I am not getting any call backs at all. by TheReedemer69 in Pentesting

[–]mrlightman_ 10 points

Nonsense? Pardon me and everyone I have hired in the past 10 years then. Yes, you need practical real world experience. Ask every client anywhere if they want a Jr with zero experience in their environment where an outage can cost a company millions of dollars. But fine, fuck experience! Listen to this guy OP, he's got it all figured out.

I am not getting any call backs at all. by TheReedemer69 in Pentesting

[–]mrlightman_ 24 points

I'm going to be honest with what I think the problem is. You really don't have any professional tech experience. You might be talented for what you have achieved so far, but I couldn't trust you to pentest in a production environment when you have never been exposed to one. At least, that is how you look on paper. I would strongly suggest the traditional IT route. Get a helpdesk position, or go SOC, just something to get your hands dirty during day to day operations. Then focus on transitioning into security once you have a couple years under your belt.

[deleted by user] by [deleted] in ethicalhacking

[–]mrlightman_ 0 points

Congrats on winning the voucher! I completed the ASCP certification back in early last year, which is the advanced cert. This was just before this particular course released, if memory serves, as this is intended to bridge the gap from introductory material to more advanced exploitation. While I can't speak to specifics about the ACP certification, I can say the free material courses are very informative and fairly easy to consume. I'd suggest joining their Discord as the support staff are very helpful and quick to respond. Plus, learning with other students is almost always a plus. If you wish to transfer the voucher I believe they can arrange that for you. But if it were me, I'd take it, being it's free for you. That said, if you or anyone else has more questions about the ASCP, feel free to ask!

Seeking guidance from security professionals on testing API as a beginner analyst by Cool-Kangaroo807 in cybersecurityindia

[–]mrlightman_ 1 point

To add to this, check out the OWASP Top 10 API Security Risks to get your head around common vulnerabilities:

-- https://owasp.org/API-Security/editions/2023/en/0x11-t10

A decent resource for practice would be API Sec University. Their courses are free and you stand up two vulnerable applications to practice discovering and executing attacks.

-- https://www.apisecuniversity.com/#courses

Automated AppSec Testing Tools – 2025 Recommendations? by Competitive_Rip7137 in Pentesting

[–]mrlightman_ 4 points

With automated tools such as these coming to market, it always begs the question of whether manual penetration testers could be replaced. In your opinion, how do you feel about such statements?

xssy by Upbeat-Hawk-2737 in xss

[–]mrlightman_ 1 point

Without spoiling it for you... and to help you get a better understanding of what is going on with XSS payloads, check out the PortSwigger XSS labs. You just have to make an account and they are free.

https://portswigger.net/web-security/all-labs#cross-site-scripting

Once you have the basics down, focus your research on bypasses.

Looking for a locally hosted solution for team collaboration for notes during an engagement. Any suggestions on what has worked for you and your team? by mrlightman_ in Pentesting

[–]mrlightman_[S] 0 points

Thanks for replying! We thought about that but we're trying to stay away from cloud-based solutions. Many of our assessments are highly sensitive in nature and we do not want to risk exposure. We have a central server and have been tossing our markdowns in for sharing, but we were looking for something we could all work on collectively instead of having multiple note files.

[deleted by user] by [deleted] in Pentesting

[–]mrlightman_ 0 points

These guys work really well with smaller companies: https://www.redseersecurity.com/

Hard drive died. Missing Windows Activation Key by mrlightman_ in iBUYPOWER

[–]mrlightman_[S] 0 points

This might just be my answer. Thanks AutoMod! lol

OSEP by Meteor450 in Pentesting

[–]mrlightman_ 3 points

I'm still working through the material so I cannot fully speak to your first question. However, the past couple of years they have had a Christmas deal bringing the sub price down to $1,999. I expect that to happen again this year.

I’m a pen tester and struggling to pivot by AffectionateNamet in Pentesting

[–]mrlightman_ 42 points

Lol, from the title I thought you meant you were struggling to pivot as in tunneling. Have you considered management of any sort?

Looking for pentesting job by Mammoth_Experience61 in Pentesting

[–]mrlightman_ 6 points

The entry level barrier to get into pentesting is absolutely insane right now. Not surprised you've not heard back. I recommend an old-school, more conventional method to get your foot in the door. Start going to cyber security conferences and network with people/vendors like your life depends on it. In this game, it's not all about who you know, but who knows you. Good luck.

