The Hacker's Cache

#3 Best Way to Learn Active Directory Hacking Skills ft. Robert O’Connor

Kyser Clark - Cybersecurity Episode 4

The conversation between Kyser Clark and Robert O'Connor covers a wide range of topics related to penetration testing, certifications, career progression, and personal experiences in the cybersecurity field. Robert shares insights on his journey from IT intern to senior analyst to penetration tester, discussing certifications, specialization in Active Directory assessments, and the challenges of transitioning into pen testing. The conversation also goes into the nuances of different types of pentesting, the impact of imposter syndrome, and the evolving landscape of pen testing roles in the industry.

Connect with Robert O'Connor on LinkedIn: https://www.linkedin.com/in/robert-o-connor-16634a164/

Takeaways

  • The journey from IT intern to senior analyst to penetration tester highlights the diverse career paths within the cybersecurity field.
  • Specialization in Active Directory and internal network assessments is a key focus for some penetration testers.
  • The challenges of transitioning into pentesting, including imposter syndrome and the need for support and collaboration, are important considerations for individuals entering the field.
  • The evolving landscape of pentesting roles in the industry, focusing on web app and cloud assessments, presents opportunities and challenges for aspiring penetration testers.

Connect
---------------------------------------------------
https://www.KyserClark.com
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention Viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

The postings on this site are my own and may not represent the positions of my employer.

**[Kyser Clark] (0:00 - 0:02)**
What's the best way to learn how to pentest Active Directory?

**[Robert O'Connor] (0:02 - 0:29)**
Probably Hack The Box, not specifically like their active machines, the pro labs that they have. In my opinion, of all, I've done a half of them, I think two out of four, I would say they're well worth it. I've done the introductory one, Dante, and then the more intermediate one, Offshore, which is super good. Highly recommend if you're wanting to specifically learn Active Directory testing, it has a couple of different forests or domains that you can test that are all Active Directory joined.

**[Kyser Clark] (0:29 - 1:54)**
Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

Hello. Hello. Welcome to The Hacker's Cache. My name is Kyser Clark, the host of the show. If you don't know who I am, I have been in the field for six years now. I am a full-time penetration tester. I have a bachelor's degree in cybersecurity and am currently working on my master's degree. I have 12 certifications.

Today I have with me Robert O'Connor, who is a penetration tester. He has been a pen tester for two and a half years now. Before that, he was doing cybersecurity analyst work. He has CASP, which is going to be called Security X soon, and OSCP, CYSA+, Security+, CEH, and he also has a degree in network engineering and a bachelor's degree in network security. So Robert, thank you so much for coming on the show. I really appreciate your time. Go ahead and unpack some of your experience and introduce yourself to the audience.

**[Robert O'Connor] (1:55 - 2:52)**
Yeah. Thanks for having me. So as Kyser mentioned, I'm Robert O'Connor. I started out mostly as a, I would say it's a pretty standard approach in terms of getting into the cybersecurity field. Starting out as an IT intern, just doing basic networking setup for a small business and then switching more towards a junior defensive analyst, and then working my way up to a senior analyst. Two and a half years ago, I switched to pen testing, which is where I currently am now, doing pen testing for a government contractor. I have a couple, like Kyser mentioned, certifications. I'm currently studying for the CRTO, and I'm going to try and get OSEP at the end of this year, OSED at the beginning of next year, and then OSEE at the end of 2025. That's the goal. So I'm going to try and stick to it.

**[Kyser Clark] (2:53 - 2:57)**
Nice. You're trying to go for the OSCE 3, right?

**[Robert O'Connor] (2:58 - 3:04)**
Yeah. I have a lot of the CompTIA certs and CEH just because those are the certs that are government compliant.

**[Kyser Clark] (3:04 - 3:54)**
Yeah. The OSCE 3 is actually something that I aspire to get to. It's a huge mountain to climb, but once you get there, you feel like you're on top of the world when it comes to pen testing credentials. I have OSEP and have actually done the PEN-300, the OSEP course, twice. I didn't feel good enough to take the exam, so I stopped doing that and am currently going for the OSWA. Those 300 level courses, or at least the one I was studying for, are no walk in the park. It's significantly harder than OSCP. So yeah, if you can get those certs, hats off to you. That's a huge mountain to climb for sure.

