The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#33 Are Cybersecurity Bootcamps a Scam? ft. Keith Coleman
Are cybersecurity bootcamps worth the hefty price tag, or are they just another overhyped shortcut to nowhere? In this episode of The Hacker’s Cache, I sit down with Keith Coleman, a seasoned cybersecurity professional with experience in pentesting, security engineering, DevSecOps, and more. We break down the true value of bootcamps, why many graduates struggle to land jobs, and what alternative paths provide a better return on investment. Keith shares his journey from IT to cybersecurity, his take on degrees vs. certifications, and why hands-on learning beats expensive bootcamps every time. If you're considering a cybersecurity bootcamp, listen to this first!
Connect with Keith on LinkedIn: https://www.linkedin.com/in/searchkeith/
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Keith Coleman]
I think it is a waste of money. I think it is a waste of time. It's six months and they range from 7,000 to $30,000 for a bootcamp.
I think that is insane. I know a few people myself that went through that and they still haven't found a job and it's really unfortunate now they're in debt. So yeah, that is definitely my thing on bootcamps.
I think it is, to put this into fewer words, I think it's a scam.
[Kyser Clark]
Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, welcome to the show. Today, we have Keith Coleman, who has over seven years experience in the field. He is a purple teamer, which means he has a wide variety of experience, including pentesting, security engineering, DevSecOps, AppSec, and compliance.
For education, he has a bachelor of science in cybersecurity and information assurance. And for certifications, he has a handful of Microsoft certs, a handful of IBM certs, a handful of Google certs, as well as a ton of other trainings under his belt. So Keith, thank you so much for taking your time and doing this episode with me.
Go ahead and unpack some of your experience and introduce yourself to the audience.
[Keith Coleman]
Yeah, absolutely. Well, again, my name's Keith, and I come from more of an IT background first, and then transitioned my way into cybersecurity. As a kid, I was doing things on video games you really shouldn't be doing, right?
And cheating, Modern Warfare 2 on the Xbox 360. The modded lobbies. The modded lobbies, which a lot of them were mine.
And so I was doing a lot of that. And then of course you have your DDoSing as well, cause then you get the nuke, right? So everybody freezes and you just keep going.
So I start off that way. And as I got a little bit older, I think around maybe 13 or 14 years old, this STEM school actually opened up, and STEM stands for Science, Technology, Engineering, Mathematics. And this school went from sixth to 12th grade.
So what they had in there was actually a cybersecurity team, and they did CyberPatriot, which was run by the Air Force Association. So I was part of that team for three years in total. And the first time I did it, we got second place at the Mayor's Cup, and then the next time was third place.
So that really started my love and understanding of what actually cybersecurity was, right? Cause I was already doing things as a kid that I didn't realize were actually, in a way, in the realm of cybersecurity, right? I was just watching a bunch of videos on YouTube back then where people were showing how to use certain tools like Cain and Abel, and then it led to that path where I stuck to it, and then I did VEX Robotics.
So getting my hands on programming and soldering and different things like that. And it just led to my love for cybersecurity even more and more. Yeah, and that's essentially how I started back then.
[Kyser Clark]
Nice. So that's, yeah, that's really cool cause you have such a wide variety of experiences and interests. So I guess what I wanna know is what made you go into cybersecurity as opposed to software development, network engineering, robotics?
Like what made you pick cybersecurity as a career as opposed to all the other tech fields that exist?
[Keith Coleman]
So a lot of my family background is actually like law enforcement, right? And military, so Navy and Marine Corps. And then, like I said, law enforcement, so police and detectives.
And naturally growing up, I've always had more of an investigative mindset, also paranoia, and that kind of helps play a role. And it definitely assisted with my experience in cybersecurity, so I kind of felt at home, if that makes sense. And with programming, I still do a bit of programming on the side, but I just never went the software engineering route or developer route, mainly because there was something about, it was just a whole different realm, something about cybersecurity itself and understanding the defensive nature of it, but also the offensive nature is what really led me to fall in love with it.
And mainly for me, it's offensive. I always found it fascinating about how there is really no way to hide. There's gonna be a digital footprint most of the time, I'd say, especially nowadays, right?
