The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
The Hacker's Cache
#7 Think Outside the Box to Land First Pentesting Job ft. Ryan Daub
In this conversation, Kyser Clark interviews Ryan Daub, an Offensive Security Analyst Associate, about his journey in cybersecurity and his current role as an internal penetration tester for healthcare organizations. They discuss topics such as landing a job in cybersecurity, the role of AI in penetration testing, the differences between internal and consulting pentesting, the importance of collaboration between red and blue teams, and the value of continuous learning in the field. Ryan also shares his advice for aspiring cybersecurity professionals.
Connect with Ryan Daub on LinkedIn: https://www.linkedin.com/in/ryan-daub-b87b9b216/
Takeaways
- Landing a job in cybersecurity requires dedication, self-awareness, and demonstrating your skills through personal projects and documentation.
- AI is a useful tool in penetration testing, but it is not yet capable of fully automating the process due to the complexity and constant evolution of technology and environments.
- The role of an internal penetration tester in healthcare organizations involves conducting compliance testing, red team engagements, and collaborating closely with the blue team.
- Continuous learning and staying up to date with industry trends and certifications, such as OSCP and CRTO, are essential for career growth in offensive security.
- Collaboration and knowledge sharing within the cybersecurity community are crucial for personal and professional development.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
**Ryan Daub** (0:00 - 0:12):
Just vulnerable boxes like Metasploitable and some of those other vulnerable systems that you can set up. So I would do that, go through pen tests, type up reports, and I actually submitted one of my pen test reports with my application.
**Kyser Clark** (0:13 - 0:21):
Wow, that's great. I never heard that before, uploading a pen test report to the application. Awesome for you for coming up with that. Did you come up with that on your own, or did someone tell you to do that?
**Ryan Daub** (0:21 - 0:30):
No, honestly, I did come up with that on my own because I was, like I said, I was so into making that transition. I was just ready to do whatever I could to land something.
**Kyser Clark** (0:30 - 1:52):
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, hello. Welcome to The Hacker's Cache. My name is Kyser Clark, the host of the show. I have six years of experience in cybersecurity, 12 certifications, a bachelor's degree in cybersecurity, and I'm currently working on my master's degree in cybersecurity, and I work full-time as a penetration tester. Today, I have Ryan Daub, who has three months of IT intern experience, just under two years of IT support technician experience, three and a half years as an information systems business solution analyst, then he went on to system administration for two years, and then has been an offensive security analyst associate for almost a year now. For education, Ryan has a Bachelor of Science in Information Sciences and Technology, and for certifications, Ryan has OSWP, Pentest+, Security+, and Microsoft Certified Azure Fundamentals.
So Ryan, thank you so much for your time, and thank you for doing this recording with me. Go ahead and walk through your background and introduce yourself to the audience.
**Ryan Daub** (1:52 - 5:31):
Hey, first off, thanks Kyser. Thanks for having me. I appreciate it. I enjoy following your content on LinkedIn. I'm looking forward to this. Yeah, so as Kyser said, I'm sort of a newbie, I guess you could say, in the cybersecurity field. Kind of a long, a long time coming. A little bit of my background, I kind of got the interest, you know, at first in cybersecurity actually in college, and I know college is kind of a hot topic these days. You know, I see some discussions out there on LinkedIn. Should you do college? Should you? I always err on the side of, you know, everybody's different. It's really dependent on your situation and what you are looking for, particularly, but I did go that route, and actually that's where I found my passion in cybersecurity originally was in college at Penn State. So I took, it was a network security course, and it was essentially just an ethical hacking course. We had a pretty good instructor who set up a nice lab for us, and we would just go through the hacking exercises, and I even remember like, I don't know, our final project, final report was like breaking into a SQL box, and I just thought it was just crazy. Like, it was awesome. I was so into it. You know, but at the same time, I've always been, you know, self-aware, and I knew like cybersecurity in general and the ethical hacking stuff was not necessarily like a baseline like skill. I knew it was going to take some time and effort. I just saw the writing on the wall, essentially, you know, it was going to take some work to get there because, you know, I want to be comfortable in the role that I'm doing. So that's kind of where it got the gears turning back in college days.
