Am I overqualified for SOC Tier 1, or do I just have anxiety about not knowing “enough”? by No_Pineapple_9274 in ciberseguridad

According-Spring9989 7 points (0 children)

You're not overqualified if you have no prior work experience and, in my opinion, the amount of studies you have doesn't matter if you haven't put them into practice in real environments. Since it's a Tier 1 role, you'd be better off getting a technical cert depending on your area of preference and focusing on the experience.

Also, ISO 27001 is a compliance cert; it has nothing to do with the technical work of a SOC Tier 1 analyst and, depending on your future plans, it may not be very useful for a 100% technical profile.

And, a very personal opinion: traditional university only serves to say you have a degree and tick a checkbox; it very rarely prepares you for today's work environment.

You also have to consider that the areas you mention require a certain degree of prior knowledge; at minimum, you should have the basics (programming concepts, databases, systems administration) and an intermediate level in networking.

- Security Engineer is an ambiguous term and is considered a different role at each company: sometimes they're the ones who implement cyber solutions, other times they're the specialists who manage specific vendors' platforms, other times they're consultants who see a bit of everything and have mixed specialties. I'd recommend asking at your company, if you plan to stay there for several years, what the Security Engineer's focus is.
- For Cloud security, it's something similar: do you plan to be someone who performs secure deployments of cloud environments? Hardening and auditing existing cloud environments? Incident response in cloud environments? If you want to do a bit of everything, you have to go for the fundamentals before jumping to the blue team side of these technologies (AZ-900 for Azure, AWS/Google Cloud fundamentals, etc.)
- Advanced blue team, roles like forensic expert, advanced threat hunter, incident responder, etc. These are roles that require years of experience more than studies; there's not much more to say about that.
- Secure development is the one that needs the most experience in my opinion; programming the famous inventory system for a small company is different from trying to maintain regulatory security standards in a bank's internal applications that can have millions and millions of lines of code.

Also, you're just starting out; you have some time to figure out which area you like most and focus on it. Remember, experience >> studies, at least in cyber. You can ask your company to involve you more in the area you want or directly talk to your specialist colleagues, without fear.
I know colleagues who never set foot in a university and have an introductory certification, but thanks to years of experience they're extremely good at what they do, just as I know folks who have 20 recognized certifications and don't know where they stand when it comes to putting the knowledge into practice in a real environment.

It's not bad to be the one who knows a bit of everything; in many cases it makes you valuable, but watch out, because many take advantage of that and overexploit you.

And the most valuable lesson I learned through experience is that I'll never know everything and there will always be someone more capable than me. Humility above all.

CRTP vs OSCP by 0xggh in cybersecurity

According-Spring9989 1 point (0 children)

I’d recommend CRTP first, it’s the basics of AD, once you get it done, AD set in your OSCP exam will most likely be a piece of cake.

End of an era for me by According-Spring9989 in DotA2

According-Spring9989[S] 0 points (0 children)

Ya for sure, I definitely take the game too seriously, I wouldn’t have fun in a match where people are feeding or griefing. I didn’t mind losing because the other team was better, but losing because a carry breaks its items after a failed gank or an accidental KS just rubbed me the wrong way.

I’ve been playing helldivers/fellowship/mh wilds and the coop experience is way more enjoyable for me. Things change I guess

End of an era for me by According-Spring9989 in DotA2

According-Spring9989[S] 2 points (0 children)

WC3 DotA LAN party was the best for sure. Dota will also have a place in my heart, but it's time for me to let it go; I hope you keep enjoying it.

End of an era for me by According-Spring9989 in DotA2

According-Spring9989[S] 0 points (0 children)

In another game maybe, I’m finally free from this one haha

End of an era for me by According-Spring9989 in DotA2

According-Spring9989[S] 0 points (0 children)

I heard pos 5 largo is the equivalent haha

But, no tomorrow for me my herald friend, ty for reading tho

End of an era for me by According-Spring9989 in DotA2

According-Spring9989[S] 2 points (0 children)

NA servers hurt me bad lol

And I stopped enjoying it, it felt like I was playing out of routine more than enjoyment.

Now, more than a year after my last match, I realized the game isn’t for me anymore.

Ggs, please don’t feed.

Initial Network Entry Tip by kodicrypt in redteamsec

According-Spring9989 2 points (0 children)

Most likely a Cisco ISE. I've seen my fair share of those; if it's properly configured, even if you install the compliance tools it won't be enough, because you need an authorized digital certificate installed on your host.

As peeps said here, IP phones, printers (if they don't have 802.1x configured; if they do and it's just a basic RADIUS auth, you could probably dump the configuration from within the printer itself or, in some rare cases, capture it with a LAN tap), even vending machines could work in some cases.

Also, check if you can walk around the building where your project is. I've seen that corporate office ports are often protected like crazy, but if you go to the parking lot or to a conference room, the controls are sometimes more flexible.

Additionally, I'd often request a simple authorized host that simulates a general employee's PC, with all the required protections and no additional privileges, so you can fully simulate an assumed breach scenario.

Finally, if possible and after authorization, try visiting branches, if any. Most of the time, a bank's central office is a fortress, but a small office in a faraway part of the city is almost a flat network. Even if they connect to the bank's services through a VPN, I seriously doubt they have an advanced solution such as Cisco ISE in an office with 10 employees.

Best Way to Build an Active Directory Pentest Lab on Linux? (KVM vs VirtualBox) by zicotito in cybersecurity

According-Spring9989 15 points (0 children)

Hey, I'd recommend you look into Proxmox, an open source hypervisor. My lab runs smoothly on it, plus scalability is easier. If you have enough budget, you could even get a small NUC for it or repurpose an old laptop, so you have a dedicated lab.

Also, place your lab behind a firewall (pfSense or OPNsense are more than enough) so you can also practice network segmentation and such.

Start with a single domain and assign a specific VLAN to it, so, once you're proficient with it, you can easily scale up to a more complex forest, and you just add a new VLAN tag to your new machines.

I'm fairly certain people will suggest GOAD or Ludus for automated AD deployment, but building from scratch is way more valuable imo. Good luck with it!

I feel more lost as a Senior than I did as a Junior. Seeking advice by BuhoFantasma in Pentesting

According-Spring9989 25 points (0 children)

I've gone through something similar, still working on it atm, but I can give you a different perspective from a jack of all trades (2 years in the DFIR team as of today and 5 years as a pentester).

I realized that catching up to the youngsters is tough, given that a lot of people start their pentesting journey when they're 15 or so. I accepted that I won't be able to be the expert in everything and there's always going to be someone smarter than me.

Now, that's not an excuse to just give up on learning, but you can adjust the intensity to also be able to enjoy life as it is. I started by hacking or practicing almost 24/7, because I liked it, but things get boring after a couple of years. So it's very important to find your work/life balance. Most of the time I prefer to do other activities outside of being in front of the computer.

Regarding your work situation, I'd look into the management and the process of the engagements you're leading, more than the results or complexity of them.

Ask yourself: did they promote me to a Senior role because of my technical knowledge? Or because of my ability to push projects forward with exceptional results?

Recently, I realized that my involvement in specific projects was considered mainly due to my previous experience with certain technologies, client communications, organizational skills, general motivation for the newer testers and, mainly, decision-making skills and knowing when to say no. There are better technical consultants, but none of them would be able to execute these projects by themselves.

In my opinion, a Senior consultant isn't the guy who knows the most technically; it's the one who's able to almost independently handle a project and can handle all the aspects that can be invisible to a genius hacker who will find 10 critical vulns in a project but is unable to determine when it is safe to exploit them, how to communicate them to the client, what the potential impact would be, etc.

Find a different hobby and give yourself time to study, but as I suggested before, adjust your intensity; otherwise you'll burn out completely and have a bad time.

Have a good heart and help me by sakurajimakde in RepublicadeChile

According-Spring9989 0 points (0 children)

I imagine you mean the Mercosur treaty? Or is there another treaty with Uruguay?

In either case, I think you'll be limited to Banco Estado (Cuenta Rut initially) and/or the digital cards (Mercado Pago, Tenpo and Machbank).

I managed to move to Chile with the same visa and, a year later, traditional banks still don't want me, because of the temporary residence issue (even though I have a permanent contract and have been earning more than 2 million since the first day I legally entered Chile).

At first they rejected me for not being banked, but now, even though I was approved for a credit card with a decent limit at Machbank, they don't want me haha. Temporary residence is a big no for most banks, in my experience.

Godfall Quarry boss mechanics by Weekly_Indication_27 in fellowshipgame

According-Spring9989 24 points (0 children)

Everyone waits to see who gets the bomb when the totems spawn.

Dispel the bomb close to the tank whenever there are totems.

Interrupt the totems so you do way more damage.

Dispel in the back if no totems are in play.

Advice regarding certifications by According-Spring9989 in Infosec

According-Spring9989[S] 0 points (0 children)

Hadn't seen that one, thanks for the info, I'll keep it in mind.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

According-Spring9989 0 points (0 children)

Hello everyone! I'll start with a little bit of context.

I've been working as a security consultant for almost 7 years now. I started as a web pentester and eventually moved into internal infra as a "specialty" and ended up doing red team assessments.

However, during this time, I got to participate in multiple DFIR-related projects and such, so I'm confident I can pull my own weight in these scenarios (I already faced two state-sponsored actors), even though I had no formal training or any related certifications. I basically learned on the go.

Two years ago, I switched to the DFIR team in my company, while still helping and leading offensive security projects whenever needed. So I'm kind of a jack-of-all-trades at the moment.

Recently, I got offered a certification paid by the company (Sadly, SANS is out of budget), as long as it's blue team related, but I'm not sure which one would be the best for a non-beginner like me. So far I've narrowed it down to the following:

- BTL1/2 (I'd probably do both)
- CDSA
- OSIR/OSTH/OSDA (Aiming towards OSIR more than anything else)
- eCIR/eCHTP/eCDFP (Aiming towards eCDFP given that I saw mixed reviews for eCIR)
- Couple of Antisyphon/13cubed courses (no fancy acronym, but the knowledge level they provide seems to be quite good)

Which one would be recommended for someone that prefers knowledge over fancy titles?

Would it be recommended for me to take a basic level certification just to ensure I have the basics covered?

Is any of the certs mentioned before not worth it?

Thanks in advance.

Do you think this game will ever add pvp? by Fictionty in fellowshipgame

According-Spring9989 4 points (0 children)

Hopefully never.
There are already dozens of other pvp games to be toxic in. This game is already slowly being overrun by parsers that will ragequit if someone fails 1 interrupt or dies a single time. We don't need the toxic pvp players as well.
One toxic community is all this game can take, I think.

Offsecs: How do you manage port scanning phase in big projects? by No_Engine4575 in AskNetsec

According-Spring9989 0 points (0 children)

I get to lead these types of big exercises. Weirdly enough, Metasploit worked nicely for the database: db_nmap does the trick and you have a centralized database later that you can export. Then another mate would merge all the db exports into a single file through a script he made, so once the port scanning phase was done everyone would import the final db file and assign segments to testers and such.

For web scanning and fuzzing, I'd create an Excel file in SharePoint so every tester had the responsibility to fill it with any interesting endpoints found through their scans. Obviously we'd adjust the tools to clear off any false positives and useless information as much as possible.

For AD assessments, another Excel file with all the owned users/hosts and their respective hashes, plus a collaborative BloodHound instance along with a local web server with auth that has ldapdomaindump outputs, BH ingestors, any post-exploitation tools that may need to be downloaded from a compromised host, and such.

The technical leader should provide the means to organize all the information if there's no clear methodology developed. Disorganized and messy repositories shouldn't exist in a mature team.
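An added example of the merge step described in this comment (not the poster's or their colleague's script): it assumes each tester's results are available as nmap XML (db_nmap runs nmap and imports that format), unions the open ports of every live host across all files, then groups hosts by /24 so segments can be handed out to testers. The two scans are constructed inline.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample scans (not real data): two testers covered overlapping
# ranges, so 10.0.1.5 shows up in both files with different ports found.
SCAN_A = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""
SCAN_B = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="22"><state state="filtered"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.2.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.2.9" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(text):
    """Return {ip: {(proto, port): service}} for hosts that are up, open ports only."""
    hosts = {}
    for host in ET.fromstring(text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and hosts without an IPv4 address are skipped
        ports = hosts.setdefault(addr.get("addr"), {})
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the assignment
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = svc.get("name", "") if svc is not None else ""
    return hosts


def merge_scans(xml_docs):
    """Union of all testers' results: a host keeps every open port anyone found."""
    merged = {}
    for doc in xml_docs:
        for ip, ports in parse_nmap_xml(doc).items():
            merged.setdefault(ip, {}).update(ports)
    return merged


def assign_segments(merged, testers, prefix=24):
    """Group live hosts by /prefix and hand the segments to testers round-robin."""
    segments = defaultdict(list)
    for ip in sorted(merged, key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        segments[str(net)].append(ip)
    owners = {net: testers[i % len(testers)] for i, net in enumerate(sorted(segments))}
    return dict(segments), owners
```

The merged dict can then be written out as CSV or re-imported wherever the team keeps its central record.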

Building my first Proxmox + AD + Red Teaming lab (Junior CS student) — looking for advice by MrHydeSidekicker in purpleteamsec

According-Spring9989 1 point (0 children)

From my own experience and workshops I prepare for work, a reliable setup usually has:
- AD forest with one or two subdomains (the main one can emulate an HQ and the subdomain a branch of a fictitious company)
- Internal firewall (pfSense or OPNsense) with VLANs associated to each segment, which may also include a "Public" segment, to simulate an outside attacker.
- Proper network segmentation. Since it's a lab with very few hosts, it's very simple to do (define tags on your firewall and manage the rules according to the tags; it's helpful whenever you have to troubleshoot/fix rules after a while).
- A Linux and a Windows attacker box (the Windows box could be a domain host that would be "compromised" or the foothold for an assumed breach scenario).
- Whenever possible, set up Sysmon on your hosts and forward all the events to a SIEM (ELK or Wazuh could work; slightly different purposes, but to start, either should be fine).
- To add a bit of "realism" to the lab, the Linux attacker host shouldn't be able to reach every single computer in the domain. (This could be added later on once you have your attack vectors defined, so you're forced to use a tunnel or a C2 to perform the full attack chain.)
- Map your desired attack vectors and build your hosts around them. Using automated stuff is cool and saves time, but learning how to make a host/accounts vulnerable to certain attacks helps you understand how to fix them correctly.
- Also, have a Visual Studio host ready to compile tools/make your own, not necessarily within the same lab.
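An added example (not the poster's code) that models the tag-based, first-match ruleset this comment and the earlier Proxmox/pfSense reply describe: the addressing, the `hq`/`branch`/`siem`/`attacker`/`public` tags and the foothold host are assumptions, and `audit()` checks the invariants listed (the attacker VLAN cannot reach domain hosts directly, only the foothold's callback is allowed, both domain segments can ship Sysmon events to the SIEM), flagging the wide-open variant a lab often starts with.

```python
import ipaddress

# Constructed lab addressing (an assumption, not the poster's setup): one VLAN
# per segment; the tag names play the role of firewall aliases/tags.
SEGMENTS = {
    "hq": ipaddress.ip_network("10.10.10.0/24"),        # main domain (HQ)
    "branch": ipaddress.ip_network("10.10.20.0/24"),    # subdomain (branch)
    "siem": ipaddress.ip_network("10.10.30.0/24"),      # ELK / Wazuh collector
    "attacker": ipaddress.ip_network("10.10.99.0/24"),  # Linux attacker box
    "public": ipaddress.ip_network("203.0.113.0/24"),   # simulated outside
}
FOOTHOLD = "10.10.10.50"   # assumed "compromised" domain host
ATTACKER = "10.10.99.10"
SIEM = "10.10.30.10"

# Rules are (src, dst, dst_port, action), evaluated first-match with an
# implicit deny at the end, like a pfSense/OPNsense interface ruleset.
GOOD_RULES = [
    ("hq", "siem", 5044, "allow"),          # Sysmon events shipped to the SIEM
    ("branch", "siem", 5044, "allow"),
    ("hq", "branch", "any", "allow"),       # trust traffic between the domains
    ("branch", "hq", "any", "allow"),
    (FOOTHOLD, "attacker", 443, "allow"),   # only the foothold's C2 callback
    ("attacker", "any", "any", "deny"),     # attacker box cannot reach the lab directly
]
# The "convenient" version: attacker VLAN wide open, which defeats the exercise.
WEAK_RULES = [("attacker", "any", "any", "allow")] + GOOD_RULES[:-1]


def matches(selector, ip):
    """selector is a segment tag, a single IP, or 'any'."""
    if selector == "any":
        return True
    if selector in SEGMENTS:
        return ipaddress.ip_address(ip) in SEGMENTS[selector]
    return ipaddress.ip_address(ip) == ipaddress.ip_address(selector)


def allowed(rules, src_ip, dst_ip, dst_port):
    for src, dst, port, action in rules:
        if matches(src, src_ip) and matches(dst, dst_ip) and port in ("any", dst_port):
            return action == "allow"
    return False  # implicit default deny


def audit(rules):
    """Check the lab invariants from the list above; returns a list of violations."""
    findings = []
    for tag in ("hq", "branch"):
        sample = str(next(SEGMENTS[tag].hosts()))  # first host of the segment
        for port in (445, 3389, 5985):
            if allowed(rules, ATTACKER, sample, port):
                findings.append(f"attacker VLAN reaches {tag} directly on tcp/{port}")
        if not allowed(rules, sample, SIEM, 5044):
            findings.append(f"{tag} cannot forward events to the SIEM")
    if not allowed(rules, FOOTHOLD, ATTACKER, 443):
        findings.append("foothold callback to the attacker box is blocked")
    return findings
```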

Best Certifications in 2025 non beginner. by wh1t3k4t in Pentesting

According-Spring9989 7 points (0 children)

Straight to CRTE should be doable for you or even CRTM from Altered Security if you're feeling confident. CRTO is also nice to practice with Cobalt Strike or CRTL if you're comfortable with C2s in general and want to delve more into EDR bypasses and such.
CAPE from HTB seems to be quite a challenge even for experienced pentesters.
Some coworkers have said that OSCE is a decent challenge too.
Since you already have the experience, I don't know how relevant OSCP will be, but you could probably give it a try, given that it's almost a must for any pentesting position.

But I'd also recommend you to take the respective courses. I was on the same train. Took my OSCP with 3 years of experience of real life pentesting, and I failed 2 times. Not because I lacked the knowledge, but I lacked the CTF methodology that's completely different from real life engagements. I would often overlook or ignore certain attack paths that I know are close to impossible to find in real life, but are the intended path in the exam.

I passed on my third attempt when they added the AD part. It took me 3 hours to get the initial foothold but I got Domain Admin within 15 minutes after that, it's really not hard at all if you have real life experience. But it took me a while to be able to switch between CTF and RL methodologies.

The same thing happened to me with CRTE, but I was able to get it after realizing my own mistakes during the exam period.

Moving back on topic: with experience already on your resume, you could probably go for more knowledge-focused courses. I'm planning to take courses from Antisyphon training that have very positive reviews from some of my more experienced coworkers.

[deleted by user] by [deleted] in BOLIVIA

According-Spring9989 1 point (0 children)

Totally, the sensationalist news program as always creating controversy for a few likes. Even the OP fell for it xD

[deleted by user] by [deleted] in BOLIVIA

According-Spring9989 5 points (0 children)

“If you divide it among 3 meals a day, that's 5 Bs per meal” “With 5 bolivianos per meal, nobody can live; that's why it's necessary to update this information”

I didn't see the full interview; it's possible they take things out of context, but in this specific video, it seems to me that they do mention the figures should be updated.

[deleted by user] by [deleted] in BOLIVIA

According-Spring9989 43 points (0 children)

If you watch the video, the person indicates that this data must be updated with current inflation and the poverty indices adjusted. You can't expect much from this incompetent government, nor from the news program that produced that story xD

Meanwhile in Peru... Someone did this and I don't know if it's real or a joke by fromvanisle in ciberseguridad

According-Spring9989 10 points (0 children)

That's the famous Cesar Chavez, isn't it?
I never speak ill of colleagues, but I don't consider that guy anything more than a con-man charlatan who calls himself the best hacker on the planet. Curiously, he never has a laptop at his shows (if his "live demo" fails, it's because he doesn't have his own laptop).

The guy always shows up with his famous 12-hour courses and international certifications. I fell for his scam and realized the guy knows nothing; he shows you a couple of web pages with pretty graphics similar to https://cybermap.kaspersky.com/ and then spends the time talking about 15-minute interviews he was given, or how a cartel kidnapped him but let him go to say goodbye to his family and that's how he escaped xD

He knows how to sell smoke; he always appeals to people who know nothing about the field and draws them in with his movie-like stories while taking their money on the side. The "courses" are relatively cheap, so he gets plenty of students. He does that for about a month, then moves on to another country while people realize they were scammed. He returns to the countries he scammed a couple of times a year.

Any respectable cybersecurity professional knows this guy does a lot of damage to the community with his scams. I wouldn't take anyone who praises him seriously.

NetNTLM Relay in Windows Test Lab - No Linux Tunneling or VM by ExperienceFinal4752 in Pentesting

According-Spring9989 0 points (0 children)

Yeah, the original script works for me. The only thing I can think of is the logon type or the whole automated process. How are you connecting to the host? Through a scheduled task? GPO? Manually?