**[Robert O'Connor] (3:55 - 4:18)**
Yeah. I specifically didn't mention OSWE because although it'd be nice to get all the offensive security certs, I don't like web assessments whatsoever. I'm not a web person. I try and stay away from as many web assessments as I can. So I just try and specialize in internal network assessments or Active Directory environments and just love doing those.

**[Kyser Clark] (4:19 - 5:30)**
Nice. There were so many acronyms there that I thought you said OSEE. So my apologies. I thought you said that. But yeah, that makes sense. The more I do web apps, the more I don't like them. So I'm kind of with you on the networking because I have a network engineering background, I have a CCNA. So networking just makes, it's just, I have a lot of fun with network engineering. I tell people all the time, if I wasn't in cybersecurity, I'd probably be either a network engineer or a cloud engineer because I just like connectivity. I think connectivity is super fun. But let's go ahead and get into the rapid fire questions here that I have prepared for you.

So the way this works is I'm going to ask you five questions. You have 30 seconds to answer them. When you answer them, don't provide any explanation. Use one, maybe a few words for your responses. And then at the end, we'll go into explanations after the fact. If you get through all five questions in 30 seconds, you will get a bonus question that's not related to cybersecurity. Do you have any questions on how that works?

**[Robert O'Connor] (5:31 - 5:32)**
No, I'm ready. Let's do it.

**[Kyser Clark] (5:32 - 5:48)**
All right, let's go. Let me get the stopwatch ready. All right. So your time will start when I finish speaking on the first question. Do you think the cybersecurity industry is growing fast enough?

**[Robert O'Connor] (5:49 - 5:49)**
Yes.

**[Kyser Clark] (5:50 - 5:56)**
Does compliance equal security?

**[Robert O'Connor] (5:56 - 5:56)**
No.

**[Kyser Clark] (5:57 - 5:57)**
Favorite type of pen testing?

**[Robert O'Connor] (5:57 - 5:57)**
Active Directory.

**[Kyser Clark] (5:58 - 6:02)**
Worst advice you have received in cybersecurity?

**[Robert O'Connor] (6:04 - 6:11)**
Don't listen to your peers for advice.

**[Kyser Clark] (6:12 - 6:14)**
Which country has the most dangerous threat actors?

**[Robert O'Connor] (6:15 - 6:16)**
China.

**[Kyser Clark] (6:18 - 6:43)**
You did it in 30 seconds. That was 28 seconds. I actually stumbled on one of those questions. I almost said it incorrectly. It probably would have been more like 25 if I had asked that one question correctly. Congratulations. This is my third episode, and you're my third guest. You're the first one to get it done in 30 seconds. Let's go ahead and do the bonus question. Are you ready?

**[Robert O'Connor] (6:44 - 6:46)**
Yep. Is this rapid fire as well?

**[Kyser Clark] (6:48 - 7:12)**
Let's do semi-rapid fire. You can explain a little bit. Now, this is a really heavy-hitting question. This question is highly debated amongst the world. It's honestly a huge issue in today's society. Hopefully, you don't feel too overwhelmed with it. Does pineapple belong on pizza?

**[Robert O'Connor] (7:13 - 7:22)**
Nope. I don't like it. I've never tried it, but I don't think it belongs on pizza. I haven't tried it and I don't really want to. I don't plan on it.

**[Kyser Clark] (7:22 - 7:23)**
You've never tried it?

**[Robert O'Connor] (7:23 - 7:28)**
Nope. I feel it's the same thing as anchovies on pizza. It just doesn't go well.

**[Kyser Clark] (7:30 - 7:53)**
Yeah. I agree with you. I don't think it belongs on pizza. I'm never going to order it. The only time I ever ordered pineapples on pizza was when I was in Hawaii. That's the only time I feel it's acceptable, when you're in Hawaii. Other than that, if it's there, if someone else orders it and they're sharing their pizza with me, I'm going to eat it. But yeah, I'm not a big pineapple on pizza fan either.

