The Hacker's Cache

#40 Proof You Don’t Need a Degree to Succeed in Cybersecurity ft. Zach Winchester

Kyser Clark - Cybersecurity Episode 41

In this episode of The Hacker’s Cache, Kyser Clark and Zach Winchester talk about breaking into cybersecurity without a college degree and why it’s not the dealbreaker people think it is. You’ll hear a real-world story of going from firewall configs to full-time pentesting with just an OSCP and hands-on experience. We also get into hardware hacking, social engineering discomfort, AI/LLM security loopholes, and why the offensive security space is far from being automated. If you’re wondering whether a degree is essential to succeed in this field, this episode is your answer. 



Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

[Kyser Clark]

And what makes it interesting to me is that it's unlocking this entire new area, a new niche, a new discipline of pentesting or offensive security, because we're going to need people who specialize in finding those security loopholes in AI and large language models. And those exploits are, in my opinion, are pretty different than like a web app or a network test. And it's a whole another discipline that we have barely got our feet wet in as a community.

 

Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one bite at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

 

Thank you so much for tuning in. Today, I have Zach Winchester, who has over a decade of hands-on experience. He began his career as a network operations specialist and spent several years as both a cybersecurity analyst and cybersecurity engineer, and now works full-time in offensive security as a penetration tester.

 

For education, he doesn't have a degree. For certifications, he has the OSCP. So Zach, thank you so much for stopping in and doing this recording with me.

 

Thank you so much for your time. Go ahead and introduce yourself, unpack some of your experience to the audience.

 

[Zach Winchester]

My name is Zach Winchester. I kind of got my foot in the door as in a network or cybersecurity operations center, doing particularly firewall configurations. From there, transitioned into network engineering, and that's when I ended up getting the OSCP, and I made the switch from engineering into penetration testing, and it's treated me well ever since.

 

[Kyser Clark]

So what made you want to go from engineer to pen testing?

 

[Zach Winchester]

To be honest, I always thought it was just really cool. I thought it was pretty neat. I always kind of wondered.

 

I mean, there's people out there that they can do things and then get away with it, and somehow the bad guys get away with it. How do they do it? And that's just always been a question that I've wondered.

 

So I then found out that there's a career doing that. So I'm like, okay, well, I'm going to try that out.

 

[Kyser Clark]

So you were interested in like the cyber crime aspect, like the cyber warfare, like dirty darknet stuff, that you're into that kind of stuff.

 

[Zach Winchester]

Yeah, like that's kind of how it all got started. At least that's what piqued my curiosity into it, or piqued my interest. And then, you know, as I got further into it, I kind of noticed that there's even more aspects of it to learn about.

 

[Kyser Clark]

Yeah, I chuckle because it's never ending. Like the more you learn, like you learn a new topic, then like three other topics that you didn't know existed now exist. It's like the Hydra.

 

You cut one dragon head off and three more sprout. And that's how cyber security is. And that's how ethical hacking and pen testing and offensive security is as well.

 

Because it's never ending. You think you start knowing stuff, and you're like, oh, wow, there's actually way more that I don't know. And that's like a never ending battle.

 

So you have to be very comfortable if you want to make a career out of it. Always having just not knowing everything about everything. So I specifically mentioned that you don't have a degree.

 

And the reason why I brought that up is because a lot of people know they wonder, hey, can you break in a field without a degree? And a lot of my guests up to this point, like, almost always have a degree. It's very popular to have a degree.

 

And it seems like, oh, yeah, if you see like a lot of people who have a degree or in the field, you're like, oh, then I need one. But in your case, you don't have one. And I want to bring that up, because I want to ask, like, how did you break in the field without a degree?

 

And do you think a degree, like, like not having a degree, like, held you back at all? Did it hurt you in any way?

 

[Zach Winchester]

So I won't say that it necessarily held me back or hurt me. Because it's still been very, um, like, it's still been a rather successful journey for me. It's, I will say that for each person, if somebody has a degree, then they can leverage that.

 

But if they don't have a degree, so like, in my case, I kind of fell back on, like my upbringing, and constantly being surrounded by computers and working on things as a child with, you know, with my uncle. And this is that kind of unraveled later in life. It was almost just second nature, more of a lifestyle, I suppose.

 

So I will say that people that do have degrees, that's good. That's great. There's avenues that they can take and leverage those.

