this post was submitted on 26 Jun 2023
14 points (100.0% liked)


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

top 19 comments
[–] gamencode@infosec.pub 1 points 1 year ago (1 children)

After being a red teamer for nearly 5 years I'm not sure I want to continue doing the job, I feel like I could be amazing at IT but also that it isn't nearly as glamorous or pays enough.

I thought about DevOps but that also seems to not interest me enough... Maybe security researcher? I dunno

[–] shellsharks@infosec.pub 3 points 1 year ago (1 children)

I've found the good $$ is finding just a good ol' "security engineer" title somewhere (most likely a tech company). If your title is "red teamer" or "pentester" and you're not at a well-paid boutique consultancy you're likely being underpaid compared to what you'd get on the engineer track. Where have you applied before/recently? Right now is a frustrating time to job hunt but better now than never, especially if you are bored or disgruntled in your current role. On the "security researcher" front, have you considered (or are you already doing) a blog or something? I've found that supplementing my day job with my own research and publishing it has the combined effect of keeping me interested in security in general as well as being good material to share with prospective opportunities.

[–] gamencode@infosec.pub 1 points 1 year ago (1 children)

So the thing is I can't really be bothered with blogging rn, not sure if I'd make a good blogger cause I usually have small tips and tricks and not full blown posts. Also I'm currently locked in my contract for at least another 9 months then I'm free to go. What's the difference between a security engineer and security researcher?

[–] shellsharks@infosec.pub 2 points 1 year ago

I understand the obstacle to blogging. But that's where micro-blogging comes in! Twitter is out of vogue so I'd say use Mastodon (or similar Fediverse-ey microblogging platform, e.g. Calckey, etc.). You can post all your tiny tips and tricks and other thoughts there rather than having to pull together full-fledged blog posts. This will help you build a portfolio of contributions to the community as well as build a network.

As for sec eng vs. sec researcher? These are merely titles. A security engineer could certainly be a researcher as well. I'd say you have a lot of "independent" security researchers who day-light as engineers. In some cases you have folks who are researchers as their day job but to get these sorts of roles I would suspect you would need some history of published research (like CVEs, talks, papers, blogs, etc.).

[–] gbrls@infosec.pub 1 points 1 year ago (1 children)

I have a year of experience as a Red Teamer and I'm taking my first cert now. Not sure which path to take next, I feel like as a Red Teamer I work in a broader set of skills and I sometimes wonder if it'd be better for me if I moved to consulting to focus on honing my offensive skills there, and then maybe come back to other companies to do red teaming.

[–] shellsharks@infosec.pub 1 points 1 year ago (1 children)

What cert/training are you working on? Red Teaming is kinda niche and requires (think "Taken") a "special set of skills". Depending on the program you are currently in and how well they actually support a real internal red team, you may want to invest more time there as it's not particularly easy to come by. That said, if your growth has stagnated you should absolutely see what else is out there. If it was me, and I was early in my career and didn't care too much about money in the short term I'd apply for infosec roles in the military, NSA, CIA, etc. You get to do the REAL stuff there and after putting in your time you could easily come back to commercial industry and make a killing.

[–] gbrls@infosec.pub 1 points 1 year ago (1 children)

It's the OSWE, and I'm not a US citizen, so I don't have those options.

[–] shellsharks@infosec.pub 2 points 1 year ago

OSWE is a legit training/cert. Good luck! I too am kinda working on it but need to dedicate real time to it one day. As for being non-US, maybe your country has their own version of these things you could look into =). Beyond that, consulting may be your next best bet as you'll see lots of environments, work fast-paced and presumably have senior folks you can learn from.

[–] Hello@infosec.pub 1 points 1 year ago (1 children)

Hey, I am looking for a remote information security entry level job/internship. If you know any decent company hiring, or a job portal, please let me know, I would really appreciate it. Most of the jobs on job sites I know are only for US citizens... I can work in any time zone! Thank you!

[–] shellsharks@infosec.pub 2 points 1 year ago (1 children)

Maybe you could have some luck here https://search.flockingbird.social? Also try posting on Mastodon with the #fedihired, #fedihire hashtags. Outside those fedi-ish methods, LinkedIn is probably your friend here. It would be cool to have a hiring thread here one day if/when the community has enough eyeballs to support it. Good luck!

[–] Hello@infosec.pub 2 points 1 year ago

Thanks a lot buddy! You are doing a great service to the community!

[–] iamak@infosec.pub 1 points 1 year ago (1 children)

How good is the job market for freshers?

[–] shellsharks@infosec.pub 3 points 1 year ago (1 children)

Good question. I haven't heard too much lately on how the market is looking, though I suspect it's still a bit down compared to a year ago.

[–] iamak@infosec.pub 0 points 1 year ago (1 children)

Oh. Is there a downward trend? Or will it go up again?

[–] shellsharks@infosec.pub 4 points 1 year ago (1 children)

I feel like there was a sharp downward plummeting when the economy soured but things have started to tick back up slowly.

[–] iamak@infosec.pub 1 points 1 year ago
[–] matt@infosec.pub 0 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not sure if this is the right venue for this question so please let me know if that is the case -- happy to ask elsewhere!

I've been in various IT roles for the past 10 years and seem to have gotten stuck in a support capacity. My career goal is to be more of a DevSecOps or Security Engineering role but I honestly can't get the time of day with an interviewer. I've got experience with programming, cloud infrastructure, web application security, and am currently going for my CKA but I don't have a ton of experience "on paper". Most of my experience is either me doing things myself to further my knowledge or taking on security things within my current role -- for ex. in one support role I did a web application penetration test to make sure there weren't any gaping holes before we deployed it.

How can I make sure that I have the right experience down on paper for when I'm applying to roles? Has anyone here "broken out" of a support role into security? What was your experience with it? I also have a lot of interest in doing research work and I know this can dovetail with the two roles I listed above but maybe I need to focus on the core ideas of those roles more?

[–] shellsharks@infosec.pub 3 points 1 year ago (1 children)

This is what I made this playbook for. This will always vary from hiring team to hiring team but for me I look for practical skills/experience & the desire to learn more. Enthusiasm is easily mastered for interviews but proving your skills is harder. Fortunately, there are lots of ways to demonstrate your capabilities, many of which I talk about in the playbook. I'm not saying it'll be easy, because for w/e reason this industry still hasn't figured out how to not gatekeep for one reason or another but I think you'll make it easier on yourself by focusing on practical, demonstrable skills and documenting them. Hopefully that helps!

[–] matt@infosec.pub 2 points 1 year ago

Awesome! I really appreciate your help and will absolutely start going through this and what my resume looks like.

Also, right?! How is it that an industry that already has a deficit of security personnel in it is so damn hard to break into?!
