May 15, 2014 at 8:01 pm #8699
I have been working as an IT professional for a little over 5 years. I have always wanted to get into security and hacking so I decided the best way to learn was a trial-by-fire into the OSCP course. Having little to no experience in security or hacking I plunged into the course and quickly bit off more than I could chew. Long story short, in the end I learned a ton and was awarded the OSCP certification.
I am looking for advice on what I can do now to get my foot in the door as a pentester. I have sent several resumes and applications, but I have yet to hear anything. I’m worried my lack of on-the-job experience is hurting my search. Any help would be greatly appreciated.
May 16, 2014 at 10:40 am #53816SephStormParticipant
Welcome to EH.Net. Congratulations on passing your OSCP, that is quite an accomplishment. So I want to start out by asking a few questions, what qualifications other than the OSCP do you have that may benefit an employer for a pentesting position? Any wireless hacking experience? Do you have a CEH in case you need to work with DoD? Outside of certifications, where are you looking for positions? Are you meeting the requirements of the postings? How does your resume look?If you like you can send it to one of us for review. I also have a few contacts I can reach out to, find out what companies are looking for in a Jr. Pentester. Also, you could look into trying to make a name for yourself by discovering vulnerabilities in a legal fashion, and getting your name out there as a vulnerability researcher or RE expert, ect.
Honestly though my first thought is that they want to see previous security experience. Rarely do people go directly into pentesting.
May 16, 2014 at 5:15 pm #53817
Thanks for getting back with me! OSCP is my very first cert for pentesting and ethical hacking. I’ve been in more of a systems support role before then. When I made the decision to get into ethical hacking I was trying to decide between CEH and OSCP. I chose OSCP because that course fit my learning style best. I am going to get my CEH next. I am told it’s a cakewalk compared to OSCP 🙂 As far as experience I am just starting out. My current employer has delegated a lot of the security responsibilities to me. Since I understand the vulnerabilities, he believes I am more qualified to prioritize and implement the vulnerability fixes. As far as the requirements for the positions I lack previous experience as a pentester and some are asking for a 4 year degree which I do not have. Honestly I had hoped the OSCP would carry enough weight to get me in the door because of it’s difficulty and high demand. Can I just PM my resume to you? Thanks for your help!
P.S I plan to write up my full OSCP story in the OSCP forum soon.
May 17, 2014 at 7:41 am #53818SephStormParticipant
Of course you can, i’ll do whatever I can to help.
May 18, 2014 at 3:10 am #53819dynamikParticipant
Congrats on the OSCP, that’s quite an accomplishment! Based on the subject alone, I initially thought this thread would be someone whining about the OSCP being too difficult, so I was pleasantly surprised when I actually read your post.
If you haven’t already done so, write a penetration tester version of your resume. Highlight all the security responsibilities in the role(s) you’ve had, and emphasize everything that’s as close to penetration testing as you possibly can (network scanning, vulnerability analysis, patching, system hardening, password auditing, etc.). If you haven’t done those things, get permission to do them, and then do them. See if you can even get some exploitation approved, so you can also add internal penetration testing activities.
The CEH is a multiple-choice marketing cert, so no, it’s not going to hold a candle to the OSCP. It may open some doors with HR or recruiters, and it will satisfy a DOD checkbox if you’re trying to go that route (but others can be used for that). Aside from potentially helping you get your foot in the door somewhere, it’s really not well-respected by technical professionals. It’s not going to hurt you, but you already have the one that matters to those people.
What’s your official title? You first said you’ve been an IT professional for ~5 years, but your second post makes it sound like you’ve been in a support position that entire time. If so, that’s getting to be a long time in a support role, and the lack of advancement may be viewed negatively by some people.
What other certifications do you have? Everything we do revolves around general IT, so certifications like the CCNA will definitely lend you more credibility. As great as the OSCP is, it doesn’t encompass everything. I’ve met OSCPs who haven’t been able to do basic network troubleshooting. A large component of penetration testing is explaining why the current configuration is vulnerable, how to remediate it, and what the potential repercussions of remediation may be. It’s unlikely that someone who lacks those core skills and knowledge would be able to do those tasks well.
If you don’t have a blog, start one. Put your OSCP review and other things you learn/are working on there. That will demonstrate your knowledge and writing skills (writing reports is a big piece of the equation, so make sure the message you’re sending is that you’re a competent writer). Unrelated, but the same is true for the quality of your resume. If there are errors and your thoughts are jumbled on such an important document, one can only imagine what the quality of your reports would look like. I’m not implying that your resume is in poor shape; I’m just emphasizing the important of making sure it’s polished.
What are you doing for networking (the kind that doesn’t involve bits and bytes)? Are there DC[Area Code], OWASP, ISSA, ISACA, etc. meetings in your area? BSides? Do you attend any larger conferences? DefCon will likely be overwhelming if you aren’t yet acclimated to cons, but if nothing else, you should definitely head out to DerbyCon later this year. That should be a relatively short trip for you too. Snag your ticket quickly though; it’s a smaller con that will sell out.
Are you open to relocating and/or traveling? You’re not in a great area for InfoSec, or even IT in general, so being able to broaden your horizons will significantly increase your likelihood of success.
May 19, 2014 at 1:03 pm #53820
My official role is Technical Support Analyst, but I’ve been working with a medium sized business(around 250 users) with only a 3 person IT dept for about 4 of those years so the title does not really describe my day-to-day responsibilities. I’ve worked on server, routers, and switches on top of doing desktop support. I am well versed in Active Directory, DNS, DHCP, Citrix, Exchange, Group Policy, Terminal Services, etc. so I have a strong base in general IT. My other certs are A+ and Net +. I have never had anyone really critique my reporting, but I do know that a lot of how the OSCP is graded is based on reporting. I’ll send you my resume for review. As far as relocation/travel I would prefer to travel, but relocation would be an option. I have also never blogged before so any advice on getting that started would be greatly appreciated. Thanks a lot this is very helpful!
May 19, 2014 at 2:31 pm #53821ziggy_567Participant
As always, dynamic gives great advice.
Here are a couple of links to videos/info about getting into security especially dealing with resumes, interviewing, etc. etc.:
And a whole series on “Breaking into Security” from Robin Wood:
May 20, 2014 at 12:35 pm #53822
Thank you all. I’m so glad I found this board. Sounds like I need to slow down and start building the foundations I need in my current position. I believe I may have been a little too aggressive in finding a new position when I should be taking the opportunities to use my new skills in my current setting. I will keep my eyes open for new opportunities obviously. It’s nice to get some perspective. 🙂
You must be logged in to reply to this topic.