So I kind of just, you know, I went on, and I did some of the standard path that you would see out there, and I did the help desk stuff. Learned a ton. That's where I learned a lot of my core networking skills, you know, and system administration skills and, you know, basic computer work. Just like anybody else, you know, you look for other opportunities at times things come up. So there was an opportunity at a bigger corporation, you know, I wanted to get some more, you know, bigger experience. And I did like some systems analysis type stuff there, but, you know, cybersecurity was always in the back of my mind, you know, so I would just, even as a systems analyst, I would, you know, reach out to the internal security teams. I would engage them and find work and find cybersecurity work to do because it's just stuff that I wanted to continue working on and building towards. So I would do that type of stuff, document everything I did. And I took one more step then to a local college, and I did some more in-depth system administration stuff. And that's where I really was like, you know, I had a common moment there at that role as a sysadmin. I was like, you know, I think I'm at a point now in my career where I really want to make that next jump now. Starting to feel a little more comfortable with the experience I have. So I just started kind of going the cert route. I know you're really into that, and I know a lot my colleague is as well. So, you know, while I was in that role, doing the sysadmin stuff, it was kind of crazy at the time. I had, I was, I started having a family then and having kids and everything. So it was getting tough, but, you know, I would do my day job and then at night I would do a lot of my studying here and there anytime I could. If I was doing dishes, I would, you know, watch some videos when my kids were sleeping or taking naps or this or that, you know, I'd be in the lab or reading up on things or watching videos. So I, you know, I just continued to build upon that for years upon years upon years and got to a point where, you know, I was ready to make that move. So I was, you know, very fortunate and lucky enough to land where I'm at today, but that was kind of a general story of how I got there. You know, it was a lot of planning, a lot of dedication and self-awareness. So yeah, I'm very excited where I'm at now and looking forward to building from here.
**Kyser Clark** (5:31 - 5:50):
Great. Yeah. It's always happy to be in your current role. That's always a huge positive. I'm curious on, so you said you were lucky and you're, you're thankful for, you know, your current situation. So I'm kind of curious, how did you land your current role? Was it a referral or did you go through an online application? Walk me through how you ended up where you are right now.
**Ryan Daub** (5:50 - 7:47):
You know, I would just, part of that process, you know, when I was in that sysadmin role and doing all the Pentex stuff, I was also getting back on LinkedIn too. That was a lot of the advice I see. So I hopped on LinkedIn, started networking more and I would actually just, I would follow recruiters specifically. And there were some recruiters out there that I liked and they were just giving advice on what to do, you know, and I was kind of just doing this all on my own and feeling it out. So I kind of did it on my own and I would just apply externally, but I would go as far as, you know, tailoring my resume to the roles that I wanted. And even, you know, practicing and looking over my resume and getting ready for interviews, practicing for interview questions.
So essentially for this role, though, I did apply externally, just like anybody else, just browse and browse and browse. And like, this was one that was local, well, locally to me. So, and it was a junior role. And I was like, you know what? I was like, I do stuff on my own at home and I document everything I do. And I was like, I'll take a chance. I was like, it's a junior type role. Let's see what happens. And, you know, it just, it kind of just rolled from there. And I did well in the interviews. And I even went as far as, you know, during that process, I actually, you know, I work on my stuff in my lab at home and I would go as far as even typing up my own pen test reports internally. Like I set up, for example, like an internal like AD that I spun up an AD environment on my own with just virtual machines and on my own hosting and just vulnerable boxes, like Metasploitable and some of those other vulnerable systems that you can set up. So I would do that, go through pen tests, type up reports. And I actually submitted one of my pen test reports with my application. And I know from feedback that that was key to getting the job actually, because it was, you know, demonstrating that I know the material, I can talk about it and, you know, do the job. So I did well in the interviews and they liked
what I was working on at home in the lab, essentially.
**Kyser Clark** (7:48 - 9:03):
Wow. That's great. I never heard that before, uploading a pen test report to the application, because as someone who, you know, I transitioned from system administration to pen testing as well. And that's why I asked that question, like, how did you get your current role? Because it is hard to make that transition from system administrator to offensive security practitioner, pen tester, because a lot of companies are looking for that experience. And when you have zero years of paid pen testing experience, even if you have, for me, I had six years of system administration experience. They still was like, yeah, but you haven't done paid pen testing. And it was incredibly challenging. And I've never heard that before. Upload your report. So that's super beneficial. I'm so glad you mentioned that. And I'm sure that's going to help the audience out there because that is, because yeah, when you get the opportunity in most applications to upload files, exactly. I'm just uploading my resume and I uploaded a cover letter, but I never, it never occurred to me to like upload a pen test report. So that is actually super good advice. Wow. That is, thank you so much for mentioning that. Cause that is, yeah, that does set you apart if you're doing that, because I don't think many people are doing that, but yeah, they are because it's, it's on the podcast.
