The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#38 Fired or Freed? Turning a Cybersecurity Layoff into Your Next Big Break w Justin Mahon
Getting laid off can feel like the end of the road, but what if it’s actually the beginning of something bigger? In this episode of The Hacker’s Cache, Justin Mahon shares his journey from military IT to offensive security, including how he bounced back after a cybersecurity layoff and landed in a better position than before. We break down the reality of tech layoffs, why they happen, and how to turn them into opportunities for career growth. Whether you're navigating a layoff, preparing for the worst, or just looking to future-proof your cybersecurity career, this episode is packed with insights you won’t want to miss!
Connect with Justin Mahon on LinkedIn:
https://www.linkedin.com/in/justin-mahon22/
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
Opinions are my own and may not represent the positions of my employer.
Ep 38 Transcript
[Justin Mahon]
Techniques are changing all the time. The last couple years, we've seen a lot of companies migrate to cloud and everything. And there's just so many different parts of cybersecurity, especially just offensive security, you know, there's cloud, Active Directory, ICS/OT, mobile apps, you know, there's a lot to learn and that you could specialize in.
[Kyser Clark]
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security, one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Thank you for tuning in. Today, I have Justin Mahon, who has over six years of experience in the field. He started at the help desk in the U.S. Army. Then he moved to system administrator with satellite communications experience. Outside the Army, he became a security consultant and is now a full-time offensive security consultant. For education, he is almost complete with his bachelor's degree.
For certifications, he has a lot, so get ready for this long list of alphabet soup. He has the Certified Red Team Expert, that's a CRTE from Altered Security. He has several GIAC certifications, so he has the GIAC Web App Tester.
He has the Certified Intrusion Analyst, the GIAC Python Coder. He has the GIAC Certified Incident Handler. He has the GSEC.
He has the GIAC Information Security Fundamentals, the GIAC Foundational Cybersecurity Technologies. He has the Certified Enterprise Security Professional, that's the CESP, that is also from Altered Security. He has the Blue Team Level 1, the EJPT, and a pair of Fortinet certifications.
So, Justin, thank you so much for taking your time and doing this episode with me. Go ahead and unpack some of that experience and introduce yourself to the audience.
[Justin Mahon]
Yeah, no problem. Thanks for having me. So, you know, just to dive right in, you know, I'm Justin Mahon.
I'm currently 24 years old and I started cybersecurity, you know, studying and everything in 2019 while I was in the Army. And after that, I was able to land an offensive security position. And, you know, from there, it's been great.
You know, I have a family and I work remote and, you know, couldn't ask for anything better.
[Kyser Clark]
Nice. So, what was your biggest challenge coming out of the Army as a system administrator getting into security consulting? What was the biggest challenge there?
[Justin Mahon]
Yeah, you know, the biggest challenge, I think, was just, you know, trying to make that pivot from system administration to, you know, cyber, because, you know, even though I had that IT experience and, you know, I knew my job really well, it was just difficult to just find someone to give me a chance, so to speak, and just be able to gain that useful experience in offensive security. So I'd say that was the biggest one for me.
[Kyser Clark]
Yeah, and I'm right there with you. I was a system administrator in the Air Force and I had, you know, coming out of the Air Force trying to land my first pen testing role. There were several interviews where they would ask me, hey, how much experience do you have in pen testing?
I'm like, well, I don't have any paid experience, but, you know, I have a hundred Hack The Box machines done. I have OSCP, I have OSWP, and these other offensive security certifications. I, you know, I've been doing TryHackMe for a couple of years now, and I've completed over 200 TryHackMe rooms.
But, you know, even with all that, they were like, well, you don't, you've never been paid as a pen tester. You haven't done a real-world engagement, and that was very hard. And even when I was completing real-world engagements, because I had a SkillBridge where I was doing an internship and I was doing real-world engagements for my DoD SkillBridge, they still looked at it like a risk because I had one employer flat telling me, like, yeah, you got to have two years experience in pen testing.
