After watching the video and reading the comments, sounds like the general approach you should go in to pentesting with, atleast for entry level, is “How can I help the client improve their security”, rather than, “How can I hack the client”. Very insightful!
we are at the same boat, as a plain pentester you cover literally every struggling that we find on the week tests, along side the exploitation totally agreed to everything you said.
Here is my personal opinion and experience: This totally depends on the company you work for and the clients you work with. Each has its approach. My current role focuses on displaying impact, so we are trying to get code execution and steal admin accounts via XSS but with longer engagement windows. My last role was focused on checking the boxes, finding vulnerabilities, and less on exploitation. Reporting among each org has been the most important aspect of the job and people do need to understand that before jumping in. You should have strong verbal and written communication skills… Great video man! 😊
Thanks for your comment! I love hearing the experience of others. To clarify, my role definitely is attempting to show impact and not just ticking boxes. We get those clients, and they get wrecked when we go through. My point was more that the HTB mentality can trip you up when you first start.
@@pr0tagnist To be quite honest, I feel like Offsec, HTB, THM, etc., are great for learning the latest exploits and building a methodology, but the job is so DIFFERENT. Sorry if I misunderstood my initial comment about impact. However, I guess it's still good that I said something because there are those box-checker organizations and scenarios where clients refrain from exploitation.
We have extremely similar career timelines… I too remember realizing the RCE sprint and local privesc drilled into me from HTB was so unrealistic. I used to do so many boxes but now getting “root” feels laughably convoluted. CTFs are fun but not very helpful past a certain point… red team labs though are however quite useful
@@wandererx86 I'm referring to larger networks of machines that simulate a real enterprise environment. Virtual user interactions, subnets, pivoting, etc. Learning to orient yourself in a large network is not easy at first.
@@twopoint-sec What would you recommend to get access to these types of networks to practice on? This sounds much more detailed than something like GOAD (game of active directory).
My pentest team does a htb session together on Friday afternoons. So we can do some of that depth testing. Best to keep up with how to do that. You so we don’t lose that depth test ability while pentesting.
@@DigitalLiquid high intensity brain always on. But this is definitely what I envisioned, I have all the freedom to learn as much as I want and I am pushing quite hard to become really really good at what I do. Pentests are great fun but as you might assume, reports kinda suck at first but you get used to it. The thing is, unlike with CTFs or HTB boxes, CONTEXT MATTERS. In the reports, you have to put yourself in the customers shoes a lot and try to understand what information gives them the most value... I could go on and on about this but its really tough at first. I guess Ill get better at this too like anything. But hey, Im still hacking for a living! Loving every second of it.
@@Siik94Skillz Thats amazing! How long did a take for you to land this role from the moment you began to study? Also, what resources do you find to be real world like?
Good to see you're confidence levels growing mate. Appreciate the content! I'm sitting my OSCP exam next month but still know very little coding. Will probably try to put a block of learning in after the fact. Were you able to code proficiently in any language prior to starting web app testing?
Most people just see the glamorized part of pentesting from movies, but in reality a good pentester is more 60/70% consulting and 30% actual hacking. I've seen lots of pentesters forget that the report and the interaction with the customer is the actual product, your technical wizardy comes second. I've had more impact helping a customer just talking to them for two hours brainstorm problems than a 60 page PDF document ever will do
First thanks for the insightful I definitely have the HTB approach I love it! However it lets me know I need to slow down. So, if you are looking for “Width,” as you say. Instead of “Depth” doesn't this make things a bit more easy… More work, of course. Sounds more of a bug bounty
Not in it yet, been trying to get into infosec for a while now with existing sysadmin experience for almost five years, seems impossible to break into it at times. Hard to pick and choose what to spend time on when it comes to learning, red teaming or general offensive security would be the dream for me right now.
System admin is an amazing foundation but what separates you from other applicants? I will say this (though I don’t fully agree, I’m not HR) but not having an entry level pentesting cert (OSCP, PNPT) you are likely going to find it really hard to break into the offensive side.
Pentesting is ethical hacking but not all ethical hacking is pentesting. Someone who does OSINT/digital forensics for the government is also an ethical hacker but they aren’t pentesting
I think that's a bit of an over generalisation. Also, a lot of technical people aren't your charismatic types. I have plenty of friends that are pentesters that love it.
@@pr0tagnist hehe I see. True. Some pen testers don't like their job, maybe due to other factors e.g. the work / company. Nice to know some pen testers love their job. I note some love to travel all over the world with their company.
Bro , u never mentioned any pen test product beginners can start learning n practicing , pls include in ur future videos. Thank you for this video time n effort n passion goes with its creation!!!
After watching the video and reading the comments, sounds like the general approach you should go in to pentesting with, atleast for entry level, is “How can I help the client improve their security”, rather than, “How can I hack the client”. Very insightful!
Great to see your progress.
we are at the same boat, as a plain pentester you cover literally every struggling that we find on the week tests, along side the exploitation totally agreed to everything you said.
It's nice to see others have the same experience.