 

But people that don't, if they have the prior experience, then they can lean on that.

 

[Kyser Clark]

Yeah, I always tell people experience is king when it comes to breaking the field and growing and leveling up in your career. And you don't need a degree. I mean, it can help, but it's definitely not essential.

 

[Zach Winchester]

Right.

 

[Kyser Clark]

And, you know, I was this week, actually, I was doing my weekly one-on-one with my manager. And he didn't even know that I was going for my master's degree, because it's not something I just, like, tell everybody, because, you know, I'm working full-time and a full-time college student at the same time. And he's like, oh, my gosh, I didn't even know that.

 

But I was like, yeah, I was like, I'm about to graduate my master's degree. And, you know, here in a few weeks, I'll have a degree. And we talked about, we started talking about degrees.

 

And, you know, he had one as well. And I was like, man, honestly, like, my degree, I think the biggest benefit that I got out of my degree was learning how to write. I think it's like the big skill I got out of it.

 

But big caveat here, like my degree is in cybersecurity management policy. So it's not technical at all. I purposely put myself in a non-technical degree, because I knew I wanted to get some technical certifications and I was going to do hack to block to track.

 

I was going to do all these hands-on activities. And I didn't want my degree. I wanted it to complement.

 

I didn't want it to be the same thing.

 

[Zach Winchester]

Right.

 

[Kyser Clark]

So that's why mine wasn't hands-on. But I guess, I mean, there are probably some colleges that are hands-on. But for me, it was learning how to write and just speak the lingo, you know?

 

[Zach Winchester]

Yeah. Which is very important as well, because there's a lot of lingo to learn.

 

[Kyser Clark]

Yeah, 100 percent, man. I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member-only polls, loyalty badges for the YouTube channel chat, and priority reply to the YouTube comments.

 

Of course, if you can't or don't want to become a member, that is totally fine. I will always release the same free content you've come to expect. And your support just by watching is more than enough to keep the channel going.

 

But for those who do join, your contribution helps invest into new tools, technologies, and people to help the channel go further. The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships.

 

And as always, thank you so much for your support. All right, so let's go ahead and dive into our rapid fire questions here. Are you ready for the rapid fire round, Zach?

 

[Zach Winchester]

I hope so. Yes.

 

[Kyser Clark]

So no pressure here. This is just a fun, fun little show, little game show here. For those who don't know, Zach will have 30 seconds to answer five questions.

 

If he answers all five questions in 30 seconds, he will get a bonus sixth question unrelated to cybersecurity. Zach's time will start as soon as I finish asking the first question. Here we go.

 

Zach, in your opinion, what is the most annoying cybersecurity myth?

 

[Zach Winchester]

Report ratings all bad.

 

[Kyser Clark]

Best way to keep up with cybersecurity trends?

 

[Zach Winchester]

Reddit, Twitter, or X.

 

[Kyser Clark]

Best advice for aspiring hackers?

 

[Zach Winchester]

Just keep learning. Just keep trying.

 

[Kyser Clark]

Most overrated cybersecurity certification?

 

[Zach Winchester]

CEH.

 

[Kyser Clark]

Favorite hacking gadget?

 

[Zach Winchester]

Flipper Zero.

 

[Kyser Clark]

Nice. Perfect. 27 seconds.

 

Congratulations. You have earned the right to answer this amazing bonus question that I'm super excited for. So let's go ahead and dive into it.

 

And this one right here, you can play as much as low as you want to. You can dive into it a lot, a little bit, whatever you want to do. So here it is.

 

If you could replace one body part with a cybernetic upgrade, what would it be?

 

[Zach Winchester]

That one's tough. Having an active radar would be pretty nice. Just being able to tell who's around me, especially for like physical engagements, it'd be kind of nice to know if somebody's coming around the corner or not.

 

I don't know. That's a good one.

 

[Kyser Clark]

I mean, radar is pretty cool. I mean, I never even thought of that. Like having a radar module installed on you and you just knew like where everybody was.

 

[Zach Winchester]

Just like a heads up display of all the little red dots or who you don't want to get caught by.

 

[Kyser Clark]

Yeah. So for me, this was a hard question for me because I knew the question going in, so I thought about this and I still don't really have a good answer. Like I was thinking like, oh, maybe if I could just like put like a CPU, like a computer chip in my brain, just to process information faster.

