What now ??

    • #7410

      Hi all,

      So, for anyone who doesn’t know, about six months ago I landed my dream job as a junior penetration tester. Well, recently I lost this job and was told they didn’t think I was ready and they could not make money on me. This was a big shock to me, as at no point did they give any indication that they felt I was not doing OK. During my time with them I did everything they asked of me and they seemed happy with my progress.

      Anyway, I am now in a situation where I have no job and really don’t know what to do. I feel down and feel like, as much as I want to be a pen tester, am I really not good enough? I know I have loads to learn, and I felt I was doing really well, and it just came as a big shock. Half of me wants to give up but the other half wants to prove a point to them. However, I can’t put my life on hold hoping I get another security job.

      What would you guys do in the same situation?

    • #46279

      Damn, I’m sorry to hear that Jamie.R. If you don’t mind me asking, what certs and work experience did you have before the job? And did they tell you which skill or skills were not up to their liking?

      If I were in your position, I would still apply for security jobs…but you’ll probably want to apply for other jobs as well (like whatever else you used to do before the pentesting job?). Keep your head up, I’m hoping the 6 months of pentesting experience will land you other pentesting/security gigs.

    • #46280

      If it were me, personally, and IT security / pentesting was what I really wanted to do, I’d stay after it.  Sure, you might need to find some other work for a time, to maintain an income stream, but if it’s what you really want, I wouldn’t give up.

      Now, that isn’t to say you won’t have long nights and weekends, continuing to put in the effort to grow and maintain your pentesting knowledge, while working in another job / field, but it’s a worthwhile price to pay, if it’s the means to the end that you want.

      I spent MANY nights and weekends away from the wife and kids, locked in my office, to manage to make time to continue and grow.  It’s rough to dedicate the time, but if it’s right, it’s right.   😉

    • #46281

      Really sorry to hear that.  I actually had a similar experience a number of years ago.  I had the opportunity to work for a friend of the family, everything was set, the interview was more a formality, but afterward the friend had a discussion with the guy that interviewed me and the guy essentially told him that I didn’t know anything, wasn’t worth the time, and he didn’t want to work with me.  I was really down for a while, and I finally decided to “show him” and used it as a life lesson.

      The best thing to do is think back on your work from their perspective, try to see what may have been negative and really work on it.  You wouldn’t be in the field if you didn’t love it, so take it easy, refocus on applying for jobs, get something so you won’t starve in the meantime, then apply for a better “dream” job.  Chances are next time around you will be focused on different things, always trying to improve yourself, and will be an even better asset to your next employer.

      Don’t give up!  It was a great experience and next time know you’ll do better.

    • #46282

      Not knowing your background, it is hard to really give sage advice.  However, I think it very difficult to land a job as a pentester (even junior) straight away from training.  I would recommend trying to land a job in security on the defensive side first and gain a few years of experience (I know, easier said than done sometimes, but keep at it).  It is easy enough to run through tools referenced in the CEH materials, but it is much harder to understand infrastructure and methodologies if you have spent all of your time on offensive certs, IMHO.  In my experience, the best pentesters come from areas of administration who worked their way into offensive skills by defending against them (sys admins, net admins, etc.).  Wish I could help directly, but IIRC you are in the UK, right?

    • #46283

      That really sucks Jamie.R, but if I were you, I’d keep down the path you’ve started.

      From what you’ve said here and at Hacking Dojo (when I was around there), you seem to be putting the time/effort into the offensive side. It may take a couple years of working on the defensive side of things, but so what? There’s a sort of badge of honor that people in IT wear when they’ve worked in roles like SysAdmin, Network Admin, etc. (These jobs can be a lot of fun too!) Why not go and do that for a while, getting more and more experience while working toward your dream job?!

      Good luck to you whatever you decide to do…

    • #46284

      I don’t have anything to add besides a lot of +1s.

      I just wanted to say that I’m sorry to hear about your situation, and I hope you get back on your feet quickly. Don’t give up.

    • #46285

      I hate to hear that. Were you honest about your capabilities when you started? That’s the hardest part and I know I’ve screwed myself out of a few jobs because I was too critical about my own skillset. It’s hard to gauge your true knowledge level though when you follow all these mind blowingly brilliant folks on Twitter. I’m never sure if I’m really any good or not. 🙂 I constantly see “experts” who try to land consulting gigs with us that are rank amateurs and then run into unemployed guys at my local DC group who can’t seem to land a job but are so absolutely amazing I can barely follow their train of thought.

      Keep trying, don’t give up! I’ve found local infosec community involvement to be a huge advantage for folks looking for work. I know I’ve found infosec/technical jobs for at least 3 colleagues I’ve met at these types of events but I market myself and get a lot of recruiter contacts because of that.

    • #46286

      Hi Jamie,

      I am really sorry to hear that with your job. I second what everybody has written so far.
      From your posts here on EH-net as well as your site you seem really passionate about ITsec…So DON’T give up!

      “Our greatest glory is not in never failing, but in rising up every time we fail.”
      (Ralph Waldo Emerson)

      Since I am still in my masters and job hunting for me won’t start before august, this is the only “real advice” I can give you: “DON’T give up, if IT-Sec is really your passion!!”

