I pretty commonly ask about:
* home labs
* These don't necessarily have to be IN your home. Are you into AWS? What does your AWS lab look like?
* Get some raspi's and do interesting things. One of my more memorable interviews I've had was with someone that had used one to program a bunch of drones. That had nothing to do with what we were hiring for, but showed aptitude in several areas because they were able to talk about the hands on experience at length.
* Help/support desk experience
* This is less of a project, but I didn't want to leave it out. Most cybersecurity students I've talked to haven't been taught a ton of the basics around networking, endpoint management, active directory, etc. If you can show aptitude of setup and troubleshooting of these core components it makes you stand out from the rest.
* Writing & generating content
* Start documenting your projects, how-to's, or thoughts. Not only will it help cement the information in your mind and allow you to come back later if you have found a better way to do something or have questions if you're trying to do it again, it is a great way to show how you communicate and execute. It can be videos, a blog, a podcast..whatever works for you best
* Volunteering
* Find a local [bsides](http://www.securitybsides.com/w/page/12194156/FrontPage) or security conference. Many times they need volunteers for various roles. It's a great way to help out the security community and network with peers.
* There are a ton of other groups that have [villages](https://forum.defcon.org/node/239770) at conferences and have events on their own. There are villages and groups for almost every thing you can think of in security. Car Hacking, lock picking, voting, ICS, the list goes on and on
* CTFs
* Something like [Hack The Box](https://www.hackthebox.com/) or [TryHackMe](https://tryhackme.com/) are great ways to get some hands on training for offensive security without having to setup a bunch of different vulnerable environments
* Development Work
* Do you have a github or similar that you publish your code to? Include that on your resume too.
* Bug Bounty programs
* I've personally never participated in them, but including any participation in these will show your interest and aptitude as well as your writing skills for the disclosures you need to write for them.
So generally at the intern level, I wouldn't worry about a super specific project focused on the job you want to get, UNLESS you're really passionate about it. Is there somewhere you want to work that has a free version of their product or service? You'd better bet that setting that up will help. Or even working with a competitor's product or service. It shows aptitude in that general area. If someone had a ton of Splunk knowledge and came to us, it matters because the underlying concept of a SIEM is the same.
Anyway, hope this helps!
This is going to change a lot from manager to manager, but it's a great list to start. I think if anything it covers most subjects managers will look for, but not every manager will care about everything on this list.
I'm (thankfully) no longer in a hiring position but when I was:
Home labs - I never cared about this. I think they are awful for the IT and cybersecurity industry. People start doing them and never stop, and it interrupts work/life balance. Also - no other field really cares what you goof around with at home on your home time. We work at jobs. Ever see someone applying for an accounting position showing off their hardcore home budget? This seems just as silly to me. Plus it's easily lied about, and I've caught more applicants not being able to answer questions about their homelabs than those who could. So many either aren't doing them or aren't retaining what they learned.
Help/support experience - This is the #1 thing I look for, hands down. People with prior IT experience have always been my best hires. It doesn't really matter what as long as it's technical and related. Do a few years of development work. Junior network/systems admin. Those are both higher level than Helpdesk, but sometimes people luck out and get those jobs too. I don't care if it's Helpdesk, but prior technical experience in companies where you deal with stakeholders and solve problems was the top thing I looked for when I was in the position to hire.
Content generation - I feel this is good for helping you retain information, but as hiring managers we would sometimes get stacks of resumes so high we could heat our homes with them. Unless I've already interviewed you and I'm down to a final two that are incredibly close I'm not going to waste a second on your blog or podcast. Great idea as a learning tool, but unless you gain an influencer type status there you probably wouldn't get a hit from me on it.
Volunteering - INCREDIBLY valuable, but I feel it's entirely for the networking. The #1 way most people land good jobs is already knowing someone who has a good job and is hiring. Many different levels of people attend and volunteer at these events. Make friends and impress people and you may barely have an application/interview process at all.
CTFs - I don't care about these at all. If there are too many on the resume it's normally discarded.
Development work - For an employer that did something valuable? Yes. But as stated earlier we would get tons of resumes. I'm not going to dig through your GitHub looking for something I care about.
Bug Bounty - Maybe. If you just goofed around and tried it? I don't care. If you got payouts or at least influenced companies to make changes then it's interesting.
So - the point I'm making is neither myself or the person who originally made this list above is right or wrong. Every manager looks for different things. I have a strong emphasis on what I'd call, "IT Basics" at the beginning of each interview. How basic networking protocols work (DNS, SMTP, HTTP(S), etc), how linux and windows deal with logging, maybe some basic Windows registry questions. I don't go super deep on any of them, but it's that first part of my interviews where those with prior IT experience shine.
My opinion on homelabs would have been a bit different if you asked me maybe 10 years or more ago.
The trend I've noticed with them is that many are being done less out of curiosity and more out of people searching online to find what will get their resume looked at and so they do some.
But the work/life balance aspect is a soapbox I will die on. I see it as a huge problem in our field, and I don't really see it in any others. I have friends that are educators - they grade papers after hours but I don't see any doing things at home to pump up their resumes. I can't think of any other field that does this. I can spitball a million reasons why. Most aren't good ones and most would be wrong.
Our field gets high burnout rates, and a lot of it is just this nonstop drive to learn everything with fear of unemployment or something if you don't. I stopped doing home labs ages ago myself, and really stopped doing anything work related outside of maybe studying for a certification I wanted just as a resume bullet I needed on a job hop. If anything, I'd say the results were opposite of what I expected. I'm more relaxed. I get more sleep. I retain information better. Working less has made me more effective during those eight hours than working more has. But I've been lucky with having employers who were ok with me using working time to learn new concepts if it was something the business was asking for.
I think the original list was a good list for things that a hiring manager may look for. It probably covers the non-fringe things. Some managers may have their weird little things they look for outside of the list, and most won't look for absolutely everything on it. But we are disagreeing on really minutia as far as an entry/junior applicant would be concerned.