**Ryan Daub** (9:03 - 9:43):
No, yeah, I got that. I got that feedback from the hiring managers. They really appreciated that. So yeah, I always tell people that, you know, I've faced that as well. You know, I was like thinking, I don't have pen testing experience or any offensive experience. I mean, I do just not in a professional setting. So I was like, just trying to think outside of the box, like, how did you demonstrate that you can do this job? And that's kind of what I came up with. And it obviously worked and went a long way. So yeah, that's, that's a big piece of advice that I give people work on stuff at home and, you know, include that, include that in your resume, document it, be able to talk about it and submit stuff like that. Yeah, it goes a long way.
**Kyser Clark** (9:45 - 10:18):
I believe it does because, I mean, I did do a couple right up for hack the box machines and try hack machines and they're on my blog on my website. However, I wasn't taking those and uploading those to the website and they, you know, they're, they probably never saw them because I just assumed that they would just go to my website and just see them if they were interested in me. But that's uploading those reports probably would have been way, way better. So yeah, great advice. And that's, that's killer. Thanks, man. Awesome for you for coming up with that. Did you come up with that on your own or did someone tell you to do that?
**Ryan Daub** (10:19 - 10:44):
No, honestly, I did come up with that on my own because I was, like I said, I was so into making that transition. I was just ready to do whatever I could to land something. And I had already been, you know, doing stuff in my lab. So I was like, you know, this is part of the job too. Let's just type something up. It was just, you know, basic attack, like setting up Responder and setting up an AD environment to, you know, capture hashes and yada yada.
**Kyser Clark** (10:46 - 11:45):
Nice. Yeah. Like you said, you had offensive security experience in your home lab, but to demonstrate like, because you have zero paid experience. That's the hard part for me. It was like, well, like, you know, at the time I was in my, before I got my current role, like I had, you know, 50, almost, almost 60 hack the box machines hacked. I did 216 try hack me rooms. It's like, well, I've been hacking. I have OSCP, like I've, I've hacked tons of stuff, but it had, you know, zero paid months. And that's what, that's what recruiters see sometimes. And you're like, you know, it's hard. So great advice. I was going to move right on to our rapid fire round. If you are ready for that are for the new audience members, Ryan will have 30 seconds to answer five questions. If he answers five questions in 30 seconds, he'll get a bonus sixth question. That's unrelated to cybersecurity. So are you ready? Ryan is ready as can be. All right, here we go. Your time will start after I stop asking the first question. What was your first computer?
**Ryan Daub** (11:49 - 11:53):
It was a Dell. I don't remember the exact model, probably early 2000s.
**Kyser Clark** (11:54 - 13:04):
Will AI cause the apocalypse? No. Are people born with hacking skills or are they learned? Learned. On a scale from one to 10, how useful are security audits? Repeat that. On a scale from one to 10, how useful are security audits? Uh, this is eight. Let's go with eight. Most annoying cybersecurity myth? Uh, AI is going to take our jobs. Great. This was 45 seconds. So we're not going to get to the bonus question, but great responses to these. Let's talk about most annoying cybersecurity myths. You said AI is going to take our jobs and that is a hot topic. And I've seen people saying that same thing. And then I see people saying, no, they're not going to take their job, take our jobs. I'm under the impression like, they might take our jobs, but I don't think it's going to happen within the next 10 years, but we'll see what happens. So go ahead and talk about your thoughts on AI and automation and penetration testing and offensive security specifically. Can a pen test be fully automated with AI and how soon do you think it will take for that to happen?
