The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#36 The OSCP Won’t Save You ft. Tyler Ramsbey
Many aspiring penetration testers believe that earning the OSCP is the ultimate proof of their skills—but what happens when they step into a real-world engagement? In this episode of The Hacker’s Cache, Tyler Ramsbey joins me to break down the hard truth about OSCP, the gaps it leaves in real-world pentesting, and why experience always outweighs certifications. We discuss rookie mistakes, the reality of internal assessments, and why leadership and communication skills are just as critical as technical expertise. Whether you're chasing the OSCP or already have it, this episode will challenge what you think you know about offensive security.
Connect with Tyler Ramsbey on LinkedIn: https://www.linkedin.com/in/tyler-ramsbey-86221643/
Subscribe to Tyler Ramsbey on YouTube: https://www.youtube.com/@TylerRamsbey
Check out the Hack Smarter Community: https://hacksmarter.org/
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Tyler Ramsbey] (0:00 - 0:28)
And I also think people need to recognize the OSCP really is an entry level pen testing cert, which is confusing because pen testing itself is an entry level. But once you get the OSCP and you think like, wow, that's the hardest thing. Just wait till you do your first internal as a pen tester and you have hundreds of hosts on an internal network and you have to be careful about password spraying.
You don't want to lock out accounts, but you're trying to get to domain admin like it is way more complex than anything you'll encounter on the OSCP or really any other exams.
[Kyser Clark] (0:28 - 1:55)
Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Welcome to the show. Today we have Tyler Ramsbey, who has about four years of experience working full time in IT and he currently works as a full time penetration tester. He's also a content creator.
He makes really good content on YouTube. He streams on LinkedIn and Twitch as well. And he is running the HackSmarter Discord community for education.
He has an associate's in business administration, a bachelor of science in cybersecurity and information assurance, and a Master of Divinity. For certifications, he has OSCP, CCSP, that is the Certified Cloud Security Professional from ISC2, PenTest+, CySA+, Security+, Network+, A+, Project+, and he's got the Microsoft Azure Fundamentals. So Tyler, thank you so much for doing this episode and taking your time and being here with me today.
Go ahead and walk through your background and introduce yourself to the audience.
[Tyler Ramsbey] (1:56 - 3:51)
Hey dude, first, just thank you for the opportunity. I've been a big fan of your content, was just watching one of your videos before I jumped on the interview. So super excited to be here.
A little bit of my background. So I have a very much non-traditional path to go into the IT world. So I spent 10 years in pastoral ministry doing church planting and church leadership in that world.
And also very much on the academic side of things, I have a Master of Divinity, which you said, which just sounds like some degree from Harry Potter, but it just means I spent like three years on the academic level studying like Hebrew, Greek, theology, philosophy, history, and was actually working on a doctorate when I switched over to IT. I was about one year into a doctorate and was working as a teaching assistant at a college teaching graduate level students. So that was sort of my background before diving into IT.
And then during this little thing that happened called the COVID-19 pandemic, like a lot of people, I just reconsidered what does health look like for me and for my family. I have a wife, I have two young kids, they make this sweet artwork behind me, but eight and five-year-old kids, so I'm busy with them. And during COVID-19, I decided to transition out of ministry into IT, started at IT support level one, four years ago, like you said, I think it was 2021 in January is when I first landed my job.
I might have the dates wrong, but that's roughly correct. And my goal was to become a pen tester. Problem is I live in rural South Dakota, there are more cows than people, didn't really see a way to become a pen tester.
So I just started the YouTube channel and started sharing what I was learning and streaming TryHackMe as I stumbled my way through things. And somehow it worked out. I landed a job as a pen tester.
I've been a pen tester now for a little over two years, still have a YouTube channel, a lot of fun making content, streaming, and just doing whatever I can to give back to the community. So that's kind of my background and my experience in a nutshell.
[Kyser Clark] (3:54 - 5:04)
Yeah, that's interesting you say that because I come from a similar background. I don't think my town is as small as yours, but I come from a small town as well. And my town actually has a nickname called cow town because there's a lot of cows here.
So that's yeah, because like we grew up like not knowing tech, right? We come from like, no one really knew about like tech as a career for me. Like I didn't know that was an option for me, you know, and that's why I make the content that I do is because I want to show people like, yeah, this is a field that you can get into.
Because when I was growing up, like, you got to go in a factory, you got to go work, you got to be a welder, you got to be, you know, I worked when I got out of high school, I started working on oil rigs and chemical plants and oil refineries. That's what I did. And, you know, I got it.
I was doing that for five years. And I was like, there's got to be a better way. And I was like, I'm going to work in tech.
But I didn't know how to do it. I thought I'd go to college, and I didn't like school. So that's why I went into the military. But yeah, that's really interesting.
You bring that up about being in a small town because that it's, it's not common, you know, like those those types of tech jobs.
[Tyler Ramsbey] (5:05 - 5:08)
How big was your town? I'm just curious. We'll see who is more more rural.
[Kyser Clark] (5:08 - 5:11)
There's three, there's 3000 people that live here.
