The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
The Hacker's Cache
#12 Why OSCP Might Not Be Worth It - A Surprising Take by Evan Isaac
Kyser Clark and Evan Isaac discuss their experiences and insights in cybersecurity. They cover topics such as certifications, content creation on LinkedIn, web hacking resources, job searching advice, and the importance of offensive and defensive cybersecurity skills.
Connect with Evan Isaac on LinkedIn: https://www.linkedin.com/in/evan-isaac/
Takeaways
- Certifications like OSCP and eWPTX are valuable in cybersecurity, but other certifications like PMPT and CPTS are gaining recognition.
- Creating content on LinkedIn and other platforms can help build your personal brand and network in the cybersecurity industry.
- Web hacking resources like PortSwigger Academy, TryHackMe, and Hack The Box are great for learning and practicing web application security.
- When searching for a job, networking and building connections are crucial. Contact recruiters and professionals in the field, and consider posting content to showcase your knowledge and skills.
- Both offensive and defensive skills are essential in cybersecurity. Gaining experience in blue team roles can provide valuable insights for red teaming and penetration testing.
- Stay consistent, never give up, and continue learning and growing in cybersecurity.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Kyser Clark] (0:00 - 0:01)
Most overrated cybersecurity certification?
[Evan Isaac] (0:01 - 0:03)
The OSCP.
[Kyser Clark] (0:03 - 0:07)
You said OSCP and I did not see that one coming. Honestly, I did not see that one coming.
[Kyser Clark] (0:07 - 0:12)
What would you say to the people that might have a couple certifications and they're both they're not they're not getting any job offers?
[Evan Isaac] (0:12 - 0:28)
Rule number one is to stay consistent and never give up. The job market sucks right now. I'm just going to be honest, like it is so brutal.
You never want to lie on your resume. You never want someone to ever, you know, go out of their way to take the exam for you. It can only leave problems for you, not for the other person.
[Kyser Clark] (0:28 - 1:54)
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one bite at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, hello. Welcome to The Hacker's Cache. My name is Kyser Clark.
I have six years experience in cybersecurity, and I currently work as a full time penetration tester. Today I have Evan Isaac, who has done four separate cybersecurity internships for about two years combined, did about a year and a half of tutoring and teaching assistant and currently works as a full time offensive security consultant. And he's been doing offensive security for about two years now for education, has a bachelor's degree in cybersecurity and networking.
And for certifications, Evan has the OffSec Certified Professional, that's the OSCP, the I&E Security Web Application Penetration Tester Extreme, that's the eWPTX, the I&E Security Certified Professional Penetration Tester, the ECPPT, and the I&E Security Junior Penetration Tester, that's the EJPT. And fun fact, he passed V1 and V2. So Evan, thank you so much for taking your time and doing this with me and having this conversation with me.
Go ahead and unpack your experience and walk me through your background and introduce yourself to the audience.
[Evan Isaac] (1:55 - 2:36)
Sounds great. Thank you so much for having me. This is an incredible opportunity.
So my name is Evan Isaac. Sometimes people call me a tennis player. Derives from me back in the day when I used to play tennis.
I used to play tennis in high school and I was a tennis player. I'm from Long Island, so player needs to come into the mix. Again, I do have two years of experience, full time.
I'm currently a senior offensive security consultant and the lead web app penetration tester at a cybersecurity firm. I have taken my OSCP and successfully passed. I give out tips and tricks on LinkedIn every Tuesday at 10 a.m. and I continue to educate and inspire other people trying to break into the cybersecurity industry.
[Kyser Clark] (2:36 - 2:54)
Perfect. That's exactly what I like to do. That's literally my mission statement, educating and inspiring people to help them break into cybersecurity.
That's one of the main reasons why I started the podcast. It's good to see that you're also putting out content on LinkedIn. So what kind of content are you putting on LinkedIn specifically?
Who's it for?
[Evan Isaac] (2:55 - 3:34)
It's for everyone, really. So sometimes it's more advanced stuff. So sometimes I'll talk about a bypass technique.
Other times I'll talk about how to break into the cybersecurity industry, like how to start a Linux server or how to go about running Nmap. Something as simple as that. But then we could also start talking about different kinds of penetration testing, like web application security, internal, external, mobile, anything that you can really think of, I normally talk about.
Now, my primary focus is web application security. So I try to focus mainly on that. But there are other times, for instance, when I was doing my OSCP series, I would start talking about Kerberos thing and ASRep roasting.