Here is my personal opinion and experience: This totally depends on the company you work for and the clients you work with. Each has its approach. My current role focuses on displaying impact, so we are trying to get code execution and steal admin accounts via XSS but with longer engagement windows. My last role was focused on checking the boxes, finding vulnerabilities, and less on exploitation. Reporting among each org has been the most important aspect of the job and people do need to understand that before jumping in. You should have strong verbal and written communication skills… Great video man! 😊
Thanks for your comment! I love hearing the experience of others. To clarify, my role definitely is attempting to show impact and not just ticking boxes. We get those clients, and they get wrecked when we go through. My point was more that the HTB mentality can trip you up when you first start.
@@pr0tagnist To be quite honest, I feel like Offsec, HTB, THM, etc., are great for learning the latest exploits and building a methodology, but the job is so DIFFERENT. Sorry if I misunderstood my initial comment about impact. However, I guess it's still good that I said something because there are those box-checker organizations and scenarios where clients refrain from exploitation.
Thanks for sharing your experience!
Slowly, and methodically, poking, prodding, researching, and documenting. Probably not a career path for everyone, but it's what I'm working towards.
When I was watching this video the words were not aliened with the mouth, did someone hack my computer?
I’m afraid so
We have extremely similar career timelines… I too remember realizing the RCE sprint and local privesc drilled into me from HTB was so unrealistic. I used to do so many boxes but now getting “root” feels laughably convoluted.
CTFs are fun but not very helpful past a certain point… red team labs though are however quite useful
Red team labs?
@@ultravioletiris6241 something you can basically only do when you are already a cybersecurity pro
can you expand on "red team labs"? thanks
@@wandererx86 I'm referring to larger networks of machines that simulate a real enterprise environment. Virtual user interactions, subnets, pivoting, etc. Learning to orient yourself in a large network is not easy at first.
@@twopoint-sec What would you recommend to get access to these types of networks to practice on? This sounds much more detailed than something like GOAD (game of active directory).
My pentest team does a htb session together on Friday afternoons. So we can do some of that depth testing. Best to keep up with how to do that. You so we don’t lose that depth test ability while pentesting.
I have my first gig as a Pentester/Red Teamer/Trainer starting in October. Ill report back on how I experience all of this
Congrats 👏🎉
What have been your 1st impressions?
@@pr0tagnist thank you very much!
@@DigitalLiquid high intensity brain always on. But this is definitely what I envisioned, I have all the freedom to learn as much as I want and I am pushing quite hard to become really really good at what I do. Pentests are great fun but as you might assume, reports kinda suck at first but you get used to it. The thing is, unlike with CTFs or HTB boxes, CONTEXT MATTERS. In the reports, you have to put yourself in the customers shoes a lot and try to understand what information gives them the most value... I could go on and on about this but its really tough at first. I guess Ill get better at this too like anything. But hey, Im still hacking for a living! Loving every second of it.
@@Siik94Skillz Thats amazing! How long did a take for you to land this role from the moment you began to study? Also, what resources do you find to be real world like?
Good to see you're confidence levels growing mate. Appreciate the content! I'm sitting my OSCP exam next month but still know very little coding. Will probably try to put a block of learning in after the fact. Were you able to code proficiently in any language prior to starting web app testing?
Keep in mind clients are not paying for you to hack them. They are paying for the report you give at the end of the test.
Most people just see the glamorized part of pentesting from movies, but in reality a good pentester is more 60/70% consulting and 30% actual hacking. I've seen lots of pentesters forget that the report and the interaction with the customer is the actual product, your technical wizardy comes second. I've had more impact helping a customer just talking to them for two hours brainstorm problems than a 60 page PDF document ever will do
100%
First thanks for the insightful I definitely have the HTB approach I love it! However it lets me know I need to slow down.
So, if you are looking for “Width,” as you say. Instead of “Depth” doesn't this make things a bit more easy… More work, of course. Sounds more of a bug bounty
Thank you for this video.
how can I get in touch with you?
You can always connect with me on LinkedIn.
Not in it yet, been trying to get into infosec for a while now with existing sysadmin experience for almost five years, seems impossible to break into it at times. Hard to pick and choose what to spend time on when it comes to learning, red teaming or general offensive security would be the dream for me right now.
System admin is an amazing foundation but what separates you from other applicants? I will say this (though I don’t fully agree, I’m not HR) but not having an entry level pentesting cert (OSCP, PNPT) you are likely going to find it really hard to break into the offensive side.
man you room is too cool 😁😁
Thank you. I'm sitting next to a freezer hahaha 🤣
Nice video man!
Thanks
Thx
Is there a difference between ethical hacking and pen testing?
Pentesting is ethical hacking but not all ethical hacking is pentesting. Someone who does OSINT/digital forensics for the government is also an ethical hacker but they aren’t pentesting
most pentesters say their job is boring. Or you can hear it in their tone.
I think that's a bit of an over generalisation. Also, a lot of technical people aren't your charismatic types. I have plenty of friends that are pentesters that love it.
@@pr0tagnist hehe I see. True. Some pen testers don't like their job, maybe due to other factors e.g. the work / company. Nice to know some pen testers love their job. I note some love to travel all over the world with their company.
Bro , u never mentioned any pen test product beginners can start learning n practicing , pls include in ur future videos. Thank you for this video time n effort n passion goes with its creation!!!
Thanks for the suggestion, I'll put it on my list of videos to make
That was not the point of the video lol