[Tyler Ramsbey] (5:12 - 5:38)
Oh, nice. So the town I grew up in was like 4000. The town that I live in now is 1000.
So a lot of people when they say small town, they have like 100,000 people is a small town for them because they live in like Chicago. So at least we're similar when we say small towns. We mean small towns like the maybe you have one stoplight in your town, you might have like some one grocery store, and like six bars.
And that's about the limit of a small town. Love it.
[Kyser Clark] (5:38 - 6:11)
Yeah, yeah, I think there's Yeah, they're like three stoplights. And you know, Main Street goes through the whole town and it's you're in and out of it, you know, five minutes takes you to drive through it. Yes.
All right, man. So coming from the the past your background, like how did that? How did that help you coming into cybersecurity?
What skills that came from there apply to your current work that, you know, you didn't really think would would apply? At first?
[Tyler Ramsbey] (6:11 - 9:59)
Yeah. Great question. And honestly, I think it's something everyone should consider, especially for those coming from a non traditional background.
If you don't have a tech background, we tend to view that as a weakness. And I did initially as well. We can go more in detail on this, but I was actually interested in IT when I was in high school, actually got banned from using computers when I was in high school for about a year.
So I had this real strong interest in it. But then when I graduated high school, I went a different path. And then when I decided during COVID-19, like, yo, I want to switch back to IT.
And if I would have just started IT from the beginning, I would be a lot further along. And I'd have these things figured out. But I'm kind of happy I did as a pastor, as many people know. I don't want to get religious at all.
I don't want to preach religion to people. But one of the things I did is I did public speaking every single week, I stood in front of a bunch of people and would talk for 40 to 45 minutes on generally a well researched message and trying to help people along the way. On top of that, I would meet with people to do some very like counseling, some like spiritual direction, helping people kind of figure out what they want to do with their lives all while I was still trying to figure out what I wanted to do with my life still trying to figure out what I want to be when I grow up.
But when I switched over to IT, I recognized that a lot of that ability to communicate with people and really talk to people is a superpower. Unfortunately, we have this feeling in IT that they view a hacker as someone chilling in their basement in a black hoodie. Now, I do work in my basement, I do always have a black hoodie on.
And I don't see people that often outside of my family. But when I have to talk to people, I am able to do that. And when it comes to being pen testers, you know, Kyser, we do debriefs, we meet with clients, we go through reports, there's so much more communication that people don't realize.
And from having 10 years of doing public speaking and talking and communicating, that was huge. I did not have to really struggle with that at all. It was super natural for me to do that.
And also the reason I started my YouTube channel is I thought, look, I'm not as technical as other people. Like I'm never going to be a John Hammond, I will probably never be able to communicate as good as John Hammond. He's kind of a breed of his own.
But there's people more technical than I am. But I thought, hey, I can talk somewhat well compared to your average person in IT. So let me see if I can use this ability to communicate as some type of superpower to get to where I want to be, which is as a pen tester.
So that's how I use it. It was just the ability to communicate and the ability, I think, to understand people. I had a few areas when I was in positions of leadership throughout my four year IT career, I spent some time on the leadership side as a manager.
And once again, just that ability to talk to people and lead them not from a place of like, yo, here's my title, you have to follow me because my title is your boss, but rather, from a place of personal influence and friendship and being a servant. I learned all those things through my time as a pastor. And maybe one more thing I'll throw out there, when it comes to leadership, what people don't realize between pastors and like, a boss in an organization, you show up for work, generally speaking, because you're getting paid to show up, right?
If you stop getting paid, you're going to stop showing up. Well, as a pastor, I was a church planter, which means I started a church in a small town, and my entire staff were volunteers. So they were not getting paid to show up.
So I had to have the ability to cast a propelling vision and to encourage people like, hey, here's the direction we're going. Here's all the lives that are being impacted by our work and by our movement. Like, let's keep moving forward.
There was no money I could dangle in front of them. It was all from a position of influence, friendship and casting vision, which I think has also been incredibly helpful, not only in IT, but with starting the HackSmarter community and some of the work I do in that field. So really long answer to that, but hopefully that covers most of the bases there.
[Kyser Clark] (10:00 - 11:29)
Yeah, great. I'm glad you dove into that because leadership. So I want to add a little bit to that leadership point that you made.
So come from the military, right? You know, when it comes in the military, a lot of the leadership comes from the rank, right? You have to follow the rank.
And that's one thing that like military service members, when they get out, they struggle with leadership because they had their rank to drive what they wanted to get done. And in your experience, you had to do it all through influence, which is the top tier leadership that you can have, because the best leaders are servant leaders and great leaders, they understand that. So that's good that you bring that up.
And another thing about leadership that I want to bring up is you don't always have to be a leader, right? So for me, I'm not a senior pen tester in my company. I'm not a manager in my company.
And I get on this podcast. I talk a lot. I make a lot of YouTube videos and I talk a lot.
But honestly, when I'm in my company meetings, I'm just listening. And I think that's a vital skill for some people to have. You don't always have to have something to say, right?