[Kyser Clark] (3:34 - 3:50)
With the OSCP, that's like, you know, probably the, well, it is the most in-demand certification in our field. So do you have any OSCP tips that you have that you haven't heard anywhere else that, you know, people might not hear from other creators out there?
[Evan Isaac] (3:50 - 4:18)
There's some fantastic blogs out there. Yeah, I really can't say much more than that. What I will say as just a pro tip is take your time and relax.
I know that when I was taking the certification, I was extremely nervous. I was terrified and I would always get up and move around. Now, that's a good thing, right?
Because that shows that you are human. But at the same token, it is an exam and you want to pass your first try. So being able to take a step back and do your standard enumeration can eventually lead you to success.
[Kyser Clark] (4:18 - 5:13)
Yeah, that's good advice. For me, I was pretty relaxed beginning. I was like, oh, I got 24 hours here.
There's no sense in rushing. But then when I got, you know, halfway through the day, I'm like, oh, my gosh, I am. I am not having as many flags as I thought I would at this point.
And I started, you know, my adrenaline started going a little bit. But, you know, it's important to to stay focused and really stay glued to the screen, which I did a live stream on Sunday. Someone asked me about what's the tip when it comes to enumerating OSCP.
And I came up with this brand new tip. I was like, get a comfortable chair. That way, you don't have to get up and walk around as much.
I was like, that was that's honestly was like one of the reasons why I was able to pass OSCP because I could just sit there and stare at the screen without having to get up and move around too much. So I don't know if it's a it's probably not the most healthy advice, but if I didn't stare at the screen for 15 hours, I wouldn't have passed because it really took me that long to pass OSCP. It's a very difficult exam.
[Evan Isaac] (5:13 - 5:33)
I was also having trouble and I've been doing, you know, I've been studying penetration testing for close to four to five years now. Yeah. So when I saw that I wasn't getting anywhere, I was like, all right, I got to take a step back and just relax myself.
And once I did that, I found, you know, some other things. And eventually it led to a successful submission of the OSCP.
[Kyser Clark] (5:33 - 5:48)
All right, let's go ahead and get our rapid fire questions. So for the new audience members, Evan's going to have 30 seconds to answer five questions. If Evan answers all five questions in 30 seconds, you will have a bonus six question.
So, Evan, are you ready for the rapid fire round?
[Evan Isaac] (5:49 - 5:49)
Let's give it a go.
[Kyser Clark] (5:50 - 6:00)
Your time will start after I stop asking the first question. Here we go. Most overrated cybersecurity certification.
The OSCP. Favorite command. LS.
Favorite security conference.
[Evan Isaac] (6:00 - 6:01)
RAICESCON.
[Kyser Clark] (6:01 - 6:03)
Most annoying cybersecurity myth.
[Evan Isaac] (6:03 - 6:08)
That you need to be good at a specific subject in order to be successful in the industry.
[Kyser Clark] (6:08 - 6:09)
Most important quality for a hacker.
[Evan Isaac] (6:10 - 6:11)
Knowledge and consistency.
[Kyser Clark] (6:11 - 6:41)
Boom. That was 28 seconds. Let's go.
You did it. That was the third person to do it. It's incredibly hard to do all those in 30 seconds because some of those questions are kind of hard.
So, yeah, congrats, man. Let's go ahead and do the bonus question here. And you can take as much time as you want on this.
You can provide a light explanation to this if you want. This is not cybersecurity related. It's just for fun, so no pressure.
Here's a question. Is it okay to eat the pizza crust first? Yes, if you want to get your hands dirty.
[Evan Isaac] (6:41 - 6:42)
That's all I'll say about that.
[Kyser Clark] (6:43 - 6:50)
I don't think it's okay. You can do it, but I'm not... I'm going to judge you a little bit.
I'm going to be like, what are you doing?
[Evan Isaac] (6:51 - 7:03)
You know, it's a little strange in my opinion. I'll get judged immediately because I don't eat pizza. Fun fact about me.
I don't like mozzarella cheese. Yeah, I'm from New York too. So it's a bit contradictory.
[Kyser Clark] (7:04 - 7:34)
They're going to kick you out. They're going to kick you out of the state for that. We're going to have to cut that out of the podcast.
So I don't... I feel for your safety now. All right.
Well, I think your most interesting response was most overrated cybersecurity certification. You said OSCP and I did not see that one coming. Honestly, I did not see that one coming.
You know, when I think of that question, honestly, I think CH. But you said OSCP. So I want to hear why you think the OSCP is the most overrated cybersecurity certification.
