How to progress in cyber sec
13 points by who-knows95 on Jan 2, 2019 | 12 comments
Thank you for taking a moment to read this.

I'm very interested in cyber security, but I'm not sure what kind of progress I should be aiming at.

Recently I did the CompTIA A+ exams and passed them both, but my goal is the Offensive Security Certified Professional (OSCP) qualification.

I have the privilege of working for a small but successful IT support group as the junior cyber security analyst, but I don't currently have a senior and I'm now gaining experience answering phones.

My guess is the question is: what's a logical next step that's beneficial for me, the company, and future progression?

Do I learn more about Kali Linux?

Do I move more into gaining sysadmin experience?

Do I continue CompTIA courses?

Really, any advice is welcome and I thank you again for reading this. Joshua.



My advice is to ignore everything about Kali Linux. It’s a pen-drive distribution loaded with every “hacking” tool imaginable. As far as learning goes, you won’t gain anything from installing it and clicking randomly through the options in Zenmap or other tools. The best you could learn from this kind of “education” is how to be a script kiddie who presses buttons and gets in lots of trouble for causing damage. Penetration testing requires more skill than simply using Kali Linux and most penetration testers don’t use it.

Instead, focus on something that you have an interest in. Do you want to find bugs in data file handling libraries (like libpng or libxml2)? Do you want to reverse engineer software and hardware to find previously-unexplored attack vectors, that could be sold to bug bounties for lots of money? Do you want to help companies find errors in their software configurations that could lead to security breaches? Do you want to hack hardware?

My point is not that Kali Linux is useless. It’s a convenient hodgepodge of most every penetration testing tool in existence. My point is, however, that you should find an interesting niche and get experience finding real bugs and solving real security problems. You’ll build up a portfolio this way that could help you get hired in a more senior position. It sounds like you’ll want to focus on defensive protections and mitigating attacks, if you currently work for a regular company as a cyber security analyst.

Good luck!


Addendum: Real experience (presentations, papers, blog posts with real issues and real solutions) as described above is likely more valuable to a future employer than completing certifications and courses.


Hello, thank you for this reply.

The only reason I mentioned Kali Linux is that it's a requirement for the OSCP? And I guess Kali would be used for basic pen testing.

I'm not sure exactly where I fall; I'd like to be a jack of all trades for a few things: defensive protections, pen testing, social engineering.

Thank you for your advice; that's what I really want, to put myself into the position where I can solve real problems and be a part of the sec community.

Thank you, snazz.


There are not many jobs out there for jacks of all trades. Pen testing and social engineering are not necessarily separate roles, but you will not likely find a job that lets you both be a pen tester and work from a defensive standpoint.


I understand what you mean; I guess it's more my curious/autistic nature to want to learn as much as I can.


Start here - https://www.reddit.com/r/netsec/ https://www.hackthebox.eu/

Show your work, start bug hunting


The OSCP is a great goal to have and will open many doors for you. Having that cert along with experience as a junior analyst, you should be able to get a job as a penetration tester or something more senior.

However, there are a million and one resources online that will tell you what you need to do to prepare for the OSCP.


Thank you, I kind of see it as the rubber stamp before I can call myself a proper cyber security member.

Doing pen testing would be a lot of fun. Would I need to get the ethical hacking cert?


When you say "the ethical hacking cert" do you mean Certified Ethical Hacker (CEH)? If so, then no. In fact, having it on your CV might even hurt your chances of getting a job because it is so meaningless that most pen testers look at it as a joke.

You don't need the OSCP to call yourself a proper cyber security member at all, there are plenty of pen testers that do not have it. But it can be a convenient way for a junior to break into the industry. The other option is to do bug bounties which demonstrate that you are capable of going through the entire pen test process in a real world context.

Also, one thing to point out is that reporting is a huge part of pen-testing. Being able to write with perfect grammar and punctuation is vital.


I think the OSCP is a great place to start. As others have said in the thread, go bug hunting, do a technical write up and go to meet ups/conferences. I have always been able to get a better job by networking and meeting people.


I see OSCP as a rubber stamp for me.

I do believe networking is an important aspect of it.

Thank you for your comment!


If you want OSCP, go do the course. It's a course, not something unachievable, it will guide your learning and you'll get there in time.



