CYBERSECURITY JOB HUNTING GUIDE
Penetration testing as career
Author: Stefan Waldvogel
Penetration testing as career path
Overview
Now, many people are going into penetration testing. There are many reasons for this: The most significant factors are salary and reputation. As a junior penetration tester, you can make $100,000. This value is a lot of money.
Universities and Community Colleges offer Cybersecurity classes, and it looks like a simple way to earn a ton of money.
Why do employers pay so much money?
The reason is simple; there is a significant shortage, and there are not enough qualified people with work experience to do an excellent job. This statement sounds weird because so many people are going into this field and cannot find a job.
You have a Master’s in Cybersecurity and feel prepared: Sorry, that is not enough. You have to know so much more! It will help if you have more hands-on. If you do not believe me, read the matching job offers in this field. 3 to 5 years of work experience is the hidden hint for hands-on.
What is the problem?
The other reason is the word: “qualified.” To be a good penetration tester, you need to know a lot of things and have a (deep) understanding of five to six separate topics:
A systems administrator in an entry-level position earns less, but it is usually above $50K.
source: https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
How to become a penetration tester
It would help if you realized that this path is nothing for people with little time. The good thing is, we have many ways into penetration testing. It should be clear that an employer will not pay $100K if you do not have IT or another robust and challenging background.
Some paths are:
Now, many people are going into penetration testing. There are many reasons for this: The most significant factors are salary and reputation. As a junior penetration tester, you can make $100,000. This value is a lot of money.
Universities and Community Colleges offer Cybersecurity classes, and it looks like a simple way to earn a ton of money.
Why do employers pay so much money?
The reason is simple; there is a significant shortage, and there are not enough qualified people with work experience to do an excellent job. This statement sounds weird because so many people are going into this field and cannot find a job.
You have a Master’s in Cybersecurity and feel prepared: Sorry, that is not enough. You have to know so much more! It will help if you have more hands-on. If you do not believe me, read the matching job offers in this field. 3 to 5 years of work experience is the hidden hint for hands-on.
What is the problem?
The other reason is the word: “qualified.” To be a good penetration tester, you need to know a lot of things and have a (deep) understanding of five to six separate topics:
- Basic IT knowledge
- Wired and wireless networking
- Windows with Active Directory
- Linux
- Web applications
- A programming language, e.g., Ruby, Python, Bash, Powershell…
A systems administrator in an entry-level position earns less, but it is usually above $50K.
- A good pen tester can do both jobs; therefore, the salary is high.
- An excellent pen tester is good enough in all areas.
source: https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
How to become a penetration tester
It would help if you realized that this path is nothing for people with little time. The good thing is, we have many ways into penetration testing. It should be clear that an employer will not pay $100K if you do not have IT or another robust and challenging background.
Some paths are:
These are examples, and there are more paths. If you put a lot of afford into it, you can become a pen tester in years.
Do you not have the “right” background? You can still get a job, but it is much more challenging. Stand out positively. A blog or a YouTube channel can help.
Gain the knowledge and prove that you know!
The Help desk position path
A help desk position is a pleasant start because you can learn how to deal with customers and you will learn the basics of IT. Both skills are essential, much more than you might think.
It is a plus to have CompTIA A+, but it is not always necessary to take the certification. If you have a help desk position, skip A+, you are already beyond that.
Do you not have the “right” background? You can still get a job, but it is much more challenging. Stand out positively. A blog or a YouTube channel can help.
Gain the knowledge and prove that you know!
The Help desk position path
A help desk position is a pleasant start because you can learn how to deal with customers and you will learn the basics of IT. Both skills are essential, much more than you might think.
It is a plus to have CompTIA A+, but it is not always necessary to take the certification. If you have a help desk position, skip A+, you are already beyond that.
It is time to plan your next step. Study something useful. Check the local job market, your interests, and look for the next job.
Let us say you want to be a Network Administrator. A help desk position is an "easy" 9 to 5 job, be ready to study at home and take CompTIA's Network+. Watch good YouTube channels, e.g., Professor Messer's, and take the certification if you feel ready. This certification is about $320, but many employers will pay for it, and it is a relevant certification for DoD 8570 (IAT Level I).
If you have time, you can try to get a sponsored CCNA course at your local Community College. Without sponsorship, the course is about $5,320.
The Network Administrator path
With a CCNA certification, you will most likely get a job offer. Why should you start with a help desk position if you can start as a network admin? Use the community college's internal job market, Indeed, LinkedIn, or other platforms to find a job. Most important: Do networking and ask your friends and your professor. In this position, you are making the first good money. Use it to your advantage and increase your horizon!
