Breaking Barriers: From College Life to Penetration Testing
A candid account of my journey to junior penetration tester: struggles, failures, and successes. Learn the power of being persistent, breaking down goals, seeking guidance, networking with others, and other lessons of trial and error to overcome obstacles to achieve your cybersecurity career dreams.
- Introduction
- Battle Plan
- Mission Objective 1: College Acceptance
- Mission Objective 2: Acclimate to College Life
- Mission Objective 3: Understand Essential IT Skills
- Mission Objective 4: Enter the IT Field
- Mission Objective 5: Obtain OSCP (First of 2 failures)
- Mission Objective 6: Link Up with Cybersecurity Professionals
- Mission Objective 7: Obtain Junior Penetration Tester Role
- Conclusion
Introduction
I was listening to the professor give their lecture, an elective class about political science, when I glanced over and saw my Burp crawler complete. Excellent, the target site appeared to be vulnerable to Apache Struts, a remote command execution (RCE) exploit that would allow me to take over the client's web server. Scanning client networks through a VM that was connected to my company's VPN was slow, but it allowed me to do some basic automated reconnaissance to manually review later when I was free. The lecture ended and I packed up my things to head out the door, but was stopped by a classmate right outside of class.
He was sitting behind me during the lecture and noticed I was running Burp, to which I let him know I do Penetration Testing as a part time job and was performing initial recon. He then asked: “How do I become a part time penetration tester like you?”. I asked him: “Well, what do you do when you go home? Probably play video games? Kick up your feet and watch Netflix? Do you get on any social media and just scroll through the feeds looking at what other people are doing?”. He replied with a shrug and said “Well, yeah I play video games and watch stuff”. I told him “When I go home I spin up some VMs from VulnHub, solve some puzzles from RingZer0, practice in my lab using the notes I took from the latest NoStarchPress hacker books. I had to remove my distractions after setting my goals. It’s not easy, but very doable. If you’re interested I can send you some resources”. He took me up on my offer. A year later we were working together. He’s now a prominent Red Teamer, and particularly good at Social Engineering and Physical penetration testing.
I told him my battle plan, the mission objectives I took to help accomplish my goals. Everything I divulged was something I enjoyed doing. I get a kick out of being challenged. I feel joy when I accomplish a task I set out because it frees up my mind. I get anxiety just thinking about what I have to do, but when I actually do it there is this euphoric feeling of being free. Feeling stress just fade away with each sense of accomplishment can be addicting, and it’s very easy to get hooked. Each accomplishment was one more boost of XP. One more level up. One more, one more, one more. In my mind they became whispers of: I am getting closer, even closer, closer, almost there. The best thing you could ever do is invest in yourself. I wanted to be a penetration tester, an ethical hacker that gets paid to legally breach networks. With zero computer skills at the age of 25, I knew I had to map out the battlefield and come up with a plan. I wanted to forge myself into a skilled hacker.
Sharpening yourself to be a powerful blade that cuts through systems and networks takes time and grit. Every sword starts out as a hunk of metal needing to be reformed by being hit hard over intense heat, several times in fact. The heat is the time it takes, the hammer banging away is each time you will be challenged, the dull edge being sharpened is each skill you are adding to your arsenal.
This article is about my journey to becoming a junior penetration tester, and how I managed to share that passion with others along the way. I learned a lot, and I believe others might benefit from these experiences.
Battle Plan
First things first, I want to make sure you understand what you are getting into when pursuing offensive security, either overt or covert operations, as a career. It is passion focused. Success in this career comes from continuous learning and adaptation. Staying curious and always pushing your limits is paramount to achieve that success. Without passion and drive, you may not succeed.
The thought of breaking into companies physically or virtually should be exciting! This field is about creative problem solving, not sitting around waiting for the answer to show itself. If you want something bad enough, you will go all out for it. That means waking up early and going to bed late. That means removing distractions from your life: streaming services, apps from your phone, video games. Focus on channeling your passion to funnel your drive.
“Every day must be hard for you. The days without difficulty are the days you do not improve. The days you do not improve are the days the men behind you close the distance. It’s then you give your enemies hope. Hope that, when they meet you in battle, they have done enough to finish you.”
- The Rage of Dragons by Evan Winter
Ok, enough pep talk. Let’s talk about what I did from 2014-2017 and what I think you should do to learn from my mistakes in order to accomplish your goal in achieving your first penetration test job. This is NOT a “HOW-TO” guide. It’s the mission objectives I set for myself to get my dream job. Some with failures, and others with successes.
Mission Objective 1: College Acceptance
My primary mission, goal, was to become a penetration tester. At the time, I was 4 years deep as a Security Forces Member in the United States Air Force (military police). I was just separating from the military and about to move to Canada with my beautiful Canadian girlfriend (now wife), Madison. We both knew I had to apply to institutions to learn about the IT landscape. I had zero practical experience in IT, no knowledge with computers, and terrible grades from high school to boot. But the idea of being great at something that I had an interest in was too much to pass up. Applying to universities and colleges was daunting, no one wanted me. I was an average “D” student in high school with no math skills, and I had not touched homework in 5 years. My study habits were not just lacking, they were non-existent.
