Eapolsniper's Blog
01000010 01100101 00100000 01000101 01111000 01100011 01100101 01101100 01101100 01100101 01101110 01110100 00100000 01010100 01101111 00100000 01000101 01100001 01100011 01101000 00100000 01001111 01110100 01101000 01100101 01110010 00000000 00000000 00000000 00000000

Getting a Job in Offensive Security Penetration Testing

Overview

Offensive Security is a great, sought after, and important career path. Unfortunately it’s also extremely difficult to get into initially. Below I’m providing guidance on how to build your experience before you even get your first OffSec job, helping you clear that hurdle to the job of your dreams. I hope it helps, and I encourage anyone who benefits from this to add me on LinkedIn so we can all learn from each other going forward.

Target Audience

Anyone trying to get into pentesting, especially people very new to IT such as recent college graduates. These same methods can be adapted to any field.

What is Pentesting?

  • A pentester does manual and automated testing of web apps and systems.
  • They are considered experts at locating and exploiting vulnerabilities, as well as knowing how to remediate the findings.

What are the Most Common Types of Pentesting?

The following are the most common types of pentesting, in my recommended order of learning. You can definitely get a job with comprehensive Web App, API, and limited Network testing skills. I strongly recommend focusing on that order to get your first job.

  • Web App
  • API
  • Network
  • Cloud
  • Mobile
  • IoT/Physical Device
  • Wireless
  • Social Engineering
  • Physical

Notable Other Pentesting Types

  • Mobile
  • Assumed Breach
  • Red Team

What Does An Employer Need To Hire You?

  • An internal security team needs someone passionate, willing to learn, with time to learn on and off the job, and with a drive to quickly ramp up. Many will expect you to be completely useless to them for 6 months to a year. Don’t bet on that though: the market is getting much more competitive, and if you already have experience then you’ll have a much better chance at that job!
  • A consulting company gets paid by the hour, and it can’t afford staff it can’t bill out to customers. As such, they need you to be able to start and do the job right away to a reasonable level. They will expect 1-2 years of experience or proof of strong knowledge. If you don’t do the job well, they lose customers. Bad engagements are talked about and word travels FAST.
  • Very new hires are likely to be required to be onsite (not remote) for the first year so progress can be monitored closely and assistance provided swiftly. I don’t agree with this, but it’s very common.

The Elephant in the Room

Pentesting is usually not an entry level job. I personally don’t recommend trying to do it as your first professional job, as you’ll always be playing skill catch-up. I recommend going one of two paths. Nothing stops you from getting a hybrid job doing both, or from doing one job for a few years and then the other for a few years!

  1. Developer
  2. DevOps/Cloud

For the Developer path, I encourage 1-2 years as a developer in Python. Any language could work, but Python is the most versatile language you can learn. Alternatives could be Golang or Java, but Python will serve you best. Web development in Python will serve you well for web app testing and will get you familiar with other languages/frameworks such as JavaScript, Angular, HTML, CSS, jQuery, and Django. Knowing some or a lot about these will serve you very well in exploiting web applications. 1-2 years of professional experience is enough to have a rounded basic knowledge of Python development. You’ll also likely learn some things about modern CI/CD pipeline tools such as GitHub, Jenkins, Travis CI, and/or TeamCity. These systems are excellent targets for “shift left” pentesting, where you exploit before code is released, and knowing these tools will set you apart from your competition. Going down this path will make you very strong in Web App/API testing, but won’t build you up in other types of testing. Since Web App/API is by far the most common testing done by pentesters, going down this path is my recommendation.

For the DevOps/Cloud path, find a job that uses infrastructure as code to build servers and firewall rules (security groups in AWS), and does automated patching/maintenance. AWS is the most used cloud platform, and finding a job doing DevOps for an AWS customer will provide you options both inside Information Security and outside of it. If you guessed that Python is going to be the most likely language needed for DevOps Infrastructure as Code, then you’re right! While you can write IaC in multiple languages, Python is the most common and most flexible. Learning how servers are set up, configured, misconfigured, and break/fix hacked together will give you skills that directly transfer to network pentesting. You can still learn what you need for Web App/API testing, so don’t worry! You most likely won’t have dev skills deep enough to find complex web app logic vulnerabilities without more training than a Developer would need, but you’ll still have the skills to do a great job!

What is Experience?

When looking at experience for a job, many people think of only two options: college and professional job experience. While these are two of the easiest experiences to have, they’re definitely not the only experience you can have.