[Evan Isaac] (7:34 - 8:57)
Yeah. So when I took the course material, I didn't really go through the course. I really did the exercises.
And as I was doing the exercises, if anyone doesn't know what the exercises are, while you go through the course material, you have different exercises that you need to do. And in order to get the bonus questions, you need to do 80% of each section to get those bonus points. So as I was going through the course material, I was skimming through it.
And I realized that a lot of the material really wasn't anything new, especially for someone breaking into the cybersecurity industry. You could easily find things on, you know, Hack the Box for a lot cheaper, or even on YouTube. Yeah, there's a ton of great YouTube channels that go through Kerberoasting, ACE, Reproasting, you know, basic enumeration with that map.
And I realized that this course, I don't believe is really worth the $1,600. So as I was going through the exercises, I also realized that it took a lot of time to spawn up all of the different kinds of labs, which was not really appealing, considering that you have such limited time for the labs that you want to get done. In addition to that, doing the labs were fantastic, but they really don't show you how much pressure there is when it comes to the exam itself, right?
You have someone watching you, you have someone proctoring you, you have someone looking after every command that you do. So being able to be under that stress is completely different than just doing the labs. I think it just gave a false narrative to what the exam actually is.
[Kyser Clark] (8:58 - 9:14)
Yeah, I mean, that's a fair assessment. I mean, so when did you pass OSCP? A few months ago, I think three months ago.
So did you do the OSCP mock exams in the lab environment? Yes. So would you say those still doesn't simulate the exam very well?
[Evan Isaac] (9:15 - 9:52)
They do simulate to an extent. You know, again, the pressure is really on when you're being proctored, you know, because for whatever reason, right, whenever I get watched, even especially right with the podcast, getting watched and having other people see you is way more nerve wracking than you just performing your daily tasks. I perform penetration tests every single day in my job.
So having that ability is completely different than having someone watch over you. That's why whenever it comes to shadowing, I enjoy teaching rather than someone shadowing me and like criticizing everything that I do. It's just a completely different, you know, way of testing.
[Kyser Clark] (9:54 - 10:18)
Interesting. Yeah, I never, I never thought of it that way. I mean, I've done a lot of proctored exams.
So I was used to being watched at that point because I mean, I've passed, I have 13 certifications. So I've been proctored several times and I have been watched a lot during exams. So that I didn't really know that was a part of the testing anxiety experience.
So that's good to know. I didn't realize that was a, could be an issue with some people. So that's good to know.
[Evan Isaac] (10:19 - 10:56)
I'm not saying that the proctoring is bad. Proctoring is very much necessary in regards to legitimacy to make sure that someone isn't cheating on the exam, which again is extremely important, especially when it comes to cybersecurity. You never want to lie on your resume.
You never want someone to ever, you know, go out of their way to take the exam for you. It can only leave problems for you, not for the other person, whether it be you being banned from OffSec or from SANS or one of these proctoring companies or just not even being able to get a job, right? It's extremely challenging to get a job if you cheat.
So proctoring is extremely important. However, it does lead to some anxiety for some people, myself included.
[Kyser Clark] (10:57 - 11:43)
Yeah, I can see that. I can see that a hundred percent. So you was talking about like the course material in the OSCP wasn't, you said you had to use like external resources like Hack to Box and other courses out there.
And you mentioned the price tag of the OSCP. And I agree with you with that. You know, like it is, you can get the same and probably even better education for less money.
But I think the power of the OSCP is really that certification because that's what hiring managers and recruiters are looking for, unfortunately. And they're kind of like stuck in their ways, you know? So what do you think when it comes to like, do you think we'll ever see a time where, you know, the OSCP isn't the most prevalent certification on a job posting?
[Evan Isaac] (11:44 - 12:15)
I believe so. I think the PNPT is definitely going to come into play here soon with TCM security, as well as the CPTS from Hack to Box, I've heard is also very, very good. So there's a bunch of different exams that you could take.
You know, it's not always OSCP, OSAP, but yeah, like you said, a lot of people are still looking for that OSCP. So until we start to see more of those certifications like the PNPT or the CPTS or the CRTO start to play a role, I think it's going to be difficult to challenge the OSCP.
[Kyser Clark] (12:16 - 12:35)
Here's my thing with the TCM. So I know TCM doesn't do proctored exams. We were just talking about how important proctored exams was in preventing cheating.
And TCM doesn't do proctored exams. Do you think that's a problem? And do you think that's preventing them from being like, you know, the top level certification?