I'm like, man, it was hard. I put in probably a hundred and so applications, and I finally got some company to give me an offer, and then they later withdrew that offer, and then I found the job I am now after that offer got withdrawn. So it was really hard coming out of the system administration experience, even with six years, because it wasn't offensive security, you know?
Right. Yeah. So, yeah, it's nice to know it.
Well, I don't know if it's nice to know, but it's interesting to see you had a pretty similar story there, because, you know, a lot of people think, oh, like, this guy was a system admin. Like, what does he know about offensive security and cyber security, you know?
[Justin Mahon]
Yeah, exactly. And, you know, that just goes into, you know, figuring out how things work, how they should be configured, you know, just the proper ways of doing things, and then just using that knowledge to, you know, use it to break things too, or find loopholes and everything. So, you know, it goes hand in hand.
[Kyser Clark]
Yeah. And so another thing about your background that I noticed was you're, so you was a security consultant, and then in your LinkedIn, you had a gap for a layoff. And what advice could you give someone when it comes to layoffs?
Like, what was the challenge there with that layoff? And can you just walk me through the process of, receiving the news of the layoff, and what do you do to overcome that challenge? And just give me the whole story of that layoff, if you don't mind.
[Justin Mahon]
Yeah, definitely. You know, I'm not gonna lie, it was, you know, disappointing and stuff. It was, you know, a punch in the gut and everything.
But the biggest thing I learned was just, you know, perseverance. You know, I had a wife and, at the time, two kids and one on the way. And it was just one of those things where it's like, you know, I love this field, and I have to support my family.
And the biggest thing is just don't give up, you know, submit applications every day. And the biggest thing is just, you know, continue to learn, you know, while you have that time and that gap, because, you know, you may be able to apply for jobs, but as long as you keep learning, and, you know, keep getting that knowledge and harnessing your skill, you know, that's really going to help you down the road.
[Kyser Clark]
Yeah, that's good advice. And what do you think a cybersecurity professional can prevent a layoff? And if so, how could they do it?
[Justin Mahon]
I don't really believe in that. You know, it's gonna just come down just, you know, how the company's doing and your management and everything like that. You know, the biggest thing is just staying on top of, you know, what your duties are.
And just how good you can be at your job, you know, just be the best you can be. You know, I try to do that in everything I do. And, you know, it's worked well for me.
[Kyser Clark]
Yeah. And I think it's important for people to understand it's like, just because you get laid off doesn't mean you are bad at your job, because the company can be poorly managed. Or the marketplace could, you know, hit a, you know, whatever company you're working for, it could hit a road bump.
And the management says, well, you know, we got to make some cuts. And typically, cybersecurity is considered a cost center. For those who don't know, that means it costs the company money, like you're not making money for the company, unless you're in a consulting role like me, who goes out and does pen tests for clients.
But if you're in like a traditional cybersecurity role for a company, you're a cost center, and you are an expense to the company. So when things get bad, cybersecurity is typically one of the first things to go. And that's why you see a lot of tech layoffs.
It has very little to do with your skill. I mean, there was, I think I saw something like some guy that worked at Google for like, 19 years, and he got laid off. It was like, he was like one of the higher, higher ups, too.
So it's like, it can happen to anybody, you know. So if you do get laid off, you can't take it. I mean, you can take it personally.
But like, at the same time, you can't take it personally. But the way you should take it personally is like, well, you know, this is going to get open up some more doors for me. And I can use this as an opportunity to to go further in my career.
And a lot of people have taken layoffs and made it gotten to better situations. In the end, would you agree that is that's what happened to you that you think you're in a better spot now after the over 1000%?
[Justin Mahon]
Yeah. You know, my the new company I'm with and the team I'm on, you know, they're amazing and stuff. You know, we all share our knowledge openly.