So let’s ask: what constitutes experience when applying for a job? A job role has a list of specific skills that are needed to do the job. The objective of those looking for candidates is to find people with those skills. To do this, you can’t just say “I can do web app pentesting”. There’s no way for the employer to know that you know it; people lie constantly when trying to get a job, especially a 6 figure job with fantastic benefits. So, employers need 2 things: they need the experience to be documented, and verifiable. Think back to writing papers in school: if you say “The moon is made of cheese”, you’d better have a reliable source to back it up or you’re going to get flunked out.

When you look at a job posting, look hard at the requirements and at your resume and think “does my resume PROVE that I meet this requirement?” This is where people have extreme trouble getting into Offensive Security jobs. You almost have to have had the job for 1-2 years to get the job. Or so it seems, but that’s not the case at all.

If you were lucky, you may have had an internship in college in Offensive Security, Information Security, or development. This is directly applicable experience that you can use, but you have to document clearly what you worked on. The best internships give you a large project to work on, so you can say “I made this cool tool for this company”, and that gives you a great discussion point.

If you weren’t that lucky, or even if you were, let’s look at excellent sources of verifiable experience.

What are common skills needed for a pentester?

This is an extremely non-exhaustive list, but these are the very core skills that I’d recommend getting.

  • Programming skills
  • Linux Skills
  • Web App Pentest Skills
  • API Testing Skills
  • Common Hacking Tools

Proving Programming/Development Skills

  • You likely didn’t learn enough in a college class to prove you know a language to a reasonable level. They teach you enough so you can learn the rest on your own.
  • You learn programming by writing code, lots and lots of code. Expect 1 year of writing random code consistently to learn a language well enough for a job, and even that’s not a guarantee.
  • The best way to prove you know coding is to show what you’ve written. Create a GitHub account and push the code you write to it, from small scripts to web apps to larger applications. Focus on 2 pentest tools that you create from scratch to highlight on your resume and talk about. They don’t have to be crazy, and they can be based on something already in the industry; just make your own version to show you can do it. When they go to look at those two, they’ll see all the rest and be impressed!
  • Put your GitHub link on your resume, your LinkedIn, and your blog!
  • You can start pushing code while in college. Make a repo called “learning” or something; it’ll show your commits for however many years you’ve been doing it, and that’s verifiable!
  • Language certifications are generally useless (currently). Don’t bother unless you can get them free or super cheap.
  • Side Note: No programmer can just write blindly; they research, google, and use references for syntax. You shouldn’t expect to just blindly write flawless code for years, if ever. Impostor Syndrome is a very real thing in our industry, don’t fall for it. Nobody is as good as you think they are, and you’re always your own worst critic!

Proving Linux Skills

  • Focus on Debian/Kali Linux
  • Linux+ is a great cert that helps prove Linux skills, but it costs money. I highly recommend finding a book and reading it, or finding videos online and watching them for the knowledge. Get the cert if you can afford it.
  • Writing Bash scripts/pentest tools in Bash shows Linux programming proficiency (add them to your GitHub!)
  • Create some Linux how-to videos and put them on YouTube. Even if they’re basic, they show you know things! Add them to your blog and post them on social media!

Proving That You’ve Learned Pentest Skills

  • PortSwigger Academy (Free) - Has a verifiable dashboard if asked for proof
  • HackTheBox (Free) - Has a verifiable dashboard if asked for proof
  • TryHackMe (Free) - Has a verifiable dashboard if asked for proof
  • If your college/employer gives you a Udemy.com subscription, you receive certificates of completion when finishing courses. Keep these as proof.

PortSwigger Academy is, arguably, one of the best free resources for learning web app pentesting. They have 3 difficulty levels and a growing number of labs to teach skills. This is the first place I recommend people go when learning pentesting, to learn practical and directly usable skills.

Side Note: HackTheBox has an academy version that is very cheap for active college students ($8USD/Month). They have paths to learn Bug Bounty and Pentesting, and I highly encourage learning with their resources. Again, these are verifiable, and HackTheBox (HTB) is industry recognized. The one bad part is that people post writeups/solutions to hacking challenges, so it’s hard to know who cheated to pass challenges, but you still had to follow along and it’s a learning experience either way, so it’s considered very good experience to have. Many job posts reference HackTheBox as a positive experience point.

Proving That You Can Actually Do Pentesting

  • HackerOne/Bug Bounty
  • Other Responsible Disclosures
  • Getting CVEs on web apps you can download and run in your own environment

Bug Bounty Discussion

A difficult challenge when learning penetration testing can be finding a place to get real world, hands-on experience in a safe and legal way. Joining a Bug Bounty program can be a great way to learn without running into legal issues. There are two primary platforms, HackerOne and Bugcrowd. Both offer similar programs; for this discussion we’ll use HackerOne because their hoody is exceptionally comfy.