 

But then I was like, well, if I do that, like what I lose, like my human creativity, what I lose, my human emotions, you know what I mean? And sometimes I wish I had less emotions because like they kind of get in the way of things. But I was like, well, that kind of makes like emotions make the human experience what it is, you know?

 

So I don't really know. I always think about like, yeah, just put some kind of like processor in my brain so I can just think faster. I was like, well, is it going to make me like, you know, lose my human emotions and lose my human skills, you know?

 

[Zach Winchester]

Yeah. And I've noticed as well, especially whenever it comes to like physical engagements or social engineering, you kind of have to like flip the switch in your mind, as in you're not being mean to that person. It's, you know, it's helping the company out, but you still have to flip that switch.

 

Just don't forget to flip it back whenever you're done.

 

[Kyser Clark]

As you bring that up, this came up in an episode with Tyler Ramsey. Actually, we were talking about social engineering. And one of the things that I've done in person, social engineering engagement before, and I didn't succeed, most because they had a really good policy, right?

 

No one in my company was able to break into there because they just have a really good, like, yeah, don't let people in this building, like at all. They're really good. But me doing it, like coming up with a lie and lying to someone's face, it was weird for me because it's not something I normally do.

 

You know, when you're a trust, like when you're an honest person, it's like, it was really outside my comfort zone. You know what I mean? You know, if you can, I can talk to people all day, but then when you tell me to lie, I'm like, oh, all right, well, that's a little different here.

 

And I know it's for a good cause, but it's like, I don't know, it just went against the grain of like who I am. So how do you flip that switch? And what advice could you give to someone like me, who's like, who is an honest person who wants to, you know, be that guy who can provide value to a client or a company, but doesn't necessarily know how to flip that switch for social engineering mode?

 

[Zach Winchester]

It is, it's a really, it's a very uncomfortable feeling at first, I suppose. But once you remind yourself that this is for the greater good, this is truly to figure out where the shortcomings and where the weak points really are. It's not so much just telling yourself that over and over.

 

It's really understanding and feeling that this is a good thing. And all that comes to light at the end of the assessment. So, yeah.

 

[Kyser Clark]

And so how many, do you do social engineering a lot or is it just occasional or?

 

[Zach Winchester]

I've done lots of phishing campaigns, lots of those. As for in person, um, like physical pen testing only a handful of times and I'm kind of in the same boat. Not very successful.

 

I don't know if there was, you know, chatter amongst the organization and they kind of knew beforehand or if their security like really was pretty good. I'm going to probably vote the second one, but yeah.

 

[Kyser Clark]

Well, that's a good point you mentioned too, because you know, my first and only in-person social engineering event, physical social engineering assessment was like, it was at the same time every year. So it was like the fourth engagement they had four times in a row. And literally I like the last year's report.

 

It happened on the same exact day, just on the next year. So they, they just already knew that was coming. You know what I mean?

 

[Zach Winchester]

I see.

 

[Kyser Clark]

So, um, that's a factor. Cause like they, they kind of understand like when their next engage is going to be, especially if it's a routine client, you know? So that's a good point.

 

You mentioned that. Uh, so it kind of makes it hard. Um, so you can't, so for anybody that's listening, like he gets into social engineering, you're like, don't beat yourself up too much if you don't succeed.

 

Cause I definitely didn't feel good when they didn't let me in the building. I'm like, man, I worked, I had to come with this pretext and I had to like get all these nerves out and everything. And, and I just, I tried and I'm like, oh man, fell, came short, you know?

 

So don't bring yourself up too bad over it. And it's easier said than done, but uh, yeah.

 

[Zach Winchester]

Yeah. I mean like the goal is technically to get caught. It's just, what all do you have to do to get caught?

 

[Kyser Clark]

What a great way of looking at it. I like that. So moving on another, another, uh, topic that you are passionate about is AI and LLM security loopholes.

 

So is that something that you're actively studying? Like tell me about like what makes you intrigued about AI and LLM security loopholes?

 

[Zach Winchester]

It's definitely, I wouldn't say it's something I'm so much studying, but it's definitely something that I'm dabbling in. Like whenever ChatGPT came out, it kind of took the world by storm, especially, you know, when it really blew up. Um, but people really didn't know that there could be security implications on it.