After applying to 5 or more institutions, we found a school that initially denied me but was the only one that provided feedback as to why they rejected me when I requested it:
Dear Kenneth,
Thank you for your interest in Sheridan. We regret to inform you that you were not selected for the PBAIS - Bachelor of Applied Information Sciences (Information Systems Security), Trafalgar Campus program for the following reason(s):
- Mathematics, Grade 12 (U) or OAC or equivalent not met
If you would like to redirect your application to another program, please contact …
After inquiring for more details surrounding their decision, the school said I could not be accepted into the program until I increased my math average to a 65% minimum (yeah, I know it's low, I was not good with math), and that I would have to reapply after. I was able to find a math course they would accept as credits. Using this, we negotiated with them, and they agreed to take me in as a “conditional offer” on the condition that I improved my math grade to enter the program.
Hello Kenneth,
I have issued a Conditional Offer based on completion of the Grade 12 Math credit, you should receive it by email tomorrow.
Please note that your current average when converted to our Ontario grades is 64%, or a “C” excluding the pending Math credit. We require an overall average of 65%, or “C+”, for admission into the Bachelor of Applied Information Science program, so hopefully your grade in the Math course will help you meet the overall average.
Regards,
International Student Coordinator – Admissions
Don’t give up because a door closed. You are going to read about this exact quality throughout this article: Always be persistent. It’s an elusive yet indispensable quality that separates the truly successful from the rest. Quite frankly, it’s what this career is all about.
There were many highs and lows after this that do not have anything to do with getting skills for hacking. An unexpected emergency surgery, battling with U.S. Veterans Affairs to approve the program to use my military service benefits, and getting a study permit to enter Canada. Little did I know, these would be the least of my problems after going back to school.
I studied my butt off for that math course, passed the exam, and started my journey as a new information systems security college student.
Mission Objective 2: Acclimate to College Life
Pushing open the classroom doors, I walked over to the table I had become comfortable and complacent with the past 2 weeks in my Introduction to Networking course. I was just booting up my laptop and settling in, when the professor rushes in smiling and says, “Laptops closed and away, it’s time for your pop quiz”. Wait, what?! I looked around, heard a few sighs, but saw my peers take out their pencils and pens, prepared for something I clearly was not. My confidence plummeted.
I tried to rationalize what I was hearing: This isn’t real, right? It must be a dream, pop quizzes are only in movies. Nope, no, I am definitely panicking. This is actually happening. Why was I so nervous? I was certified in multiple weapon systems from small arms to heavy arms. I’ve anticipated and seen death, led multiple life-saving emergency contingencies for 48 hours straight, chased child-predators, been surrounded by mobs of angry drunks, and responded to many domestic violence incidents. But a pop quiz? I was sweating. Remember when I said that my study habits were non-existent? The quiz was on the architecture of a router and switch. I failed it spectacularly. I went home frustrated and angry with myself.
As military police, they made sure we were always prepared, no matter the threat, incident, call, day, night: didn’t matter what it was. We always made sure we were prepared. After realizing how cocky and unprepared I was for this college life, I made sure I would never take it for granted and would never be unprepared for school work again. I studied my butt off and took notes going forward. Made flash cards, completely unnecessarily half the time. No matter how hard I studied though, there were instances where I just wasn’t getting it. I received a “D-” on my first Computer Math midterm. I knew I couldn’t let my math grade drop or else I would risk getting flunked out of the program. I studied so hard for that midterm, yet it looked as if I walked in unprepared again.
Even though I vastly improved my study habits and did everything I could when preparing for that midterm, I still received a grade that was on the edge of failure. I kept asking myself, "How long could I keep this up?" It felt like a losing battle no matter how hard I tried. Later that evening, with those thoughts swimming in my head, an overwhelming feeling of hopelessness hit me like a tidal wave. I suddenly broke down in my kitchen, Madison consoling me as I lay on that cold tile floor with tears slowly running down my cheek. We were both trying to figure out what else I could do if I couldn’t adapt to college. We figured it might be best if I pursued a different career, one I was better suited for instead. Use my practical military experience. I could go to New York, so it's close to the border for Madison’s family in Ontario, get back into policing as a State Trooper. We went over our options, our retreat, the egress route to abandon this entire mission to instead come up with a new battle plan. Just then, we realized I did not try everything yet: tutoring.
The next day, I signed up for a math tutor on college campus. I was assigned someone who was very patient and caring; she took amazing steps in ensuring I understood any problems I may face. On the final exam, I received a “C+”, with a “B” in the course at the end of the semester. I had a math tutor for another 1.5 years.
