Roadmap to get started as an Ethical Hacker | Pentester Roadmap ft. @tadii - Clip
Tech Certified Podcast | December 05, 2024 | 00:11:04 | 10.15 MB


Clip from episode 20 - @tadii shares an actionable roadmap to becoming an ethical hacker and a pentester.

💻 Our Website - https://techcertifiedpodcast.com/
✍️ FREE Cloud Engineer Assessment quiz - https://caleb-hzavw51g.scoreapp.com

Follow US:
Caleb
LinkedIn: https://www.linkedin.com/in/caleb-o-967254173/
Instagram: https://instagram.com/caleb_oni.certified?igshid=YmMyMTA2M2Y=
TikTok: https://www.tiktok.com/@tech_certified_podcast?is_from_webapp=1&sender_device=pc
Tadi
YouTube: @tadii
Newsletter: https://www.navigatingsecurity.net/

Apply to be a guest on Tech Certified Podcast: https://forms.gle/GEfeeuZwbHV2BwnR6

🎙️ Listen to Tech Certified Podcast on:
Spotify - https://open.spotify.com/show/66ieOvzETMpYXgX2upcOjm?si=zK9rPcowQ-i1OguKsWQ6KQ
Apple Podcasts - https://podcasts.apple.com/gb/podcast/tech-certified-podcast/id1736718308

Watch Next: How to Get into CyberSecurity | Step by Step Roadmap (2024) https://youtu.be/SS_yw7Xh95g?si=qROfL2izNhdkO9lw

Cybersecurity Foundational Courses
⁃ Microsoft - https://imp.i384100.net/Microsoft1
⁃ Google - https://imp.i384100.net/Google
⁃ CompTIA Sec+ - https://click.linksynergy.com/link?id=hWwo2xZwxIw&offerid=1597309.391979221646609138171158&type=2&murl=https%3a%2f%2fwww.udemy.com%2fcourse%2fsecurityplus%2f

[00:00:00] These are some clear and actionable steps to becoming an ethical hacker. On our most recent episode of the Tech Certified Podcast, we spoke to Tadi, an ethical hacker and more specifically a penetration tester. And he shared a roadmap that anyone can use to get started in this area. If you're on this path to getting into cyber security and getting into offensive security, then by the end of this video, you'll have some amazing steps to get started. Just listen to this.

[00:00:26] Generally, if you ask me how someone would get into what I do specifically, I would say research, publish actionable research, contribute to open source tooling. There's a lot of companies that produce tools. You could contribute to those because they are open source. They are on GitHub. I know there's tools like Scout Suite by NCC Group, Project Discovery releases a bunch of stuff. You could push updates if you want to.

[00:00:56] So I would say do those things because they would get you noticed quickly. But if you're starting from zero and you don't even know how to code, you don't even know what the terminal is in Linux, I would say start on TryHackMe. I think it's the best value for people.

[00:01:16] For anyone that's starting from zero, generally, TryHackMe would be the best value. People usually talk about Hack The Box and all that stuff. But I think Hack The Box would be jumping the gun a little bit. I think it's a bit more for people that know a bit more than, you know, the person starting out. So TryHackMe. Do labs like PortSwigger. Absolutely amazing labs. Absolutely amazing research. And it is free.

[00:01:41] Of course, PortSwigger is free. TryHackMe is like 14 US dollars a month, I think. Could be a little less in pounds. And then, you know, from there, you could do things like TCM Security. They have affordable courses.

[00:01:54] You could do the bug bounty course. You could do the practical web application penetration testing course. That also comes with a certification if you pass that.

[00:02:04] And then maybe at that point, you know a few things. You know actually how to, you know, navigate your way through an application.

[00:02:10] You could then try to get into bug bounty and follow creators that do bug bounty.

[00:02:16] Generally, even if you don't do bug bounty or you don't want to get into it, because usually some people, you know, either love it or hate it.

[00:02:23] I don't think there's an in-between with bug bounty.