A Bug Bounty program allows anyone to sign up and find companies who have approved testing on their network by anyone on the platform (i.e. HackerOne). The agreement is that anything found will be reported through the platform and kept private while being remediated. Companies offer 3 things in return to hackers: kudos, swag, and/or money. Only the first person who reports a vulnerability gets credit. While learning, I strongly recommend going for the programs that only offer kudos or swag, as these will have fewer of the “rockstar” hackers on them finding things.

When you report findings, you have a dashboard that you can provide to employers that shows how many vulns you’ve reported, how many have been accepted, and in some cases the full vulnerability report is visible. Non-money programs are not only less likely to be picked over quickly, but they are also more likely to make the report visible, which is great for you as you can show an employer what types of vulns you find, how you found them, how you’d recommend remediation, and your overall writing style. This is the best definitive proof that you not only know the job, but can do the job.

Put a link to your bug bounty profile(s) on your resume, and link 1-2 of your best public findings if you have any. Sign up for the platform right away, because the joined date is public, and even if you don’t do any hunting right away, it starts the experience counter for you. As you’re learning, I encourage you to try to find vulnerabilities on these real networks.

One important thing with Bug Bounty programs is that each will have a scope. This is the rules of engagement: what you can hack, how deep, what vulnerabilities or activities are not allowed, etc. It is very important not to go out of scope, as this could put you in legal trouble. Stick to the sites they provide.

Once you find vulnerabilities and report them, it can take a few months for them to show publicly, so keep looking and building that resume experience!

Take a look at an example profile of a friend of mine who’s been doing HackerOne for several years: Hogarth45 HackerOne Profile. Note that you can see some of the vuln reports, activity over time, and the total number of vulnerabilities reported. It’s basically a standalone resume!

Pentest Tools You Need to Know

There are a lot of pentest tools someone should know, but there are a few that are so indispensable that not knowing them will be looked down upon. Back in my day they’d say ‘You’re not leet’. Spend some time getting familiar with these and it will help you in interviews.

  • Burp Suite (Pro preferred!) – You will learn it well with PortSwigger Academy! Expect to be asked for 1-2 of your favorite extensions!
  • Metasploit
  • Nessus (Free version available to learn with)
  • An API application like Postman or Insomnia
  • Sqlmap
  • Nmap
  • Wireshark (At least the basics)

Important Knowledge To Know

Unverifiable But Useful Methods of Learning

I recommend spending 30 minutes a week reading each of these resources. Your skills will grow very quickly as you learn from others!

Showcasing Your Experience

If you have a lot of dashboards that show activity (such as Hack The Box, PortSwigger, etc.) that can’t be seen without logging in with your account, then create a webpage to showcase all of them and make it an extension of your resume! GitHub offers free hosting for static webpages. I recommend learning Jekyll and making your own webpage! Example: the blog you’re reading right now! You can also make a list of notable blog posts, HackerOne reports, etc. that you like, to showcase some unverifiable things and make them slightly more verifiable!

Certifications

Certifications are a good way to showcase what you know, and HR loves them. While it’s not required that you get them, having at least a few will help you get jobs. Here’s a list of certifications, in a rough order, that I would recommend you look at when starting out. Note though that they do cost money.

  • PortSwigger Burp Suite Certified Practitioner
  • INE Junior Penetration Tester (eJPT)
  • INE eWPT
  • INE eCPPT
  • CompTIA PenTest+
  • Offensive Security OSWA
  • Offensive Security OSCP

Note that INE has a year-long learning subscription to all of their training for about $800/year, and certifications are approximately $350 each. I believe INE provides certificates of completion if you can’t afford the certs, but I strongly recommend doing the certs if you’ve done the work.

Offensive Security has a fantastic set of certifications which don’t expire. The exams are hands-on practical labs, not just a brain dump. The downside is the training doesn’t prepare you to take the exam; it prepares you to start working on the labs. You need to beat your head against the labs and “try harder” for a, and I can’t stress this enough, LONG time to succeed. I’ve met testers with years of experience who fail the OSCP, and I’ve met testers with no experience who pass. All that matters is the time you put in. The problem with this is that Offensive Security is rather expensive. At the time of this writing, 90 days of lab access + a cert attempt is $1500. While this doesn’t sound bad, for someone more entry level, 90 days is likely not enough time to go through all of the material and the labs. I strongly recommend using other resources to learn before spending the money with Offensive Security. They do offer a 1 year “All access, unlimited cert attempt” path for $5500, but this is difficult for many to afford. You may be able to get your first job to pay for it for a year. If that’s the case, spend every waking moment in their platform and get every certification you can during your year. They are the most valued certifications in the industry for good reason: if you can pass them, you can do the job. INE has great training that actually teaches you the skills needed to attack the labs and make progress, and going through several of their courses first will save you a lot of money down the road at Offensive Security.