**Ryan Daub** (13:05 - 14:25):
First off, I use AI. I mean, I like AI. It's definitely useful for the job. Definitely good for scripting, just looking up some quick things or even research at times. Report writing, all that stuff's pretty good. I think it'll be there as far as assisting with pen testing and offensive security. It's a great tool and it's a great assistant. But even from what I see internally, there's so many nuances, there's so much context in an environment. Yeah, like AI, maybe it obviously can identify vulnerabilities, but maybe not the actual context of the environment or the nuance of the environment, the way it's configured or set up. And not only that, moving forward, technology and environments are going to continue to change in advance. So AI is going to have to evolve with that. Will it be able to pen test the new technology coming out, like quantum? I'm just throwing something out there arbitrarily, like the quantum computing and stuff. Is AI going to be able to keep up? So that is going to be useful, but our environments and technology are constantly changing with it. So I think, I don't know, it's going to take some time. And I see it as just a tool to assist at this point. Definitely, I like having a human looking over the reporting and interpreting and understanding the context of the situation. So that's kind of how I feel about it.
**Kyser Clark** (14:25 - 15:01):
Yeah, I agree with you. That's how I feel about it too. Because, for example, I use ChatGPT all the time. And like you said, it's a great way to augment your work. It's a great way to speed up your work, but you still have to double check everything it says because it doesn't always give you the most accurate information. And you have to give it a lot of information to do what you want it to do. And even then, it still doesn't produce exactly what you're looking for. So yeah, like you said, you kind of have to handhold AI a bit. And I think we're a very long way from being automated out of jobs. So if you're worried about that, I wouldn't be personally. I'm personally not worried about it.
**Ryan Daub** (15:01 - 15:16):
Even early on in my career, it takes a lot of custom work to make attack paths work and exploit things. So I don't know, can AI do that? Probably, I'm not going to say never. But right now, I see it as just a useful tool. Right, same.
**Kyser Clark** (15:16 - 15:27):
Okay, so moving on to your current role. So you are an internal pen tester for healthcare organizations. Can you explain how that might look compared to the consulting world?
**Ryan Daub** (15:27 - 17:28):
Yeah, that's a great question. This is definitely a topic of discussion I wanted to bring up. And you know, I talked to my senior colleague about this often. And that's really one thing when you're looking for jobs or trying to get into this field, especially like specifically offensive security, even the company you go with, there can be major differences. Like even you and I, I know you're out in more of the consulting world, whereas I'm an internal guy doing internal testing. So from what I understand, like in the consulting world out there, I mean,
you guys are cranking out, it's definitely more experience, like if you want to get the experience, probably do the consulting side of it. Because I would assume you're cranking out a lot more engagements and reporting and testing and all that. But then, you know, it's a faster pace, probably a little bit more pressure. Whereas internally, you know, we have assessments and things that are on the books and scheduled and planned. And it's pretty much a set amount of engagements that we do per year. And then, you know, just odds and ends requests that come from internal colleagues looking at things here and there. So internally, like for an example, we typically do around five or six full out engagements a year. And that's between two of us, like there's only two of us internally to do these. So we do the compliance testing, specifically PCI testing, two different environments for that. And then two big red team engagements, we do some network segmentation, validation assessments. And then like I said, just other odds and ends tasks that come through, like recently, I just created like a password filter list for our organization. So they'll come to us for stuff like that. And it's a lot of the day to day work as an internal guy, you're going to be doing a lot of administration stuff, you know, submitting change requests for your infrastructure, maintaining your infrastructure, your tools, your scripts. So it's a lot of that day to day stuff on top of the engagements that we do. So that's kind of what a role looks like as an internal guy.
**Kyser Clark** (17:28 - 18:28):
Yeah, like you said, I am in the consulting world. And that's the only world I've been in. So I've had two pen testing roles, I had a pen testing internship, I did that for four months. And then I'm in my current role as a full time pen tester. And both of those are consulting. And the way it works is like, yeah, you get a week, two, maybe three on an engagement with a client. And then you go in this environment that you've never seen before. And you have to learn a lot of stuff on the fly. And you have to, you know, crank out a report pretty quickly. And there is a lot of pressure, especially if you're new. And that was one of the things that was hard for me to kind of get a hold of was, and I'm still, you know, battling with that, like, yeah, you have to deliver this report by, you know, the end of the week. And it's a lot of there's a lot of pressure there. And I like how you mentioned how, you know, there's a lot of pressure in the consulting world. So I'm assuming there's probably less, a little less pressure when you're an internal pen tester, because I feel like you don't have as strict of a deadline. Is that is that accurate to say?
