Career advice for aspiring ethical hackers, pentesters and application testers

Sep 20, 2020

Coming from a pentesting background and having led many Red Team engagements for over 15 years, I’m noticing changing industry trends with respect to vulnerability, red teaming, and other technical assessments.

Until recently, there was a huge demand for technical assessments as organizations were required to test and validate security issues by third-party vendors, as mandated by compliance requirements by PCI, HIPAA, and Sarbanes–Oxley This trend will still continue but not as much as it used to be.

Back in the day, companies were charging a premium for application, network, and wireless pentesters. But the trends are changing now for very good reasons. Why you might ask? Thanks to tools such as Nessus and Qualys. Even people with limited skills can run these tools and make sense of the vulnerabilities. Majority of the findings are related to patching and default configurations. You don’t need to pay a fortune to third party companies to tell you that unless they bring in more value other than what’s in those reports.

In addition to that, many innovative companies like Cymulate and Pcysys are propping up to perform automated red team and breach simulations. Not to mention the machine learning and artificial intelligence based scanning tools that are showing up from everywhere. I’ve not used any of these automated platforms, but it looks interesting and my guess is that similar tools will start to increase over the next few years.

Okay where does it put me and what should I do? Glad you asked. With the hype and career promises, many training schools and independent instructors started Ethical Hacking and other similar courses. The main goals of these trainings are to demonstrate the tools rather than teaching the fundamentals. Who doesn’t like to hack and own the world with a couple of clicks? They make it look so easy, and the TV shows and movies about hacking show no justice to it as well. Only realistic show I can recommend is the Mr. Robot. If you haven’t watched it, check it out. Don’t fall into that trap!

The only way to succeed in this profession is to have true passion, willingness to learn, and put in the effort that is required to learn the skill the right way. My advice is to learn the basics about networking and operating system fundamentals. To be an effective security analyst, you need to understand the underlying operating systems internals, networking concepts, protocols, etc. And learn scripting skills such as Powershell or Python. If you get a deep grounding in the fundamentals, you’ll be able to sustain in this field in the long run and not lose your job to automation, which is a significant threat to many technology fields.

Focus on basics, be passionate, and learn every day is the best advice I would give to be marketable in these trying times. I’ll share some good resource on how to start in my next article.