Because how can we trust an unproctored certification? You know what I mean?
[Evan Isaac] (12:35 - 13:07)
Definitely. Yeah, I think that's definitely part of the problem that they have. Also that they just changed their model a little bit where you have to renew the certification.
Every three or five years, if I'm not mistaken. But you also have to go through that interview at the end. So if you didn't take the exam, you're not really going to know what you're talking about.
They can ask you any question like how did you perform the OSINT? How did you find the website? What did you do?
What was your methodology? All that stuff. So if you don't do the exam, you're not going to be able to answer those questions.
And they're going to know something fishy is going on.
[Kyser Clark] (13:08 - 13:18)
So they do have an interview at the end of every exam. I thought that was just for the career ready professional. They do that for all the exams now?
Yes. Oh, wow. I didn't know.
When did they change that?
[Evan Isaac] (13:20 - 13:29)
I think when PMPT came out, I'm pretty sure you had to do like a debrief with some of the technical folks that created the exam to go through your methodology and the report itself.
[Kyser Clark] (13:30 - 13:55)
Oh, okay. I did not know that the debrief was part of that. I guess I didn't look into it too much.
So that makes sense. I mean, that's probably a good way to prevent cheating. Obviously.
And maybe you don't need a proctored exam. If there's a debrief, you have to sit with an actual human being that knows that environment inside and out. Then yeah, there's no way.
So that makes sense. So that's good to know. Is the CPTS from Hack the Box?
Is that one proctored? Do you know?
[Evan Isaac] (13:56 - 14:17)
I am not sure. I do know a few people that have taken it and they've said that it's an extremely difficult exam. Someone recently told me that they took 20 days to take the exam because you have a free retake.
So he took 10 days. He knew that he was going to fail and then he took the other 10 days and just completed in 20 days, which is kind of funny. You know, take an exam for almost a month is pretty comical.
[Kyser Clark] (14:18 - 15:14)
That's what a strategy, though, because I know you get 10 days and it seems like a long time, but I haven't done that certification. But yeah, I mean, that's a strategy. Take your free retake right after.
That's a really good idea. 10 days or 20 days block to block off the world, I guess, is for an exam. That's a commitment.
It's hefty. That's for sure. Yeah, and everybody that talks about the CPTS, everybody that I know who has it speaks really, really highly of it.
And a lot of people say it is better than OSCP is in terms of like real world skills. So now I want to get into consulting with clients. So you are a consultant and I had a request from a viewer slash listener and they wanted to know more about how does consulting with clients look from start to finish?
How does a kickoff call look? How does checking calls look? How does a wrap up call look?
Can you kind of explain that whole process?
[Evan Isaac] (15:15 - 18:38)
Yeah. So for the most part, what you'll do, at least for the kickoff call, is you'll just go through the application. Now I'm going to talk from a web application security standpoint, since I don't really do a ton of internal, external.
So bear with me. With web applications, you're going to want to ask a ton of questions in regards to the API that they're using. Are they using GraphQL?
Are they using a MySQL database? Are they using a NoSQL database? What exactly is going on in the backend?
What frameworks are they using? In addition, just scope out the web application, right? Go through it with the client.
Tell the client, hey, is there a way where you can go through the application step-by-step just so I have a clear understanding of the functionality? Because you don't want to go in blind. If you go in blind, there's a chance that you're going to miss an endpoint that could potentially lead sensitive information.
And the client is not really going to be too happy if you miss that endpoint. So you want to make sure that you find all the endpoints that the client is referring to. Additionally, if they have, let's say, a GraphQL database or a schema, as other people call it, you want to make sure that they have, let's say, introspection disabled, right?
So something that you'll ask inside of the, you know, inside of the kickoff call will be, in your GraphQL configuration, is there anything that we need to know before we get started with the test? Sometimes they'll say, yes, we have introspection disabled. Other times they'll say, nope, everything looks good.
If they do say that, then you can go in and check for GraphQL introspection. If it's enabled, well, you have your first finding, and then you can go on to start enumerating it a bit more and see what other endpoints there are. In addition, you're going to want to ask basic questions like, is it going to be a production environment?
Is it going to be a staging environment? Is there a WAF involved? Am I going to get emails?
How many roles are there? You know, just being able to really understand the application before it even starts is crucial, especially when it comes to a kickoff call. During the penetration test itself, you're going to be sending out start and stop notifications.