**Ryan Daub** (18:28 - 18:44):
Yeah, that's fairly accurate. And not only that, it's just we have a newer team. And like some of these teams for the corporations for offensive security are kind of newer. So you know, we're kind of developing our, our own processes internally and what we're doing. But yeah, yeah, that's good to know.
**Kyser Clark** (18:44 - 19:30):
Because when I was applying for positions, obviously, I was looking for so I was only applying for places that said penetration tester. And I was wanting to be in a consultant role, which is because I do like that, helping clients fix problems. I think that is just kind of my nature. I do enjoy that a lot. And I really enjoy even though there's a lot of pressure, I do enjoy getting thrown into a random environment. And it changes from week to week, you know, so it doesn't get boring, it doesn't get stale. And that's what I was worried about when it comes to internal pen testing. So in your world, what would you say about anybody who's worried about like the work getting stale? Is it? Is it a problem? Or do you think there is an actual legitimate worry there when it comes to internal pen testing getting boring after a while?
**Ryan Daub** (19:30 - 20:23):
Great question. I would say it gets boring, you know, because you look at the requests that are coming through daily, like the changes and things to the environment, our environment changes daily, like, seriously, daily, it's it's crazy how much just new, new, new infrastructure gets spun up. So that opens up the network, depending on what apps are running on it, this or that just new technologies implemented infrastructure. So I mean, at the end of the day, the environment's changing daily. So you will find you'll still find new things to work on new attack paths for sure. And I think that's that's always going to be the case as an internal guy, because it's a constantly changing environment. So yeah, I think it's definitely still diverse. It's just really, like you said, the timeline of completing the work, maybe a little more, you know, relaxed than in the consulting world. But I wouldn't say it's boring.
**Kyser Clark** (20:23 - 20:29):
No, that's good to know. So in your organization, do you guys have a blue team?
**Ryan Daub** (20:30 - 21:24):
We do. Yep. And we really, we work with them hand in hand, that's definitely part of the job. So on our red team engagement for really any engagements, you know, we're working hand in hand, even the pen, the straight penetrate network penetration tests, and the compliance tests, you know, we'll just work with them hand in hand throughout testing, letting them know what we're doing. It's like a constant chatter back and forth. And then the red team engagements, we're doing more of the tracking, and actually tracking what alerts are doing and helping them tailor the detections. I know my colleague, you're aware of him, he's working on some intense stuff with them right now. And I'm sure maybe he could go over that with you at some point. But yeah, we definitely work hand in hand with them pretty much on a daily basis, you know, because we're always working on stuff, working on tools, and, you know, they'll reach out to us. Was that you? Was that you? Nice.
**Kyser Clark** (21:24 - 21:31):
Yeah, that sounds really fun and really cool. Purple teaming, they call it. You guys call it purple teaming as well? Like, when you guys deal with the blue teaming?
**Ryan Daub** (21:31 - 21:52):
Yeah, like we have like a purple team chat channel, and we'll communicate that way through chat most of the time. Nice. That's amazing. No, we definitely improve the detection capability, that's for sure. So yeah, it's another aspect of the job too. It's really why we're here is improving the blue team and the tools and processes.
**Kyser Clark** (21:53 - 22:17):
Yep, exactly. Even if you're off in security or red teaming, pen testing, whatever you're doing, it all is to make the blue team better. It's always about cybersecurity. So that is a very good point that you mentioned there. It's always to make the blue team better, even if you're an external or an internal pen tester. So does your organization bring in any external pen testers, or is it always internal penetration testing?
**Ryan Daub** (22:17 - 23:18):
Yep, another great question. I must have messed up, but yeah, that is another part of the job. We coordinate really for mainly compliance purposes. As a healthcare organization, we have to meet certain compliance efforts. So we are mandated to get external pen tests as well. So we've done like, yeah, mobile, I think we've done some mobile tests, but we just had to coordinate that and an external one, all for compliance purposes. And then we just coordinate with the vendor then, setting up the scope, the rules of engagement and all that. So we'll work through all that. And then obviously going through the reporting after the fact and assisting our remediation team with following up on the remediation. By the way, the remediation that I just mentioned, that's another nice aspect of the job is that we have an internal remediation team. So we really get to focus on doing the testing and then our remediation team, we'll consult them. We'll as a consultant to help them track down and remediate vulnerabilities that we find.