You know, we don't, you know, put each other down or anything, you know, it's a very open, cohesive team. So I'm really grateful to have found that opportunity. And I plan to stay for a while.
[Kyser Clark]
Nice. Yeah, that's really good to hear. And I've never been laid off from a tech role.
But I have experienced layoffs in my life before I joined the military. I was an industrial sandblaster, painter, fireproofer. And I got laid off every winter because you can't paint when pipes are frozen.
I painted pipes and tanks and stuff and oil refineries and you can't paint when when it's frozen, you know, I mean, it's negative 10 degrees outside here in Northeast Ohio and there's snow everywhere and ice everywhere. So I was like, that was one of the reasons why I ended up joining the military was because like, getting laid off every winter. It was just awful, you know?
[Justin Mahon]
Yeah. And, you know, the reason I joined at the time I was 18, but I didn't want to go to college, I actually didn't know what to do. I wasn't interested or knew anything about, you know, technology at the time.
So the army kind of helped me, you know, get into that and show me that. And then from there, I just, you know, took it and ran, you know, studying all the time whenever I could. You know, it was crazy because, you know, for example, like, I'd have to, you know, leave my house at 530 in the morning, and then I'd be home probably by six o'clock at night.
You know, I have a wife and a kid at the time. And the hardest thing was I would be waking up at 230, three in the morning, I would study for, you know, two, two and a half hours, get ready, and then leave. And I do that every day.
Because I really wanted to break into the field and just learn and just do anything I could, because I knew it's what I wanted to do.
[Kyser Clark]
That's, that's intense waking up that early to do your studies. That's commendable. And that's definitely not easy.
And I tip my hat off to you because I mean, I've done a lot of studying in my day, but I've never woke up that early. Now I've stayed up that late studying, but I never woke up that early. You know what I mean?
So yeah, man, that's cool. And yeah, well, it seems like it's paying off for you, man. Like perseverance is the key to success.
You know, I'm actually reading this book called The Dip. I think it kind of goes along with the theme of like not giving up or basically what, what this book is by Seth Godin, by the way, it's like, it tells you like, you know, when you should quit something and when you should stick out the tough times. I've only read it like for half hour so far.
I just started today, but it's a very short book. I'm already like a third of the way through it. And it might be a book worth looking into for anybody that might be struggling like, Oh, should I keep pursuing this?
Or should I switch it up? I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member only polls, loyalty badges for the YouTube channel chat and priority reply to the YouTube comments.
Of course, if you can't or don't want to become a member, that is totally fine. I will always release the same free content you've come to expect. And your support just by watching is more than enough to keep the channel going.
But for those who do join your contribution helps invest into new tools, technologies and people to help the channel go further. The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships.
And as always, thank you so much for your support. All right, Justin, let's go ahead and do the rapid fire questions. Are you ready for the rapid fire round?
Yep, I'm ready. All right. So for those who don't know, Justin will have 30 seconds to answer five questions.
If he answers all five questions in 30 seconds, he will get a bonus sixth question unrelated to cybersecurity. And his time will start as soon as I stop asking the first question. Here we go.
Justin, is it okay to get into cybersecurity just for the money?
[Justin Mahon]
I'm going to say no. It has to be a passion.
[Kyser Clark]
Have you ever collaborated with law enforcement on a case?
[Justin Mahon]
I haven't. No.
[Kyser Clark]
Do you think cybersecurity will ever be fully automated?
[Justin Mahon]
No.
[Kyser Clark]
Most unique device that you've ever hacked?
[Justin Mahon]
An on-prem Active Directory environment to a hybrid Azure environment.
[Kyser Clark]
Do you think cybersecurity jobs are stressful?
[Justin Mahon]
At times? Yes.
[Kyser Clark]
We got like 31 and a half.
You just missed it. You just missed it. But thank you for providing your insights.
And that's still a good time, by the way. We've had some worse times than that, for sure. So don't feel bad.
