The Hacker's Cache

#32 From Physical Security to Penetration Testing: Paul Nieto III's Journey

Kyser Clark - Cybersecurity Episode 33

Kyser Clark is joined by Paul Nieto, a seasoned penetration tester with over 22 years of experience spanning physical and cybersecurity. Paul shares his journey from physical security to offensive security, detailing how his curiosity and drive for challenges led to a successful career pivot. They discuss the importance of networking, the debate between being a generalist or specialist in cybersecurity, and why accountability and consistency are crucial for success in the field. Paul also offers actionable advice for transitioning into cybersecurity, including tips on certifications, skill-building, and leveraging conferences for career growth. Whether you're an aspiring ethical hacker or a seasoned professional, this episode is packed with valuable insights to elevate your career.

Connect with Paul Nieto III on LinkedIn: https://www.linkedin.com/in/paulnieto111/
Check out 0x3 Security on YouTube: https://www.youtube.com/@0x3_Security

Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

The postings on this site are my own and may not represent the positions of ...

[Paul Nieto III] (0:00 - 0:30)

There's hiring managers at both conferences. If you're going to go, and I tell people, I had a couple of people comment about being introverted, try talking to people at Target, going to the gym at just random people, Starbucks, et cetera. That's how you build up, that's a skillset to have.

 

Having that skillset is going to allow you into some places that people can't get in, right? Different circles, different areas. And those circles have other circles that can get you in.

 

Especially if you go on your own as a consultant or a business, that's avenues in, right? Because you're already known, you already have built those relationships and trust factors. So you have to take advantage of it and you have to build up that skill.

 

[Kyser Clark] (0:30 - 1:43)

Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one bite at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

 

Welcome to the show. Today I have Paul Nieto, who has 22 years of security experience. He started in physical security and is now in cybersecurity and currently works as a full-time penetration tester.

 

He also creates YouTube videos under the 0x3 Security channel. For certifications, Paul has the CBBH, the CPTS, the CRTO, the PNPT, the OSCP, and he also has the Dante and RastaLabs Pro Labs from Hack The Box. So Paul, thank you so much for taking your time to do this episode with me.

 

Go ahead and unpack your experience and introduce yourself to the audience.

 

[Paul Nieto III] (1:44 - 2:32)

Thank you, Kyser. It's a pleasure being here. My name is Paul Nieto.

 

I use the number three as my suffix just to keep my identity away from my dad, not that it's a bad thing, but I wanted to build my own self from where I'm from. Like Kyser said, I've been in physical security, workplace services, facilities, whatever they want to brand it as. I started in 2005.

 

Security as far as physical started in 2002 and pretty much has always been a hybrid in security, whether that's physical on the cyber side of things, building out physical security red teams, and then also finally making that transition in the last three years to the cyber side. And yeah, that's pretty much it. It's been my career and just been pretty consistent in trying to maintain and be ahead of the transit curves and learning and burying myself with certifications going forward.

 

[Kyser Clark] (2:35 - 2:39)

So why did you go from physical security to pentesting and cyber security?

 

[Paul Nieto III] (2:40 - 4:18)

I get asked that question a lot. The honest answer is the way my mindset was, and to give a little background and context, I've always been into the ethical hacking, offensive security side of things. In 1999, my junior year, I had San Jose PD show up to my high school because I used to boot people's DirecTV and Dish network cards.

 

So I've always been in that kind of mindset, concept, doing those type of things. So the thing why I switched is because the mentality of physical security is looked down upon as a red team, right? So let's just say an example.

 

If I'm doing a project management and I'm scoping out a system, a $3.5, $5.5 million system for a campus, for 500,000 square foot campus, the best practices for them is just spotting dots, access control cameras or access control readers, cameras, et cetera. That's it. Call it a day.

 

Root/root out of the box for your cameras, which are now IoT devices. So me, my mindset was, how can I break in and better harden these systems? While physical security mainly, and I am prior military, so I'm not talking crap, they have in law enforcement, they have that mindset where, oh, nothing's going to happen.

 

Why do you have that kind of mindset? Why do you think like a criminal? That was looked down upon.

 

And I didn't like that, right? So as a time hit by 2014, I had an opportunity to make that switch, but I didn't because I was comfortable. But overall, that is the reason why I did make that switch.

 

It just felt like I was just stuck and I couldn't advance anymore. And after a while, you can only do so much in physical security. It's just, you know, maintaining the machine pretty much at the end of the day.

 

[Kyser Clark] (4:21 - 4:46)

Yeah. Yeah. I can, I can understand why you want to pivot, especially like you said, with the military and law enforcement people saying, oh, why would you want to think like a criminal?

 

Like it may it's to me, it's obvious. Like, well, if you want to be your adversary, you have to think like your adversary. Yes.