And to me as a kid, even knowing that is what fascinated me. And also knowing what kind of systems can be hacked and researching so many stories back then of different hacks that have happened. And to me, that was just, it was so crazy and mind-blowing that I had to keep, I just had to keep researching.
That's what made me fall in love with it.
[Kyser Clark]
Nice, yeah. Sometimes, well, not sometimes, all the time. I wish I would've gotten cybersecurity earlier because I mean, I was a gamer and I would tinker on a computer a lot, but I never really got into all the hacking stuff.
I mean, maybe that was good for the best. Maybe I would've gotten in trouble if I would've done that when I was a kid, but I was just a strict gamer. I think the most I ever really hacked was on Modern Warfare 2, you could buff your stats for offline accounts.
So what I would do is like, you could take your offline profile and we would play split-screen with each other. And you could take the games file and you can go to a hex editor and you can edit the hex. Right.
And we would have everything unlocked. That way we didn't have to like sit there and grind out if we just wanna play a quick split-screen game, which was probably the last game to really have split-screen gaming. But yeah, that was pretty much the only hacking I ever did when I was a kid.
[Keith Coleman]
Yeah, exactly. Yeah, I always hear the Modern Warfare 2 stories too. So it's pretty funny.
I'm not alone, you know? So it's cool. Yeah.
[Kyser Clark]
I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member-only polls, loyalty badges for the YouTube channel chat, and priority reply to the YouTube comments. Of course, if you can't or don't want to become a member, that is totally fine.
I will always release the same free content you've come to expect. And your support just by watching is more than enough to keep the channel going. But for those who do join, your contribution helps invest into new tools, technologies, and people to help the channel go further.
The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships. And as always, thank you so much for your support.
All right, let's go ahead and dive into the Rapid Fire questions. Before we dive in, we got a spicy first question. So we're gonna do the Rapid Fire questions before we get into the deep end here.
[Keith Coleman]
Sure.
[Kyser Clark]
So for those who are new to the show, Keith will have 30 seconds to answer five questions. If he answers all five questions in 30 seconds, he will have a bonus sixth question unrelated to cybersecurity. And I'm actually rooting for him because this one unrelated to cybersecurity is actually a funny one.
But if he doesn't get it, then the next guest will, I guess. So Keith, are you ready for the Rapid Fire round? I think so.
All right, here we go. Your time will start as soon as I stop asking the first question. What is your least favorite part of the job?
The long hours. Most overrated cybersecurity threat? Cross-site scripting.
Best way to keep up with cybersecurity trends? Definitely going on podcasts and articles. Favorite tool not many people know about?
Burp Suite. Best hacker movie, show, or game? Watch Dogs.
Nice, 23 seconds. That's a very good time. And I agree with you.
Watch Dogs would probably be my answer to that question as well because I don't watch a lot of movies. I did watch Mr. Robot. I really liked Mr. Robot. And I played Watch Dogs, which was really cool. And I actually want to play the second one. I haven't played the second one yet.
It's kind of old at this point.
[Keith Coleman]
It's fun still. I like it. It's cool.
[Kyser Clark]
Sorry, go ahead. Oh, I was just going to dive into our bonus question because I'm super excited for it, like I already said. All right, here it is.
This is a very important and very pressing question. Should we bring back the dinosaurs if we could?
[Keith Coleman]
Yes, even though there's a ton of movies to show why we shouldn't, I'm going to tell you right now, I am all for it. So if we have a private island for it and everybody could just fly in there like it's almost universal or Disneyland, I am all for it to see that again. I would love to see that.
[Kyser Clark]
Yeah, I was thinking about it as I was putting in my notes for this episode. And I was like, you know, old, like a couple of years ago, I probably would have said, no, we probably shouldn't do that. But now with AI just running rampant, I'm like, well, you know, we've got AI going to take over the world anyways, but why not?
What's the dinosaurs going to do? They might even help us in the battle against AI when Skynet takes over, you know what I mean? Totally, yeah.
