ReadME!
Before you continue reading this blog, there are a few things I want you to understand. The thoughts and ideas presented here are based solely on my own experience and, more importantly, on the kind of people I interacted with within the firm. They do not represent any particular employer, but rather the experiences that any newcomer faces, including me. I have worked in the industry for 1.5 years, which is not a lot of time, so my experience is limited; think of this blog as me talking to my younger self, explaining things to make them a little easier. This blog does not cover cybersecurity concepts, topics or skills that will help you in your cybersecurity career, but rather the mindset and experiences you will likely encounter in any work environment, not just cybersecurity.
1. You know very little
- Once you get your first cybersecurity job, you will find people who are better than you at a lot of things. They talk about things you have never heard of, use words that go straight over your head, and pop shells using methods you did not even know existed. These people will motivate you the most. Try to be around them and learn from them as much as you can; even if you are unable to work with them directly, you can still take inspiration from them and their experiences. Ask as many questions as you can.
- Surrounding yourself with people who are much better than you might discourage you and make you feel like you know very little. Well, it is true, but hear me out. Once you start putting in a hundred percent consistently, after that it is just a matter of time and experience. It took these people a lot of time and practice to reach their level; they did not turn into good hackers overnight. Even if it takes you 14 years to cover something that took them 15, you have won.
Just be patient and push forward. Do what is in your hands and leave the rest to the universe. These people should be fuel for your burning desire to be the best.
2. No one cares, but you need to
- Not everyone in the cybersecurity industry wants to become a pro hacker. Like any other profession, there is mediocrity in hacking too. There are people who are not in love with the subject, but in love with getting work done. That is no big deal in itself, but if you are not learning, just copying and pasting things, then it is a serious problem, and this is where learning takes a back seat. I remember I was once asked not to write my own recommendations but to copy them from previous reports :/
- Let me give you a few examples. Let's say someone tells you one of the following:
- "You don't know how to test an Android application? Take a previous report, do the same checks, run the tests and generate the report."
- "You don't know how to test an X type of application? Don't worry, just use these Metasploit modules, run them and write the report."
- "We need you to test the application in two days and deliver the report."
- The above statements might not look very scary to you, but let me show you the outcome of these practices:
- "I have done Android pentesting, but I don't understand the Android architecture, how an Android application runs and interacts with the system, what content providers are, etc."
- "I don't understand what an X type of application is or how it works, but I can do X testing using Metasploit."
- "I have tested this application, but I am not confident that I have been thorough enough; I just did some basic checks."
- If you are a client buying cybersecurity services, you know how much you are paying, and it is simply sad to pay that much for quality and get reports on applications that may only have been tested superficially.
- Now, I don't have anything against newcomers, or people who are new to X technology. I understand they are trying to learn, and they will learn by doing. The solution here is shadowing a project in order to learn. Let's say a newcomer does not understand X technology: let them shadow a project involving X technology that is being tested by an experienced tester.
- Another way to ensure quality is report review. An experienced tester reviews the report thoroughly before it is released to the client.
The only person who needs to care, or should care, about expanding your personal knowledge pool is you; no one gives a shit about whether you learn or not. Don't speak, show.
3. Skill != Awards
- Company awards or titles are not the right metric for measuring your progress in pentesting skill. The awards you get in your company are not directly proportional to your skill set; there are multiple factors that dictate the probability of someone getting an award. These include skill, your relationship with your manager, your willingness to show up for work outside of 9 to 5, your willingness to do miscellaneous tasks and, obviously, politics.
- So if you don't get an award, don't be discouraged. It might not be because of your skill, but because you are straightforward, because you are honest, because you say no to work outside office hours, or maybe because you accidentally offended a senior by correcting them.
There is a difference between being the best employee and being the best in your field of work. You decide your scope: local or global.
4. Certifications Post Job
- First of all, I don't think certifications should be done solely to get a job; your primary focus should be to improve your skills and then get certified. I understand that doing certs purely for learning is not feasible for everyone, but it is obviously an investment in the long term. So, if you really want to do just one cert, I would suggest OSCP. No matter what the noise says, it is what it is.
- One might think that certifications only play a role in getting you a job. But that is not the whole truth; certifications also play a role after you get a job. For example, some clients only allow OSCP holders to work on their assets.
Do certifications to learn and to test yourself. That is all a certification is: a document that acknowledges a skill.
Conclusion
That is pretty much it for this blog. Everyone's experience is different and a lot of what is mentioned here is subjective, so take what helps you and keep the rest in mind. After all, it is a marathon, not a sprint, unlike bug bounty.
Stay Safe & Keep Hacking