 

But I can see why, you know, some people might not be able to think that way, which is unfortunate. So you got bored. So, so you kind of got bored with physical security.

 

Is that safe to say?

 

[Paul Nieto III] (4:46 - 5:11)

Yeah, I got bored, especially, you know, at the time of Box, when I finally made that transition, you know, COVID just pretty much just made the switch for me to move. And it was a perfect icing on the cake scenario. And I did it.

 

And I had a lot of people at Box that told me, dude, you should do it. Why aren't you pulling the trigger kind of thing? And yeah, I just, like I said, COVID made everything just happen.

 

And it just happened naturally.

 

[Kyser Clark] (5:13 - 5:48)

What would you say to someone? Because when you say you got bored with your career, I think that might resonate with a lot of people, especially me, like, how do I know I'm going to like pen testing for 30 more years? So when you got bored with physical security and transferred into cybersecurity, there's similarities, but there's also a lot of differences.

 

Like, how did you make the decision? Like, it's time for me to switch. And more importantly, like, how did you like deal with the reality of, like, kind of giving up everything you brought up to that point?

 

I mean, obviously, there's a lot of overlapping skills, but it's still a new industry, new field at the same time.

 

[Paul Nieto III] (5:49 - 6:42)

I guess for me, the thing that kept me going, and, you know, I see when I get bored, I'm gonna get in trouble, I'm gonna be at the bar hanging out with the girls, stuff like that, right? Like I said, physical security can only do so much, which is, which is the honest truth, it's going to stop, and it's going to top off. So the way my mindset is, and the way I think is I need to be challenged, where the red team and I already had that, you know, mindset doing stuff on the side as hobbies.

 

And also going in for my thought process for physical security, I needed something to challenge me every day. Now that on the flip side, that turns me into a crazy animal, because I'm constantly on Hack The Box, learning Sektor7 in the morning, C# for Zero-Point Security's CRTO II. So I'm constantly on the grind, being accountable and showing up.

 

So that for me, is what, you know, made that happen. But yeah, that's, that's the best I could say it.

 

[Kyser Clark] (6:44 - 6:51)

Okay, yeah, because it's another one or like, like, am I gonna be able to do, you know, cybersecurity and pen testing for 30 years?

 

[Paul Nieto III] (6:51 - 7:45)

Like, I keep telling myself, yeah, but like, the thing with that, so touch on that for some more context, where the difference is, is where cybersecurity and pen testing, red teaming, you know, whichever route you go, or even web for that matter, they're always going to change with technology. And that's changing so fast. So you're always like I said, you always have to be on top of the curves and the trends are also going to die off be legacy, right?

 

Whereas physical security, I mean, like I said, after a while, after you reach so much, I mean, you could do all branches of physical security, and that's it you plateau, right? Unless there's some active shooter or something crazy. And you've actually had that stress factor scenario where you can put that on your resume.

 

Other than that, I mean, you know, you can't really go so far. So as far as that, I don't see I don't see how someone could get bored. Now, if someone does get bored, it's either it's either a managerial problem or, and or a corporate or their, you know, their where they're working at issue.

 

[Kyser Clark] (7:46 - 8:19)

Okay, yes, I mean, that makes a lot of sense. You've you mentioned offline that, you know, some people ask you about your age, and how, how to transfer career fields in the cyber when you're older, what are the challenges you face? And what would you say to someone who, who might be older that wants to get in this field that's already an existing career field that's probably even more different than what physical security like, for example, let's say they're like a doctor, a lawyer, or like a construction worker, like something that's like, completely not related to cyber, what would you recommend to them?

 

[Paul Nieto III] (8:20 - 9:22)

Yeah, so let me I'll touch on a lot of people that come from my background, workplace services, facilities. Number one, you got project and program management, right off the bat, you got procurement, right? Cyber teams don't really have that they, unless it's a bigger organization, they'll have a PMO team.

 

So unless that happens, you know, you could bring that skill set and utilize that under the red team, under the blue team, etc., right? To do the procurement process for RFPs, for like bringing in CrowdStrike, SentinelOne, etc. So and then also, you know, the procurement side, working with whatever teams you have to work with within your organization to bring those companies in, vendors in, doing the GRC process, third-party security vendors, risk assessments, etc.

 

Right. And also managerial process. soft skills is big, right?

 

A lot of people in cyber security don't have that. They're real introverted, as we talked about offline. So that those right, there are skills that are key to bring into the table right off the bat.

 

[Kyser Clark] (9:25 - 12:06)

Yeah, yeah, we did talk about introverts and extroverts offline. And I told you, I'm introverted. It might shock some people because I got a whole podcast and stuff, but I am.