Why not? Just add more chaos to the world because we got to end it with a bang, you know? Yeah, just have Skynet watch the dinosaurs, you know what I mean?
I'm all good for that. Oh gosh, could you imagine Skynet riding on the dinosaurs in the battle? We're done.
[Keith Coleman]
Yeah, we're so done. There's no coming back. There's no John Connor.
There's nothing. So that's it.
[Kyser Clark]
All our hacker friends, all our skills combined will not be enough.
[Keith Coleman]
Yep, exactly. We could try our best, but you know, we might get in for like a good month, you know? And then after that, so.
[Kyser Clark]
Man, that would be a good movie.
[Keith Coleman]
That would be a good horror game. Oh, I did want to talk about my, real quick if I can, the questions that you just asked me for that rapid fire. Yeah.
I'm not sure if you want me to talk about that later, but I totally can lean in on why that was, why those were my answers.
[Kyser Clark]
Yeah, so yeah, I usually pick what I think is the most interesting one. And the one I thought was the most interesting, you said most overrated cybersecurity threat. You said cross-site scripting.
Why do you think it's cross-site scripting?
[Keith Coleman]
So here's the thing, when it's overrated, I guess it's overrated in the sense, the reason why I thought what you meant was, it's usually always happening. So it's the one you always hear about, even though it's really prevalent. I just, I only say it's overrated because it's always spoken about, right?
But it's still an actual threat. And it's always a threat. I always find them in web apps all the time.
So even in mobile apps. So it's, I guess in that sense, it wouldn't be overrated, but to me just hearing about it all the time, I would like to hear about something new, something more crazy, you know? But in general, those are like some, they can cause havoc in some cases, but in general though, yeah, that's why I said that.
Yeah.
[Kyser Clark]
Yeah, and like you said, I find them in web apps all the time too. Like I was actually surprised. I'm like, oh my gosh, like it's actually kind of easy to find cross-site scripting.
It is. It's easier than the certification exams. Exactly.
Like it's so, it's like the most basic payload too. You're like, how did this work? Exactly.
And I was mind blown when I first started doing web apps. So I was like, this is, I was, well, I was excited. I was like, dude, I just found my first cross-site scripting, but then I kept finding, I'm like, oh, this is actually really common.
[Keith Coleman]
Yeah, no, I'm right there with you. Totally.
[Kyser Clark]
Yeah. And yeah, feel free to dive into any of those other questions you want. I know if you have something else you want to say about why you chose.
[Keith Coleman]
Yeah. When you said most people, I say Burp Suite only because people that are not in the field don't realize that they're actually gonna have to utilize this tool more often than they think. So that's why I chose Burp Suite.
And I do urge people to go on PortSwigger and go take their training on there and actually get a really good understanding of what it is because it is a tool that they're gonna use more often than they could ever imagine, in my opinion. And then also the other one where it's like the long hours. When I said about the long hours, it's definitely true, especially depending on what kind of role you have in cybersecurity.
But for me, and I think you know this too, Kyser, it's when you're doing a penetration test for a company or client or whoever, you're going to have multiple at once for different organizations. So you're gonna have longer hours and you have set hours to get the certain thing done and you're writing the report as well. So I know that can go over in time.
But then for me, I used to love long hours because I was learning a ton. I had no problem with it whatsoever. I still don't really, but it's different when you have a family or you have a relationship so that's when things change.
So that's when you have to really manage your time well. It comes down to just managing your time and your studying separately. So between work, studying, and whatever relationships you have on the side, it's really important to be able to figure that balance out.
So that's kind of why I said the long hours.
[Kyser Clark]
Yeah, back to the Burp Suite one. I'm glad you mentioned that because when I was first getting in the field, I went, so I enlisted in the United States Air Force. I went to basic training, went to my technical school.
They make you get security plus. And then I went to my first base and I started to learn how to be a class as a technician. And after a handful of months, I was like, okay, I'm going to go to college because it's one of the benefits I get from being in the military.
And I decided to go for cybersecurity for my bachelor's degree. And during that time, I was like, well, what do I want to do? Like, what do I want to do for a career?
