The Hacker's Cache

#47 Q&A: Feel Lost Watching Hacking Videos? Listen to This

Kyser Clark - Cybersecurity Episode 48

Feeling overwhelmed watching hacking videos and not understanding what’s going on? You’re not alone, and you’re not behind. In this episode of The Hacker’s Cache, I answer real questions from the community about certifications, career paths, and that all-too-familiar feeling of being lost. I share my own experience struggling with concepts early on, why I prefer the baby-step approach, and how you can build real skills (not just collect certs) to break into cybersecurity. Whether you're stuck on your first box or wondering if certs like Security+ and Network+ are worth it, this episode is for you.

Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

And I'm just gonna harp on it one more time: it's okay to have that feeling when you see my live streams or my technical videos and you just don't know what's going on. That's perfectly normal. That's perfectly okay.

I would say most of us feel that way before we even get started. But like I said, take that thought, throw it in the trash, and just take one small step at a time, and you will make it, as long as you work at it every day.

Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one bite at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

Today we have another Q&A episode where I take what I would consider the most interesting, best questions from the YouTube comments and answer them in depth here on The Hacker's Cache podcast. So if you have questions, drop them in the comments and I may feature them on the show. With that being said, guys, I'm going to cut out all the fluff and we're just going to go straight into it.

Question number one: "I was wondering, are CompTIA Security+ and CompTIA Network+ mandatory, even if you were to get, for example, CompTIA PenTest+ or Certified Ethical Hacker? Do you still need to have the first two?" And you put in parentheses, "No previous IT background here, just learning everything from scratch."

Okay. So I can understand why this question is being asked; I see where it's coming from. Because if you guys watch my roadmap videos, I say, hey, you know, get this cert, get this cert, get this cert, in this order, right? That's what I recommend. Now, why do I recommend it in that order? Because in my opinion there's a certain sequence of events that you need to go through to build up the skills to get to the higher-level certifications. But those lower-level certifications, none of them are mandatory. Heck, even the upper-level certifications are not mandatory.

There's no mandatory certification in cybersecurity, right? I just tell you to get those certifications because, for example, it's easier for me to say "hey, go get the CompTIA Security+" rather than listing out what the CompTIA Security+ consists of, right? It would take me literally an hour just to tell you: hey, you need to learn what man-in-the-middle attacks are, you need to learn what firewalls do, you need to learn what dumpster diving is, you need to know what a mantrap is, you need to know what UDP is, what TCP is, you need to know what port 22 is and all the ports and protocols, every number. Instead of me telling you all this stuff, it's just easier for me to say go get CompTIA Security+, because the CompTIA Security+ is going to give you all the fundamentals you're going to need, right? Like I said, I'm not going to spell out every single thing that you need to know, because there's a lot that goes into the CompTIA Security+. By the way, when I say security basics, people might think, oh, it's just the basics. There's a lot that goes into it, right? I mean, yes, it's the basics, and it gets way more advanced, but even the basics are hard. Cybersecurity is hard. There's a reason why there are so many cyber breaches: because this stuff is hard.

There's a reason why employers expect you to have experience and all these skills, all these certifications: because it's not easy. Okay, and that's what I try to stress. So back to what I'm saying: no certifications are mandatory, and when I recommend a path, it's just because I think it makes sense to learn things in that order, right? Learn networking, the fundamentals. Learn security basics.

That's why I recommend Security+. Go learn Python, go learn Linux, right, and I would recommend maybe CompTIA Linux+ or another certification. It's just easier for me to say go get that certification, because those certifications have 100, maybe even more, different skills and different topics in them, right? You go pick up a Security+ book, you go pick up a Network+ book, and there are probably dozens if not hundreds of bullet points for what is expected of you to know to pass that exam. So that's why I recommend those foundational certifications: because you need those skills. You don't need the certification; you need the skills. And in my opinion it's easier to follow that cert path, because if you take a CompTIA Security+ training course, for example, it's going to have everything you need already there. You don't need to Google "hey, what's a mantrap?" and then spend so much time trying to figure out what a mantrap is, and then the next Google search is, oh, what's dumpster diving, you know, instead of Googling each and every single bullet point.

