I was visiting my parents over the winter holiday back in 2018. The cold air nipped at my bare arms and the North East Coast breeze was a stark reminder of how much colder it gets versus the warmth of the West Coast; I was running outside to catch a phone call. My fingers had a hard time answering my phone; they were already too cold. Still, I had a call I was eager to answer.
This was my, at the time, future boss on the other end. Excited, and nervous, he pitched an offer to me to switch teams at the company I was working at. If you hadn’t guessed by now, the role was for transitioning into a cyber security role from a customer-facing role at a startup based out of San Francisco. Within a few minutes, now imbued with a sense of both excitement and imposter syndrome, I found myself celebrating a new job with another round of drinks with my family.
With the personal narrative aside, about four years have passed since I interviewed for my first security position. I often reflect on the journey to that point, and even to this point here, to work out what went well and what could have gone better. Now, with an additional few years under my belt, I decided to jot down what it took to get into my first security role without having a security background. In addition, without a clue what I wanted to do in security at the time, noting what I would have done differently along the way.
Note: The thoughts and opinions in this article are my own based on my own experience. I haven’t been contacted by any owners of the resources I’m going to mention. The thoughts here are my own and do not represent my employer(s) past and present.
Start somewhere, but always be curious
Security is hard; period. I knew studying to get into security would be difficult, but, even 7 years into my journey, and as problems become more complex, it seems to be only getting harder. Tell yourself right off the bat, this journey is going to be long, difficult, and tumultuous, but you can do it if you take it in stride. Start somewhere, anywhere, and let your curiosity guide you.
In the very early days of my self-taught security training, I grabbed courses on Udemy.com that seemed to be of interest. They were generally “hacking” and “wifi hacking” courses that taught the basics of cracking WPA and WEP encryption protocols in wireless access points to break into a network, or, if you really want to, DDoS your neighbors for blasting music at 3:00 AM (not like I’ve ever done that). While they helped, my learning was unfocused and often all over the place. If I had to do it again, and given the resources today in 2022, I’d recommend the following:
- Tryhackme.com (Free) – Start picking up “Introduction” courses for security and/or penetration testing if those are of interest to you. The “paid” tier is also pretty affordable and I enjoyed the extra rooms I had access to when I subscribed to it.
- Since you’ll be hacking, learn to create your own Kali Linux virtual machine. If you don’t know what that is, it’s okay. The experience for you to dig into what it is and how it gets set up will be of value to you.
- Similar to the above note, Linux Basics for Hackers is an awesome resource for learning Linux, the terminal, and some essential commands you’ll most likely use daily in security. If not, they’re incredibly handy.
- Udemy.com – Never buy courses at full price, but when the sales come focus on introductory security courses. After previewing some courses on my own, Security+ focused courses offer a good overall view of security for beginners as well as the different areas of security that are available to you.
- For aspiring hackers and pentesters, pick up a copy of Penetration Testing from No Starch Press. Not only is it a great reference book, but it will also cover the essential tools and methodologies you need to be an effective tester.
Once you start using these resources, let your curiosity guide you and just be a sponge. Maybe you start learning about DevOps while you learn about security, dive into DevSecOps tangentially and learn how CI/CDs work and how they need to be secured.
Get technical, and don’t be afraid of getting too technical
Before I was employed in security, I met with the CISO (Chief Information Security Officer) at the company I was working at. I flat-out asked him to give me three things I should do if I wanted to get into security. In my last few years I also noticed that when I was an analyst, being technical made me stand out from other analysts who were more GRC-focused (which isn’t a bad thing!). I stand by my CISO’s answer today, but with some additional context I wish I had.
Any of the resources below can be found in courses on Udemy.com, but I highly encourage you to look up free tutorials online. Even YouTube can be a great starting point these days.
- Learn Node.JS and build a webapp
- Why? Node.js is hugely popular as a framework that runs JavaScript on the server using the Node engine under the hood. What does that mean? It means a lot of companies, and I mean a lot, use Node to some extent. Not only will you become decent at programming, but you’ll also become familiar with modern frameworks and tooling for servers and clients such as Express.js, React, and NPM. Along the way you’ll also come across security best practices like the guidelines from OWASP and their OWASP Top 10.
- Learn Docker
- Why? Docker is a way of containerizing, or packaging, an application into a single running instance. Modern companies use DevOps to “containerize” their workload in the cloud for availability and scalability. In addition, learning to secure Docker has many carryover concepts into Linux hardening and learning good DevOps practices.
- Deploy your app
- Why? Once you have an application, you’ll want to host it for the world to see. While you don’t need to deploy to AWS (which costs $$$$), deploy your application so you can access it on your home network. This will not only teach you how to deploy an application, but concepts about networking, how to serve applications in a private network, and, if you want to get fancy, maybe set up some DNS records to more easily access your application. You’ll also want to secure how your application is accessed – easier said than done.
With those three points in mind, I’d like to add a few other ideas.
- Learn Python
- Why? Python is one of, if not the most, important tools you can learn when it comes to security. Not only is Python incredibly easy to learn, it has a wide range of applications when it comes to automating repetitive tasks, writing exploits and proof-of-concepts, writing integrations, and data analysis (logs or other globs of data). There isn’t anything I haven’t been able to do in Python, and learning it early in my career has helped me work with other languages such as JavaScript, Go, Bash scripting, and even older languages like C.
- How? Automate the Boring Stuff with Python really helped me get started, but I really recommend writing your own basic tools with Python to get the hang of things. Even if you’re automating something as simple as port scanning or network recon, getting down the mechanics really opens up the door for you as a security practitioner.
- Don’t neglect traditional networking
- Why? Know your CIDRs, your NATs, your subnets, and VPCs! When you’re in security, networking is a huge part of understanding the environment that you’re tasked with protecting. Even though there are a ton of resources on IaaS providers like AWS or GCP (learn those, too!), you should always know the traditional tools, protocols, and vernacular being used. If you don’t know what someone means when they say, “rescan but with a slash 16 CIDR”, then it’s time to take a step back.
- Dip your toes into some more specialized areas of security to learn what other disciplines are out there.
- Why? I’m not saying to become an expert, but it’s important to know what else there is in the security space. Looking at sites (again) like Tryhackme.com and hackthebox.eu, don’t be afraid of learning a few topics such as:
- Reverse engineering and decompilation using tools like Ghidra
- Mobile Application Testing (OWASP has some great resources just for mobile)
- Web Application Security
- IoT Security
- SAST, DAST, and CI analysis tooling (more of DevSecOps, but interesting stuff out here)
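The two points above about Python automation and traditional networking overlap in practice: a lot of day-to-day security work is pulling addresses out of logs and deciding which network they belong to. As an added example (not code from the original post), this script parses a handful of constructed sshd log lines, uses Python’s standard-library ipaddress module to place each failing source inside a hypothetical corporate /16 or VPN /24 scope, and shows the CIDR arithmetic behind “rescan with a slash 16”. The log lines, scope names, and address ranges are all made up for the example.

```python
"""Classify failed SSH logins by network scope using the ipaddress module."""
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from any real system).
SAMPLE_LOG = """\
Jan 12 03:14:07 bastion sshd[2201]: Failed password for root from 10.20.5.17 port 51422 ssh2
Jan 12 03:14:09 bastion sshd[2201]: Failed password for root from 10.20.5.17 port 51423 ssh2
Jan 12 03:14:12 bastion sshd[2203]: Accepted publickey for alice from 10.20.7.4 port 40011 ssh2
Jan 12 03:15:30 bastion sshd[2210]: Failed password for invalid user admin from 192.168.100.9 port 3321 ssh2
Jan 12 03:16:02 bastion sshd[2215]: Failed password for ubuntu from 203.0.113.44 port 60021 ssh2
Jan 12 03:16:05 bastion sshd[2215]: Failed password for ubuntu from 203.0.113.44 port 60022 ssh2
Jan 12 03:16:09 bastion sshd[2215]: Failed password for ubuntu from 203.0.113.44 port 60023 ssh2
"""

# Hypothetical network scopes: a corporate LAN on a /16 and a VPN pool on a /24.
SCOPES = {
    "corp-lan": ipaddress.ip_network("10.20.0.0/16"),
    "vpn-pool": ipaddress.ip_network("192.168.100.0/24"),
}

# Matches the failed-password line format above; "invalid user" is optional.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)"
)


def parse_failed_logins(log_text):
    """Yield (user, ip_address) for every failed-password line in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), ipaddress.ip_address(m.group(2))


def classify(ip, scopes=SCOPES):
    """Return the name of the scope containing ip, or 'external' if none does."""
    for name, net in scopes.items():
        if ip in net:  # ipaddress does the CIDR containment check for us
            return name
    return "external"


def failures_by_scope(log_text, scopes=SCOPES):
    """Count failed logins per scope and per (scope, source IP)."""
    per_scope = Counter()
    per_source = Counter()
    for _user, ip in parse_failed_logins(log_text):
        scope = classify(ip, scopes)
        per_scope[scope] += 1
        per_source[(scope, str(ip))] += 1
    return per_scope, per_source


def scope_size(cidr):
    """Number of addresses in a CIDR block (a /16 is 256 times a /24)."""
    return ipaddress.ip_network(cidr).num_addresses


def widen_scope(cidr, new_prefix):
    """'Rescan with a slash 16': return the supernet of cidr at new_prefix."""
    return str(ipaddress.ip_network(cidr).supernet(new_prefix=new_prefix))


def subnet_of(ip, prefix):
    """Return the /prefix subnet a single address falls in, e.g. its /24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


if __name__ == "__main__":
    by_scope, by_source = failures_by_scope(SAMPLE_LOG)
    for scope, count in by_scope.most_common():
        print(f"{scope:10s} {count} failed logins")
    for (scope, src), count in by_source.most_common():
        print(f"  {src:16s} ({scope}) x{count}  subnet {subnet_of(src, 24)}")
    print("corp-lan size:", scope_size("10.20.0.0/16"))
    print("10.20.5.0/24 widened to a /16:", widen_scope("10.20.5.0/24", 16))
```

Counting per scope first and per source second mirrors how you would triage a burst of failures: an internal /16 lighting up means something different from a single external address hammering one account, even when the raw counts look similar.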
It’s also worth mentioning Humble Bundle here. While their “pay what you want” model typically applies to video games, I often see a lot of great computer-related bundles with topics ranging from programming languages and Linux all the way to cyber security bundles. The quality may vary; however, I believe it’s worth keeping these books in your digital library as a rainy-day reference.
Learn from others, but craft your own path
It is ironic considering you’re reading this off of my personal blog, but there are a lot of Security influencers out there. The topic is somewhat controversial depending on who you ask, but I want to frame this section around how you take in information and from where – not just who.
I’m a big fan of writeups in general. Even if it’s the same topic, you’ll learn how others think and work to discover, essentially, the same conclusion. When I worked on cars a master mechanic always taught me, “there’s more than one way to skin a cat” – absolutely gross, but should be applied to your own work. Here are some resources I like to use to learn about, well, anything.
- Retired HackTheBox writeups
- Hot take here, but HackTheBox writeups for their labs are invaluable. Considering most machines have more than one entry point, there’s a huge chance that even the machine you pwned has another way to root/Administrator. Learn “how” someone did a box, but, most importantly, take note of their methodology and apply it to yours.
- Conference talks
- I started going to conferences back in 2019, and I had no idea what a lot of folks were even talking about – I was really focused on snagging free swag – but I wrote everything down. Fast forward a few years I still have those notes and things make a lot more sense. Even better, I have been able to use some of those old notes to spark new ideas in my own work. Sit down for a talk, buckle up, and write it all down. Your future self will thank you.
- Influencers worth being influenced by
- John Hammond – https://www.youtube.com/c/JohnHammond010
- Amazing overall security practitioner with well-produced videos. He focuses on the core of the issue while also addressing some neat subjects, like malware analysis, that I otherwise wouldn’t have exposure to.
- Jenny Radcliffe – “The People Hacker”
- More along the lines of Social Engineering, but she has some amazing stories you can listen in on via Darknet Diaries.
- Ippsec – https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
- I would put Ippsec’s videos on almost 24/7 when working and studying for my OSCP. He tackles a lot of CTF challenges, but also covers a lot of classic and emerging TTPs. The videos are long, yes, however, they show the entire hacking process – even when things don’t go as planned and when you need to regroup!
- LiveOverflow (Fabian) – https://www.youtube.com/c/LiveOverflow
- A brilliant security engineer and IT security consultant, LiveOverflow’s videos spend a lot of time unraveling more complex security issues and topics. Education is top of mind for him as he talks through topics like how XSS was discovered in Google’s search engine, or reverse engineering bots.
- Computerphile – https://www.youtube.com/user/Computerphile
- While there might not be a ton of security-specific videos (the ones posted are top-notch), the interviews with engineers cover a lot of really cool computer topics, from the inception of the bit all the way to how modern AI works.
Proving your value as a candidate
I get asked about certifications a lot and while a few years ago I would have had a few I would highly recommend, these days it’s not as clear. Security training is highly commercialized, expensive, and, oftentimes, not great in terms of reliability or quality. With that in mind, here are some recommendations I would suggest taking with a grain of salt.
- OSCP from Offensive Security
- I passed my exam in early 2021 right before a big change in the exam as well as the price for the materials. Still, this certification is seen as the industry gold standard for pentesting in the field. It helps get interviews when you otherwise would have no experience.
- Pentest+, CEH, eJPT, etc.
- Personally, I have not taken courses for these certifications, however, they seem hit or miss in terms of curriculum. Pentest+ and eJPT seem to have good guidance on methodology and practical pentesting work, and the eJPT even has labs. When I started studying for the CEH as a beginner in security, I did not see the value of the materials and quickly switched to the OSCP training path.
- eWPT and eWPTX
- I studied for a long time for the eWPTX specifically and was a fan of the content, so I assume the eWPT is also a good learning track. While I did study during a time that INE had some serious site/lab reliability issues, I did like that I was learning and came away with tactics I quickly brought with me into the field.
One last note: I would recommend checking out folks on LinkedIn who currently work in roles you’re interested in. If you see a “Penetration Tester” on LinkedIn, look at their past experience, certifications, and companies worked for – maybe learning badges as well. Looking at where you want to be can help iron out your own learning path.
Words of wisdom to my younger self
For a few years, security was all I slept. While all the work has paid off, I felt like, and often still feel like, I’m constantly playing catchup to someone else. Even though most of this article is written in hindsight, here are just some things I’d say to myself a few years ago to help a younger me out:
- Write it down, even if you don’t understand it. You’ll have plenty of time in the future to look into it.
- The gym closes in two hours, your computer can stay on all night.
- You’ve put in plenty of work, take a break and treat yourself.
- It’s okay if you don’t understand what you’re looking at, try to break it down into pieces.
Anyway, thanks for reading. 🙂 Now go get some sleep.