Transitioning to Cybersecurity: A Comprehensive Guide for Career Changers Exploring Hacking

• Intro
  • Understanding Penetration Testing and Red Teaming
    • Penetration Testing
    • Red Teaming
  • Key Differences of Penetration Testing and Red Teaming
    • Objectives
    • Scope
    • Methodologies
    • Collaboration
  • Essential Skills and Knowledge
    • Technical Skills
    • Certifications
    • Non-Technical Skills
    • Practical Experience
      • Bottom Line
  • Building a Career Transition Plan
    • Step 1: Self-Reflection
    • Step 2: Networking
    • Step 3: Set Clear Goals
    • Step 4: Develop a Timeline
    • Step 5: Allocate Time and Resources
    • Step 6: Monitor Progress
  • Staying Motivated and Adapting to Change
    • Stay Curious:
    • Seek Support
    • Embrace Failure
    • Celebrate Success

Do you have an interest in cybersecurity, but currently employed in a field no where near related? That's okay, I know that anxiety induced feeling of worry, fear, and "what ifs". What if I told you it could take less than 2 years of consistent learning to break into the field? Maybe even a single year!

With an initial background of 4 years as military police, I eventually took the leap of transitioning into the cybersecurity realm. It took me 2 years after leaving active duty to secure my first internship as a web app developer that with a background in information systems security. Drawing inspiration from my personal journey and witnessing the experiences of others, I'm confident that you, too, can successfully navigate a seamless career transition.

To help you on your journey, I've put together this comprehensive guide that will walk you through the steps to transition into cybersecurity, with a focus on Penetration Testing and Red Teaming since that was my personal experience in the ethical hacking space.

Note: If you were seeking content related to Blue Team roles, do not fear, this article is still valuable. In fact, the knowledge shared here can be effortlessly implemented in any cybersecurity field. However, if you are specifically interested in Blue Team content, do not hesitate to let me know. I can conduct interviews with my close friends and colleagues who specialize in Blue Teaming and provide you with their valuable insights.

These exciting disciplines offer the opportunity to protect organizations from malicious cyber criminals and make the world a safer place for everyone. By the end of this article, you will possess a comprehensive understanding of these two ethical hacking fields, the necessary information to determine the best-suited career path aligned with your interests and abilities, and actionable guidance to assist you on your journey.

Understanding Penetration Testing and Red Teaming

Before diving into the career transition process, it's essential to understand the difference between Red Teaming and Penetration Testing:

• Penetration Testing: Penetration Testers, or "pentesters," are specialized professionals who conduct targeted security assessments. They identify vulnerabilities in networks, systems, and applications, using a more focused and systematic approach without being mindful of stealth.

• Red Teaming: Red Teamers act as simulated adversaries, using a variety of tactics to test an organization's security defenses. They think like real-world attackers with specific objectives or missions. They identify vulnerabilities and weaknesses that might be exploited while evading detection to accomplish their objectives.

Penetration Testing

The thrill of penetration testing comes from the constant challenge of outsmarting complex systems. You'll need to master various tools and techniques, such as vulnerability scanners, password crackers, and exploit frameworks, to effectively evaluate an organization's security posture.

As your career begins to climb, you can dive into niche areas such as network penetration testing, web application security, or mobile app security, enabling you to sharpen your expertise and increase your impact even further.

Imagine the satisfaction of uncovering a security flaw that could have caused significant harm to a company or its customers! It can be very rewarding as a penetration tester. You'll be making a difference and continuously expanding your skill sets in this ever-evolving field through each and every assessment.

Red Teaming

As a red teamer, your mission is to adopt the mindset and tactics of cyber criminals, nation-state actors, and other adversaries. You'll design and execute comprehensive attack scenarios that target an organization's entire security ecosystem, from breaking into secure facilities, disrupting critical systems, to exfiltrating sensitive data. To succeed, you'll need to employ a diverse range of skills, including social engineering, physical intrusion, and, of course, technical hacking. Becoming a penetration tester is typically the first step, but I have seen career changers jump right into this role gracefully with a particular niche.

Red team exercises are designed to be as realistic as possible, often taking place without the knowledge of most employees within the organization. This creates a unique opportunity to test not only the effectiveness of security measures but also the response capabilities of the organization's incident response and security teams (Blue Team). The insights gained from these exercises are invaluable. You will be helping organizations identify blind spots and prioritize improvements to their security posture.

Picture this: You're leading a stealthy operation to infiltrate a company's headquarters, bypassing physical security measures and leveraging social engineering tactics to gain unauthorized access to sensitive information. As a red teamer, you'll have the chance to play a pivotal role in shaping an organization's security strategy, pushing the boundaries of traditional security assessments and making a lasting impact on their overall resilience against threats. All while having your adrenaline fired up trying to evade the blue team and accomplish your objectives in the set time frame. It can be very exhilarating!

Key Differences of Penetration Testing and Red Teaming

Overall both roles share a common goal: to strengthen an organization's security posture. Additionally, Red Teaming typically requires the initial path of becoming a Penetration Tester, or at least mastering some ethical hacking concepts.