You can just watch a training course or read a book that already has the information. Therefore you don't have to go searching for it. That's the power of certification: you don't have to search for the information. All you do is go buy the study guide, go get a video course, do some practice questions, and you'll get the information that you need. And people say, oh, yeah, you can get all the information for free online.

You can get all the information free on YouTube. Yeah, that's true, but the amount of time you're going to spend researching what topics you even need to know is a lot, and then you need to figure out how you learn it, right? You've got to find a good video on that topic, and finding good videos on these topics is not exactly easy, and that's why I recommend professional training that you actually pay for. So I'm kind of getting off topic, but I think a lot of people mistake, when I say go get certifications, that you need to have these, and that's not the case. It's the skills.

It's the skills, and me, I learned the skills through certifications. That's why I like certifications. Some people don't like certifications; they learn the skills because they'll go out and they like to do their own research.

I personally don't. Like I said, I'd rather go watch the CBT Nuggets course. I'd rather read the certification study guide. It's gonna have everything there for me; I do not have to go search for the information. And I'm susceptible to distractions when I'm on YouTube, right? There's a lot of content on YouTube that's not cybersecurity related, and my feed has tons of distracting videos, right? I have other hobbies.

I like to play video games, for example. Video game videos pop up. I get on YouTube nowadays, I see Elder Scrolls Oblivion Remastered videos, and they're like, hey, it's the Mages Guild versus the Fighters Guild, and I'll sit there and watch a half-hour video and waste a half hour of my time because I just happened to be on YouTube. And I spend a lot of time on YouTube because, well, I make YouTube videos, so I can't just get rid of YouTube completely. But I try to stay away from those videos, and before I was making content I didn't really use YouTube to learn this stuff, and that's why I recommend certifications.

I can't stress that enough. It's my cup of tea; it's not everyone's cup of tea. But to get to your underlying question, I know I'm really diving deep in here and I'm kind of beating around the bush. The question asks, do you have to get those certifications if you go out for the high-level certifications? And the answer is no. Right, like I said, they're not mandatory, and you can definitely skip certifications, and if you can, then go for it.

Me, I don't like to skip certifications. I'm the kind of person that likes to take baby steps. I like to learn a little bit and then take one more step. Take one more step.

Take one more step. Baby steps; I call it the baby-step approach. This is why I have a lot of certifications, because there's a lot of overlap between each certification. For example, Network+ and Security+ both have a lot of overlap, right? You're gonna learn TCP and UDP in Network+, you're gonna learn TCP and UDP in Security+, and a lot of it is review when you go get as many certifications as I do. But that's what I like to do. I like to go through the concepts multiple times, and that's why I know them so well, and that's why I harp on doing the fundamentals multiple times over, because I know them better than the back of my hand, honestly. But if, for example, you want to get PenTest+ and you can go straight to PenTest+, go for it.

Right, PenTest+ is higher than Security+. You don't have to do the path that other people and I recommend. If you can skip the certification, you can do it. It's going to be difficult; it's going to be more difficult, and there are going to be things that you miss, right? There are going to be things in the PenTest+... yes.

It's a high-level certification, but there are things in the Security+ that are just not going to be in PenTest+. Furthermore, I would say most of the PenTest+ is going to assume that you know that Security+ knowledge, right? Here's another thing, here's another example: I got Security+ first.

That was my first certification, and it was hard for me because I didn't have the networking fundamentals down, right? I'm watching the videos and the instructor has an IP address and he's doing slash 24. I'm like, why does he always do a slash 24 at the end of an IP address? I don't understand what that means. I had no idea. I ended up passing Security+ not knowing what a subnet mask was.

