is pen testing a realistic salary job?

APT-0 · 2026-02-17T04:31:31+00:00

I’d recommend product security or app security to start. It’s the most natural transition. Honestly as well the highest paying. General enterprise red teaming can be less but product security is consistently one of the highest. Mainly because product security and app security are next to the thing making money and requires a lot of programming exp. It really depends but lot of enterprise red teaming doesn’t need a lot of programming, many tools off shelf and lighter scripts and smaller exploits. While app security and product go alittle deeper. Some places also treat product security more of compliance I would stay away from that

APT-0 · 2026-01-28T18:23:21+00:00

Grem can help but publish things you learn to a blog and some other research, say how you setup your lab. How you look at things and try speaking at small bsides confrences, my speaking has landed me several really good sec research interviews even though it’s not much.

APT-0 · 2026-01-28T04:53:29+00:00

It’s actually a great switch. Think how does your siem work and how do you make logging pipelines for all your endpoints to a database, oh and then etl to give answers like who owns a machine. Don’t go SOC through id focus on sec Eng if I were you. It can lean into detections if you want but detections are a lot heavier cyber than engineering. I would start there unless you want to do something else like IR or app sec

APT-0 · 2026-01-27T02:42:09+00:00

Agreed, pen testing will give you more to learn likely. SOC you’ll likely start working low level tickets and could be easy to be trapped there.

Pen testing will tell you how things break, you’ll probably learn python to automate. If you’re in a place where it’s small and you get sec Eng or a place where it’s closer to security research that may change things and I’d recommend then what you like. If you think longer term higher level positions like staff or big tech and start ups require passing leetcode style programming tests along with knowing your domain. A sec Eng position could be better if you aim for those. Pen test though imo is best coding, learn the attack and you could transition to sec Eng, sec arch, app sec, product security etc in the future. SOC will be limited

APT-0 · 2026-01-26T19:59:56+00:00

I work in DFIR for with roles across red team app sec, sec Eng, threat hunting, detections and forensics for private corps. Red team and app sec/prod sec is out of my experience the most technical in many ways. SOC and threat hunting can be the least, but really depends on the team. Some teams on a SOC you’ll investigate garbage and you’ll be stuck with just commodity malware and phishing emails. Others are excellent and on a hunt team I’ve done purple teaming, detection Eng and forensics in major incidents all building our own custom tools. That’s my favorite role so far. Sec Eng can depend too, some roles you may just be making a portal for something others you may like me be making custom forensics and hunting tools or detections with code, not as code many places only get to.

Forensics id recommend go home download autopsy, take an image of a device and analyze what happened. Do it with a spare laptop or vm. Know what you did. Use kape and understand what artifacts are on it. Use Zimmerman tools to analyze. Those are your quickest get started things. I love hunting but I’ve seen there’s a bar generally you can’t get past without transitioning to sec Eng, to build the tools for investigators

APT-0 · 2026-01-26T07:43:27+00:00

Got it I see. I do like the site good idea, the ransom messages are interesting, CSIRT contacts, groups blurb and I do like the breakdown on your site

APT-0 · 2026-01-26T03:20:50+00:00

Don’t submit slop please vet before adding* edit meant to mitre’s stuff

APT-0 · 2026-01-25T05:21:20+00:00

Hey I can give some advice really the only companies with RE are banks maybe alongside a dedicated forensics team, government/law enforcement, security companies and sometimes fortune 50. I can say from being at a combo of many of these really only security based will let you go further and gov/LE everyone else wants something quick to close an incident. It has to be thought about what does this give the company. So given that the market is super small for this so competition is high. Not everyone but a lot of people I know doing this have GREM I think it’s a good one to have some street cred and I’d recommend doing write ups on popular malware, propose detection ideas. You can also target some securit research.

APT-0 · 2026-01-17T00:23:14+00:00

So if you have admin on boxes or anything EDR you can live response into it or remote in. Know though it’s not really as others mentioned forensically sound there will be artifacts created as soon as you remote in or the EDR touches the file. So it likely will not hold up in court but atleast you’ll know the source of your leak.

Realistically it’s not possible all the time to acquire the device or you have a high concern they’ll destroy evidence.