A note on Certifications:

  • Certifications often expire, and you should probably let them go. Just add (expired) after them on LinkedIn and your resume. Nobody will care. Renewals are often lock-ins to try to get you to spend more money with the cert vendor and provide you little to no value.
  • The exception to this is the CISSP and CISM; maintain these for DoD 8570 and for HR.

Job Posts

  • Job posts are a wish list, not hard requirements.
  • The worst that can happen when applying for a job is you get rejected or ignored. So always apply for a job and be honest on your skill level.
  • Never lie to get a job. Honesty on skills is very important.
  • There’s currently a LOT of competition for remote jobs. You may have to move for your first pentest job, or keep bug bountying until someone is willing to hire you remotely.

Automated Resume Rejection

  • Many new HR systems automatically parse resumes and reject weak candidates. These systems are horrible and reject even some of the best candidates.
  • Slightly unethical solution: Take the job post, add a page to your resume, and paste the job posting on that page. Set the font to size 5 and set the text to white so it’s invisible. Now you’ll meet all requirements and you’ll be passed on to a real human to review you!
  • ChatGPT can really tailor your resume to a job posting, use it wisely. Always check that it didn’t lie with the changes!
  • No matter what, expect rejection. Applying for jobs is like using Tinder. Just swipe right on everyone, and see who likes back and go from there. Don’t bother being picky before knowing you have a shot.

Training Budgets/Learning Resources

  • When getting interviewed, ask detailed questions about training budgets and learning resources!
  • Udemy and O’Reilly Books are great resources some employers provide; Udemy especially is really worthwhile.
  • How much do you get for training yearly? Will they support your journey both in your current role and your interest in security?
  • SANS can be 8-10K per course/certification and is often not worth the money unless your employer volunteers it. A lot of people have a Fear of Missing Out (FOMO) regarding SANS; there is better training out there that’s more hands-on and practical. Don’t fall for the trap, unless your work will pay for it.
  • Offensive Security courses/certs are $1600-2500 and are very worth the money.
  • Do they do tuition reimbursement? (Free Bachelors/Masters Degree!)

Marketing Yourself

The tech market is a popularity contest; there’s no way to refute that. Who you know is as important as what you know. The industry is very into shiny tools and deeply respects people who do research, share knowledge, and give the community a good reputation. It’s very important to market yourself on social media. Here are some examples of ways you should be marketing yourself:

  • Blogs
  • LinkedIn Posts (share your blogs!)
  • Twitter Posts (share your blogs!)
  • Talks at Cons
  • Attending InfoSec Meetups/cons
  • CREATING MEETUPS - Those who run meetups are very respected
  • Volunteering at cons
  • Volunteering on opensource/community projects

  • ** Constant Contact! **
  • ** Constant Engagement! **
  • ** Up it when you know you’re going to go job hunting! **

Udemy & Other Courses

There are a lot of free ways to gain knowledge, but if you’re lucky enough to have an employer who gives you a Udemy or O’Reilly subscription, I’ve curated a list of useful courses you can take. If you have to pay for each course, I don’t recommend this path, since you can find the knowledge free somewhere with some effort. If you do choose to pay for any of these out of pocket, know that there are Udemy coupons online that can substantially drop the price of courses.

Foundational Knowledge

General Pentesting

API Pentesting

Network pentesting

Cloud Pentesting

Wireless Pentesting

Pentester Academy

Pentester Academy is a great resource for learning a lot. It costs $69/month but gives access to a massive amount of course videos and labs. I don’t know if there are certificates of completion or dashboards showing progress, but you can document on your webpage/resume which courses you have completed to show some knowledge. In years past they’ve given good discounts on Black Friday/Cyber Monday, but since they’ve been acquired by INE I’m not sure if they still do this. They do have aggressive practices of making you feel a deal is about to be ripped away and pricing will go up. It won’t; don’t fall for it. They have some bootcamps that do come with certificates of completion and certifications. While not as industry recognized, they are great courses and I recommend them. I wish they were more recognized, but as we’ve seen above it’s less about industry recognition and more about showing your knowledge and interest in the job.