The Hacker's Cache

#76 I Don't Know If Cybersecurity Is Worth It Anymore

Kyser Clark - Cybersecurity Season 3 Episode 77


In this Q&A episode of the Hacker's Cache Podcast, I answer one of the biggest questions in cybersecurity today: Is cybersecurity still worth getting into? I share my honest thoughts after a month of job hunting, interview rejections, burnout, and watching the industry change because of AI. We also take a behind-the-scenes look at what a real penetration testing engagement looks like from kickoff call to final report, including the parts no one talks about, and I break down exactly what penetration testers can expect to earn based on my own salary history and negotiations. If you're considering a career in cybersecurity or wondering where the industry is headed, this episode offers an unfiltered perspective you won't hear in most places.

Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

Hello, hello. Welcome to the Hacker's Cache, where I share the decrypted secrets of cybersecurity one byte at a time. I'm your host, Kyser Clark.

And today I have another Q&A episode for you, where you, the audience, drop comments and ask questions in the YouTube comments, and then I pick what I think are the best ones, and then I talk about them in depth here on the Hacker's Cache podcast. So if you want to ask a question, just drop a comment, ask a question, and if it's good, I will feature it on the next show. By the way, the bar is pretty low with good questions, guys.

I don't really get in-depth questions. So if you really want to know something, just ask it and you're going to probably get selected if it's an actual good question. So the first question is: with the emergence of AI, do you even see a point in getting involved in cybersecurity now? And man, this is a great question.

This is a fantastic question because this is something that I have been thinking about for the past few weeks. So going back two episodes ago, the one where I talked about what happened, why I took my long break and all that stuff, my second most watched podcast at this point, in that episode I was talking about how I was interviewing with like five companies and I was very close to getting a job offer. Well, turns out that I am no longer interviewing with any companies, and that job offer I thought I was going to get, they pretty much ghosted me, which is absolutely insane because I did a very, very good video interview and then I did a very, very good in-person interview.

Like I went in person and met these people in person and just crickets, man. Crickets. I emailed them a follow-up and I had nothing.

They didn't even reject me. They didn't even give me anything. So I don't know what's going on there.

I'm probably not going to get the job because it's been multiple weeks since I interviewed and I was supposed to hear back by the end of the week, and every week I keep hitting them up and nothing. Crickets, crickets. So the job market, I keep saying the last two episodes, I keep saying how it's bad, you guys, and it really is bad.

It really is bad. You got people like me. I still get rejected, which is to me, mind boggling.

Like, I don't know, this might be my ego talking, but to me, it just, it doesn't make any sense. I have eight years of real world. Well, technically seven and a half years of real world experience.

I took a half year off. So nine years of real world production experience in real networks and real applications. Six of that is cyber defense operations.

And two of that is pen testing. Now there is an overlap between my cyber defense and pen testing, 'cause I had an internship while I was transitioning out of the military.

So just under two years of pen testing experience, real, real world pen testing experience. I can't stress that enough, real world. 19 certifications, two degrees, bachelor's and a master's.

And I'm currently working on my MBA and I have read dozens of hacking books and cybersecurity books. I have listened to hundreds of podcasts. I have produced dozens of podcasts myself.

I've produced hundreds of videos, walkthroughs. I have done 125 TryHackMe, sorry, Hack The Box machines. And I've done over 220,

I'm probably at like 230 TryHackMe rooms now. And I've done the Burp Suite Web Security Academy. And I've, I mean, I've literally done everything.

Like I, I genuinely don't know what more I could do. The only thing that I haven't done that I could do that would maybe make my resume look better would be like, go get a CVE. I don't have any CVEs right now.

Maybe do a conference talk. That's another thing I haven't done. But for the most part, man, I'm checking off all the boxes that these employers are asking for, but I still get rejected and I'm like, how am I getting rejected? Like, who's, who's beating me out? So it's just, to me, it's crazy.

So here's what I think's happening. So I am applying to a lot of non-pen-testing roles. As you guys know, the Hacker's Cache was made with offensive security in mind, because that's what I was geared towards in my career.

But now, ever since I left my last pen testing role, I've been applying to more defensive cyber positions and I don't have as much defensive cyber experience. Now I do have six years of cyber defense operations experience in the U.S. military. However, that was more IT system administration and it was barely cybersecurity, barely cybersecurity.

