Career in cybersecurity

I'm working as a dev but I've been doing some HTB/CTF/playing around with pentesting stuff in my free time because it's fun. But lately I was thinking about seriously pursuing it and maybe switching careers. Is it worth it? How is the reality of the job? I know that you aren't larping as le Mr. Robot haxx0r, but besides that I have no idea about the field. How is the pay? How competitive is it? How enjoyable is it? Do you actually get to do some "hacking" or do you spend 80% of your time making sure that company XY adheres to standard Z and telling Susan from marketing that she shouldn't click that phishing mail next time? Also, when you do HTB/vulnhub/whatever, you know that there is a flag and the machine can be rooted. In reality, I assume that many times you won't be able to enter a system when pentesting, right? So does that mean you spend days/weeks trying to gain access and then go "oh well I guess it's secure" and then write a report?
I'm asking this because, as I said, I enjoy it as a hobby, but I'm scared that it will become dull and unenjoyable once it is my job.

leet hacker anons, tell me about your job.


>Is it worth it?
Honestly depends on what you get out of security.
>How is the reality of the job?
A lot of paperwork and spreadsheets.
>How is the pay?
Typically very good, even for graduates and juniors.
>How competitive is it?
There's a metric fuck tonne of people trying to get into security, but the hiring practices are completely fucked; they don't want to train anyone and shit like that.
>Do you actually get to do some "hacking" or do you spend 80% of your time making sure that company XY adheres to standard Z and telling Susan from marketing that she shouldn't click that phishing mail next time?
Completely depends on your position. I've worked in security operations and a lot of it is basically, as you say, about adhering to standards and the phishing email stuff. Currently I'm a mix of vulnerability analyst and penetration tester, so I'd say 70% of my time is spent scanning and testing whether our vulnerabilities have been fixed and stuff like that.
>Also, when you do HTB/vulnhub/whatever, you know that there is a flag and the machine can be rooted. In reality, I assume that many times you won't be able to enter a system when pentesting, right?
Yeah, you're basically right on the money. You don't know if anything actually *can* exploit something, despite your scanners saying it's vulnerable. Things won't be as easy as an HTB/vulnhub box, so "hacking" a box on those services might take you a few hours, but in real life scenarios, a pentest could be days, weeks or even months. Depending on the scope and rules of engagement that you have set out with the company, you might be able to enter a system, you might not.
I'll be honest, the answer to most of your questions is: it depends. It depends on how much you like the subject. It depends on how much you know and are willing to learn. It depends on your actual role, your responsibilities, and the company you work for. There's no other way to know whether you'll enjoy it as a career until you go for it.

One thing I want to add in regard to
>So does that mean you spend days/weeks trying to gain access and then go "oh well I guess it's secure" and then write a report?
Again, depending on your role and company, this will be different. That kind of stuff is the bread and butter of MSP work or contractors, whereas in my job (mix of vulnerability analyst and pentester) it's all internal; I'm doing it for my own company, not pentesting an outside company. So I don't spend days/weeks trying to get access and just going "guess it's secure". I run tests on our own networks and subnets, run vulnerability scans, and manually test any vulnerabilities that come back to see if they're true/false positives/negatives. So in my case, my "reports" are a short email summary each month to our international divisions saying "Hey, this is how many vulnerabilities there are on your networks. Please fix them", and then I do the whole thing again periodically to see if they've been fixed.

From my personal experience in a third-world hellhole.

>is it worth it?
Yes. The pay is good.

>how is the reality of the job?
You will be auditing web applications.

>how competitive is it?
Not extremely competitive because generally only certain sensitive industries can afford to hire information security services.

>how enjoyable is it?
With a competent and responsible project manager, it's great.

>do you actually get to do some "hacking"
Yes. Basically you will adopt the role of a malicious actor and your job will be to cover as many attack scenarios as possible through automated tools. This is done to buy time and cover as much space as possible. Real threats do not operate this way, but as a consultant you will be working through agile scrum methodology. Finally, eventually you will discover one or more edge cases where it will be possible to inject unwanted functionality, and from there you will start poking.

>do you spend time making sure that company XY adheres to standard Z?
These are special exercises that are carried out from time to time.

>telling Susan from marketing that she shouldn't click that phishing mail next time?
When documenting a finding and submitting your report, it is not always the case, but it does happen, that you will have to defend your position on the actual threat level of the vulnerability. In such cases, you will be called to a meeting attended by the product owner, the scrum master and the technical lead and you will have to explain as eloquently and simply as possible what the finding is about, how it can be exploited and its implications for production.