If you can adapt and overcome obstacles, even if you fail a few hurdles along the way, then you are definitely suited for this career. I did not know that at the time, but if I did, it would’ve motivated me even more to just keep pushing forward. It would have reinforced my belief that I can achieve this mission of mine. If you are struggling with adapting to something right now, just take a step back and weigh out your options. Break each struggle down into separate components and identify “how can this be improved to help” yourself, someone else, or even your company. Don’t retreat until you’ve thoroughly mapped out your options to help accomplish the mission.
Mission Objective 3: Understand Essential IT Skills
From April 2015 - April 2016, I was starting to get the hang of IT concepts. College definitely boosted my skills. Initially, I had no idea where to even look when wanting to learn what would be required for this profession. From network devices, information security definitions, programming concepts: I was a sponge just trying to soak up as much knowledge as possible. Just one problem though, I am a slow learner and all the classes weren’t necessarily building upon each other in a real-world scenario for me to fully understand.
In the military, we would listen, watch, and then drill each new process in real-time. We would then combine these processes into the tactics necessary to accomplish our given tasks. It demonstrated how crucial it is to rehearse what you learned as soon as possible. For myself, it helped in understanding the big picture and end result.
I mean sure, each college class may have had a lab like for networking with switches, and programming courses would have an IDE to correct my code, but I wasn’t putting the concepts together: Where do web apps live, DMZ? Internally? I can ping a system from this network to that network but there is no web app there to examine or database to access. Where do the backups go, and how? How does all of this work on a corporate network when using the same employee username and password to authenticate to services? Why is “Active Directory” so popular and what does it mean? That’s when I started to build my own lab.
I am not going to go into complete detail about how I built the lab, there are a ton of guides out there on how to do this with a vast amount of different technologies. I HIGHLY encourage you to start building your own lab. Seriously, once you start building a lab everything starts to make sense. Not only do you gain practical, hands-on experience with various tools, techniques, and technologies (which is invaluable in the professional field) but you also learn:
- Debugging and troubleshooting skills: Building and maintaining your own lab helps you develop essential debugging and troubleshooting skills, as you'll inevitably encounter issues that require problem-solving and a deep understanding of the systems you're working with. These skills are so highly valued in the professional field and it can set you apart from other aspiring penetration testers who decided to overlook this crucial process.
- Trial and error: A personal lab allows you to make mistakes and learn from them without the pressure of real-world consequences, helping you build confidence and improve your skills.
- Portfolio building: A well-documented personal lab can help showcase your skills, dedication, and knowledge, making you much more attractive to potential employers.
- Continuous learning: As technologies and threats evolve, maintaining a lab enables you to keep up with the latest advancements and stay current in the cybersecurity field.
And guess what? After you set up your lab for the first time, you can easily convert it to be deployed automatically! I will definitely post about automating lab deployments later, but it’s important you first manually deploy one so you can learn about the points above. As they say: walk before you run!
Mission Objective 4: Enter the IT Field
With summer 2016 approaching, I knew I had to at least try to get into the IT field. My resume was void of any IT related experience but stacked with military fluff words to really help get my foot in the door. During a holiday party in 2015 at Madison’s workplace I was introduced to a cybersecurity professional in charge of IT operations for their Canada division, who I’ll just call “George”. He gave me some good advice: have as many people you know in the industry review your resume. Doing this allows them to provide valuable insight with the added bonus of maybe knowing of any job openings.
If you can make your resume interesting enough for a potential employer to give you a call then that’s a win, even if you don’t get the job! You have to be attractive on paper to be noticed. Up to this point though the only “experience” I had was my Lab and playing on CTF sites.
So what? Even though it's not “job experience”, it's still practical experience! The way I see it, if you can demonstrate your knowledge and skills to a potential employer without on-the-job experience and they continue you through the interview process then they are likely a good employer. They aren’t taking a chance when you think about it, because you’ve demonstrated resourcefulness and passion in the field.
Do you think I followed my own advice to put information about my lab and extracurricular CTF activities in my resume at the time? Nope, I didn’t realize this until later. I wish I had put everything about my lab and what CTFs I had done. The reason being because I learned later that many employers in the cybersecurity field actually do look for that when going through resumes of inexperienced candidates in hopes of giving them the opportunity to land the role!
I knew it was a good possibility that I wouldn't land anything for the summer. I did not let that stop me, though. Certainly, I didn't exhaust my options fully, but I definitely could have looked harder back then. Any business, big or small, could have been anything. Any company or organization that needs assistance in improving their IT infrastructure, systems, and applications to enhance efficiency, productivity, and customer experience, could have been a potential opportunity for me to work with them as a student:
- Gyms and fitness centers
- Tax offices and accounting firms
- Insurance companies
- Banking and financial institutions
- Healthcare facilities (hospitals, clinics, pharmacies)
- Retail stores and e-commerce platforms
- Manufacturing companies
- Logistics and supply chain management firms
- Telecommunications providers
- Hotels and hospitality establishments
- Real estate agencies
- Legal firms and law offices
- Educational institutions (schools, universities, tutoring centers)
- Marketing and advertising agencies
- Software development and IT consulting firms
- Travel agencies and tour operators
- Restaurants, cafes, and catering services
- Event management and planning companies
- Utility providers (electricity, water, gas)
- Media and entertainment companies (film, television, music, gaming)
I would only recommend others do this if it's something they can handle, of course. It is crucial to NEVER OVEREXTEND ONESELF. Otherwise, if I didn't land a job to gain practical experience, I knew I would have to invest in myself by boosting my skills further during my time off between semesters.
