
How to progress in cyber sec - who-knows95
thank you for taking a moment to read this,

i'm very interested in cyber security, but i'm not sure what kinda progress i should be aiming at.

recently i did the CompTIA A+ exams and passed them both, but my goal is the Offensive Security Certified Professional (OSCP) qualification.

i have the privilege of working for a small, but successful IT support group as the junior cyber security analyst, but i don't currently have a senior and i'm now gaining experience answering phones.

i guess the question is, what's a logical next step, that's beneficial for me, the company, and the future progression.

do i learn more about Kali Linux?

do i move more into gaining sysadmin experience?

do i continue CompTIA courses?

really any advice is welcome and i thank you again for reading this.
Joshua.
======
snazz
My advice is to ignore everything about Kali Linux. It’s a pen-drive
distribution loaded with every “hacking” tool imaginable. As far as learning
goes, you won’t gain anything from installing it and clicking randomly through
the options in Zenmap or other tools. The best you could learn from this kind
of “education” is how to be a script kiddie who presses buttons and gets in
lots of trouble for causing damage. Penetration testing requires more skill
than simply using Kali Linux and most penetration testers don’t use it.

Instead, focus on something that you have an interest in. Do you want to find
bugs in data file handling libraries (like libpng or libxml2)? Do you want to
reverse engineer software and hardware to find previously-unexplored attack
vectors, that could be sold to bug bounties for lots of money? Do you want to
help companies find errors in their software configurations that could lead to
security breaches? Do you want to hack hardware?

My point is not that Kali Linux is useless. It’s a convenient hodgepodge of
most every penetration testing tool in existence. My point is, however, that
you should find an interesting niche and get experience finding real bugs and
solving real security problems. You’ll build up a portfolio this way that
could help you get hired in a more senior position. It sounds like you’ll want
to focus on defensive protections and mitigating attacks, if you currently
work for a regular company as a cyber security analyst.

Good luck!

~~~
who-knows95
hello, thank you for this reply.

the only reason i mentioned Kali Linux is it's a requirement for the OSCP? and
i guess kali would be used for basic pen testing.

i'm not sure exactly where i fall, i'd like to be a jack of trades for a few
things; defensive protections, pen testing, social engineering.

thank you for your advice, that's what i really want, to put myself into the
position where i can solve real problems and be a part of the sec community.

thank you snazz.

~~~
world32
There are not many jobs out there for jacks of all trades. Pen testing and
social engineering are not necessarily separate roles but you will not likely
find a job that lets you both be a pen tester and work from a defensive
standpoint.

~~~
who-knows95
i understand what you mean, i guess it's more my curious/autistic nature to
want to learn as much as i can.

------
elyrly
Start here -
[https://www.reddit.com/r/netsec/](https://www.reddit.com/r/netsec/)
[https://www.hackthebox.eu/](https://www.hackthebox.eu/)

Show your work, start bug hunting

------
world32
The OSCP is a great goal to have and will open many doors for you. Having that
cert along with experience as a junior analyst you should be able to get a job
as a penetration tester or something more senior.

However, there are a million and one resources online that will tell you what
you need to do to prepare for the OSCP.

~~~
who-knows95
thank you, i kinda see it as the rubber stamp before i can call myself a
proper cyber security member.

doing pen testing would be a lot of fun, would i need to get the ethical
hacking cert?

~~~
world32
When you say "the ethical hacking cert" do you mean Certified Ethical Hacker
(CEH)? If so then no. In fact having it on your CV might even hurt your
chances of getting a job because it is so meaningless most pen testers look at
it as a joke.

You don't need the OSCP to call yourself a proper cyber security member at
all, there are plenty of pen testers that do not have it. But it can be a
convenient way for a junior to break into the industry. The other option is to
do bug bounties which demonstrate that you are capable of going through the
entire pen test process in a real world context.

Also, one thing to point out is that reporting is a huge part of pen-testing.
Being able to write with perfect grammar and punctuation is vital.

------
k4ch0w
I think the OSCP is a great place to start. As others have said in the thread,
go bug hunting, do a technical write up and go to meet ups/conferences. I have
always been able to get a better job by networking and meeting people.

~~~
who-knows95
i see OSCP as a rubber stamp for me.

i do believe networking is an important aspect of it.

thank you for your comment!

------
alltakendamned
If you want OSCP, go do the course. It's a course, not something unachievable,
it will guide your learning and you'll get there in time.