      If I were in your situation, though, I would first ask your employer for a talk to elaborate on the exact reasons why they have fired you. This might hurt, but will give you valuable information on what you can improve the next time.

      Second I would right away start to apply for new pentesting jobs. Don’t let the “feeling of being not good enough” let you down or discourage you and get right into the game again!
      And only if this won’t work out for whatever reasons “too less job experience”, “too young”….blah blah… try to get a job as admin or what else…to build a solid foundation (always with the goal to learn something new…so no “brain death” jobs). 
      And never forget to focus on your goal or “dream job”!

      I wish you good luck and all the best!! And again: Don’t give up!

    • #46287

      Hi Jamie,

      I am sorry to hear you have had this setback. I agree with what everyone has said. From your web site you certainly look to be dedicated and also a good communicator.
      I would say if you enjoy penetration testing keep it as your goal.
      I know how hard it is at the moment to find the right job because I am in the same boat. 
      I hope you find something soon. In the meantime keep posting, because I am sure there are a few of us in the same position and it is really helpful to hear how other people are doing.
      All the best

    • #46288

      I really don’t know where it went wrong. I went to the job as open as I could be and told them I had no experience and was really looking to learn. Everything they gave me I did to the best of my ability, apart from one program they asked me to do. At the time I had a lot going on with family and my girlfriend, so it took me longer than they hoped. This was the only downside that they pointed out. They felt I was not learning as quickly as they wanted me to.

      Despite this I found a DOS bug on a website that had been tested 10 times before that no one else found.

      I was asked to go on site and do some SE and broke into two of the three buildings.

      In all the web app tests I did, I found the same problems as my mentor. In fact, I think on some occasions I taught him a thing or two.

      So I really don’t know. It just kind of knocked me for six. I do plan on carrying on learning as I love security; I find it so interesting. It’s just that them saying I was not good enough makes me not want to get another job and then leave six months later, as it just doesn’t look good. I guess I don’t want to do more harm than good to my CV.

    • #46289

      Protip regarding short term (or any) employment: Don’t list months, use years only.

      Penetration Tester 2011 – 2012

      Looks better than

      Penetration Tester Sept 2011 – Feb 2012

      and then once asked in the interview to clarify you can.

    • #46290

      I can sympathize with what you’re going through.  Being hired into a dream and then feeling kicked out of it can be an emotional hit to your ego and personal outlook.  Maybe it was deserved, or perhaps there’s a good hard lesson to be learned so you can emerge stronger from it.

      I’m relatively new here and not a pentester so take my two cents with a grain of salt.  I also don’t know your background, skill set, etc., except what I’ve just read on this thread.

      My background is on the defensive side of the house and I sense that you’re relatively young, new to the infosec scene, and your practical experience (aside from the immensely valuable and enviable six-month gig doing real-world pentesting) is still relatively green.  Since I wear the blue team hat, I’m probably somewhat biased but I’ll say this: it seems to me that in order to be an effective pentester who can deliver value to clients with the ultimate goal of providing recommendations to increase the security posture of their businesses, one would need at least some IT background in the normal sense.  Knowledge of operating systems, applications, networks, protocols, human behavior, and the glue which binds them all together would be considered a fundamental requirement in order to understand how to perform attacks on these ecosystems.  That usually entails experience working as a systems administrator, network engineer, and the like for some years.  Otherwise it’d be difficult to impart suggestions on how to fix a broken system.

      My limited experience with offensive training has left me with the feeling that courses and certifications geared towards that aspect of infosec do not really give someone a strong understanding of the minutiae which go into building and maintaining elaborate networks.  Breaking in and proving a point is great, but you have to impart the corrective measures in a way a client can actually use (because they’re probably not trained in offensive-thinking like you’ve been).

      One of the things I’d put a critical eye on when evaluating a pentest report is effective communication skills.  Perhaps your reports contained grammatical errors or things weren’t explained concisely to the client’s benefit.  I’m only hypothesizing this based on the occasional minor grammar errors in your posts and a quick perusal of your website.  Or maybe your mentor(s) didn’t feel you had sufficient background experience / industry maturity to support your reports’ claims when face-to-face with clients.  I’m only guessing as I have no idea what in-person pentest engagements are like except my meetings with vendors and business partners.

      It’s natural to feel let-down and angry.  Perhaps it was an unfair call against you but these things happen in life.  Your former employer might have thought to just give you a chance to see if it’d work out and then eventually decided a junior position still requires more ground-level experience.  Who knows.  I’m assuming you proved yourself as more than just a run-the-tool monkey and did satisfactory manual testing.  If I was let go in my current position I’d feel the same way, questioning myself and my abilities.  It’s frustrating to put yourself through massive self-training efforts only to be let go and feeling dumped.

      But as I said … you have six months of actual pentest work under your belt coming right out of some line of training.  You’re already ahead of a lot of people, in my opinion, and you can put that to good use.  I also encourage you to explore the other half of the equation – countermeasures against the attacks.  Learn intrusion analysis, firewall design, systems hardening, and incident response skills.  It’ll make you much more well-rounded and balanced as an individual.  And these will be qualities that any organization worth their salt can identify and respect.


Copyright ©2021 Caendra, Inc.
