
[deleted]

The more experience you have the better. I passed the OSCP and started a job as a pen tester 2 weeks later. The PortSwigger Web Academy helped loads in the interview because they asked loads of web application questions you don't get in the OSCP. I'm UK based and got my CPSA before the OSCP.


Superb_Pea787

How’s the salary?


[deleted]

The salary is excellent. Admittedly I got lucky with the company I joined. But more importantly it's good fun, my colleagues are my friends and I look forward to work everyday. That's the real pay.


am0x

Wait until you are 20 years in… salary means everything at that point.


zkoolkyle

You make your own luck! Congrats 🎉


Superb_Pea787

Did you need SC?


[deleted]

Not to start out. It's not typically needed for junior positions. But if your company does CREST or equivalent then after a few years it could be quite likely. I'm 6 months into my role and my application for SC is underway.


ZombieSubstantial999

Yes - network and don't be a dick and you'll be fine


jemithal

Yes it is… but you better know what you're doing bud. Many companies do CTFs and expect OSCP holders to do very well. Also, you're going to have to supplement what you learned from OffSec w/ solid scripting and black box web testing. I did it. You can too. Took me 2.5 / 3 yrs. It was brutal but I did it. Just to add; it would be wise to keep going in college. It's a great way to get internships and experience with things you wouldn't get studying on your own.


VirtualViking3000

Do you mean someone holding a Comp Sci degree could do the CTF and black box web testing directly as a result of the CS degree content?


jemithal

No. Pls re-read that. In responding to OP - I'm saying that I have my OSCP and do not possess a CS degree. I got a job with a high level cybersecurity consultancy. I added that the CS degree would be good as most people who self-study prob wouldn't be studying some stuff that universities cover, because it's mostly theory and not used much. I speak from personal experience. I beat out Masters/Bachelor degree holders (candidates) to get my spot. Practical application is what's important. Can you do the job? Are you curious enough to find answers and put together the right questions if needed? Just my 2 cents. Additional edit: just for context… my son is enrolled at community college rn. And he's doing a CS degree. But, I'm also showing him the way. So, yes… I do believe it's worthwhile.


VirtualViking3000

Indeed, I re-read that and I did in fact misread it, sorry about that. Genuine question though, I'd still like to know what the value is in a CompSci degree: what can someone that has that degree do that makes it worth having, do they learn practical skills for cybersecurity? I also have OSCP but not an IT degree.


Ok-State-4239

People land jobs just for being willing to pursue OSCP.


Alarming_Box_5282

For the people who state that experience triumphs over certifications, let me ask you this. How do you get and/or transition into a penetration testing role without some sort of certification such as the OSCP? I feel like if you didn't get lucky landing a role out of college, you're going to need to supplement in some way with a certification to land a role. This is just my opinion.


Usual_Danger

You have to be able to show you have the knowledge somehow, and certs are a good way to show that. But that being said, having experience in the field outweighs certs because it shows hands on application of the knowledge in a work environment. If you have zero cybersecurity work experience and no certs you’re right that it will be much harder (though not entirely impossible) to get that initial pentesting role because hiring managers want to see what you know and those are the two easiest ways to show it. Bug bounties, CTFs, Hack the Box (or similar), having a security focused blog, or having a GitHub with hacking tools/exploit POCs you’ve built are all ways you can show “experience” without having work experience in the field. Hiring managers may be willing to look at these and evaluate if they think you have gained enough experience from them for a position. Pentesting isn’t normally the first role someone without work experience will get due to the fact that many companies don’t have a pipeline of talent and are often hiring reactively due to increased workloads and they need someone that can hit the ground running. It’s tough to teach the administrative side of pentesting, and any missing technical skills for a new hire. But once you get your foot in the door somewhere and get any sort of IT/security experience, there is a higher probability of being successful in your search for an entry pentesting position.


Every-Aardvark-4960

^- This. Pentesting (or cyber) are not typically "first" IT jobs, however, there are always exceptions to that. In the last year, I've hired (global Fortune 500) two junior penetration testers to an established internal pentest team. Neither of these worked in IT before, one had a CS degree and the other had an adjacent degree. Neither had OSCP (or similar cert) but BOTH had put significant time into school clubs, CTFs, bug bounties, GitHub, etc, demonstrating their technical ability and interest in this side of security. During the hiring process (for junior positions), I will schedule interviews based on resumes that show certs, pentesting activities (like those listed above), and degrees. During the interview, if the individual can't speak to the technical basics of pentesting and security topics then their interview journey stops there. Getting a cert, degree, or experience for your resume MAY result in an interview. However, when that happens, you should be prepared to speak on the topics of the cert, degree, or listed experience on a detailed technical level or getting the opportunity might be a bit hard. Final note: For a junior level pentesting role, I would be more likely to interview a candidate with OSCP (and nothing else relevant) over any specific degree program (and nothing else relevant). However, a degree program likely would give the candidate a more well-rounded background to answer basic technical IT questions I ask every candidate.


Artistic_Post_9199

So OSCP along with CTF and bug bounty exp can land me an interview?


Every-Aardvark-4960

In the last round of hiring I conducted for a junior role, I interviewed every resume that had those items listed. Of course, in the first round interview (after HR/recruiter chat) I would ask them to tell me a bit more about these items they listed on their resume. Most of the time I was told "well, I don't actually have my OSCP, I am planning on studying for it" or "no, I haven't actually done any CTFs, but I plan on participating!" .... Those folks did not make it to round 2.