It's hard on purpose. So diving into your most interesting question. I actually forgot to tell you that before the recording that you get a chance to explain your most interesting question.
But your most interesting response, I would say, is it okay to get into cybersecurity just for the money? You said no. It has to be a passion.
Can you can you dive deeper into that? Why do you think it has to be a passion? And why do you think it's it's not a good idea to get in just for the money?
[Justin Mahon]
Yeah, definitely. My biggest opinion on that is just in this field, it's constant learning. And you're going to have to take constructive criticism sometimes.
And it's for the better good to improve yourself and your skillset and everything. But doing it for the money, I can't really see how I would do something. Like I said earlier, wake up 2, 3 in the morning studying just for the money.
It's just definitely not something that's that would be worth it. And in the end, money is money versus doing something you love. And I'd like to look back at the end of my life and just know that I did something I loved.
[Kyser Clark]
Yeah, I totally agree with you there. I definitely do not recommend getting in just for the money. Now, the money can help you overcome those moments where it's getting tough, you know.
But if you're not enjoying it at all, then it's definitely something you should pursue. Because my argument is like, if you're going to get into something just for the money, like cybersecurity ain't it because you have to study constantly. It's a lot of work.
And there's other routes to similar salaries that, in my opinion, are easier that will pay about the same. That are easier because this is a hard field to break into for one. And for two, it's a hard field to stay in because you have to constantly learn the newest things.
You have to be up to date in the news. And it's I always tell people it's not a nine to five. If you're not using any of your free time to advance your career, then you're you are in trouble, you know, because this this field demands people to be up to date with the latest trends.
Exploits are always changing. And you know, if you're an elite hacker today, your exploits and your techniques and your tools, they're not going to work five years from now, you know.
[Justin Mahon]
Yeah, exactly. And, you know, techniques are changing all the time. You know, last couple of years, you know, we've seen a lot of companies migrate to cloud and everything.
And there's just so many different parts of, you know, cybersecurity, especially just offensive security. You know, there's cloud, Active Directory, ICS/OT, mobile apps. You know, there's a lot to learn and that you could specialize in.
[Kyser Clark]
Yeah, speaking of specialization, do you think, do you think specializing in a certain area is the way to go to advance in your career? Or do you think being a generalist is OK? What's your take on generalizing versus specializing?
[Justin Mahon]
Yeah, that's a really good question. You know, personally, I would say I'm currently specialized in Active Directory. You know, I'm really big on it.
You know, I know it pretty well, but I've also, you know, fallen in love with cloud and everything. And, you know, next year I plan to really get into ICS/OT. So the biggest takeaway is just, you know, finding like one or two areas to, you know, really specialize and really know, you know, the detailed knowledge and everything.
It's hard. You can be a generalist, but I feel like if you're a generalist, you know, unless you're dedicating hours of study, you know, almost every day, I don't really see how you really master a specific area. It's just there's so much knowledge to know and, you know, be aware of.
And, you know, like you said, it's constantly changing, constantly updating. So it's something that's hard to stay on top of.
[Kyser Clark]
Yeah. Yeah. That makes a lot of sense.
And right now I feel like I'm specializing in network pentesting and web testing at the same time. And I'm dabbling in like Wi-Fi and IoT. So I'm kind of like a generalist right now, but I feel like maybe eventually I might specialize in one.
I'm kind of just throwing my hand into a little bit of everything and then just seeing what I like, what I don't like, you know, because right now I'm going through IoT stuff. And I guess it's, I've discovered that it's a little less exciting than I thought it was going to be, but I'm still learning. And once I get to a point like, like, okay, maybe I know enough to, you know, point someone in the right direction for IoT hacking, but, you know, it might not be for me, like something I want to specialize in.
So I think, you know, starting early in your career, by the way, like as, you know, I've been in the field for almost seven years now, but my first six years was cyber defense operations and system administration. And I'm still a pretty new pentester. I don't even have a year of paid pentest experience yet.