If you just listen, you can learn a lot and just be a good team player. And, you know, when leadership arises, then you can, you know, step in those shoes, but don't force yourself to step in those shoes. If you don't have to.
[Tyler Ramsbey] (11:30 - 11:32)
Wisdom there. That's so good.
[Kyser Clark] (11:33 - 12:22)
I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member only polls, loyalty badges for the YouTube channel chat and priority reply to the YouTube comments. Of course, if you can't or don't want to become a member, that is totally fine.
I will always release the same free content you've come to expect. And your support just by watching is more than enough to keep the channel going. But for those who do join your contribution helps invest into new tools, technologies, and people to help the channel go further.
The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships. And as always, thank you so much for your support.
So let's go ahead and dive into our rapid fire round. Are you, are you ready for the rapid fire questions?
[Tyler Ramsbey] (12:23 - 12:30)
Yeah. So just so I understand this, you want me to answer with no explanation, just drop my answer. First thing that comes to mind.
Do I got that?
[Kyser Clark] (12:30 - 12:57)
First thing that comes to your mind, keep them as fast as you can. Like it can be one word, four words, whatever you want to say, but try to avoid explaining them because you're going to get the chance to explain the most interesting answer at the end. And if there's multiple interesting answers, we'll do multiple.
But, uh, yeah, there's a super low threat and should be pretty easy for you to answer. Uh, actually there's one that might be a little difficult, but we'll see. Let's see how you do.
[Tyler Ramsbey] (12:57 - 12:59)
Let's go for it, dude. Let's wing it.
[Kyser Clark] (12:59 - 13:20)
So for those that don't know, for those who are new to the show, Tyler will have 30 seconds to answer five questions. If he answers all five questions in 30 seconds, he'll get a bonus sixth question that's unrelated to cybersecurity. His time will start as soon as I stop asking the first question.
So here we go. Tyler, what is your favorite hacking distro?
[Tyler Ramsbey] (13:21 - 13:22)
Kali Linux.
[Kyser Clark] (13:22 - 13:34)
On a scale from one to 10, how important is a certification to a cybersecurity career? Four. Have you ever ran into an ethical dilemma while working in an off-site role?
Yes or no?
[Tyler Ramsbey] (13:36 - 13:36)
No.
[Kyser Clark] (13:37 - 13:39)
Least favorite part of the job?
[Tyler Ramsbey] (13:41 - 13:42)
Social engineering.
[Kyser Clark] (13:43 - 13:45)
Favorite hacker movie show or game?
[Tyler Ramsbey] (13:46 - 13:46)
Oh, Mr. Robot.
[Kyser Clark] (13:48 - 14:04)
Great. 27 seconds. And I'm excited for this bonus question.
And for this bonus question, you can explain as much or as little as you want to. So here's a bonus question. Are boneless wings just glorified chicken nuggets?
[Tyler Ramsbey] (14:06 - 15:00)
Are boneless wings just glorified chicken nuggets? Yes. And I eat them, but I also have the appetite of like a 10-year-old.
And my friends in real life make fun of me for this all the time. So like we go to Las Vegas for DEF CON, right? We go to these fancy restaurants.
I get like a cheeseburger and french fries or chicken strips every single time like a 10-year-old would. And anytime I get wings, I never eat wings with bones in them because I don't like my hands getting gross. I don't want to touch the stupid wing, but the boneless wings are exactly that.
Glorified chicken nugget. I can take my fork. I also don't like them spicy.
So I get like the very manly honey barbecue boneless wings, and I eat them like chicken nuggets. And I'm okay with that. So yes, they are glorified chicken nuggets, but that is why they are good.
You don't have to worry about choking and dying on a bone while you eat them. Yes.
[Kyser Clark] (15:00 - 15:37)
I'm so glad you mentioned that last part, choking on a bone and dying. So are you aware that here in my great state of Ohio that someone actually ordered boneless chicken wings and they choked because there was actually a bone in it? What?
And he had a lawsuit that he lost. And the judge said- What? How would he lose?
He lost. And the judge said, just because it says boneless chicken wings doesn't mean that it can't have any bones. So if you come to Ohio, you might die.
You might die on boneless chicken wings. That's a dangerous place, dude.
[Tyler Ramsbey] (15:37 - 15:38)
Straight out of Ohio.
[Kyser Clark] (15:38 - 16:08)
I love this state, but man, that was a bad call. That was a bad call. I think it was my state.
I read it a couple of months ago, but yeah, I was like, man, that's wild. I actually like traditional wings more times than not, but when I don't want to get my hands dirty, I'll get the boneless wings, which is what they're for, I suppose. But yeah, I agree.
They are just glorified chicken nuggets, but that's okay, like you said.
[Tyler Ramsbey] (16:08 - 16:21)
That's why they're good, dude. I hate having my hands have all the sauce on them. There's something sensory about that.
Just picturing it, I don't like it. I don't like it. That's why I work on a keyboard all day.
[Kyser Clark] (16:21 - 16:32)
You get it all over your hands. Yeah, it is a mess. All right, so moving on, I have to know, what is a cybersecurity myth that you wish would die?
