Gaining a Foothold: Transitioning into a Penetration Testing Career

Penetration testing is an exciting career field with numerous projected growth opportunities. However, transitioning into this field can be intimidating—particularly when your previous skills and abilities are not always aligned well with specific job descriptions. But with proper preparation and planning, it is possible to make a successful career transition into penetration testing.

 

This blog post breaks down the career transition process into 3 phases: preparing to apply, making the shift, and surviving the first 6 months after gaining employment. I will provide techniques, advice, and recommendations throughout.

 

 

Phase 1 – Preparation (> 3 months)

Phase 1 begins when you decide to become a penetration tester, and the length of this phase can vary widely. This is because your previous work experience, technical aptitude, and time available for preparation activities will all impact the time needed to meet the objectives of this phase. While you will likely want to start early, I recommend that you begin this phase no later than 3 months before you intend to begin applying for penetration testing positions.

 

 

Creating a Skill Inventory

You should accomplish 3 key objectives during this phase. The first one is to complete a skill inventory. Put simply, this is a list of professional experiences, education, and skills. This skill inventory is an important step in identifying where you should focus your efforts in order to gain the skills and knowledge required to become a penetration tester. You can complete a skill inventory in 3 steps:

 

  1. Determine the skills and knowledge required for penetration testing. You can find these from job postings, recommendations from mentors, or from internet research. Figures 1 and 2 below are adaptations from The Pentester BluePrint: Starting a Career as an Ethical Hacker by Phillip L. Wylie and Kim Crawley, which I referenced during my transitioning into penetration testing.

  2. Conduct a self-assessment of your current skills and knowledge. Once you’ve compiled a list of the technical and soft skills required to succeed in penetration testing, give yourself a score on your ability to perform each skill. The scoring system can be simple (i.e., basic, intermediate, and advanced) or complex, depending on your preference. What is most important is to devise a scoring system that you understand.

  3. Identify your strengths and areas for improvement. Completing a self-assessment will provide you with a good understanding of the skills you’ll need to develop, but it should also offer insights into the strengths you have developed in previous jobs or experience. Take note of these strengths and save your notes for phase 2.

 

Image
Figure 1 Skills Inventory.png

Figure 1: Sample Technical Skill Inventory

 

Image
Figure 2 Soft Skills.png

Figure 2: Sample Soft Skill Inventory

 

 

Certification and Skills-Focused Training

Once you’ve completed your skill inventory and understand your skill and knowledge gaps, you are ready to address the second objective of the preparation phase—developing any skills you lack. Training resources for penetration testers have become more widespread. Whether you prefer books, YouTube videos, or formal training courses, there are multiple options available to help you develop necessary skills. I’ve compiled a list of recommended resources used by myself and my colleagues to help you get started.

 

At some point in your learning, you should take a course to pursue a penetration testing certification. Employers often value applicants with certifications. This is because, unlike many other IT certifications, penetration testing certifications typically include a practical, hands-on component to validate that you can successfully enumerate and attack vulnerable hosts. Based on your personal preference and career goals, you can pursue any of the commonly known and accepted certifications.

 

To develop any skills you are lacking, you should also build some experience using the tools, techniques, and procedures (TTPs) that you have learned about in theory and practice. This knowledge will help you demonstrate to potential employers that you not only learned the necessary material of “what” adversaries do, but that you also developed a deeper understanding of attack methodologies and “how” adversaries pursue their objectives. Numerous training platforms host “capture the flag” exercises, where users can safely attack vulnerable machines to develop skills and build experience. Most of these platforms have both free and paid tiers with flexible learning options. I recommend subscribing to one or more training platforms and working through a variety of challenge types to gain a broad understanding of the various attack methodologies and technologies leveraged by both adversaries and penetration testers. Keep track of the number of challenges solved on each platform, as this will be helpful in phase 2.

 

 

Brand Development

The final objective of the preparation phase is to refine your personal brand. If you are transitioning from a non-IT career field, then your personal brand and social media presence are likely tailored to your current career field. To assist in the transition, it is important to shape your brand to demonstrate your interest in cybersecurity and to make network connections in the field.

 

Refining your personal brand requires effort, but you can achieve this by focusing on 3 aspects. First, you need to expand your current professional network to include cybersecurity professionals and penetration testers. Networking can feel intimidating. But, luckily, a lot of us in the penetration field have been in this transitional position and are eager to help forge a path for others. If you make your intentions known, plenty of individuals are more than willing to connect and assist you on your journey. Some good ways to meaningfully expand your network include attending industry conferences, joining online groups and message boards, and connecting with individuals on social media. Ideally you can develop mentor relationships with penetration testers and have at least one trusted advisor to discuss your training and certification plans with.