So I think early in your career, like generalizing is something that I, that I've been doing. And I, but I think long-term, you know, when you, when you start getting in, start adding the years, like you definitely want to start specializing in something because like you said, it's the only way you can become an expert on something. If you're generalizing, then you can't be a true expert.
Like that, that saying like jack of all trades, master of none, I'm a firm believer in that saying. So if you want to be a master of something then you definitely need to specialize in something, but it's okay to generalize in a bunch of stuff because you got to figure out what you like, what you don't like first before you commit to something. I mean, I'm specialized in pentesting, but there's so many different types of pentesting.
Like you talked about, you said ICS and OT, something I didn't even touch yet. And that might be something I want to touch in the future just to see what it's all about. I mean, reading about it hasn't been something that's interesting to me, but I won't know until I actually, you know, throw my hand in there, you know?
[Justin Mahon]
Yeah, definitely. And, you know, at one point, like I was interested in web applications and, you know, after doing a lot of boxes and, you know, getting some knowledge there, I just realized it wasn't really my passion. You know, it was kind of someone else's passion.
It was actually my mentor. And, you know, I'm really grateful for, you know, him giving me that guidance and that knowledge. But I realized that and it kind of moved to Active Directory more in social engineering at the time.
And I was actually really good at it. And, you know, like my first social engineering assessment, you know, like the primary assessor was kind of shocked like how well I did, you know, on a phone call and everything. And it's just one of those things where it's like if you're a natural at it, you know, it may be something you want to look into deeper because, you know, you may you may really like it.
[Kyser Clark]
Yeah, exactly. So with AD, that being your area of focus right now, where are the best places to learn AD if someone wants to specialize in AD? What's your favorite resources?
[Justin Mahon]
Yeah, you know, personally, as far as like certifications and labs, I'm really big on Altered Security. I think they have a great learning and training program and they really push you to your limits. On top of the lab time, there's also flag verifications.
So as you go through the lab, you collect flags and learning objectives and you'll submit them as you go through the course and everything. And, you know, that's definitely helpful. You know, really leveled up my game with that vendor.
I plan to get a lot more certifications from them, especially with Azure. As far as other resources, there's a book for Active Directory Pentesting, I believe, by Denis Isakov. And he really breaks down like all the different attacks and techniques.
And on top of that, he even shows like the mitigations for them and the patches and everything, you know, because that's the thing with pentesting. You know, it's great to know how to break stuff and, you know, really have that knowledge. But you also have to know how to mitigate it, because if you're talking to clients writing these reports, you know, they at least need some type of basic guidance to lead them in the right direction.
[Kyser Clark]
Right. Yeah. And that's for that's been one of the challenges for me, because like it's like it's nice to know how to how to exploit something.
But and then sometimes you like you'll give kind of like a generic advice in your report. And they are like, hey, what does this mean? And you're like, oh, man, I got to do some research to like answer this question.
And I'm sitting there trying to figure out how to like disable cipher suites, you know, and I'm like, well, because in the report, I'm like, oh, yeah, just disable those cipher suites. And they're like, well, how do you disable those particular cipher suites? I'm like, that's a good question.
Let me do some research and get back with you on that one. So I had to do like like an hour or two worth of research just to figure out how to disable these cipher suites in their environment. And I didn't know how to do that before.
So I think I think the skill just comes over time, you know, especially because I would say a lot of the reports I get to do are kind of generic advice, because I don't know even I mean, I pen tested their environment, but I don't know the ins and outs of everything in their environment. So I've had to try to stick with some generic advice because I don't know everything about the environment, even though I was pen testing it for a week or two. But obviously, if I know more about the environment, then I'll write more in their recommendations.
But yeah, that's definitely important skill to have for sure.
[Justin Mahon]
Yeah. And just to touch on that a little bit, it's something you want to be wary of because, you know, you don't want to tell a client, oh, disable this registry key, you know, to fix this problem. And then they go and disable it and a whole bunch of stuff breaks in their environment.