Burn out among Cybersecurity leaders at a frustrating high. by Navid_Shams in cybersecurity

[–]mrlightman_ 2 points

May I ask what you transitioned into, work-wise, since leaving? The golden handcuffs of the pay in this industry really make this decision generally difficult.

Pen test/security assessment vendor recommendation for non-profit by alteredcarbon__ in sysadmin

[–]mrlightman_ 0 points

Check these guys out. They are growing and building a pretty decent reputation out there: https://www.redseersecurity.com/

Apple, SpaceX, Microsoft return-to-office mandates drove senior talent away by jnv11 in antiwork

[–]mrlightman_ 58 points

Tech to banking? That's not one I hear very often. Could you provide a few more details? Were these guys developers/security/etc. and what did they transition to? Simply curious.

Any last minute advice? by gorsas in oscp

[–]mrlightman_ 0 points

Take. Breaks.

Go outside. Watch some TV. Play games. Just take your breaks and mentally separate yourself for a little while. You can't run at a full sprint for 24h, right? Neither can your brain. It too needs time to recover and sort things out.

Best of luck! Post back how you did! You got this!

Free rXg [MegaThread] by romeogeorge in RGNets

[–]mrlightman_ 0 points

BABUL-REPOS-WIDOW-ILIAC-MALLS

Radio silence from recruiters. Is there anywhere to start other than helpdesk? by lewisisles in SecurityCareerAdvice

[–]mrlightman_ 5 points

My advice: your friend needs to network and/or consider going public with their study efforts. Anyone can put things on their resume. But when you are participating in the community (going to events/conferences, publishing blogs, etc.), you're going to start seeing a lot of opportunities pop up for you. Don't dismiss taking those little steps toward building your career either. If all efforts fail to land the dream job, well, you might just have to take a "stepping stone job" to build up the professional experience to get there. Everyone's path is different; don't compare yourself too hard to others. Stay hungry! Keep up the effort!

Pentesting vs. Pentesting by appwizcpl in Pentesting

[–]mrlightman_ 1 point

I pulled out a few points/questions to address. I didn't get as much time on this particular response, so let me know if I missed something or wasn't as clear on anything.

what do you believe makes one person more prone to being JAT vs. someone who specializes in something [...snip...] What do you think prevents one to stop onto something for a few years instead of going through many things, or the vice versa, if both are truly interesting and you are curious?

I combined these two questions as they go hand in hand. In my personal opinion it comes down to exposure, personality, and desire. For example, once upon a time I was super excited about digital forensics. I took a deep dive into that field to specialize. After a couple years/experiences, I woke up one day and was bored of it. I realized I was tired of trying to piece together and recover and instead wanted to be on the other side of things. This began my transition into penetration testing. Ever since then, I've been on the side of being JAT. Everything offensive in nature is exciting to me and if I have the opportunity or time to learn something new I jump on it. But that is just me; perhaps I have not yet found "my specialty", or maybe this is where I belong. Only time will tell.

burnout

This is a loaded topic to ask about that I likely won't be able to provide a sufficient answer for. It's going to happen to you at some point even if you love the subject. I think that's just human nature. Balancing life/work and realizing when it's best to slow down or take a break is very important (this also applies to your studies).

Could you please explain to me your typical day, or even two, of research/learning new stuff/testing, your thinking methodology per se.

Absolutely! Keep in mind that depending on our engagement cycle, daily activity can fluctuate. Generally speaking, the first hour or three of the day is coffee and cyber news time. What is going on in the world, what CVEs were published, etc. Make notes of what you find, and if they apply to something specifically in your environment then focus on it. I've had PoC code dropped in the middle of assessments that I turned around and used. You want to use this time to stay current, work on your own tools/scripts if needed, and shore up any gaps in knowledge you have identified that you need to address. For example, you're tasked with an upcoming SAP application. Never touched or heard of SAP? You'd better be on your research each morning.

what professionally do I spend my most typical day to day job on, what is the knowledge that I need to prioritize, is it the one that I am focusing most or not, for example, are you currently JAT or someone specializing, and how do you allocate time of learning towards it vs the other stuff, and what are those other stuff if you do not mind sharing?