 

And one of the one of the best comments I ever got from one of my clients after I gave him a pen test was like, hey, you know, your technical stuff, but you're also you can explain it. Well, and I was like, wow, that's that means a lot to me. Because, yeah, you know, because it's not easy to talk to people, especially when you're talking about like, when you take complex security issues, and you boil down to something so simple.

 

But I would say that skill sharpened for me in the military when I was in cyber defense operations, which is mostly an IT role with like security baked in. And, you know, I have end user support. And I have to like, you know, someone in leadership calls me and like, hey, my whatever's not working, my email, my printer.

 

And I have to explain like, you know, why it's not working or and then fix it. And then or like, if I can't fix it, I have to explain why I can't fix it. I'm like, oh, there's like this thing that's in the way and this policy or whatever, you know.

 

So I got really good at talking to non technical people, because the first thing people would always tell me when they call my shop was like, I'm not good with this computer stuff. And it takes plans, though. That's how I built that skill.

 

I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member polls, loyalty badges for the YouTube channel chat, and priority reply to the YouTube comments. Of course, if you can't or don't want to become a member, that is totally fine.

 

I will always release the same free content you come to expect. And your support just by watching is more than enough to keep the channel going. But for those who do join your contribution helps invest into new tools, technologies and people to help the channel go further.

 

The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships. And as always, thank you so much for your support.

 

Moving on, let's go ahead and do the rapid fire questions. So for those who are new to the show, Paul will have 30 seconds to answer five questions. And if he answers all five questions, he will get a bonus sixth question not related to cybersecurity.

 

So Paul, are you ready? I'm ready. Let's do it.

 

Actually been practicing. This is a life hack, by the way, guys. I've been practicing, like just leave my phone in the other room, like not checking my room.

 

That's how you get work done, by the way, like do not put your phone and I don't have my phone here. So I'm gonna use my stopwatch on my computer. Just but yeah, phones, any other room, like ultimate life hack to get stuff done.

 

[Paul Nieto III] (12:07 - 12:07)

Oh, yeah.

 

[Kyser Clark] (12:09 - 12:34)

And that's why I don't reply to half people's messages, because I just, it sucks, man. I guess I'll get like, if I get in, like I'm in, you know, like I'm easily distracted. That's another topic for another day.

 

All right, here we go. Your time will start after I finish asking the first question. All right.

 

Paul, what is the best way to learn about new exploits?

 

[Paul Nieto III] (12:35 - 12:41)

The best way to learn about new exploits would be reading articles on Medium, in my opinion.

 

[Kyser Clark] (12:41 - 13:22)

Do you think passwordless authentication is the future? Yes. Favorite training platform?

 

Hack the Box. Is it better to be a specialist or a generalist? Specialist.

 

Are people born with hacking skills or are they learned? Both. You got 28 seconds.

 

That's pretty good. And that is obviously before 30. So you've unlocked the bonus question.

 

So the bonus question, completely unrelated to cybersecurity, and you can explain your answer as much or as little as you want to. So here it is. Is it acceptable to wear socks with sandals?

 

[Paul Nieto III] (13:24 - 13:37)

No. Coming from me being born and raised in California, no. I don't know how people do that in Texas, especially in the summer.

 

It makes no sense to me. Yeah, that's definitely a no. I just don't get that in the summer, especially.

 

It makes no sense.

 

[Kyser Clark] (13:39 - 14:14)

Yeah. Yeah. I'm not a fan of it either.

 

I think it's a little weird when I see other people doing it. I've never personally done it. Matter of fact, I don't really wear sandals at all.

 

I usually avoid it. I think the only time I ever will wear sandals is if I'm going to the beach, which as someone who lived in Ohio for their first 24 years of life and someone who lived in Alaska for the last four years, I haven't been on the beach much. I went on a few vacations, but yeah, that's the only time I ever wear sandals.

 

I would say if I'm going on the beach, I'm just not a sandals person, but it's usually, I mean, it's like seven degrees outside right now. It's like not sandal weather.

 

[Paul Nieto III] (14:15 - 14:20)

I'm more flip-flop, but not not sandal or the slides, whatever they call them. Yeah.

 

[Kyser Clark] (14:20 - 14:30)

Yeah. Slides and flip-flops. I mean, to me, it's, it's all sandals.

 

I guess I think they're all flip-flops and all slides are sandals, but not all sandals are slides and flip-flops.

 

[Paul Nieto III] (14:31 - 14:39)

Yeah, definitely no socks with flip-flops. I don't know how people do that either. That feels like it'll hurt, but all right.

 

[Kyser Clark] (14:39 - 14:51)

So I think your most interesting response was you said best way to learn new exploits. You said medium articles for me.

 

[Paul Nieto III] (14:51 - 15:08)

Yeah. That's how I started to learn them. Yes.