No idea. I passed Security+ not knowing the difference between a switch and a router. I'm not even kidding. So that Network+, yeah, Security+ is a higher level than Network+, and some people assume, oh yeah, just because you have Security+ you have the Network+ knowledge. That's not the case. So that's why I recommend as many certifications as I do. And a lot of people, they don't like certifications, like I said, and if you want to skip certifications, go for it. If you don't even want any certification, go for it. The main thing here is you just want to learn the skills. I like to learn the skills through certifications, and that's what I recommend.

I'm basically telling you what has worked for me, and that's all I can do, right? I'm not going to sit there and tell you all the things that might work. I know that certifications work for me. They might not work for you, right? I might not be the content creator for you, right? The way I explain things, the way I recommend things, it's going to be different than other people. Everybody's got a different path, right? And you don't have to take my word as gospel. As a matter of fact, you shouldn't. You need to build your own path; that's going to be more rewarding.

And if you're doing exactly what everybody else is doing, then you're not going to stick out. So I think, in my opinion, it's essential to kind of veer off these roadmaps and build your own path.

All right, moving on to the next question: "Can I get a pen testing job without experience but with a college degree plus the certs you recommend?" So this kind of builds off the last question, because it's talking about certifications. We've got the certifications already out of the way, so we don't really need to talk about certifications for this question. For the college degree, it helps. I have an entire video on whether it's worth it, and if you don't want to spend the 13 minutes on that video, the moral of that video is: if you can afford college, do it; if you've got to go into debt or you can't afford it comfortably, then don't do it. But can you get a pen tester job without experience but with a college degree and the certs? The answer is yes. Yes, you can, but, and this is a big but, it's unlikely, and it's going to be very challenging and very difficult, and it's going to take a long time. And in the time you spent trying to take that path without having experience but with a college degree and the certs, you could have gone and gotten experience. Okay, so this is why I recommend: you get out of college, you've got a college degree, you've got your certs, and by all means go for it, start applying for pen testing jobs. I don't have a problem with that. But while you're applying for pen testing jobs, I would recommend applying for general IT jobs or maybe even, quote unquote, entry-level cybersecurity jobs.

There's not really entry-level cybersecurity jobs. It's kind of a hot take, but I stand by that. I think you should, and most employers want you to, have some IT experience before you can get your first cybersecurity job, and that's just the facts. That's what most employers are asking for, and you can sit around and cry about it, or you could do something about it, and I would recommend doing something about it. Go get the IT experience. Go get the help desk job. Go get the sysadmin job. That's where I started.

I started as a sysadmin, then I moved to the help desk. Actually, it seems almost like a step backwards. And then I went from the help desk back to a sysadmin role, to cyber defense operations and network operations, got out of the military, and then a full-time pen testing job. And that was vital. I would not be the pen tester I am today if I didn't have all that experience: six years of cyber defense operations experience from the military. And like I said, I say cyber defense operations, but it's basically IT work with security baked in, right? It was like IT work, but you've got to take security seriously as well. Like I said, I was a sysadmin, I worked on the help desk.

I did network operations. So go get the experience. Okay? Yeah, when you get out of college and you get your certs, apply for those entry-level IT jobs. There's no shame in that, and it's going to set you up for success. When I was getting out of the military, even with six years of IT experience and 12 certifications and a college degree, I was still getting rejected when I applied for pen testing jobs. So I've had employers tell me to my face, "You don't have enough experience to work for our company." And I appreciate that, by the way. Hiring managers and recruiters, if you're watching this, I really do appreciate when you can just straight up say, hey, you don't have enough years of experience to work here, to my face, rather than having the hiring manager or recruiter say, oh, we'll consider you, and then ghost you, or send you an email saying, you know, we selected other candidates or whatever. When you tell me to my face, oh yeah, you don't have enough years of experience, okay, I understand.

