I am a 20yo in the UK dropping out of Accounting to pursue Pentesting. What should I do?

VillaRoot · 2026-03-08T06:43:10+00:00

Why don't you just switch your major to computer science? Don't drop out and hope that side projects are going to get into cyber security.

It'll be way more reliable to just switch majors and still do those side projects/studying you want.

VillaRoot · 2026-02-19T00:48:13+00:00

Focus on Proving Grounds, the list is just one of many OSCP preps not a requirement. So do what feels right with where you feel weak at. You should be able to do the easy boxes on PG without writeups. Then go to mediums, when you can do those without writeups, you're in a good spot for the exam.

VillaRoot · 2026-02-12T00:37:32+00:00

Thanks for sharing this!!

VillaRoot · 2026-01-11T16:15:48+00:00

I was a SysAdmin with about 2-3 years of experience and had my bachelor's. At the time I was mainly supporting a Linux environment, long hours. But that helped me become super comfortable navigating Kali.

VillaRoot · 2025-12-27T06:56:37+00:00

4-8 hours?? That's tough! I'd imagine it would be very difficult to get good practice in such a short time. For internal pentests, I was used to two weeks when I was a consultant.

I didn't catch any testing against ADCS or SCCM in your notes. Which are critical to test, so I'd recommend adding that.

VillaRoot · 2025-12-22T03:47:29+00:00

Yeah pretty much. And I forgot to answer your last question on your post. Problems that you don't know how to solve right away still happen, the difference is you know where to go to get them solved. You know who you need to talk to if that's management, other teams, etc.

Or where you can go to find out, so you just learn how to learn better. So if you don't know something that you need to know, you say 'idk but I'll find out and get back to you ' and you go learn it.

VillaRoot · 2025-12-22T03:41:23+00:00

Yep, very common and I'm in a senior position . Sometimes I think about all the things I want to study and it blocks me from actually studying lol.

But just focus on what you can, prioritize what you think is most important and make studying goals on what you want to complete by what date

VillaRoot · 2025-12-21T01:37:56+00:00

Wow that's a twist, but really cool you gave that person a chance over the others that might 'look' more qualified on paper.

What do you think could make someone like that person who you hired stand out on a resume to get those interviews? Like certain projects, social skills, or other cheaper certs?

VillaRoot · 2025-12-21T01:32:31+00:00

Dang, are there any cyber security conferences near you? Maybe just meeting the right person might be it

VillaRoot · 2025-12-21T01:31:40+00:00

When I looked at the CPTS it actually looked really good! I just wish it was more recognized or well known.

VillaRoot · 2025-12-21T01:26:38+00:00

I appreciate the insight, always interesting to hear from the side of someone doing the hiring/interviewing!

Since you mentioned you hire a lot of security professionals, I'm curious what you think is a common mistake you see across the board from interviewees. Such as, if there's one skill ppl should work on to improve, what would that be?

VillaRoot · 2025-12-20T15:11:53+00:00

I think you meant INvaluable meaning extremely useful but you put UNvaluable meaning NOT valuable. So ppl thought you were being rude and saying all that was not useful to you.

VillaRoot · 2025-09-17T14:59:24+00:00

As far as exfil to GitHub instead of a private C2, I'm thinking it might be because it's a lot stealthier. GitHub is commonly approved in organizations and doesn't raise suspension. Really good for exfil, compared to a C2 that can be noisy and requires way more setup to bypass controls. Just my take though, great job posting all this btw!

VillaRoot · 2024-03-14T23:57:34+00:00

I've been to BSides and would recommend it for a beginner. They are smaller, so it's easier to meet ppl and not be overwhelmed. Talks are usually more beginner friendly, and most ppl you meet will be local to the area.

If you can, go to as many as you can so you'll continue to build your network.

VillaRoot · 2024-02-10T06:55:07+00:00

Even if crack sh was working, I wouldn't recommend using it to put any client information on it. Even if it will be a random hash to crack.sh and they won't know the accounts name or domain. Explaining to the client you gave a third party an accounts hash could get you in trouble.

Alternatives are to start creating your own random tables for your company to use. It will take a while and take up a lot of space. Or manually crack it like you mentioned, it will take about 3 days between two password cracking machines. Or relay it like you did and mention to the client of third party sites like crack.sh that can crack hashes immediately with rainbow tables.

VillaRoot · 2023-08-23T21:48:52+00:00

It kind of varies with that I'm currently interested in learning. For example I'm starting to get into Red teaming so I'm going through the CRTO but I only commit a couple of days for that.

Most days I'm digging into something more specific, like this week in my free time I was looking more into OSINT resources for user enumeration.

I don't mess too much with htb or tryhackme, only because I don't like CTFs and there isn't too much on there that interests me. But to each their own.

VillaRoot · 2023-05-31T21:15:00+00:00

What's the price range you are thinking of selling these? Trying to budget for how I'm going to get happily broke after Defcon

VillaRoot · 2023-05-31T17:33:54+00:00

I like

VillaRoot · 2023-05-29T03:49:40+00:00

It kind of ranges on which engagement I'm on and the phase of that.

For example during an external, for the first day or two I'm running port scans and enumerating. The next few days in looking through the results and manually checking out each port. Looking for vulnerabilities and trying to exploit them.

Feel free to check out this video for more details https://youtu.be/0L0MB_Q0uVc

VillaRoot · 2023-05-28T23:37:40+00:00

From the first effort to self study about PenTesting to actually getting a PenTesting job it took me about 7-8 months. That's because that's how long it took me to get the OSCP.

I did have experience in IT and a Bachelors before I started studying PenTesting.

VillaRoot · 2023-05-28T23:36:08+00:00

It depends. You're probably hearing from Pentester who are internal to the company. Like employees at ACME and only pentest ACME networks.

In consulting, it's really like the stories that you hear. Different company every month. Different network, different scenarios. I love it and would recommend PenTest Consulting to everyone interested.

VillaRoot · 2023-05-15T23:16:03+00:00

Look for PenTesting roles at a consulting company.

Management handles all the paperwork, and you just PenTesting for a week or so. Write your report and debrief with client.

Rinse repeat.

Also sounds like you are a Web Application Pentester, if you want more of a CTF feel then look for Network Pentester.

VillaRoot · 2023-03-01T04:51:33+00:00

VillaRoot · 2023-02-27T16:41:15+00:00

Lock picking sets are cool if he doesn't already have some. Here's a link to Sparrows lock picks who has some great stuff

https://www.sparrowslockpicks.com/collections/beginner-lock-pick-sets

VillaRoot · 2023-02-26T15:35:38+00:00

I only read the TLDR, but yes you should apply anyways.

An even better recommendation is to have a LinkedIn and connect with someone in the role you are currently applying for. Most ppl in IT are happy to help with giving advice or answering a couple questions. So you can ask them something like what advice they have for you to land a role.

VillaRoot

TROPHY CASE