**Kyser Clark** (23:18 - 23:30):
So I saw on LinkedIn that your top bullet point is PCI testing. So is PCI testing like the most common thing that you're doing right now, day to day?
**Ryan Daub** (23:30 - 24:02):
Yeah, that was probably my most experience. That was actually a funny story. It was the very first day of my job, we were doing a PCI pen test. So it's probably the most experience I have at this point now. I've been through a couple of them at this point. So that's why I listed that first. Like I said, it goes back to tail and your resume to what you're strong at and what you do. And yeah, I feel pretty comfortable with just the methodology and the whole process in general of conducting an end-to-end pen test. So that's why I have that first. It's probably closest to my skill set up.
**Kyser Clark** (24:02 - 24:27):
Just so we're clear for the audience, PCI means payment card industry. So it's a huge compliance framework that's built around payment card industry. And pen testing is vital for organizations to process the payments
because the payment card industry is really strict on cybersecurity requirements. And pen testing is a requirement under the long list of requirements that they have.
**Ryan Daub** (24:27 - 24:40):
Exactly. Yep. So we'll do the testing and we'll do our reporting and all that. I believe the QSAs, the external QSAs then come in and review our reports and sign off on everything. That's kind of how that goes.
**Kyser Clark** (24:41 - 24:45):
In your free time, what are you doing to keep your skills sharp nowadays? Offset.
**Ryan Daub** (24:45 - 25:53):
I have a subscription to the Pen 200. So I'm really just cutting my teeth and really digging in. I think you worked through the course. It's super long. It's a lot of work. That's basically been my main focus right now. And that's my main goal is the Pen 200. I'm going through that at this point and really trying to focus on that and mastering the basics of penetration testing specifically. That's my goal. That's my short term goal is to do the OSCP. And then probably after that, the recommendation I got was to focus more on the red team, which I will say that's a lot of organizations these days, that's what they're going to value the most, red teaming. That's kind of the big trend now these days with the EDR bypassing and all that other good stuff. So I want to probably pursue some red teaming certs after OSCP and get more into red teaming. So probably looking at the CRTO, Certified Red Team Operator. My colleague recommends that one next. So those are probably the two training courses I'll be going through here in the next year.
**Kyser Clark** (25:54 - 26:14):
Nice. Yes. So your colleague recommended the CRTO over the OSEP because the OSEP has some evasion in there too. And I know your colleague is really big in the offset world too. So I'm actually surprised that he would recommend the CRTO over the OSEP. So is there any particular reason? Have you talked to him about that?
**Ryan Daub** (26:16 - 26:56):
Yeah, just because, well, to back it up a little bit, just the philosophical difference. I mean, we conduct both types of engagement. So I guess I should say it's dependent on what your goals are and what your roles are. And like I said, we do both penetration testing, network penetration testing, which is slightly different than red teaming. So in my type of role, I want to try to get exposure to both types of testing and assessment. So that's probably why he recommends that over OSEP for me, but I'm sure OSEP is just as good for actual red team engagement. So it would, you know, that skill set I'd like to build upon as well.
**Kyser Clark** (26:56 - 28:23):
Okay. Yeah. So from my experience, so I don't have the OSEP. However, I've went through that course like twice now and I haven't sat for the exam yet because that's an incredibly difficult course. It's like, it's definitely way harder than OSCP. Like, yeah, it's naturally the next step above OSCP, but it's a big step. Let me tell you what, in my opinion, and it is pretty hard and it is, honestly, it's, it's kind of like basic AV bypassing, right? It's not going to teach you how to bypass EDR from what I can see. It will bypass Windows Defender and it will bypass a lot of your standard off the shelf antivirus. But if you get some advanced EDR protection like CrowdStrike, I don't think it's those techniques that they teach you is going to pass. But we'll see, you know, as I get more experience, because, you know, I'm right with you, man. You actually have been a paid Pentester longer than me. So, you know, I have very limited experience in the field. I'm still learning and that's kind of my next step too. I think that's naturally where we like to go as offensive security professionals. You start as like a Pentester, then you, you know, you build on your advanced skills and you work your way up to doing more red team engagement. That's naturally the next step for a lot of people's careers, I think. And I think it's a good goal to have. So we'll see how you, how it goes further in your career. And yeah, I'm right there with you, man.