I remember applying to every role I could: Helpdesk or IT support, developer positions, a few security related roles but I knew it wasn’t likely they’d give me a call. Still, I kept trying:
Hello,
I am writing to inquire about any summer job openings you may have for a student? My name is Kenneth Hartlaub, and I am currently finishing my second year at Sheridan College in the Bachelor of Applied Information Sciences, Information Systems Security, directed by Victor Ralevic. My program is geared towards everything your firm offers. I would love to learn and grow from an award winning cyber security firm.
I have attached my resume and cover letter, and I look forward to hearing back from you at your earliest convenience.
Regards,
Kenny
You should always apply to everything when first starting out, even if it’s not your ideal role. I talk about why outlined here under “Tip”. I was creating cover letter after cover letter, cold calling and emailing reception desks, quite a few times I went in-person to deliver it. Both big and small name companies too. My resume looked something like this at the time:
During all of this, Madison worked as a Tax Accountant at an HVAC & Plumbing distribution company. Her coworker I mentioned earlier at the holiday party, George, no longer worked there. I learned this after connecting with him over LinkedIn (I took his advice and wanted him to review my resume after all!).
Summer Job
Hi George!
I hope you are doing well, and enjoying this April snow storm.
I wanted to finally connect with you on here - Madison kept reminding me to, but I was always caught up in one project or another.
I am finishing up my semester at Sheridan and wanted to touch base with you to see if you knew of any job openings, or anyone looking to hire a summer student in the IT field? My program focus is on Information System Security, and I was hoping to get a job in the IT field in order to gain some experience.
If you do not, and have the time, would you mind looking over my resume? You are the only one I know in my field, and I want to make sure it is up to par.
I appreciate any help you can provide me!
Take care!
-Kenny
He replied back, saying he would be happy to review my resume and offered some great advice on how to improve it.
Still, Madison asked her IT department if they happened to be hiring, and they mentioned that they recently started looking for summer co-op developers. She brought a copy of my resume to them, and within a few days, I got a call from their HR department. They were looking for summer interns to help develop some stuff in .NET and JavaScript programming languages. I knew neither of these languages, and my resume reflected that. This was the conversation over the phone:
- HR: “I see you have Java on your resume as a technical skill, so you are good at JavaScript, yes?”
- Me: “Uhm, no, not exactly. Java is an object-oriented programming language, while JavaScript is a static scripting language. But JavaScript is used with many HTML applications, so I could definitely help with it somehow. Are there other languages the company is looking to develop in that I would be better at?”
- HR: “Oh, no, ok, well I also see the team is looking for C# development, but I assume that’s not good for you either?”
- Me: “Actually, yes, I could do C#. It's similar to Java because it’s object-oriented, and I could become familiar with the syntax within a week if that’s okay?”
- HR: “That could work, I’ll talk to the team and get back to you.”
I was booked for an interview the following week. I signed up for all the free courses and watched as many YouTube videos as I could for C# development. I became familiar with Visual Studio, .NET, and IIS servers as quickly as possible. During the in-person interview, we mostly talked about my teamwork experience while in the military and then a handful of C# programming questions. They understood that HR was not tech-savvy with programming languages but offered to give me a chance and appreciated the fact that I at least sought a solution to familiarize myself with C#. They gave me some resources to check out to become better acquainted with .NET concepts before my start date of May 1st, 2016.
I owe it to the team who hired me at that company. I worked with two other co-ops that summer, who I learned a lot from. Those other interns were much better programmers. One of them was practically a full-stack developer. I would ask them questions and fully envelop myself in their world so I could keep up with them. I struggled many times trying to stay on their level, but I actually had a few opportunities to provide value using my cybersecurity background. I helped them deploy Web Application Firewalls, create a Secure Software Development Life Cycle (SSDLC) program, and perform vulnerability assessments against applications other developers deployed.
During my co-op, I learned I really did have a passion for hacking instead of developing as a full-time job. I loved the idea of spending the whole day hacking away, even if I didn’t find anything! It was the process I enjoyed. Naturally, I made it a new objective of mine, with the money earned during the co-op, to attempt the certification all cybersecurity professionals loved to see on a resume: the Offensive Security Certified Professional (OSCP).