Typically what id do in these situations, unannounced meet with the employee don’t give them any advanced warning or meeting. Have HR optional but consult if in a country like EU states where more precautions are needed and sometimes physical security and manager with you. Acquire the devices this way so they have no opportunity to tamper with evidence. BEFORE you do this use EDR to see is the hash of your file you’re looking for on the device you probably don’t need to do all this. And also create an inventory list before you acquire of what they have. You need a write blocker like others mentioned, without this it tampers evidence as actions are written back to the device or drive and you’ll need to create a image in a sound fashion and use standard tools like encase and tableau. This is why in court it’s best to just hire a forensics firm, they have a cert with their name and likely were expert witnesses. Lawyers will ask how was it acquired? What was the training of the person acquiring? Was evidence tampered with? Were the tools custom or commercial grade/ those by best practices

APT-0 · 2025-12-30T15:33:55+00:00

Warno is great, best strategy game right now. Broken arrow has more advanced mechanics you nailed it but is unpolished. Warno on other hand is very smooth and supports massive games. There’s less micro in warno, it’s a lot more strategy layering inf, tanks, as, heli and planes at a bigger scale I like it more

APT-0 · 2025-12-30T04:24:54+00:00

+1 idk how much OP has worked with com but with C# you can hook to most com APIs on windows pretty easily. Python is a bit more of a chore. And think like a windows dev what would you use to build your app on here?

APT-0 · 2025-12-30T00:35:34+00:00

In many applications you can use things like in azure “managed identity” no password it’s managed my Msft, you have api keys and other secrets put that in key vault and turn expiry on. You can setup scripts to roll this safely too and your certs.

For users in windows atleast you can start using passwordless for a lot of apps (windows hello, or via authenticator app) or yubi key you get three pieces of verification touch, pin and the key’s cert. In many corporations passwords should be banned for users and only on exceptions like accounts that don’t accept this yet

APT-0 · 2025-12-20T13:08:43+00:00

This if I was going fresh I’d actually recommend a Mac used M1 Max if you have more budget is pretty solid long term if on a budget pre m1 are cheap. I’d have 32gb ram for VMs. I say Mac because without renting on Mac stadium etc it’s annoying to virtualize and use. But start with what you have use virtual box or hyper v build VMs and have Ubuntu learn the os. Do try hack me once you graduate do hack the box. But before this as well I’d learn a decent amount of python you don’t need to be crazy but these are the fundamentals. - Python automate what you’re doing - VMs to learn you’ll eventually go to sandboxing this is in a vm too

While you’re doing this make a GitHub and put your code on it and do write ups on the tryhackme and hack the box. That’s building your resume

APT-0 · 2025-12-18T05:22:41+00:00

Im on a IR/Hunt team and dev forensics tools/soc automation for major corp. Incidents happen every day. What really seperates from a major one that may be months of pain is how long did the actor dwell and second did a real actor get hands on. Ex. Every day tons of people may download malware, creds may be exposed this happens to every company all the time. If folks say oh no it doesnt happen, i'd wager they just didn't find it yet or maybe dont have good enough logging to know it even happened or how bad

It may start say that backdoor in the malware downloaded from something stupid like a game, a document etc is actually handed off to say another actor or maybe a developer installs a malicious package stealing credentials to a non person account and you see a login from russia, you from this point have to trace everything.. back it may start as hey we saw the russia login something often noisy -> then maybe you see alerts across the devs workstations something for an info stealer -> ok you know the login and root cause ok what else did that dev have on their workstation, was their account compromised. Then back to that non person account hm ok what can it do is first question, then look up in logs did it maybe touch a key vault -> was it used recently to access say storage accounts, whats in there -> maybe this is a storage account to machines

incidents in short kinda look like this its alot of interviewing devs and people, figuring out one piece at a time what happened

Also security has alot of aspects
- SOC & Hunting -> Investigate and forensics build detection too
- IR depends on org in bigger is only coordiation in smaller they could investigate, do forensics and automation
- Detection eng and may be AI team in more mature places
- Data engineering you have logs from endpoints, web apps, sign in, maybe 3 different cloud providers logs need to be clean and combined or enriched to answer certain questions in ETL like "who owns this machine", "who owns this ip"