**[Robert O'Connor] (7:54 - 7:57)**
That's understandable. You only have it in Hawaii because it's tropical mood.

**[Kyser Clark] (7:57 - 8:14)**
Yeah, and the pineapples are super fresh there. Let me dive, let's dive into your favorite type of pen testing. Why is Active Directory your favorite type of pen testing?

**[Robert O'Connor] (8:16 - 9:11)**
I guess it focuses less on specific types of vulnerabilities and more on misconfigurations. If you go into a more mature environment or a network that has a very good patch management cycle, you're not just going to find, in theory or hopefully, you're not just going to find EternalBlue sitting on an available machine that you can just get into and then you're done. It's more about finding misconfigurations within various user properties or computer account properties and finding ways you can build attack paths to get to the destination that you want or the highest privilege that you can, whether that's domain administrator or local administrator on a specific system.

**[Kyser Clark] (9:15 - 9:23)**
Yeah, that's an interesting take. Especially since I feel like Active Directory isn't secure by default, you know?

**[Robert O'Connor] (9:23 - 9:42)**
I think SMB signing isn't by default enforced until I read it somewhere, like Windows Server 2022 is where SMB signing is enforced by default. So any prior before that, it isn't enforced. So it's more vulnerable and misconfigured by default.

**[Kyser Clark] (9:43 - 9:59)**
Right. Windows are always like, it's not a bug, it's a feature. I can see why you think Active Directory pen testing is your favorite. What's the best way to learn how to pen test Active Directory?

**[Robert O'Connor] (10:02 - 12:13)**
I would say probably Hack The Box, not specifically like their active machines. That's the one downside I don't really like about Hack The Box, like their 20 active machines, because it's just one specific machine. I would say 75 to 90% of the time it's a Linux machine and it's running some type of web application. The pro labs that they have, you do have to pay a little bit to use them, but in my opinion, of all, I've done a half of them, I think two out of four, I would say they're well worth it. I've done the introductory one, Dante, and the more intermediate one, Offshore. Offshore is super, super good. Highly recommend if you want to specifically learn Active Directory testing because it has a couple of different forests or domains that you can test that are all Active Directory joined. I think there's only one or two systems where you have to bypass Windows Defender. I think by default it's disabled, so it's not necessarily teaching you evasion or stealthiness. It's teaching you the fundamentals of Active Directory testing, which I think is very important. I think the two harder ones are more evasion and red team focused, but they still have Active Directory components in them. I would say Hack The Box pro labs, probably the best place that I've specifically used. It's kind of hard to do Active Directory testing on your own system just because you need generally a couple of virtual machines running at one time and some laptops sometimes can't handle it. Depends if your desktop can, you can build your own and go through different setups that way. If you're not a pen tester by trade or where you're actually working, it can be difficult.

**[Kyser Clark] (12:17 - 12:54)**
I haven't done any of the pro labs. I do the weekly Hack The Box machines every week. Very rarely do I skip a week, but I haven't done any of the pro labs. I want to know, when it comes to the pro labs, when you get into that environment, is it strictly a challenge or is it training? Does it teach you anything or do you have to learn on your own and approach it as a challenge and find the resources outside of the pro lab? Or does the pro lab teach you some of those techniques?

**[Robert O'Connor] (12:56 - 13:21)**
I would say it's half and half. They don't directly teach you, like, this is the step that you're supposed to do. They try to build a story within the environment to encourage you to learn a specific topic. But it's half and half. It's not super direct, but they do try to build a little story if they can.

**[Kyser Clark] (13:23 - 14:25)**
Nice. I did not know that. I mean, I've heard good things about the pro labs, but I just didn't. No one ever told me that before. So that's good to know. That's a good balance between learning on your own and having a few nudges. So, yeah, that's definitely on my list to check out, especially like I said earlier, when I'm going through the OSEP, the Offensive Security, well, it's OffSec Experience Professional. I'm going through that course twice now. I feel like the pro labs is one of the common things people will say to go through. So that's on my to-do list for sure. So I appreciate you mentioning that.