And, you know, guess who they're going to point the finger at you because you told them to do it. You know, so the biggest thing is just, you know, like know the mitigations and the recommendations, but also know, you know, like what could happen if, you know, someone implemented this or did this, you know, so that's just something to be wary of and, you know, just to do your research on.
[Kyser Clark]
Yeah, that's a good point. Yeah. Because if you recommend something and they implement it and then something else breaks, you know, they're pointing the finger at you and that's going to be not a good day for you.
Right. So with cloud pen testing, what are your go-to resources for that?
[Justin Mahon]
Yeah. Altered Security. You know, I'm going to keep saying it.
Altered Security is amazing. You know, just with the course content and the hands-on and everything, you know, they have a lot of Azure content right now. The other ones I'd recommend, there are some books out there.
To be honest, I can't remember who the author is. It's just like basic cloud pen testing handbook. The other one is Hacktricks.
They've come out with some certifications recently and they have like apprentice level certifications and expert. And you don't really need any prior knowledge to pursue those. And I just think that's great just to have a course that can, you know, bring you from zero to hero.
And as long as, you know, you learn and, you know, do the hands-on and everything. So I'd say those are the biggest ones. And then just something to get some basic knowledge about is AWS Flaws.
It's basically like just like a little cloud lab playground. And you just learn some, you know, basic cloud attacks and, you know, how to enumerate, things like that. So those are kind of the biggest ones I'd recommend.
[Kyser Clark]
Nice. And dude, I didn't even know Hacktricks came out with certifications. So that's interesting.
Now, I'll have a look into that more. Those are brand new, right?
[Justin Mahon]
Yeah, they have GCP and AWS and I think they're about to release their Azure one. I think it's releasing at the end of this month.
[Kyser Clark]
Huh. Well, that's nice to know because I personally thought, I mean, I'm on the record saying this somewhere. I can't remember where I said it or who I said it to, but I said like, oh, it'd be nice if we had some more cloud pen testing certifications because there wasn't a whole lot, if any at all.
So that's really interesting to know. That might be something that I want to pursue because there's a lot of cloud. I mean, almost every company nowadays is using the cloud in some shape or form or fashion, you know.
So knowing the cloud is, in my opinion, essential to your career now. It is no longer optional. So when it comes to cloud pen testing, like what are, what makes it different between like cloud pen testing and like on-prem pen testing?
Like what's the biggest difference in your opinion?
[Justin Mahon]
You know, I'm not super knowledgeable with cloud yet. You know, it's something I'm diving, really diving in this year and plan to be really good at it by the end. But just the amount of services and just different things you can do, especially with Azure, you know, I don't remember the amount, but I want to say there's like 60 different services or something.
So just trying to get used to those and understanding what they are, what they do, the ins and outs and everything, it's going to take some time. And yeah, it's just definitely a lot, I'd say it's a little bit more in depth in a way just because, you know, everything kind of builds off of each other, so to speak in the cloud. And there's a lot of like prerequisites to, you know, accessing stuff or, you know, like authenticating and just other things like that.
[Kyser Clark]
Yeah. Yeah, that makes a lot of sense. And yeah, no worries about not knowing much about cloud pen testing because I'm not there either, man.
And that's why I got to do some, that's why it's important to train all the time. And that's another reason why I like to be a generalist because, you know, like if I just focus on on-prem stuff, then I'm not going to learn that cloud stuff. And like I said, I would say almost every client, I would say very rarely does a client not have anything in the cloud, you know?
So it's nice to know that cloud pen testing stuff. And that's something that I need to start working on as well. And it's just one more thing that I got to, I look at it like, like a feather in your cap, you know, like, oh, here's cloud pen testing, here's Wi-Fi testing, you know, it's like, because being a consultant that, you know, clients, they have a wide variety of needs and for the type of stuff that they need to test.
