Pursuing a white hat hacker, otherwise known as a penetration testing career, is one of the best decisions of my life. In this blog post, I share the 4-step blueprint I wish I had when I was a beginner. Whether you are a student or have an unfulfilling job with limited prospects, this guide will help you become a white hat hacker and jump-start your professional career.
Do you want to experience the job of a white hat hacker in action? This mini-course will walk you through a practical example of a penetration testing mission.
Step 1: Learn the required skills is a must
This step is crucial; you won’t have anything to offer the industry without the proper skills. At the same time, it’s one of the most challenging steps you will take due to many factors:
- The paradox of choice: Beginners must constantly choose between the countless resources that teach the technical skills required to become a white hat hacker. This introduces mental fatigue and reinforces the lack of confidence. Ultimately, these poor beginners abandon the journey before it even begins.
- Compounds skills: One of the biggest mistakes beginners make when learning the required skills is underestimating their complexity, probably due to misleading movies. But the reality is different, and beginners set wrong expectations that inevitably prevent them from pursuing their dream job.
- Time and effort: This is one of the most significant setbacks that result from false expectations. Becoming a penetration tester requires dedication. But the good news is that it doesn’t have to be painful, as you will see shortly.
For these reasons and more, the following tips will help you navigate the dark waters of the learning process while staying engaged and without getting frustrated.
Divide and conquer using focused challenges
Deconstructing complex skills is one of the best tricks to learn the technical skills required for penetration testing. Instead of learning web application hacking, divide it into several sub-objectives. For instance, you might start by learning how to exploit a SQL injection. Since there are many types of this vulnerability, you can first tackle the error-based flavor, which is the most straightforward.
I hear you asking: “But I don’t know how to divide a compound skill.” That’s a great question! Nowadays, many online platforms provide a set of focused challenges. I mainly learned from root-me.org back when it was the only best resource online. Today, there is also tryhackme.com and hackthebox.com. You can find a demo in this video.
Start with web hacking skills
Penetration testing requires various technical skills, but you don’t have to learn them all. As a junior penetration tester, you will mostly hack web applications and APIs. Start with this comprehensive guide.
Once you are familiar with web application vulnerabilities, you can learn how to achieve privilege escalation and pivot in a network to reach the objectives of the pentest engagement.
Write good reports
Beginners typically focus on learning the technical skills, but soft skills are equally important, and writing professional reports is one of them.
You will deliver a report to your client at the end of every penetration test. You could find critical vulnerabilities or completely control the target, but your client won’t see any value if you write a poor report.
To develop this skill, get in the habit of writing thorough write-ups about the challenges you solve. With time, writing good reports will be natural.
If you are thinking: This is not easy. I agree! But with time and dedication, you will make it, just be patient and consistent.
Step 2: Build your reputation
Most people will directly apply for penetration testing job offers once they gain the necessary skills. Unfortunately, they frequently fail to get noticed, no matter how many applications they send. Here is why:
- You can’t sell yourself without having a good reputation: The job market has supply and demand, just like any market. Think about it; you can’t sell your skills without proper marketing. Employers can’t just trust you. If you want to have a competitive advantage, you must have something to show, a track record of your professional abilities.
- With reputation comes confidence: When you have a track record, you gain confidence that increases your chances of getting hired.
These three tips will give you a competitive advantage, build your reputation to stand out from other candidates, and have the confidence to sell yourself during job interviews.
Build an online presence
Having an online presence is one of the best things to boost your reputation. A simple static website containing write-ups of the challenges you solved in the past is a good start. Once you publish a write-up, share it with your social networks to gain visibility. Besides, mention your website in your resume and during job interviews. It adds a great deal to your reputation, gives you confidence, and helps support your credibility.
Engage with the hacking community
Hacking alone is good, but in a team is better. Not only do you push yourself to solve more challenges and interact with a team, but you also build relationships, which might lead to potential job recommendations if any of the team players happened to work in a company in need of a white hat hacker.
