The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#59 Q&A: You Can’t Choose Wrong in Cybersecurity
In this Q&A episode of The Hacker’s Cache, Kyser Clark tackles some of the biggest questions aspiring and active cybersecurity professionals ask. From whether you should stack network pentesting certs like CPTS, OSCP, and PNPT or mix in web certifications like OSWA and CBBH, to why you really can’t choose wrong in cybersecurity as long as you keep learning and taking action. Kyser also shares practical advice on breaking into cloud pentesting, the value (and cost) of certifications like Cloud+, CCSP, and GCPN, and affordable alternatives worth exploring. Other questions covered include whether he plans to launch courses, how he handles fake influencers in the industry, and the real difference between an ethical hacker and a penetration tester. If you’re looking for clarity on certs, career paths, and where to focus your energy in cybersecurity, this episode breaks it all down.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
Opinions are my own and may not represent the positions of my employer.
Should I focus more on, like, the network pen testing with the CPTS, OSCP, and PNPT and get all three of those? Or should I just get one of those and then get a web pen testing certification like CBBH or OSWA or something like that? And you can do either one. Honestly, it does not matter. You can go wherever your heart desires, as long as you're doing something.
That's the main thing. As long as you're doing something, you can't really pick incorrectly. And if you go down a route and you get done with that route, and you're like, man, I didn't really like that.
It's okay. Like you still learn something and it's going to apply in other areas of cybersecurity 1000%. And you can pivot.
That's the great thing about cybersecurity. Welcome to The Hacker's Cache, the show that decrypts the secrets of cybersecurity one byte at a time. I'm your host, Kyser Clark.
In this episode, we have a Q&A episode, and I'm just going to go ahead and get right into it and start with the questions. If you want to know how to ask questions, the way to do it is just drop a YouTube comment on any video or go to my Discord server and go to the podcast question section and drop your questions there. So question number one, currently working on finishing the CPTS from Hack the Box.
Right now I'm thinking I'd like to specialize in web application and cloud pen testing in the future. I think there is a pretty clear path for learning web app stuff with Hack the Box, PortSwigger and other resources, but it seems like the learning path for cloud is a bit less defined, at least from my perspective. I believe you said you mostly do network slash web app, but would you have any resource recommendations for getting into cloud pen testing? And this is a good question because you're right.
It isn't just your perspective. It's everybody's perspective. The learning path for cloud, at least cloud pen testing, is less defined.
There isn't a whole lot of certifications. There's not a whole lot of learning paths out there for cloud pen testing. And you're also right when you said that I do mostly network and web app pen testing.
Now, I do network pen tests that are hosted in the cloud. And from my perspective, it looks like a regular network. It isn't.
I'm not doing a cloud pen test per se. I'm doing an internal pen test that happens to exist in a cloud environment. And from my perspective, as an internal pen tester, I can't tell the difference once I SSH into my attack box that's on in the internal network.
I can't tell if it's in a cloud or if it's on prem or whatever. It all looks the same to me from an internal network perspective. And I'm not really doing cloud pen testing.
But with cloud pen testing, yeah, I'm not too well versed in it myself. And it is an area of weakness that I'd like to address in my future as well. So, like I said, the path is less defined.
There's not a whole lot of certifications. I like certifications. And that's usually how I learn my my stuff.
I would say the first step, if you're not already, is to become a pen tester, either in web app or network. Network would be more beneficial because cloud pen testing is more related to network pen testing, because cloud is just someone else's computer at the end of the day. So I would say it would be more akin to network pen testing. So I would get something like the CPTS or the TCM Security PNPT.
You get one of those certifications, learn the, get an intermediate understanding of the fundamentals and, you know, land your first pen testing job if you haven't already. And then I would start learning the basics of cloud separately, not cloud pen testing. I'm just talking about the cloud in general.
I have the CompTIA Cloud+, and I thought it was a very good certification. It's not easy. It is a very in-depth certification.
And honestly, I thought I was going to fail it when I was taking the exam, and I ended up passing it. But it was a challenging exam. And there's a lot of content in the CompTIA Cloud+.
Now don't confuse that with the CompTIA Cloud Essentials+. Cloud Essentials+ is an easier, more watered-down version of the Cloud+. It's more for non-technical people, maybe a little bit technical, but people who don't really want to go that deep in the cloud. And even Cloud+ isn't that deep, but it's much deeper than Cloud Essentials+.
So I would recommend skipping Cloud Essentials+ and going straight to Cloud+. If you want to go that route, there's also the ISC2 CCSP, that's the Certified Cloud Security Professional. And that is a vendor-neutral certification, just like the Cloud+, that's going to teach you the fundamentals of securing the cloud.