 

I mean, and this kind of goes hand in hand with social engineering. If this thing responds like a human, then what else is it susceptible to that could be, I don't know, human avenues of attack. Like you can gaslight an AI really hard and more times than not, it'll kind of deteriorate slightly.

 

Anyways, you might notice a few things here and there. Um, some of them are really good though. Some of them are really good in maintaining their composure.

 

But, um, and there's just different ways to kind of get around like their security mechanisms, like censorship. Um, you know, nobody wants to go pay for a service and talk to an AI. And then all of a sudden it just starts, I don't know, shouting obscenities.

 

But, um, there was a recent jailbreak method that I can't remember who wrote the white paper. But it was essentially just using leetspeak in different ways over and over again. And it would eventually do what it was told.

 

I mean, another one was using ASCII art to spell out certain things. And the LLM would pick up on that and actually do what it was instructed through the ASCII art. I thought that was really neat.

 

Um, um, aside from tinkering with like the security mechanisms that LLMs have built in, whether that be baked into the LLM or some, something in between the user interface and the LLM itself. Um, everything else has just been me, I don't know, not developing, but trying to develop something, I guess. I just don't know what it's turning into yet.

 

[Kyser Clark]

Yeah. And so when it comes to like AI and LLM security, one of the things that I like to think about is like how, like you said, it took the world by storm, ChatGPT, when it came out and everyone's throwing an AI chat bot on every website now, basically replacing customer support with AI. And you're in a certain, I mean, the conversations of people's jobs getting replaced by AI is already happening.

 

And at this point it's inevitable. And we're going to go out in public and we're going to start seeing positions that used to be filled by a human now being ran by an AI. And those security loopholes, you know, they could exist in, out in the wild.

 

Like for example, you go to the restaurant and you, you got like an AI taking your order or whatever, like there's potential security loopholes that you can exploit there. And what makes it interesting to me is that it's unlocking this entire new area, a new niche, a new discipline of pentesting or offensive security, because we're going to need people who specialize in finding those security loopholes in AI and large language models. And those, those exploits are, in my opinion, are pretty different than like a web app or a network test.

 

And it's a whole nother discipline that we have barely got our feet wet in as a, as a community. I mean, I haven't touched it at all, really, but even the people who are spending a lot of time on AI and all, and there's still so much to learn. And I'm, I've imagined that, you know, you're going to start seeing some more specific training, specifically focusing on AI and LLM exploitation.

 

And the training that I've seen so far has been pretty basic. And I know there's going to be some more advanced stuff coming out. And if you're a training company listening, I think it's like, there's really like, I'm a huge fan of certifications as you can tell from the wall of behind me, you know, I would be interested in, in like a certification for that.

 

Like, Oh yeah. You know, AI pen testers or whatever vendor does it, you know, if you're a training company, I think, I think you should, that's, that should be where some of these training companies should be going, because I think it's important because like I said, we're going to running, running into literal robots and literal machines that are running on AI in the wild. Like you're, we already see it like delivery, delivery drones.

 

And I even saw like a, like a, uh, this like police bot thing. Like, I don't, I think it was in China, like they're using this bot that was like a police bot. Like dude, everything, the world, it's like, it's, it's literal cyberpunk going to be in the future.

 

It's coming by 2027, like cyberpunk 2027. Like that's, that's going to be a reality, dude.

 

[Zach Winchester]

I mean, I like where you're going with that though, with needing more people that are knowledged in essentially how to test whether or not AI or like machine learning models, LLMs, everything, all of the above are secure or not. And the fact that AI are, you know, helping well, somewhat taking people's jobs, the security testers position, and some people may disagree with this. They think that even that position may be in danger.

 

But personally, I think it's the opposite way. Like that just gives us more stuff to test.

 

[Kyser Clark]

Yeah. And I mean, I can see some of like, some of like the easier offensive security tasks, like the mundane stuff that we have to do automated, but those, those outside the box, chaining the exploits together and the manual exploits that we have to do to like actually uncover these vulnerabilities. Like, I don't know for anybody that's ever watched any of my Twitch streams, like I use ChatGPT during my Twitch streams on doing a Hack The Box machine.

 

Cause I go in those black box, which means I don't have any knowledge of the machine ahead of time. I'm just going in raw, just figuring out as I go. And I get stuck a lot because that's what hacking you.

