Tips for an Information Security Analyst/Pentester career - Ep. 78 - Nothing is impossible
Updated April 26, 2023
My story
This post comes from an email exchange between me and Eugene Belenski with Peerlyst (an amazing security community, unfortunately no longer active).
Eugene thought sharing my experience of how I found a job as a penetration tester could help other people who are still trying to break into the penetration testing industry, struggling to find their first gig.
So here's the whole story of how I could find a job as a penetration tester, and how later I got to work with a market leader in the cyber security space.
So here's the whole story of how I could find a job as a penetration tester, and how later I got to work with a market leader in the cyber security space.
In late October 2018, I had just quit my previous position (which was a joke, and I'll leave it at that) and I was thinking about what to do next.
I decided to go back studying full time for PWK, while I kept publishing posts for my series.
A couple of weeks after quitting, I got an email through Peerlyst from a guy I had never heard of, named Fred Mastrippolito.
He asked me if I was interested in joining a company dealing with hacking and forensics.
I had, at that time, published 67 posts for my Pentester/Security Analyst career series.
Those posts helped me stand out, and that's how Fred found me.
He was looking for a junior pentester but he wanted someone who tried harder and wouldn't hesitate going the extra mile.
I sent him my resume and checked his LinkedIn profile.
Things matched up: the guy resulted to be legit. He's the CEO/President and founder of Polito, Inc. which is a small company dealing with penetration testing, forensics and incident response. Though being a small company, Polito, Inc. had often held workshops in major hacking conferences such as Defcon and BSides, so it was a perfect match to me.
I sent him my resume and he said he'd have to talk with his team first and then he'd contact me back.
After a couple of days, I had an invitation for a conference call with the whole team for an interview.
In the email Fred mentioned he thought I'd be a great addition to the company, but he wanted to run this through his team because they made decisions like a team.
Things were moving quite fast.
I thought I had done great in the team interview that day, but I still had mixed feelings.
Too often before I thought I had done awesome and then I’d end up back into a void.
I mean, these guys had looked for me out of their initiative, I hadn't applied for any positions.
If they wanted, they could've had way better guys than myself.
Maybe the fact I was starting out (and I was cheaper) helped my case.
A couple of weeks went by and, just when I started thinking maybe I hadn't done that great in the end, Fred sent me an employment offer.
I started out as a part time remote pentester for 3 months, and we'd go from there.
My dream had finally come true when I least believed in it, and I didn't know how that could've been possible.
I started working in real-world penetration testing engagements from home and now I was using all the tools I had played with for years (Nmap, Burp, Nessus, etc.) against real targets, dealing with complexity levels I had never seen before.
At first I was mostly involved with the fun parts of my job: recon, validation and exploitation. I started learning my way around Burp and perfecting my Nmap skills to deal with very large subnets.
I started getting all the excitement coming from real-world shells. That never stops.
The adrenaline shot coming from obtaining a real-world shell is something that I never stop feeling.
I'm like a bloodhound when it comes down to getting a shell. I smell it.
I recently had 30 Meterpreter sessions at the same time in an engagement, and that's been the most fun I had so far.
Sadly, that's not always the best thing to do, though, especially when time is a concern (I'm going to talk about this specific point in more detail in a different post).
After moving to a full time position with Polito in June 2019, I started being involved more and more in the real work: increasingly complex engagements, technical troubleshooting, and especially reporting.
I feel I've gotten much better at that, even though I'm nowhere close to where I wanna be and there's still something new to be learned every day.
I've gotten quicker, more accurate in reporting and more conservative when running an exploit. At first, I felt the red teamer kiddo rush (let's break things and pop shells).
Sure, I love popping shells but I don't want to crash the client's servers either, so I'd rather be sure I can safely run something, than go ahead and do it like that.
Time went by faster than I could even think possible.
In the meantime, I co-presented a workshop at Defcon 27 with my company and I summed up a multi-year experience as a professional penetration tester, by now, dealing with all sort of scenarios, internal and external networks, web apps, wireless networks, quirks and vulnerabilities, all from the comfort of my own house.
And I got to know Fred.
I think I'm never gonna be able to express how much grateful I feel to him for taking a chance on me.
I feel a great responsibility to deliver every day and showing him he was right making that decision.
I hope I did so far, and I will continue to do so.
Now the same conference call I had to go through that day for my initial interview has become a working routine, and the same guys who interviewed me have become my colleagues, with whom I share concerns, thoughts and collaborate every single day.
How I landed a job as a Security Consultant, Attack & Pen, with Optiv
When I reached the 4-year mark of my experience with Polito, I came to the realization it was time for a change.
I got to a point when no further growth opportunities in the company seemed to be available. I was the pentester with the most seniority and I had trained all the other team members, but I ended up running always the same types of projects for the same repeat clients.