**[Robert O'Connor] (14:26 - 15:19)**
I would say it's always been the dream or the ideal place I'd want to end up as a pen tester just because I find it more interesting to learn about. Gradually, in my spare time, I'll go learn about offensive security techniques and that kind of stuff rather than defensive. So I got into pen testing as complete, I wouldn't say luck, but it was good circumstances that allowed me to get into it. So I directly didn't, I would say, no, I was going from a security analyst position to a pen tester. It was kind of just a very random opportunity that I thought I might as well throw my name in the hat to see if I get it, and I thankfully did.

**[Kyser Clark] (15:21 - 15:32)**
Nice. Yeah. Congrats on that. I feel like that's a great opportunity that you had there because I feel like getting into pen testing is pretty difficult.

**[Robert O'Connor] (15:32 - 16:28)**
I always thought it was a super hard hill to climb to get into pen testing. If you go through, there are very few companies that will bring on pen testers from just an entry-level experience stance. Usually, the hard requirement is you have to have some kind of offensive security cert like OSCP or maybe CEH or CRTO, something related to that. Even that gold standard, like OSCP, although it's a harder certification to get than others, it's an entry-level certification for pen testing. So I always thought it was a super hard hill to climb.

**[Kyser Clark] (16:30 - 16:55)**
Yeah, I agree with you there. Pen testing is harder to get into. Like you said, I agree with you with OSCP. I have 12 certifications and that's still the hardest one I have achieved. Like you said, it is an entry-level pen testing cert. A lot of times, OSCP isn't enough to get your first pen testing job.

**[Robert O'Connor] (16:56 - 17:01)**
Yeah, it often isn't, sadly, which is very unfortunate.

**[Kyser Clark] (17:01 - 17:40)**
I think it's a good course. It's not perfect, but I really do like that certification a lot. There's a huge debate on OSCP on LinkedIn all the time. Tons of people are not fans of OSCP, but I really am a fan of it. When it comes to going from security analyst to pen tester, what's some advice that you would tell someone that was in your shoes as a cybersecurity analyst who's trying to make that transition to pen testing?

**[Robert O'Connor] (17:42 - 20:42)**
There are some things you can do to gain as much offensive experience without actually having any. Either through self-paced studying, if you're currently studying in college or university, I would highly recommend if your school isn't currently doing it already for them to sign up. I think it's called CPTC, Collegiate Penetration Testing Competition. Most colleges do CCDC, which is Collegiate Cyber Defense Competition. I think it's a group of colleges that come together and compete against each other for either offensive or defensive. So if you want that offensive experience, try and sign up for CPTC. Usually, your school would support you in building a team if you don't already have one or try and join it if your school already does have one. Another thing, if you're not in school, kind of just studying on your own, self-paced certifications. Although it's debated whether or not you like OffSec or CEH or eLearn Security, you may not like the course contents or maybe hunting for certifications, maybe that's not how you learn, but it's probably one of the best ways to get your foot in the door or at least pass those HR filters that are there. So certifications are a good thing to go after, even though you may not like them. Another thing is personal projects or self-taught learning. Hack The Box or VulnHub, those kinds of platforms. I was asked in my pen testing interview, what's your rank or level in Hack The Box? How often do you contribute and do those machines? Thankfully, I said, because I grinded Hack The Box essentially every week doing the machines. At one point, I was ranked number 20 or 25 in the U.S., which isn't competed as much as it was before, but it's still good in case that comes across as an interview question. You have that profile and that proven experience to back it up.

**[Kyser Clark] (20:45 - 21:45)**
Wow. That's actually really interesting that you had an interviewer ask you about your Hack The Box rank. I actually have my Hack The Box team. I straight up had someone say, yeah, I've never seen an employer care about my Hack The Box rank. They only care about whether I'm doing it or not. The rank didn't really matter so much. In my experience, that's what I've experienced too. I've never been asked that in an interview either, although I used to put my rank on the resume, but then I was like, oh, I don't think anybody cares about my actual rank, so I just put the number of machines I pwned. That's interesting that you guys asked that question. That's really cool because, in my opinion, the rank shows you how much you play the game rather than shows your skill level, I guess.