 

Finally, you will want to craft your personal narrative. This includes creating and practicing your “elevator pitch,” as well as developing 2-3 stories from your previous work experiences that you can use to demonstrate your interest in the field. These stories do not have to be overly complex. But they can help you curate your social media messages and create ice-breaking discussions as expand your professional network.

 

 

Phase 2 – Execution (~3 months to offer acceptance)

The execution phase begins approximately 3 months before your desired start date and continues until you accept and employment offer. This primary activities during this phase include reshaping your resume, applying for positions, and conducting interviews with potential employers.

 

 

Resume Revisions

The first step is to reframe your resume to appeal to potential employers. If you are pursuing a career transition, then you likely you already have a strong resume suited to your current field. Your goal is twofold. First, highlight the skills required for pen testing that you already possess, which you identified in your skill inventory. For me, this primarily included soft skills that I developed during my previous career path, such as communication, collaboration, and time management. These skills are your value proposition to a potential employer, and they will set you apart from recent college graduates who have not yet had the opportunities to develop and refine these skills. Second, provide details on the training, certification, and experience building that you conducted during phase 1. Once your feel that your resume is ready, send it to a mentor—preferably in cybersecurity—to get feedback. This will help to ensure that you have accurately conveyed the above items, caught any errors, and gained insight into how potential hiring managers will interpret your resume.

 

 

Job Applications

Once you have prepared your resume, you are ready to apply for positions. You should start applying approximately 8 weeks before your desired start date. This reduces the likelihood of hiring managers passing over you because your availability date is too far into the future, as well as leaves ample time for the hiring process to unfold. It is important to tailor your resume for each application that you submit. Begin by reviewing the position listing carefully—identifying specific keywords, technologies, and desired skills. You can then revise your resume to highlight your skills and experiences that are most relevant to each specific role. This will help your application stand out in application tracking systems and increase your chances of being invited for an interview.

 

 

Interviews

The final activity in phase 2 is interviewing for desired positions. As someone with significant previous work experience, this is your chance to distinguish yourself from entry-level applicants. When interviewing, you should be honest and humble about your technical abilities. Be sure to discuss transferrable skills and how your previous work and life experience will prove beneficial in the position you are applying for. Interviews are a great time to share stories that you developed when refining your personal brand. Finally, take some time to prepare before for each interview. Most technical jobs will require several rounds of interviews. You should know who will be interviewing you and prepare accordingly. It is also important to plan your responses to common interview questions ahead of time.

 

 

Phase 3 - Survival (Your first 6 months as a penetration tester)

Your transition into penetration testing does not end when you begin your first job in the field. There is a considerable amount of self-reflection, change, and growth required to ensure your success as a penetration tester. Below are recommendations for what you should both do and avoid as you prepare for your first 6 months:

 

Do

  • Get clear guidance from your leadership about job expectations

  • Set goals for your own professional development

  • Leverage strengths gained from previous experiences

  • Share your experience (when it’s welcomed!)

  • Learn, learn, learn

  • Find ways to fill connection gaps

 

Don’t

  • Don’t live in the past—your experience is valuable, but your role has changed

  • Don’t expect special treatment

  • Don’t discount what, or from whom, you can learn new things

  • Don’t suffer in silence

  • Don't set unrealistic expectations, either for yourself or for advancement

 

Transitioning into a new career is a journey that requires dedication and perseverance. Penetration testing is a dynamic and rewarding field with significant career opportunities, making it an excellent choice for a second career. By following the 3 phases outlined in this article, you can pave the way for a successful and rewarding career as a penetration tester. Happy (ethical!) hacking!

William Giles
Security Consultant II | Optiv
William (Billy) Giles is an offensive security consultant who specializes in adversary emulation and network penetration testing. He has over 10 years of experience in cybersecurity and in leading, planning, and executing offensive cyber operations. His experience ranges from medium to large organizations across a multitude of industries. Prior to joining Optiv, Billy was a career U.S. Air Force officer, serving for over 24 years in various positions in intelligence, cyber operations, and special operations.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Would you like to speak to an advisor?

How can we help you today?

Image
field-guide-cloud-list-image@2x.jpg
Cybersecurity Field Guide #13: A Practical Approach to Securing Your Cloud Transformation
Image
OptivCon
Register for an Upcoming OptivCon

Ready to speak to an Optiv expert to discuss your security needs?