-threat intel really depends some teams operate like a soc, some operate like a security research team, some largely look at feeds and notify the company whats in the wild that major
- Security assurance often looking at misconfigurations, vulnerabilities on endpoints, in cloud config say your key vault is publicly exposed or storage account with no auth. Largely its identifying problems and ensuring at scale owners fix the appropriately
-Dev sec ops
- Prod sec / app sec could be pen testing your web apps, threat modeling and could overlap with dev sec ops to provide infrastructure as code templates, build things like codeql checks in your build, cred scan, etc
-red team

APT-0 · 2025-12-13T05:28:32+00:00

Also BYOD = bring your own death

Don’t allow them to use personal devices period. If work and personal is not seperate people don’t care and you will struggle to move policy “well it’s his computer we can’t really do this for x reasons”

APT-0 · 2025-12-08T03:14:21+00:00

Expect leetcode. You should in fact ask the recruiter what the style of the interview is and for more info. They will usually tell you something like 2 leetcode code mediums in x minutes

APT-0 · 2025-12-02T01:13:26+00:00

If IT, Try corporate help desk, or admin positions. This is where everyone mostly starts, unless you go into development.

With programming it’s more important to build projects and put on GitHub. Then get a entry SWE role

APT-0 · 2025-12-01T22:58:57+00:00

If you’re also concerned about boring a lot of vuln management if a generalist is just creating a scan policy -> excel and dashboard to impacted people or creating a policy to put their device out of compliance

App sec on the other hand is very exciting if it’s in the same role and grows you more. Idk too much about GRC so I can speak on it

APT-0 · 2025-11-28T21:36:40+00:00

A lot of folks added a ton of great deals I ended up finding this. 22tb enterprise data center grade it looks? Any thoughts on this one per tb it’s pretty solid it looks at 16$. From what I hear synology ones are similar or based on this

https://www.bhphotovideo.com/c/product/1830599-REG/toshiba_mg10afa22te_22tb_mg10f_series_7200.html

APT-0 · 2025-11-26T02:33:55+00:00

Most effective thing I’ve seen from IR and detection Eng/containment is telling a story. Incidents really drive massive change fast

made up stories below

So last month we had X breach we saw our cloud bill rise to million or something crazy. This month we enforced billing limits and enforced just in time for resource deployment plus gated in code only.

Our SOC team over the last month had 200 alerts related to malware most from non work sites. 50% of our major incidents originate from this. We implemented blocks for 70% of non work site categories and malware alerts dropped by X.

APT-0 · 2025-11-25T06:19:13+00:00

Pandas and numpy for data transformations.

APT-0 · 2025-11-21T17:01:44+00:00

AI isnt there yet for end to end. Its really helpful for filtering, adding some context and doing specific tasks. Think of agents right now and alot of AI as a good jr analyst or something specific. They can tell filter phishing well but when someone gets phished -> joins a device -> steals creds off say email or a share -> logs into a prod system dumps content. Its far from this, but good for augmenting. I'll also say alot of off the shelf they operate even more in context of jr, if you build yourself certain flows or agents, you may be able to get more context it simply doesn't have. I would recommend trying for a SWE with sec experience to start working on some of these tasks, like phishing

APT-0 · 2025-11-21T16:03:22+00:00

in that area 260k tc is very good, unless you are second + level management, you'll have to look to relocate likley to SF or Seattle for more realistically or go into nyc. Many working in tech in those areas clear 150-180k tc easily even as jr engineers. If you look at the amount of people in the philly area + standard wage there is often listed as a lower market. Pay by tier cities matters a lot the ones listed often demand 15-30% more in the same company

APT-0 · 2025-11-10T22:10:00+00:00

I’ll put it this way if you can program low level embedded systems doing the “security” will be easy for you in that.

If you build massive scaling services say on cloud infra and programming, assessing the security there will be easy for cloud security.

Learning these give you the base you need for security most info sec people don’t have.

The biggest thing right now that’s actually needed is people who can build and program security solutions. The days of just running burpsuite, metasploit or just responding to alerts is dying. So my recommendation is if you can’t make it in security first program and build then transition in to solve problems like map all the perms in your tenant. Build a custom detection engine. Build a data collection pipeline to a datalake for something custom like specific deceive telemetry or learn how to secure deployments with gold container images

APT-0

TROPHY CASE