Now, learn to do the job very well. Learn a lot of tricks and get ready to widen your knowledge. If you have time to drink a coffee during work hours, you can do that or study something related to your goal.
After some months to a year, you will feel more comfortable, and you know a lot about networking. From this point on, you have multiple options: Go deeper in networking and take more advanced certifications, e.g., CyberOps Associate, CCNP, or something similar. If your employer pays for a job-relevant certification, take it!
Let us say: You decided to go more into the Cybersecurity field.
What next?
This article highlights penetration testing, but Cybersecurity is much more than that! There is a red side (attacker side), a blue side (defender side), and a purple side (mix). There are many more blue jobs than red jobs, and you are in a suitable position for both jobs. As a Network Administrator, you know most likely what a SOC (security operations center) is. Many times these people told you to fix something security-related. Maybe they called you in at 3 am in the morning….
Both jobs have unique paths, different certifications, and use other tools.
The blue side (quick introduction)
The blue side is about defending a company from different threads like APT, DDoS, MitM. Malware, Ransomware, (spear) phishing attacks, XSS, SQL-Injection and much more.
In a SOC as an analyst, you use Snort, Nagios, Ettercap, tcpdump, or use a SIEM (e.g., Splunk) to analyze logs. The salary starts at $42,500 (a number for your orientation, which could be different now) without experience. It should be possible to jump directly from a help desk position into a SOC, or if you have hands-on (e.g., Chris Long Detection Lab or the BTL1 certification), you can jump directly into it.
If you had a different IT position, a Security Engineer is a wildcard job title that may entail something you are familiar with and find comfort in it.
It is possible to start with the blue side before going into the red field because there are many more jobs. Some of them are very advanced and challenging (e.g., Malware Analyst, Reverse Engineers, Incident Responders). If you are good enough with a lot of experience, it is possible to earn more than $100k per year.
Blue Team has the BTL1 certification.
If you google for "CISO mind-map," you will see how big and important this field is, and it should be clear it needs its article to cover it better. The blue side can be very challenging, and a single mistake can cost the company millions of Dollars... I mention the blue side because if you do not get a job as a penetration tester, it is "easy" to switch to the blue side.
Free material and ideas (blue):
Let us say you want to be a Network Administrator. A help desk position is an "easy" 9 to 5 job, be ready to study at home and take CompTIA's Network+. Watch good YouTube channels, e.g., Professor Messer's, and take the certification if you feel ready. This certification is about $320, but many employers will pay for it, and it is a relevant certification for DoD 8570 (IAT Level I).
If you have time, you can try to get a sponsored CCNA course at your local Community College. Without sponsorship, the course is about $5,320.
The Network Administrator path
With a CCNA certification, you will most likely get a job offer. Why should you start with a help desk position if you can start as a network admin? Use the community college's internal job market, Indeed, LinkedIn, or other platforms to find a job. Most important: Do networking and ask your friends and your professor. In this position, you are making the first good money. Use it to your advantage and increase your horizon!
Now, learn to do the job very well. Learn a lot of tricks and get ready to widen your knowledge. If you have time to drink a coffee during work hours, you can do that or study something related to your goal.
After some months to a year, you will feel more comfortable, and you know a lot about networking. From this point on, you have multiple options: Go deeper in networking and take more advanced certifications, e.g., CyberOps Associate, CCNP, or something similar. If your employer pays for a job-relevant certification, take it!
Let us say: You decided to go more into the Cybersecurity field.
What next?
This article highlights penetration testing, but Cybersecurity is much more than that! There is a red side (attacker side), a blue side (defender side), and a purple side (mix). There are many more blue jobs than red jobs, and you are in a suitable position for both jobs. As a Network Administrator, you know most likely what a SOC (security operations center) is. Many times these people told you to fix something security-related. Maybe they called you in at 3 am in the morning….
Both jobs have unique paths, different certifications, and use other tools.
The blue side (quick introduction)
The blue side is about defending a company from different threads like APT, DDoS, MitM. Malware, Ransomware, (spear) phishing attacks, XSS, SQL-Injection and much more.
In a SOC as an analyst, you use Snort, Nagios, Ettercap, tcpdump, or use a SIEM (e.g., Splunk) to analyze logs. The salary starts at $42,500 (a number for your orientation, which could be different now) without experience. It should be possible to jump directly from a help desk position into a SOC, or if you have hands-on (e.g., Chris Long Detection Lab or the BTL1 certification), you can jump directly into it.