[Tyler Ramsbey] (16:34 - 17:51)
Cybersecurity myth that I wish would die is that you need to have the OSCP to get a job as a pen tester. Anyone who follows me for any length of time probably knows me and OffSec don't see eye to eye on a lot of things. Now, I do have the OSCP, and I'm very grateful I have it.
By far, it opens up the most doors in the world of pen testing, but that being said, it's not the end-all be-all. So I landed my job as a pen tester before I had the OSCP. Now, I was scheduled to take it, and I took it four weeks after getting hired, but before then, I didn't have any of the hands-on certifications.
What I did have, though, was a YouTube video, a platform that I tried to do my best to teach people what I knew, and so it is possible to get a job as a pen tester without the OSCP or honestly, without any types of certs. I recommend building a platform and or doing like security research by finding CVEs, and you can get to a spot that's just as good as the OSCP or better without spending, you know, when I took the OSCP, it was $1,500, and I got a bloated PDF in a shared lab environment that drove me insane. I've heard it's much better now, but that was my experience with it.
So that's one myth that I hope will die, and that I think is slowly dying as people are seeing the value of doing their own security research and CVEs and things along those lines.
[Kyser Clark] (17:52 - 19:14)
Yeah, and I have been on record saying, yeah, OSCP is the best one to get if you want to get a pen tester job, because it is, it does show up most on the job postings currently, but I think it's fading out slowly but surely, and I see some other certifications taking over as the king, and you know, I have OSCP as well, and I'm getting on my first pen test, and I'm like, I'm not sure how to Active Directory hack.
I'm like, what am I doing here? So that's what's prompted me to go after. I'm actually currently doing the TCM Security PNPT, because I want to get those Active Directory skills, because the OSCP, when I did it, is lacking.
Now, they came with OSCP+, and they've updated it, but you know, when I went through it, it was, the AD section was there, but honestly, it was, I think, I thought it was too easy, honestly. It wasn't like the real world at all, and it was very CTF-y, even though it was technically Active Directory, but yeah, it's, and Active Directory is so huge, because every internal you're going to be on is going to have Active Directory, and I felt like the OSCP let me down for the real world skills. Like, it got me the job, yes, but then when it came to the real world skills, like, it let me down.
So, I have a, I don't want to say it's a bad cert, but it's not the end all be all. It's not, there's other stuff out there.
[Tyler Ramsbey] (19:15 - 19:59)
Yeah, and right along with you, I still recommend it as the number one cert to pursue, but merely for the HR filter, and I also think people need to recognize the OSCP really is an entry level pentesting cert, which is confusing, because pentesting itself is an entry level, but once you get the OSCP, and you think, like, wow, that's the hardest thing, just wait till you do your first internal as a pentester, and you have hundreds of hosts on an internal network, and you have to be careful about password spreading, you don't want to lock out accounts, but you're trying to get to domain admin, like, it is way more complex than anything you'll encounter on the OSCP, or really any other exam. So, those exams, those certs are helpful, but only to a certain degree.
Experience still trumps all of them, but unfortunately, sometimes you do need them to get to that experience part of it.
[Kyser Clark] (20:00 - 20:17)
I'm so glad you mentioned that, because when I got OSCP, I was like, I made it. I'm done. I'm a hacking wizard, dude.
I'm here, and then you get on your first internal, you're like, uh, what? Yeah, because, you know, you get on your, my first internal was like 400 hosts. I'm like, what do you mean 400 hosts?
[Tyler Ramsbey] (20:17 - 20:21)
Not three? There's not a web server I breach first, and then get into AD?
[Kyser Clark] (20:21 - 20:44)
Yeah, it was, yeah, but like you said, it's a good cert to, you know, get the HR filter and land the first job, but that's only the tip of the iceberg. It goes way, way deeper, and that's one of the reasons why I go after other certifications, and keep hammering at Hack The Box, TryHackMe, and just keep the skill sharp, and try to get skills leveled up, because it goes way deeper.
[Tyler Ramsbey] (20:45 - 20:56)
Let me ask you a question. I'm flipping the tables real quick. You have all the certs behind you.
What's your favorite cert? Out of all the certs you've taken, your favorite one, you have 30 seconds to answer it. Go.
[Kyser Clark] (20:58 - 21:01)
OSWA, because I failed that one three times.
[Tyler Ramsbey] (21:01 - 21:02)
Nice.
[Kyser Clark] (21:02 - 21:16)
I failed it three times, and even though, because I passed OSCP on my first try, OSWA, that one was hard for me, and it made me question my entire life, but after I got it, it was way more rewarding, because it was way more, way difficult.
[Tyler Ramsbey] (21:17 - 21:19)
The persistence, yeah, that's amazing.
