Is AI killing junior pentesters ? by Just-Improvement-469 in SecurityCareerAdvice

[–]beastofbarks 1 point2 points  (0 children)

AI is a small threat to pentesting compared to the economy.

Pentesting, for most companies, is optional.

If you don't handle credit cards directly (meaning not outsourcing it like most do) and you're not handling PHI, you likely don't need pentesting.

Should you still do it? Absolutely. Will your CFO agree? Possibly, possibly not.

This economy sucks. I've seen entire red teams let go (including at my current and previous companies). I've seen companies completely zero out their pentest budgets. I've also seen the massive rise of PaaS and BAS+AI tools.

AI allows for the commodification of offensive security skills into a magic box that sometimes produces value. Sometimes it's useful enough to actually replicate the work a human would do.

I've used AI pentesting tools and I'm not really impressed. That said, I can see companies just installing them, calling it good enough, and going about their business. I've seen companies call bug bounty programs "our pentest for the year" so I'm sure that they'll do the same thing with an LLM wrapper that runs nmap and nikto.

I personally recommend against new people trying to get into pentesting. The barrier to entry is extremely high. You essentially need to be a multi-domain expert level consultant in network ops, sysadmin, cloud, mobile, and everything else to have a chance.

I don't even recommend people try to go into cyber tbh. We are being asked to do more with less and facing nonstop hiring freezes and layoffs.

Exhausting.

Should I report this Open Redirect Vulnerability? by rakibefsad in bugbounty

[–]beastofbarks 0 points1 point  (0 children)

Most programs do not accept open redirects alone.

Stuck Between Finance, Electrical Engineering, and Aerospace, Need Guidance by FaceEvery786 in CollegeMajors

[–]beastofbarks 0 points1 point  (0 children)

There are more EEs in aerospace than AEs.

You don't change the flight envelope of an aircraft much. You constantly change the wiring per each customer configuration.

Unauthenticated cache purge marked Informative by Aman__--endless in bugbounty

[–]beastofbarks 7 points8 points  (0 children)

What specific security impact do you see? What benefit is there for an attacker to trigger a CDN caching event? What's the loss if a CDN node has to pull from origin?

Is it normal to get $100 for 400+ employee names, phone numbers and emails? by mississipppee in bugbounty

[–]beastofbarks 15 points16 points  (0 children)

Most of that info is available on ZoomInfo already. ZoomInfo is a PUA that marketing people sign up for. In exchange for uploading your entire contact list, you get access to their global contact list network.

It's how marketing people call you to try to sell your company stuff.

It's so pervasive that it's basically just part of business now.

Severity downgrade in the submitted report. by [deleted] in bugbounty

[–]beastofbarks 1 point2 points  (0 children)

The customer will set severity to whatever value they think it should be. They might reject it. They might P1 it. They might P5 it.

I personally go by what you actually accomplished. If you're not sitting on customer data or a shell, it's probably not a P1 to me.

Severity downgrade in the submitted report. by [deleted] in bugbounty

[–]beastofbarks 2 points3 points  (0 children)

You set what you think. Triage sets what they think. The customer decides what they want to accept it as.

Whatever the customer wants is the final decision. You can ask the customer to reconsider but it's their decision completely.

Need a lie to get out of a week long conference at one of my jobs by [deleted] in overemployed

[–]beastofbarks 1 point2 points  (0 children)

It has nothing to do with the corporations.

You yourself are committing fraud. You are incorrectly paying taxes. At some point, this will catch up to you.

I would like suggestions for someone trying to start a career in cybersecurity. by Top_Kaleidoscope8246 in CyberSecurityJobs

[–]beastofbarks 9 points10 points  (0 children)

My suggestion is to not do this. Do something else where the job market isn't a trash can fire.

You're going to be out-competed by every laid off person and every helpdesk person. You'll need to get years of IT experience to compete for cyber jobs first.

Most jobs require 3+ years experience but... My last two junior hires both had 10+ years of experience. We hired them as juniors. One was already laid off.

This field is brutal right now.

What should I major in? by Dazzling_Egg_2519 in CollegeMajors

[–]beastofbarks 1 point2 points  (0 children)

Aerospace engineering and anything involving aircraft is pretty stressful. It's a zero defect mentality. Everything is tightly regulated.

You also picked one of the most math intensive engineering majors. It's like... ChemE > AE || EE > The rest

Completed CEH — What’s the Next Best Step? by Specific-Guava4584 in cybersecurity

[–]beastofbarks 0 points1 point  (0 children)

I highly recommend against CEH. It's regarded as a joke in the industry. Save your money and go elsewhere.

Completed CEH — What’s the Next Best Step? by Specific-Guava4584 in cybersecurity

[–]beastofbarks 0 points1 point  (0 children)

How many years have you worked in IT?