So I don't really have real world, like, cybersecurity engineer experience. I don't have real world SOC handling experience. And because of that, these employers can kind of just reject me.

I'm like, oh, this guy has never done blue teaming, and they just auto-reject me. But even on pen testing jobs, I apply for these pen testing jobs. They want five years experience.

It was like, they see two years experience. This guy doesn't have five years experience, reject. And it's like, it's crazy to me.

It's very annoying too, to be honest with you. And that's why I've been thinking about, is it even worth getting into this type of security? Because I look at people who are listening to this and watching this podcast, and you might be watching, there's a lot of you watching and listening right now who have one, two certifications and no experience. And if that's you, like that, you, you're going to get rejected every time.

You won't even get an interview because the competition is that steep somehow. I don't, I don't know how, why it is, but that's just how it is. The competition is that steep and it's really annoying.

So that begs the question, is it worth getting into? And honestly, at this point in my career, I'm, I am struggling with the fact of, is this career path even worth it? Because it's very annoying and it's very disheartening. I think that's the word I'm looking for, seeing those rejection emails coming in, flooding in my inbox. And like I said, I have gotten some interviews, but all five companies I interviewed with have rejected me.

I do have an interview tomorrow, but it's for a role, so it's for a cyber threat intelligence role, and I've, I've never done cyber threat intelligence. So I'm not, my hopes aren't high because it's for like a senior level cyber threat intelligence and I've never even done regular cyber threat intelligence.

So I can easily see myself getting rejected here. I'm going to try my best. I'm going to study up on cyber threat intelligence, but I don't have any real experience with cyber threat intelligence, but I just applied anyways, because you never know.

It might be something I like. That's what, that's another thing. I'm struggling to figure out what I want to do in, in cybersecurity.

I do know what I want to do and that's AI security. I do want to get into AI security, but I'm still learning it. I feel like it's so new that, that before I didn't know how to get into it, because as you guys who've been following me and watching me for a while and following my journey, like, you know, I like cybersecurity certifications and that's how I learn the best.

So I wasn't able to really learn AI until these AI certifications came out. And now that there's like a handful of AI security certifications, I now have created my own path to learn AI security and I'm on that path. And you're going to see, you're going to start seeing me get some AI certifications under my belt.

And I already have the CompTIA SecAI+ for a foundation. And then I'm going to work my way up in difficulty until I become a true expert in AI security. And that's my goal.

That's the path that I'm personally going to take. And you're going to see that reflected in my content, guys, on my YouTube channel. In the non-podcast episodes, you're going to see a lot of AI security videos, and if that's not your thing,

I'm sorry, but that's my thing because I think it's an opportunity for me because it's so new. I think with pen testing and really anything cybersecurity, it's, it's kind of, it's been around for a while and there's a lot of, there's a lot of competition, but I think AI, a lot of people are sleeping on it and I think it's an opportunity. So I'm just, I'm telling you this 'cause that's what I'm doing.

I probably shouldn't tell you that because if you're following my channel and be like, oh guys, that's right, I should probably get into AI security, then I just, I'm just creating my own competition, but I have confidence that there is, I will end up doing something with AI security. But in the meantime, I am looking for just any cybersecurity role that I can get just to cover my bills because I'm, I'm starting to run out of money.

I only have a handful of months left before I really start being low in the funds. And speaking of funds, we're going to talk about money later in this podcast episode. So stick around for that because someone asked me a salary question, but it's going to be the last question because that's the order it's in.

So yeah. Is it worth it, guys? Man, I hate to say it. I really do.

But if you're brand new and you are, you don't have any certifications, you don't have any experience, I would not recommend getting into cybersecurity. I would not recommend it because you have someone like me who's quite literally put in over 10,000 hours into this craft and even I get rejected, dude.

And I, I mean, I agree. And I've only been looking for a job for a month and a half. It takes, it takes on average like three or four months to find a job.

But I feel like with my experience level, my, my certifications, my degrees and the amount of training and content that I have made and my connections I made, I feel like this should have happened a lot faster for me. And I thought it was, because I was really close to getting a job offered to me. And I had high hopes for that, for it was an AppSec engineer, application security engineer position.

Something that was a little new for me. They told me it was going to be like 80% blue team, 20% red team, which was to me a really good mix. 'Cause I'm more, I've always identified as a purple teamer myself anyway.

So I really wanted to get into a role that used both blue team and offensive security. And I really was excited for that role. And then they just ghosted me.

