afraid of research, I thrive on it. Thanks again for all the advice and personal experiences, definitely helping me make smart decisions.

    • #49420

      Good luck Ryan,
      Check in every so often and let us know your progress. And if you ever want to talk offline let me know.

    • #49421

      I have a question about degrees. With regards to pen testing and employment, do employers care if you get your degree from an online source like U of Phoenix? Being military and traveling, it’s tough to go to a brick and mortar type of school. All of my classes so far have been online. Just want to make sure I am not wasting my time. Thanks!!

    • #49422

      Most of my credits were online also. I think in the private sector, especially in Management, it matters more. From what I’ve seen around here the contracting company gets more from the government if their employees have a degree. I haven’t heard anything different on the Government civilian (GS) side. I would have gone with WGU if I’d known about it sooner. WGU has IA Bachelor and Master Degrees that incorporate certifications into their degree programs. And they are all online. I haven’t researched WGU (http://www.WGU.edu) enough to give more information. I’m sure others here can help in that area.

    • #49423

      I am extremely impressed with what I am reading about WGU. Never heard of them, thanks for pointing me in that direction.

    • #49424

      Well I was forced into taking a gauntlet of certification tests this past week. I took both of the A+ certs (practical/essentials) and my Security+ Cert all within a 4 day period.

      So I studied for all 3 tests simultaneously and passed all 3 tests.

      A+ Practical
      Scored: 762

      A+ Essentials
      Scored: 758

      Scored: 789

      I know if I was able to study these independently I could have scored higher, but I am still impressed that I was able to pass the gauntlet of certs within a 4 day period. Work required me to do all certs within a week time frame. (military)


    • #49425

      Haha awesome! Maybe you will actually obtain the whole list  😀

      What will your next cert be? I am currently prepping for CISSP. A lot of overlap with Security+ so I can recommend it if you are thinking about it. After this I really wanna start with OSCP, a fun hands-on challenge.

      edit: WGU sounds nice. Too bad I am not a US citizen.  Good luck!

    • #49426

      I am going for a degree in Security at WGU and they count certain certificates for credits. The 5 they require for a degree are:

      CCNA Security

      I am going to knock out Project+ next followed by the Cisco certs to get a head start on my degree since the military pays for the testing. Then I am on to CISSP.


Copyright ©2020 Caendra, Inc.