 

There's no way you're not going to get in my opinion. Like, no one, no one can hack into something like, like that being stuck. Yeah, it's, you're going to be stuck, you know, wait, like you said, more than half the time.

 

So anyways, what I was trying to say was ChatGPT. I'll use it as like a way to assist me. I'm like, Hey, this is what I found in this box.

 

And I'm trying to get to this user. What are some things you can suggest to help me progress in the CTF? And don't give me the answer.

 

Cause it understands I'm doing a CTF. It's not malicious or anything. It used to not give you the answer at all, which was really frustrating.

 

But now that at least gives you something. But even then like everything I suggest doesn't work. And like, it's completely off from the actual solution.

 

And it's like, it's almost like you can't even use it to help. Like very rarely. Can I use it to help me like progress on a Hack The Box machine, for example.

 

[Zach Winchester]

So it is nice to be able to like bounce ideas off of I'm not somebody, but you know, something that seems like somebody it's just nice to be able to like converse with it just because, I mean, shoot, it might even say something that will give you an idea of something you didn't think of prior. It's like brainstorming through conversation with a robot.

 

[Kyser Clark]

Yeah. Yeah. And like I said, it's, I just feel like it's, we're so far away from being fully automation penetration tests.

 

Like I am not worried about losing my job at all as a pen tester. And by the time it gets to the point to where it might even start to like, I'll probably be retired by then. So if you're in the field now, I wouldn't, I honestly wouldn't worry.

 

Or even if you're about to get in the field, I also wouldn't worry either. Cause it's, we're so far away from that in my opinion, but I could be wrong. Cause AI is kind of, it can kind of grow at a rate that we don't even comprehend yet.

 

[Zach Winchester]

We'll see where the future takes us there.

 

[Kyser Clark]

Yeah. It's exciting to talk about though. So moving on to the next topic here, you are also interested in hardware hacking.

 

So what kind of hardware hacking are you doing and what can you say about hardware hacking or in comparison to like a web app pen tester or network pen tester?

 

[Zach Winchester]

So my hardware hacking experience has been, it's been different. Way before I got into cybersecurity, I, you know, I was very young. I think I was like 18 or 19.

 

I was working in this plant manufacturing circuit boards and they had these machines where you put the circuit board in it and it would, there were like these little fingers that would reach down. It was called an ICT machine. And I think that is in-circuit testing.

 

And like these little fingers would go down and it would just touch these little points on the board. And after seeing what it was doing, it was actually going in and verifying that like all of the, it was essentially verifying that the board itself was manufactured properly. But what I didn't know is that commands can be issued to the board depending upon, you know, if it's designed to be able to accept commands through these points.

 

These are called JTAG points, Joint Test Action Group, I think they're called. It's just a standard, essentially it's a serial connection just by having a connection made to different points on a board. And then I was like, wait a minute, well I've seen a bunch of circuit boards that have these little points on them.

 

Can this be applied to other stuff? And it turns out, yeah, a lot, most of them you can. And there's even, I forget the name of the site, I've got some little USB sticks that you can solder wires to to then solder onto a board's JTAG points in order to gain a serial connection to whatever the device itself is.

 

I thought that was really cool. As for other experience in doing so, I worked on an enormous 3D printer a long time ago where the serial port on the board within the printer, this thing was like the size of my fridge, but the serial port was no longer functioning so I was actually able to go in and find the JTAG points that correlated to the serial pins and kind of bypassed it in order to. I can't even remember precisely what it was for, but I got the job done.

 

That was pretty neat. Other than that, I mean, hardware hacking can be really fun. You burn up a lot of voltmeters in the process.

 

[Kyser Clark]

So when you're doing your hardware hacking, have you done it on the job, like paid to do hardware hacking, or has this been all recreational in your free time as a hobby, or a little bit of both?

 

[Zach Winchester]

A little bit of both. It is a little bit of both. It's been a while since I've done it for a cyber security role, per se, just because I feel like most companies that manufacture a product that they need tested, they're going to outsource that, or their R&D team is going to probably do some kind of internal testing.

 

But when it, I would like to, I think it would be very fun to. I don't know, I guess it all just really depends on what the client would, hmm, it's really all dependent on the circumstances.

