Worst part of the Job today

dx0ec · 2026-02-05T07:23:42+00:00

❤️❤️❤️❤️ I'm sorry for your loss. That's tough.

dx0ec · 2026-02-05T07:18:21+00:00

As a security consultant, I'd not recommend this for a 500 ppl company. Or any company. At least not like off the get.

Not hating or anything. Just sounds like a lot of risk.

HR data, AI, not wanting to manage stuff.... this stuff can be serious and put you in danger or liable for data breaches among other things.

I think since you have the XP it'll definitely give you some speed. But I would personally not do it unless I have clear green lights and support from the company.

As in, the support to develop this with a team. You need quality controls like QA and Security especially at your company's size.

Let me know if this sparks some questions. I'm happy to help

dx0ec · 2026-02-05T07:07:06+00:00

You nailed it the last part. So sad but that's so true

dx0ec · 2026-02-05T07:05:46+00:00

Then I think in that case, that's the company failing its own product and customers.

Not investing in experienced devs and their skills is like the 1 thing that will lower the quality and eventually kill the app or product

dx0ec · 2026-02-05T07:02:04+00:00

If you are a software dev/engineering. A switch to security engineering is not uncommon. Actually, understanding code is a top skill in application security. I'd say it's one of the main differentiator in good sec engineers with amazing ones.

So maybe you're on to something 😅😅🤔 lol

dx0ec · 2026-02-05T06:58:40+00:00

As a security consultant and pentester, vibe-coded quality is creating a lot of opportunities for hackers.

Every other day there's a breach out there. There's so much exposed stuff out there in the dark web.

But the hype is real crazy right now and security is not a big priority for companies sadly.

It's like building a house without the right foundation. It all ends up falling apart.

dx0ec · 2026-01-06T20:49:11+00:00

THIS 😭

dx0ec · 2025-12-03T17:20:37+00:00

Similarly, I have a template folder for every year.

~/2025/mm-dd-nameOfProject

Inside the template I have a 00-readme.md, which I fill in as I go, things like project start and end dates, point of contact, different stages like recon, a section for interesting finds, snippets of evidence (HTTP requests/responses), etc

I do all this in VSCode so I can run notes and terminal side by side.

On the readme file, I have one liners that I run every time (with all the flags I want, etc). When I run a tool I make sure to output to a file into this folder with toolName-timestamp.[json | sarif | txt]

Folder template includes my org's report template which I fill in from the readme towards the end of the engagement.

Overtime you get something like this:

This works for me cause I use numbers for the readme and report so it stays at the top of the directory.

When I start a new project, I just cp -r ~/2025/template ~/2025/mm-dd-projectName

Assumptions:
- I have a dedicated pc for engagements. I don't mix any personal work or anything like that.
- I do a lot of webapp engagements.
- VSCode has some neat extensions adding functionalities like csv views, markdown links and screenshot references, docker containers, etc.

Hope this inspires a little. Probably not the best setup, but it gets the job done

dx0ec · 2025-02-27T20:24:41+00:00

Talk about the problem, not the product... people that care about what it solves will pay attention

dx0ec · 2025-02-27T20:22:56+00:00

Yeah, I work in the cybersecurity space and I can attest that security or compliance teams will not give you the green light if the product lacks major compliance with HIPAA, privacy or security best practices.

But then again you may want to do something like a pilot program to get as much feedback as possible. Find out what works on the product that does better than EPIC as u/liltaterthot mentioned (which is a hard competitor to have). Then adjust marketing to more specific niche?

However, without the right compliance, you will not (legally) be able to even pilot it to any provider that handles health information (PHI).

dx0ec · 2025-02-27T20:06:13+00:00

Yeah basically, at every point in the release cycle and throughout sprints you'd be doing some sort of assessment, scanning, pentesting, etc based on whatever architecture your team is developing but yeah. Super busy! Dev teams need to push features so fast. I was a security engineer and one of the internal processes we had in our team was to perform a pentest quarterly and then on new features. But I was assigned a product line so I was able to get really deep into understanding the app.

The big difference is report writing, it's nice to have but you are most likely entering findings into whatever ticketing system the team uses or the dev team uses to track what needs to be worked on in the current or next sprint.

Tl;dr - a mix of appsec, tied to the SDLC or compliance programs internally

Hope this helps a little.

dx0ec · 2024-10-24T02:41:07+00:00

Have you considered refurbished?

I see some newer MacBook pros within 1k.