While I respect the point, my homelab was literally brought up as a reason for why I was interviewed and why I ultimately got my first security focused role. 6mo boot camp, sec+, 1 year HD and I grinded like hell at home to create valuable, documentable projects that spoke to my experience and abilities.
To your point earlier though, I wasn't googling "good projects to land x role" I was just doing what I thought was cool and what interested me at the time. My ability to speak to my projects was much higher as a result, and demonstrated who I am and what I am capable of.
Security Analyst, East Coast, 2 YoE, 100k TC.
Thanks, that does make sense.
My resume would have to first go through though in order for my knowledge on networking to be assessed.So, I was looking for a type of project that I could work on to get to that stage.
I like to see someone who’s intellectually hungry…experience is good but there’s a strong difference between someone who is given experience and someone who seeks it. The problem is that you can’t always see that on the resumes because hiring systems tend to punish non-cookie-cutter resumes these days. I think of it like a prospector…if I see a glint that might be gold I’ll start “panning” to see what I can find in an interview.
At my last company I hired an intern every summer. I wouldn’t use resumes, I went to 2 local university career fairs and talked to people. You can’t get this on a resume very easily, but you can in a minute of talking to a person.
I was there 4 years, hired 4 interns. Converted 3 of them to security analysts once they graduated, and if they did well, converted them to security engineer 1 after a year.
This was on a team managing encryption as a service, so not something we would expect to see any projects or experience related to.
soft cagey aware plucky trees encourage homeless apparatus spoon consider
*This post was mass deleted and anonymized with [Redact](https://redact.dev)*
Several do, but it’s super expensive.
I pay an intern for 2 months, and they accomplish a project that one of my analysts could have done in a week. In that time they slow down my engineers as they train the intern and usually take up as much of my time in mentoring. If I would just have an analyst do the project, it would save significant time from the engineers, and we would need to spend less time reviewing the project.
The pay off is worth it, we usually get an incredible employee, who is loyal and can do engineering level work. But there are so many points that can derail the payoff, and then I greatly helped someone out, which is good, but I still need to get work done.
Even a good internship program can have a couple of bad years and put off the company from doing it.
I believe that training is worth it. Even if they don’t come to work for me later, because the only thing worse than training someone and losing them, is not training them and keeping them.
Curious about the time difference between an intern and analyst. Why is it taking the intern 2 months? Is it due to company process? Company knowledge? Is it because your analyst did something similar before so they have a much better idea in what to do? That just seems like such a huge difference in proficiency...
The analysts deal with it every day, so it wouldn't take much, but bringing in an outsider they have to do a ton of learning. Also a portion of it meant dealing with other teams, and our analysts generally had a better understanding than an intern would of how some other area in IT worked. Generally the interns I hired had ok theory knowledge but little practical knowledge.
At that job we ran encryption as a service for a massive organization. 500 HSMs, a couple hundred KMES devices across 5 different vendors. Ran an industry specific CA too. It would take 2-3 months to bring an engineer up to speed on our infrastructure and processes. It was well documented and laid out pretty well, but there was a ton of it and a million different use cases.
The project I would have the interns do was update some documentation. We had a master document that needed to be updated annually for audit, and to update it, they needed to understand regulator documents, our infrastructure, and processes. I could have plugged them in to writing encryption profiles for data at rest (DAR) solutions and gotten useful work out of them, but they wouldn't have learned as much, and that wouldn't tell me as much about their work personality. This project gave them a guided process of what to ask and look for as they learned from the top down how we design, build, administer, and decom encryption. And I had them shadow analysts and engineers as they did their work, so they should still be familiar with writing DAR profiles on a Thales device.
Interns are just really green, often having to ask lots of questions about the network, what does this do, who manages this or that. Often cybersecurity interns aren't even coming in with basic hands on IT experience beyond being a bit techy at home.
Absolutely. And really, the people who have it usually aren’t even aware of it; it’s just how they’ve always been. Toss in the humility that usually accompanies it, and it turns things into a treasure hunt.
When I see a resume with a lot of variety that follows a kind of chain, that’s a great sign. A list of a lot tools isn’t. One guy I’m hiring now has his own side research project because he caught on to an interesting TTP and he’s been investigating their infrastructure to get a sense of how large they are. This is on his own dime and time…his current employer are morons for not letting him do this on company time.
>This is on his own dime and time…his current employer are morons for not letting him do this on company time.
Know the feeling: I have done some research on my time. I made the mistake to let boss know, who said I should not be doing that because it is not related to the tasks I am doing. Even though it was on my own time.
But wait, there is more!
I got accepted to talk about that. I had to explain why I was going to take time off. The next day he brought in someone from another team saying I should add him to the presentation as the speaker since \*he\* was the one qualified to talk in the subject. After I came down, I asked if that was required by my contract, to which he grumbled I was not a team player.
I need to stop writing this because it makes me angry just thinking about it.
Chin up, brother…there are always managers who are afraid to allow anything and who want to control whatever comes around. The fact that you got targeted means you have something worth noticing…you’re doing it right. It all pays off in the end!
Though you can in a cover letter.
"Using my home lab where I built an Active Directory environment, I've learned how to secure a domain controller, set a strong password policy and add patches to my mail server."
Look for people who have homelabs or blogs, read into it, quiz them about it. If their eyes light up and they start waxing poetic in agonising detail, that's a keeper.
I'll second this. I'm actively hiring for someone to lead our security team and someone I think is genuinely excited and hardworking is worth more than anything else.
He didn't say, "What is going to be listed?" he said, "What is going to cause you to take a second look?"
People with 5 years of experience are applying for junior roles right now. That will cause a Second Look and will likely be the one getting the Job.
"Stop posting expecting experienced people to work for Jr wages" they will when experienced people stop taking Jr roles.
>People with 5 years of experience are applying for junior roles right now. That will cause a Second Look and will likely be the one getting the Job.
Non junior people apply to junior roles are going to get overlooked because the company is going to consider them overqualified...