And I think knowing the fundamentals of securing the cloud is going to help you when it comes to pen testing the cloud, because you're trying to exploit the security of that cloud network. But when it comes to cloud pen testing resources specifically, I think the only certification that I would even really consider at this point would be the GIAC Cloud Penetration Tester.
And that's the GCPN. GIAC and SANS certs are like $10,000. So that's a very, very hefty price.
So definitely don't pay that. If you, if you're the one forking out the bill, like I would try to get an employer to pay for it. If you can, if you, if there's an actual need for pen testing, cloud pen testing skills, then having your employer pay for that is beneficial and they should be able to, they should want to fund that education for you.
But if you're funding it yourself, I used to recommend the Attacking and Defending AWS course on TryHackMe, because they have a specific learning path called Attacking and Defending AWS on TryHackMe, but it's a paid add-on. And I used to be like, yeah, I don't know what this costs, but it might be worth it because TryHackMe is pretty affordable. So I didn't really know.
I just assumed it was affordable. Right. Because it's a paid add-on on top of the base subscription: you pay your base subscription plus the paid add-on.
And then before the show, I was like, Oh, I'm just curious. Like, let me look at that and see how much it is. And it's like $445, which is a very steep price.
It's, I mean, it's definitely cheaper than the SANS route, but you don't get a certification with that. So there's that option. I don't think that's the best option.
I think right now your best option is Tyler Ransby, who is an awesome dude. By the way, I met him at DEF CON for the first time and he was on the podcast as well. Episode 36.
He has a course called Introduction to AWS Pentesting and it's like 35 bucks. So I think that's your best starting point. Honestly, I would pay the 35 bucks, take that course.
And he's not, he's not endorsing me. He didn't tell me to say that or anything. It's just the fact of the matter is that's the best bang for your buck.
I haven't done the course yet, but when I want to get into cloud pentesting, that's going to be my first option. And then maybe even get my employer to pay for the GCPN later down the road. I also want to get the CCSP from ISC2, but like I said, that's more of a cloud security general foundation.
And when I say general foundation, I'm not expecting an easy certification there either. ISC2 certs are extremely difficult. Some people say it's even just as hard, if not harder, than the CISSP.
And CISSP is a brain melt, dude. So any certification is challenging. Let's just put it that way.
But yeah, I would, that's what I would do. So learn pentesting as a base if you don't already have it, and then learn the base fundamentals of cloud if you don't already have it. And then once you have a base foundation of pentesting and a base foundation of cloud, you can marry those together, take Tyler Ransby's introduction to the AWS course for 35 bucks.
So that's what I would do. And then after you do that, you know, the world is your oyster. I would say at that point, you'd have to look for some of the resources.
Like I said, the Attacking and Defending AWS course on TryHackMe, $445. And then there's the GIAC Cloud Penetration Tester cert. Moving on to question number two: do you have courses? And no, I don't.
And there's a reason for it because I don't think that I'm ready to be a course creator just yet. I'm still fine tuning my editing. I'm still fine tuning the way I speak.
So I'm getting better as a content creator over time. And I want to get more experience under my belt before I start creating courses. But courses are something that I've heavily thought about.
And if you guys want that, definitely leave a comment and let me know what you think about courses. Would you purchase a course from me? And if there's demand there, then I'll absolutely do it. Another reason why I've been thinking about it is because YouTube keeps taking down my technical content.
They've taken down several videos of mine. I'm currently on a strike as we speak. At the time this episode is being released, my channel is on a strike.
So if I make one technical video that's quote unquote harmful or dangerous, that's what they say it is. I mean, when I made that Wi-Fi hacking video, they took it down and gave me a strike. If I get another strike, they ban me for two weeks.
If I get three strikes, my channel gets deleted. So I have to be careful with the technical content. And when I said that I'm going to start looking for other avenues to make technical content, and that's what I was considering was courses.
So yeah, if you guys want to see something like the real deal courses that YouTube won't let me put on YouTube, then that's definitely an option. One thing that's been, another thing I've been waiting on is I've been wanting to grow the newsletter more. So I told myself once I reach 500 subscribers on my newsletter, I would start to develop a course.
Right now I'm like, last time I checked it was like 323, but it's been like a week since I checked. So it might be like 330 now by now. So, you know, I need like 170 more people to subscribe to the newsletter to hit 500.
And once I hit 500 subscribers on my newsletter, I will seriously consider developing courses. Because in my opinion, the super fans, you guys, I would say the people who subscribe to my newsletters are the ones that would be interested in my courses. And I have to have a fair amount of people to be in the newsletter before I would even consider courses.