If you had a different IT position, a Security Engineer is a wildcard job title that may entail something you are familiar with and find comfort in it.
It is possible to start with the blue side before going into the red field because there are many more jobs. Some of them are very advanced and challenging (e.g., Malware Analyst, Reverse Engineers, Incident Responders). If you are good enough with a lot of experience, it is possible to earn more than $100k per year.
Blue Team has the BTL1 certification.
If you google for "CISO mind-map," you will see how big and important this field is, and it should be clear it needs its article to cover it better. The blue side can be very challenging, and a single mistake can cost the company millions of Dollars... I mention the blue side because if you do not get a job as a penetration tester, it is "easy" to switch to the blue side.
Free material and ideas (blue):
The red side
The red side is about legally attacking a company to test its security. Typical jobs are a penetration tester or web-application tester. A penetration tester is a “white hat” because this person has a signed agreement between him/her and the company.
Two words about universities and the certification industry:
Universities:
If you are smart, you do some certifications during your university time. Standard certifications are Network+ and Security+. These certs are “cheap.” You can take them because HR loves these certifications for entry-level positions.
Certification industry:
In America, certifications are everywhere. We highlight them in many blogs and posts. Get 11 certs in 5 months.... CompTIA, EC-council, SANS, and other companies spend nearly unlimited money advertising their products.
It is essential to know that certifications alone may get you an invitation to a job interview. Still, you can not pass the most straightforward practical tests without hands-on experience. An employer is not interested in a “question-warrior”, and your boss wants to know if you can do the job.
I have CompTIA’s A+, Network+, Security+, Server+, but all these courses only brought me theoretical knowledge. I studied for SSCP as well and finished the materials, but I did not take the certification. Why? Many certifications are not good for life, and you have to spend money every year, over and over. It is expensive and most times not worth it...
If you spend your own money on certifications, look for these things:
CEH
During university time, you might see advertisements about the EC-Council's CEH certification. In my opinion (everyone has a different view), it is not helpful to take the CEH class or exam because this certification is costly ($2,800) and for the price not useful (except you want to work for the government and you do not like CySA+). It is one inch deep and 100 miles wide. CEH is still known, and HR loved this certification in the past, but you can use this money for better things. The exam answers many “easy” questions… and some are not even related to reality or very outdated. A while ago, it was a valuable certification, but you can take much better certs, especially for the price.
Does it have value? At least not in the US. Take LinkedIn and look for jobs with this requirement. In Austin, we have 105 out of thousands of open Cybersecurity jobs with this requirement (June 2021). All of those jobs have cheaper certs as a requirement, too. Therefore there isn't a single need for such an expensive and outdated cert.
On top of that, EC-Council damaged their reputation over the last years a lot. If you are interested and want to build your own opinion, use Twitter to learn more about plagiarism, deleting legitimate critique, mistreating women and other things EC-Council might stands for.
The red side is about legally attacking a company to test its security. Typical jobs are a penetration tester or web-application tester. A penetration tester is a “white hat” because this person has a signed agreement between him/her and the company.
Two words about universities and the certification industry:
Universities:
- Many go to a Community College or a University and get a degree in Cybersecurity.
- Many of them think they are now ready for a job as pentester, but… that is not true at all.
If you are smart, you do some certifications during your university time. Standard certifications are Network+ and Security+. These certs are “cheap.” You can take them because HR loves these certifications for entry-level positions.
Certification industry:
In America, certifications are everywhere. We highlight them in many blogs and posts. Get 11 certs in 5 months.... CompTIA, EC-council, SANS, and other companies spend nearly unlimited money advertising their products.
It is essential to know that certifications alone may get you an invitation to a job interview. Still, you can not pass the most straightforward practical tests without hands-on experience. An employer is not interested in a “question-warrior”, and your boss wants to know if you can do the job.
I have CompTIA’s A+, Network+, Security+, Server+, but all these courses only brought me theoretical knowledge. I studied for SSCP as well and finished the materials, but I did not take the certification. Why? Many certifications are not good for life, and you have to spend money every year, over and over. It is expensive and most times not worth it...
If you spend your own money on certifications, look for these things:
- Good for life -> unlimited valid, without renewing costs
- 100% hands-on experience -> it will boost your knowledge more than answering 1000 questions.
