How to Get Into Penetration Testing
One of the questions we get most when at hiring events, conferences, trade shows, etc. is how can someone get into penetration testing or break into the industry as a penetration tester? There are many avenues to becoming a penetration tester, but today we will touch on a few strategies to help get your foot in the door.
Attend Local Conferences
We were recently hiring for a junior penetration testing position and I was shocked by how many applicants were not attending and/or not aware of the various cyber security conferences available to them. These conferences are very educational, are excellent for networking, and one of the best opportunities to meet other like-minded individuals. While this alone will not get you a job as a penetration tester, it enforces the fact that you are interested and take the time to learn and engage in the community.
BSides is an international community driven framework for building events for the information security community. Below is map showing all of the local BSides events just in the United States:
As you can see, there are a plethora of events across the United States. We highly recommend you attend your local event, engage in the discussions, join a Capture the Flag team, attend the networking events, etc. There are so many ways to get involved and learn at these events that you want to be sure you take advantage of.
Obtain Certifications
There are many different information security certifications out there, all with varying degrees of complexity, focus, and prestige. By obtaining certifications, you are able to differentiate yourself from other candidates, improve your knowledge along the way, and demonstrate your technical abilities. Below are some of the most common that we would recommend:
Certified Information Systems Security Professional (CISSP) – This certification will cover almost every aspect of information security at a high level, but will not require a deep-dive in any of them. Often described as a mile wide but an inch deep.
Certified Ethical Hacker (C|EH) – The certified ethical hacker certification is a great starter certification if you are hoping to one day find a job in penetration testing. This exam introduces a lot of the core concepts, and even provides some rudimentary labs that let you get hands-on.
GIAC Security Essentials Certified (GSEC) – Another entry-level certification that covers security concepts, but this one is from SANS so while it is a great course, it does come with a much higher price tag.
Offensive Security Certified Professional (OSCP) – This is a more advanced certification specifically for penetration testers. With this certification you have 24 hours in a test environment to try to hack into and elevate permissions on different systems. Simply put, if you have this certification it can be a significant help in bypassing HR filters to find a job in penetration testing or at least get an interview.
Self Study Programs
There are many different educational resources available online these days, both free and paid. These are great ways to get a foundation to improve you penetration testing skills. We recommend both labs to practice penetration testing techniques as well as classes and tutorials on various penetration testing related activities.
Perhaps the most well known lab based tool is Hack the Box. Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. This is an excellent source for getting hands on learning and improving your craft.
Udemy is a great resource for finding online tutorials and educational videos to learn penetration testing. We would caution that there are many to choose from with varying degrees of difficulty and topics. Be sure to read the description, comments, and ratings to ensure that the course is right for you.
As mentioned, there are many paths to getting into penetration testing whether you are fresh out of school or have spent the last 15 years on a blue team. We hope these recommendations help you as you pursue a career in penetration testing. While we are not always hiring, we are always happy to assist and provide feedback and advice on what you can do today to get started. Feel free to reach out and we would be happy to discuss.