You're going to be communicating a ton with the client to let them know what is going on. If you find a high or critical vulnerability, you'll most likely be messaging them constantly saying, hey, here's the vulnerability. Here's how we found it.
Here's the payload. Let us know when you remediate it, and we'll get back to you whether or not it's been fixed or if we were able to bypass your filtering system. After the penetration test is over, you'll move on to the reporting phase.
Now, depending on what your company uses, whether it be Plextrack, AttackForge, SysReptor, PawnDoc, any of the reporting tools, or even just manual WordDoc, you'll write up the report. It'll go through Quality Assurance or QA, and then you'll send it off to the client as a draft report. During that time, you'll have a debrief call where you'll go over the report with the client, see if they have any questions, any concerns regarding the ratings or severity of each vulnerability, and then you'll mark it as a final report.
Now, depending on the scope and the agreement that the company's made, there may be a chance that you'll have some retesting hours. All this retest does is goes through the vulnerabilities that you previously found on the initial test just to verify that all of the vulnerabilities were properly configured correctly and they were remediated, and that's a retest report that you'll send. So all in all, you'll get most likely three reports from the vendor.
You'll get a draft report, a final report, and a retest report sent over to the client.
[Kyser Clark] (18:40 - 19:49)
What a great explanation. I don't even have anything to add there. That was one of the best explanations I ever heard for how a client engagement works from start to finish, so good job, and thanks for providing the insights.
And hopefully that helps everybody out there who is kind of curious on that because that's half the battle as a pen tester is you gotta provide value to clients. You're not gonna hack away in your basement all day, every day. You have to turn your microphone on, turn your camera on, and explain these findings and get information out of them.
And yeah, it's definitely a huge part, and the better you do that, the more likely they're gonna repeat business with you and build a relationship with you. Definitely. So you are a web hacker, and I wanna know what are some of the best web hacking resources out there?
What's the best places to learn how to do web hacking? Because we're talking about the OSCP, and that's not really a web hacking certification, so I can understand why you don't think it's as useful as maybe as a network tester. Yeah, I wanna know, what's the best place to learn web hacking, in your opinion?
[Evan Isaac] (19:49 - 20:54)
I would say Port Swigger is obviously number one. They are the creators of Burp Suite. So they have everything related to web application security.
They have fantastic labs that you can get for free, as well as Over the Wire. I forget the exact gamified lab that they have, but they also have a fantastic way to learn web application security. Also just following a bunch of people on LinkedIn or on YouTube, or myself on LinkedIn, right?
Again, I go through some of the web application tips and tricks. Jake Murphy has some fantastic things. He was my mentor for a while over at my current employer.
So he has some fantastic tips. I believe he has a website called webhackingtips.com as well, which is funny. So he does have content there as well, if you wanna learn some advanced web application security testing.
And just really exploring Google, honestly. Asking ChatGPT if you like AI, just to see how do you perform an XSS attack? How do you remediate an XSS attack?
Fantastic way to learn cybersecurity.
[Kyser Clark] (20:54 - 21:03)
And what certifications do you think are the best for web hacking? If someone wanted to prove competency to an employer, what are the top web hacking certifications in your opinion?
[Evan Isaac] (21:04 - 21:45)
So I'll say the eWPTX definitely opened my eyes to a lot of bypass techniques. Now the eWPTX is a bit outdated. So just be wary that the lab environment is a bit unstable.
But once you get the certification, you'll feel proud to get the certification because it is a very tough exam. Another tough exam that I've heard that I've yet to take is the OSWE. So that's the Offsec Web App Expert.
And they go through white box pen testing where you have to go in, look at code, but also identify the vulnerabilities in that code, chain them together and exploit them. At the end, you'll have to create an exploit framework basically, where it's just a one click exploit script.
[Kyser Clark] (21:46 - 22:10)
Nice. And with the Web Application Penetration Tester, Extreme. So with that certification, is it very similar to like the EJPT?
Because I've only done the EJPT for I&E security. And that one was like, you get in an environment and there's, obviously everything's hands on, but there's some multiple choice stuff. Does the Web Application Penetration Tester Extreme, does it have like the multiple choice type questions like the EJPT did?
[Evan Isaac] (22:11 - 22:52)
No. So the only certifications that have it are the ICCA, which is the Cloud Associate or Practitioner Cert from I&E as well as the EJPT. Those are the only two so far that have multiple choice questions.
And then the ECPPT, eWPTX and any of the other ones from an offset standpoint, I believe are hands-on where you have to submit a report. So this report is a professional report, right? With an executive summary, technical findings, understanding the vulnerability describing, remediating all that other fun stuff.