I know I wanted to be cybersecurity, but there's so many different options, cybersecurity. And I chose, I want to be an ethical hacker, penetration tester. And one of my career development courses, which is like, I think it was the first or second course I did for the school.
It was a mandatory course. It's like a career exploration course. It's all about just trying to figure out what you want to do with your life.
And one of the assignments was you have to interview people in the field, the job that you want. And at the time, back then, dude, I knew nothing. I mean, I knew no one.
All I knew was my military friends that was in my office. That was it. And none of us were pen testers.
And I was like, dude, how do I find a pen tester? So I'm sitting here, I'm joining every LinkedIn group, every Facebook group, I'm blasting on Twitter. I'm like, and I'm just like putting all these groups.
I was like, hey, I need it. I would like to get an interview with any pen tester here. Like, it doesn't matter.
Just anybody who works as a pen tester, I would love to interview you and ask you questions. And I had all these questions lined up for what I was going to ask this person just so I can learn about the field and stuff. And this person did not even let me ask a question.
They just started talking. Like, they just talked for like 45 minutes straight about all this information. And I'm just like, I had like two pages of notes.
I'm like, shh. I had to, I actually recorded it because I couldn't digest it all at one time. And the reason why, this is kind of a long answer, but he mentioned Burp Suite.
At the time, I'm like, what the heck is Burp Suite, dude? He said, he's like, I use it every day. I'm like, I don't even know what this is.
How do you use this every day and I don't even know what this is? SecPlus didn't teach me this. You know?
So you're right. People get new in the field, they don't know what Burp Suite is. And it's a very popular tool and it's used, I use it every day, or at least when I'm on web apps.
I don't use it as much on network pen tests, but for web apps, every day.
[Keith Coleman]
Yeah, and that's my point too, right? There are certain tools that you're going to utilize all the time. I mean, network pen testing tools are, you're going to have to learn those as well, no matter what.
If you're trying to become a penetration tester, red teamer, just in general, all around ethical hacker, right? I guess that's the term that everybody likes to use, but in my sense, in my experience, it's always just been penetration tester, but you know. Yeah, so I agree with you.
It's pretty crazy. I actually had the same experience, by the way, when I was interviewing others as well for cybersecurity. And I got kind of lucky, because I found a thread where someone was like, willing to let me interview them, and they worked in cybersecurity.
And I got lucky with my professor, because they weren't a penetration tester though. They were just a cloud engineer. And then another one was an IR engineer, incident response.
So, but I got away with it, because it was coming close to time. And so they let me just put those two in. So I got really lucky, to be honest with you.
Nice. Yeah.
[Kyser Clark]
So speaking of degrees, so there's a debate in cybersecurity. It's one of the spicy ones. It's one that always comes up, and it's one that we haven't really explored deeply on the podcast yet.
So it's going to be nice and juicy. So you worked in different areas of security. How important do you think each one is, and what is your personal take on how professionals should approach them, certifications versus degrees?
[Keith Coleman]
Yeah, so let's put it this way. I didn't start off with the degree at all. I was back then, just because I was really taking care of myself as a young guy and working multiple jobs.
And my goal was to get into the tech industry, because I was actually working physical security, by the way. I was a security officer. I was doing graveyard shifts.
There was times where I was doing 16 hour shifts. It was killing me. And then I became an armed guard, right?
And a patrol driver. So while I was studying, and I did not have enough time to go and start my degree. It was just insane.
I could not do it. And then I also saw the criteria for it. And now that I actually have taken all those courses, and I have all that experience, I can 1000% say, well, in my opinion, that the degree is nice to have, and it looks great on your resume.
I'll tell you that, if it's an additional thing that you have. But it actually did not teach me anything or anywhere near the certifications I got. When you get a certification, it's usually specialized.
And I know I'm probably gonna get heat for this. Maybe, I'm not sure. But yeah, the degree was, it looks good on paper.
It's nice to have, but I knew a lot of people who had the same degree, and they still didn't know anything, and they didn't go after the certifications. And then over time, they realized that they really need to go after certain certifications to get a better understanding of how to use certain tools, or dependent on the area in cybersecurity that they were going for. So that is definitely one of my experiences.