- Microsoft (renewal: you have to pass a free assessment to keep the certification)
- OffensiveSecurity
- TCM Security with PNPT
CEH
During university time, you might see advertisements about the EC-Council's CEH certification. In my opinion (everyone has a different view), it is not helpful to take the CEH class or exam because this certification is costly ($2,800) and for the price not useful (except you want to work for the government and you do not like CySA+). It is one inch deep and 100 miles wide. CEH is still known, and HR loved this certification in the past, but you can use this money for better things. The exam answers many “easy” questions… and some are not even related to reality or very outdated. A while ago, it was a valuable certification, but you can take much better certs, especially for the price.
Does it have value? At least not in the US. Take LinkedIn and look for jobs with this requirement. In Austin, we have 105 out of thousands of open Cybersecurity jobs with this requirement (June 2021). All of those jobs have cheaper certs as a requirement, too. Therefore there isn't a single need for such an expensive and outdated cert.
On top of that, EC-Council damaged their reputation over the last years a lot. If you are interested and want to build your own opinion, use Twitter to learn more about plagiarism, deleting legitimate critique, mistreating women and other things EC-Council might stands for.
Pen tester’s knowledge
As mentioned before, to work as a pentester, you need a massive amount of knowledge. That is not something that you can get in one or two years.
Start with free YouTube videos. Some great YouTube channels are The Cyber Mentor and Hackersploit, but there are many more. Build a lab at home. Use VirtualBox, HyperV, or a different Hypervisor and set up your virtual machines. Download Kali Linux and some Windows machines. Use these resources to learn more about penetration testing.
Some materials:
As mentioned before, to work as a pentester, you need a massive amount of knowledge. That is not something that you can get in one or two years.
Start with free YouTube videos. Some great YouTube channels are The Cyber Mentor and Hackersploit, but there are many more. Build a lab at home. Use VirtualBox, HyperV, or a different Hypervisor and set up your virtual machines. Download Kali Linux and some Windows machines. Use these resources to learn more about penetration testing.
Some materials:
I worked years in IT as a database administrator/systems administrator, and I took each CompTIA A+, Network+, Security+, and Server+ exam in about two to three weeks. The learning material was not complicated or challenging. I felt I was well prepared to go into this field, but it was not true at all! It was super tough to learn the first steps in Cybersecurity.
Do not underestimate the massive amount of knowledge that you have to learn.
Next steps:
There are many ways to get more knowledgeable. You can learn with:
If you want to try something new, you can go for HackTheBox Academy (academy.hackthebox.eu/). The fundamental courses are free.
A comprehensive list of things to learn is here: github.com/StefanAustin/awesome-red-teaming This list is massive and many times beyond OSCP level. If you want to learn pen-testing for free, it is one way to get a deep understanding.
Helpful certifications for penetration testers
Starting point
There are many valuable certifications to get ready for your first junior penetration tester position.
A good starting point to test your knowledge is INE's PTS course. It is possible to get the PTS basic, including the labs, for free. Subscribe at https://checkout.ine.com/starter-pass, and you will get access to the course material but can not take the certification (eJPT). If you feel confident enough, you can read the slides and skip the certification (eJPT).
Entry-level certifications (selection)
Other more advanced courses and certifications are CPEH, PWK (OSCP), PTP (eCPPTv2).
These certifications are "entry-level" certifications. You most likely need about 500 hours to pass it (without prior experience in IT), so do not underestimate them.
Do not underestimate the massive amount of knowledge that you have to learn.
Next steps:
There are many ways to get more knowledgeable. You can learn with:
- Hack-the-box, (subscription and free, capture the flag)
- TryHackMe (subscription and free, capture the flag)
- VulnHub, (free, capture the flag)
- CyberSecLabs (subscription and free, focuses on more realistic content rather than CTF professionals. Teaches Active Directory)
- VirtualHackingLabs (subscription and demo access, 40 labs)
- DVWA, (free, web application)
- HackThisSite, (free, web application)
- Metasploitable 2 or 3, (free, it is a VM with a lot of exploits)
- Mutillidae, (free, web application)
- WebGoat, (free, web application)
- project-juice-shop (free, vulnerable web application from OWASP, very good for beginners and teaches more advanced attacks, if you master all included tasks and tutorials, you are very good and you do not need to spend money on web application certificates)
- cryptohack.org (free)
- https://hackmyvm.eu/ (free)
- https://github.com/Audi-1/sqli-labs (free)
- RangeForce Community Edition (free)
- Port Swigger Academy (free, web application)
- and other resources.
If you want to try something new, you can go for HackTheBox Academy (academy.hackthebox.eu/). The fundamental courses are free.