So it was an absolute role. It was, I guess there's a chance that they'll hit me up. I did email or did text a recruiter, um, right before I started recording, like really late.

So hopefully they hit me up next and are like, yeah, you got the job, but I highly doubt it. 'Cause they've been ghosting me for a while now, a few weeks now.

So that being said, guys, I don't think it's worth it. And even if you're in the field, like if you have experience, like I, I'm struggling with, is it worth it? Like I've been thinking about career shifts outside of cybersecurity altogether, not just AI security. I'm learning AI security, but I'm trying to think of things I could do outside of cybersecurity that I might like, or something I might be good at.

And because there's just not that many opportunities out there, guys. It's unfortunate that they, and I was going to make an entire episode on this. And it might, this is going to take up the bulk of the episode, really, because I have a, it's a big rant of mine, but they basically lied to us.

You know, when I was getting into cybersecurity, when I was in the U.S. Air Force, active duty, cyber defense operations, when I decided to go to school for cybersecurity, one of my first classes was to like research, like, the opportunities in the field you're getting into, and the research that I found, and keep in mind, this is like college level research. It's not like, it's not like surface level research. I did some deep dives on, yes,

Cybersecurity, 0% unemployment rate, millions and millions of unfilled jobs. There's so many jobs that they can't fill. That was in 2019.

And I just feel like that was a big lie, for some reason. I don't know how those numbers came to be. Now, granted there was, there was a lot more opportunities back then, but now, ever since then, and now here in 2026, there's been less and less opportunities because I guess the economy and AI. AI is replacing lower level work.

It is. And people who say it's not are full of themselves. It absolutely is.

And they're going to start replacing the mid-level jobs. And then after that, they're going to start taking over the expert level jobs. Like, I just, I feel like AI is ultimately going to end up taking over everybody's job eventually at this rate.

I guess it's just going so fast. It's compounding so fast and there's only going to be a very small amount of people who are actually working in this field. And it's just going to be like one person running 20,000 AI agents.

And then that's, that's going to be it. So that's why I'm like, AI security, guys, because AI is taking over the jobs. And if you know AI, then, well, you're going to be the guy that everyone wants to hire because everybody wants to have an AI agent in their apps and in their businesses and, and wherever. They're putting AI everywhere, literally everywhere.

So it is frustrating. Job market's bad. Like I said, I could make an entire episode on this.

I almost did actually, but then I decided to turn it into a Q&A episode because I felt like it would have been too short of an episode. I do like to try to keep these podcast episodes between 30 and 40 minutes. And this is a topic that I could go on about, but I've really said the main points here.

Overall, if you are brand new, I wouldn't, unless you're just absolutely dying. And I mean, like, you just have like a bleeding, like, like if you cut yourself, I'm not promoting self-harm, but if you cut yourself and you're bleeding cybersecurity, like it's running through your veins, like literally you see ones and zeros coming out of your veins, then go get into cybersecurity. Like it's worth it if you just have conviction in doing it.

But if you're like on the fence, do I kind of like this field? Do I kind of get out? Don't do it. Seriously. If you're on the fence, do not pursue this at all because it requires someone having a high passion. I have a high passion for this.

You don't just make 600 plus YouTube videos and get 19 certifications, two degrees, and make a podcast if you don't have a passion for this. So I have a high passion and even I get burned out and even I'm fed up with this field, so if you have, if you're on the fence, I'm telling you, just do yourself a favor, go get into something else. I'm telling you.

It will be, you'll thank me later. But if you have that passion, it is worth it because you got to pursue your passions. You got to pursue your passions.

And I firmly believe that the more I do this, the less passionate I am about it, to be honest with you. At this point, I'm just like, I'm just kind of doing, I just want to do this for a paycheck. I hate to say that, but that's kind of where I'm at.

I just want to pay my bills and this is, yeah, I can get a bunch of jobs to pay my bills, but this is going to help me, allow me to live the most comfortable life because it is a high paying field. So we're going to be talking about money later now. Okay.

So that's, that's that, guys. If you have any questions about that or any comments, I would love to hear them. We already took up over half the time on that one question, but we only got two more questions here, so let's go into the next question. Next question is a long one. So bear with me.

Thank you for sharing what the real day-to-day pentest grind looks like to me. I watched so many cybersecurity videos, but no channels really talk about this deep real situation. I'm finishing my diploma and starting an internship in six months.