Mission Objective 5: Obtain OSCP (First of 2 failures)
Spoiler alert: I failed my first and second attempts at the OSCP. It wasn’t until my third attempt, in 2019, that I successfully passed and obtained the certificate. But I am not going to talk about the other two attempts, they don’t matter yet for this battle plan. The only attempt that matters is the first. Here is the story about the objective I fought so hard to obtain, only to fall short miserably. I hope this very important and pivotal failure of mine leads you down a path of success instead.
It was in the middle of June of 2016, nearly midnight, the sound of the keyboard taps and mouse clicks was keeping Madison awake in the room next door while I was hacking away in the PWK labs. We were still living in someone's basement, going on for about a year and a half, a 1 bedroom “apartment” with a combined kitchen + living room area. You could only fit a couch, TV, and desk all in the one area. It was really nice to be honest, a good neighborhood and cheap rent (it was in someone's basement after all). The only downside was that for 2 people it was very tiny and my late night habits kept Madison awake most of the time. My computer desk was nestled in the corner near the bedroom door. She was trying to sleep, and politely asked if I “could be quieter with the mouse clicks and keyboard taps.” Like I said, it was a tiny “apartment”.
“Almost done,” I said, “figured out how to get into Bob! Once I upload my reverse shell it’s over and I’ll have his flag!” I was not almost done, it was another hour before I was finished. While powering off the computer I wrote down how long it took me from start to finish with Bob. The next morning we talked and agreed that I’ll have to get a new quiet keyboard if she’s ever going to get some sleep. Thankfully, she knew why I wanted this certificate so badly. She understood I woke up early to hack away in the PWK labs, went to work, the gym, and then back home to continue hacking away. To learn. To grow. I did this every day for the entire summer. I definitely did not get adequate sleep but the thrill of learning new hacking techniques, applying the concepts, and chipping away at the lab environment was so exciting. How could I not want to stay awake!?
We bought a whiteboard and hung it up above the desk. Every time I popped a box the name would go up on the board and she would comment on it: “I see Alice and Phoenix up on the board today. 8 hours total, nice!”. It helped having support. I know many others might not have that kind of support with them every day, physically, but don’t be afraid to reach out to find it. I made friends in the OffSec IRC channels (now Discord) and forums. We would keep tabs on one another to ensure motivation was high. So in a way, I had two support groups: one at home and one on the internet. Both helped me. I encourage you to find a mentor or family member, even someone who hasn’t obtained the OSCP but would still love to cheer you on. Explain to them what the certificate means to you and your career, how it can help you and how you can use it to help others. Having a support structure, no matter the goal, is always a benefit.
By the end of the summer I finished my co-op and had 1 week until my testing date with 33 boxes up on that whiteboard. Each box had the time it took for me to root it, with around 400 total hours. There was one box that was so elusive for me. It haunted me, and I could only ever get the user flag for it. I had a week to prepare for the 24-hour practical exam so I put it out of my mind. My thinking at the time was: Passing is my only option, so no point in worrying about that system, I would never have to see it again after this. Boy was I wrong.
Here’s my biggest mistake during all those hundreds of hours in the lab: I used the forums for hints. It was a private forum, only for students taking the PWK, but the moderators allowed subtle hints that users could submit. They were subtle enough that the reader looking to find a way to root the system would have an “AHA!” moment. This was a false sense of achievement. It was only obtained through bias when reading the hint. Each time I read a hint I was unknowingly setting myself up for failure and weakening my position in obtaining the certificate. There are ZERO hints on the exam. The only lab boxes that weren’t allowed to have any discussion threads or hints were these “super-hard-exam-like boxes”. At least they were rumored to be similar to boxes you might encounter during the exam (they weren’t, in fact). Each time I got stuck I would hop on the forum and essentially set myself up for failure.
I wish I had known the dichotomy of searching for answers versus deconstructing problems back then, as I now understand the significance of navigating these two approaches. The subtle dance between hunting down solutions and slicing up problems into bite-sized pieces lies in the equilibrium of seeking a little guidance and polishing your problem-solving skills. Sure, it's tempting to scour the web for answers when we hit a rough patch, but it's crucial to first take a swing at solving the problem solo. Doing so helps you nurture tenacity, critical thinking, and a richer grasp of the subject at hand. By dissecting the problem, we get to wrap our heads around the foundational concepts and garner a more all-encompassing solution. This very process will help you pinpoint gaps in your knowledge and areas where you might need some extra guidance.
Now, I will admit that on the flip side, sometimes searching for answers can lay the groundwork for further learning. It's important to acknowledge when you’ve run out of problem-solving steam and need a helping hand. That being said, it's extremely vital to first exhaust your solo efforts to reinforce learning and make sure it sticks in the long run. Trust me.
My preparation procedures were based on word-of-mouth (or typed word) from other PWK students. They said to prepare for this specific vulnerability that was heavily touched on during the course modules. I did that and marked it off my “prep” checklist. At the time, if you turned in the answers to exercise questions for each of the lab modules you received points towards your exam, so I did that too and marked it off my checklist. I figured I already popped 33 boxes, practiced the specific vulnerability, and did the exercise questions so it should be enough, right? It was not. Not even close. But in my head it was.