A comprehensive list of things to learn is here: github.com/StefanAustin/awesome-red-teaming This list is massive and many times beyond OSCP level. If you want to learn pen-testing for free, it is one way to get a deep understanding.
Helpful certifications for penetration testers
Starting point
There are many valuable certifications to get ready for your first junior penetration tester position.
A good starting point to test your knowledge is INE's PTS course. It is possible to get the PTS basic, including the labs, for free. Subscribe at https://checkout.ine.com/starter-pass, and you will get access to the course material but can not take the certification (eJPT). If you feel confident enough, you can read the slides and skip the certification (eJPT).
Entry-level certifications (selection)
Other more advanced courses and certifications are CPEH, PWK (OSCP), PTP (eCPPTv2).
These certifications are "entry-level" certifications. You most likely need about 500 hours to pass it (without prior experience in IT), so do not underestimate them.
- CPEH is the new underdog of certifications. The cert and the training are about $400 and it offers the most realistic exam. The course includes Active Directory, and it is based on an own lab, TryHackMe, and HackTheBox. The certification is not HR-relevant.
- OSCP is the most famous certification in Cybersecurity, and it is an HR certificate (Golden Standard). It is about $1350. During the last months (March 2021), OffSec increased the difficulty level a lot; be prepared. Even the most challenging PWK lab machines are easy against the exam.
- eCPPT is a less known certification (927 cert holders on LinkedIn, Match, 2021), but it gains a lot of attention due to the great practicability. The cert is $400, and you can get the course via INE's Cyber Security Pass for $750. This pass includes much more to learn, including the blue side.
It is essential to take 100% hands-on certifications to improve your skills. Simple question certifications like CEH, Pentest+ or CySA+ will not increase your practical knowledge. You should only take these courses if you have an excellent reason to do so. Reasons could be:
- want to work for a certified company that requires these certs
- government job,
- the employer pays for it
- just for fun, you are a cert collector.
Note: CySA+ is a "cheap" alternative for CEH if you want to work for the government and you need an Approved Baseline Certification for DoD 8570.
From this point on, you should know what your goals are. There are many options and paths. Learning is time-consuming. Pick one specialization to be indispensable for a company.
CREST certifications
Some countries prefer CREST certifications and the flagship is "CREST Registered Penetration Tester". Right now (until June 2021), you can substitute CRT (CREST Registered Penetration Tester) with OSCP.
Advanced Certifications
Many companies offer advanced certifications, and I mention the two most prominent with a 100% hands-on exam.
- eLearnSecurity / INE
- OffensiveSecurity
OffensiveSecurity offers the PEN-300 (OSEP) and AWE (OSEE) courses. Both of them are very difficult.
Other certification companies (selection)
- www.pentesteracademy.com -> cheaper offers a lot of courses (40+). Monthly ($39) or yearly subscription ($240). The "Attacking and Defending Active Directory" course is an excellent example of one of these courses. I never tried one of these, but many well-known people recommend this company.
- SANS -> very expensively, most of the time not worth it if you have to pay the fee out of your pocket. They have respected certifications like GSEC, GPEN, GCIH, and many others.
- ICSI -> not known in the industry offers a free course (https://www.icsi.co.uk/courses/icsi-cnss-certified-network-security-specialist-covid-19)
- https://www.eccouncil.org/ -> famous for C|EH (Certified Ethical Hacker), an HR paper cert. They offer other courses like L|PT (Licenced Penetration Tester), but expensive and not respected in the industry.
- Mossé Cyber Security Institute - https://www.mosse-institute.com/certifications.html
- ATTACKIQ - https://academy.attackiq.com/
- Cisco - https://www.cisco.com/c/en/us/training-events/training-certifications/certifications.html (network and network security)
- paloalto - https://www.paloaltonetworks.com/services/education (network)
- Juniper - https://www.juniper.net/us/en/training/certification/ (network)
Companies do not need a security clearance for every single position, and you will need it if you want to work for the government or touch government equipment.
What you most likely need is US citizenship. Some jobs require a permanent resident card (Green Card), but it is rare.
Specialized career paths
Many people want to be a penetration tester, but the job market is limited, and the non-influenceable requirements are high. Sometimes you have the wrong nationality, you can not get a Green Card/citizenship, or made a mistake years ago. Network penetration testing is not the only way to find a job in Cybersecurity.
