The Realities of Entering the Penetration Testing Field: A Response

In recent times, the conversation surrounding penetration testing has intensified, leading me to respond to some of the comments and feedback I received. This piece is aimed at recent graduates, those who have recently earned their OSCP, and individuals aspiring to break into the field.

Looking back, I realize that the title of my previous article could have been better framed as “True Life: I Worked At A Cyber SweatShop.” Many critics pointed out that one should not generalize the entire industry based on a single experience. While I believed I had made it clear that my situation was not the typical one, the feedback has prompted me to elaborate further.

WARNING: This will be a lengthy read.

Consultancies

It's crucial to understand that not all consultancies are created equal. There are good, bad, and mediocre firms out there. One person's experience in a particular role can vary significantly from another's.

If you're a novice penetration tester or red team member gearing up for an interview, do you know the right questions to ask to gauge the firm's culture and expectations?

Are you familiar with what a kick-off call entails? Can you identify the contents of a Rules of Engagement (ROE) document? Are you aware of the typical number of consultants needed for a given project?

And importantly, do you know how to verify if the IP range provided by a client is accurate? This is a significant aspect to consider.

Do you possess the skills to input a domain name into dnsdumpster, analyze the endpoints listed, and determine if the workload is feasible for one person within the given timeframe, even if your supervisor insists you can manage it alone?

This article is not an attack on the industry, as some on Twitter have suggested; rather, it serves as a cautionary tale for those eager to enter the field who might overlook glaring red flags in their prospective employers.

Some of the experiences I shared were not solely my own but belong to colleagues and friends I have made in recent years. Personally, I was never pressured to bring in clients, although I have heard from others that such expectations exist, which is not typical for the role.

Offline, I could recount some truly uncomfortable scenarios that I experienced, but this article isn’t about disparaging the firm where I worked. Instead, it's about an industry that has evolved rapidly in terms of the products (pentesting/red teaming) and the skill sets required to deliver valuable results in just two years. Unfortunately, this rapid change has inflated the perceptions of recent graduates and career changers about the current job market. This misconception can lead individuals to accept roles for the sake of experience, often spending thousands on training that may not lead to employment or may place them in jobs they are unprepared for or uninterested in.

The demanding work schedule I described is indeed accurate, and I am not the only one who has faced such expectations, whether explicitly stated by the company or not. To claim that such situations are rare (as opposed to common) in the industry is simply uninformed.

When evaluating a firm, inquire about work-life balance and scrutinize their answers. Investigate what policies they have in place. If they boast unlimited Paid Time Off (PTO), remember that it often doesn't equate to the freedom to take extended leaves. Research shows that employees tend to work more when unlimited PTO is available, as they fear appearing to exploit such a policy.

During my interviews, my primary request was for mentorship and someone to turn to if I encountered difficulties. If the hiring manager had been forthright, I would have learned that I would be handling engagements solo while they focused on sales calls. This knowledge could have saved me a lot of trouble.

The skills I mentioned are indeed expected in the field. Knowledge of various programming languages is essential, with the level of proficiency varying by firm and management.

Some firms may want you to develop an exploit from scratch in Python, while others may simply require you to modify variables or change IP addresses on a public exploit.

Clients will expect to understand why a vulnerability is exploitable, how it was exploited, and what recommendations exist for remediation.

At times, the solution could be as straightforward as upgrading from Windows 7, while in other cases, it could be quite complex. During a debrief, if asked how a public exploit functions, you cannot simply respond with, “I changed the IP, and, uh, it worked.”

You will also be expected to be proficient with industry-standard tools, many of which you may not have access to, such as Nessus or Cobalt Strike. Programs like CRTO can provide hands-on experience with Cobalt Strike.

There are other commercial tools that may not be accessible, but these are just a few examples.

You will be expected to have expertise in various protocols, hardware, and software. At one point, I was asked about BitLocker bypass techniques, as the firm was presenting a “stolen laptop” scenario to clients. I was at a loss.

As one individual on Twitter pointed out recently, be prepared for the inclusion of Large Language Models (LLMs) in that ever-growing list. Can you envision an interviewer asking about your methodology for pentesting LLMs?

On a related note, I never witnessed anyone from the AppSec or Web App teams being assigned to infrastructure pentests. However, infrastructure pentesters were often expected to have knowledge of Web App and AppSec tasks. Odd, right?

This is another question to ask during interviews: Will you be placed on projects for which you lack qualifications, such as AppSec? Their response may surprise you.

I was fortunate to have worked in various industries before transitioning to IT, giving me a better understanding of corporate structures than many new graduates. Once you join a firm, observe the departments and the number of individuals in upper management.

A clear indicator of potential issues within a company is the absence of dedicated departments for traditional roles. Startups or firms that have been in business for under five years may be exceptions.

Some companies may have operated with just a three-person team for years before needing to expand rapidly. Some people thrive in startups, enjoying a small team environment with significant impact and opportunities for growth. Others may prefer larger organizations.

However, if you find yourself in a company that has been established for nearly two decades without a dedicated sales team or that outsources functions like accounting and HR, it’s worth investigating further. Are you being asked to promote their services on your personal social media accounts? Does anything feel amiss? If you’ve been there for a month and have concerns about the stability of your paycheck, it might be time to polish your resume once more.

Another factor to consider is the ratio of upper management to regular employees. Does it appear that nearly everyone besides you holds a director, vice president, or chief title? How many levels are there between you and the head of the department or company? This can provide insight into your potential for growth within the organization. If you take that position, what are your prospects for advancement?

Once again, startups represent a different scenario.

The Job Market

Currently, the job market for junior to mid-level penetration testers and red teamers has contracted. I know individuals with solid experience—five years working on public open-source projects, advanced certifications, and industry contacts—who have been jobless for six to seven months.

As previously mentioned, if you possess 10 to 15 years of experience, you likely won’t struggle to find work, and the roles you secure will probably offer better treatment than those hired at 80k with no experience.

It’s uncommon to find someone like Bobby Cooke or Chompie who quickly rises to a position at X-Force Red. Most individuals pursuing this line of work require guidance to navigate their path. That doesn’t mean they can’t be developed, but in the current job market, who is investing in that?

There are a few aspects I may have misrepresented in my earlier article, so here’s a clarification. The majority of individuals involved in bug bounties are not earning four to five times what consulting firms offer.

I retract my earlier statement.

However, there is a segment within the web/app security community that is bypassing traditional job experience in favor of bug bounties, whether as a part-time or full-time pursuit.

My advice to new graduates looking to enter the cyber realm is to secure a legitimate IT job to fall back on while you pursue certifications and side projects. Positions such as sysadmins, DBAs, or cloud specialists are invaluable, allowing you to pivot back to a role based on your skill set if you find yourself in a situation similar to mine.

DevSecOps also represents a beneficial avenue for those interested in penetration testing, though it can be competitive. Pursue what excites you so that you can enjoy the journey until you land your ideal position.

Recently, I came across a job listing for a Red Team Engineer, which piqued my interest as it essentially involved supporting the red team by managing infrastructure and setting up domains. If you can find similar roles, they could serve as a stepping stone into red teaming or pentesting.

The Certifications

Ah, the certifications. This section certainly stirred up some controversy.

Here's a list of the certifications and courses I completed before securing my position:

  • Offensive Security Certified Professional
  • Certified Red Team Operator (with Covenant)
  • Certified Red Team Professional
  • Sektor7 Malware Development Essentials
  • TCM Security Python for Hackers
  • TCM Security Ethical Hacking Course
  • TCM Security External Pentest Playbook
  • TCM Security OSINT Fundamentals
  • TCM Security Practical Phishing Assessments

Seems extensive, right? This is in addition to my sysadmin certifications and IAT Level 2 certifications. If you’re unfamiliar with what IAT Level 2 entails, a quick search will clarify.

While I did not take the CRTP exam, I completed the coursework and lab.

I also engaged in numerous personal projects, including setting up Rogue APs, crafting custom payloads for Hak5 tools, completing CTF walkthroughs from Vulnhub, and running my own Active Directory lab, complete with write-ups.

What I've provided is merely a snapshot of my resume, excluding my actual employment history.

All of these courses offered valuable insights, structured syllabi, and curated content. At that time, CRTO was the only certification focused specifically on Active Directory, and I completed the course using Covenant since I lacked a Cobalt Strike license.

PNPT was not yet available; it was merely a course. OSCP had not integrated the Active Directory aspect into its exam, although it was included in the course content.

While some advanced certifications existed back then, they were not as prevalent as today. I believe OSEP had just launched following the retirement of OSCE.

It has been a while since I completed any of these courses, but I suspect they have improved significantly since my time. I empathize with the individuals behind these programs, particularly the independent content creators who design labs and manage certifications.

I can't fathom the challenge of keeping content relevant while maintaining lab uptime. Implementing updates must be a considerable undertaking.

When I took the OSCP course, Defender was disabled on all machines. I’m uncertain if they now include an AV evasion component in their materials.

Most firms employ custom loaders and implants for operators, allowing payload execution as if defenses were non-existent. However, the risk of detection during post-exploitation remains a concern.

It’s worth noting that the assertion that current training courses fail to prepare newcomers for real-world jobs isn’t a novel idea of mine. David Bombal interviewed Neal Bridges, a former NSA hacker, a couple of years ago, and Neal noted that individuals who believe they can exploit a real-world web application as easily as they did with DVWA are in for a rude awakening.

How many of the attacks taught in courses are detected by Endpoint Detection and Response (EDR) systems? Techniques like DCSync, LSASS dumping, and PrinterBug are all examples. While these methods might still work, the likelihood of alerts is high. Executing PsExec across a network will certainly draw attention. While you might achieve Domain Admin access, it’s likely that you’ll need to coordinate with the client to address alerts they receive.
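To show why a technique like DCSync is so likely to alert, here is an added example (not code from the original post) of the detection a blue team runs over Windows Security event 4662: a replication request shows up as a Control Access (0x100) audit whose Properties field carries the DS-Replication-Get-Changes right GUIDs, and anything other than a known domain controller or an allowlisted sync account requesting them is flagged. The event records, DC names, and account names are constructed sample data.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Domain controllers replicate with each other using their machine accounts, and
directory-sync services (e.g. an allowlisted MSOL_* account) legitimately ask
for the same rights. Any other account requesting replication is an alert.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Control access right GUIDs that appear in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


@dataclass
class Event4662:
    computer: str        # domain controller that logged the event
    subject_user: str    # account that requested the access
    subject_domain: str
    access_mask: str     # "0x100" is Control Access, the mask a replication request uses
    properties: str      # GUID list copied from the event's Properties field


@dataclass
class Alert:
    dc: str
    account: str
    rights: List[str]


def replication_rights(properties: str) -> List[str]:
    """Return the names of any replication rights present in a Properties field."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def is_expected_requester(event: Event4662, known_dcs: Set[str], allowlist: Set[str]) -> bool:
    """Only known DC machine accounts and explicitly allowlisted accounts may replicate."""
    return event.subject_user in known_dcs or event.subject_user in allowlist


def detect_dcsync(events: Iterable[Event4662], known_dcs: Set[str], allowlist: Set[str]) -> List[Alert]:
    """Walk 4662 events and return one Alert per unexpected replication request."""
    alerts = []
    for ev in events:
        if ev.access_mask.lower() != "0x100":      # not a control-access audit
            continue
        rights = replication_rights(ev.properties)
        if not rights or is_expected_requester(ev, known_dcs, allowlist):
            continue
        alerts.append(Alert(dc=ev.computer,
                            account=f"{ev.subject_domain}\\{ev.subject_user}",
                            rights=rights))
    return alerts


# Constructed sample events (not real log data); the domain, hosts and users are made up.
SAMPLE_EVENTS = [
    # DC02 replicating from DC01: normal.
    Event4662("DC01.corp.example", "DC02$", "CORP", "0x100",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # A user account asking for replication rights: this is what DCSync looks like.
    Event4662("DC01.corp.example", "jdoe", "CORP", "0x100",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Same user reading an ordinary attribute (placeholder GUID): not replication.
    Event4662("DC01.corp.example", "jdoe", "CORP", "0x20",
              "{00000000-0000-0000-0000-000000000000}"),
    # Allowlisted directory-sync service account: expected.
    Event4662("DC01.corp.example", "MSOL_a1b2c3", "CORP", "0x100",
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"MSOL_a1b2c3"}):
        print(f"ALERT on {a.dc}: {a.account} requested {', '.join(a.rights)}")
```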

I understand the need to start with foundational knowledge before progressing. I think the disconnect lies not in the certifications providing a solid base of information but rather in the current landscape offering limited opportunities for the type of candidate these programs produce.

When it comes to certifications, I have never encountered a certification that guarantees employment. Let’s be clear on that point. What often confuses newcomers is the lengthy list of certifications included in job descriptions.

It’s common knowledge that OSCP serves as the HR gatekeeper. While it’s not impossible to secure a job without it, you will notice its presence in most pentesting and red teaming job listings. The list of sought-after certifications has expanded, and you’ll increasingly see PNPT, CRTO, and CRTL, alongside longstanding options like eJPT from INE. However, OSCP remains the most sought-after certification by hiring managers.

In the United States, it’s a requirement for many pentesters working for agencies such as the Department of Homeland Security and the Department of Defense.

So, can you land a job with OSCP? Not necessarily. However, it certainly feels like securing employment without it is a daunting task, especially if you lack industry experience. In my experience, finding an interview opportunity without OSCP can be challenging.

To be candid, OSCP has become exorbitantly priced. Even when I was enrolled, the cost was already steep. The LearnOne platform is subpar, and when I considered pursuing OSEP, I ultimately opted out due to their transition to this new system.

I wouldn’t recommend pursuing OSCP before acquiring a job in pentesting. Some may disagree with this stance, but it’s my perspective. It might sound contradictory given my previous implication that securing a position without it is difficult.

Instead, I suggest pursuing other, more affordable certifications, establishing your reputation through personal projects, tailoring your resume to showcase your skills, and seeking opportunities at smaller firms. Encourage them to cover the cost of your certifications. Additionally, target firms that require candidates to complete a small Capture the Flag (CTF) challenge before being hired, as these organizations often place less emphasis on certifications and degrees if you can demonstrate your abilities in the CTF.

I envision the market moving toward a model akin to that of the physical pentesting industry. How many people do you know who can pick locks, utilize Proxmark syntax, clone RFID tags, or employ under-door tools? I once bypassed my own home security system to avoid waking a sleeping baby when letting my dog outside. No one from CoalFire has knocked on my door yet.

The physical pentesting sector is relatively niche. Dedicated professionals focus solely on physical assessments, while others who specialize in network pentesting may only engage in a few physical evaluations each year when the firm secures such projects. While many aspire to work exclusively in physical pentesting, the demand simply doesn’t match the number of available positions. I foresee traditional network pentesting evolving similarly over the next five years, though I could be mistaken.

Independent Courses

Some independent courses are excellent. For example, a specialized course on lateral movement techniques priced at $20 is a steal. Conversely, a $1000 EDR evasion course teaching XOR string encryption and process injection may not be worth it—it's up to you to decide.

The Degree

The topic of college degrees often sparks debate. I can assert that having a degree won’t hurt your prospects, but it may not necessarily aid them either. I hold a degree in Information Systems and was earning a six-figure salary before graduation. While this is common, it should not be taken for granted.

I have never been hired solely based on my degree, and to be honest, few people even inquire about it. This could be due to the concise nature of my resume, where my degree is just a single line, or a larger trend where hiring managers prioritize skills and experience over formal education.

Student loan debt is another consideration. Thankfully, I did not personally incur any costs for my degree, courtesy of the GI Bill. If you reside in the U.S. and did pay for your education, you might feel differently. I also lack experience applying for jobs with degrees from prestigious institutions like Princeton, MIT, or Stanford.

I have heard positive feedback about Western Governors University, which apparently allows students to earn certifications as part of their degree program. Look into it!

I am not suggesting you forgo college entirely. Obtaining an associate degree from a community college, where financial aid alleviates the burden, is a smart move. Red Hat Academy is a fantastic option for those entering Linux administration, but there will always be a demand for Windows and networking professionals as well.

I don’t see much value in pursuing a graduate degree in cybersecurity if your goal is to become an operator or team leader, though others may disagree. Some companies might grant years of experience based on your educational background; for instance, a position may require seven years of experience, three of which must be with a master’s degree. However, graduate degrees come with a hefty price tag.

The Money

This topic often generates considerable debate. If you’ve been attentive while reading this post, you may have noticed the unusual requirement for IAT Level 2 certification. Those in the know understand its significance, while others can quickly find out.

Regardless of its implications, the salaries I mentioned were reflective of what I observed in the industry and continue to see today.

Some may argue that if a job requires IAT Level 2, it follows that their salaries will be higher. This assertion is misleading. In fact, finding jobs that necessitate such qualifications is challenging, even in the current market. For those who possess such certifications, maintaining them is crucial.

Let me clarify: money is not the only or even the most significant factor when I search for a job. If it were, I would be an SAP architect earning $140 an hour.

However, compensation is an important aspect of any job opportunity. Ideally, you want the highest salary possible with the least amount of responsibility.

This balance can sometimes be disrupted: too much responsibility and insufficient pay, or the opposite scenario. In many cases, as job responsibilities increase, so does salary. Finding a role that offers the right balance between responsibility and compensation can be challenging.

In my case, having the option to transition back to a sysadmin role provided a safety net I established long before taking my current position. I needed employment and sought a less stressful role, which turned out to be more lucrative.

Had I been thoroughly satisfied in my cybersecurity position—enjoying exciting challenges, a supportive team, and minimal stress—when approached with that sysadmin opportunity, I might not have considered it. That’s the reality.

In my previous article, I mentioned being approached for a web app position with a salary of 120k. Upon reflection, the actual compensation was 100k, which included all benefits. Thus, the cash value was only 100k. I declined the offer due to salary concerns and a lack of interest in web apps compared to other security areas. Had it been a role focused on physical assessments, I might have seriously considered it. While salary is important, it is not the sole factor.

Recently, I was offered a position outside of security with a starting salary of 240k, but it required being in the office four days a week, with a one-hour commute each way. I declined the offer, even when they suggested covering hotel costs for those four days. I opted to remain in my lower-paying role, where I enjoy flexibility and the ability to work on personal projects while participating in daily stand-up calls.

Discussions about jobs, salaries, and career advice can be sensitive. If this is your passion, pursue it! Feel free to reach out to me on Twitter or Discord with questions regarding job applications or resume crafting.

You should expect a competitive salary since penetration testing is a highly technical field. However, that doesn’t always mean a salary of 150k. If you receive an offer below 100k, investigate the reasons or negotiate for an early performance review and potential salary increase.

Consider accepting a position at 80k with a salary review after 90 to 120 days. Ensure you have this documented and establish measurable benchmarks for your progress within the company to facilitate a higher salary negotiation. If you meet those goals at 90 days and the salary increase doesn’t materialize, you’ll have to make a decision then.

I won’t delve into politics, but I will say that in the U.S., a salary of 100k doesn’t stretch as far as it did a few years ago. We all recognize this truth, and as inflation rises in 2024, it’s reasonable to desire higher compensation for your work.

The Veteran Influencers

Much of the criticism directed at my earlier post came from individuals with 10 to 15 years of experience in the industry. I often wonder why anyone would care about their insights regarding entry-level positions in cybersecurity, with the notable exception of hiring managers.

Many of these veterans can offer valuable advice on creating your own course or certification, which is a route many are currently pursuing.

If you want to understand how to break into cybersecurity, ask someone who just landed their first job if you can review their resume. Many will gladly share it with you. If you seek guidance on entering the field in 2008, consult an industry veteran.

And that sums up my thoughts on that subject.

Would I Go Back?

Interestingly, no one has asked me if I would consider returning to cybersecurity or what it would take for me to do so. I’ve kept up with current trends, documented recent attack techniques, and maintained a well-regarded blog series and GitHub repository. A few months ago, I even purchased a lifetime subscription to MalDev Academy and have completed most of the modules.

So, would I return? I’m uncertain. It would depend on the firm, team dynamics, culture, and several other factors, including salary. A lot has changed for me personally since I left the cybersecurity field, and factors such as family considerations and financial stability will weigh heavily in such decisions.

I doubt I would return to network pentesting, but I would be open to opportunities in physical security or social engineering. Even if a perfect job opportunity arises, I would need to think it over carefully. I still experience anxiety over report approvals, difficult conversations with CISOs, and last-minute client updates.

I have a passion for security that I anticipate will remain with me. I will likely continue experimenting with labs, developing tools, and exploring whatever innovative iterations of Havoc, Covenant, or Sliver come next. Fifty years from now, I can envision myself reminiscing with a grandchild who isn’t particularly interested in my tales about the AD-CS craze.

In conclusion, I believe I have addressed all the key points I wanted to make. To summarize: thoroughly vet your potential employer, understand that certifications do not guarantee jobs or readiness for employment, grades don’t define your worth, strive for a livable wage, and remember that someone with 15 years of experience may not be the best source of guidance on how to land a job. Lastly, let’s not forget—SECURITY IS AWESOME!

Catch you later!
