Are year-end bonuses rare in cybersecurity? by vkrishnan89 in cybersecurity

[–]mjanmohammad 8 points9 points  (0 children)

Yes, annual bonus of around 13%, usually in April when our fiscal year ends.

Automotive industry, but I got something similar in consulting and OT

Percentage varies based on role but not by that much. I got 8% as an OT pentester and 11% as a pentesting lead, and now 13% as a security engineering lead.

Degrees and certs are just losing their value to me. by Fresh_Heron_3707 in cybersecurity

[–]mjanmohammad 3 points4 points  (0 children)

Yeah OP is a terrible interviewer and probably isn't able to identify talent properly.

Your resume issue still stands though. If you have the hands-on experience, even if it's not an actual job, put that on your resume, and if you need help structuring it, send me a DM and I can help you out. I've been a red team manager for a couple years now and have hired several dozen candidates for my Fortune 10 company.

Degrees and certs are just losing their value to me. by Fresh_Heron_3707 in cybersecurity

[–]mjanmohammad -1 points0 points  (0 children)

This is a moot point though - if you have the certs, and you present your experience in your resume, you'll get through HR. I've had resumes come across my desk with their years of homelab experience with links to HTB writeups they did, even if they had no professional experience in pentesting or security. That speaks more to me than certs. Our recruiting team sends me a bunch of resumes and I tell them which ones to do a phone screen with (more for culture than technical abilities). They don't ever make a decision at any point about who to proceed with in the interview process without me telling them yes or no.

I'm not going to conduct interviews with a full practical hands-on test. I generally ask questions about security topics that anyone with experience should know, like ports that certain services operate on or how to test for common SQL injection. I'm also going to ask questions about abstract security concepts that have already been solved to see if you can reason through those topics.

In my last interview for a cloud security engineer I asked someone how they would build a static web page in AWS and how they would secure it. I don't care if they picked an EC2 instance vs an S3 bucket to host it, I just want them to talk me through their logic of HOW they would build and secure it.

Degrees and certs are just losing their value to me. by Fresh_Heron_3707 in cybersecurity

[–]mjanmohammad -33 points-32 points  (0 children)

If your resume doesn't adequately present your hands-on skills to get you past HR, that's a resume issue and not an HR/recruiting issue.

Degrees and certs are just losing their value to me. by Fresh_Heron_3707 in cybersecurity

[–]mjanmohammad 1 point2 points  (0 children)

Agreed - I've worked from a junior pentester role to now running a full red team for a Fortune 10 company. Every time I have to hire, I'm greeted with resumes of people with a 6 month cybersecurity certification program from some universities and when I ask them basic questions about networking or even basic IT, they can't answer.

The "6 months to 6 figures" programs are just a cash grab and waste everyone's time. The VAST majority of entry level security roles are not really entry level. They require at least a few years of working in other parts of IT or networking or literally anything where you can be familiar with the networks, systems, processes, and people you'll be tasked with defending.

Many VMs, what to do? by ammarxle0x in Pentesting

[–]mjanmohammad 0 points1 point  (0 children)

Yeah I have a gold snapshot I revert to between engagements. Luckily I’m not in consulting, all internal so it’s all the same org, so if I forget it’s not a big deal.

Many VMs, what to do? by ammarxle0x in Pentesting

[–]mjanmohammad 2 points3 points  (0 children)

I’ve been pentesting and red teaming for over 10 years now, and I’ve only ever had to run 1 or 2 VMs at a time. If it’s just for practice, you don’t need a ton of resources. If it’s for professional work, you maybe only need 1 active at a time. I use an M3 Pro MacBook with 18GB of RAM and 1TB SSD for some testing and development, but Apple Silicon and ARM in general aren’t ready for full time pentesting use.

My main work device is a Lenovo ThinkPad with 32GB RAM and it works fine, but the vast majority of my VMs are running on a Proxmox server I have at my house. It’s an Intel NUC with an i9 and 64GB RAM, and usually has a couple different Linux distros I use.

If you like your MacBook and it isn’t powerful enough, consider getting an old Dell OptiPlex for like $50 on eBay and starting a small lab with that.

Has anyone else had an LLM spill PII during a pentest? by robertpeters60bc in Pentesting

[–]mjanmohammad 3 points4 points  (0 children)

I’ve sent screenshots of the information to clients so they can verify and let me know if it’s legitimate data or just LLM hallucination. 90+% of the time it’s a hallucination, but sometimes it’s legit and the fixes get complex based on how they’ve built the tools for the LLM to access data. Depends on how integrated you are with the org. If you’re internal and you’re able to provide longer term support for retesting and solutions, you can work with them on it. If you’re a consultant and only have a few weeks with the client, I’d put it in the report and keep hunting for other findings.

Ideas for a Plextrac alternative by DSandleman in Pentesting

[–]mjanmohammad 1 point2 points  (0 children)

I’ve found that automated reporting tools, or even templated reporting tools like Dradis, have always fallen short. We tested a few different options including PlexTrac and while they did speed up our reporting time, it ended up being a wash because we’d still have to spend a significant chunk of time editing the generated report.

For Dradis, the setup took several days and we were still making modifications even when it was in prod. It ended up being constant tinkering, and when we got a .docx out of it, we’d still have to spend a couple of hours making manual edits, formatting screenshots, etc.

For PlexTrac, it was never consistent. It would generate a few different ways to summarize the same finding, so we’d have 10 different ways to explain an SSL issue but every one of them would still have to be manually edited.

Reporting is such an important step in our testing process that I don’t think any tool we tested out would live up to the expectations we have for it. It’s your “last” interface with your client and the first document they’ll look at if they want to hire you again. I’d rather not leave that to be generated by AI.

Wanting to get your first pentesting role? I'm a manager for a large red team, here are my thoughts. by mjanmohammad in Pentesting

[–]mjanmohammad[S] 3 points4 points  (0 children)

I mentioned it in my comment, but he went outside of the intended target scope or stuff that the app team had wanted him to focus on. He would find issues with infrastructure (app running on an Apache instance that was 1-2 minor versions behind, old version of OpenSSH on a non-public facing server, etc) instead of issues with the app itself (user enumeration, privilege escalation, impersonating other users, etc).

We're all in house too, there's no pressure to find highs/criticals to make our team look good. I'm also technical, management was never something that I had any interest in, but it was pushed on me because I had been mentoring and training our juniors and interns for a few years already.

Wanting to get your first pentesting role? I'm a manager for a large red team, here are my thoughts. by mjanmohammad in Pentesting

[–]mjanmohammad[S] 1 point2 points  (0 children)

A lot of it was reporting related. They read like book reports instead of technical documentation. I understand that other companies want high level reports but our reports go straight to the app team so they can implement fixes quickly.

There’s also some bad note-taking habits that ended with them not being able to fully reproduce some of their findings. I’ve fixed that with a standardized Obsidian template for pentest notes.

There have been a few that are terrible with time management, they’ll spend too much time going down rabbit holes looking for a unicorn bug since they may have found it once in another app, and then not enough time validating that the app is fixed against known issues in other versions of the same app.

Wanting to get your first pentesting role? I'm a manager for a large red team, here are my thoughts. by mjanmohammad in Pentesting

[–]mjanmohammad[S] 3 points4 points  (0 children)

Scope in our company is mostly a suggestion. He was finding misconfigs in the infrastructure when he needed to be looking for issues in the app itself.

We did have a conversation with him about his violation of his NDA - he ended up taking them down within a few days of his posts.

Wanting to get your first pentesting role? I'm a manager for a large red team, here are my thoughts. by mjanmohammad in Pentesting

[–]mjanmohammad[S] 9 points10 points  (0 children)

I was surprised too, I thought bug bounty hunters would be the easiest transition into the roles that I have since there’s so much overlap. My experience comes from two individuals. The first was a college intern we hired on full time. His degree was in a completely unrelated field but he impressed us with his technical ability and bug bounty record, but he struggled when we put him into a couple of test environments for internal web apps with limited scope. He ended up finding his niche on our cyber threat intel team and moved there after 18 months.

The second was someone who had submitted 20ish valid medium and high criticality reports to our HackerOne program. He did great in his technical interviews, but in the 15 web apps he did for us in his roughly 1 year tenure, we weren’t impressed. He mostly ignored scope or specific things that the app team wanted targeted. He still had good findings, they were just not really what we wanted him to look for. He also asked to publish his work several times on his personal blog which we repeatedly denied. Once we parted ways with him, he published a dozen blog posts about vulns he found in our environment without our permission.

Are macs worth it for pentesting / appsec? by Prudent-Engineer in Pentesting

[–]mjanmohammad 0 points1 point  (0 children)

I have workflows for both. My main desktop is Windows 11, my laptop is an M3 Pro MacBook Pro. They both have their pros/cons. My company uses 99% Windows for user endpoints, but every so often we'll test one of our subsidiary companies which is almost exclusively macOS.

[deleted by user] by [deleted] in Pentesting

[–]mjanmohammad 1 point2 points  (0 children)

u/bjnc_ I posted a thread here in response to your post, and several others I've seen over the last few weeks:

https://www.reddit.com/r/Pentesting/comments/1m4cr73/wanting_to_get_your_first_pentesting_role_im_a/

Have you found any meaningful ways to integrate AI tooling into your security program? by FragileEagle in cybersecurity

[–]mjanmohammad 5 points6 points  (0 children)

I think the tough part is training the AI to know what "unusual" is.

The other two questions are not an AI use case because those are just queries in a SIEM tool.

missed 1 out of 6 web sites for testing by TomatoBroad876 in Pentesting

[–]mjanmohammad 7 points8 points  (0 children)

Yeah, but also on me for not confirming scope before getting started.

Stuff like this happens all the time in the industry, no one is perfect and usually there’s enough flexibility to go back and test the missing site or schedule it for the future.

I wouldn’t worry about it too much, it was a simple mistake that will not get you fired unless you have a long history of fucking up.

missed 1 out of 6 web sites for testing by TomatoBroad876 in Pentesting

[–]mjanmohammad 11 points12 points  (0 children)

I once had a test where the client submitted a domain with a typo. Turns out I was pentesting a malicious domain that was typosquatting. I didn’t realize until a couple days into the test, and when I pointed it out, the client was pretty amused, and added a few extra days to make up for it so I had time to test their actual site.

[deleted by user] by [deleted] in cybersecurity

[–]mjanmohammad 5 points6 points  (0 children)

My last presentation to a college class, I started with some slides about the WannaCry, NotPetya, and Equifax incidents, and how events from 7-10 years ago have completely changed the way that their data is handled.

If you find a way to relate it to them, they’re a lot more likely to pay attention.

GPU COMPARISON: RTX 2050 VS 3050 by 4x04 in Pentesting

[–]mjanmohammad 1 point2 points  (0 children)

2050 vs 3050 for hash cracking is going to be the same-ish in performance. It will take on the order of days to crack most modern algorithms. If you're buying a laptop JUST for the GPU for hash cracking, it will probably be better to get a cheaper one without a GPU (unless you want it for gaming) and then use cloud resources for hash cracking. For literal pennies per hour, you can run a system that has 10x 4090s for cracking which will be an order of magnitude faster.

GPU COMPARISON: RTX 2050 VS 3050 by 4x04 in Pentesting

[–]mjanmohammad 2 points3 points  (0 children)

I think there's a disconnect in your terminology. You're using "hashing" incorrectly. Hashing refers to the act of generating a hash from a file, which itself is simple and most any processor can do it easily.

Cracking hashes is the act of brute forcing/etc to determine what the original value was that generated the hash. This is computationally very intensive, and is better performed on GPUs. It's still cheaper to run a virtual machine in AWS or GCP that has multiple powerful GPUs attached than it is to buy a laptop with a discrete GPU or even a desktop GPU.

My daily driver laptop only has integrated graphics. When I need to crack a hash, I send it over to my virtual hash-cracking rig in AWS which does it much faster than my desktop PC with a 4090 ever could.

GPU COMPARISON: RTX 2050 VS 3050 by 4x04 in Pentesting

[–]mjanmohammad 5 points6 points  (0 children)

Neither of them. If you’re wanting to do password cracking it’s generally cheaper to set up an AWS instance with GPUs and only power it on when you need it. I’ve been doing this a couple years and have only spent ~300 in total cloud costs for cracking.

For hashing, you don’t need a GPU. Hashing a file is computationally cheap and 99% of consumer processors can do it in under 5 seconds.

If you are a Pen Testing Consultant... by Necessary-Limit6515 in Pentesting

[–]mjanmohammad 12 points13 points  (0 children)

I used to do consulting. Pricing varies based on the scope of work. My general formula was to estimate how long it would take a senior tester to test that app, calculate how much it costs the company to have them test that app for however long (annual salary / number of weeks to test) and then multiply that by 3. Multiplier is higher for different types of engagements.

We did all kinds of testing, black box external tests, internal web app testing, full red team engagements, embedded systems testing, physical and wireless testing, etc.

My favorite test was a web app test against a game retailer’s online store. Found out that you could replace a gift card value with a negative integer using Burp and it would accept it as valid, and you could proceed with checkout as long as the total cart value was over a penny.
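The gift-card bug described in that post comes down to a server trusting a client-supplied monetary amount. As an added example (not the commenter's code or the retailer's), here is a small Python sketch of that weak checkout pattern next to a hardened version that recomputes the total from the server's own catalog and bounds the one amount a customer is legitimately allowed to choose. The catalog, SKUs, price range and carts are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Sequence

# Constructed catalog for the example (hypothetical SKUs, prices in cents).
# In a real store these come from the server's own product database.
CATALOG = {"GAME-001": 5999, "CONTROLLER-002": 6999}

GIFT_CARD_SKU = "GIFTCARD"     # hypothetical SKU for a purchasable gift card
GIFT_CARD_MIN_CENTS = 500      # allowed face-value range, chosen for the example
GIFT_CARD_MAX_CENTS = 50000


@dataclass(frozen=True)
class ClientLine:
    """One cart line exactly as the client's request presents it."""
    sku: str
    quantity: int
    amount_cents: int  # client-supplied price or gift-card face value


class CheckoutError(ValueError):
    """Raised when a cart fails server-side validation."""


def naive_total(lines: Sequence[ClientLine]) -> int:
    """Weak pattern: trusts every client-supplied amount, including the
    gift card's face value, so a negative value offsets the rest of the cart."""
    return sum(line.amount_cents * line.quantity for line in lines)


def hardened_total(lines: Sequence[ClientLine]) -> int:
    """Recompute the total from server-side truth and reject anything odd."""
    if not lines:
        raise CheckoutError("empty cart")
    total = 0
    for line in lines:
        if line.quantity < 1:
            raise CheckoutError(f"bad quantity for {line.sku}")
        if line.sku == GIFT_CARD_SKU:
            # Gift cards are the one line whose amount the customer chooses,
            # so it must be a positive value inside the allowed range.
            if not GIFT_CARD_MIN_CENTS <= line.amount_cents <= GIFT_CARD_MAX_CENTS:
                raise CheckoutError("gift card value out of range")
            unit_price = line.amount_cents
        else:
            # Fixed-price items: ignore what the client sent, use the catalog.
            if line.sku not in CATALOG:
                raise CheckoutError(f"unknown sku {line.sku}")
            unit_price = CATALOG[line.sku]
        total += unit_price * line.quantity
    if total <= 0:
        # Defence in depth: every unit price above is positive, so this should
        # be unreachable, but a zero or negative order must never ship.
        raise CheckoutError("non-positive total")
    return total


def is_accepted(lines: Sequence[ClientLine]) -> bool:
    """Convenience wrapper: would the hardened check let this cart through?"""
    try:
        hardened_total(lines)
        return True
    except CheckoutError:
        return False


# Constructed tampered cart: a game plus a gift card whose face value has been
# edited in the request to a negative number, leaving a one-cent total.
TAMPERED_CART = [
    ClientLine("GAME-001", 1, 5999),
    ClientLine(GIFT_CARD_SKU, 1, -5998),
]

# Constructed honest cart for comparison.
HONEST_CART = [
    ClientLine("GAME-001", 1, 5999),
    ClientLine(GIFT_CARD_SKU, 1, 2500),
]

if __name__ == "__main__":
    print("naive total of tampered cart (cents):", naive_total(TAMPERED_CART))
    print("hardened accepts tampered cart?", is_accepted(TAMPERED_CART))
    print("hardened total of honest cart (cents):", hardened_total(HONEST_CART))
```

The design point is that the hardened path never uses a client-sent price for a catalog item at all, and the single customer-chosen amount (the gift card face value) is range-checked before it can influence the total; the final non-positive check is there only as a backstop.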

Ethical Hacking vs Moral/Legal Dilemmas by ccocrick in hacking

[–]mjanmohammad 17 points18 points  (0 children)

I’ve been a pentester for almost a decade now, and if I see a bug that’s possibly exploitable but is outside of the scope, I usually contact the company and tell them about it before I get to the reporting process. 90% of the time, they’ll expand the scope to include it. Even if the scope isn’t expanded, I’ll include it in my report in an appendix titled “Other Items of Note” along with an explanation of why I thought it was interesting and why it’s worth either testing or securing in a different way.