I'm pretty nervous about the consulting side because English is my second language. Can you break down the whole project life cycle from zero? Hearing about the real deal would be extremely helpful because this is never taught by Hack The Box, OffSec, or colleges. From the moment the sales team signs a client for a network or web API test,

how do you kickstart a job, navigate gaining technical access and handle ongoing updates? What exactly do clients want to know or hear from the pentester before delivering the final results? Thanks again for your time and guidance. Excellent question.

So in a nutshell, the way I read this question is like, how does a pentest go start to finish? Like what, what does that look like? So it all starts with the kickoff call. In that kickoff call, you're going to meet with a client and you're, you should already have an idea of the scope, like how many IP addresses we're testing, how many web apps we're testing and how much time are we allocating to this, because the salesperson should have scoped this roughly pretty good. Now, some salespeople do not know how to properly scope a project and they will, they will promise a lot, that the pen tester can do a lot more than what they can in a week or two weeks or three weeks or however long the engagement is, but sometimes the salesperson does over promise.

So hopefully you don't work for an organization that has salespeople who over promise, because there have been situations, where in my last role, we're like, there's no way I can pentest 16 web apps in a week. It's just no way I'm going to, there's no way you can do this. You know what I mean? That's maybe an exaggeration, but there have been situations like that.

And hopefully you don't have that, but it's bound to happen. It's bound to happen. And this is going to vary from organization to organization.

And obviously I've only worked with two pentesting firms. I had an internship that was four months long and I had my last full time role, which was less than a year and a half. So your experience may vary because my, my experience with companies, I haven't worked for seven companies, only two, but ideally the salesperson should have, should give you a fair opportunity to complete, with like a fair amount of time to complete, the work that needs to be done.

And then you're going to get in this kickoff call and you're going to look at the scope and you're just going to confirm scope with the client. And then you're going to go over, you know, what, what does the client want? What are they looking for? Is there, is this a compliance requirement? Like ultimately what are they, what are they looking to do? And then you're going to ask them, like, what's their environment look like? Like what, what kind of technology do you use in your web app? What's your network look like? What kind of devices do you have in your network? And you're literally just trying to figure out as many things as you possibly can. And you're writing it in your notes.

That way, when a pen test actually starts, like you're already somewhat familiar with what's going to happen. And these kickoff calls. Now, this is why I got burned out.

If we go back to that, that episode, two episodes ago, where we're talking about why I got burned out on the job. This is another reason, because a lot of the times you just ask a question, the client has no idea. They have no clue.

I'd be like, hey, what kind of servers do you have in your, in your environment? I don't know. I have no idea what kind of servers we have. Or like, how many devices do you have in your network? I don't know. Are you using Active Directory? I don't know.

Like, it's just, it's crazy to me, like the clients, how unknowledgeable they are about their own environment, their own environment. And most of the time we're talking to, like when you're a pen tester, you are talking to another tech professional. It's not like you're talking to, like, like the CEO of the company.

Now that does happen if it's a smaller company, but more times than not, if you're working on a web app, you're going to be talking to some developers. If you are working like on a network pen test, you're going to be talking to some like cybersecurity engineers.

And I'm sure many people who are in cyber defense listen, and so like they, if they get third-party pen tests, like they, they probably been through a kickoff call like this. But man, if you are one of those defenders, like, please know, when you're talking to a pen tester, please understand your environment because that helps a pen tester so much, and it's frustrating when the client has no idea, like, what's going on in their environment. And then, yeah, you're just going to figure out where their weaknesses are, where their concerns are.

You ask them, like, what is the biggest concern you have? Like, what, like, what is the worst case scenario for you? Like if, if a hacker broke into your network, like where's your biggest vulnerability, where's your biggest weakness, and you want to know all this because where their concerns are, that's where you want to focus your attention, because there's no way. They're almost, most of the time when you do a pen test, you are not going to have enough time to, to test everything. And that's another reason why I get burned out, because it's quite literally impossible to test every single aspect of every single thing, because there's just not a lot.

It's not like, it's not like a Hack The Box machine where it's one machine. We're talking, we're talking thousands of devices on a network. Sometimes hundreds to a thousand, thousands of devices, man, on a network.