So definitely worth checking out. I&E is a tad bit expensive. I believe it's like 750.
So a bit expensive, but you do get all the course material on the platform, which is a pretty good deal.
[Kyser Clark] (22:53 - 23:42)
Yeah, and I really liked the Junior Penetration Testing course that they had there. I felt like that's pretty much what I used to pass OACP. If it wasn't for that, then I wouldn't have passed OACP as fast as I did.
Cause I did, I passed OACP on my first try in three months, which is a lot faster than most people. But the reason why it was so fast is because I spent two months working on eJPT prior to that. You know, so I did really like the I&E security training.
I thought it was very streamlined and it was a good training. So that's good to know because I was considering going after some of those web application certifications from I&E. So what do you think about like catch the flags in web app hacking?
So do you think like Hack the Box and TryHackMe is going to teach web app hacking too much? How do you feel about Hack the Box and TryHackMe?
[Evan Isaac] (23:43 - 24:36)
I think they're fantastic. You know, that's how I started. I started out with TryHackMe and slowly moved to Port Swigger.
Hacker, you know, Hack the Box, not so much. Just because I feel that yes, they do still give off that same vibe when it comes to you have to exploit a web application to get into the internal system. And then from there you can do privilege escalation.
But TryHackMe is a bit more user-friendly in a sense that even, you know, someone who has no knowledge can really go in and do it. Whereas you have to pay a lot of money for Hack the Box to even get to the retired machines, which then have write-ups. So if you're an aspiring cybersecurity professional looking to break into penetration testing, I would strongly encourage you to look at Hack the Box first, sorry, TryHackMe first and then Hack the Box later because Hack the Box is way more advanced, I feel, than TryHackMe.
[Kyser Clark] (24:37 - 25:30)
Yeah, I agree 100%. That's why I tell people to do TryHackMe first, especially do the free stuff on TryHackMe. And then if you finish that, then start paying for TryHackMe.
And then once you finish all the offense security paths or what are they called? Yeah, learning paths. And then you graduate to Hack the Box.
And that's what I did. And that's what I recommend people because a hard room on TryHackMe is easier than an easy box on Hack the Box, at least in my opinion, from my experience. I agree.
So you're talking about the Portswigger Academy. So there is also a Burp Suite certification. Do you think that's worth getting for someone who wants to get into web hacking or do you think those other certifications from INE Security and OffStick are better to pursue if someone had to pick just one certification?
How do you feel about the Burp Suite cert?
[Evan Isaac] (25:30 - 26:19)
Yeah, I haven't heard too much about the Burp Suite. Certificate, so I don't really know a ton about it. I do know that it is advanced.
Yeah, a lot more advanced than the EWPT from INE, right? You really need to understand all of the labs going into Portswigger. In order to even take the exam, you need to complete all the labs, even the advanced ones.
So yeah, that kind of gives you a scale of how difficult it is. I would say to stick with OffSec, which again, I'm going to contradict myself just because again, they're relevant. INE is slowly creeping up there.
There's still a lot of work that needs to be done, especially on their eWPTX track and EWPT. But I do believe that they're slowly revamping all the OffSec certs. So hopefully we'll hear something soon from them and maybe there'll be a contender against the OSWE.
[Kyser Clark] (26:19 - 26:47)
What are some things, like some job searching advice that you could give someone that's trying to break into their first role? Because it's pretty hard. The job market's incredibly difficult right now, at least I think it is.
I think it's definitely, from what I know, it seems like it's harder now than it was in past years. So what are some job searching tips that you could recommend? And what would you say to the people that might have a couple certifications and they're not getting any job offers?
[Evan Isaac] (26:48 - 29:47)
Rule number one is to stay consistent and never give up. The job market sucks right now. I'm just going to be honest.
It is so brutal. I get people messaging me being like, do you have any job for me? I'll take anything in cybersecurity.
And I'm like, I don't. It's just so tough right now. Companies are, I don't know what's really going on in the industry at the moment, but companies are just not hiring as frequently as they used to.
So what I'll say is definitely continue connecting with people either on LinkedIn or on Discord. I find Discord to be a fantastic resource. There's a ton of fantastic servers out there like Republic of Hackers, which that's my Discord.
But we basically help people with their career and break them into cybersecurity. Another great one is the John Hammond Discord, where they just go through a ton of different resources to help you break in. I'm sure there's a ton of different recruiting, you know, Discords out there.