And I also have a thought about bootcamps. That might be a very heated topic. And I know I'm treading on thin ice here.
So I'd like to hear what your thoughts are on a bootcamp first, before I tell you mine.
[Kyser Clark]
My opinion on bootcamps, I wrote an article about it on my blog, KyserClark.com. And my take is, they're not worth it, because they're extremely expensive, and because I think there's just better bang for your buck when it comes to certifications. And moreover, employers, they're not asking you to complete a bootcamp.
Like when you go to a job posting, it doesn't say, hey, must complete four bootcamps before you can work here. It says, hey, we want you to get this cert, this cert, and we want you to have this experience, and maybe this degree. Nowhere does it mention bootcamps.
So I personally don't think bootcamps are worth it.
[Keith Coleman]
I absolutely agree. So I'll tell you this. The degree is fine to get.
I think if you want to wait till later on to get a degree, I tell people that that's absolutely okay. But I do say that you should have a few certificates underneath your belt, and make a portfolio if you can, depending on the certain projects that you're making. With bootcamps, I absolutely 1,000% agree with you.
I think it is a waste of money. I think it is a waste of time. It's six months, and they range from 7,000 to $30,000 for a bootcamp.
I think that is insane. I know a few people myself that went through that, and they still haven't found a job. And it's really unfortunate.
Now they're in debt, right? So there's that issue. Certificates, I'm telling people, if you're trying to just get your feet wet, you can go on Coursera.
You can go on Udemy. They have amazing courses on there, right? Go get your...
My favorite platforms, though, are TryHackMe and HackTheBox. I love those. I haven't uploaded all my other certs yet to my LinkedIn account yet.
I mean, I have like 64 on there right now, but I think once I upload those, I'll have about 89 certifications in total, right? And so I just love to continue learning. And believe me, people do look at the certs you have. Now there's industry certs that look great.
I don't agree with a lot of them, because again, they're more terminology-based, not hands-on, which is why, again, I recommend going to TryHackMe, going to HackTheBox, go to TCM. TCM's really cool too. Go check all that out.
And like right now, I'm doing the mobile pen testing course on TCM. I think it's great. So just for fun, because I wanna see what their strategy is, right?
So yeah, that is definitely my thing on bootcamps. I think it is, to put this into fewer words, I think it's a scam. I think bootcamps are a scam.
And I think going to find certification out there, like Coursera is cheap. It's 50 bucks a month. You go on TryHackMe, it's like 120 bucks a year, I think, which is incredible to go get some great experience and also just knowledge, right?
HackTheBox is not expensive either, and they're all hands-on. And I think it's an amazing, it's amazing that they even do that, right? So that's definitely my thing.
And then go get a degree later. And my last point to this is, when I say go to smaller companies first to go work for them when they're looking for security professionals, because you'll finally get your feet wet. They love people who are hungry.
I wouldn't recommend going in there and not being excited about the job. You definitely wanna go in there showing that you're so excited, that you're ready to get started, that you have these certifications underneath your belt. And a lot of times what they'll do is they'll put you probably in an IT position first, and then you work your way up.
And that's kind of what I did. I started as an IT remote tech, and then I started doing security compliance. And then from there, I just continued on doing engineer work.
And I lateraled and finally got into pen testing.
[Kyser Clark]
So sticking with the theme of getting into cybersecurity. So there's no single way to break into cybersecurity. Some start in IT, some come from non-technical backgrounds, and others jump straight into security.
Based on your experience, what are some of the best optional roads for getting started? And which do you think are the most underrated?
[Keith Coleman]
Underrated, ooh, okay. I mean, I've worked with quite a few people who have come from really interesting backgrounds to work both in cybersecurity and software development. So it's really interesting.
I knew a musician that was a musician at a church and then went into software engineering. And then I knew someone who was a, he worked in construction. And then the next year, I mean, he had 10 years of experience in construction.
And then he was 33, I believe, when he started in cybersecurity. He got his first role as a junior analyst, right? So it is absolutely possible.