[00:02:25] Even if you don't like it, I would say follow bug bounty creators in this space.

[00:02:31] People that post about bug bounty, people that make money and do it full time.

[00:02:36] Those people are the best web application hackers, the best mobile application hackers on the planet.

[00:02:42] I had a few guys on my team at my previous role.

[00:02:46] I could look at an application and find one or two things and they find 10 more things on top of that.

[00:02:52] So following them, learning from them, even if you don't necessarily do bug bounty, I think would be a good option.

[00:03:00] And at some point you want to add code review to your skill set.

[00:03:05] Like I said, looking at code, writing code to potentially build your own tools eventually.

[00:03:11] But code review is important.

[00:03:13] If you get a white box test, which is where you get access to the application, you can look at the code, get users, etc.

[00:03:21] You need to learn or at least you need to know how to read the code.

[00:03:25] So that's usually the path I would take.

[00:03:27] I think this is more like a condensed version of it.

[00:03:31] But I do have a newsletter.

[00:03:33] It's called Navigating Security, NavigatingSecurity.net.

[00:03:36] I have the whole roadmap lined out.

[00:03:38] I wrote it a few weeks ago.

[00:03:40] Goes into more depth, has links to everything that I mentioned and more.

[00:03:46] People can check it out if they want to.

[00:03:48] But that's how I would say get started now.

[00:03:51] But if you're not starting from zero, if you're pivoting from something else, I would say get into research.

[00:03:57] Post about stuff you're finding.

[00:04:00] There's a lot of research opportunities in security.

[00:04:04] So I know I usually have problems and I just write them down.

[00:04:07] And those are all the research opportunities.

[00:04:10] I think I could post it at some point.

[00:04:11] Or I'll give it to you and you can show it on screen where I bump into a problem and I'm like, there's no research for this.

[00:04:18] And then I just note it down.

[00:04:19] Maybe at some point I can circle back and look into it, post about it, maybe give a talk if I want to.

[00:04:29] Or, yeah, contribute to open source.

[00:04:31] Like I said, that's if you're not coming from zero and you already know how to code, you already know what some of this stuff is.

[00:04:38] Maybe you're pivoting from cloud or an IT background.

[00:04:42] I think that's a decent pathway.

[00:04:48] Amazing.

[00:04:49] Amazing.

[00:04:49] And that's a really good.

[00:04:52] I think this interview so far has really demystified to a lot of people who are trying to get to this point, you know, getting into offensive security, getting into pen testing.

[00:05:04] Yeah.

[00:05:04] This has really demystified the role of a penetration tester and how to get there.

[00:05:11] I think it's super helpful to understand a lot of these things, but it's even more helpful to understand how to get started as a beginner.

[00:05:24] Yeah.

[00:05:25] Because a lot of people definitely look at roles and look at things and look at the requirements for things they need to know and understand and think, how do I even get started with this thing?

[00:05:36] Like it's so crazy.

[00:05:38] It seems so impossible.

[00:05:39] What course do I start with?

[00:05:41] What training do I do?

[00:05:42] What do I, all this kind of stuff.

[00:05:44] And it seems really overwhelming when you look at it.

[00:05:46] But what you've given is a good place for someone who wants to go on this path to get started and an amazing way to do that.

[00:05:58] I'll say this as well.

[00:06:00] I didn't necessarily, I did go to college.

[00:06:03] I didn't finish.

[00:06:04] So I'm considered a dropout.

[00:06:06] I probably will finish at some point because in the future, some of the companies I want to work for would require me to have a degree, I think.

[00:06:13] So I will finish at some point.

[00:06:14] But if you wanted to do the college route, I would say do it.

[00:06:18] Who am I to tell you not to go to college?

[00:06:20] I'm just another guy on the internet.

[00:06:22] But you need to go to a college where they have really good cybersecurity pathways into the industry.

[00:06:28] I know one of the ones that's usually talked about the most is RIT, which is in New York.

[00:06:33] Absolutely expensive school, but you get picked up before you even graduate.