And that's, I think that's one of the reasons why I like to be a generalist because I can help a wider variety of clients, for example, because you don't really know what they're going to ask you to pen test, you know? Right.
[Justin Mahon]
Yeah. And, you know, just being a generalist, you know, even just being an expert too, you know, you're going to be Googling things all the time. There's stuff I forget, even though it's in my notes or, you know, I know already, it's just, it's just something you have to constantly familiar, familiarize yourself with.
[Kyser Clark]
Yeah. So as an offensive security consultant, what is, what's your favorite part about being a consultant and what's your least favorite part about being a consultant?
[Justin Mahon]
That's a good question. I'd say the best part, honestly, is just, you know, the experience, like just the different environments you encounter and, you know, just, you know, you're going to encounter some environments that are, you know, really well, well kept. And then some that are just, you know, haven't been maintained in years, you know, sometimes password resets, you know, occurred 20 years ago.
You know, it just varies client to client. So, you know, just giving them that guidance and just getting that experience, I'd say are the best things and it's just fun. My least favorite part, it's hard to answer because I haven't really encountered anything too negative.
I'd say the biggest negative I've just dealt with is, I guess, dealing with scoping and sales part of it, just because, you know, sometimes in sales, if someone doesn't really know or understand what they're doing, you know, it will be underscoped or, you know, you'll find out last minute that the client wanted a second report or something or some other requirement. So I'd say that's probably my least favorite part that I've encountered.
[Kyser Clark]
Yeah, I've encountered that as well, where the salesperson promised the client all these things and you're like, well, we can't feasibly test all this in a week, you know, and then you'd have to tell the client that and they're like, well, you guys sold it to us this way. You're like, well, it's not feasible to pen test this much in a week, you know. Right.
And the sales guy like isn't even in the company anymore, you know, so stuff like that I've experienced. And if I was asked that question, I would say my least favorite would be just the clients arguing my findings. No one really prepared me for that.
I don't know if there is a way to prepare for that, where you like you find the vulnerability, you write it up and you take the screenshots, you explain it the best you can in a report and in person. And by in person, I mean like through a video call. And they're like, well, I don't think it's a finding.
You're like, and it's like, how do you not think it's a finding? And they don't understand like the severity of it. And they argue with you.
And you're like, that's hard. To me, that's the hardest part, because I understand like a lot of clients, they want that squeaky clean pen test report, you know, and it'd be like a low finding, too. It's like not even a big deal.
You know, they're like, well, we want this squeaky clean report. And yeah, that's hard for me to deal with, because like, you know, for me as a pen tester, like I'm not putting this on your report to just say like, oh, look at me. I'm an elite hacker.
I'm better than you. Like, that's not why I'm putting it there. I'm putting it there to help you, you know.
And I think people, you know, when I see some of their reports are like, oh, man, like, they're just trying to get me on this nonsense. It does. You know what I mean?
Yeah.
[Justin Mahon]
Yeah. Real quick. I heard someone, you know, had an issue with a client and basically their tech team was blaming us basically saying, you know, that we configured something in their environment to make it vulnerable or something.
And we were like, well, you know, even if we wanted to do that, we don't have the time to do that. And that's, you know, very unethical. So, you know, sorry, but they have to be lying to you or, you know, like forgot something or something, just because it's not something that, you know, as ethical hackers we will go out of our way and do, you know. It's a fine line between, you know, doing the right thing and, you know, helping people and then just, you know, doing the opposite.
[Kyser Clark]
Yeah, right. And that's the thing with ethical hackers, too, is like, I'm not like, I don't enjoy putting things on a report because I have to write about it. You know what I mean?
Like it would be easier if I didn't put this on the report, but I'm putting this on a report because I believe it is a risk that you should be aware of. Now, sometimes it's not always a huge risk, but just because it's not a huge risk doesn't mean there's no risk there. And that's why it's rated a low finding, you know, and they're like, well, it's a low finding.