Now, underrated. This is interesting, because a lot of things are technically underrated for people who don't have any experience, right? So I would like to say, go check out certain websites that offer training for really affordable prices, but also the best bang for your buck.
And I can't stop talking about them enough, truthfully, and it's gonna be TryHackMe. They're literally one of my favorite platforms. And same with Hack the Box.
Those two are some of the most, just awesome platforms. And then also going to Udemy and looking up penetration testing courses. They have great, what they call boot camps on there, but they're not really boot camps, you know what I mean?
And they're super affordable. I get them all the time for like 12 bucks, because they always have sales. So you get a whole thing and you get to learn everything you want about ethical hacking, or at least quite a bit of it, right?
So I do think all those are really underrated personally, and don't go to an actual boot camp from a college or a private company that offers those six month boot camps. If you see anything like that, stay away. So that's what I'm gonna tell you right now.
And now the path itself is different. Again, I started in IT. You have to work your way up.
It's pretty difficult to just go straight into cybersecurity, to be incredibly honest with you. It's not impossible, but it is difficult. So starting off in an IT role is great and letting them know your intentions and advancing.
My goal is to be in cybersecurity eventually, right? Now you could go get internships totally, but if you're looking where you actually need to get paid, like you need a paycheck, internships aren't always gonna cut it. I couldn't do that.
So, but I do know it's possible. So I'm not gonna just say that it's not. But my experience has been that I've met in, I started in smaller companies.
And the one thing that I always got great feedback from the CEO, the CFO, and CTO, the best feedback I got from them was that they loved my energy. They loved the fact that I was driven, that I was willing to work hard to get to where I wanted to go to. And eventually they let me go into the path that I wanted to be in.
And again, going in IT, you're gonna get some cool networking skills depending on the type of IT role it is. I mean, I know I did. So you are gonna get some cool skills that will lateral to your next position, right?
They will propel you forward. So that's kind of my take on that.
[Kyser Clark]
Yeah, I'm gonna briefly touch on something that I believe is underrated and that's the route that I took, the military option. I mean, my whole career was set up because of the military. And I know military is not for everyone, but you'd be surprised how well it might work for you, because I didn't plan on joining the military.
I joined the military at age 24. And I didn't think I was gonna, like when I was in high school, like I used to make fun of the kids in JROTC and all this stuff. And I just, I didn't think it was gonna be a thing for me.
And when I hit 24, I need to make a career change, a life change. And the military was my, what I did. And it was the best decision I ever made.
So just because, you might not think that military is worth it, but you might be surprised. And furthermore, like I said, I joined at 24, but you can join later in life and still make a worthwhile career out of it. You don't need to join right out of high school.
You don't need to join when you're young. Generally speaking, yes, military is a young person's game, but I've met plenty of people who had successful careers joining in their mid-20s and even in their 30s.
[Keith Coleman]
Yeah, I actually wanna touch on that. I have a few friends who did join the military for that. I mean, for more reasons than that, obviously, right?
And they're doing amazing now. They got out and you're right. They do actually work in the roles that they were doing.
And before they got out, they made sure that they were applying first and things like that. So they did, I'm sure you probably did the same thing, right, applying before you got out or before your contract ended, right? So yeah, you're absolutely correct.
You could totally do that. It was funny because I was actually in the process of joining the Air Force and then I got offered that first IT role and that was my way of getting started. I didn't wanna let go of that, right?
Even though I really wanted to serve and I still think about it to this day. I just turned 27 recently, right? So I got into the IT world kind of young-ish, but I also grew up pretty quickly.
I've been living on my own since I was a really young kid. Things happen in people's lives, right? You come from all different backgrounds.
So I really had to make it here myself and create structure myself. And I think the military could also provide a heck of a structure, right? So it depends on the type of person for sure and what they're going through, no doubt.
[Kyser Clark]
Yeah, and then the last two things I will mention about the military is I don't come from a military background at all. Like my family, all my close friends and family, not military. It was like a whole adventure, completely unknown to me.
And I think that's what made it fun, honestly. Because I didn't know what to expect. I knew it was gonna be physically demanding when I was in basic training.