The big day came and I was feeling good. I woke up early, went for a walk, had my coffee, ate my breakfast, and sat down to take the exam. I set off my scans while I worked on the challenge I was expecting to encounter. I popped the first box about the time the scans came back. Here are the exact thoughts running through my head at the time: “I AM CRUSHING IT! All of my practice is paying off! I am going to get this certification! Onto the next!”
For the next 15 hours I struggled. Time flew by and yet it seemed to stand very still. I was going down rabbit holes while looking over every path available with no real methodology. My stomach developed a sickening feeling, growing more intense each passing hour. I had owned one box and had user privileges on another. That means I’ve only completed roughly 30% of the exam with no success in sight. It was soul crushing to say the least. I began to accept defeat… it just seemed so inevitable.
With my head hung low and on the brink of tears, I crawled into bed on the 24th hour of the exam. My access to the OSCP network was cut off which meant it was over. The next day I worked on the report and turned it in, hoping for pity points, but was given the bad news soon thereafter. Failure.
I was in a bad state for the next few weeks. In fact, I remember I couldn’t look people in the eye. Friends and family would ask "How did your exam go? Did you pass?" They knew I was trying to obtain it because it’s all I worked on that summer. I felt ashamed. All of that hard work, countless hours spent, long nights and early mornings all for nothing - was my initial perspective.
That lasted until the acquaintance I made nearly a year before this failure dropped me a line. Remember George from that holiday party? Even though he no longer worked at that company, we had connected on LinkedIn before I started that co-op. In addition to reviewing my resume he also knew someone in the industry, particularly with knowledge of the field I was trying to get into. So let's take a step back in time, during the summer co-op and before failing the OSCP, to talk about how I linked up with cybersecurity professionals.
Mission Objective 6: Link Up with Cybersecurity Professionals
Back when I reached out to George before the co-op position he and I were a bit too busy to meet in person. We went back and forth trying to meet but life sometimes gets in the way. He knew I was already set at my co-op since he helped me with my resume and I knew he was busy with his own professional goals and family. At any rate, he opened the door I needed into the industry of penetration testing. One of his replies was:
I actually might have a great lead for you -- he's based in Ontario, and was a competing business to mine when I had it, but we became good friends over the years. I am not sure if he is looking for a summer student or would just want full time employees
A few messages later we exchanged numbers and eventually met at a Starbucks in the middle of the summer. I told him about my current endeavor to obtain the OSCP and how I recently signed up to take the course. He asked me some questions about my goals and what exact niche in the field I wanted to get into so without hesitation I told him penetration testing. From there we talked about this “guy” he knows, who we will call Fred. So Fred runs his own cybersecurity business in the area that provides a managed security operations center (SOC) and penetration testing services to clients. George says he will introduce us to each other over LinkedIn because he feels I would be a good fit for Fred and his company.
My heart was skipping beats and my adrenaline was at its peak. I got shaky and excited because I might finally be able to talk to someone who can mentor me in penetration testing! Even if I don’t get a role at the company, I just wanted to have someone in the field help guide me. Any advice they could provide would be invaluable.
Months later I failed the OSCP, and, like I mentioned before, I was feeling pretty down about it for a few weeks. One day I logged into LinkedIn to see a discussion thread with George and Fred:
Sep 15 2016
Hey Fred!
Let's have a chat in the next few weeks maybe to do a proper catch up! The purpose of this note is to introduce you to a guy I met along my journey, who in my opinion is your exact type of protégé - he is a security nerd through and through (and I mean that with the utmost respect). I wanted to connect you both to pick up the ball and get in touch and have coffee, as I think that way you either grab a cup of Joe and part ways as friends, or can figure out a way to fit into each others' world.
Let me know if you want any more info, or just drop a line to connect. Give me a few dates and times to set aside some time to chat in the next few weeks?
Cheers buddy, and hope all is well!
George
Great to hear from you George.
Yes, let's do a catch up and yes, I would like to hear more about this security guy.
I'm around all next week. You open for lunch one day? My direct email is fred@example.com if you want to email me directly.
Fred
555-555-5555
Sep 27 2016
Sorry Fred - been a busy few weeks - Kenny is copied on this thread, and I think it would be great for you two to connect - Is it OK for Kenny to get in touch with you to arrange to connect? You and I shall certainly get together but I don't want to stand in the way of a good connection...
Chat soon,
George
Not sure (if) how Kenny is on the thread. I'm not a big linked in user. You can have him email me.
-Fred
I remember seeing LinkedIn email notifications but simply ignored them. To this day I still have no legitimate excuse as to why I ignored the notifications but that didn’t matter anymore. It was a bad look on my part that I needed to rectify ASAP. Right after I read the thread I immediately messaged them back and followed up with an email to Fred.