However, their methodologies and scope of work typically differ. Below are some unique challenges and rewards associated with each discipline that revolves around their objectives, scopes, methodologies, and teamwork.

Objectives

Penetration testing primarily focuses on identifying and exploiting vulnerabilities in systems, networks, and applications, while red teaming aims to assess an organization's overall security posture through realistic attack scenarios. Even though both fields share the goal of improving security, red teaming takes a broader, more holistic approach that encompasses the physical, digital, and human elements of an organizations security posture.

Scope

Penetration tests tend to be more targeted, concentrating on specific systems or applications within an organization. On the other hand, red team engagements have a wider scope, often simulating multifaceted attacks that span multiple areas, such as breaking into physical locations, conducting spear-phishing campaigns, or compromising critical infrastructure.

Methodologies

Penetration testing follows a more structured methodology, with defined phases like reconnaissance, vulnerability scanning, exploitation, and reporting. Red teaming, in contrast, embraces a more fluid and creative approach, requiring adaptive strategies and tactics to emulate the behavior of real-world adversaries. However, nearly every red team engagement will begin with reconnaissance and end with reporting regardless of their strategy. After all, reconnaissance and reporting can deliver the most value for all facets of the engagement for both you and the client.

Collaboration

While both disciplines involve working with others, red teaming often demands a higher degree of collaboration and coordination, as it involves a diverse group of specialists with various skill sets, such as evasive malware developers, social engineers, physical security experts, internal security experts, web application specialists, and mobile application specialists.

Essential Skills and Knowledge

When you initially start on your journey into the world of offensive security, it's essential to develop a strong foundation of skills and showcasing your knowledge to set yourself up for success. Both penetration testing and red teaming require a diverse set of technical and non-technical abilities, as well as ongoing professional development to stay current in this rapidly evolving field.

Technical Skills

A solid understanding of networking, programming, and operating systems is crucial for both penetration testers and red teamers. Familiarity with various hacking tools is also important (see the top 6 tools I used when starting out).

As you progress in your career, you'll have the opportunity to specialize in areas like web application security, network security, or social engineering, allowing you to deepen your expertise and start participating in more Red Team style engagements.

Certifications

Industry-recognized certifications can accelerate your career by demonstrating your knowledge and commitment to professional growth. Some popular certifications for penetration testers and red teamers include CompTIA Security+, Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN).

I failed the OSCP twice before I finally succeeded. In fact I was a pentester before receiving my OSCP because just practicing in the lab environment boosted my skills enough to work my way through interviews. It demonstrated my passion and drive to pursue this as a career. Most employers love both drive and passion.

It just goes to show that pursuing these certifications not only strengthens your skills but also helps you validate your understanding of the concepts discussed above. Honestly just leveling up and grinding after each failure can still be enough to succeed.

On top of that, you get to network with like-minded professionals when pursuing certificates. This is due to the friendly and motivating communities they provide to help career-changers such as yourself (see the communities I joined here).

• Tip: Does this mean you need certificates to succeed? No, absolutely not. I work with some of the best pentesters/red teamers on the planet and there are a few who do not have a single certificate.

Non-Technical Skills

Effective communication, creative problem-solving, and critical thinking are essential skills for both penetration testers and red teamers. The ability to clearly explain complex security issues to non-technical stakeholders and work collaboratively within a team is crucial for success in these roles.

Practical Experience

Gaining hands-on experience is invaluable for building your skill set and credibility in the cybersecurity field. Start practicing in your own environment or online using platforms such as these.

Look for internships, freelance projects, or volunteer opportunities to apply your knowledge in real-world situations. Participating in Capture the Flag (CTF) contests will also aid in honing your skills and demonstrating your capabilities to prospective employers.

Learn how to spruce up your resume with the hands on experience you've obtained while trying to break into this field. For example, I made sure parts of my resume discussed what I did using VulnHub and creating a homelab environment to learn different ethical hacking skills. This shows initiative, passion, ethics, and the ability to accomplish a technical task.

• Tip: Additionally, if you land an IT support role like HelpDesk but not a traditional cybersecurity role: fear not! This means you now have time to take initiative within the company to identify vulnerabilities, responsibility of course, in between your normal duties. For example: maybe you noticed the company uses a weak password policy, lack of multi-factor authentication (MFA) for external or internal resources, or maybe you discovered the company is running an out of date version of a service. Do your due diligence and be a security consultant they weren't expecting to receive but thankful they did.

Bottom Line

By investing in your abilities, qualifications, and professional growth, you'll be well-equipped to forge a lasting and fulfilling career in either penetration testing or red teaming. You do not need a certificate, just participating and actively learning can be enough to get you through the front door in this cybersecurity space.