And in web apps, it's not like you're doing the OSWA, right? OSWA, there's like five web apps, but they're like tiny web apps. And like in the real world, like you might work with one or two web apps, but they're like huge. They have like hundreds of pages, dude.

And you got to, there's just no way to test them all within a week. Another reason why I got burned out. And that's another reason why a lot of people get burned out.

I've been talking about burnout the last few episodes, because that's just what my recent experience has been. And I'm coming out of that burnout now. I'm fresh.

I'm ready to work again, but I want you guys to get an idea. Like, why did I, why did I take a six month break? Like, these are the reasons why. So that's the kickoff call.

After the kickoff call, you need to do some kind of setup to where, like, you have access to this, to the systems or the web app. For websites, usually just credentials. Like they have, they'll give you credentials to log into their web app. And then you're off to the races.

If it's hosted online. If not, then you need to get some, like, VPNs, or maybe they need to give you like internal network access and then you can pen test from there. But there's a lot of VPNs. Like, like we're talking VPNs within VPNs within VPNs.

Like it's not uncommon to go through two or three different VPNs just to get access to a client environment. And those VPNs, that's another reason I got burned out. 'Cause like setting up those VPNs is just, it's so annoying.

Like getting access to their network to just test. And this is why I got let go at my last job, by the way, is because it was like a 30 step process and it just burns you out. 'Cause it's not, to me, that's not fun.

That's not fun. I just want to test, man. I just want to go in and start testing.

It's not like a Hack The Box machine where you type in OpenVPN, boom, done. No, you got to do OpenVPN, boom. And then open up another VPN, get four sets of creds.

'Cause you got to go through like five different machines before you can even get in their internal network. So you need to work with the client to get your access. And again, this is where it gets frustrating.

A lot of clients, they don't have a way to get you your access or they don't know how to get your access and there's errors. And this is why I got let go. 'Cause I wasn't working with a client the right way.

Like I was saying, hey, I can't get my access. Hey, can you try this? Yeah, I tried this. And it's just like a back and forth, back and forth.

And I just, I just got fed up with it. I just, I just couldn't do it anymore, man. I just could not do it anymore.

And I didn't raise that issue to my leadership because it was just, to me, an annoying situation. Now, some clients are obviously easier to work with than others, but it is frustrating nonetheless. So there's that.

So after you get your access, what's next? We're going to do the actual testing. So you're going to do your actual work, whether that's, in every engagement is different. Sometimes I've heard some companies only do like three, two, three day pen tests.

Uh, for me, I've had pen tests where they're usually a week long, but I've heard a lot of, a lot of pen test companies, they'll sell like two, three day pen tests, which is wild to me. 'Cause it's hard to do it in a week or two, let alone three days, two, three days. After the testing, you're going to be reporting.

So after the report, you are, you're going to take notes as you go, as many notes as you can, and you're going to write your reports. And then once you're ready to report, you're going to submit that to the client and then you're going to walk through all your findings. And with my last pen test company, we, we had a findings call where we walked through all the findings.

And that's where you explain all of the vulnerabilities and how to fix them and answer any questions that they might have. And then you're going to do a wrap-up call. Wrap-up call, that's typically where you're going to run through the findings.

It's like I said, depends on the pen test firm, but our firm, we did a findings call, then a wrap-up call. Some firms, like, you'll just do just a wrap-up call, but the wrap-up call is essentially the same thing. And then it's just an opportunity to finalize the engagement, essentially.

So, I mean, it sounds pretty straightforward, right? You got the kickoff call, then you got getting your access, and you got to get a lot of information from the client when you're doing that kickoff call and getting your access, then you do the testing and then you do your reporting. And then you present your findings. And keep in mind, as you're doing this, you're working with multiple clients. I didn't mention this in that episode where I talk about why I took a break, but I got burned out.

Another reason why was because you're doing so many meetings, guys. You're doing so many meetings, you're doing so many emails, because like I said, in that video, in that podcast episode, I forget the number, but it was two episodes ago, you know, I'm talking to five clients pretty much every week, right? I'm, I'm talking to the current client and then the previous two clients and the next two clients, and it always seems like every week you got a, you got a kickoff call, sometimes you got multiple kickoff calls, and then every week you got a wrap-up call, and then you also have to do remediation testing. So remediation testing, some pentest services offer, hey, we'll retest your findings for free if you fix them. So essentially you present your findings and you give them 30 to 90 days.