 

[Kyser Clark]

Yeah, and I'm, so speaking of hardware hacking, so I've recently gotten into hardware hacking. I don't have a lot of experience in it, but my company, or one of our clients, needed some hardware hacking done, some IoT testing done, and our entire team, no one had IoT testing experience, so they asked for volunteers to learn, and I raised my hand, like, hey, I will volunteer for this. So I'm going through some hardware hacking training.

 

Specifically, I'm doing the TCM Security Practical IoT Pen Test Associate, that's the PIPA, PIPA certification, so I'm doing that training now. Hopefully, I get that certification soon, but if not, at the very least, I've completed the training, and at least took the exam, but yeah, stay tuned for that, and I also read through the Practical IoT Testing, or Practical IoT Hacking book from No Starch Press, and I read that book, so I'm learning how to do some of this hardware hacking stuff, and I've already done, like, some of the physical stuff, like I did my first solder not too long ago. I can't believe it took me this long to get to do my first solder, and then, yeah, using the multimeter and all this stuff, and learning about network, not network, electrical engineering, so it's been, it's definitely been different, and it's been kind of piqued my curiosity, and it was, it's been fun, because, like, it's completely different, from my experience, and in my opinion, than, like, traditional pen testing.

[Zach Winchester]

Oh, for sure, very much so. There's a, there's just a few other things that might go wrong.

 

I mean, if something smells like it's burning, it's, it is, like, wall outlets hurt, things like that.

 

[Kyser Clark]

Yes, yeah, that's a good point, you know, when you do pen testing on a network, or you pen testing on a web app, like, there is no danger of electrocuting yourself, or burning yourself, so that's, physical danger is something you got to be ready for.

 

[Zach Winchester]

Yeah, it tingles. It'll wake you up real quick.

 

[Kyser Clark]

So, moving on, so your one and only certification is OSCP, and I just want to see and hear from you, like, what, from your perspective, how has OSCP helped you in your career? Was it, did it play a significant role to, because we just, we got done talking about how you didn't need a degree, but how much did the OSCP help you?

 

[Zach Winchester]

And, so, the OSCP, it, it helped me in a way that I didn't foresee. I mean, I'm glad that it taught me what I needed to know. It was very, very nice to, like, have everything laid out, and explained in such a way that I could grasp.

 

Time management is very, very important whenever it comes to doing any kind of pen testing. Even with the OSCP exam, when I took it way back in 2019, it was, I mean, 24 hour exam, you can't just sit there and hammer away at it for 24 hours. I'm sure that some people can, and have, and have passed, but for me, I really needed to learn how to manage the time in order to get the rest that I needed, because taking a break, walking away, getting your mind off of it, and then coming back to it, it's like a fresh mindset, and that can be applied to pretty much everything in cyber security, I think.

 

There's been times where I would be on a phone call with a client for three or four hours, and you can't just sit there the whole time and try to come up with a fix to the problem, because it's gonna drain you. You gotta step away, and the OSCP did teach me that. So, that was, and then I've applied that to pretty much every aspect of my life, and nothing but benefits come from it.

 

[Kyser Clark]

Yeah, I was smiling when you said, when you were talking about time management, how you said, like, during your OSCP, you would take a step back, and, you know, recharge your batteries, and then come back, and I was smiling, because it reminded me of my OSWA. So, for those who don't know, that's the OffSec Web Assessor. It's the WEB-200.

 

It's like the cousin of OSCP. It's web app pentesting, and not network pentesting, and for those who don't know, I failed that certification three times before I passed. I my fourth try, and on my fourth try, this is the sequence.

 

This is what happened. So, it was literally Thanksgiving, right? Like, I took this exam the day before Thanksgiving, and the reason why I took it the day before Thanksgiving is because I figured that I was gonna be hanging out with my family on Thanksgiving, and my mom's like, no, I gotta work on Thanksgiving, and so we're gonna have Thanksgiving the day before.

 

We're like, mom, I can't do it the day before. Like, I have an exam that day. So, we did Thanksgiving dinner with the family two days before.

 

So, I was with my family, and I stayed up till like one in the morning over just hanging out with my family, and I'm like, dude, I got an exam at seven o'clock in the morning. I'm not getting no sleep. So, anyways, I go to bed.

 

I only get like four or five hours of sleep, wake up, do the check-in process, and I'm not even kidding. I think I spent 40 minutes just like doing my initial recon on the exam, and I'm like, dude, screw this. I'm going back to bed.