[Kyser Clark] (21:20 - 22:18)
And I'm sorry, but we accidentally skipped over the explanation on your rapid fire quiz, so I'm going to rewind a little bit, and go back to one of the topics from the rapid fire round. So you said your least favorite part of the job is social engineering, and I'm going to go ahead and give you my sense on this, because I think we have a similar answer here, but I did my first social engineering engagement like two months ago, three months ago now, and I had to, well, it was an in-person one. I had to like talk to someone in person to go in the facility, and I had to come up with this pretext, and I had to get all this gear, and to make me look like I'm a different kind of person than I actually am, and it was rough, because being like an honest person, like it's hard to lie, and that was hard for me.
So is that why you dislike social engineering, or is it something completely different?
[Tyler Ramsbey] (22:19 - 24:02)
Yeah, it's sort of a mix. So even like where I work, the on-site component is optional. No one's ever forced to do that, and I just straight up told my team I'm not doing it.
Like there's an amount of social engineering I can do over like pretext calling and phishing, but yeah, looking another person in the eye and intentionally deceiving them and manipulating them, although I know clearly it's for a good purpose. Like I'm happy other people can do it. I celebrate that.
That part is hard, but I've never done that. So the reason I said I don't like social engineering, I'm talking mainly of pretext calling. Phishing emails are just phishing emails.
There's not much person-to-person interaction with it, but when it comes to pretext calling, what people don't realize is if you're set up to do that, you might make like 40, 50, 60 calls in a day. A lot of the times people aren't answering it, and when they do answer it, I just feel like a bad telemarketer, and what doesn't come across in my YouTube videos, I'm very, very, very much an introvert. So I much prefer hands-on keyboard.
Like I work from home in my basement. My only interaction generally is with my wife and kids, and I'm happy with that. When I have to do a day of pretext calling, of making phone calls and trying to social engineer over the phone, I'm just like, after the first few calls, I'm exhausted.
I'm depleted. Like I want to get back to technical work, hands-on keyboard. Unfortunately for me, I'm relatively good at it because once again, I spent 10 years as a pastor.
I know how people work. I know how to gain their trust for good or for bad, but I'm just exhausted at the end. It's a mix of trying to keep up a fake story the entire time and lying to people, which I don't think we're made to do that, and just having to talk all day, which I don't like talking all day.
It kills me.
[Kyser Clark] (24:03 - 24:59)
Yeah. I'm the same way. I've said it multiple times on this podcast.
I'm also introverted despite my streaming and podcasting and YouTubing. When I work help desk, answering phones all day, I can do it, and I'm good at it, but at the end of the day, my head's thumping. I'm driving home from work, and this is when I was in the military.
I drive home from work, and my head's hurting, and I would just sit down for like a half hour before I even did anything. I'm like, I got it. Yeah.
That's hard to just talk on the phone all the time if you're introverted because I've seen definitions saying like if your energy gets drained when you talk to people, then you're introverted. If your energy increases when you talk to people, then you're extroverted. I think it's a good way to look at it, and that's how I know I'm introverted because it literally drains me.
[Tyler Ramsbey] (25:00 - 25:37)
Yeah. People often think introversion is shyness, which they're not the same thing. I mean, extroverted people can be shy.
Being shy is more about social situations, but exactly what you said. It's where you draw your energy from. Even at DEFCON, DEFCON's a lot of fun, but I'm so glad when I can leave the craziness of Las Vegas and return to my town of 1,000 people where everything's quiet again for the next 12 months until I go back to DEFCON.
It's that one time a year, but yeah, my energy comes from being alone, reading books, studying, not from talking, so yeah, spot on.
[Kyser Clark] (25:38 - 25:55)
Great. Now you've been a Pentester for a little over two years now, right? Yes.
What are some rookie mistakes that you see new Pentesters make or maybe heard of new Pentesters making, and how can they avoid them?
[Tyler Ramsbey] (25:56 - 27:25)
Yeah, let's see. Rookie mistakes. I say rookie mistake number one is not knowing how to do documentation.
If you are doing any type of engagement, you should be documenting everything that you do, especially anything that might be important. As you would know, Kyser, when you're doing a pentest, there might be a service on the other end that goes down or the client has an issue on the other end, and as a pentester, whether you like it or not, you are guilty until proven innocent, and you need to make sure you have good documentation when they say, hey, did you run this command or did this thing happen? You need to be able to say with confidence yes or no, which I would say leads to rookie mistake number two, an unwillingness to say, I don't know, which is what I see a lot of junior pentesters making.
Let's say they're in a debrief with a client and the client asks them a technical question and they don't want to look dumb. They're struggling from imposter syndrome. They want to look like they know what they're talking about, and they give confidently the wrong answer.
Then I have to message the project manager and be like, yo, what they said was completely wrong. We should probably clear this up with the client. If you are starting your job as a Pentester, make sure you have the courage to say, I don't know, but I will research and get back to you.
Do not confidently give the wrong answer to clients or other teammates because that'll get called out really quickly. That'd be the two probably biggest rookie mistakes I make, a failure to document what you're doing and a failure to honestly say, I don't know, when you're struggling with the technical question, especially when asked by a client.
[Kyser Clark] (27:26 - 27:49)
Yeah, that's really good advice. That's really important because everyone wants to sound smart, but you don't want to be wrong. That will make you look worse in the long run.