**Ryan Daub** (28:23 - 29:00):
Yeah. Yeah. Yeah. It's just like internal organizations too. Like the SOC is very, you know, the fatigue and all that. So a lot of our management, you know, they want to keep alerting down and noise down. So like if you're, that's another thing to consider too. If you're going into an internal, like look at the role, like exactly what they're asking for, if it's penetration testing or red teaming, because if you're doing the red teaming, it's obviously going to be a little more in depth and wide ranging. You're going to be doing more malware development, AV bypassing and all that for sure. And C2 infrastructure. So.
**Kyser Clark** (29:00 - 29:42):
And for the audience, so we always mentioned red teaming and I never really clarified it up to this point, if you've listened to every episode. So if you're unsure, like what red teaming is, red teaming is really threat actor emulation, whereas pentesting isn't so much threat actor emulation. It's more just like testing and quality assurance of cybersecurity controls. Whereas red teaming is advanced exploits, advanced attacks, and it really tests the blue team's detection and incident response measures. And it's, it's, it's a true, it's a more true threat actor simulation compared to a pentest. It's a little more in depth if you are wondering. All right, Ryan. So let's go ahead and do the final question here. So do you have any additional cybersecurity hot takes or hidden wisdom you would like to share?
**Ryan Daub** (29:42 - 30:09):
Just general wisdom, getting back to what I said before, just throughout your journey, try to envision yourself in a role, really think critically, even between industries of what you want to do. Document all the work you do at home, put it on your resume, get it out there, show people and, you know, just continue to learn and you just got to keep at it and not get discouraged. It'll eventually come. It just takes some time and anybody else is capable of it.
**Kyser Clark** (30:09 - 30:52):
Great advice. And that's one thing I like to tell people like, yeah, you're not going to learn everything right away. It takes a long time. It takes consistency, it takes discipline, and you need to focus on getting 1% better every day. And it doesn't feel like you make progress. But if you get 1% better every single day, over the course of a year or two, you're going to make a lot of progress. And between the days, it doesn't feel like you made a lot of progress. But you add, you compound that over a year or two, then you look back and you're like, wow, I was only studying for, you know, two hours a day. But I've learned so much, you know, so that is that's really good advice. Yep, yep. So Ryan, where can the audience get ahold of you if they want to connect with you?
**Ryan Daub** (30:53 - 31:12):
Pretty much LinkedIn, I'm on LinkedIn, I try to stay active as much as I can on LinkedIn. So feel free to send me an invite, reach out, DM me willing to help anyone. I'm happy to give advice, tips, or technical questions, even whatever comes my way, just reach out and let me know. I'll be happy to happy to help.
**Kyser Clark** (31:12 - 31:49):
And that's what I love about our industry, man. We have so many people that are willing to help out. That's, it's great. There's a lot of information out there. And if you're new to the field, and you're trying to break in, just just ask people questions. And when you do that, you'll be surprised, you're gonna get some really in-depth answers. Because that is knowledge sharing is a very critical part of our profession. And for those who have experience, I would, you know, if you're not sharing information, then I would recommend sharing information, because it helps you out either if you're asking or if you're helping people. So that's what that's one great thing about our field that I really, really love. Yep, absolutely.
**Ryan Daub** (31:50 - 31:50):
No doubt.
**Kyser Clark** (31:50 - 32:06):
All right, Ryan, thank you so much for taking your time and doing this podcast recording with me. It was great. There's a lot of a lot of insights and a lot of wisdom that you shared in this episode. So I, I believe the audience is getting a lot of value out of this episode. So thank you so much for taking your time and doing this with me. Thank you.
**Ryan Daub** (32:06 - 32:14):
And likewise, I really appreciate the opportunity. And hopefully we can maybe do this again sometime or at least keep in touch and it was a good podcast.
**Kyser Clark** (32:14 - 32:28):
And for the audience, the best way to reach me is also LinkedIn. I'm on there all the
time. And if you want to connect with me, you can also check out my website at kyserclark.com. Thanks for watching. And if you haven't already, check out the other episodes. Until then, this is Kyser signing off.