[00:06:38] So that's another pathway.

[00:06:41] If you want to do the college route, you just have to go to a good school, even though it is expensive.

[00:06:46] You make that initial sacrifice in the beginning and then it'll pay off in the long run because I know people that went to RIT, they have jobs lined up before they even graduate.

[00:06:57] So they have a good program out there.

[00:06:59] So you kind of just have to look for a school like that.

[00:07:02] And then if you want to do certifications, pick your certifications wisely.

[00:07:08] Don't do a certification just because someone else said so.

[00:07:11] If you can't afford it, don't do it.

[00:07:14] I'm not a fan of debt.

[00:07:16] So just borrowing money just so you can take a certification because a couple of guys on the internet said so isn't a good idea.

[00:07:22] You can't afford it.

[00:07:52] Where you want to go.

[00:07:53] Does it suit the skill set that you want to build?

[00:07:56] That's super helpful.

[00:07:57] And I'm glad we touched on that.

[00:08:01] Really interesting that you dropped out of university and you can see it going back.

[00:08:07] But even the fact that you left university without a degree, you're still able to go forward and get a role in this area.

[00:08:17] Yeah.

[00:08:17] It's pretty interesting.

[00:08:21] I consider myself blessed in a sense.

[00:08:23] Some people try, try, try, and then they end up going back to school before they even get a job, which was kind of where I was at because I was really in school at the time, like my first semester.

[00:08:33] But I told the company I was working for, I will drop out and focus on this as soon as the semester ends.

[00:08:40] And they're like, cool.

[00:08:41] Well, you know, we kind of like you or whatever.

[00:08:44] And then so they hired me.

[00:08:46] But I think it's doable getting into the industry without a degree.

[00:08:51] You just have to have something to show the people that you want to work for.

[00:08:55] Like I said, I've been posting on LinkedIn.

[00:08:57] I've been posting on YouTube.

[00:08:58] So I kind of had that track record of, okay, he's doing something at least, even if it's not the most groundbreaking research or whatever.

[00:09:05] He's, you know, doing something and he can probably qualify for an entry level role.

[00:09:11] Let me give a bit of background.

[00:09:13] I moved to the US in 2021, actually 2021.

[00:09:17] I'm getting confused.

[00:09:18] But I had only done a year of college in computer science at the University of Cape Town.

[00:09:23] School here in the US is expensive.

[00:09:24] So I didn't want to go back to school.

[00:09:26] So I gave myself a year just to try out different things, certifications, labs, build a home lab, do some CTFs, etc., and then try to get a job by adding those things to my resume.

[00:09:38] I also started a YouTube channel at the time just so I could be seen more, posted on LinkedIn quite a bit.

[00:09:46] And then my year ended.

[00:09:47] The time was up.

[00:09:48] I needed to go back to school because I hadn't found a job.

[00:09:51] But as soon as I started my first semester here in the US to continue school, I ended up getting a job because I passed the OSCP, which was one of the certifications I took, which was great at the time.

[00:10:04] I don't know how it is doing now.

[00:10:05] There's a lot of controversy with like OSCP+, OSCP getting acquired, which, you know, it's a whole different can of worms.

[00:10:13] But I passed the OSCP, posted about it on LinkedIn.

[00:10:16] That post, for some reason, went mega viral.

[00:10:19] I think it had like 300,000 impressions, probably like 2,000 comments.

[00:10:24] And then so I don't know why it went viral, probably because I've been posting about, you know, my studies with the OSCP and all that at the time.

[00:10:32] And then eventually I posted that I passed.

[00:10:35] So recruiters kind of hit me up from there.

[00:10:37] And then that's when I ended up getting my first role.

[00:10:41] But now that I've been working for close to three years now, I would say things have changed and I have a different answer.

[00:10:51] Those were some amazing steps.

[00:10:53] And it was amazing to hear his journey as well and how he did it.

[00:10:56] If you want to continue watching this and watch the full episode, just click right here.

[00:11:01] And then I'll see you next time.