You look good immediately, but when people find out that you told them the wrong information, they will never trust you again. That is not what you want.
[Tyler Ramsbey] (27:51 - 27:52)
Spot on. Yeah, exactly.
[Kyser Clark] (27:54 - 28:55)
Speaking of rookie mistakes, let me share one that I made. It was one of my internal assessments that I did for my current company, one of the first ones I did.
I get into the environment and I look at the scans and I see this many hosts on a network. There were quite a few. We're talking about some of these internals can be thousands of hosts.
There were a lot of hosts on a network, but what I didn't do was compare the host count that was in the scope with what I was seeing. The scope was much larger than what I was seeing. The reason why I didn't see it all was because they had a firewall rule blocking me, and they didn't want that rule in place.
It wasn't supposed to be there. I was supposed to reach this other section of the network, but I didn't reach out to the client and be like, hey, I can't reach this other section of the network. I just accepted like, oh, I can't reach it.
I'm done. The client was not happy with me. We fixed it in the long run, but yeah, that was a mistake that I made.
[Tyler Ramsbey] (28:57 - 29:09)
Yeah, always verify scope. That's a good lesson as well. When you're unsure, ask the questions.
It comes back to that, but yeah, good lesson there. Very uncomfortable lesson in the moment, but a good lesson.
[Kyser Clark] (29:10 - 29:41)
Today, I actually sent an email to my client because I'm supposed to be doing a web app assessment. I get in there and the web app doesn't show me what it should be showing me. It's pretty empty.
I'm not reaching it. They got me blocked or something. I learned my lesson.
I go like, hey, I can't access this web app. Is there a whitelist that you guys didn't implement? Hopefully, they get back to me and give me what's the...
It's like, oh yeah, sorry, I blocked you. Here, you can do the test now.
[Tyler Ramsbey] (29:42 - 30:18)
Yeah, and the nice thing about communication, we have a spot on our reports where we have constraints. It might be something that's legit broken on their end, but if we don't ask specifically in writing, is this feature available? Is it broken?
It's on us, but as soon as you ask in writing, whether they respond to you or not, you can add it as a constraint on the report. When the pen tester the next year looks back at it and they find some crazy zero-day that led to RCE and they're like, yo, how did Tyler miss this last year? Well, they can look at the report and be like, yo, this feature wasn't even enabled in the app, and it answers some of those questions.
That's some good things I've learned as well stumbling around this world of pen testing.
[Kyser Clark] (30:19 - 30:31)
Yeah. Yeah, that's good to know. And so speaking of web apps and internals, do you have a preference between web apps and internals or do you just like both of them equally or what's your take on, you know, what's your preference?
[Tyler Ramsbey] (30:33 - 32:38)
I would say internals are probably a little more fun. As you would know, web apps are often the first thing a company signs up for because most, if not all, companies have a web app. It has the largest attack surface because it's internet facing.
So you want to begin with the web app pen test, but for most web apps, they have very similar functionality. You might be able to find some cross-site scripting, maybe some injection attacks, but it's kind of rinse and repeat. Once you've seen enough web apps, like I can open up a web app right now and tell you all the things that might be vulnerable with it and all the things that you should check right away.
It doesn't even take much thinking once you've done enough of them. Internals are a little bit different. Like the internals that I've done, they all have unique attack paths, things that dig into enumeration you have to do.
And there's just more complexity in place. And it feels, you feel more like a hacker for lack of a better word. When you see the hacker movies and you're like, I'm in and you're hacking away, that always feels good.
I know like my first internal that I did, I was able to get domain admin, I think in like two days or so. And that just was one of the most amazing feelings. And it helped with my imposter syndrome as well, because up to that point, I did some labs, but never did a real Active Directory environment.
And when I was able to get domain admin that quickly, I was like, yo, the things I learned on like Hack the Box Academy, they actually work. This is crazy. This is mind blowing.
So I would say internals are a little more fun, but I enjoy all of it. And where I work, I do basically every assessment type. So I do the web apps, I do networks, I do mobile apps, I do cloud, all three cloud providers.
If you name it, I probably do it. And my philosophy from the beginning was anytime they were like, hey, Tyler, do you know how to do mobile apps? My answer would be, I have no idea.
But I guarantee you, I can figure it out if you give me a little bit of time. And they're like, do you want to try the shadow on this? And my answer is always, yes, yes, I will shadow and I will see if I can figure it out.
And I've just said yes to every single thing. And each time I do that, I grow a little more. So I'm not an expert at anything when it comes to pen testing, but I know enough about every service type that I can do an assessment and usually find some cool bugs along the way.
[Kyser Clark] (32:39 - 33:41)
Yeah, in the same way. You know, I do mostly web apps and internal pen tests and external pen tests as well. But I did one wireless assessment, which was pretty cool, because not a lot of people do wireless assessments.
And my company was like, hey, we need someone to do an IoT pen test. And we need a volunteer. And I just reached out to my manager, I was like, I'll step up to the plate, I'll learn it.