 

Yeah. Cause I was doing that on my, really on my own. I had a friend go over, go over them with me for a while.

 

But yeah, I just started digging in, learning them and then going to the GitHub route, going on YouTube then reaching out to friends if I needed help with anything.

 

[Kyser Clark] (15:11 - 15:28)

No, one. So when you say Medium articles, are you referring to like, like brand new exploits, let's say like CVE-2025-whatever, you know, like you're talking about like, like brand new exploits that come out like CVEs, or are you just talking about like learning new-to-you exploits?

 

[Paul Nieto III] (15:29 - 15:34)

Oh, like learning how to do it. Like I thought you were talking about learning how to do the actual exploit or like just learning about it in general.

 

[Kyser Clark] (15:35 - 15:40)

It don't. I mean, I'm just trying to figure out which one you like, which way you interpret. It don't really matter.

 

I'm just curious either way.

 

[Paul Nieto III] (15:40 - 15:44)

I was doing it from a starting off standpoint, like get breaking into it.

 

[Kyser Clark] (15:45 - 18:05)

Yeah. Okay. Yeah.

 

For me. I mean, I learned a lot through certifications. I'm just, I, I'm a kind of person.

 

I just need some kind of structure, right. Because certifications make me like, Hey, we're going to learn about this. I mean, it's like, well, why do I want to learn this?

 

And it's like, well, because I said so, if you want to get the search and you got to learn this. So certification, that's what it gets. That's one of the reasons why I like certification so much.

 

I don't have, I would say my curiosity is probably not as high as it should be as an ethical hacker. Cause I like, when I see those medium articles, I'm like, Oh, this is cool. But I don't, I don't dive into those like just for fun.

 

You know what I mean? I don't, I would only dive into those if like, if I want to pen test and I'm like, oh, you know, Nessus popped for this exploit. Let me see if I can find, you know, a POC code for this or something.

 

Or like if I'm on a cert exam, like I'm doing OSCP and I see like, oh, this version's out of date. Let me see if I can find a POC. And by the way, for those who don't know, POC is a proof of concept code.

 

So yeah, I would say my go-to certifications, but yeah, medium is a great way because people write a lot and explain things very well. And that's actually a good way to stand out from the crowd is just make content and make, make technical articles or videos or something. And then another question we're going to dive into is I want to do two for one this episode, because this was actually a question someone recently asked on my YouTube channel.

 

So the, is it better to be a specialist or generalist? And for me, I mean, I don't, I don't know if I'm a specialist or generalist, like I'm a specialist because I'm a pen tester and that's like what I do. And I don't want to, I don't want to be like cyber defense.

 

I don't want to be a network engineer or, you know, it's pen tester or nothing. But at the same time, I'm, I like to do web apps and networking. That's kind of, in a way, I'm a generalist.

 

You know what I mean? I like to do web apps and networking. So what can you say, like for, for people who are trying to become a pen tester and like, should they focus on only network?

 

Should they focus only on web apps? Is there, and what's the pros and cons to, you know, learning both or combining them as a single skill set?

 

[Paul Nieto III] (18:06 - 18:54)

Yeah. So for the generalist or specialist, again, I would do, I would start off with the least, the networking side, external, internal network and web apps. That for me, that's going to be the core.

 

You're going to utilize those for both. Now, if you want to get into like RFID, IOT hacking, that's more niche, more specialist. NFC, car hacking, et cetera.

 

So I would do that. If you're looking for that, I would go more of the specialist route. Now, if you want to up your career, going to a manager, even director level, then you're going to have to be the generalist, understanding those, being able to understand and present those vulnerabilities, findings, et cetera, in meetings to C-suite level.

 

So it depends on your career route where you want to go to, to be honest.

 

[Kyser Clark] (18:56 - 20:59)

Yeah. Yeah. And I like, I like being a generalist as in that, like I'm a network tester and a web app pen tester.

 

There's people on my team that are only network testers or only web app testers. And I believe I add a lot of value to my company because they can put me on either or, and that's mostly what we get to network in and web apps. I did do a wireless assessment for the first time last month, and that was really cool.

 

The OSWP was a good certification to learn how to do a web application, sorry, a wireless assessment. And being someone on the team that's like one of the only people that knew how to do wireless as I was, it came in clutch. And another thing that I might be looking into is getting the IOT hacking because we might have a client that needs IOT hacking and I might get the, I don't know what's the practical IOT hacking from TCM.

 

And so I'm thinking about getting that because my company needs it. And we have a customer that's going to want some IOT pen testing done and no one on our team has that. And I'm like, well, I'll step onto the plate and learn it.

 

I mean, that's a good one, by the way. That's good to hear because, oh, I still haven't heard anything bad from TCM. TCM, if you're listening to this, you're watching this, you're killing it.

