Contact Form


Email *

Message *

Tips for an Information Security Analyst/Pentester career - Ep. 78 - Nothing is impossible

My story

This post comes from an email exchange between me and Eugene Belenski with Peerlyst.

Eugene thought sharing my experience of how I found a job as a penetration tester could help other people who are still trying to break into the penetration testing industry, struggling to find their first gig.

So here's the whole story of how I could find a job as a penetration tester one year ago.

In late October last year, I had just quit my previous position (which was a joke, and I'll leave it at that) and I was thinking about what to do next.

I decided to go back studying full time for PWK, while I kept publishing posts for my series.

A couple of weeks after quitting, I got an email through Peerlyst from a guy I had never heard of, named Fred Mastrippolito.

He asked me if I was interested in joining a company dealing with hacking and forensics.

I had, at that time, published 67 posts for my Pentester/Security Analyst career series..

Those posts helped me stand out, and that's how Fred found me.

He was looking for a junior pentester but he wanted someone who tried harder and wouldn't hesitate going the extra mile.

I sent him my resume and checked his LinkedIn profile.

Things matched up: the guy resulted to be legit. He's the CEO/President and founder of Polito, Inc. which is a small company dealing with penetration testing, forensics and incident response. Though being a small company, Polito, Inc. had often held workshops in major hacking conferences such as Defcon and BSides, so it was a perfect match to me.

I sent him my resume and he said he'd have to talk with the team first and then he'd contact me back.

After a couple of days, I had an invitation for a conference call with the whole team for an interview. 

In the email Fred mentioned he thought I'd be a great addition to the company, but he wanted to run this through his team because they made decisions like a team.

Things were moving quite fast.

I thought I had done great in the team interview that day, but I still had mixed feelings.

Too often before I thought I had done awesome and then I’d end up back into a void.

I mean, these guys had looked for me out of their initiative, I hadn't applied for any positions.

If they wanted, they could've had way better guys than myself.

Maybe the fact I was starting out (and I was cheaper) helped my case.

A couple of weeks went by and, just when I started thinking maybe I hadn't done that great in the end, Fred sent me an employment offer.

I started out as a part time remote pentester for 3 months, and we'd go from there.

My dream had finally come true when I least believed in it, and I didn't know how that could've been possible.

I started working in real-world penetration testing engagements from home and now I was using all the tools I had played with for years (Nmap, Burp, Nessus, etc.) against real targets, dealing with complexity levels I had never seen before.

At first I was mostly involved with the fun parts of my job: recon, validation and exploitation. I started learning my way around Burp and perfecting my Nmap skills to deal with very large subnets.

I started getting all the excitement coming from real-world shells. That never stops. 

The adrenaline shot coming from obtaining a real-world shell is something that I never stop feeling.  

I'm like a bloodhound when it comes down to getting a shell. I smell  it.

I recently had 30 Meterpreter sessions at the same time in an engagement. 

Sadly, that's not always the best thing to do, though, especially when time is a concern (I'm going to talk about this specific point in more detail in a different post).

After moving to a full time position with Polito in June this year, I started being involved more and more in the real work: increasingly complex engagements, technical troubleshooting, and especially reporting.

I feel I've gotten much better at that, even though I'm nowhere close to where I wanna be and there's still something new to be learned every day.

I've gotten quicker, more accurate in reporting and more conservative when running an exploit. At first, I felt the red teamer kiddo rush (let's break things and pop shells). 

Sure, I love popping shells but I don't want to crash the client's servers either, so I'd rather be sure I can safely run something, than go ahead and do it like that.

Time went by faster than I could even think possible.

In the meantime, I co-presented a workshop at Defcon 27 with my company and I summed up over one year experience as a professional penetration tester, by now, dealing with all sort of scenarios, internal and external networks, web apps, wireless networks, quirks and vulnerabilities, all from the comfort of my own house.

And I got to know Fred.

I think I'm never gonna be able to express how much grateful I feel to him for taking a chance on me.

I feel a great responsibility to deliver every day and showing him he was right making that decision.

I hope I did so far, and I will continue to do so.

Now the same conference call I had to go through that day for my initial interview has become a working routine, and the same guys who interviewed me have become my colleagues, with whom I share concerns, thoughts and collaborate every single day.

How is all this relevant to you?
I know, you could legitimately think, "OK, well, what do I care about this? Good for you, but..".

This story should hopefully motivate you to take action, because it shows you nothing is impossible.

There were a bunch of factors holding me back:

  • Not a youngster any more: I was 54 already when I started working as a penetration tester
  • No long-time info sec experience: I only had a brief parenthesis as a SOC analyst but I wanted to move to red teaming. Even though I had played for 4 years in my lab, I had never done it for a living.
  • Not a programmer: Sure I can write a Bash script, but I need to greatly improve my programming skills, especially with Python, PowerShell and Assembly, to up my game. I still need to that, and I hope I can find time to finally become more proficient.
  • No specific education, or not the right one: At first I didn't have an IT degree, then I achieved two associate's degrees but employers wanted a Bachelor's.

I was held back for years because of all these factors but I refused to give up and took action to overcome them.

I achieved two degrees, two certifications (and I'm working toward other ones), kept writing, posting, studying, updating my skills, hoping for the right opportunity to come up, and it did.

But it's not a matter of luck, I created the opportunity by showing up, delivering contents all across the board, until someone finally noticed I was there and I could've been an asset to them.

Nothing is impossible.

I showed it to you, if you had (for some weird reasons) enough time and will to follow my journey.

I'm by all means no genius and I'll never be, but I worked hard to overcome all the excuses a possible employer could have, until I met a mentor who opened the right door to me.

But that door wouldn't open up if I didn't work my butt off day in and day out to get there.

So, no matter what they tell you, work towards your dreams.

At first, I was rejected because I didn't have an IT degree.

So I said, " OK, let's go back to college and get one". 

I enrolled in the college at 50 and, two associate's degrees and 3 years later, I kept getting doors shut because I didn't have a Bachelor's.

Then it was my lack of experience.

I kept playing with my lab to overcome this, I achieved Security+ and eJPT certifications to beef up my resume.

No excuses is my philosophy, at a certain point you gotta tell them, "OK I'm willing to do whatever it takes, even help for free, would you give me a chance?".

I was willing to go through internships, too. I applied for an internship in Seattle, and they didn't take me, but they gave me some advice on what to learn and the guy who rejected me told me I was on the right track.

Nothing put me down, I knew I'd succeed, and I did it.

And, believe me, if a guy like me, who hates math, can't stand physics, isn't in love with science necessarily, is no hardware wizard and isn't exactly the Bill Gates of the situation, can make it, SO DO YOU!!

So, zero excuses

By the way, I’m planning to go back to OSCP soon, so this is also a way to get pumped up and ready to go for my new exam attempt.

So, ask yourself this once again.

Are you interested or motivated?


Related Posts Plugin for WordPress, Blogger...

Popular Posts