And I actually prefer that kind of rejection over the ones that seem like they're friendly, you know, but I'm a blunt kind of person. Yeah, I had it said to my face: you don't have enough years of experience. You need to have two years of experience as a pen tester to work here, despite having OSCP and, what, 11 other certifications, and six years of cyber defense operations experience. And that's going to happen. And a lot of people, I would say the majority of people, don't have the six years of experience I had. They don't have 12 certifications like I had when I was coming out of the military. It's going to be a struggle getting your first pen testing job without experience, very much so.

It's a struggle with experience. Let me tell you what I mean. I probably applied to, I don't know, 100 or so, maybe 150 different pen testing jobs. Granted, I only applied for remote jobs, because I want a remote job.

I know I wasn't applying for positions that were in person or hybrid. So if you're applying for in-person or hybrid jobs, your chances are significantly increased, because I would say a lot of people want those remote jobs; remote jobs are in high demand among employees. So yeah, just get your experience. It's possible. Yeah, you can do it, but it's going to be rough and it's going to be unlikely.

So just get your experience. And while you're working the help desk, keep applying for a pen testing job, right? There's nothing stopping you from working help desk for six months and then hopping to a pen tester, if that's possible. But realistically, these employers want multiple years of IT experience before you get your first cybersecurity job. Now, it's easier to break in on the blue team. If you're a blue teamer or you're an aspiring SOC analyst, there are more positions available and the barrier to entry is a lot lower. The bar is a lot lower. So that's also a path: if you get a SOC analyst position, it's easier to get than a pen testing position, and then pivot into pen testing. It would be easier, in my opinion, to go from SOC analyst to pen tester rather than help desk to pen tester, because a SOC analyst is more closely related to a pen tester than a help desk person, for example.

All right, moving on to the next question: "Bro, I feel so demotivated and stupid. I tried my first box and couldn't do it. Watched the video of IppSec doing it and it's totally crazy. How can I become so good?" This is an excellent question.

The reason why it's an excellent question is because you're not alone. You are not alone in that feeling. I felt the same exact way. I vividly remember watching a John Hammond video, and he's doing all this stuff, he's so fast at typing, and he's doing netcat -lvnp. I'm like, bro, what is it? I don't even know what this is.

I was so confused and I was mind blown. I'm like, bro, am I ever... I literally doubted myself, like, am I ever gonna be able to do this? I doubted myself for a second, and when I get that doubt, the first thing you need to do is just take that thought and throw it straight in the trash. Just get rid of it, right?

It's gonna pop in your head, but your goal is to remove it from your head as soon as it gets there. And in my opinion, it's normal to experience that self-doubt. I still experience it to this day, and that's what imposter syndrome is. We always talk about that in this field. It's very real, because there's so much information that you've got to have, that you need to know. But yeah, I was right there with you. I was like, man.

How am I gonna learn this stuff, man? I don't know how to do any of this stuff. But the thing you've got to know is, it's just one step at a time. You just learn a little bit at a time. And this is another reason why I recommend so many certifications and taking baby steps, because when you take baby steps, it's more manageable, right? Don't take quantum leaps in your training. Just learn a little bit at a time. If you learn a little bit every single day, then you will eventually get there. It's a long journey, and it can be frustrating at times, but in my opinion it's less frustrating when you take baby steps. You're like, oh, that's not that hard. Just learn a little bit here.

Take another little baby step. That's easy. All right, we're learning, we're learning. And then you'll get stuck eventually, but when you take those baby steps it's more manageable, and it builds up your confidence along the way. And that's yet another reason, going back to that first question, why I recommend so many certifications. And I understand those certifications are expensive.