So if you want courses, subscribe to the newsletter, help me get those numbers up. And like I said, once I hit 500, I'll probably start developing a course. And let me know what kind of course, if you're interested in courses, let me know what you want to learn.
Because there's all kinds of topics out there for courses that I could do. Because, you know, I do web apps. I do web app pen testing.
I do network pen testing. I do Wi-Fi pen testing. Those are my three main things.
I started getting the IoT, but honestly, I'm not really liking IoT that much. I don't feel strong enough to teach a class on it yet. But Wi-Fi testing, network testing, and web app testing is definitely my jam.
And yeah, like I said, if you want to see courses, let me know what you would like to see in those courses and subscribe to my newsletter if you haven't already to also show your interest in courses. And if you're not familiar with my newsletter, the way my newsletter works is called the Cyber Mindset Digest. And every week, at least I try to do every week, some weeks I do miss a week.
I will admit, I'm not a machine after all. And life gets in the way sometimes. And I feel bad for missing some weeks here and there.
But I do post pretty consistently on the newsletter. And I'm going to be writing one right after this recording, actually, and dropping it. I drop them on Mondays typically, but it can happen anytime during the week.
I try to release them every week. But the Cyber Mindset Digest is really just like motivational stuff, mindset, shift, mentality. It's really the unfiltered version of me.
And it's really where I put my ideas out before I put them on the podcast, before I put them out in my blog, before I put them on my YouTube channel, before I make a LinkedIn post. If you guys follow me on LinkedIn, those carousel posts that I do, those are all summaries of my newsletters. And these newsletters have been around for a while.
And like I said, they are just kind of like early bird insight into my brain. And then I will develop this idea, write about it. And then I will rope that into my future content.
So if you want what's on my mind at that very moment, the newsletter is the place to be. So don't miss out. And if you want to subscribe, go to my website, KyserClark.com/Newsletter.
Next question. So this question was dropped on my last solo episode. And the name of that episode was, Do Cybersecurity Certifications Really Get You Hired in 2025? And the thumbnail for that says certs equal job offers, question mark.
That's episode number 56. And the question is, are you suggesting stacking like CPTS slash OSCP slash PNPT if looking for a pen test role, or more stacking a pen test cert like OSCP then covering other certs like a cloud AWS cert thing, bug bounty cert like CBBH, et cetera, so you are more well-rounded?
This is a good question because, yeah, I can see where this one came from, because I do say stack certs, get as many certs as you can. And with your question, you're asking, you know, should I focus more on, like, the network pen testing with the CPTS, OSCP and PNPT and get all three of those, or should I just get one of those and then, you know, get a web pen testing certification like CBBH or OSWA or something like that. And you can do either one.
Honestly, it does not matter. I did say that in that video in that last episode. And you can go wherever your heart desires, as long as you're doing something, that's the main thing.
As long as you're doing something, you can't really pick incorrectly. And if you go down a route and you get done with that route and you're like, man, I didn't really like that. It's okay.
Like you still learn something and it's going to apply in other areas of cybersecurity 1000% and you can pivot. That's the great thing about cybersecurity. Like if you learn something and you realize you're not really liking it, like for example, I started going to IOT pen testing.
I realized it's not really my jam and I'm kind of slowing the brakes down on it because I'm like, I'm not really having fun with this. I have more fun with web apps and networks and that's okay. But did I waste time learning IOT testing? No, absolutely not.
There's plenty of valuable information I learned during that journey and I can use that in the other disciplines of cybersecurity. And even though I thought I might want to do IOT pen tests or at least specialize in that area or make it one of my specializations, now I'm realizing like it's not really my jam and that's okay. That's going to happen.
You should not feel bad about that, even if you spent money on training. But back to your question, so should you be well-rounded or should you specialize? That's kind of what you're asking. And we cover that on this show, The Hacker's Cache, quite often, and everyone's got a different opinion.
And my opinion is be a generalist until you have to be a specialist or until you want to be a specialist. Once you find something you love, double down, triple down, quadruple down on the thing you love. But until you find something you love, then it's okay to be a generalist.
And I actually replied to this YouTube comment already and I said something along the lines of this, you can do either or, or you can do both. And I am sticking with both. For me personally, I'm doing both.
I have the OSCP, I have the OSWA, that's the OffSec Web Assessor, it's a cousin of the OSCP, but in web app form. I have the TCM Security PWPA, it's a professional web pen testing associate, PWPA. And so I have a handful, I have two web app pen testing certs, and I have one network.
I'm working on my second network, I'm working on PNPT now. So as you can see, I'm focused on being a generalist, I'm all around it. And when I say generalist, I mean like web networks.