I knew I was gonna get yelled at, but other than that, I didn't. I knew it was gonna be strict and all this stuff, but I didn't know exactly what it was gonna be like because I didn't know anybody that was in the military. So if you are one of those people, you don't have to come from a military background, like a military family or anything like that.
And then furthermore, if you do consider that option, make sure that you go to the recruiter knowing it's a negotiation, right? Because I went in there with a guaranteed job in cyber defense operations. If you wanna go in for IT, make sure you go in for IT.
You don't have to go in for the random job that they recommend to you. And that's what I'll end on now about the military, because I know most people, only 1% are gonna be taking it, so we're gonna move on to the next. If you're really interested in the military, just hit me up and I'll talk to you all day about it.
So Keith, moving on here. A lot of newcomers, they focus on hacking skills, but things like threat modeling and application security don't get as much attention. Why do you think those skills are so crucial and how could someone start developing them early in their career?
[Keith Coleman]
Yeah, absolutely. So again, assessing threats and anything in that realm is incredibly important because you have to understand the scope. You can't, you know, people sometimes think of hacking as like, I'm just gonna destroy this platform.
I'm just gonna destroy everything, right? I'm gonna try to find different attack vectors. And that's not always what a company wants.
So, because you can't just shut off their servers. You can't completely put their system down or their website down or whatever it may be, right? I've mainly worked for SaaS companies.
So they definitely don't want their systems down. And, you know, you have to come at a certain project with, there's, essentially they give you a list and criteria of what's in scope versus what's out of scope. So what's in scope means what you're allowed to do, you know, and what's out of scope is essentially just what you're not allowed to do.
Don't DDoS the platform essentially, right? Now, when you're trying to learn about it, you know, I've actually, again, what's really cool is they do kind of teach a little bit about this on TryHackMe. I've also learned a lot about this through certain, like the Microsoft cybersecurity professional certificates, same with the Google cybersecurity professional certificates.
You can go check that out. On Udemy, there's different courses that are kind of a GRC. So that's more of like security compliance.
And they do have policies and procedures that they go through. And parts of that is with, you know, threat modeling and have you done certain like, how can I put this, scenarios per se, right? So a lot of that's part of the job too.
So again, I really do recommend going through the TryHackMe engineering pathway because you're actually gonna find it through there. And then also going to Udemy, looking up like ISO 27001, you know, looking up certain GRC pathways, looking up like Certified Ethical Hacker, looking up through that, because the actual EC-Council course isn't that great. Personally, I didn't like it that much.
It's nice to have, but I didn't like it that much. And then also watching podcasts as well as videos of people explaining it is incredibly helpful. And I feel like a lot of people don't do their own research.
And the only reason I say that is because I've actually witnessed it, right? I've had people work in certain positions and sometimes you ask like, how did they get there? And it does happen all the time, not trying to put anybody down, but if they can do it, I'm telling you right now, you can too.
So definitely do your own research, go on articles, understand what it is, look at the entire pathway when it comes to penetration testing or red teaming, right? Offensive security, you need to look at both of those, not just sticking to figuring out how to exploit vulnerabilities, but really the whole concept around it as well, right? So look up compliance too, it's really important.
[Kyser Clark]
So you've worked at different sized companies from startups to large organizations. What's the biggest difference between working in security at a small company versus a large enterprise? And what do you think is better for someone early in their cybersecurity career?
[Keith Coleman]
Ooh, so that last part's interesting. So yeah, I've worked at small, I've worked at medium, I've worked at large now. When you work at a small, it depends on the organization, but in my experience, I've had more leeway to kind of introduce new platforms, right?
Different automation tools and kind of build that process from there and do actual security engineering all from the ground up. And what I can say is, even if you're brought in as a cybersecurity analyst to a small organization, you're probably gonna end up being what's called an SME, subject matter expert, and you're gonna end up doing compliance, you're gonna end up doing analyst work, you're gonna end up doing engineering work, and then eventually you may just cross paths with penetration testing. It happens and that's what happened to me.