 

So, I went back to bed about, like I said, it's sort of like seven in the morning. I went, I crawled back into bed like 7:40, 7:45. I didn't wake up until like noon.

 

I took a really, and it was like, that was the best nap I've ever had in my life. The best nap I've ever had in my life. I just woke up, and I just went back to the exam, and everything was solved.

 

Like, I figured it all out. Like, I passed the exam a few hours after that. I'm like, dude, I was enlightened in that nap.

 

[Zach Winchester]

Yeah, like during my OSCP, I failed it twice and passed on the third try, but I did something different on the third one, and that was whenever I would actually say, okay, I need to take a break. You know, stand up. I'd go outside.

 

I'd go for a walk, which I had done before, but in the first two attempts, I would just walk around and think about it, and that was not getting my mind off of it. So, I would call my friends up and be like, hey man, let's talk about anything other than what I'm doing, and actually just talking with them about their life and stuff, and coming back to it, clarity.

 

[Kyser Clark]

Yeah, that's good you mentioned that, because yeah, when you clear your mind, you come back, and you're able to solve the problem that's in front of you. That's taking breaks like during the day. You know, people have been consuming my content, especially people who read my newsletter, and people who read my newsletter, shout out to you guys.

 

You guys are real MVPs. You know, I'm a big fan of working a lot, you know, putting in extra hours, putting in the time, but at the same time, it's like if your brain ain't working, you got to give yourself a break. You know, I'm not a machine.

 

You know, like I do like to work a lot of hours, and I did for my OSCP exam, I did put 17 hours in, and I only took a break for like two of those hours. So, I was like spent 15 hours on the computer, because that's what it took for me to get that passed, but you know, day to day, like if I'm not feeling it, dude, I'll go take a nap. I'm like, you know, that's if I like sometimes I'll just catch myself.

 

I literally just I'll fall asleep watching the video. Before we started recording, we were talking with OSCP how it puts me to sleep, like it will put me to sleep, and I'm like, all right, got time to take get a step away from the computer. Let's go take a quick nap, and we'll tackle it again later, and then sometimes like, you know, we'll just we'll hit harder tomorrow, you know.

 

[Zach Winchester]

For sure. Yeah, it's we're only human.

 

[Kyser Clark]

All right, well, this has been a great discussion so far, Zach, but we need to wrap it up. So, let's go ahead and do the final question, which is, do you have any additional cybersecurity hot takes or hidden wisdom you would like to share with the audience?

 

[Zach Winchester]

There's always a way, whether it's to get into cybersecurity, or if you're already in cybersecurity, or you're doing pen testing, and you're trying to, you know, compromise an organization, whether it be assumed breach or external, there's always a way. There is always a way. No, that's just it.

 

Some people think that, look, they're super secure, and nobody can ever get in. Sorry, there's a way. It's just, it's not that there isn't a way, it's just maybe nobody's found that way yet.

 

[Kyser Clark]

Yeah, and or they haven't spent enough time on it, you know, that's another thing to do. That's great, great advice, and words to live by, for sure, because like you said, there is always a way. And even if you are secure today, it doesn't mean you're going to be secure tomorrow, because there's new exploits, and methods, and attack vectors coming out every single day.

 

[Zach Winchester]

Every day.

 

[Kyser Clark]

That's why it's important to stay vigilant if you are in this world of cybersecurity, especially if you're a defender, securing your assets in your network, or even in your personal life, like your personal assets, your home security, and stuff.

 

[Zach Winchester]

Mm-hmm, I agree.

 

[Kyser Clark]

All right, Zach, well, thank you so much for taking your time and being here with me today. Where can the audience get ahold of you if they want to catch up with you?

 

[Zach Winchester]

Let's go with LinkedIn, probably. Yeah, linkedin.com slash IN slash Zachary dash Winchester.

 

[Kyser Clark]

Okay, audience, LinkedIn is also a great place to get in touch with me. Also, check out my website, KyserClark.com. Audience, thank you so much for watching and listening.

 

Thanks for hanging out. If you got value out of this episode, do me a favor and share the show with your friends. Leave a five-star rating if you're on audio, and like the video, and subscribe if you're on YouTube.

 

And I'll see you in the next episode. Until then, this is Kyser, signing off.