 

I've never heard anybody say anything bad. Yeah, from my experience as well. The only thing I said negative about TCM security certs was that they just don't show up on a lot of job applications or job postings, which is true.

 

And I think it's going to change. I think like in the near future, I think it's going to change because everyone loves them. Like all the people in the field are loving them.

 

And as the people like who are getting in the field now, once these people start becoming managers, I think like once those people start becoming managers, the TCM certs are going to be in the job postings when people who went through that content start to post the jobs and start to do the interviews and stuff.

 

[Paul Nieto III] (20:59 - 21:10)

That's true. Yeah. And managers also need to start doing their own requisitions, not just having the HR recruiter or HR business partner copy and paste from what they see from their friends, et cetera.

 

So that's also another issue too.

 

[Kyser Clark] (21:11 - 21:33)

Yeah, that's it. Wow. That's a whole discussion itself.

 

It's like, yeah, because they're just copying and pasting job postings from their competitor. Like, what do we want? I don't know.

 

Yeah. The job postings are, I don't know, a little weird. And that's why networking is so important because if you're going to avoid the portal, especially at workday, dude, have you ever done an application on workday?

 

[Paul Nieto III] (21:33 - 21:34)

I do. Yeah.

 

[Kyser Clark] (21:35 - 21:39)

I'm not a fan of it. I don't know. Are you?

 

No, absolutely not.

 

[Paul Nieto III] (21:39 - 21:39)

It's the worst.

 

[Kyser Clark] (21:40 - 21:44)

They're like, give us your resume and then fill out the same stuff as already on your resume.

 

[Paul Nieto III] (21:44 - 21:49)

Also, if you do a PDF, it doesn't even upload correctly. You got to go back and change some stuff.

 

[Kyser Clark] (21:49 - 22:20)

Yeah. And then it's like, also you need to create an account for every company you apply to. Like, why can't you just keep my data one time?

 

If they just kill my data one time, then I could just use that same information, apply to multiple positions. Man, that was so annoying. And I hope I don't have to do that again.

 

So staying on the topic of web app versus network contest, what are you seeing more often in the real world? Are you seeing more networks or more web apps?

 

[Paul Nieto III] (22:22 - 23:02)

I'm seeing more web apps, to be honest, from where I'm at. Yeah, more web apps and API. Networking, it's there, internal, external, obviously.

 

But we're running tools like Horizon3. There's other tools like NetSPI, Pentera, now BreachLock, which is really good as well. But they're utilizing it, doing mainly more of the automation stuff.

 

However, it's not the end all be all, just to let that out there for everyone. So yeah, that's going to be mainly more from, at least from my experience, and in my opinion, web and API right now.

 

[Kyser Clark] (23:03 - 24:22)

Yeah, that's what I'm seeing. I mean, for me, it's almost 50-50. I feel like it's slightly in a favor of web apps and APIs.

 

And that's the reason why I started getting into web apps and APIs is because when I got my internship, my SkillBridge internship, I only had OSCP. And I did Hack The Box and nothing really to do with web apps. And they're like, hey, we need you to learn web apps.

 

And that's what prompted me to get into web apps. And it paid off for me because the company I'm at now, I got in a technical interview. And half the interview was networking-based questions.

 

And the other half of the interview was web apps. And the fact that I studied both disciplines really, really helped me break into my current role. Because I think having both opens up more doors for you.

 

But there is a lot of value in specializing because then you can be a true expert. Honestly, I don't think it's the right answer. It's really just what you want to do, I think, is the best way to approach it.

 

Yeah, I agree. I heard you you don't like multiple-choice certs. And I understand why you like practical certs.

 

Matter of fact, I've been pursuing practical certification myself. But for beginners, do you still think multiple-choice certs have their place?

 

[Paul Nieto III] (24:25 - 25:02)

I do, but not in pen testing. I would say that would be more for the GRC roles, just because that's going to fall under from previous experience in physical security, more business continuity, crisis management, disaster recovery. Because that's going to be more of a consulting role, because each organization is going to be different.

 

So you've got to have your baseline foundation. So for instance, GoPro is not going to be the same as Facebook, where they're not going to be the same as Apple. They're going to require different things, different audits, different compliances.

 

So I could see the multiple-choice there. But as far as pen testing, no, I don't see the value in it at all.

 

[Kyser Clark] (25:05 - 25:57)

Interesting. I think I do like multiple-choice certs for beginners, even if they want to be a pen tester, because if I didn't have a ton of certifications for a while before OSCP, I would have just not even been pursuing it. I would have been like, this is too much.