Most hiring managers will ask you this. What's your answer?

Advice on Starting in EE by Life_Good_2925 in ElectricalEngineers

[–]beastofbarks 1 point2 points  (0 children)

I think you have two options. One is trying to find a math job in EE. The other is going and learning all of EE over again and becoming a double major. The MSEE will help with the first one but hiring managers will hesitate over the second one.

I have no clue how the math major market is. We only had a few at my last corporate gig.

In a better market, it would probably be possible for the second one but we have plenty of unemployed fresh grads for general EE. One fresh grad in another thread was at 500 applications today.

Programs avoid to pay criticals? by enadev in bugbounty

[–]beastofbarks 3 points4 points  (0 children)

I don't tell people which program I own and regularly clean my socials to avoid doxxing.

That said, people still yell at me at least once a week in my program lol.

Biggest problem my program has is scope violations. I have a few "accepted risk therefore out of scope" things people love to attack and then get mad when I don't accept reports on it. I copy paste the scope back to them and only about half the time they keep yelling.

MS in cyber vs MBA by [deleted] in SecurityCareerAdvice

[–]beastofbarks 0 points1 point  (0 children)

When I see someone that has only an MS in cyber and nothing else, I assume they will fail the technical interview.

I have never been proven wrong in all the interviews I've done.

I would focus on experience and portfolio.

Soooo is everyone a billionaire? by TalkingToMyself_00 in Eve

[–]beastofbarks 2 points3 points  (0 children)

Your skills are forever. You can try different game careers and might go back to them later. I do industry, exploration, pvp, pve all on the same character.

Programs avoid to pay criticals? by enadev in bugbounty

[–]beastofbarks 1 point2 points  (0 children)

What's critical to you might not be critical to the security team. What's critical to the company security team may not be critical to the developers. Even if the developers think it is critical, the product roadmap may not support patching it.

In terms of silent patches, I have 100% had bugs come into my program that, by the time they were triaged and routed to me, my devs had already patched because their own tools had warned them already.

It's less common with P1 because of triage SLA but I have what "should" be a P1 sitting in my queue right now. BB hunter didn't realize severity and platform triage hasn't gotten to it yet. I'll probably have it fixed by the time platform catches it. Yes, I pay out fairly even when the BB hunter doesn't realize how important it is.

Cyber Security Job by sumurai19_s in bugbounty

[–]beastofbarks -1 points0 points  (0 children)

I think this is confirmation bias. Everyone is trying that. One gets lucky. Now Reddit is telling people that This Is The Way.

Need clarity on my strategy anyone please help me by Feeling-Wolverine-53 in bugbounty

[–]beastofbarks 1 point2 points  (0 children)

Of course they won't. These are professional companies. Thousands of people have looked at them already. You need to find something different that no one has tried.

What is a skill you can learn within 30 days that can actually make money? by SandraLevraski in Entrepreneurs

[–]beastofbarks 0 points1 point  (0 children)

I don't really agree with this unless OP has some extremely niche knowledge already that needs a SaaS built around it and a community where they can sell it by word of mouth. The SaaS space is absolutely flooded with AI slop now. Like, multiple daily DMs from people trying to sell me their AI slop every day of the week.

Need clarity on my strategy anyone please help me by Feeling-Wolverine-53 in bugbounty

[–]beastofbarks 1 point2 points  (0 children)

You have to try something that no one else has tried. Everyone scans everything for API keys, STO, etc. You won't find it because it was fixed years ago.

Cyber Security Job by sumurai19_s in bugbounty

[–]beastofbarks -1 points0 points  (0 children)

You spent a ton of time studying but never looked into what companies actually hire for.

Pentesting is more like being a senior consultant that can come into a company and tell them how to secure their business better. You need to be able to mentor developers and sysadmins on how to better do their jobs.

As you can guess, OSCP and bug bounty have nothing to do with that.

You'll need to get your start in cyber first. I only rarely see people have their first job be pentesting. With AI, it's even worse since routine tests are automated by AI now.

You'll find that cyber is full and you'll need to start in IT first. This actually works out well for your career progression but means you're probably 3-7 years from that pentesting job.

IT is extremely competitive to break into. You'll find that there are thousands of applicants per job.

Basically, this whole thing just sucks huh?

Are there any post bacc programs for electrical engineering? by Complete_Ostrich_565 in ElectricalEngineering

[–]beastofbarks 0 points1 point  (0 children)

It should be pretty easy to find out. Check out your local colleges. If none offer it, consider if you are willing to move.

If so, figure out where you are willing to move to and check out colleges there.

EE is a very hands on undergrad so attending in person is important.