**[Robert O'Connor] (21:45 - 21:49)**
It's like consistency because your rank doesn't go down.

**[Kyser Clark] (21:50 - 22:36)**
Yeah. That's what the rank does. It shows your consistency. That's a good way of putting it. You got a high rank. You got high consistency, which is super important in this field, in my opinion. That's one of the reasons why I do Hack The Box every week and I try not to miss a week. If I do, then I go back and I'll do two the next week. I never miss two in a row. I agree there. Hack The Box is super helpful. I've been asked in interviews to explain some of the Hack The Box or my favorite Hack The Box machine I've done. My favorite was Cerberus, which is a hard machine. You probably have done it, but yeah, that was my favorite machine. I have a write-up on it and stuff. It was a super fun one.

**[Robert O'Connor] (22:37 - 22:53)**
Nice. I haven't done Hack The Box in a while besides the pro labs. I've kind of drawn away from the individual machines and just stuck to pro labs because it's more towards what I'm doing day-to-day and what I want to learn in the future.

**[Kyser Clark] (22:54 - 23:35)**
Yeah. It definitely sounds like I should probably stop doing the machines and start doing the pro labs myself, the way you're putting it and the way I've heard other people talk about them. I've never heard a single bad thing about a pro lab. I think the only negative thing is maybe the cost, but no one has ever said the training itself is bad. I've only seen people say good stuff about it. I actually had one of my teammates, he stopped doing Hack The Box weekly machines for weeks to do the pro labs, and it paid off for him. That might be something that I incorporate into my training myself. Thanks for bringing that up.

**[Robert O'Connor] (23:35 - 23:36)**
Yeah, of course.

**[Kyser Clark] (23:38 - 24:13)**
I came from a system administration background, so I wasn't a security analyst before I went into pen testing, but you did come from security analyst. Do you think being a security analyst gives you any kind of advantage going into pen testing? For example, if someone can skip security analyst and go straight to pen testing, should they do that? Or should they take that security analyst position for a little bit first and then get into pen testing? What's your take on that?

**[Robert O'Connor] (24:14 - 25:07)**
I would probably say change security analyst to what you did, system administration. I'd recommend that more towards being a security analyst before you get into pen testing because as a security analyst, you're not directly interacting with anything. You're kind of just looking at alerts. Maybe you're doing threat hunting, that kind of thing, but you're not actually doing any setup or directly interacting with any machines or services or components. Whereas if you're a system administrator, Linux or Windows, you're directly working and being experienced with either the network or the system or the environment. So I would recommend system administration before you get into pen testing rather than being a security analyst.

**[Kyser Clark] (25:08 - 25:51)**
Yeah. That answer kind of surprised me because I used to be a system administrator and I've worked with Active Directory a lot. The whole first role, I came from the Air Force active duty, and that's what the whole network is, Active Directory. So knowing how Active Directory works, how to assign privileges and stuff, definitely gave me an advantage. For some reason, I always thought maybe a security analyst would have an advantage, but I guess it's not the case according to you. So that's interesting to know. Thanks for highlighting that.

**[Robert O'Connor] (25:51 - 26:26)**
Yeah. I would say it's like that benefit of, in order to know how to break something, you have to be able to build it correctly and understand how it's being built and that kind of stuff. So system administration helps with that aspect over security analyst. You may see malicious queries as a security analyst. You may come across an actual attacker in your environment or maybe a pen test that's going on, but you're kind of just seeing the end of it rather than the entire process of it.

**[Kyser Clark] (26:30 - 26:42)**
So you mentioned that Active Directory is your favorite type of pen testing. Is that the type of pen testing you're doing the most often? And what other kinds of pen testing are you doing day-to-day right now?

**[Robert O'Connor] (26:43 - 28:05)**
It's the most often. It's definitely the most often that I'm doing now. I would say the second is probably web in some form, but most are Active Directory based, which is good. Hopefully, if you're in a good pen testing environment, I strictly shy away from trying to be good at everything just because pen testing is so broad. You can spend your entire life trying to learn it all and you're not even going to come close. So picking a specialty that you really love is really important. If you're in a good working and collaborative environment, hopefully your job leader or supervisor would help you mainly specialize and put you as a priority for the type of assessments that you want to do. I've done a couple. I've done the array. I think the only ones that I haven't really touched have been mobile and ICS, Industrial Control Systems. Usually the only two I haven't. I've done physical, on-site, red teaming, web, cloud, external, internal network. Trying to think if there's really any other.