So if you can't afford them, then you don't even really need to go get the certification. You can literally go get a Security+ book and just read it. Now, the Security+ does have a lot of value, but for another certification like the Network+, for example, there are plenty of people that don't have a CompTIA Network+ that are doing fine as a pen tester or SOC analyst. Just go get the Network+ book for 30 or 40, read it, and that's pretty much all you need. You don't need to go get the cert. The cert's like 360, something like that. The skill is what you need. But yeah, baby steps, baby steps, one step at a time.

You can do it, and that's what I did, and that's what I still do to this day. I feel like I should be much further ahead in my career right now. I feel like I should have an OSCE3, which, for those that have been in this field for a minute, you know those are the upper, expert-level OffSec certs, and those are hard for me. I'm still trying to figure out how to even bat in that league. To me that feels like the major leagues, and I feel like I'm in the minor leagues. Like, oh, I got my OSCP, yeah, and I've got to learn some other skills before I can really bat and know those expert-level certifications, rather than me just forcing it, because I did do this training.

I tried to go take the next step because it makes sense: I go from OSCP to OSEP. That's PEN-200 to PEN-300. I tried to do that because it seems like a logical next step, and I'll tell you what, I got my butt handed to me. And I'm like, all right.

Well, I'm a little too low level for this. Let me back up and let me go learn some other stuff. So I'm doing some other certifications, doing some other training, and I'm gonna get even more certifications just preparing for the next level, because like I said, I like the baby-step approach. I don't take quantum leaps in my learning, and I never have, and I probably never will. So that's one way to approach it, and that's what I would recommend. And I'm just gonna harp on it one more time: it's okay to have that feeling when you see my live streams or my technical videos and you just don't know what's going on. That's perfectly normal.

That's perfectly okay. I would say most of us feel that way before we even get started.

But like I said, take that thought, throw it in the trash, and just take one small step at a time, and you will make it, as long as you work at it every day. That's a key thing: take a small step every single day. Do not skip days and you will make it. I promise you, it's all learnable.

All right, for the last question here we have: "So how do you actually get into a red team?" And this is a really good question, and I am not the best one to answer this one, but I'm going to try my best. And why am I not the best one to answer this, guys? I've never been on a red team.

I've never done a red team assessment. I have some red team skills as a pentester; there's a lot of overlap between pentester and red teamer, and there is a difference between pentester and red teamer, right? For those who have watched my other content, you already know, but for those who are new to the show, the difference is, I'm just going to summarize it: a red teamer is emulating a threat actor. A pentester is just looking for vulnerabilities, not necessarily emulating a threat actor. A pentester isn't being stealthy whatsoever; they're just trying to find as many vulnerabilities as they possibly can. A red teamer, they're just trying to find one, maybe two holes in the network and break in and perform what a threat actor would do, and they're going to spend way more time exploiting obscure vulnerabilities than a pentester would, because a pentester has to cover the entire network. A red teamer does not need to cover the entire network; they just need to find a single hole in. That's the difference. A red teamer is also testing the blue team's response to a simulated cyber attack. A pentest is not a simulated cyber attack. I am not testing the blue team.

I am testing the technical controls that are in place in a network or a web application. So that's different, if you don't know. So with that out of the way, how do you actually become a red teamer? Like I said, I've never done it, but that's something I'm working towards every single day, and in my opinion the first step is to be a great pentester. You have to be a great pentester. Now, there have been people I've had on this show that went straight to red team. That is possible. You do not need to follow a path. That's what I keep saying; I can't stress that enough: when I give you a roadmap, when anybody gives you a roadmap. I covered this in my how-to-get-started-in-cybersecurity video that I just released not too long ago. I highly recommend watching it if you're brand new to cybersecurity. You have to make your own path, and every roadmap is a mere suggestion, including mine, right? Like I said, do not take my word as gospel, or anybody's word as gospel for that matter. Now, you can follow these roadmaps and you can have success, but I argue that if you're doing the same thing everyone else is, then you're not really setting yourself up for success. Also, everybody's unique. We all have different dreams, goals, aspirations for life and in our career, so your journey is going to reflect that, and it has to be unique, because if you take the same path that I took, then you might not be living the life that you want to live.