So I'm actually going to go through the TCM Security, was it practical IoT penetration test associates, I'm gonna go through that course and learn how to do some IoT hacking. But yeah, I think that's really good career advice. Like if your company has a need to learn, if they're willing to teach you a new skill set, then take it, don't be afraid to learn new stuff.
And your company will be very appreciative of that. Because I know my manager was like, oh, thank you for, you know, taking initiative on learning how to do web apps. I haven't done mobile, but you know, maybe down the road, I will.
[Tyler Ramsbey] (33:43 - 34:08)
You might not want to. Android's okay, dude. iOS just sucks, like jailbreaking an iPhone that's new enough that you can do pen testing on.
And there's all these things that go into it. But every time I do a mobile app pen test on iPhone, I swear, I have to spend like a day setting up my environment again, jailbreaking my iPhone, everything's changed since the last time I did it. So if you can avoid mobile apps, I'd recommend it.
But the rest of them are a lot of fun.
[Kyser Clark] (34:09 - 35:10)
Nice. I'll keep that in mind when it comes to mobile. Speaking of that, my manager reached out, he was like, hey, I'm sick.
I can't take this call. This client wants to learn more about mobile pen testing. Does anybody want to take this call?
I was like, look, dude, I don't know anything about mobile pen testing, but I might know enough. I was like, if we determine that I'm the best one to do this, give me some heads-up and I'll do as much research as I can. Well, luckily I didn't have to do that.
But that's one thing I go back to, that team player thing, like just step up to the plate, you know, when people need you. And that's super vital when it comes to adding value to your company, which adds value to your client. And for me, when you add value to a client, like you're adding value to the whole world because, you know, I pen tested an application that so many people that I know use, and that felt good to me.
You know what I mean? So I feel like that's my way of like helping the world.
[Tyler Ramsbey] (35:11 - 35:13)
Yeah, that's amazing. Good perspective there.
[Kyser Clark] (35:15 - 35:33)
So, one of your favorite topics is mental health. Why is that so important for you to talk about in your content? And I remember specifically you talked about mental health when you were on the Simply CyberCon, was that what it's called?
[Tyler Ramsbey] (35:34 - 39:28)
Yeah, Simply CyberCon. Yes, their first like virtual conference. And I think we did a live stream.
I don't remember what we all talked about, but yeah, let's talk about mental health. My passion for that goes back to my own journey. So back when I was a pastor and was going through COVID-19, I was just exhausted and really burnt out dealing with all the division and fighting among people and trying to lead through that, and got to a point where, with a wife and two young kids, like I just did not have any emotional energy or availability for them after dealing with just the craziness of what that period was like. I spent a pretty good chunk of time in professional therapy. I'm actually still in professional therapy now just to kind of figure out my own like family-of-origin issues and emotional things that I'm dealing with, trying to be a healthy person. And once I switched over to cyber, I saw that this was a thing that a lot of people struggle with, but they're not able to put the right words on it.
So one thing I've noticed, at least in our industry, is we have a tendency to compare ourselves to other people. So we might compare ourselves to like the John Hammonds of the world who are just incredibly talented, or other people along those lines. And what I try to remind people is we all have different journeys.
We all have different perspectives. So like for me personally, I've shared this already. I have a wife and I have two young kids.
I'm not John Hammond. I believe he has a fiancée that he's engaged to, but he doesn't have any kids. Like he can pull the all-nighter and dig into stuff.
Like I have to wake up at 7am, bring my kids to school and I want to be a present dad to them. At the end of the day, I don't care about my career. I don't care about my title.
I don't care that much about my salary. I will happily leave this field fully and completely if it begins to affect my family in a negative way. Whereas I see a lot of people who are trying to get into the industry or move up in the industry.
They sacrifice their family, their partner on this altar to whatever, however they define success. So for them, success might be a certain salary. It might be a certain title.
It might be a certain spot in cyber. But if you succeed in your career, but you fail as a partner or you fail as a parent, you're not a success. If you succeed in your career, but every single day you are self-medicating with alcohol or drugs or pornography, whatever you want to throw your addiction in there, you're not a success.
You succeeded on the outside, but inside you are broken and you are emotionally wounded. And until you realize like the reason you stay up late at night, and the reason you are self-medicating with work is because you have this trauma that's happened to you that you haven't dealt with. And the reality is hurt people, hurt people.
So if you don't get well yourself, if you don't heal yourself, you're just going to take that trauma and you're going to spew it all over other people and you're not going to be emotionally healthy. So what I try to encourage people all the time is the best thing you can do for your career is not to get the next cert, not to finish the next try hack me room. The best thing you can do for your career is to become an emotionally healthy person.
And life is much more about who you're becoming and less about what you're doing. And when we mix that around and we find our identity in our work, well, when you get laid off, your identity crumbles and you end up in a really dark place because you are finding your identity and your purpose in the wrong things, namely what you do rather than in the person that you are becoming. So that's kind of my Simply Cyber talk in, I don't know, three minutes or so, but I suck at all that myself.