Building a Career Transition Plan

Venturing into a new career can seem intimidating, but armed with a well-crafted plan and a clear vision, you can make the shift to cybersecurity smoother and more gratifying. Just keep in mind how these niches align with your passions, strengths, and long-term career goals. Both fields offer immense opportunities for growth, and a structured plan can help you stay focused and track your progress as you transition. Here are some steps to create an effective career transition plan:

Step 1: Self-Reflection

Begin by assessing your strengths, interests, and values. Be brutally honest with yourself. Are you drawn to the technical challenges of penetration testing, or do the strategic thinking and creativity of red teaming excite you? Do you thrive in structured environments, or do you crave the freedom to tackle problems in unconventional ways?

Step 2: Networking

Reach out to professionals in both fields through online forums, social media, or local meetups. Seek their insights and advice, and ask about their day-to-day experiences, challenges, and successes. Networking not only helps you gain valuable information but also establishes connections that could lead to potential job opportunities.

Step 3: Set Clear Goals

Define your short-term and long-term career goals. Map out a detailed plan for the education, certifications, or experience needed to land an entry-level job in your desired field. Do you want to become a certified penetration tester within a year? Or do you aim to land a role as a an IT Support Specialist within six months? Establishing clear objectives will ensure you remain focused, driven, and accountable throughout your journey.

Step 4: Develop a Timeline

With your goals in place, create a realistic timeline to guide your progress. Break down your goals into smaller, manageable milestones and set deadlines for achieving each one. Take advantage of online courses, workshops, and training programs to gain the skills necessary to accomplish your goals. Explore platforms like Coursera, Udemy, or Cybrary for affordable and accessible learning experiences. This will help you maintain momentum and track your progress as you work towards your career objectives.

Step 5: Allocate Time and Resources

Your career transition will require time, effort, and potentially some financial investment. Set aside dedicated time each week for learning new skills, networking, and applying for jobs. Consider enrolling in courses or certifications to boost your knowledge and credibility in the field. Allocate resources wisely, it's very important that you commit to your schedule as it helps keep you on track and ensures you're making steady progress towards your goals. Remember: that investing in yourself is essential for long-term success.

Step 6: Monitor Progress

Regularly review your plan to assess your progress and make adjustments as needed. Celebrate your successes along the way and learn from any setbacks. Remember that failure is an inevitable part of the journey and it's how you respond to those setbacks that define your success.

“There is no growth in the comfort zone.” - Jocko Willink

Myself and many others took the leap you are considering or thinking about taking. We made goals and still failed at some which caused setbacks. We persisted. It's all part of the journey.

Staying Motivated and Adapting to Change

Embarking on a new career path can be demanding and nerve racking with uncertainty, yet maintaining motivation and embracing adaptability are crucial for achievement. To help you remain focused and committed to your goals, here are four essential strategies to keep you concentrated and tenacious: continuously learn, seek support, embrace failure, and celebrate your successes.

Stay Curious:

It's vital to stay current with the latest trends, tools, and techniques.
This means committing to ongoing education, attending workshops and conferences, and attempting relevant certifications. By embracing a growth mindset and becoming a lifelong learner, you'll not only stay motivated in your journey but also prove your dedication to potential employer
This will keep you engaged and motivated to grow your skills. Learn what you want to learn, don't force it, enjoy the process.

Seek Support

As you embark on your journey, you'll undoubtedly face challenges that may seem insurmountable. That's why it's important to surround yourself with a strong support group, including mentors, peers, and industry professionals. Engage in online forums, join local cybersecurity groups, and participate in hackathons or CTF events to connect with like-minded individuals who can provide guidance, encouragement, and resources.

Embrace Failure

It's an undeniable truth that failure is an integral part of any learning process, and cybersecurity is no exception. As you delve into ethical hacking, you'll likely encounter setbacks and obstacles that may feel overwhelming. Embrace these experiences and view them as opportunities to grow and refine your skills. When you view failure as a valuable learning opportunitiy, you'll develop resilience and adaptability, qualities that are essential in the rapidly changing world of cybersecurity.

Celebrate Success

While it's crucial to learn from your failures, it's equally important to celebrate your successes, no matter how small they may seem. Each time you master a new skill, accomplish a personal goal, or receive recognition for your hard work, take a moment to savor and acknowledge your accomplishments. This positive reinforcement will not only keep you motivated but also help you maintain a healthy work-life balance as you forge ahead on your cybersecurity journey. Just make sure you don't slip into the trap of complacency.

Sticking to this all-encompassing guide will allow you to make a smooth transition into the exhilarating field of Penetration Testing and Red Teaming in the realm of cybersecurity. As you embrace these strategies, you'll not only become a better red teamer but also discover an empowering sense of purpose and passion in your work.

Taking the leap you're contemplating is a courageous and exciting step, one that many of us have embarked upon before you. Along the way, we set ambitious goals and, inevitably, faced failures and setbacks. But through it all, we persevered. Embrace the journey, knowing that both triumphs and challenges are integral to the process. Each experience shapes you, strengthens your resolve, and ultimately propels you forward on the path to success. Dare to dream, stay resilient, and remember that you're in great company as you navigate the thrilling adventure ahead.

Stay tuned for a follow-up post detailing the steps I took in college to land my dream job as a penetration tester using the techniques outlined in this guide, which may help you achieve your own cybersecurity dream job.