**[Kyser Clark] (28:05 - 28:06)**
IOT hacking?

**[Robert O'Connor] (28:07 - 28:13)**
No. Yes. That's the other one. I kind of put that as ICS, but they're not the same.

**[Kyser Clark] (28:14 - 29:09)**
Yeah. For me, right now I'm doing internal and external assessments and web applications. I feel like I'm being assigned more write-ups than anything. I've only been a full-time pen tester for less than half a year now, and I'm discovering what I like and what I don't like. I always tell people to go into the field being a generalist, like for me, going in as a pen testing generalist and doing different types, and then maybe specialize later on. That's really good advice because you're going to find one that you like more than others. I feel like that's inevitable. Like you said, you can't know everything about everything. Even senior web app pen testers don't know everything about web apps. That's what makes the field fun because you can't know everything about everything and there's always something new.

**[Robert O'Connor] (29:09 - 29:09)**
Right.

**[Kyser Clark] (29:09 - 29:14)**
That's what makes it feel fun. You can't know everything about everything and there's always something new.

**[Robert O'Connor] (29:15 - 29:59)**
Yep. That's one of the best parts. The thing I haven't liked about pen testing, not the community, but what I would say it's gearing towards more in the past couple of years is if you go on LinkedIn and search for pen testing, most of what recruiters or companies are looking for is web app pen testers. If you're not a web app pen tester, it's like there are very few places that are not strictly doing web app testing, but most of their pen testing is web apps. So as a person who loves Active Directory and internal network assessments, I don't really want to move jobs because I don't want to strictly do web app assessments. I would hate it.

**[Kyser Clark] (30:00 - 30:39)**
Yeah. I can see that. In my experience, which has been limited so far, web apps have been a little bit more common. That's actually one of the reasons why I stopped pursuing the OSEP and started going for the OSWA. That's the OffSec Web Assessor for those that don't know, because I wanted to get more web app training because I kept running into it and I'm like, well, I have to learn this if I want to stay relevant in this field. I do think you should have at least a little bit of web app experience before you specialize. In your opinion, what is the hardest aspect of pen testing?

**[Robert O'Connor] (30:42 - 32:15)**
I guess I would say if you're thrown into the deep end of a new type of assessment and you don't have a lot of support for it, if you're like your coworkers, that's probably one of the most difficult aspects. If you're a pen tester and you get put solely on a project for cloud assessments and you've never touched cloud, it's super daunting to go up against that with no prior experience. You're essentially having to learn an entire new field, but technique and methodology and tools while you're doing an assessment. You have a very limited timeframe because usually, at least for me, pen testing assessments are two weeks. At least for internal networks, the first week is usually remote scanning, that kind of stuff. The second week is what we're actually doing for any kind of exploitation. I would say that's probably the introductory part of pen testing is probably the hardest just because it can seem overwhelming if you don't have direct support or collaboration and you're kind of thrown into the deep end of the pool. To try and learn everything on your own if you're on an assessment in a limited timeframe is super difficult.

**[Kyser Clark] (32:17 - 32:20)**
Yeah, I agree with that. That makes a lot of sense.

**[Robert O'Connor] (32:20 - 33:06)**
You definitely want to get into... I say that because my first assessment was exactly like that scenario. I was not the sole project, but the first pen test I was brought on to was a cloud assessment. I had never touched cloud before, never done professional pen testing and had to do that within one to two weeks. Although I had coworkers, I didn't really want to bug them too much when they actually had other tasking to do and take up a huge amount of their time. That's probably the biggest downside of right when you get into pen testing, it can seem overwhelming.

**[Kyser Clark] (33:07 - 33:21)**
When you were thrown into that project, in the deep end, never done a cloud test before and just go like, hey, here it is. I'm assuming there's probably a major sense of imposter syndrome at that point.

**[Robert O'Connor] (33:22 - 33:40)**
Yeah, you're going to get imposter syndrome in this field. A hundred percent. I was like, oh, that's great. I finally got pen testing. I've been working for this for so many years, thrown into a cloud assessment with no prior experience. It's like, great. I'm just going to hang up the towel. I have no idea what I'm doing. There's no point for me to even try.