It depends on the firm. My firm did 30 days. Like you have 30 days to fix the vulnerabilities and then you tell us what you fixed and then we'll go in and retest it.

So you have to do that every week as well, because, so you're all, so not only are you doing your, your test for the week, but you're also doing your remediation test. Now, my pentest firm's remediation testing was supposed to be a half day effort. Sometimes it took a little, sometimes it took almost an entire day, depending on how many things they fixed and how many things you had to test and how hard it is to get that access.

And that's another thing too. You work so hard to get your access. And then after the test, they revoke your access for security purposes, obviously.

And then the remediation, remediation testing comes along. Then you got to fight to get your access again. And that's it again.

So you're essentially doing two tests a week easily, because, I mean, a remediation test isn't the same as a regular test. 'Cause like a remediation test, you're, you're just testing the things that you've already tested just to see if it's fixed, and then you got to write a remediation test report. So again, that's two reports a week, two tests a week.

And then you got to present those findings as well. And then clients like to argue the findings. I've talked about this at length.

 

And then they'll, they'll even still argue remediation tests because they think they fixed something, but the vulnerability is still there. And then one time, one time a client did fix a finding, but because they fixed another finding, it opened up something else or like the vulnerability was still there, but I found it in a different way the second time around. And they got so mad.

 

They're like, we fixed it. I was like, I was like, yeah, you did fix it, but it's still, the vulnerability is still there. I'm seeing it in a different way.

 

And they're like, why didn't you tell me this way existed before? I was like, I didn't see that way the first time, but now that you fix this, another door opens, you know? So that was, they were really frustrated about that. And I'm like, I can't re I can't say it's remediated because the vulnerability is still there because I can still see the same information. Just slightly differently, just slightly differently, just ever so slightly.

 

And they were so upset about it. And that's, like I said, man, consulting pentest work is very demanding, very frustrating, and you're, you're answering emails all the time. And I should have said this in that episode, a few episodes ago, but you're basically only testing like 20% of your time.

 

I feel like 80% of your time is meetings, answering emails, getting access, asking questions and meetings, meetings, meetings, emails, emails, emails, and then testing. Like, and then I don't know about you guys, but it's, it takes a long time for me to get in a flow state. So if I'm testing for an hour and then boom meeting, you know, and then it takes me another, at least 15, 20 minutes to get back into flow, back in my test.

 

So you just, you waste so much time in meetings. A lot of meetings aren't, aren't really necessary. Like a lot of, there's been a lot of meetings where like, I would hardly say anything and it's like, why am I even here? Um, then my last company did knock the meetings down quite significantly after I first got in, which was really nice, but there was still a lot of meetings even, even then.

 

So that's a pen test in a nutshell from beginning to end. And, uh, you gotta be on your A game, guys, you gotta be really, you have to really like communicating with clients. Cause if you don't, if you're not a people person or you're like stupid introverted, then it's going to burn you out.

 

I'm not even, I'm, I lean more on the introvert side, which is crazy to say. Cause I, I make all this content. I can talk on this podcast for a half hour straight and it's probably going to have been a 40 minute episode.

 

But even then guys, I still, I'm not big on meetings mostly because I don't know. Talking to other tech guys, just, I don't like it. Everyone's got an ego.

 

Everyone's got an ego, bro. Like, well, how dare you find a vulnerability in my app that I developed? Like, you think you're better than me? Like they literally like, that's, that's the way they come off, man. Like these developers, they got an ego.

 

A lot of cybersecurity engineers got an ego. They think they're really good at what they do and they are, but you know, and not, no one's perfect. That's the thing.

 

No one's perfect. So then you find one vulnerability, it bruises their ego and they just get mad at you. It's like, bro, I'm not trying to bruise your ego.

 

I'm not trying to, I'm not trying to, you know, say I'm better than you or I pwned you, I just happened to find this vulnerability and like ethically I have to report this, like, I don't want to report this bro, you know how long it takes for me to, to take the screenshots, draw boxes, draw arrows on the screenshots and then write pages about this vulnerability and how and research and it takes so much time for me to write this finding. Like, I'm not doing this just because like, if I, I wish I would find zero findings because that would make my job easier because I could just be like, nothing, you're good. Blank report.

 

Here you go. But that never happens. No one gets a blank report because it's always a finding and people, yeah, it's like, I'm not writing this because I like writing reports, man.

