Cybersecurity is an extremely fast moving field. While there are some tried and true things in cybersecurity, there are just as many things that are constantly changing. As soon as new malware hits the news, researches are jockeying to be the first ones to release an analysis on it. To be the first ones to create signatures and detections for it. Even with Offensive Security. As soon as a new technique is released red teamers and pentesters are rushing out to try it out, play around with it and potentially use in on their very next (or current) engagement.
In order to stay relevant and up-to-date with new techniques and tools, it requires a certain amount of focus day after day, week after week, year after year. That focus being constant improvement. If we, as pentesters, don’t get better, we can’t help businesses defend better.
So that’s what this blog post is about. Constant improvement and showing that off to the world. We are going to talk about WHY you would want to show off your skills as a pentester as well as 7 awesome ways to do just that, show off your skills as a pentester.
Why would I want to show off my skills as a pentester?
Before we dig into the HOW, it probably makes sense to talk about the why. As Simon Sinek says, “People don’t buy WHAT you do, they buy WHY you do it.” So WHY should I show off my skills as a pentester? First, let’s address the topic of ambition.
First, and foremost, I fully believe that you do not have to do any of this, if you don’t want to. If you just want to clock-in do a good job and clock-out. I see no issue with that. I think everyone should be themselves and live up to their own ambitions, not those of others. If that’s you, that’s fine, but I doubt you will get value from this blog post from this point forward.
Now that we have that out of the way, I assume you’re continuing to read this blog post because you do have aspirations and ambition and gumption. You do see value in improving your skills, sharping your sword, and showing it off to the world. So back to my initial question.
Reasons to show off your skills as a pentester
Everyone should have their own reasons for wanting to show off their skills, should they chose to do so. Those reasons may not be unique to you but their meaning or purpose should be. Here’s 3 reasons you may want to show off your skills:
- To get your first job as a pentester
- To land a new pentesting job
- To become more valuable to your current and/or future employer
- To build your personal brand and differentiate yourself from “the competition”
Now that we know why we may want to show off our skills, lets dig into the tactical stuff, the how.
How to show off your skills as a pentester
1) Start a personal blog
Writing on a personal blog is a really great investment in yourself. It shows gumption and can be a sign that you take your career seriously. It can be an outward display that you “know your stuff.” A person blog is also a great place to link to open source projects you work on, or tools you’ve written or CTFs you’ve participated in.
A personal blog is your resume in landing page form from which you display or link to all the things that make you uniquely qualified to do whatever it is you do. I think everyone who has the ambition of continual professional growth should have a personal blog and contribute to it regularly. Now I say that, having not contributed to my blog in over a year. To be fair, I have been contributing to the SecurIT360 content machine lately.
2) CTFs (HTB, TryHackMe, Holiday Hack Challenge, etc.)
Capture The Flag (CTF) is another really great investment in yourself. CTFs are especially great for those who do not yet have “hands-on experience.” I’ve seen many times where those looking to hire security people take CTFs into consideration in lieu of hands-on experience.
CTFs are awesome because it helps you hone your troubleshooting, problem solving, critical thinking and thinking-outside-the-box skills. All are essential skills for pentesters to harness. They expose you to tools, techniques and technology that you may have not otherwise been exposed to. This is especially true if you’re working in a non-adjacent field to Cybersecurity. The added benefit of being exposed to a wide range of technologies is the exposure may help you decide what “niche” of cybersecurity you want to pursue. Reverse engineering, Threat Hunting, Pentesting, etc.
They are also fun and great team building opportunities. Many CTFs have unique scenarios or stories, such as the Holiday Hack Challenge. In doing so, you get much more invested and involved in the CTF and you end up learning more because you’re having so much fun playing along with the story of the CTF. It’s common for CTFs to be team-oriented, so you get a group of friends together and hack away and some challenges. It’s a great opportunity to foster relationships amongst team mates.
Many CTFs also have a wide range of challenges for any skill level imaginable. From those just starting out who may not know how to open a text file, to those who are seasoned veterans working on reverse engineering a binary to solve a challenge. These challenges of varying skill levels allow you to work at your own pace and ensure that you continue to sharpen your sword.
CTF badges and ranks look good on resumes. Being top 1% on HackTheBox or TryHackMe is pretty impressive. Show those badges and those accolades with honor, on your blog of course.
3) Videos (Walkthroughs, Tutorials, Demos, Talking Head, etc.)
