Penetration Testing is one of the most sought-after careers for new cyber security college graduates. I don’t know how many times I have had an intern or mentee who has said that their goal was to be a pen tester. By no means is it an easy road. It takes passion and dedication to put in the hours to gain the required knowledge to just pass an interview. I think just as often, when I discuss the journey, people decide to take a different path.
This blog will discuss my recommendations for going from an infosec college student with no industry experience to a junior pentester. In another blog, we will dive into the career itself and the day-to-day life.
By no means is this the only method of achieving your dream. But this is my recommended approach based on my experiences completing the journey and mentoring others in the ethical hacker track.
1. Before Graduating, Get a CompTIA Security+ Certification
One of the most beneficial things you can do as a college student is to get a certification to go with the degree. Degrees are great, but they don't raise eyebrows like they used to. Businesses want to see that you go above and beyond what everyone else is doing.
Having the forethought to gain the Security+ certification will accomplish that for you. You may be thinking, I don't have time to do that with all my classes. Ok, well, how about during the summer break? Or how about carving out an hour a day to study for the exam? Surely you can find an hour a day somewhere.
Whatever you need to do, figure out how to study for and pass this exam. This is the pivotal certification for getting your foot in the door of the information security industry.
Now, I don't want you to just memorize test questions when you study. You need to learn and understand the concepts. This is also a prerequisite for breaking into the industry.
The CompTIA Security+ exam covers the fundamentals of what you need to know to become a SOC Analyst or to fill any other entry-level infosec role. If you don't know the information, believe me, you will not pass the interview.
Most junior-level interviews are based almost entirely on the topics in the exam. You probably won't have a multiple-choice interview, but they will ask you a question and expect you to explain your answer well. Many a time have I interviewed someone with a Network+ and Security+ certification, and they couldn't field any of the questions. They were deer in the headlights. Don't let this happen to you.
2. Take Online Classes with Certificates
Sometimes you need a little bit more on your resume to land interviews. This is where certificates and online training come in. Because you are going to be a broke college student, you need low-cost options for this step.
If you are a military veteran, check out LinkedIn Learning. I say veterans because they get a free LinkedIn Premium account that comes with access to LinkedIn Learning. Find classes there that interest you and relate to infosec, and complete them. Add the shiny new certificate to LinkedIn and your resume.
I recommend checking out the learning paths:
Each of these paths includes multiple courses, each providing certificates. For instance, the Wireshark path will give you 8 certificates of completion.
3. Get a LinkedIn Account
If you haven't already, please create a LinkedIn account. Company recruiters are actively looking on LinkedIn for candidates like you.
Recruiters are actually able to narrow their searches to specific information in a profile. So they can narrow a search down to people with a Security+ or a particular college degree. This could be you!
I can’t stress having a well-maintained LinkedIn account enough. This is how I got my first job in cybersecurity. The company reached out to me, and I couldn’t believe it! Even after being in the industry for some time, I regularly get interest. Typically every one to two weeks I have messages from a recruiter about a job.
Even after landing your first job, maintain your profile. You never know when the next opportunity lands in your inbox on LinkedIn.
4. Start in the SOC
I almost always advise people to start in the SOC as an Analyst. By starting somewhere besides pen testing, you increase your chances of landing a job, earn money while you learn, and gain exposure to technologies and processes that will serve you in the future.
Junior pen testing roles are rare. Junior pen testing roles at companies with a quality training program are even rarer. Unless you are a hotshot who has really been burning the midnight oil in college, you probably aren't going to get picked up as a pen tester first thing out of college. I mean, you could be a member of the beastly PPP (Plaid Parliament of Pwning), but probably not.
On your journey to getting your dream ethical hacker job, you need to make money and continue building your skillset. The Junior SOC Analyst role is everywhere now, or at least frequent enough to score a spot if you follow this guide.
SOC Analysts are exposed to all kinds of technologies and attacks, especially at an MSP that does 24/7 monitoring. If you get lucky, you may even be able to get on the Incident Response team, work with malware, or do forensics.
Regardless, you will be learning about security at the enterprise level. This experience and the knowledge gained from researching alerts will serve you as a hacker.
Don't forget about the education budget. Most organizations will pay for certifications or courses to improve your skills. Often they let you choose. Yup, they will pick up the bill for you to get better.
How long you stay as an analyst is up to you. I recommend staying for no more than one to two years unless you really like your job. As long as you are happy and they are continuing to give you appropriate raises, why not? But from my experience, most people are beyond burned out by then.
5. Get More Certifications
At the beginning of your career, you should be able to knock out two certifications a year. This is a relatively easy pace to sustain. If you have seen my pen tester training program, you know I recommend getting the CompTIA PenTest+ certification next.
This certification puts fundamental soft skills in place that will serve you in the SOC and as a future penetration tester. Understanding your role better and why pen testers exist is essential to providing valuable information to your clients. The exam material does a great job of skimming the surface of penetration testing.
Next, I recommend you look at INE's courses. The organization now provides the training for eLearnSecurity's certifications. You can get an annual subscription for $749 that gives you access to all of their cyber security material.
Start with the Penetration Testing Student track and then move on to the Penetration Testing Professional track. These will provide you with all the skills you need to land a Junior Penetration Tester position. Make sure to take and pass the certification exams to add more eye-catching material to your resume.
Again, work should pay for these certifications. Just make sure that your employment contract doesn't have an education-benefits payback clause. Some organizations will force you to pay back the money if you leave their employment within a certain period of time after using the benefits. Just be aware of this so that you aren't caught unawares.
None of these certifications cost a ton. If work doesn’t pay, you should be able to afford them out of pocket.
There is no single path to becoming a penetration tester, but it does require years of work. Do you need a degree? No. But so many people are graduating with a piece of paper that I wanted to speak to them.
Work hard and take the journey one step at a time. Before you know it, you will be getting paid to break into companies all over the world.
Feel free to comment with any questions. I love the feedback and I love watching people succeed!