So that's kind of the benefit of it because you get to touch quite a bit of different paths with a smaller company and you get to determine where you really wanna be, right? Because some people may think that they wanna be a pen tester or a red teamer and stick to that side of things like the red team, but then they realize how much more work goes into it and sometimes they just rather stick to the blue side, right? And that's absolutely okay, right?
That's why it's great to touch all paths in my opinion and get to see what you like. And some people fall in love with compliance, reading a bunch of documentation, putting things together, right? Getting their company certain security certifications that's needed in order to have clients, right?
It's very important for a software company. And then working at a larger organization, there's more structure. Usually you'll have your CISO, right?
Chief Information Security Officer who runs the show and they have a very select way of making sure that everybody's role is doing what they're supposed to do. And you'll be usually stuck in that one position unless you work with them and you wanna kind of lateral to a different position in cybersecurity. But, and that's the nice thing because I guess you know your job role, you're sticking to that, everything's kind of structured, you just have to maintain.
And that's the nice thing about being at a bigger place is maintaining. But then again, I think starting at a smaller place first, building up and learning about different areas is awesome. And then moving to a large organization or who knows that organization may grow and you get an amazing CISO.
So it just depends on also who you work with.
[Kyser Clark]
That's good insights. Yeah, right now I'm at a smaller company. So I don't really have any experience with large companies.
I mean, United States Air Force is a huge organization, but that's way different than working for like an Amazon or a Walmart or something, you know. But yeah, that's good to know. So we're running out of time, Keith.
So final question. Do you have any additional cybersecurity hot takes or hidden wisdom you would like to share?
[Keith Coleman]
Yes. If you see an influencer on any social media or on YouTube, it doesn't matter where it is, and they're saying that, hey, follow my course or hey, take this bootcamp.
You're gonna get a job in six months or three months, whatever it may be. If it's too good to be true, it most likely is. So again, I was able to get in after tons of studying, you know, I worked my butt off to get into this field.
And I'm not saying that you necessarily have to do the same things I did to get there, taking all these certifications and, you know, staying up late nights to do these things, but it definitely helps. And it's not, you can't just take a bootcamp and get that last cert, whatever it may be, and then get in. And if you do, awesome, great for you.
But a lot of times it's quite the opposite, unfortunately, and it's really expensive. So I really say, use your money wisely and put it towards more affordable options that will literally get you farther.
[Kyser Clark]
That's really good advice and I totally agree with you, especially on the influencer part. So, you guys listening: if you guys listen to every episode of The Hacker's Cache podcast, you're guaranteed a seven-figure job in however long it takes you to listen to every episode.
I'm just kidding, I can't make a guarantee like that. That's a joke, if you didn't catch that sarcasm. But yeah, thanks for the insights, Keith.
I really do appreciate it. And yeah, it was a great discussion. Where can the audience reach you if they want to connect with you?
[Keith Coleman]
Absolutely, so make sure you have a LinkedIn account, because I made it so that only LinkedIn members can see my account, but you can find me under Keith Coleman. I have like a, I guess what, pink-purple background behind my face.
[Kyser Clark]
It's a nice background, it shows up really well.
[Keith Coleman]
Thanks, yeah, I appreciate it. I was definitely trying to make it more vibrant, I guess. But yeah, you can find me on there for now, and then in the future, I'll definitely have my own site with a lot of my projects on there.
And so I would say, again, if anybody has any questions as well, I actually do have PDFs that I put together on all the courses I've ever taken. And I even made it so that there are certain paths that, depending on the type of role you're getting or wanna go into, I have paths I put together for people so they can kind of go through that. It's way more affordable than going to bootcamps, right?
So you just go to those and if anybody ever wants those, just hit me up and I have no problem sending it to you.
[Kyser Clark]
Great, and audience, best place to reach me is LinkedIn and my website, Kyserclark.com. Keith, thank you so much for your time. Thank you so much for your insights.
And audience, if you haven't reviewed the show on Apple Podcasts and Spotify, if you're on audio, leaving a review would help the show out a lot. If you're on YouTube, drop a like and hit the subscribe button. Thank you, audience, for watching and listening.
And hopefully I see you in the next episode. Until then, this is Kyser signing off.