 

When I was reading through OSCP content, when watching the videos, when they say VPN, I already know what a VPN is. I know how it works. When they say TCP/IP, I already know what that is, just because I studied the certifications that were multiple-choice.

 

Plus, I wrote a report today, and I feel like because I read the books and because I understand the terms and definitions, I can write a better report. I think they have a place, but I can understand why you wouldn't like them.

 

[Paul Nieto III] (25:58 - 26:31)

For context, just to be clear, I say that because for an actual true beginner, there really isn't one off the bat, right? CEH is what, over three grand. SANS is over eight grand, eight, nine grand just for the course, plus you got to pay another eight, one grand for the exam.

 

Someone coming out of college or learning it out of high school, more than likely, they won't be able to afford that. If there was one true beginner cert that's affordable, like TCM, if they could pull that off, then I'll be all for it. For a beginner, hell yeah.

 

[Kyser Clark] (26:33 - 27:22)

Yeah. Okay. Yeah.

 

I see what you're saying. Yeah. And to finish what I was saying there, I definitely think if you only have multiple-choice certs, I don't think then you're really going to survive as a pen tester unless you've actually done some labs.

 

If you've done a hands-on stuff on your own and you didn't have a certificate, that's one thing. But if you think a CEH is going to land you a pen testing role, you're sadly mistaken. Exactly.

 

I thought the CEH was like, oh, that's not going to take it in. And then when I started doing more research, I was like, oh, this is not to take it in. Matter of fact, my CEH expires in 15 days and I'm seriously considering just letting it expire.

 

[Paul Nieto III] (27:22 - 27:23)

Got to get those reviews, right?

 

[Kyser Clark] (27:25 - 28:17)

Yeah. Well, it doesn't expire. They make you pay every year.

It's $80 a year. Oh, I remember that. Yeah.

It's $80 a year. And it's good for another year, but you still have to pay every year. And it's still the worst thing.

Why do I have to pay $80 for this? So, I think I'm going to ask my company, I'm like, hey, you guys want to pay for this? If they say no, I'm just going to let it go.

If they say yeah, then I'll keep it going. It's not a good cert. I don't like it.

Matter of fact, I have a meme video coming out here soon that's kind of going down a little bit. I'm looking forward to it. So, in your latest video on YouTube, you talk about conferences.

I didn't watch that video. Can you give me a review on what you're doing? Because in the video, I'm just going off the title.

It was like your 2025 conference plan. So, what are your 2025 conference plans?

 

[Paul Nieto III] (28:17 - 29:42)

Yeah. So, I like going back to the Bay Area because that's where I'm from. I call it my home and then I end the conferences at my home here at DFW BSides.

So, I like going to RSA, meeting with my old tech buddies that I used to work with, kind of get some quote unquote insider trading on what's going to happen with some of the tech industries, not stock market stuff. So, you know, and again, just like meeting everyone, you know, just catching up and stuff like that. And then also, you know, going to do some BSides in San Antonio, going back to Black Hat and DEF CON.

And I always tell people Black Hat and RSA are more of the networking, more managerial, more that type. Whereas DEF CON for me, I stated in my video, as soon as I get my badge, that's that day.

That's the final day of, you know, Black Hat. I don't drink alcohol because I take DEF CON serious. And this year, I'm going to be more involved, like doing some CTFs and stuff like that.

So, there's no happy hours or none of that stuff. And then after that, some BSides, like I said, I'm going to try to go to the Romania BSides with a couple of buddies, but I got to pull off a sitter. But pretty much in that video, too, what it's telling people is, you know, go to your local BSides.

You don't need to spend the money, you know, the two or three grand for Black Hat or RSA to network. Start off local. And that's pretty much what it does.

 

[Kyser Clark] (29:45 - 30:39)

Yeah. And I mean, everyone says go to conferences and I've only been to one conference and it wasn't even really like one of the big ones. It was AWS re:Inforce.

It's more of like a cloud security conference. And as a pentester, I just felt completely out of place. I didn't find a single other pentester there.

I was like, what do you do? I'm a pentester. What do you do?

Everyone's a security engineer, like, or a cloud engineer. And I mean, I had a lot of fun. It was pretty cool.

But I definitely need to make my way into some more pentesting and hacking conferences and like other cybersecurity conferences. So when it comes to conferences, like what is the value? Is it just networking?

Like, do you really get a lot of value out of it? Because I've seen some hot takes out there that say like people tend to not network as much as they think they're going to do.

And they just kind of stick with their friends.

 

[Paul Nieto III] (30:40 - 32:21)

Like, yeah, I don't do that. So for instance, Black Hat, that's usually when people have their roadmap or not people, companies like Horizon AI, that's when they're going to be released. So you get to see all those products before they're released, get to try them out, ask some questions and stuff like that.