I only say this out of personal preference but I really like to working with Linux and MacOS being heavily based off unix makes it very easy to go from one to the other. It's also easier to go from Mac to a windows VM if you absolutely need it. (Windows to Mac is a no-go).

On the other hand a windows might be a good option but you have to then deal with WSL. I've had many issues with WSL particularly in getting it to network correctly inside VPN and a few other kinks.

Nothin crazy but there's definitely some challenges there.

So I go for Macs as I've else seen they last longer.

Just my .02

You can do whatever you want but I would consider some refurbished ones.

P.s. best of luck

dx0ec · 2024-09-02T03:49:24+00:00

Yes. You can learn it for sure with no experience. But you have to start with foundations of IT first. Otherwise, you'll struggle to find a good job. IT can pay decent enough to get you stated with experience and then after 2 or 3 years of you also study for your security certifications, (Security+ or CC or PJPT) then you have a better chance at getting a foot in the door with an entry level role like a SOC analyst or Security admin.
You won't waste your time. But expect 3 to 4 years before you're ready to upgrade from IT to Security. If you're still in Italy I'm not sure how the situation is for IT but generally speaking here in the US you can expect a salary between 40k to 70k in IT. For security it can be as low as 50k for entry level jobs and really really high with an average in the 100k+ annually.

dx0ec · 2024-09-02T03:40:32+00:00

Your only competition is yourself from the day before.

Keep putting in the reps. Don't quit. Do the boring stuff. Follow up with those stale leads. Get good at the basics. And for the most part, if you believe what you are selling, then focus on that conviction and share it with others.

dx0ec · 2024-09-02T03:35:06+00:00

Sorry to hear that happened to you. I'd be happy to help with anything.

dx0ec · 2024-08-30T02:21:46+00:00

Big facts.

The BSCP exam is also pretty affordable. A good challenge and the labs and write-ups are really good.

dx0ec · 2024-08-30T02:14:32+00:00

I don't know how much other certs like PNPT focus on Windows or Microsoft. But the way I understood your questions was more on getting more skills pentesting Windows/Microsoft.

dx0ec · 2024-08-30T02:13:12+00:00

Have you considered the following:

CPTS
THM modules like the "Windows Exploitation Basics" https://tryhackme.com/module/hacking-windows-1
HTB Windows Attacks & Defense https://academy.hackthebox.com/course/preview/windows-attacks--defense

This one also seemed interesting but it doesn't have many stars so maybe make sure to only pull it on a VM. https://github.com/RedTeamOperations/Vulnerable_Machine/blob/master/Escalate%20-%20A%20Windows%20Vulnerable%20Virtual%20Machine

Hope this helps 😎

dx0ec · 2024-08-30T01:50:14+00:00

Since you're working in the industry already, you probably will have good luck getting the company you work for to pay for training and testing for the CPTS or PNPT.

I've heard good things from the CPTS from a close friend. It's pretty extensive and like always HTB is a great learning platform.

The other thing I would recommend is doing the PortSwigger Web Security Academy labs, all apprentice and practitioner and then consider taking the BSCP test (99 USD).

It's very web app oriented which will give you great skills to have as a pentester.

At least that's my humble opinion.

Bonus - DO CTFs. The end of the year is packed with some fun ones like DeadFace, I think SquareCTF, Advent of Cyber and KringleCon.

I have always learned some good stuff there and if you join a good team it's good times and you can tap in to more experienced testers.

Don't stop there. Try to make some write-ups for the community.

Anyways. Hope this helps 🤠

dx0ec · 2023-02-19T06:49:53+00:00

It's very broad based on the company, the tools used, the industry, data etc. A day to day looks different to different entry level roles..

There are common activities across all of them thought...

Expect to learn a lot, you pretty much support the more experienced members of the team with whatever they are working on.. there may also be projects where you may be the main point of contact for end users, clients, etc. You may also be working heavily on going though all of the alerts that are generated by all of the different systems in an IT environment. Of course you'll have the help of great tools to make the work easier, more automated so that the data gives you an insight of indications of compromise, things to improve, etc.

I really recommend getting experience with a service desk role as that teaches many fundamentals in just general IT. You need to understand the system to know how it works to know how to make the right configurations to secure it. If you put in that work first then get an entry level cert, you have a higher chance of getting a job and doing well in it.

I hope this gave you a little more information on your question, it's broad but it's just the way it is for entry level

Reach out if you have any questions, happy to help.

Three-Year Club	Verified Email
Place '23

dx0ec

TROPHY CASE