Shared thoughts after 6 years in Pentesting

1. You definitely do not need to make security part of your &quot;lifestyle&quot;, much less spend 80 hours a week working at it. The irony is that the author is a netpen person, which is sort of infamously the least demanding specialty in offensive security. If people writing browser drive-by exploits can stay on top of their game with a 40 hour work-week, I think the netpen people can too.<p>2. Don&#x27;t get certificates. If you meet a prospective employer who seems intensely interested in them, that&#x27;s a red flag about that job.<p>3. The idea that you should aspire to being able to do your whole job from a Linux terminal is pretty silly. Use what works for you.<p>Maybe it takes more than 6 years in offensive security to realize this, but the #1 bit of advice for this field is: learn to enjoy coding. The worst possible place to end up in security is as a captive to available tooling.

Yeah...stopped reading at 80 hour weeks. I don&#x27;t care how esteemed someone is in their industry, if they have to completely destroy their life to get there I question their judgement and don&#x27;t want their advice.

We just had some consultants do pentesting on our medical device and its software components. I was pretty impressed by all the problems they found quickly. As developer I find it pretty hard to stay up-to-date with all the possible ways hackers can get into your systems.<p>To me this was money well spent.

I would say certs have value in security management, compliance and audit. In fact, if you want to take one of those paths, certs are mandatory. If you want to do technical security (which is totally different), then get a CS or EE degree and maybe a few SANS certs (optional unless you are in a regulated&#x2F;compliance oriented industry). Finally, having a security clearance will help as well, especially if you or your employer want to do government contracting.<p>Edit: To expand on the cert topic... if you want to do computer forensics for law offices, police departments, etc. You&#x27;ll need a technical cert (GCFA, etc.). And having a CS&#x2F;EE&#x2F;CE degree won&#x27;t hurt either. You&#x27;ll have to have a cert to do serious forensic work.

&gt; There is a huge need for InfoSec&#x2F;NetSec professionals<p>I know far more people that moved from Security to development than the other way around. Security work has become less pioneering and more routine. The fun part of security is learning, not work.<p>The demand for developers increased faster than infosec and so did salaries.

I am always fascinated by pen testing and studied computer networking in security to fall into a software engineering job. I just never knew where to start with heading a leg up on the tools and practices to be able to go into pen testing professionally... I couldn&#x27;t find any apprenticeships or junior roles for it so ended up shelving it as a &#x27;maybe one day&#x27; &#x27;dream&#x27;. Where would be the best place to start? Most of the books I have are pretty dated now.<p>Also the article was a great read. Pinning it to go over again on the weekend as my lunch is now over.

this is gold and so inspiring.

So many years pen testing.<p>Is blue better than black?<p>Do red pens last longer?