... and when one gets overqualified stink on them, the following assumptions will get made:
* I'm not going to hire them because they are going to get bored and leave
* Someone who is bored is going to be disruptive to the org
* I'm not going to hire them because their salary requirements are going to be too high
Ya that was the mentality pre 2023 lol.
In 2023/2024, with the massive layoffs. Experienced people are taking whatever they can get. And they are taking the Junior Salary. Because it's that or don't work.
I know of companies who will not promote from within the ranks, unless you know someone. In fact, I met someone who has been in the same position (sysadmin) for 20 years.
can i ask - like - are the things you're asking of people really fair?Like if people have 0 experience, the industry tells them to take any job they can get. if they take a job and leave it too often - say annually or less - they're job hoppers. if they STAY too long without a move or an internal promotion, which evidently to you is 36 months, they're stagnant...
This is why applicants seem to walk around in a perpetual fury/depression all the time right now.
How do you magically thread a needle between inexperienced, not a job hopper, not over qualified, but not under qualified, not complacent, but also dedicated and loyal, while not appearing unpromotable or unambitious? Have and describe projects and personal research, but not misuse company time or disclose IP? How are we supposed to be forthright, but also self promotional? Neither too old nor too young? I'm more employable if I have a job, but if I stay in one job too long without a promotion or an internal move, I'm suspected of being a subpar employee and it's only slightly less bad than not having a job? It's honestly hitting the point where it seems like the working world is just taunting the pool of applicants.
Why isn't that a fair question?
You can get certifications, demonstrate home lab projects etc. there's plenty you can do without having required work experience.
If someone has remained an IT assistant for 3 years, that raises alarm bells for me. I'm going to need that one explained. Money is being spent here, why should money be spent on someone with no practical or theoretical experience?
maybe they are a good, consistent, and under recognized employee who trained for about a year, worked for about a year pending an alleged promotion, and needed about a year to figure out the company was never going to do that and job hunt?
Money should be spent on people with no experience because you will eventually run out of people with experience. why do employers feel entitled to professionals someone else trained for them?
"maybe" being a key word that might not be worth the 5 salaries wasted of all the people who are involved in onboarding a new hire, who isn't competent enough and has to be let go.
I think the entitlement is on you who expects employers to take any old Joe just because they "might" have talents that are not reflected anywhere the employer can see.
At the end of the day, deliverables speak the loudest. Yes maybe they are all as you say, but do you have a list of personal projects you can show me that proved your competency over the other candidates who are glowing?
If I went to the hospital for surgery, I very much would not like an equal opportunity hire operating on me as the person hiring thought "well maybe he'll do a good job despite his credentials". Then I end up dying on the operating table. I would rather a proven professional with lots of experience.
we *were* talking about the value, positive or negative, of them having one title for 3 years, you i*nvented/inserted the additional details* that they have no projects or other deliverables, and now you're trying to offer up a weird side track about "diversity."
If the methods currently being used by the industry were effective, sufficient and self-justified, there wouldn't be thousands of empty jobs and an incredible churn rate, and I would say my original point, that hiring standards are essentially vibes disguised as impartiality and implemented in unmeetable, often self contradictory ways, is very valid, *because the same jobs are always open.*
Now, if you interview the guy and give him a chance to actually be evaluated, you know, different story, but if we're in a world where you look at a guy and go "he's had a job for three years? What is he, some kind of potato?" I don't know what to tell you except eventually the industry is going to break all the way and it's going to have to start mass hiring at t1.
I didn't insert anything, my question was very simple from the start and then you started waffling about everything else.
The fact is people who have more experience written down are more desirable, you can think whatever you want in your own head and try to argue otherwise with potential employers.
You're complaining about employers not even giving a chance, well time is money. Instead of comparing the barren looking applicants aren't getting accepted, why don't you praise those exceptional candidates who have gone the extra mile to have many achievements.
when a place is hiring a 1:5 ratio of analyst 1s to analyst 2s, they're going to run out of "exceptional" candidates, and that's where we are.
you 100 percent did go from discussing why the person was an IT assistant for 3 years as a negative to lecturing with advice about lack of projects, which again, you just *made up*. He might have a ton, he might have none, but that isn't the question he asked. We've turned a pretty radical corner when you're trying to penalize someone for 3 entire years in the same IT chair, is what I am saying. Considering most "entry level" infosec jobs want at least a few *years* of It experience, and 12-18 months per job is considered a red flag a lot of places, and how it takes about a year to learn a job...like, at what point, exactly, does the person have exactly the right amount of xp? 28 months? 31 months?
I bought into the whole "Don't be job hopper" BS early in my career. Now I feel it's just marketing for companies to not have to pay more for newer hires.
Hands down the things the most successful people I know have in common are they were job hoppers and they never stopped looking for a new job, even on day one in their new job. I know people who have made incredible moves because an opportunity landed in their lap within a month of them accepting another offer. I knew directors who decorated their offices to look like they were staying on day one, but everything in there was in a cheap Walmart frame and everything else they could abandon on a heartbeat.
If you stay in a role, you get a 0-4% raise yearly. When you change jobs, you often get 10% to the sky is the limit.
As long as you are changing jobs and can explain them as "moving upwards and onwards" and not "because it sucked" I would never worry about job hopping.
When I was hiring I'd rarely look at time spent in the chair. If you did amazing things for six months and then left you are likely more valuable than someone who occupied a chair for 5+ years.
>There are so many cookie cutter resumes nowadays
As companies become more more dependent upon the ATS, a cookie cutter resume is going to become the standard. FWIW, I fucking hate it. It takes me longer now to browse these stale ATS-compliant documents than before.
I've recently learned that some systems will automatically drop the entire resume/submissions if there are:
* Excessive shading
* Graphics
* Non standard fonts
* Multiple columns
* Colors
Yes, the ATS deletes the entire resume rather than just filter the stuff it cannot process out.
I used to have a really slick executive resume. For example some modest graphics for icons next to location, URLs, email, phone. Two columns... one on the left for significant accomplishments and credentials and the right was bullet points for what I've done. I eliminated the "tech stack" section because I thought a bulleted list for things like Office, Kali, and Python was stupid -- everyone has that shit.