**[Kyser Clark] (33:41 - 33:55)**
Yeah. I definitely felt that way myself. I can definitely relate to that. What advice would you give someone who is experiencing that early in their pen testing career?

**[Robert O'Connor] (33:56 - 34:08)**
I would say try not to get overwhelmed, but that's really hard to do in the moment. Lean on your colleagues. It's probably the biggest thing I would say. They're there to help you and support you.

**[Kyser Clark] (34:10 - 34:41)**
Yeah. Sometimes it's hard to reach out for help when you first start your first pen testing job because they brought you in to do a job and you're going in pretty confident, but then you're thrown on your first test and you're like, well, I've never done this and this and this before, but I don't want to ask about it because then I'm just going to look like a big fake and like I don't belong here. It's definitely challenging. That's definitely some good advice that I actually probably need to be using myself.

**[Robert O'Connor] (34:44 - 35:32)**
It kind of goes back to what you said earlier. Dabble in everything just so you get that baseline experience to try and limit... Even though you don't specialize in everything, try and dabble into every kind of sub-pen testing field that you possibly can just to lessen the feeling of being overwhelmed when you get thrown into the assessment. Even if you didn't specialize in cloud, if you studied a little bit about Azure or AWS, at least the tools that are being used, how it's kind of built a little bit, you'd have a better understanding going into it rather than just like, oh, I have no idea what I'm doing. I'm screwed essentially.

**[Kyser Clark] (35:34 - 35:51)**
Final question. Do you have any cybersecurity hot takes or hidden wisdom you would like to share? I feel like you've already dropped a lot of hidden wisdom, but feel free to drop more if you got more.

**[Robert O'Connor] (35:51 - 37:31)**
I would say the hot take of pen testing is gearing more towards web app assessments. I would say web app and cloud are probably the two biggest. If you prefer doing those, great. That's awesome. Keep studying up on it. If you're not, it can seem, at least right now, companies that are hiring for pen testers, it can seem kind of discouraging that the testing you're most interested in isn't necessarily being supported. But if you genuinely want to get in this field and you feel like your only shot is doing web app testing, then you're going to have to go for it. Maybe you have to hold out for maybe a year or two to get that pen testing experience, provable experience under your belt. So you can then either move internally within the team that you say you want to do more, like IOT assessments or mobile rather than specifically web or cloud, or move to a different position or company that has that role available but needs a little bit more provable, just general pen testing experience.

**[Kyser Clark] (37:35 - 37:49)**
Well, thank you for the words of wisdom there. I agree with you there. That makes a lot of sense. That's really good advice. If the audience wants to get ahold of you, what's the best way they can do that?

**[Robert O'Connor] (37:50 - 38:21)**
Probably on Twitter, I would say. I don't actually post anything on there, but that's probably the best way to reach me. I think my handle is Eternal Knop because it's the name of my two favorite things for this field. Eternal is half of EternalBlue, my favorite exploit of all time, and NOP is my favorite assembly instruction because it does nothing. So I kind of put the two together.

**[Kyser Clark] (38:21 - 38:27)**
That is a really good Twitter handle. Thanks for explaining it too. Yeah, that's sweet.

**[Robert O'Connor] (38:28 - 38:35)**
And it goes well together. Eternally doing nothing. I love it.

**[Kyser Clark] (38:35 - 38:37)**
This is what you do when you're feeling imposter syndrome.

**[Robert O'Connor] (38:37 - 38:37)**
Yep.

**[Kyser Clark] (38:39 - 39:16)**
Well, this has been a great discussion. Unfortunately, we're out of time. Man, that time just flew by. I can't believe we're already almost at 40 minutes. To close things out here, audience, if you want to get ahold of me, the best way to reach me is on LinkedIn or go to my website, KyserClark.com. Whatever platform you're watching this on, do me a favor, leave a review and some constructive criticism. I do value feedback and let me know what you want in the show going forward. Hopefully, I'll see you on the next episode. Until then, peace out. Take care. Have a good one. Kyser, out.