So I recommend taking your own path. But back to paths, right? Some people skip straight to red teamer from working at the post office. Some people take a path like me: they worked in IT, they went into pen testing, and then they go into red team, and that's my goal. My goal is to be a great pen tester first, because like I said, I'm the kind of guy, I like to take baby steps.

I don't like to take quantum leaps. I wouldn't even know how to go from when I worked in an oil refinery straight to red team. Some people do that kind of stuff. They go straight from some unrelated field straight to red team and they're hacking like they're Mr. Robot. I don't know how to do that, and that's why I recommend taking baby steps. Like I said, I went to IT, went to pen testing, and then trying to get into red team. And part of that path for me, I want to be a great pen tester, right? And there's still so much more I can learn as a pen tester, so much more to learn, and there's probably never going to be a time where there's not something to learn. But when I feel like I'm starting to plateau as a pen tester and I really feel like I've got all the ins and outs of being a pen tester, once I feel that, then I want to try to make a pivot into red team. That's my goal.

That's my career goal, and I normally don't share my career goals on here, but I think sharing that definitely helps you guys out, especially for this question, for the person who has this question. So like I said, I would recommend becoming a great pen tester, but that's not a formal prerequisite, right? But I think it helps a lot, and I would imagine most red team positions actually require you to be a pen tester first. Almost all, not all. But now that I think about it, it just popped into my mind: actually, when I got out of the military, I got a job offer as a red team engineer. And I also got a job offer to be a pen tester, and that's the job I'm working on right now. So I had an opportunity to work at the job I'm in right now or be a red team engineer. And why did I choose what I chose? Well, first of all, I felt the culture of my company was way better. It felt like a better fit for me in terms of culture. And then another reason is because it was remote, fully remote. The other job was hybrid and it required a security clearance, and typically when it requires a security clearance you have to show up on site, which means I would have had to move to a state that I didn't want to live in. So I didn't take that job, and it paid more too, actually. It paid more. And I'm like, I don't feel like moving, and I feel like this is the better fit for me, so that's why I chose the position I'm currently in over the red team engineer.

So I'm proof, you know, I could have easily taken the red team engineer job. I could have gone straight from military IT straight to red team. I could have skipped the pen testing part. So it is possible, and I could have done that, but for me, like I said, I want to be a good pen tester first. I didn't feel comfortable. That's another reason why: I didn't feel comfortable being a red teamer. I just didn't really know how a red teamer really worked, and I still don't, because I'm not a red teamer. I haven't been on an engagement yet, but I'm striving to make progress every single day by being a great pen tester first. So if you're gonna be a red teamer, that's what I recommend. But there are infinite paths into whatever you want in cybersecurity. If you're listening and you're like, red teamer, pen tester, I just want to be a cybersecurity engineer, the same advice applies, right? You can use all the advice that I put in this episode and you can apply it to any position.

Okay, and the roadmaps are nice to have, and they're a guide, but it's just a guide. It's not set in stone, okay? And I have a few roadmaps, and I fully intend to release those roadmaps and revisit them once a year, because the field is constantly changing, and as I learn more, I'm going to get more information to better help you guys. So those roadmaps are constantly going to change, and because they're constantly changing, it's in your best interest to make your own path. But like I said, if you follow someone's roadmap from a well-respected cybersecurity professional, then you can end up where you want to go. But there's a chance that you're not going to end up in the exact position that you want to be in. So that being said, that's all I have for you. Thank you so much for watching.

Thanks for listening. If you enjoyed this show, if you got value out of it, share the show with your friends who are trying to level up in their cybersecurity career or trying to be a better ethical hacker. If you are on audio, do me a favor: rate the show five stars. If you're on YouTube, hit the like button and hit the subscribe button. And I hope I see you in the next episode. Until then, this is Kyser signing off.
