I’m really interested in being an Ethical Hacker. I gotta do more research and see what’s really in demand though. Looking at that chart you sent, CISSP really covers so much. It’s probably worth it to have under my belt.
Just finished Google Cybersecurity Certificate gonna spend next two weeks prepping for Security+ exam and go from there.
Don't try to become an ethical hacker if you trying to get straight to the money.
Let me break down the cybersecurity industry for y'all young boys.
There are defenders (example SOC analysts), GRC (governance, risk and compliance) and there are penetration testers (or ethical hackers).
Most jobs you can get are SOC analysts and GRC people.
SOC analysts are working 12 hour shifts in a windowless room chasing alerts. GRC people are pushing papers, sending emails and holding meetings at a cushy 9 to 5.
Most people in the cybersecurity industry don't have the technical ability to be a penetration tester or an ethical hacker. And for most people trying to get in, learning how to do so is a waste of time. You are going against people that used to be mid-level to senior web developers, software engineers, system administrators, cloud engineers, DevOps engineers and they are switching to cybersecurity because their skills are highly desired and they can get 250K from some start up and work from home just by getting the OSCP, which would be easy for them to do.
Therefore ethical hacking certificates are bullshit and a waste of time for someone trying to change their career without any mid-level technical skills. You are gonna spend hours upon hours to get a certificate that teaches you how to do a buffer overflow or an SQL injection, but you don't know how to build software or a web application or administer users in Active Directory.
You learned a script-kiddie skillset that isn't really in demand at the junior level because they know that you need to know how to do all this other shit to even be worth their time to train and specialize in a technology. They rather take a computer science graduate straight out of a no name university that think cybersecurity is all about hacking. They don't know no better. They'll pay him 60K and he'll do whatever they'll tell him.
For example, web application penetration testing is the most in-demand style of penetration testing. It's not network penetration testing because at this point, firewalls and shit are so advanced having someone test your network is pointless if you haven't done the basics to protect it.
That means you need to know how to read HTML, JavaScript and CSS and know a fucking tech stack but you wasted your time learning about buffer overflows, shit that nobody does anymore or an SQL injection by chasing OSCP or PNPT or eJPT.
You could've gotten CISSP, which is an easy ass multiple choice test that you can pass if you studied for the Security+.
You can go from a HelpDesk to a SOC to a Cybersecurity Analyst in 3 years with an easy mid-level cert like CySA+ and a college degree.
In fact, if you are smart, you would get AWS Solutions Associate and a mid-level cybersecurity cert and a college degree, go from Help Desk to SOC Analyst to a junior DevSecOps or cloud engineer in 3 years. Shit you might be able to skip the fucking help desk.
Ethical hacking is for the young and naive or the guy that was a mid-level software developer and got tired of refactoring Java and he plays HacktheBox in his spare time.
TL;DR: If you want to be a hacker, you have to specialize in a technology and have a technical skillset first to have a chance. Go for a GRC role, you can make 100K in 5 years and work at home, reading documents and going to pointless meetings, and all you had to do is go to college and pass a multiple choice test.
Or you can ignore me, grind away to get a help desk job, grind away trying to be an ethical hacker while at the help desk job and wonder where your time went.
Don't fall for the cybersecurity certification game, learn a technology, whether web applications, cloud computing, or a software and learn a technical skill while at your cushy GRC job and go to the hacker events and meet real hackers and see what they are working on and how you can join. That's how you do it the smart way.