How I became a Pentester

It’s the year 2018 at the beginning, of Summer. I found myself browsing Udemy and for some reason a course titled Learn Ethical Hacking From Scratch caught my eye. I was fascinated by Ethical Hacking for a while and I thought it might be a fun course. I decided to buy it and play around.

I began by getting hooked on Network Hacking. I picked up a USB Wireless Adapter that could use Monitor Mode to capture WPA2 PSK and perform MITM attacks. I spent my summer setting up networks and trying various attacks. Stripping SSL from HTTPS and learning about HSTS, cracking WPA2 captured PSKs with various word lists, reading data in captured packets in Wireshark, injecting JavaScript into captured web pages, and so on. It was a lot of fun!

After a while I moved onto Web Pentesting. I have a degree in Web Development, so I was excited to learn how to I could use my existing knowledge to gain a better understanding on how to secure and hack web applications.

Cross-Site Scripting and SQL Injection became my favorite exploits to perform. I remember using DVWA and OWASP Mutillidae Virtual Machines to practice and play around with various difficulty settings to see how good I could get. I also tried IDORS, Command Injection, and File Uploads. I was having a blast.

At the time I was working as a Web Developer and System Admin for a small college. I had been in the IT field for roughly ten years and the majority of my career was at this college. I started off really enjoying myself there, but as time moved on and leadership changes happened, I found myself really depressed. I did not agree with management on a lot of things. Long story short I ended up disliking my job and I wanted a change.

During the summer of 2020 I signed up for a service called TryHackMe. I don’t remember how I came across it, but when I saw it something in me decided to sign up and start completing rooms. I worked through rooms on Web Pentesting and even earned the Webbed badge a few days after signing up. I soon decided this was the path I wanted to take my career. I wanted to become a penetration tester.

I started off doing tons of TryHackMe rooms and learning everything I could. It is hard to remember the exact path I took, but I remember going for badges and being obsessed with them. I was always obsessed with the Xbox 360 achievements and this gave me the same sort of rush.

At this point I came across the various different certifications and knew that if I wanted to break into the cybersecurity field I should obtain some security certifications.

I started my journey to get Security+. This exam honestly really scared me more than any exam I have ever taken. I believe it is because I felt if I failed this exam, it meant I did not belong in this field. This felt like a gateway exam.

I stayed up for hours reading my Security+ book and listening to Professor Messer’s YouTube courses and Jason Dion’s Udemy course and taking practice exams. No matter how well I did on these practice exams, I felt so scared to take this exam.

When the day came I was really nervous. I had to take a number of deep breaths, but I found myself in a good grove during the exam.

When it came to the end I finished answering everything I went through and double checked my answers then hit submit… and the last thing that popped up was those stupid survey questions. I hated these because I just wanted to know the results.

After that the results came in and I passed… My first attempt. I was so relieved and happy. I had finally done it. I knew I could make it in this field.

It was at this point I decided to create this site and blog about my journey.

So as I took notes for CTFs I would try and make them into write-ups for this site and share them on my GitHub as well. I wanted to provide resources to the community and show employers I cared about my craft and helping others.

Next began my quest to take the Pentest+. I used Jason Dion’s courses and practice exams again and read from the Sybex book.

While studying and learning about all the Pentest+ I kept reading on Twitter about this super fun and entry level hands on exam called the eJPT. This caught my eye as I was intrigued about the idea of a hands on exam and not just memorizing flags for various pentesting tools.

I signed up for INE and began going over the study materials and all the labs. After a few weeks of studying and doing the labs I took a weekend off and took the exam. I felt comfortable with this exam and the labs because I was working on TryHackMe and Hack the Box a lot. I was working on the TryHackMe 365 day badge, so doing a hacking lab or CTF a day made me really comfortable with the material.

After about six hours in I was able to answer the questions and passed the exam! This was a huge confidence boost for me. I loved this exam and the cost for the exam and course. The exam voucher was $200 and the course was free. I will always recommend this as the starting exam for anyone that wants to be a penetration tester. It is inexpensive and beginner friendly.

After this I went back to study for the Pentest+.

My confidence was a lot higher after having the eJPT and Security+ under my belt. I put in a few weeks of studying and using Jason Dion’s courses and practice exams again and read from the Sybex book.

On my first attempt I was successful in passing the Pentest+!

My advice for both the Security+ and Pentest+ is to go down each objective they give for the exam and if you feel comfortable being able to explain each one to a child and have them understand it, then you should be ready for the exam.

At this point my job was really going down hill. I don’t want to stress on it too much, but I started looking for a new job.

I updated my resume and listed the basic stuff: education, certifications, experience, references, etc. I also added my TryHackMe profile, Hack the Box profile, Blog, and GitHub. I wanted to stand out as much as I could.

I ended up with multiple interviews for various IT positions, but I was still holding on hope for the pentester position.

With some good fortune, though I was able to land an interview to be a pentester. I did a few interviews with the company and later ended up doing a technical assessment along with a pentesting simulation to test various skills and my mindset as a pentester.

After waiting two weeks I was called by the lead pentester and offered a job. It will go down as one of the best moments of my life. All of my hard work paid off and I absolutely love my job.

I am incredibly proud of myself for putting in the time to study and learn as much as I could to become a pentester. The path here was incredibly hard and even though I am a pentester now, I am still studying and prepping for more certifications to hit that next level.

I recently passed the eWPT (which you can read about here) and I am close to taking the eCPPT and later this year I will start studying for the OSCP.

The field is growing and the demand is high for cyber security. If this is a path you want to go down, you can do it!

Final Notes:

  • I recommend the eJPT and secuirty+ as good starting points.
  • TryHackMe is more beginner friendly than HTB.
  • I don’t recommend the Pentest+. I feel eJPT was a better use of my time and money. I prefer hands on to memorizing flags and picking “the most correct answer”.
  • Create a blog and GitHub and contribute to the community in some way.
  • Be vocal on social media and network.
  • Make your resume stand out. Add HTB, TryHackMe, GitHub, Blogs, Videos, etc to demonstrate you love this field.
  • The OSCP is not required nor is a degree in cyber security required to land a job. I know tons of senior pentesters that do not have the OSCP.
  • Understanding basic networking.
  • Learn how to make a pentest report.

If you have any questions, feel free to send me a message on Twitter!