 

I, I, I genuinely stopped getting excited over critical findings because of this guys, like you, like a lot of people, you think you're like, oh man, I found SQL injection and I dumped the database. I own the database. This is cool.

 

And it's like, man, I found a SQL injection, critical vulnerability. And it's like, I got to document this now. I got to write about this now.

 

That's, that's the thing I like. It's fun hacking. Like I love that part, but the documenting and then find and then.

 

And reporting them and going over with the client. That's the annoying part because like I said, everyone's got an ego and every tech person, it seems like it's really introverted and it's just, just like a dull conversation, you know, you ask them like how they're doing and it's like, it's just like, it drains your energy, bro. Like, especially if you're introverted like me, like if I'm with, like, if I'm having a fun conversation, like I can get into it, but like a lot of these guys, they're burned out too.

 

That's the thing they're burned out too. So you, you got two, you got a burned out pen tester and a burned out developer or burned out cybersecurity engineer talking about cybersecurity. It's just, bro, it's not fun.

 

It's not fun, bro. So that's the last thing I'll say on burnout. That gives you a little bit more of an idea.

 

Like, what does it, what does it look like day to day as a pen tester? You definitely need to prepare, prepare for that. And I thought, you know, people were talking about burnout. I never thought we'd get burned out because no one really told me this stuff.

 

Like no one really like, yeah, I heard about the burnout, but like, why did people get burned out? I didn't really know until I got in it, but now I'm in it and I can tell you guys like, this is why it's why burnout is so prevalent guys. All right. As promised, we're going to talk about money.

 

I had a question since you mentioned salary, what range of salary were you making per year, like a rough estimate? So now that I'm on my current role, I really don't mind sharing this information and I think sharing this information is going to help you guys land your roles and make sure you guys are getting paid appropriately. So when I was coming out of the military, guys, I didn't really know how much a pen tester made either. Right.

 

You can look up online and there's like a huge range online. You don't, you don't know what's true. What's not true.

 

So I ended up doing a salary survey and shout out to anybody who's listening to this podcast, who's helped me with the salary survey. But I basically hit up at the time I was only connected with like 40 different pen testers and I hit up 40 real world pen testers and I said, Hey, what is a good starting salary for a pen tester? And I only got, I think nine responses, unfortunately, but the average salary between those nine responses was $103,000. Keep in mind.

 

This was in 2023, right at the beginning of 2024. So it's $103,000. So that was my target.

 

My goal was to make at least $103,000 into my first pen testing role and hopefully get more. So that was my goal. And, you know, obviously the range was higher.

 

Some people said they're like 90,000. Some people said I entered over, it should be 120,000. It depends on where you live, guys.

 

It depends on where you live for sure. And if the company's based in certain states, like, like you can make more money if they're based in a different state. So it really, there's a lot of factors at play there.

 

Cause location, like money is more and less valuable depending on where you're at. Now we're talking about the US, by the way. I know I have a lot of you guys not in the US. I think half my audience is US.

 

And then half my audience is like not US, but the bulk, you guys are in the US or at least half of you are, and I'm in the US and that's what I can relate to. I think outside of the US you're going to be making significantly less money because the cost of living in the US is like extraordinarily high. You guys, I've been, I've traveled a lot, guys, in the military.

 

I've been to, I've been all over Europe. I've been in multiple Asian countries. I've been, I've been around and I go, I go to your guys' country.

 

So I'm like, bro, everything's so cheap. Everything's on discount, you know? So that's why the, we make a lot more money over here in the US because it's everything over here is like stupid expensive. And I think a lot of people who have visited the United States from other countries, like you're starting, you, you understand that, but that's what the average pen tester makes in 2023, it should be a little higher now because of inflation.

 

So I would say like, if you're going to get a junior role, guys, I would not accept a role under $105,000 for a junior pen tester role, like your first pen testing role, definitely not below a hundred. If it doesn't, if it doesn't start with a hundred, then just don't even accept that dude. Seriously.

 

Pen testing is a field that requires high amounts of knowledge. You should be making at least a hundred thousand dollars a year easily. Now, my first ever job I ever accepted, how much money did I make that we're going to be, I guess I don't even care.

 

I'm just going to give you the numbers right here. So the first ever job offer I got coming out of the military, it was for a senior penetration tester position. I got this job offer and I ended up negotiating and that's huge.