Sep 30 2016
Hello George and Fred!
Yes I am attached to this thread, only just now responding. I too am not much of a LinkedIn user. Thanks for the introduction George.
I will definitely be emailing you Fred, looking forward to chatting.
-Kenny
Regardless of the career field you are looking to break into, ensure you are on top of your networking skills. That does not mean to be glued to your phone each and every minute waiting impatiently for someone to drop you a line. It means keeping to a schedule if you are looking for connections or expecting to hear from prospective employers. I dropped the ball on this one and was not nearly as active on LinkedIn as I should have been.
That’s not to say I have completely eliminated this issue in my life either, but I do make a substantial effort. I log in often now to provide mentorship to aspiring penetration testers or red teamers. However, I see a lot of others making my previous mistake. I've lost track of how many times I have been sent some aspiring cybersecurity student’s resume by people I know, only for me to reach out to help mentor this student and they never get back to me. Email, social media, phone: whatever you put down as a way to contact you, make sure you are prepared to answer! You must follow through. It demonstrates so much to a potential employer AND it does not waste your mentor's time. Seriously, someone is taking the time to help you, either through guidance or employment, so be respectful.
Ok, rant over. Now onto the part where Fred and I meet.
I was sitting on a cold, hard steel chair on the Starbucks patio in downtown Toronto near Lakeshore. It had just started getting brisk outside due to the early fall weather in Canada and I was wearing my best suit, completely overdressed, while waiting to meet Fred in person. I wasn’t sure if I would look the part in a t-shirt and pants so I figured the suit would be more impressive. While keeping my hands warm with the hot cup of coffee, I watched people on the sidewalk rush by, all in a hurry to get to wherever they were going. I examined each person, trying to pick out the man who might shine light into the career field I had been fighting to break into for the past 2 years. This man ran his own cybersecurity company and managed to come out on top when competing with others in his field. To say I was nervous was an understatement.
Fred was walking up the sidewalk when he spotted me (how could he not? I was wearing a tan colored suit, sitting nervously alone, and clearly waiting for someone) and gestured me over to him. We greeted, shook hands, and walked along Lakeshore. Fred is a no-beat-around-the-bush kind of guy; he is direct while being very charismatic. He asked “You going to a wedding or something?” I smiled and replied “Nope, I figured it was best that I make a good impression. I never wear suits.” He chuckled and shook his head as we found a bench to sit on. Clearly he is a well-versed businessman, and already we were getting along and making each other laugh. I knew then and there this man, who took time out of his busy schedule to meet up with me, was genuine and looking for talent. I knew I had just secured a mentor for this battle plan, which would very likely soon be accomplished.
Mission Objective 7: Obtain Junior Penetration Tester Role
Fred was taking his lunch break from a conference at which his company was being awarded; he was wearing the entry ticket on a lanyard around his neck.
We talked for a bit and he asked me some very important questions that were along the lines of:
- What do you know about my company?
- Why are you trying to become a penetration tester?
- How can I trust your ethical decision making skills when hacking against my clients?
I told him what I knew of his company based on our initial introduction with George. I hadn't done any research on him or his company. He followed up asking if I had ever heard of it before to which I replied with “No, never”. He definitely looked disappointed in my answers, but I did not want to lie. Some people might say this is just common sense, “Of course you should do research on a potential employer before talking with them!” But for someone like me who was too focused on themselves and not accustomed to proper job seeking techniques, be it interview or informal meet & greets, it was an afterthought. I should have done more research for sure, even asked around or talked to George about it. If you ever get the opportunity to talk to a professional that works in the field or runs the company do your research! Don’t be like me and fall short, always be prepared.
I answered his second question without hesitation by explaining why I enjoyed the challenges and thrill of penetration testing. How it helped boost the confidence within me and bestow a sense of fulfillment each time I was helping the company, like the one I worked for during my co-op. Then we discussed the more serious topic, the third question: proving my ethical decision making.
How would you let a potential employer know they can trust you with breaking into a client of theirs? What would you do if you came across credit card data just lying around that no one knew about which you could easily just take for yourself? What steps would you take if you accidentally discovered a critical vulnerability in a system that was not part of the original scope of the penetration test? What about if you find out someone else has already broken into the company with artifacts they left behind? Let’s say the client asks you to perform an action that you believe is unethical, how would you handle that situation? These are all critical questions you should be able to answer correctly.
My answers were simple: I described situations where my ethical decision making was challenged. One example that he appreciated was how I found a vulnerability (without exploiting it) on a web hosting platform that one of my family members used for their website. I described the vulnerability I found, how I contacted the managed service provider, and gave them a detailed description of how someone could potentially exploit it. From there we discussed the lab I created and how I used it to safely practice new techniques I learned. On top of that, I talked to him about how dedicated I was to obtaining my OSCP to prove I am passionate about protecting organizations. I was upfront about my failure of it too, but highlighted the many hours of dedicated time it took to vastly enhance my technical skills. Lastly, I explained my approach of how I would keep him informed throughout the penetration testing process using regular status updates, detailed reports, and debriefings.