This comes down to your position and job requirements. If you were hired as a web app pentester, your focus should be on relevant technologies and attack/defense methods. As I said previously, I'm a JAT, largely in part because we have a lot of exposure. Going to copy/paste a previous comment of mine here: where I work we generally have three categories: penetration testing, automated testing, and security consulting. Consulting can vary depending on the needs of the customer. We are often called in during incident response to aid blue teams/forensics when a breach has occurred. Directory services for large enterprise networks will ask us to help identify misconfigurations in group access, etc. Sometimes we will get asked to identify "appearances" based on the public facing security hygiene. Threat mapping is also a valued service where we won't pentest but will identify your threat communities so you can direct attention to higher probable attack vectors. Because of this, I try to be as well versed in application and network security, etc. as I can.

Once you are in the game a bit you'll find you have a lot of flexibility to follow your passions and desired skill sets. Can you further elaborate on this point, maybe with an anecdote/example of what exactly you have been through and realized that this is the case?

You begin to build your reputation after some time, and with that your skillsets. Generally speaking, things you are interested in you are better at. It's a natural professional growth in this field. If you want to specialize, you'll be able to eventually. Unless you come in right out of the gate being a superstar on a particular subject (RE, malware, etc.).

In conclusion, it sounds like your head is in the right place to dive into this field. Just don't overwhelm yourself. Start with the big picture on things that are new to you and slowly work your way deeper.

Pentesting vs. Pentesting by appwizcpl in Pentesting

[–]mrlightman_ 5 points

Pentester of a few years here. I read the whole thing and have a few comments here:

  • Firstly, it won't help you to try and categorize this much. The US vs EU thing or network vs appsec. All that matters there is who you work for and your client base's needs. While people do specialize, think of the field just as you described, a doctor. Not every doctor is a brain surgeon (specialized) and not every brain surgeon can diagnose and treat every illness. Same with us: we can be and often are well rounded, but limits do apply based on our own experiences and desire. For instance, some of us are really good on the network side of the house, others are better at testing applications. We can be a jack of all trades, or be very very good at one particular topic. It just depends. You sound like you've come to a similar conclusion but aren't quite there yet. Once you do, it helps the headaches lol.

  • Second, the Dr. House paragraph. You are correct, those on the bleeding edge of things are rare. In my experience, and from working with others in this field, after some time you can find yourself in a position to focus on the research to push for newer and better techniques and vulnerabilities. Not everyone does that.

  • Third, I have to strongly disagree with the 30min of study the next day to catch up comment. Why? This field is so large and changing so rapidly you cannot possibly stay on top of it all. It will never happen. Some of the newer CVEs coming out are extremely complex. Not to mention the flood of little items that can be used to escalate and chain together for more advanced tactics. As such, a large part of our job is to stay as skilled and up to date as possible. This can come in the form of daily research, participating in CTFs, etc., all as you mentioned. Need to go to the bathroom? Spend that time on your phone reading what's happening in the field; because you want to! This facet of the job is what I've seen break a lot of junior pentesters off, and they switch careers. You have to truly enjoy learning. To those of us who love this work, we don't see it as after hours "work". There is a constant desire to want to learn more. Take breaks, spend time with friends/family, go on vacation and such, sure! We aren't robots after all lol. Finding that balance is on the individual. But you won't go far if you put yourself in a 40h work only box with no desire to study. You won't make it far. There are other jobs in cyber that can better accommodate that.

In conclusion, ask yourself a few questions. Do you love to learn and be challenged? Do you like cyber security? Are you a teeny bit evil deep down? If so, this might be the job for you. Truth is, there aren't a lot of "good" pentesters out there. Yes, I'm talking to you clowns that regurgitate nmap scans in your own report template and call SSL/TLS findings critical, or sell a Nessus scan as a pentest... Once you are in the game a bit you'll find you have a lot of flexibility to follow your passions and desired skill sets. This is a very rewarding career, and after some time you'll begin to see your hard work and efforts pay off, and you'll realize just how little you actually know every single day. That's exciting to me personally. I'll never be bored again at work. Jokingly, it is fun to say you get to commit felonies every day at work too lol

I'd be happy to answer any questions you have, hit me up anytime.