>you spend days/weeks trying to gain access?
Never. You work under agile scrum. In my particular case, the auditing was to take four days and by the fifth day I had to send in my report for technical assessment.


There's more to cybersecurity besides red teaming.
For some reason, people only really talk about pentesting.
The white man joins the blue team/DFIR.

Also hoping to switch from developer to sec as I realized that's where my interest truly lies. Assuming I'm going to have the certs needed (OSCP and the like), does anyone else have any tips for entering the field? Would be really appreciated, quite nervous.

>certs needed
Got in without any. Just prove that you know your shit and you're actually interested.

Thanks for that comprehensive response, user.

redpill me about blue teaming / DFIR

>There's more to cybersecurity besides red teaming. For some reason, people only really talk about pentesting.
This. There's GRC, red team, blue team, forensics, malware analysis, etc. So many under the umbrella, yet everyone focuses on red teaming.

>watches IBM Guardium monitors the whole workshift

I really can't.
I was in the fortunate position to have a malware analysis, threat intel/hunting, forensics and IR position, pretty much. A healthy mix of everything that one might call blue teaming.
And, in contrast to red teaming things, I actually learned a ton of stuff.
I was tasked to detect, prevent and find breaches in various capacities, which not only required knowledge of the attack vectors, but also of what these attacks did to the underlying OS and how that could be prevented or detected.
You get insight into TTPs, you research those, you find new cool things to try out on your own.
Now I moved from working for customers and consulting to being employed by a single company, and while it's similar, I also have to deepen my network and domain knowledge, even more so than before.

Granted, people at the top of their class in red teaming activities/pentesting are very, very smart people and also have deep knowledge of their stuff, but I feel like for 99% of people their knowledge boils down to basically following different kinds of playbooks.
There's all these little pentesting companies hiring some rando off the street who had the patience to get whatever certificate, just to have him follow the same exact engagement plans for every single assessment.
Most companies I worked for in the past hire these pentesters to be compliant with some standard or just because "it's what you do", but rarely do they report that the assessments were fruitful for them.
Red teams that are working for a company are different; these actually tend to do some funky shit instead of just running vulnerability scanners and reporting every XSS as critical.

But you know, that's what I gathered in my past few years in netsec. YMMV.

Which is really strange to me. I always thought I wanted to red team until I actually got into it. But you know, media portrays netsec as the guys breaking in and anything in a defense/response role as admins. Because they don't do bad shit or run kali or something.

Yeah, that's the other side of the coin, I guess. It's what playbook/vulnscanner pentesters are on the blue team side.

>malware analysis
Malware analysis has pretty much become my hobby. I have no idea how I go about making a career out of it though. I guess I should start investigating my options as a fucking start.

start a blog/whatever analyzing shit and apply at AV vendors or smaller companies developing their own scanners (which are just yara based anyway)

Actually starting my blog in the coming week, yeah, with a few writeups already done. I noticed that's a common approach amongst a lot of malware analysts, so I figured it's time to get on it. Come hell or high water I'm going to make this my fucking career. Good thread, appreciate all the insights shared.

Has anyone here done/watched an online course and managed to do some freelance work, gaining some money?

Today I finally deployed a container with Atutor 2.2.2 in order to follow the AWAE WEB-300 course step by step. If you have questions, go ahead; I always look at the board archives concerning cybsec.


Holy wall of text batman

Rapidly changing industry. When I started I was mostly just doing email gateway work: releasing clean emails, doing static analysis on malicious email attachments, and then blocking payload URLs.

These days, I just approve or reject an AI's decision to block x phish campaign.

Just started a 1 year TAFE (vocational school in Aus) course this week. One of the courses is literally learning Python from scratch; one of my other classes is boring OHS shit that I've got to do for 4 weeks. The only interesting one so far is hardware, because I haven't done much of that before. I know my cert from this is going to be useless when I finish (they're trying to push people into help desk roles). Is it worth getting online certs? Or just working on my own projects in the meantime? I don't want to have to tell old people to fix basic shit over the phone any longer than I'd ever have to.

>python
Always useful.

Python is cool, but I already know most of what's going to be taught to me. I didn't really allude well to what I was asking. What should I do in my spare time to get a better job?

You could do OSCP or CREST certs and join the army, or maybe find an entry-level cyber job.