Fred began to focus a lot on the reporting example I gave him. I learned he already had a penetration tester, but he did not work well with others. He said he would consider hiring me, mostly because he thought I would benefit from learning from the penetration tester while also demonstrating to the other team member how to work better with others. Nothing was concrete yet, and he made sure I understood that. So we bid farewell and Fred said he would keep in touch.
A few weeks go by and Fred emails me to send him my resume and cover letter. Before sending it off, I added a small description underneath my education section about the PWK/OSCP course. It briefly described the 400 hours of skills I gained during my time in the lab. The next day Fred replies:
Hi Kenneth,
I am going to send a list of target subnets and a report template for you to perform a vulnerability assessment. The targets belong to my company but some of the IPs may hold client data so DO NOT EXPLOIT or cause a Denial-of-Service! Make sure this does not interfere with your school work, send back the finished report once you have time.
Fred
Immediately I got started. The doubt and worries I had about not passing the OSCP washed away. My new objective was ensuring I just did what he asked. It didn’t mean I needed to find a way to root the target systems, I just needed to prove to him I can do the tasks he has given me, responsibly. After 5 days of reconnaissance against the target subnets and diligently taking notes of everything I discovered, I began writing the report. The following week I emailed him the report. He replied:
Thanks
That was it. Again, he’s a busy guy.
Months went by with no word from him. I cannot begin to describe the anxiety I had, not knowing if he hated or loved the report. Do you know how many times I read through my report before sending it off to him? And then reviewed it again after the fact because I hadn’t heard from him in 2 months since? Countless, almost obsessively so. I read it over and over and over again, each finding ingrained into my very being, analyzing each word with such scrutiny. I was, and still am to this day, a terrible critic of myself.
Eventually I abandoned hope I would hear back from him. I went back to focusing on getting better. Some of the people I met during the OSCP reached out to check in on me. I wasn’t active on the IRC channels for a long time. One of them gave me some solid advice: “Make sure you write down what you did wrong and focus on how you could get better at it”. I began programming a lot more in Python, trying to automate my reconnaissance methodology because I knew that was something I definitely needed to improve on. My therapy has always been coding, it helps me solve problems. If I had a problem I wanted to automate or make faster I would break it down into smaller functions in my program. It’s exactly like any other style of problem solving: You have an end goal and you break it down into smaller tasks.
After recently returning to classes from the holiday break in January 2017, the systems database professor was giving his lecture about auditing Oracle databases (unenthusiastically) when I heard an email hit my mailbox. It was from Fred:
Hi Kenneth, I hope all is well.
Do you think we can meet later next week to discuss possible part time hours with my company?
Fred
It’s hard to put into words the euphoric feeling that hits you when something you’ve been working so hard to achieve reaches out to catch you. Almost like if it were prepared to embrace you, telling you everything is better now, even after the mistakes and lessons you learned along the way.
I was shaking with excitement. Everything I was striving for had finally led me to my dream job. After meeting the following week he sent me an offer letter. I worked 20 hours a week while in school, and full time when there were no classes. He always made sure school came first and would not let work interfere with my studies. To this day he is one of the best bosses I’ve ever had. He believed in me and provided an opportunity.
Conclusion
That’s the end of my journey to becoming a junior penetration tester. Don’t get me wrong, I was still a very dull sword, maybe just a little shinier than I was previously, but not sharp at all. In fact, there are many instances where once you achieve your dream there are always more aspirations and desires beyond that. There are always more challenges that lie ahead, it’s practically endless. Embrace them. There are so many other failures and struggles beyond this goal of my life, as I know many others have faced when trying to achieve their dreams. Don't be afraid to ask for help if you need it when facing those hurdles. Myself, and many others in the industry, still ask for it.
"Asking for help should never be an ego thing. It's just another tool. I've been at this for a long time but I need to ask people for their suggestions, feedback, or advice almost daily. I don't feel bad about it. It's just part of work. If you're a student, please ask your professors for help. Yes, it's normal to think of them as some kind of weird unapproachable authority figure because they give you grades but I guarantee you, all they want is for you to get a job in your field and they want to help you do that. In 11 years of being a professor I can probably count on two hands the number of people who came to my office hours for anything other than signing administrative forms."
- Nicholas Johnston, Cyber Security Professor at Sheridan College
I will write more about failures in the actual career field (on the job) later. For now I hope my detailed struggles and failures, as well as their eventual success, help you obtain your own goal of breaking the barriers in your life to get into the field. If you could take anything from this article I hope it's how much I’ve emphasized the importance of being persistent, breaking down your goals into actionable objectives, getting help when you need it most, networking with like-minded professionals, and making the right choices with regards to ethical decisions in this industry.