Have some lunch and learns. So you get to see some of the new products coming out. And also they're going to envision sometimes they're down the future roadmap for the next year.

And they're also going to take customer feedback if you have questions, integration, stuff like that. So that's kind of key for me as well. As far as DEF CON, it's more hands-on, more learning, more experiences, learning more as a niche specialist, etc.

IoT, car hacking, etc. So you take advantage of that. And also key things too, there's hiring managers at both conferences.

So that's the other thing. So if you're going to go and I tell people, I had a couple of people comment about being introverted, try talking to people at Target, going to the gym, just random people, Starbucks, etc. That's how you build up, that's a skill set to have.

And having that skill set is going to allow you into some places that people can't get in, different circles, different areas. And those circles have other circles that can get you in. Especially if you go on your own as a consultant or a business, that's avenues in because you're already known, you already have built those relationships and trust factor.

So you have to take advantage of it and you have to build up that skill. I think that's a skill that's becoming less and less having from people, especially being online, kids growing up on video games, etc. It's not like, you know, how it was when I was growing up.

It's completely different nowadays.

 

[Kyser Clark] (32:23 - 33:22)

Yeah, definitely. Yeah. As time goes on, you know, more people are less, they're more online and less in the real world.

And then when you go in the real world, you just kind of like, people freeze to interact with people. Like when I walk by people, I feel like nine times out of 10, like, I don't even like acknowledge their presence. Like, they're just, it's like, they're like an NPC to me.

And I'm like, that's like a bad habit. I need to like, you know, I try to wave at people where I can. And like, when you go to the cash register and check out, like, actually, I was at the grocery store just a little bit ago.

And the two cashiers were like, making fun of each other. I was like, I kind of weighed in there. I was like, well, what happened?

Like the one cashier was like, not at the cash register. And then the one girl yelled at him and he was like, see what to do with. I was like, I was like, yeah, this is why I left the cash register.

So it just makes some jokes like that. You know, like you said, just talk, just talk to people and you build up the skill. And yeah, it's something that I can work on more myself.

 

[Paul Nieto III] (33:23 - 34:21)

And one key thing is too, and this is a factor and I know some people take this the wrong way, but it's like coming from Box, right. I had a CISO, to me, the best one ever. Her name was Lakshmi, but she was, she was, she knew her stuff.

And you know how they say, when you write pen test reports, right. They don't want the technical technical stuff. She wanted everything and she would drill you if she didn't understand.

I mean, she knew her stuff. So the thing with that is, is I tell, especially guys, like younger generation, I'm like, if you can't go just, I'm not saying you have to go ask the girl for a number, ask her out. But if you can't talk to women like that, how are you going to talk to a CISO that knows her stuff in front of people in a meeting?

Like say, if it's an actual incident, you got to, you got to know your stuff. You can't go in there, stutter, your voice crackles and don't know what sounds like, you know what you don't, you don't know what you're talking about, right? You have to have that confidence.

You have to build that rapport with people. So that's kind of the things that I show people or try to tell people is you got to build up that skillset.

 

[Kyser Clark] (34:22 - 35:38)

Yeah. And now that you mentioned that I've, so you know what, do you know what Toastmasters is? Toastmasters?

Yeah. I've heard of that. I've heard of that before.

It's like a public speaking organization and they have, it's all, it's all over the world. And they have basically, they're like little meetups, kind of like, like security conferences, but they're like meetups or you can have local meetups. And all you do is you just do public speaking.

That's what you do. And the goal is just to talk to a group of people, just to build up your, your speaking skills. And I've been debating on doing that.

The only thing that's been, the only reason why I haven't done it yet is because my local one is like an hour away. I'm like, man, I don't want to drive an hour every week to practice my speaking, but it would do so much for me. But man, an hour one way.

So it's like two hours out of my day, just by driving, you know, I was like, oh my God, I got so much more work to do. But I would highly recommend that because I took a speech class in college and my professor was a Toastmaster and I watched him Toastmaster. I'm like, dude, this is, this is the real deal.

And yeah, that speech class in college definitely helped me out. So if you're in college and you have the opportunity to take a speech class, take the speech class. That will help you out for sure.

 

[Paul Nieto III] (35:39 - 36:29)

Yeah. And you know, the other thing I tell people and, you know, especially I have experience, especially in the tech industry and, you know, some people, I don't know why they take it the wrong way, but it's not even going down that route. The best people to get to know, network, are the HR recruiters.

They have friends, they have so many connections and most of them are female. And they, if they trust you and you have good rapport, you build those relationships. That's an easy, that's, that's even pop to me.

That's probably even better than networking at conferences because they have the straight direct contact with the hiring managers. They know them, they go to happy hours. They go to happy hours at lunchtime to get all their stuff that they need to put out for their requisitions, et cetera.