I'm not really worried about mobile right now. I've dabbled in IoT testing, and I have a very good grasp on Wi-Fi testing, because Wi-Fi testing really isn't that complicated. You can get OSWP in a week if you really focus on it.
So my answer is, it doesn't matter, do what you want. And it's okay to do both. And it's okay to pick one or the other when it comes to choosing between being a well-rounded or being a specialist.
Next question, question number four. Came from the same episode by the way. And just to give you some context, I was talking about fake influencers.
And someone asked, who are those influencers, if I mind asking? It's just that I'm following everyone in the field. Thank you so much. And I did reply to this comment as well.
I replied to all my comments by the way. And I said something along the lines of, I don't want to start drama. I don't like to tarnish people's reputation for two reasons.
One, that's just not who I am. And two, I don't like to be involved in drama. I just don't.
I just refuse to engage in it. And then three, another reason is I don't know these people, man. I see people who I would consider fake influencers, but I don't know them.
So I can't assume what their background is. I don't know what they know. It might look like they're a fake influencer on the surface, but they might not be.
I could be wrong. So that's why I'm not really highlighting specific influencers. But there's been enough talking about the field about fake influencers.
And when people talk about it, they don't really mention names either, which is the way it should be. This community's professional and this community, the InfoSec community is wholesome. And I would say, I mean, don't get me wrong.
There's people that like to talk crap about other people, but that's not who I am. And that's not the behavior I'm going to engage in. So my recommendation is here, look at someone you're following and look at them carefully.
Look at their work history, pay attention to their work history a lot, because that'll tell you a lot. And then just listen to their content and then form your own conclusion. And that's what you need to do to survive in this field when it comes to what search you get, what people you follow, what people you connect with and all this stuff.
And it's okay if you start following someone and you start liking their content. And then later on the road, you're like, oh, wow, maybe this isn't the right person that I should be following. That's okay, too.
So, yeah, that's what I would recommend. I'm not going to say specific names because, one, like I said, I don't like drama and two, I don't know these people and I cannot talk crap about someone that I do not know. And we'll leave it at that.
Moving on to the next question. Question number five, the final question. What is the difference between an ethical hacker and pen tester? So I would imagine most people listening and watching probably knows the answer to this question, but if you're new, this one's for you.
So what's the difference between an ethical hacker and a pen tester? So in my own words, I would say all pen testers are ethical hackers, assuming they're not doing black hat stuff at nighttime in their off time. But not all ethical hackers are pen testers. What do I mean? So there's different flavors, different types of ethical hackers.
There's pen testers, there's bug bounty hunters, there's social engineers, there's security researchers, and there's other ones. There's even like 20 different types of pen testing out there, too. And they're all different roles.
They're all different, unique roles. Like a bug bounty hunter and a pen tester, two different roles, two completely different roles. There's some similarity in the way they accomplish their mission, but different nuances there.
And a bug bounty hunter is a type of ethical hacker. Social engineer is a type of ethical hacker. But a social engineer and a pen tester, completely different.
Social engineers are hacking people, whereas pen testing, we're hacking technology. Security researchers, same thing. I would consider a security researcher a form of an ethical hacker, but not quite a pen tester, not a bug bounty hunter, not a social engineer.
So all of those roles I just mentioned are types of ethical hackers. So once again, I would say all pen testers are ethical hackers, but not all ethical hackers are pen testers. They could be a bug bounty hunter, they could be a social engineer, they could be security researcher, like I said.
And that is the last question. This has been a quick episode, and that's all I have to say. So if you guys have more questions, definitely drop a comment on this episode or any of my YouTube videos.
I pull these questions from all the videos, and if they're good, I will feature them on the show. And if you want a more guaranteed way to get your question on the show, then go to the Discord server, link in the description, and drop a post in the Hacker's Cache questions section. There's a dedicated section for that.
I check that right before I record a Q&A episode, and if there's questions there, I pull those out. And that's where the first question came from, actually. So thanks for asking that question.
It was a really good question, too. Yeah, so I would say if you post it to Discord, you're going to compete with less people, and you're more likely to get your question on the show. YouTube comments, it's just whatever I think is the best out of my recent videos.
All right, guys. Thank you so much for watching. Thanks for listening.
Hit the subscribe button if you're on YouTube. If you're on audio, give me a five-star review if you think the show deserves it. And share the show with your friends.
It would help the show tremendously if you shared this with like-minded friends who are also looking to either break into security or level up their existing cybersecurity career. And if I met you at DEF CON recently, it was a pleasure meeting you. It was a great time.
The community is so great. And yeah, I can't wait to see everyone at the next conference. So this is Kyser signing off.
Thanks for watching. Thanks for listening.