Once you’ve got a blog setup and you’re contributing content to it, you’re playing in CTFs, doing HackTheBox or TryHackMe, the next step in showing off your skills is to start making some videos. That could be as simple as a video of you talking about something cool happening in the news or the industry. This is commonly referred to as a “talking head” type of video.
You could record yourself doing HackTheBox or TryHackMe. Quick note, be sure to check the rules for those services. For example, it’s against HTB rules to give solutions for active machines and it’s poor judgement to do so. The great thing about videos is you get to work on your presentation skills. You get to show off your thought process, how you tackle problems, and how your hacker mind works. It’s common for people to have similar approaches to solving a problem but your approach is unique to you. Show it off. Talk about your methodology and your thought process. It’s what makes you, you.
4) Open Source Projects & Tools
Another awesome way to show off your skills as a pentester is to contribute to open source projects, create your own or even create your own tools that help you with your job.
There’s a seemingly infinite amount of open source projects that are actively seeking help in maintaining their projects. This could be anything from documentation to actually contributing code or reviewing code. Even better if it’s a Cybersecurity project such as a tool or library that’s commonly used in day-to-day pentesting wotk. Not only is this a great way to show off your skills and get better at coding it’s also a great way to meet people in the industry.
Take it up a notch by creating your open open source projects or writing your own tools. This is very common in the cybersecurity industry and especially with pentesting. One way to learn how a tool or a technique works is by creating a tool that does that thing. Maybe you write it in the same language as the original author or maybe you write it in a different language with the sole purpose of learning more about that language. It is such a great opportunity to learn how things work and learn a programming language along the way. This is never time wasted.
Contributions to open source projects and creating your own projects looks very good on resume’s. So don’t be surprised when you’re in an interview and the hiring manager asks about those GitHub repos you’ve got.
5) Conference Talks
Once you’ve worked on your presentation skills by making some videos and you’ve got some understanding of a topic. Now is the time to give some real live presentations. Yes, like to an audience.
The most well known version of this is conference talks. These can be in-person or online. Typically there is a process called CFP or Call For Presentations, whereby you submit an abstract of your talk for review and hopefully approval. For many conferences only a few out of many get selected to present their talk at the conference.
As an alternative to conference talks, at many organizations there’s opportunities to present to your fellow co-workers. That could be in the form of presenting on secure code development practices or security awareness topics. This can be a great opportunity to start working on your presentation skills and a lower stress environment than a conference talk.
Giving presentations at some of the bigger and more well-known conference can be very rewarding for your career. Giving a talk at events such as DEFCON or BlackHat is a badge of honor. These are resume worthy events, take advantage of them!
Alas we’ve reached the “controversial” part of this blog post. I’m going to give you my two cents in the form of a tldr and then discuss it a bit further.
Tldr: Yes certifications matter. How much? Not as much as you think.
Ok so, yes certifications are great for a number of reasons. They show, on some level, you understand the topic. They can help you land a job or pivot to a new job. They can help you differentiate yourself and stand out among the crowd. They can help you get passed the infamous “HR filter.”
Certifications, even ones such as OSCP are not a replacement for hands-on experience. Simply because there is no replacement for hands-on experience. Now, the OSCP and others get you close. Just like CTFs get you close. But at the end of the day practical exams and CTFs are not real world.
Some certifications have more weight than others and some certifications are just not worth your time. When thinking about what certifications to go after, think about the skills you will learn in the process and how valued and sought after the certification is.
7) Vulnerability Research/Bug Bounty
This is a field of cybersecurity that has really exploded over the last several years. According to cvedetails.com in 2012, there were 5,297 CVEs assigned. Total for the whole year of 2012. In 2022, at the time this blog post goes live there has been about 11,816, and we are only halfway through the year. Last year, in 2021, there were over 20,000 CVEs assigned. That is a lot of vulnerabilities. Those are just the ones that made it to a CVE and were published.
Vulnerability Research and Bug Bounty can be very lucrative and rewarding careers, but it doesn’t come without a cost. These fields require specialty. Most researches will dedicate their time to being a specialist in some area or class of vulnerability and only research and hunt vulnerabilities and bugs of that same class. While I do believe anyone with just a little it of knowledge and experience can begin researching vulnerabilities and hunting bugs, many of the top experts in this area have devoted countless hours to learning this craft. So it doesn’t come easy by any means.
CVEs and Bounties are also an indicator of how well you know your stuff and can be a good way to show off those awesome skills you have been honing over the years.
Well, that’s it folks. That’s my list of 7 awesome things you can do to show off your pentesting skills. If you got value from this post or if you have any feedback or have ideas of your own that you think deserve to be on this list, let me know!