So going to, you know, building outside of that, I think it's a parallel knowing and building relationships with HR recruiters or business partners. And then also at the conferences, I mean, it's a win-win, you can't lose.

 

[Kyser Clark] (36:30 - 36:50)

Yeah. That's really good advice for sure. And I definitely need to work that into my, well, I'm not looking for a job, so I don't know.

What would you say for someone that's like, you know, you're already in a position, like, I feel like talking to recruiters all the time, like would I kind of be like, well, why are you talking to a bunch of recruiters? I don't know.

 

[Paul Nieto III] (36:50 - 37:46)

You can't look at it like that, you know, because I've been part of layoffs. I've had a, not only on the, you know, get laid off, but I've also had to give boxes out to my friends, being on the physical security workplace services side. You always have to have those relationships.

You always have to have it ready because I mean, people experienced it this past, you know, four years or three years with that economy, right? And all it takes is one bad incident from our end, from cybersecurity, to next day, you're handing out people boxes. So you have to have your resume up to date every day.

You've got to build those relationships. It's not meaning you're going to look for a job every five seconds or every day. If you need it, they're there, right?

And don't just, you build those relationships and use those people, get value back. If they need to find a role, let me ask my friend or post it on your LinkedIn, share it, right? So that's how I look at that.

Always be ready and always be prepared because you never know what's going to happen.

 

[Kyser Clark] (37:47 - 38:38)

Yeah, that's a good point. And that kind of goes similar with the recommendation I do with people like, don't get on LinkedIn when you're looking for a job, like that's the worst time to start posting on LinkedIn. You should be posting on LinkedIn all the time.

And then when it's time to look for a job, someone's going to take notice and take action on that. That's what happened to me. When I was in the military, I was making a bunch of content and doing pretty much what I'm doing on LinkedIn now.

And when I put my Open to Work banner up, I had an influx of people who were like, hey, I got an opportunity for you here. And the community was so good because I put in the work prior to that. So definitely, I think LinkedIn, we're talking about networking, we're talking about in-person networking, but I think LinkedIn is a great way to network.

It's not in-person, it's not as powerful, but you can reach a lot more people and a lot more, a lot faster too. I love LinkedIn.

 

[Paul Nieto III] (38:40 - 39:07)

And also too, I would say pay for the, I think it's like 30 bucks, the lowest one premium, instead of blowing your money on video games or whatever, it's worth it because if you are looking for a job, you can always keep those and they're only hidden for recruiters of what you want. So, you know, that's kind of like the ROI, right? Investment in case you need it.

It's kind of like insurance technically. If something happens, it's there, it's ready. And like you said, you're posting and being engaging, that's going to help out even more.

 

[Kyser Clark] (39:10 - 39:22)

Yeah. All right, Paul, we're unfortunately out of time. Man, we flew through this.

So I got to ask you the final question. Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?

 

[Paul Nieto III] (39:22 - 39:58)

Yeah, especially for people that are transitioning, don't be afraid. You're not going to get everything. Have patience if you're into offensive security.

You need to build patience. It's a lot of headbanging. It's frustrating sometimes.

The number two, the two things I could give you is be accountable and consistency. Show up when you're sick. Don't make excuses.

For me, it's like going to the gym. Show up, do your training, learn, ask questions, and you know, it's going to pay off in the end. That's the best advice.

That's, you know, the best advice you could give anyone. And it's true.

 

[Kyser Clark] (39:59 - 40:44)

Yeah, a hundred percent. Yeah. I take that same mentality.

And that's one of the reasons why I'm releasing podcast episodes every week without fail, releasing videos every week without fail, and the consistency. People notice that. And I was on, I was posting Hack The Box.

That's how I landed my current job. Like I was posting Hack The Box. Like I do a Hack The Box machine every week, post about it, and people will take notice of that.

Like if you're posting and being public about that, people definitely see that. So yeah, great advice and definitely work that in if you're not already doing that. So Paul, thank you so much for being here.

Thanks for sharing all your insights and wisdom. Where can the audience get ahold of you if they want to connect with you?

 

[Paul Nieto III] (40:45 - 40:53)

Yeah. LinkedIn, Paul Nieto III (with ones), Ox3 Security on YouTube, and then also on Instagram as well.

 

[Kyser Clark] (40:54 - 41:22)

Great. And audience, the best place to reach me is also my LinkedIn and my website KyserClark.com. Audience, thank you so much for watching.

Thanks for listening. If you're on the podcast and share the show, if you haven't already with a friend, if you're getting value out of these episodes, share the show with a friend and rate it on Spotify and podcast if you haven't already. Thank you so much for watching.

Thanks for hanging out. Hope I see you in the next episode. Until then, this is Kyser signing off.