Why is this a big deal? It's like, well, I mean, it's low, but it's still there's still a chance that it could turn into something bigger down the road. And that's why it's a low, you know.
But I think, like I said, there's no way to really prepare for that. You just got to get on the job and start doing it. And, you know, when you get in, hopefully you have some like senior pen testers that will help you out.
And, you know, that's actually the situation I'm in now. I have a client that's kind of arguing a finding that I've put on a report and, you know, the senior pen tester, he's like, hey, I'll jump on a call and, you know, help back you up with that finding. And you should have that kind of guidance if you're like new to the field, you know, and if you're a senior in the field listening, then you should be helping your juniors with that.
And that's my goal. Like when I get to the senior pen tester status, like my goal would be to, yeah, let me jump in a call with you and I'll help, you know, back up your report with the junior pen tester or the mid-level pen tester, you know, when I hit that level.
[Justin Mahon]
Yeah, it's all about, you know, when you're on a team just leaning on each other, you know, there's a lot of things I've taught, you know, seniors and principals, and there's a lot of things they've taught me. It's just that part of the field where, you know, everybody knows something that you don't and just being open about it and just, you know, sharing that knowledge, you know, it's important in the field and it really, you know, creates good friendships and everything. So, yeah.
[Kyser Clark]
Yeah, that's a good point you mentioned there, because just because you're new doesn't mean you can't add value, because there's been times where, like I said earlier in the episode, like I don't even have a year of paid experience. I'll approach a year here in like two months, but I still get questions from people who have five, ten years experience. They'll ask me a question, ask me my opinion, and I'm flattered.
I'm like, oh my gosh, like I can add value here. And just because you're newer doesn't mean you can't add value because like you said, everybody can add value in some way, shape, or form, and not everybody knows everything about everything. Everything changes so fast.
So, you know, it's very common for people who've been in the field a lot to not know something a new person knows, you know?
[Justin Mahon]
Yeah, definitely. And, you know, like going back to how you talked about seniors and everything, you know, just finding the right ones too, because, you know, I won't go into details, but, you know, there may be people that just don't want the best for you or, you know, just don't care. And, you know, the biggest thing is just, you know, blocking those people or, you know, just ignoring them and just finding someone who's actually willing to help you and actually, you know, give you that guidance.
I think, you know, everyone should have some type of mentor in the field, I think, even as like a principal or a senior or something, because there will be people out there who just, you know, prey on your downfall, you know, they just won't help you.
[Kyser Clark]
Interesting and good advice. And yeah, watch out for that. Well, Justin, we are running out of time.
So I'm gonna ask you the final question. And that is, do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share? So anything you want to tell the audience that we haven't already covered yet?
[Justin Mahon]
As far as, you know, haven't covered yet? No. But, you know, I'll say it again, you know, keep going, you know, don't give up, you're gonna learn so much and continue learning.
And, you know, find those right people who, you know, are not against you or, you know, want to help you. There's people out there, a lot more of those people who will help you than those who won't. So, you know, just keep going and just know every day is a new day.
[Kyser Clark]
Great advice. So, Justin, thanks for being here. Thanks for doing this episode with me.
Where can the audience get a hold of you if they want to connect with you?
[Justin Mahon]
Yeah, definitely. They could just find me on LinkedIn. That's the easiest way, Justin Mahon.
I'm probably gonna put my GitHub profile on there because I just, you know, made my account on there. But yeah, that's the main area, I'd say.
[Kyser Clark]
Yeah. And audience members, I'll put Justin's LinkedIn link in the show notes of this episode. And audience, LinkedIn is also a great place to get a hold of me and my website, Kyserclark.com.
Audience, thank you so much for watching. Thanks for listening. If you haven't reviewed the show, give it a 5-star rating if you think the show deserves it.
And if you're on YouTube, hit the like button, hit the subscribe button. And until then, I will see you in the next episode. This is Kyser, signing off.