There are many fields within cyber security, but the one many people are interested in is ethical hacking. Becoming a hacker is very appealing to new cyber security enthusiasts. However, many newcomers become flustered with all the knowledge required and struggle to find entry-level positions. Unfortunately, this branch of cyber security is not an entry-level area. It requires a lot of knowledge: networking, operating systems, web technologies, and more. Companies often look for people with high-level certifications and years of experience conducting penetration tests. The good news is there are many ways to get started, and I’m here to lay out how you can carve your own path into the offensive side of cyber security.
Who am I? You might be asking
I am a Cyber Vulnerability Specialist, a fancy way of saying penetration tester, but I didn’t start here. I first heard about ethical hacking when I was 16. When I discovered I could get paid for hacking into computers legally, I knew that’s what I wanted to do. At the time, companies required a bachelor’s degree for any cyber security position. I took a job with a financial institution right out of college. However, it wasn’t what I expected as a fresh-faced professional. My responsibilities consisted of conducting various risk assessments for regulatory requirements. I spent a lot of time in Excel, asking other security teams about the controls we had in place. Although this wasn’t the job I wanted, I threw everything into it. The company had great leadership, and my boss encouraged me to pursue my goal of joining the red team. A little over a year passed before a position opened up, but not under the red team. It was under the application security (AppSec) team. AppSec focused on web-based assets. I applied for the position and was given an interview. I was ill-prepared and felt defeated after getting feedback from my interviewers. One of them provided the hard-to-hear feedback,
“You’re not doing enough outside of work.”
This was a kick in the rear. So I took their feedback and began working towards growing my technical skills. I took advantage of every free resource they had recommended. I interviewed with both managers, from the AppSec team and the red team, this time better prepared. To my surprise, a few weeks later I received an offer for the position. I began as a supporting analyst, helping write reports, but quickly began assessing solo. Now, at 28 years old, I’ve leveraged that position into my current position in the healthcare industry.
Jumping Into Ethical Hacking

Senior pentesters and red team managers are often asked the question: “How do I become a pentester?” To some it’s an annoying question. Many have little faith that anyone will put in the same effort they did. However, I like to answer that question with another question: “What are you doing to become a pentester?” When my coworker told me I wasn’t doing enough outside of work hours, he was right. The role requires much more preparation than other roles in the field. So where should you start? Learn Linux!
Linux Fundamentals

Everyone knows of the two operating systems (OS) macOS and Windows. However, there’s a third OS which most ethical hackers will choose when testing various systems. Linux is an open-source OS derived from Unix. Learning basic Linux commands, common tools, the Linux file system, and how to set up a virtual machine is the first step in wedging your way into the red teaming world. There are several Linux courses, but your best friend will be YouTube. I recommend NetworkChuck’s Linux for Hackers and The Cyber Mentor’s Beginner Linux for Ethical Hackers. But knowing how to navigate Linux doesn’t make you a qualified ethical hacker – although you might feel like it. You have to learn how to actually hack things!
Networking Fundamentals
Understanding networking fundamentals is instrumental in understanding how different systems connect, how to find interconnected systems, how networks are configured, common ports and their purpose, network protocols, etc. Networking itself is a huge field, with several positions in the information technology/cyber security space specializing solely in networks. The Cyber Mentor covers the basic concepts you will need to know in his video Networking for Ethical Hackers. What’s on the net, you might ask? Websites, web applications, and APIs! Now that we have a better understanding of networks and how they function, it’s time to move into web application security.
Web Security
Websites and web applications are abundant in the modern day. Many websites are full-scale businesses, and they can contain vulnerabilities with serious impacts. Starting with the most valuable web security resource, the PortSwigger labs are a fantastic way to become a web application security expert. PortSwigger is the company behind the most popular web proxy tool, Burp Suite, which has both a free and a paid version. Investing in a professional license (about $400) would be ideal for anyone wanting to jump into web application security full time. However, for our purposes, the community edition will work just fine. The best part about the PortSwigger labs is they’re all FREE! You can access & complete almost every lab as long as you have an account with PortSwigger and can complete the task presented. Each lab has a PortSwigger solution and a community solution in case you get stuck.

There is also the Open Web Application Security Project, aka OWASP. It is regarded as a gold standard in web application penetration testing, and as such provides open-source tooling and even a playground known as the OWASP Juice Shop, which you can use to learn about different vulnerabilities. OWASP provides its own web proxy & security testing tool known as ZAP. It comes fully featured for those missing out on the Burp Suite Professional features. Another great web security resource is TryHackMe. There are several paths you can take within information security as a whole, but their Web Fundamentals and Web Application Pentesting learning paths are great ways to improve your AppSec knowledge. You can gain full access to these courses for around $5–$10/mo.
Certified Ethical Hacker

Once you get your head around web application security tactics, you’re ready to start maturing your skills. Completing certifications such as INE’s Junior Penetration Tester (eJPT) or courses from The Cyber Mentor are great ways to bolster your credentials. These are great courses and certifications to prepare for the Offensive Security Certified Pentester (OSCP) certification from Offensive Security. This certification is a widely accepted prerequisite for red team/ethical hacking positions and is quite the challenge. Their motto when dealing with failures or difficulties during the coursework and exam: Try Harder. Offensive Security also offers many post-OSCP courses, including the OSWE, OSEE, etc.
Entry Points
If you’re not already in a cyber security position, this is where I would start. Look for the following entry-level positions within a cybersecurity/information security team of an organization:
- Information/Cyber Security Analyst
- Risk & Governance Analyst
- Junior SOC Analyst
- IT Auditor
- IAM Analyst
These are excellent positions which require broader, beginner-level certifications that give you a baseline understanding of cyber security. Look for mid-sized companies or companies with a reputation for investing in their employees and encouraging lateral movement. When I started my career, our information security team was somewhere around 30 people. It was easy to have lunch or schedule time to speak with managers of other teams. These environments are excellent for young cyber security professionals looking to get some experience in areas that would otherwise be considered more advanced.
Ethical Hacking Projects
If you’re already in a cybersecurity position and wondering what you can do to improve your ethical hacking portfolio, look into working on the following projects:
- Keylogger
- Packet Sniffer
- Invoker
- Image/Network Steganography Program
- User Authentication System
These projects will show that you are investing time to better yourself and taking steps in the direction of an ethical hacking career.
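Of the projects listed above, the user authentication system is the one where the security design decisions matter most, so here is an added example (not code from the article) of the core of one: per-user random salts, a slow key derivation function, constant-time comparison, and the same amount of work for unknown usernames so response timing does not reveal whether an account exists. The parameter choices (PBKDF2-HMAC-SHA256, 16-byte salt, 600,000 iterations) and the in-memory `users` dictionary are assumptions made for the example; a real system would persist the records and tune the iteration count to its hardware.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def naive_hash(password: str) -> bytes:
    """The weak design to avoid: unsalted, fast hash. Two users with the
    same password get the same hash, and cracking is cheap and parallel."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted derivation: each guess costs the attacker `iterations`
    HMAC computations, and the salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def register(users: dict, username: str, password: str) -> None:
    """Store salt, iteration count and derived hash; never the password itself.
    Keeping the iteration count per record lets it be raised later without
    invalidating old accounts."""
    if username in users:
        raise ValueError("username already taken")
    salt = os.urandom(SALT_BYTES)
    users[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt),
    }


# Dummy record used so that a lookup for a non-existent user performs the
# same amount of work as a real check (constructed at import time).
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)


def verify(users: dict, username: str, password: str) -> bool:
    """Return True only if the password matches the stored record.
    Uses hmac.compare_digest so the comparison time does not depend on
    how many leading bytes of the hash match."""
    record = users.get(username)
    if record is None:
        # Burn the same work as a real verification, then fail, so timing
        # does not tell a caller whether the username is registered.
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample accounts for a stand-alone run.
    db = {}
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print("alice, right password:", verify(db, "alice", "correct horse battery staple"))
    print("alice, wrong password:", verify(db, "alice", "Tr0ub4dor&3"))
    print("unknown user:", verify(db, "carol", "anything"))
    print("same password, different hashes:", db["alice"]["hash"] != db["bob"]["hash"])
```

The `naive_hash` function is included only as the contrast: with it, two users who chose the same password would be visibly linked in the database, whereas the salted records for `alice` and `bob` above differ even though their passwords are identical.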
Capture the Flag
Capture the Flag (CTF) & hackathon events are great ways to put your hacking skills to the test. There are many ethical hacking groups in various areas all across the U.S. and other countries. These groups are great ways to network with other individuals interested in ethical hacking and even reach out to other cyber security professionals who may have open positions within their company. If there’s not a group near you, there are many sites, such as Hack The Box, that will allow you to participate in capture the flag events.

Bug Bounty Programs
You’ve done the work, you’re killing the CTFs, but you just can’t seem to get any bites on professional red team positions. Fear not! Bug bounty programs are set up by companies as a way to open up vulnerability discovery & remediation to outside researchers. This is a great way to put your skills to the test while maybe making some money for finding a vulnerability!
Some Final Advice
One of the biggest factors that jumpstarted my career was communicating my career goals. By doing this, my superiors were able to ascertain whether investing in me would pay off. I was given opportunities that I was otherwise unqualified for on paper. Companies invest in young professionals who they can see will amount to a qualified individual that will benefit the company. Don’t be afraid to do the grunt work. My first position felt like we were doing the work that no other team wanted or had time to do. I always met assignments head on. I was never afraid to take on new projects and was always willing to jump into the fray. Those skills that I fostered as an analyst helped me both in penetration testing and in my freelancing endeavors. You never know what skills you’re going to pick up and where they’ll be useful!
Happy hacking!