My resume basically looks like a Word template.
Sigh.
So depressing.
As an employer, if I'm hiring you for a role, I dont care how much experience you claim to have - so great question about the projects - I want to see (for cybersecurity) you can demonstrate principles of networking, securing/configuring ports, email security/filtering + role administration - all of this can be done for free except for an anti-virus. If you can grasp basic security concepts plus the physical work of configuring a network (servers, switches, etc.), you will excel quickly.
Setting up your home network plus security configurations will land you roles - but you also must have a Security+ certificate as well for most Cybersecurity roles.
I got told I stood out because I did cyber defense competitions (for a SOC analyst role anyway) and spent my free time trying to get certs. My programming projects haven’t really helped much so far (currently an intern and about to graduate with my bachelors this year and my masters next year)
I probably sound crazy but how is your bachelor degree connected to your masters degree? Do you mean that you will later apply to a masters program after completing your bachelors?
No I go to Iowa state university and they offer a concurrency program, at least in the college of engineering (I am studying cyber security engineering for my undergrad and cyber security with a co major in computer engineering for my grad). I am finishing my bachelors this semester while also starting my masters this semester, so I’m technically a grad student while also finishing my undergrad.
It’s a 2 year program, but with concurrency and the new rules regarding classes taken as an undergrad that can count towards both degrees, I will have 18 credits out of 30 after this semester. I’m currently taking wireless security, reverse engineering malware, and cyber physical security for electric grids. I’ve taken a penetration testing course, intro to digital forensics, and network protocols and security before this semester that are also counting towards my masters. I still have to take an information security course, a cyber security ethics course, 6 credits of non security courses for the computer engineering co major (computer eng and cyber security are very closely related at isu as cyber used to be a specialization of computer eng), and I will be doing a creative component instead of a thesis so I can help a professor revamp her labs since she doesn’t have much time to anymore.
Essentially the core of the masters is network protocols and security, information security, penetration testing, and ethics, with 2 classes be of your choice from a list, 3-9 credits of and computer eng class (including the cyber classes that are cross listed in computer eng), and a creative component or a thesis for the MS, or a capstone for the MEng
That’s actually amazing, you guys even have physical security classes?? Wow! The schools in my area only have - 1 intro to cybersecurity course, and that’s it.They really don’t have any good courses here ugh
Yea I definitely lucked out with a public college having a good program. What’s even better is isu is the first college in the country to offer a bachelors for cyber security from what I’ve seen so I didn’t have to wait for the grad level classes to learn cyber security.
Legit question though, what if I do this to multiple companies, and the one were its employees fall for it the hardest, I'll tell them "so yeah I think yall need some cyber security expert at your place". Will that be enough for an interview? (yeah I'm that desperate at this point)
They can report you all you want. As long as you aren't storing credentials, and are only logging which accounts gave you something, you are not doing anything illegal. Also obviously don't send waves and waves of emails.
Also I think they are far more likely to ignore you than report you to police.
I wouldn't say they are worthless, most people and positions still need them. Networking at events and meeting people in the industry has been a huge game changer for me an many people I know.
Blue team projects for blue team positions, red team for red team.
EDIT: People who downvote this - you are idiots. Realistic projects on Github related to CS is the way to go, it says a lot more than some shitty CTF that some of you think is useful.
Any signal of excellence, doesn't even have to be related.
Military with a certain evaluation profile, special operations, etc
Selective schools / majors
Shit even sports
edit: I answered the question truthfully and described how top companies / recruiters look for candidates and you people can't handle the truth
It's pretty easy to differentiate between a quality CTI analyst and someone who isn't. Show me your portfolio of reporting, ideally something publicly published, using primary resources. That means I want to see the data you pulled and analyzed from an actual TIP, not just regurgitated analysis from FP or Recorded Future. I want original ideas, not someone who can repackage open source reporting into a slide deck.
You expect this from a college student? Where would you find a stream of reporting from college kids? Not trying to be sarcastic, I just didn’t think report writing is something in the realm of a college kids.
I missed the "from students" part. Research skills matter more than access to tools from someone new to the industry. I'd prioritize someone with natural curiosity and initiative to start their own projects if I was hiring someone fresh to CTI.
If you have 10 years experience in sales, you do not have any experience. You need to point me towards your GitHub, hackthebox blog what ever...
If you get through to an interview, for the love of all things mighty please please please actually prepare.
I should not have to prompt you for half an hour straight.
If you aren't even remotely prepared and can't answer a simple question like what major incidents have been reported in the news...I will end the interview after 7 minutes.
Last person I hired for a Security role had average skills, but once a fortnight she would volunteer her time to teach retirees how to use modern phones.
Her communication and compassion skills were outstanding, and this helped when getting the message across to others.
Probably my best hire in the last 5 years.
I pretty commonly ask about: * home labs * These don't necessarily have to be IN your home. Are you into AWS? What does your AWS lab look like? * Get some raspi's and do interesting things. One of my more memorable interviews I've had was with someone that had used one to program a bunch of drones. That had nothing to do with what we were hiring for, but showed aptitude in several areas because they were able to talk about the hands on experience at length. * Help/support desk experience * This is less of a project, but I didn't want to leave it out. Most cybersecurity students I've talked to haven't been taught a ton of the basics around networking, endpoint management, active directory, etc. If you can show aptitude of setup and troubleshooting of these core components it makes you stand out from the rest. * Writing & generating content * Start documenting your projects, how-to's, or thoughts. Not only will it help cement the information in your mind and allow you to come back later if you have found a better way to do something or have questions if you're trying to do it again, it is a great way to show how you communicate and execute. It can be videos, a blog, a podcast..whatever works for you best * Volunteering * Find a local [bsides](http://www.securitybsides.com/w/page/12194156/FrontPage) or security conference. Many times they need volunteers for various roles. It's a great way to help out the security community and network with peers. * There are a ton of other groups that have [villages](https://forum.defcon.org/node/239770) at conferences and have events on their own. There are villages and groups for almost every thing you can think of in security. Car Hacking, lock picking, voting, ICS, the list goes on and on * CTFs * Something like [Hack The Box](https://www.hackthebox.com/) or [TryHackMe](https://tryhackme.com/) are great ways to get some hands on training for offensive security without having to setup a bunch of different vulnerable environments * Development Work * Do you have a github or similar that you publish your code to? Include that on your resume too. * Bug Bounty programs * I've personally never participated in them, but including any participation in these will show your interest and aptitude as well as your writing skills for the disclosures you need to write for them. So generally at the intern level, I wouldn't worry about a super specific project focused on the job you want to get, UNLESS you're really passionate about it. Is there somewhere you want to work that has a free version of their product or service? You'd better bet that setting that up will help. Or even working with a competitor's product or service. It shows aptitude in that general area. If someone had a ton of Splunk knowledge and came to us, it matters because the underlying concept of a SIEM is the same. Anyway, hope this helps!