But if you want to go down the LinkedIn route, I'll say this, look for small businesses or look for recruiters in the industry who you can start talking to. Whether you want to take a job with them or not, just being able to connect with them, speak to them and understand what they're looking for is better than just randomly applying. Because if you start to create friendships and you start to create connections with these people inside of the company, they'll think about you more.
Where let's say you want to get into a penetration testing position and you want to go to Bishop Fox. What I would do is I would look for a recruiter at Bishop Fox and I would just start messaging them. You know, like, hey, how's it going?
I'm brand new to the field. I'm just trying to break into the cybersecurity industry. Do you have an internship position?
Or do you have any sort of associate position available at this time? Something very polite. And if they say no, be like, OK, thank you so much.
I look forward to speaking to you soon. In the next three months, maybe there's a position that comes out from Bishop Fox that says, OK, an associate penetration tester with one year of experience is what they're looking for. You'll go back to that recruiter and say, hey, I just wanted to touch base.
I saw that there is a brand new application out there. I'm still available. I just recently applied.
I really hope that you and I can work something out. Very polite, very straightforward, very simple. Don't start bombarding them with a ton of messages being like, hey, I need this job.
Like, if I don't get this job, I'm going to lose my like, relax. Yeah, take it easy. I know people that have done that and just gets them into deeper water than they already are.
So just relax, stay put and just continue to grow your network. That's how I started. I started the Discord simply because I didn't know where to go inside of cybersecurity.
I was trapped. I couldn't find internships. I was losing my mind.
I was like, I can't get into the field until I started the Discord. When I started the Discord, I was able to connect with professionals in the field. I was able to connect with a ton of fantastic, fantastic connections and they knew other people that were hiring.
It slowly led to more internships and eventually my full-time position.
[Kyser Clark] (29:47 - 30:39)
Nice, and you talking about, you know, don't go into interviews and say, hey, I need this job or I'm going to lose my house. So, you know, even if you are like, don't say that in an interview because you don't want to be desperate. And it's a big turnoff for hiring managers, for sure, and recruiters too.
And another thing that I would throw in there is LinkedIn is a powerful networking tool, but don't go on LinkedIn and complain about, you know, not finding a job because that's also has the same effect. People are like, you know, everyone's going to be like, well, he can't find a job, but why can't he find a job? And then they're going to look at the flaws before they see the good in you.
So I would not go on LinkedIn and complain about not finding a job. I see that a lot. And I'm like, I was like, you know, I'm not even a hiring manager.
I'm just like, man, what are you doing? You're messing it up. So do you feel the same way when it comes to like, when you see people like complaining on LinkedIn about how hard a job market is and stuff?
[Evan Isaac] (30:40 - 32:30)
Yeah, I definitely get a turnoff when that happens. I'm like, you know, I don't know how to help you if you're just going to start posting that stuff. So again, what I normally do is I'll just go out and I'll try to find some sort of position for that person.
I get a ton of people messaging me asking me for help. So I'll go out, I'll try to find a position that suits them the best or I'll help them revamp their resume to fit whatever they're trying to go into. Once that happens, I'll start to reach out to a few friends, you know, a few connections, see if anyone is hiring.
And if they are, I'll push them forward. But you need to be respectful. You need to understand that other people are also in line.
They're also doing the exact same thing as you are doing. They're trying to get that job in cybersecurity and it takes time. You know, I know some people who they went down the IT route first before they got into cybersecurity.
It's just how it is. It's really who you know, not what you know, unfortunately. Currently, I will say in this industry, you know, maybe down the line, things will change.
But as of right now, I think it's best to start networking, even producing content on LinkedIn. I started doing that about a year ago and now I have over 9,000 followers on LinkedIn. So just being able to go out of your way to help the community and share your experience, even if you have none, being able to go out and say, hey, look, here's the research that I did.
Or here's the trihack me room that I did. Here's what I learned from it. Here's my takeaway.
Something as little as that can really boost not only your motivation to learn more about cybersecurity, but it can show the recruiters that I'm willing to not only help out myself, but help out the community. I'm not selfish. Now it's not for everyone.
I know imposter syndrome is definitely a thing. So yeah, if you're too nervous to do that, maybe take it slow by posting once every month or maybe every three months, but just try to get your name out there a little bit.
[Kyser Clark] (32:31 - 34:05)
Yeah, I 100% agree with that. You talk about LinkedIn and creating content. That's actually how I got my current role.