 

You guys need to learn salary negotiation by the, by the way, I've always asked for more and I've always gotten more than my initial offer, but I ended up, I ended up with $133,000 a year for the senior penetration tester position. Now I didn't end up making that money because they ended up revoking the job offer because I guess the work that they had lined up got canceled or their client dumped them or whatever. Not entirely sure, but they revoked my job offer.

 

So I didn't end up getting that money and that's why I never had a senior pen tester position. I almost did have a senior position as my first position, which is crazy, but that was kind of how it happened. But after that got revoked, I had to go back into job search and then the company, my last company.

 

I was told that I would be making about 115,000 after negotiation. Keep in mind, I've always asked for more. I always, always ask for more guys.

 

Always, always, always. Any job offer you get, always ask for more, but I ended up negotiating and they came back and they said, we're going to give you 85,000 base salary plus revenue. So my last company does like a revenue sharing thing where they give you part of the revenue for the pen test.

 

So the way my mind was worked out was I got 4% of the money from every single pen test that I worked on. And then I got 1% of the money from every other project in the company. And they told me, cause it was hard to understand.

 

I was like, I don't understand like how much revenue share am I going to get? It was very vague because like, what's for like, how much are you selling pen test for? I didn't know that at the time. Now I do. That's another topic for discussion.

 

Like how much does a company sell a pen test for, but 4% for every project I worked on 1% for every other project. That was very, I had no idea what, like, what, what does that even mean? Like 85 base salary seems low, but revenue share, like it had a high ceiling. Like, but they basically told me you're going to be, you should be around $115,000.

 

I was like, Oh, $115,000. It's pretty good salary for me. I accepted.

 

Ended up after my first year working for my, my last company that I was at, I ended up making $104,000. I was pretty disappointed to say the least. And I ended up asking for a raise after my first year.

 

Keep in mind, I got five certifications during my first year, plus finishing my master's degree. And I did really good, high quality work. And because of that, I was in position to ask for a significant raise.

 

So I had asked for $130,000 base salary with no revenue share. They came back and they're like, yeah, we, you, the whole company does revenue share. We don't like one-offs.

 

So we're going to give you two offers. We're going to either offer you a hundred thousand dollars plus revenue share or $120,000 base salary with no revenue share. And based off my revenue share out the first year, it was like, I think I made like 20, 27,000 in revenue or like 25,000 in revenue extra.

 

So I ended up doing the math and I was like, well, if I take a hundred thousand base salary plus the revenue share, I should be somewhere at around $127,000 for my, for a year. Or I could take 120 flat rate. Doesn't change.

 

Always a consistent. Uh, I was like, ah, I'll take the 127 with a hundred, a hundred thousand plus revenue share. I should end up with anywhere between 125 to $130,000 in revenue share.

 

Like I said, average is like 127. So that was, that's what I was making my last role guys. It kind of gives you an idea of what, what you can make as a pen tester and that's what you should be aiming for.

 

I, I know money's kind of a taboo topic, but, um, since I'm not working that role, I don't have any qualms with like telling you that information, but that, that's what I was making. I'm not making any money now. And when I get a new role, I probably won't talk about my current salary, but I'm, I'm pretty open about things.

 

So I have no problem, like sharing like my past salaries, but key, key thing is guys always, always, always, always ask for more money when you get a job offer, even if you're desperate for the job. And then also after, after you increase your skills or your responsibilities increase or at like a milestone for me, it was a year. Ask for a raise, don't be afraid to ask for a raise.

 

And I'll probably make a separate video about like my exact email that I sent to get my raise. I think it'd be pretty insightful for you guys, but that's it guys. Hopefully you guys got value out of this one.

 

We hit some topics that I haven't hit before. So that's really nice. And we've also expanded on some other topics that I've covered, but that's kind of what's on the forefront of my mind is, is all I can do.

 

You know, it's unscripted always. I just got the questions and I just answer them and I just speak from the heart guys. So, oh, we got some value out.

 

If you did, if you're on YouTube, hit the like button, hit the subscribe button, if you're on audio rate the show five stars, because I know nobody else has given you those knowledge nuggets that I just did, so you owe me that like, and you owe me that five stars. No one is that transparent about salary. And no one's that transparent about like, what does a pentest job look like? I know that's a fact.

 

So I think I deserve, I like, I think I deserve my five stars. So hopefully you enjoyed it guys. Hopefully I see you in the next episode until then this is Kyser signing off.