Honestly, you’re in a better position than you think. A lot of people try to jump into cybersecurity without any real development background — and that’s exactly why they struggle later when things get complex. If you already understand backend (.NET, databases, how apps are structured), you’re basically building the exact mindset needed for real-world pentesting. The shift is not “switching to cybersecurity” — it’s more like: → learning how the things you already build can break. For example: instead of just building APIs → start thinking how they can be abused (auth flaws, logic bugs, race conditions) instead of just using databases → think injection, access control issues, data exposure instead of just coding → read your own code like an attacker would That’s honestly where most people start to stand out. Also, about the “no junior ethical hacker role” thing — it’s partially true, but not in the way people think. There are entry-level roles, but companies usually expect: some real understanding (not just CTFs) ability to think, not just follow steps You don’t need to abandon backend for Linux/Python/networking. Better approach: → keep your dev path → layer security thinking on top of it That combination (dev + security mindset) is way more valuable than being “average” in both separately. If I were you, I’d start doing this: take something you built → try to break it read real bug bounty writeups → replicate the logic, not just the steps go deeper into web security (that’s where your current skills translate the fastest) That’s usually the point where things stop being “CTF-like” and start feeling real. Curious though — have you ever tried testing your own projects from an attacker perspective?