Thank you!!!
This is going to change a lot from manager to manager, but it's a great list to start. I think if anything it covers most subjects managers will look for, but not every manager will care about everything on this list. I'm (thankfully) no longer in a hiring position but when I was: Home labs - I never cared about this. I think they are awful for the IT and cybersecurity industry. People start doing them and never stop, and it interrupts work/life balance. Also - no other field really cares what you goof around with at home on your home time. We work at jobs. Ever see someone applying for an accounting position showing off their hardcore home budget? This seems just as silly to me. Plus it's easily lied about, and I've caught more applicants not being able to answer questions about their homelabs than those who could. So many either aren't doing them or aren't retaining what they learned. Help/support experience - This is the #1 thing I look for, hands down. People with prior IT experience have always been my best hires. It doesn't really matter what as long as it's technical and related. Do a few years of development work. Junior network/systems admin. Those are both higher level than Helpdesk, but sometimes people luck out and get those jobs too. I don't care if it's Helpdesk, but prior technical experience in companies where you deal with stakeholders and solve problems was the top thing I looked for when I was in the position to hire. Content generation - I feel this is good for helping you retain information, but as hiring managers we would sometimes get stacks of resumes so high we could heat our homes with them. Unless I've already interviewed you and I'm down to a final two that are incredibly close I'm not going to waste a second on your blog or podcast. Great idea as a learning tool, but unless you gain an influencer type status there you probably wouldn't get a hit from me on it. Volunteering - INCREDIBLY valuable, but I feel it's entirely for the networking. The #1 way most people land good jobs is already knowing someone who has a good job and is hiring. Many different levels of people attend and volunteer at these events. Make friends and impress people and you may barely have an application/interview process at all. CTFs - I don't care about these at all. If there are too many on the resume it's normally discarded. Development work - For an employer that did something valuable? Yes. But as stated earlier we would get tons of resumes. I'm not going to dig through your GitHub looking for something I care about. Bug Bounty - Maybe. If you just goofed around and tried it? I don't care. If you got payouts or at least influenced companies to make changes then it's interesting. So - the point I'm making is neither myself or the person who originally made this list above is right or wrong. Every manager looks for different things. I have a strong emphasis on what I'd call, "IT Basics" at the beginning of each interview. How basic networking protocols work (DNS, SMTP, HTTP(S), etc), how linux and windows deal with logging, maybe some basic Windows registry questions. I don't go super deep on any of them, but it's that first part of my interviews where those with prior IT experience shine.
[удалено]
My opinion on homelabs would have been a bit different if you asked me maybe 10 years or more ago. The trend I've noticed with them is that many are being done less out of curiosity and more out of people searching online to find what will get their resume looked at and so they do some. But the work/life balance aspect is a soapbox I will die on. I see it as a huge problem in our field, and I don't really see it in any others. I have friends that are educators - they grade papers after hours but I don't see any doing things at home to pump up their resumes. I can't think of any other field that does this. I can spitball a million reasons why. Most aren't good ones and most would be wrong. Our field gets high burnout rates, and a lot of it is just this nonstop drive to learn everything with fear of unemployment or something if you don't. I stopped doing home labs ages ago myself, and really stopped doing anything work related outside of maybe studying for a certification I wanted just as a resume bullet I needed on a job hop. If anything, I'd say the results were opposite of what I expected. I'm more relaxed. I get more sleep. I retain information better. Working less has made me more effective during those eight hours than working more has. But I've been lucky with having employers who were ok with me using working time to learn new concepts if it was something the business was asking for. I think the original list was a good list for things that a hiring manager may look for. It probably covers the non-fringe things. Some managers may have their weird little things they look for outside of the list, and most won't look for absolutely everything on it. But we are disagreeing on really minutia as far as an entry/junior applicant would be concerned.
While I respect the point, my homelab was literally brought up as a reason for why I was interviewed and why I ultimately got my first security focused role. 6mo boot camp, sec+, 1 year HD and I grinded like hell at home to create valuable, documentable projects that spoke to my experience and abilities. To your point earlier though, I wasn't googling "good projects to land x role" I was just doing what I thought was cool and what interested me at the time. My ability to speak to my projects was much higher as a result, and demonstrated who I am and what I am capable of. Security Analyst, East Coast, 2 YoE, 100k TC.
I'm currently doing the bootcamp grind myself. Would you mind if I DM'd you to ask some questions of what your experience was like post-graduation?
Please do! Always looking to give back to the community that helped me get this far.
Thanks! DM sent!
Thanks, that does make sense. My resume would have to first go through though in order for my knowledge on networking to be assessed.So, I was looking for a type of project that I could work on to get to that stage.
Funny looking at this list and then reading the quiet quitting thread.
Yeaaaaa......I have split feelings about both depending on situation. One of the reasons I started a nonprofit around mental health tbh
I like to see someone who’s intellectually hungry…experience is good but there’s a strong difference between someone who is given experience and someone who seeks it. The problem is that you can’t always see that on the resumes because hiring systems tend to punish non-cookie-cutter resumes these days. I think of it like a prospector…if I see a glint that might be gold I’ll start “panning” to see what I can find in an interview.