Being able to interact with a team has an added benefit: You demonstrate to future employers that you can easily work with a team and be a team player.
Being certified is nice to have in your resume. It gives you credibility. However, you shouldn’t rely solely on it to land a job. Besides, not all certifications are created equal. You have to look for job offers in your area, and find the most famous ones. Then, choose the easiest based on online reviews.
Most likely, it’s safe to say that earning OSCP will be valuable in your resume. I find it in almost any penetration testing job offer.
Do you want to discover more about the job of a white hat hacker? I have prepared a mini-course that will walk you through a practical example of a penetration testing mission.
Step 3: Apply to many job applications to maximize your chances of becoming a white hat hacker
With the strong technical and soft skills you’ve built, and the reputation and confidence you gained, you are now ready to start hunting for penetration testing jobs.
Write a good resume, intelligently
Do you apply to so many job offers, but you don’t receive any replies? Your resume may be the problem.
A resume is a must in any job application, and penetration testing job offers are no different. However, not every resume will pass the bar. Companies typically use Automatic Screening Software (ATS) to filter only resumes that match predefined criteria. If you write your CV without taking these systems into consideration, you will be disqualified from the beginning.
Craft an engaging a cover letter
Alright, you have applied the tips in the video above but still don’t get any replies? It might be related to your cover letter. Have you ever found a cover letter input in an application form but did not attach yours? Then you are one of the many job applicants who think that sending as many job applications as they can will get them a foothold.
A cover letter should be tailored to the company’s values, job requirements, writing style, etc. Naturally, it requires more work. But you should never underestimate its impact. I got a response from a job I later won from a cover letter.
So, next time you come across a job offer you really like, take time to craft an engaging cover letter to maximize your chances of getting feedback.
Hunt for jobs while you’re sleeping
Do you actively hunt for penetration testing jobs on the one website you like? You may be missing on opportunities present on other job websites. From my experience, companies typically publish the same offer on multiple websites, but there are exceptions. Therefore, use multiple websites, such as LinkedIn and indeed, as well as cybersecurity-related websites, such as hackthebox’s job board.
Besides, you can configure most of these websites to receive notifications. That way, you won’t miss any new offers.
Don’t forget to note the salaries shown in job offers to have an idea of the range you should provide during job interviews.
Step 4: Succeed in job interviews
Ok, you have found interesting penetration testing job offers, sent a killer resume and an engaging cover letter, and hopefully got some job interviews. It’s time to demonstrate that you are the best candidate for the job.
First impressions matter
It takes less than a second for people to judge someone and make a first impression. Therefore, “we immediately form impressions from appearance, we agree on these impressions, and we act on them.” says Alexander Todorox, a researcher at Princeton University and author of Face Value.
Being punctual, wearing professional clothes, and being confident can help you give a good first impression that will play in your favor early in the interview.
Practice the most famous job interview questions
What are your strengths? Why should we hire you? What’s your professional plan for the next 5 years? What are your salary expectations? There are classic questions you should be familiar with.
However, the most important question you will surely receive is: Present yourself. I recommend you take time to answer this question before you go to any job interview.
You will also get technical questions. Common questions will include explaining a vulnerability, asymmetric encryption, and what’s the difference between TCP and UDP. If you’ve done your homework in step 1, I’m sure you can answer them.
Negotiate your salary
You have aced your job interviews for the penetration testing position of your dreams, and you finally receive an offer. Congratulations! But, how do you know you will be paid fairly?
Offers typically contain your gross salary, which will mostly be the lower end of the range you provided during the job interview. However, you should also take benefits into consideration, such as healthcare benefits, relocation package, training budget, and company car.
Getting a job as a white hat hacker is one of the best career choices you can make. I hope my guide equipped you with the necessary knowledge to land the job of your dreams and kick-start your professional career.
This mini-course will walk you through a practical example of a penetration testing mission. Click the image to learn more.