So even when I share that I'm preaching to myself, like I need to remember these principles. I need to remember these things. You know, as someone who makes content, it's so easy to live for people's applause.
And when you do that, you die when they're not happy with you. And so it's really finding your identity in the right things and being willing to walk away from all of this, if that's what greater health would call you to.
[Kyser Clark] (39:29 - 39:43)
That's really good advice. And yeah, thanks for summing up that talk and providing your perspective because that's a topic that we haven't touched on this podcast. And I thought it was important for you to mention that for the audience members who needed to hear that.
[Tyler Ramsbey] (39:44 - 39:45)
Yeah, thank you. Thanks for the opportunity.
[Kyser Clark] (39:46 - 39:58)
So we are running out of time. So we have to get to the final question, which is the one everyone gets. It's really just a free for all to say whatever you want.
Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?
[Tyler Ramsbey] (40:01 - 41:32)
Yes. Yes. Before you pay a coach or an influencer hundreds of dollars to meet with them for a one-on-one session or to join their stupid boot camp that promises you six figures,
join Hack Smarter. The whole premise behind Hack Smarter, for those who are unaware of it, is it's all volunteer. I make no money outside of like $200 a month from YouTube, but I make no money from Hack Smarter.
And we have a team of like 10 plus coaches who work as pros in the field who volunteer their time to meet with you for one-on-one sessions. We do a resume review, mock interviews, designing a career path for you. All of these things, not as a way of making money off of you, but we believe that, hey, we're good enough at our jobs.
We don't need to charge people trying to get into the industry. So I'm not opposed to paid education or even paid coaching. I am opposed to the coaching that's targeting people who are brand new to cyber with unrealistic promises that if you join my boot camp, you'll be making six figures in 12 months or less.
That's simply unrealistic. It's predatory. And they're preying on your emotions and your desire for financial stability.
So if you're new to the field, don't pay those stupid influencers. Join a community like Hack Smarter or TCM, all these other communities with a bunch of people who are more than willing to help you, form friendships and be with you on this journey. So I don't know if that's really a hot take, but I'm also passionate about calling out some of the crazy coaching I see in the industry today.
[Kyser Clark] (41:33 - 43:39)
It's a little bit of a hot take. And yeah, I agree with you there because, you know, I actually had a hunch you were going to say that because you made a post about it on LinkedIn today. And if you're listening to this, this episode is going to be like two weeks in the future.
So, but yeah, you called out someone like directly, you tagged him and everything. I was like, I was like, that's bold. I was like, Oh, I like the buggy Peter chair.
I was like, that's wild. But yeah. Yeah.
And I want to throw my little hot take here, if you don't mind. So my hot take is this: there's enough information out there that you can get for free that you don't need a mentor to guide you every step of the way. In my opinion, like I've never had a mentor.
I've never had a mentor. And I get all my information just from Googling and searching on YouTube and reading blogs. There's so much free information out there.
And the reason why I say you don't need a mentor is that's one of the most common questions I get: Hey, will you mentor me? Will you mentor me? And I'm like, look, all my best advice is on my YouTube.
Watch all that. Once you watch all that, ask me whatever question you want, because everything that I will tell you right now is probably in one of those YouTube videos. And I'm not saying you don't, they say mentorship's important and it does help you, but I think you don't want to have an over-reliance on it.
You know what I mean? Because it is your own path after all, and you want to create your own path. And I think that's what people don't understand.
Like they look at a path that I might do or one that you might do, and they try to emulate that. It's like, no, you got to make your own path.
And I think people don't really understand that much. Mentorship's okay, but I think it's important to realize that you need to not over-rely on it. You don't need someone to tell you every single step like, oh yeah, get this cert.
And then you want this cert, and then call this guy and this recruiter. Like it's okay to have some general guidance, but having a reliance on it, I think it's not that crazy important.
[Tyler Ramsbey] (43:39 - 43:58)
Yeah. Wisdom. And if it is important for you, honestly, pen testing and cyber probably isn't a good career, because it takes so much of your own research and problem solving and thinking through things.
If you can't do that, it's probably not the best career for you. Do some self-selection there, but yeah, I agree. Good hot take.
Good wisdom there.
[Kyser Clark] (43:59 - 44:05)
All right, Tyler, thank you so much for being here. Where can the audience get ahold of you if they want to connect with you?
[Tyler Ramsbey] (44:06 - 44:37)
Yeah. Go to HackSmarter.org. On invite link.
It's a cool website too. It's like a terminal emulator. It feels like you're in a terminal.
You can like cat out discord.txt to get our discord invite link. So HackSmarter.org, you can find all of my information there and Hey, guess what? You don't have to pay me money to meet with me.
So if you have questions, DM me on discord. I check all my comments on YouTube as well, and I'm not going to charge you money, but I'll do everything I can to help you along on your own journey.
[Kyser Clark] (44:38 - 44:54)
Thank you, Tyler. And audience, if you want to get ahold of me, the best place is my website, KyserClark.com, and on LinkedIn. Audience, thank you so much for watching.
Thanks for listening. Hopefully I see you in the next episode. Until then, this is Kyse signing off.