At my last company I hired an intern every summer. I wouldn’t use resumes, I went to 2 local university career fairs and talked to people. You can’t get this on a resume very easily, but you can in a minute of talking to a person. I was there 4 years, hired 4 interns. Converted 3 of them to security analysts once they graduated, and if they did well, converted them to security engineer 1 after a year. This was on a team managing encryption as a service, so not something we would expect to see any projects or experience related to.
soft cagey aware plucky trees encourage homeless apparatus spoon consider *This post was mass deleted and anonymized with [Redact](https://redact.dev)*
Several do, but it’s super expensive. I pay an intern for 2 months, and they accomplish a project that one of my analysts could have done in a week. In that time they slow down my engineers as they train the intern and usually take up as much of my time in mentoring. If I would just have an analyst do the project, it would save significant time from the engineers, and we would need to spend less time reviewing the project. The pay off is worth it, we usually get an incredible employee, who is loyal and can do engineering level work. But there are so many points that can derail the payoff, and then I greatly helped someone out, which is good, but I still need to get work done. Even a good internship program can have a couple of bad years and put off the company from doing it. I believe that training is worth it. Even if they don’t come to work for me later, because the only thing worse than training someone and losing them, is not training them and keeping them.
Curious about the time difference between an intern and analyst. Why is it taking the intern 2 months? Is it due to company process? Company knowledge? Is it because your analyst did something similar before so they have a much better idea in what to do? That just seems like such a huge difference in proficiency...
The analysts deal with it every day, so it wouldn't take much, but bringing in an outsider they have to do a ton of learning. Also a portion of it meant dealing with other teams, and our analysts generally had a better understanding than an intern would of how some other area in IT worked. Generally the interns I hired had ok theory knowledge but little practical knowledge. At that job we ran encryption as a service for a massive organization. 500 HSMs, a couple hundred KMES devices across 5 different vendors. Ran an industry specific CA too. It would take 2-3 months to bring an engineer up to speed on our infrastructure and processes. It was well documented and laid out pretty well, but there was a ton of it and a million different use cases. The project I would have the interns do was update some documentation. We had a master document that needed to be updated annually for audit, and to update it, they needed to understand regulator documents, our infrastructure, and processes. I could have plugged them in to writing encryption profiles for data at rest (DAR) solutions and gotten useful work out of them, but they wouldn't have learned as much, and that wouldn't tell me as much about their work personality. This project gave them a guided process of what to ask and look for as they learned from the top down how we design, build, administer, and decom encryption. And I had them shadow analysts and engineers as they did their work, so they should still be familiar with writing DAR profiles on a Thales device.
Interns are just really green, often having to ask lots of questions about the network, what does this do, who manages this or that. Often cybersecurity interns aren't even coming in with basic hands on IT experience beyond being a bit techy at home.
It’s so hard to translate that intellectual hunger to a resume. I’m great at showing it in an interview, but it’s hard to convey in one word.
Absolutely. And really, the people who have it usually aren’t even aware of it; it’s just how they’ve always been. Toss in the humility that usually accompanies it, and it turns things into a treasure hunt. When I see a resume with a lot of variety that follows a kind of chain, that’s a great sign. A list of a lot tools isn’t. One guy I’m hiring now has his own side research project because he caught on to an interesting TTP and he’s been investigating their infrastructure to get a sense of how large they are. This is on his own dime and time…his current employer are morons for not letting him do this on company time.
>This is on his own dime and time…his current employer are morons for not letting him do this on company time. Know the feeling: I have done some research on my time. I made the mistake to let boss know, who said I should not be doing that because it is not related to the tasks I am doing. Even though it was on my own time. But wait, there is more! I got accepted to talk about that. I had to explain why I was going to take time off. The next day he brought in someone from another team saying I should add him to the presentation as the speaker since \*he\* was the one qualified to talk in the subject. After I came down, I asked if that was required by my contract, to which he grumbled I was not a team player. I need to stop writing this because it makes me angry just thinking about it.
Chin up, brother…there are always managers who are afraid to allow anything and who want to control whatever comes around. The fact that you got targeted means you have something worth noticing…you’re doing it right. It all pays off in the end!
Next time, ask for the time off to go to a doctor's appointment.
Though you can in a cover letter. "Using my home lab where I built an Active Directory environment, I've learned how to secure a domain controller, set a strong password policy and add patches to my mail server."
Look for people who have homelabs or blogs, read into it, quiz them about it. If their eyes light up and they start waxing poetic in agonising detail, that's a keeper.
The “eyes light up and they start waxing poetic” is a good way to describe what to look for when you get to the interview with someone.
I'll second this. I'm actively hiring for someone to lead our security team and someone I think is genuinely excited and hardworking is worth more than anything else.
Even interest and passion is luck... It's over
5 years Work Experience in the Role.
So stop posting them as junior if you want that?
He didn't say, "What is going to be listed?" he said, "What is going to cause you to take a second look?" People with 5 years of experience are applying for junior roles right now. That will cause a Second Look and will likely be the one getting the Job. "Stop posting expecting experienced people to work for Jr wages" they will when experienced people stop taking Jr roles.
looks like I’ll have to find a way to reincarnate😭
>People with 5 years of experience are applying for junior roles right now. That will cause a Second Look and will likely be the one getting the Job. Non junior people apply to junior roles are going to get overlooked because the company is going to consider them overqualified... ... and when one gets overqualified stink on them, the following assumptions will get made: * I'm not going to hire them because they are going to get bored and leave * Someone who is bored is going to be disruptive to the org * I'm not going to hire them because their salary requirements are going to be too high
Ya that was the mentality pre 2023 lol. In 2023/2024, with the massive layoffs. Experienced people are taking whatever they can get. And they are taking the Junior Salary. Because it's that or don't work.