According to LinkedIn, there are about 527 open positions (July 2020) for a penetration tester. This number is small compared to other jobs in Cybersecurity. In the US, there is no standardization for job titles; therefore, you have to google a lot to find a matching job. The numbers on LinkedIn are unreliable guesses, but you can compare the numbers.
Web application tester
A web application tester tests websites, and if you want to go in this direction, there is a lot of free material available. The bounty community and OWASP community are very active and helpful.
According to LinkedIn, there are about 55 open positions (July 2020), but this number does not reflect reality.
Mobile application tester
A mobile application tester tests web applications before publishing them on Google Play Store or Apple store. This job is particular, and it is not that easy to get the required knowledge. Work with android and iOS.
One possible certification is eLearnSecuritys MASPTv2. The v2 certification is a bit outdated (3 years old), but other options (CMSTP, Perfecto Mobile, CAST, ISTQB) from different companies are available.
Reverse engineer
A reverse engineer needs an excellent understanding of assembly languages and programming. Some people call the job a Malware analyst. This job is on the blue side, and many more open positions are available.
There are a lot of possible certification companies available. Corelan, GIAC, eLearnSecurity, IACRB, CREST, mosse-institute are some options.
According to LinkedIn, there are about 10,300 open positions (July 2020).
Security researcher
This job description describes a wide field of possible jobs. Sometimes it is a more Reverse Engineer, and sometimes you work for an anti-virus company or a software company like Microsoft. According to LinkedIn, there are about 3,700 open positions (July 2020).
Next step beyond OSCP
To get a job as a penetration tester is an entry-level position. Penetration testing requires constantly studying, and you will reach a level far beyond OSCP and other entry-level certifications.
Red team / Tiger team member
A red team member is more than just a simple penetration tester. The duration of a simple pen test is maybe one week or two weeks, but a Red team attacks a company for a longer time. It simulates more of an APT attack. Only the most prominent companies and governments have such groups to defend their systems, and the Tiger team is the highest possible and technically advanced job as a penetration tester. The term Tiger team is not protected or precisely defined. The meaning in each company can be different. Sometimes it is an older term for the red team.
Advanced Red Certifications (selection)
There are some certifications available, but few people have these certifications. If you have one of the following certifications, you are one out of less than 100. OSCE with at least 1,400 / 1700 certification holders is the big exception.
[Prices and numbers: July 2020 / March 2021, source LinkedIn. The order is alphabetically ascending.]
- eLearnSecurity/INE - Penetration Testing Extreme - eCPTX ($750 1 year), > 81 / 108 cert holders 3 hours of course video, 2000+ interactive slides, 11 scenarios with 100+ challenges (This course does not exist anymore, you can buy it, but INE is ending it mid 2023)
- Pentester Academy - Active Directory Attack Defense Lab - Certified Red Team Professional (90 days $499), > 242 / 589 cert holders “entry” level certification
- Pentester Academy - Red Team Lab - Certified Red Team Expert (90 days $699), > 106 / 249 cert holders
- Pentester Academy - Global Central Bank - Certified Enterprise Security Specialist (PACES), (90 days $749), > 9 / 26 cert holders highest possible Pentester Academy certification for red teamers
- Offensive Security - Cracking the Perimeter - OSCE (60 days $1500), > 1,400 / 1700 cert holders 3.5 hours of course video, 145-page course guide
- {the OSEP a brand new cert}
- Zero Point Security - Red Team Ops Course - Certified Red Team Operator (CRTO), (90 days £649), > 32 / 163 cert holders infinite access to the newest course updates, it one of the Golden Standards for Red Teamers.
- https://cyberwarfare.live/RedTeamLab.php
--> Between July 2020 and March 2021, the numbers of certification holders grew a lot, and there are two reasons for it: many people move in the field, and people in the area gain knowledge. This fact means every year, and it gets harder to break into Cybersecurity.
INE bought Pentester Academy and is removing or removed a lot of certs. I do not recommend INE or INE owned platforms anymore.
Conclusion
Becoming a penetration tester is a great goal and a fascinating journey. It is a long journey full of hurdles and pain. It requires a lot of research to become successful. You can get the knowledge for free/cheap or spend a significant amount of money.
Even though the "red side "is the most respected, the "blue site "can be an excellent alternative.
You did your research, and you cannot find a job... have a look into the cloud. There are four times more cloud jobs in some areas compared to Cybersecurity. If you have cloud knowledge and security, you make much more money. The salary jumps at about 20%.
Thank you for reading. I hope it was helpful.
© 2021. This work is licensed under a CC BY-SA 4.0 license