By now, I could've done a copy/paste from the previous quarter reports.
In fact, other than some occasional changes in the scope, I already knew what I'd find before even starting testing.
I realized I was getting complacent and needed to meet new challenges. A hacker should avoid getting complacent like a plague.
I then decided to start looking and see what might've been around for me.
At that point I had a 4 years' background in penetration testing, so landing an interview was quite simple. I wasn't a rookie anymore, and my demands had changed, too. I decided it was time for a financial upgrade to go along with my move.
As it happened before when I broke in the industry, all the jobs I had applied and interviewed for left me dead in the water after two or three rounds of interviews, however I ended up having the breakthrough I wanted without even applying.
A recruiter contacted me offering a job as a Security Consultant, Attack & Pen, with Optiv. I knew the company, of course, as a market leader. I couldn't believe they were looking for me, so I accepted and he submitted my profile.
Within a couple of weeks, I went through three interviews and the last one was tough because it was meant to test how I'd do in a client call.
Five minutes after the last interview ended, I got a call from the recruiter: they wanted to make me an offer.
The rest is history. I've started with Optiv in July 2022, and I've done more in this time than I did over my whole prior experience. I'm constantly challenged and on my toes, and there's always something new to learn. I've been branching out to types of engagements I couldn't have the opportunity to take on before.
Also I have way more responsibilities, as I'm in charge of the whole project and of communication with the client, especially when technical expertise is needed.
Having to constantly interface with the client helped me grow as a consultant.
In my previous experience my interactions with the client were way more limited.
Plus, the people in my team make a great difference.
I don't want to sound cheesy, but the team is very helpful and has the right culture.
No one tries to throw you under the bus, at least for what I experienced. Plus, they're amazingly smart guys, so much that sometimes my imposter syndrome takes over and I end up asking myself how I ended up being in the same team as them.
I was told how great the company culture was over my last interview but I can confirm it's true.
Even when I take on something I've never done before, I'm positive I can make it because the team will help me figure it out, so I'm confident I'll deliver, no matter what.
How is all this relevant to you?
I know, you could legitimately think, "OK, well, what do I care about this? Good for you, but..".
This story should hopefully motivate you to take action, because it shows you nothing is impossible.
There were a bunch of factors holding me back:
- Not a youngster any more: I was 54 already when I started working as a penetration tester
- No long-time info sec experience: I only had a brief parenthesis as a SOC analyst but I wanted to move to red teaming. Even though I had played for 4 years in my lab, I had never done it for a living.
- Not a programmer: Sure I can write a Bash script, but I need to greatly improve my programming skills, especially with Python, PowerShell and Assembly, to up my game. I still need to do that, and I hope I can find time to finally become more proficient.
- No specific education, or not the right one: At first I didn't have an IT degree, then I achieved two associate's degrees but employers wanted a Bachelor's.
I was held back for years because of all these factors but I refused to give up and took action to overcome them.
I achieved two degrees, multiple certifications (and I'm working toward other ones), kept writing, posting, studying, updating my skills, hoping for the right opportunity to come up, and it did.
But it's not a matter of luck, I created the opportunity by showing up, delivering contents all across the board, until someone finally noticed I was there and I could've been an asset to them.
Nothing is impossible.
I showed it to you, if you had (for some weird reasons) enough time and will to follow my journey.
I'm by all means no genius and I'll never be, but I worked hard to overcome all the excuses a possible employer could have, until I met a mentor who opened the right door to me.
But that door wouldn't open up if I didn't work my butt off day in and day out to get there.
I don't believe in luck, good things only happen when preparedness meets opportunity.
So, no matter what they tell you, work towards your dreams.
At first, I was rejected because I didn't have an IT degree.
So I said, "OK, let's go back to college and get one".
I enrolled in the college at 50 and, two associate's degrees and 3 years later, I kept getting doors shut in my face because I didn't have a Bachelor's.
Then it was my lack of experience.
I kept playing with my lab to overcome this, I achieved Security+, PenTest+ and eJPT certifications to beef up my resume.
No excuses is my philosophy, at a certain point you gotta tell them, "OK I'm willing to do whatever it takes, even help for free, would you give me a chance?".
I was willing to go through internships, too. I applied for an internship in Seattle, and they didn't take me, but they gave me some advice on what to learn and the guy who rejected me told me I was on the right track.
Nothing put me down, I knew I'd succeed, and I did it.
And, believe me, if a guy like me, who hates math, can't stand physics, isn't necessarily in love with science, is no hardware wizard and isn't exactly the Bill Gates of the situation, can make it, SO DO YOU!!
So, zero excuses.
So, ask yourself this once again.
Are you interested or motivated?
Comments
Post a Comment