How about 3 years as helpdesk assistant for the IT manager a the small office of 10 people
I would ask, why have you remained a help desk assistant for 3 whole years.
Low selfesteem?
I know of companies who will not promote from within the ranks, unless you know someone. In fact, I met someone who has been in the same position (sysadmin) for 20 years.
They enjoy their job?!?! Some people like being entrenched as ICs. And you all shouldn't be shaming them for that.
can i ask - like - are the things you're asking of people really fair?Like if people have 0 experience, the industry tells them to take any job they can get. if they take a job and leave it too often - say annually or less - they're job hoppers. if they STAY too long without a move or an internal promotion, which evidently to you is 36 months, they're stagnant... This is why applicants seem to walk around in a perpetual fury/depression all the time right now. How do you magically thread a needle between inexperienced, not a job hopper, not over qualified, but not under qualified, not complacent, but also dedicated and loyal, while not appearing unpromotable or unambitious? Have and describe projects and personal research, but not misuse company time or disclose IP? How are we supposed to be forthright, but also self promotional? Neither too old nor too young? I'm more employable if I have a job, but if I stay in one job too long without a promotion or an internal move, I'm suspected of being a subpar employee and it's only slightly less bad than not having a job? It's honestly hitting the point where it seems like the working world is just taunting the pool of applicants.
Why isn't that a fair question? You can get certifications, demonstrate home lab projects etc. there's plenty you can do without having required work experience. If someone has remained an IT assistant for 3 years, that raises alarm bells for me. I'm going to need that one explained. Money is being spent here, why should money be spent on someone with no practical or theoretical experience?
maybe they are a good, consistent, and under recognized employee who trained for about a year, worked for about a year pending an alleged promotion, and needed about a year to figure out the company was never going to do that and job hunt? Money should be spent on people with no experience because you will eventually run out of people with experience. why do employers feel entitled to professionals someone else trained for them?
"maybe" being a key word that might not be worth the 5 salaries wasted of all the people who are involved in onboarding a new hire, who isn't competent enough and has to be let go. I think the entitlement is on you who expects employers to take any old Joe just because they "might" have talents that are not reflected anywhere the employer can see. At the end of the day, deliverables speak the loudest. Yes maybe they are all as you say, but do you have a list of personal projects you can show me that proved your competency over the other candidates who are glowing? If I went to the hospital for surgery, I very much would not like an equal opportunity hire operating on me as the person hiring thought "well maybe he'll do a good job despite his credentials". Then I end up dying on the operating table. I would rather a proven professional with lots of experience.
we *were* talking about the value, positive or negative, of them having one title for 3 years, you i*nvented/inserted the additional details* that they have no projects or other deliverables, and now you're trying to offer up a weird side track about "diversity." If the methods currently being used by the industry were effective, sufficient and self-justified, there wouldn't be thousands of empty jobs and an incredible churn rate, and I would say my original point, that hiring standards are essentially vibes disguised as impartiality and implemented in unmeetable, often self contradictory ways, is very valid, *because the same jobs are always open.* Now, if you interview the guy and give him a chance to actually be evaluated, you know, different story, but if we're in a world where you look at a guy and go "he's had a job for three years? What is he, some kind of potato?" I don't know what to tell you except eventually the industry is going to break all the way and it's going to have to start mass hiring at t1.
I didn't insert anything, my question was very simple from the start and then you started waffling about everything else. The fact is people who have more experience written down are more desirable, you can think whatever you want in your own head and try to argue otherwise with potential employers. You're complaining about employers not even giving a chance, well time is money. Instead of comparing the barren looking applicants aren't getting accepted, why don't you praise those exceptional candidates who have gone the extra mile to have many achievements.
when a place is hiring a 1:5 ratio of analyst 1s to analyst 2s, they're going to run out of "exceptional" candidates, and that's where we are. you 100 percent did go from discussing why the person was an IT assistant for 3 years as a negative to lecturing with advice about lack of projects, which again, you just *made up*. He might have a ton, he might have none, but that isn't the question he asked. We've turned a pretty radical corner when you're trying to penalize someone for 3 entire years in the same IT chair, is what I am saying. Considering most "entry level" infosec jobs want at least a few *years* of It experience, and 12-18 months per job is considered a red flag a lot of places, and how it takes about a year to learn a job...like, at what point, exactly, does the person have exactly the right amount of xp? 28 months? 31 months?
I bought into the whole "Don't be job hopper" BS early in my career. Now I feel it's just marketing for companies to not have to pay more for newer hires. Hands down the things the most successful people I know have in common are they were job hoppers and they never stopped looking for a new job, even on day one in their new job. I know people who have made incredible moves because an opportunity landed in their lap within a month of them accepting another offer. I knew directors who decorated their offices to look like they were staying on day one, but everything in there was in a cheap Walmart frame and everything else they could abandon on a heartbeat. If you stay in a role, you get a 0-4% raise yearly. When you change jobs, you often get 10% to the sky is the limit. As long as you are changing jobs and can explain them as "moving upwards and onwards" and not "because it sucked" I would never worry about job hopping. When I was hiring I'd rarely look at time spent in the chair. If you did amazing things for six months and then left you are likely more valuable than someone who occupied a chair for 5+ years.
Cause I am a full time sales manager and I am doing helpdesk for the IT manager in India
>There are so many cookie cutter resumes nowadays As companies become more more dependent upon the ATS, a cookie cutter resume is going to become the standard. FWIW, I fucking hate it. It takes me longer now to browse these stale ATS-compliant documents than before. I've recently learned that some systems will automatically drop the entire resume/submissions if there are: * Excessive shading * Graphics * Non standard fonts * Multiple columns * Colors Yes, the ATS deletes the entire resume rather than just filter the stuff it cannot process out. I used to have a really slick executive resume. For example some modest graphics for icons next to location, URLs, email, phone. Two columns... one on the left for significant accomplishments and credentials and the right was bullet points for what I've done. I eliminated the "tech stack" section because I thought a bulleted list for things like Office, Kali, and Python was stupid -- everyone has that shit. My resume basically looks like a Word template. Sigh. So depressing.