I didn't even apply to my current role. I just, I put my open a work banner up and someone reached out to me and be like, hey, I see you post hack the box stuff every single week and I see you make content and it's awesome. And basically that's how I got my foot in the door with my current company.
So definitely, yeah, if you put stuff out there to help the community, people notice, and especially if you're consistent, people notice that. And that's one of the things that's helped me out the most because I didn't really know anybody in the field either. I was coming from the military and all my connections are still mostly in the military.
So I was like, getting out was kind of hard, but just making content helped me out a lot. And I definitely would agree with you there. It's like, even if you feel like you don't know that much, like if you spend an hour learning how to configure something, right?
You now know more than a lot of people. If you just share that experience, you can help out so many people because if you spend any amount of time, like you are gonna know more than somebody and there's people that are behind you, they're gonna play that content and they're gonna be like, wow, thanks for sharing that. And the newest content is always the most relevant.
So I always tell people, yeah, share your stuff because eventually I'm gonna be 10 years in the field and my OSCP recommendations aren't gonna apply anymore because I did it 10 years ago. But the person that just did it, that's when it's the most important.
[Evan Isaac] (34:06 - 34:46)
Definitely. Yeah, a great example is one of my buddies. I told him, I'm like, hey, just start posting things, something random.
Now at the time, he had an internship. I was like, just post something on LinkedIn. It doesn't have to be anything relevant to cybersecurity.
So I reviewed his post and he posted it and it turns out he got more likes than I've ever gotten on any post. He got over a thousand likes on that one post and he grew over a thousand followers because of it. And because of that, he's grown so many connections.
So just going out there and even posting once and see if it blows up. People wanna hear your experience. So even if you don't think that people care, they do.
They just want you to go out of your way to do it.
[Kyser Clark] (34:47 - 35:13)
Yeah, the cybersecurity community is very good about sharing information and supporting each other. We do have a very good community. It's not toxic.
I mean, there definitely is toxic in the community, but I would say compared to other communities, it's probably one of the most least toxic communities you can really be a part of. So that's really good about our field. So Evan, we're running out of time already and I wanna know, do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?
[Evan Isaac] (35:13 - 35:59)
Don't go for just red team roles. I see a ton of people looking for the red team, the offensive security team, trying to break into the penetration testing sector. That's not always the best case.
I started out as an information security analyst at a bank. So just take my word for it. It helped me a ton to learn more about the blue side, understand how I get detected in a pen test and then how to go about performing a pen test.
So being able to look at a SOC and saying, okay, here's the event log to log in, or here's an event log for lateral movement. Something along those lines, being able to detect and understand what's being logged can only make you a better offensive security operations individual.
[Kyser Clark] (36:00 - 36:22)
Great advice. I totally agree with you. And one thing I will add is I think in my opinion, I could be wrong on this, but I think there's probably more blue teaming positions out there than red teaming positions.
And I think the red team is a little bit more competitive because there's less available opportunities. So I think the blue team, in my opinion, again, is easier to break into than the red team side of things. Definitely.
[Evan Isaac] (36:23 - 37:02)
Yeah. I would say also, it was probably a bad term to say red team versus blue team. It's more of a defensive team versus an offensive team, just because red teams and penetration tests, completely different things.
And blue team can mean a ton of different things as well. So definitely just focus on what you believe you can accomplish. Anything cyber related will get you through the door.
Don't just hone in on a specific sector. If you want to go into the SOC, maybe look at pen testing. You may find it more fun or more beneficial for you down the line.
If you want to go into a CISO position, understand how a threat actor thinks. It may help you in the long run. So just really figure out exactly what you're looking for.
[Kyser Clark] (37:02 - 37:08)
Well, thanks, Evan. I appreciate you taking the time and doing this. Where can the audience get ahold of you if they want to connect with you?
[Evan Isaac] (37:08 - 37:17)
LinkedIn is the best place to connect with me. So I'm sure Kyser will put it in the description. But yes, LinkedIn is the best place to connect with me.
[Kyser Clark] (37:18 - 37:50)
And audience, LinkedIn is the best place to connect with me as well. That's actually how I contacted Evan. That is actually how I contact pretty much every guest on this show, because that's the place where people are at, in my opinion.
So definitely get on LinkedIn if you're not already on it. And my other place is KyserClerk.com. I put all my content there.
So if you want to check out my other stuff, KyserClerk.com is a place to go. Audience, if you haven't reviewed the show, leave a five-star review for the show that would support the show the most right now. Thank you so much for watching.
Thanks for listening. Until next time, this is Kyser, signing off.