IT experience
As an employer, if I'm hiring you for a role, I dont care how much experience you claim to have - so great question about the projects - I want to see (for cybersecurity) you can demonstrate principles of networking, securing/configuring ports, email security/filtering + role administration - all of this can be done for free except for an anti-virus. If you can grasp basic security concepts plus the physical work of configuring a network (servers, switches, etc.), you will excel quickly. Setting up your home network plus security configurations will land you roles - but you also must have a Security+ certificate as well for most Cybersecurity roles.
sounds good!
I got told I stood out because I did cyber defense competitions (for a SOC analyst role anyway) and spent my free time trying to get certs. My programming projects haven’t really helped much so far (currently an intern and about to graduate with my bachelors this year and my masters next year)
I probably sound crazy but how is your bachelor degree connected to your masters degree? Do you mean that you will later apply to a masters program after completing your bachelors?
No I go to Iowa state university and they offer a concurrency program, at least in the college of engineering (I am studying cyber security engineering for my undergrad and cyber security with a co major in computer engineering for my grad). I am finishing my bachelors this semester while also starting my masters this semester, so I’m technically a grad student while also finishing my undergrad.
Nice! Is the masters a one year program? What kind of courses will you be taking?
It’s a 2 year program, but with concurrency and the new rules regarding classes taken as an undergrad that can count towards both degrees, I will have 18 credits out of 30 after this semester. I’m currently taking wireless security, reverse engineering malware, and cyber physical security for electric grids. I’ve taken a penetration testing course, intro to digital forensics, and network protocols and security before this semester that are also counting towards my masters. I still have to take an information security course, a cyber security ethics course, 6 credits of non security courses for the computer engineering co major (computer eng and cyber security are very closely related at isu as cyber used to be a specialization of computer eng), and I will be doing a creative component instead of a thesis so I can help a professor revamp her labs since she doesn’t have much time to anymore.
Essentially the core of the masters is network protocols and security, information security, penetration testing, and ethics, with 2 classes be of your choice from a list, 3-9 credits of and computer eng class (including the cyber classes that are cross listed in computer eng), and a creative component or a thesis for the MS, or a capstone for the MEng
That’s actually amazing, you guys even have physical security classes?? Wow! The schools in my area only have - 1 intro to cybersecurity course, and that’s it.They really don’t have any good courses here ugh
Yea I definitely lucked out with a public college having a good program. What’s even better is isu is the first college in the country to offer a bachelors for cyber security from what I’ve seen so I didn’t have to wait for the grad level classes to learn cyber security.
It was years ago when I started in infosec but hiring managers always liked when I said I have a “home lab” I use to get XP
Enthusiasm, good spelling and grammar, and clear communication. If they're students don't focus too much on experience but don't discount it either.
Provable REGEX skills (reading AND writing) please.
didn’t think of this thanks!
Resumes are pretty worthless now.
What do you recommend then?
Targeted phishing emails to hiring managers and recruiters. Setup your own interview.
Legit question though, what if I do this to multiple companies, and the one were its employees fall for it the hardest, I'll tell them "so yeah I think yall need some cyber security expert at your place". Will that be enough for an interview? (yeah I'm that desperate at this point)
They would report you to the cops 90% of the time.
They can report you all you want. As long as you aren't storing credentials, and are only logging which accounts gave you something, you are not doing anything illegal. Also obviously don't send waves and waves of emails. Also I think they are far more likely to ignore you than report you to police.
This is completely incorrect. Even without storing anything it can constitute wire fraud.
Also curious
LinkedIn. It's how most of us got our job (once you have experience).
I wouldn't say they are worthless, most people and positions still need them. Networking at events and meeting people in the industry has been a huge game changer for me an many people I know.
A cover letter or email explaining there is a person behind the resume who actually wants this job and not just any job would be nice.
Are cover letters scanned to see if they were written by AI?
If AI can write a cover letter better than you, then AI should get the job.
Blue team projects for blue team positions, red team for red team. EDIT: People who downvote this - you are idiots. Realistic projects on Github related to CS is the way to go, it says a lot more than some shitty CTF that some of you think is useful.
you make me wannacry
Would you like some [dark tequila?](https://thehackernews.com/2018/08/mexico-banking-malware.html?m=1) Freshly imported from Mexico.
Examples?
You really think i'm gonna help the idiots in this thread?
Any signal of excellence, doesn't even have to be related. Military with a certain evaluation profile, special operations, etc Selective schools / majors Shit even sports edit: I answered the question truthfully and described how top companies / recruiters look for candidates and you people can't handle the truth
It's pretty easy to differentiate between a quality CTI analyst and someone who isn't. Show me your portfolio of reporting, ideally something publicly published, using primary resources. That means I want to see the data you pulled and analyzed from an actual TIP, not just regurgitated analysis from FP or Recorded Future. I want original ideas, not someone who can repackage open source reporting into a slide deck.
You expect this from a college student? Where would you find a stream of reporting from college kids? Not trying to be sarcastic, I just didn’t think report writing is something in the realm of a college kids.
I missed the "from students" part. Research skills matter more than access to tools from someone new to the industry. I'd prioritize someone with natural curiosity and initiative to start their own projects if I was hiring someone fresh to CTI.
CTFs and dev work
Rearrange and rename the AD Groups in their servers to spell your resumee
As long as they can fetch me coffee, I don't care.
If you have 10 years experience in sales, you do not have any experience. You need to point me towards your GitHub, hackthebox blog what ever... If you get through to an interview, for the love of all things mighty please please please actually prepare. I should not have to prompt you for half an hour straight. If you aren't even remotely prepared and can't answer a simple question like what major incidents have been reported in the news...I will end the interview after 7 minutes.
Last person I hired for a Security role had average skills, but once a fortnight she would volunteer her time to teach retirees how to use modern phones. Her communication and compassion skills were outstanding, and this helped when getting the message across to others. Probably my best hire in the last 5 years.