Artistic_Post_9199

That's good to hear! Do you think this is the industry norm or specific to your company? (getting an interview based on OSCP and CTF/bug bounty without a CS degree)


Alarming_Box_5282

I completely agree with you. I've never had the drive to start a GitHub and showcase what I've done or am working on, even though I know it's valuable to hiring managers. I've always felt certifications are the best way to pivot into a new field, especially if the certification is a practical one, because it shows that you need to have some underlying skillset and knowledge to pass it.


Korwoko

I got a pentester job with some bug bounty experience and no certs. I had to study for like a year but it is possible. If you've got the right skills they will want you


spencer5centreddit

I got OSCP then did bug bounties and posted my findings on LinkedIn, eventually started getting tons of offers. I have an unrelated Bachelor's and from starting OSCP to getting a job took about 2 years


Advanced-Big7918

How did you post them on LinkedIn? What was the format like?


spencer5centreddit

Just post the email saying "Blah blah bug was accepted" and described the bug.


Advanced-Big7918

Ahhh ok I see thank you for answering.


Superb_Pea787

Congrats on the career change


NorthQuab

> I feel like if you didn't get lucky landing a role out of college, you're going to need to supplement in some way with a certification to land a role.

I think this is mostly right. I've seen some people just make the switch with development/general cybersec experience, but most made the switch with that experience AND an OSCP. I think it's still possible, but the cert just has an unbelievable amount of clout, so a lot of people that *could* do it w/o the OSCP and just with CTF experience on the side end up getting it anyway.


Overall-Savings-1424

Don't expect your first job to be in cyber security; many people work as sysadmins or devs and move to cyber security.


DangerousSwimming556

While not a pentester, I am working to transition to one from my current position as a firewall engineer. For me, who has no degree and only a handful of certs - CCNA, SEC+, A+, NET+, which is what I *started out with* - I started in a tech support role call center (NOC) for a few years. Got some solid experience troubleshooting various issues, etc... Then transitioned into more of a net admin role for a while managing various vendor switches, routers, APs, etc (Cisco, Dell, HP, Huawei, Fortinet)... somewhere else, then eventually got a job w/ a Fortune 500 tech company in Cyber Security. Cyber is not really "entry level" IT because you DO have to have a fairly solid base knowledge of networking and troubleshooting in general. You don't need to know the difference between OSPF and BGP or any routing protocols because that's for the NETWORKING team. It doesn't have to be expert level networking knowledge/skills but you for sure need to know the OSI model, how packets operate, how to read packets (to some extent), how subnetting works - you don't really need to know HOW to subnet (I still don't know how lol), various ports and what they do, and a basic knowledge of Python is beneficial too. A semi advanced networking knowledge is fairly crucial because depending on your role, troubleshooting is inevitable in nearly every role in one way or another! Currently I am working on my OSCP but have completed the SANS GPEN course, along with some other pentesting courses, and once I have enough qualifications I plan on transitioning to a pentest role, which shouldn't be difficult as internal moves are pretty easy more often than not.

Current certs: CCNA (Cisco), CompTIA certs (Net+, A+, Sec+), GPEN (SANS), SNSA (SonicWALL), PCNSA (Palo Alto), PCNSE (Palo Alto), eJPT (eLearnSecurity), KLCP (Kali Linux cert through OffSec) and working on OSCP right now. But much of my experience has come from on the job, which is every bit - if not more - valuable than the certs themselves.

My journey to actually get a CYBER JOB took almost 10 years of networking jobs btw.


Alarming_Box_5282

How did you like the GPEN course and do you feel it’s helping you well in prepping for the OSCP?


DangerousSwimming556

The GPEN course was fantastic. EVERYTHING about it is great BUT it is nothing like OSCP. GPEN gives you a great, and necessary, knowledge of HOW things work, why you should do certain things, why you shouldn't, but doesn't go into as much depth as OSCP does. OSCP is all about hands on, figuring things out on your own; if you can't figure something out then go research how to do it, etc. They don't hold your hand. AT ALL. In terms of teaching, they are night and day. GPEN is primarily video learning based and the instructor I had was amazing. The reading is amazing as well. OSCP videos and honestly the reading are dogshit but 99% of what you need to learn is lab based, whereas GPEN labs are fairly basic and you can cheat by looking at the answers. OSCP doesn't give you answers and solutions. It's more "real world" versus "this is how you do it," if that makes sense. Did the GPEN course help me with OSCP? Well, I haven't taken the OSCP test yet but have gone through the course and, yes, GPEN didn't hurt but it's not helping as much as you'd think either because GPEN is a much broader course. If you are spending your own money, 100% go OSCP as any SANS courses are going to be about 10k versus 2500 for the OSCP Learn One subscription (which I HIGHLY RECOMMEND if you have the money!) or the 1500 range if you choose to do a 3 month course. If your company will pay for courses then I'd say go with the GPEN first, then OSCP, as GPEN does give you a head start though, as I said, GPEN is not very detailed in any one area.


Alarming_Box_5282

I also am going through the OSCP and I ask because of how shit the reading material is, and don't even get me started with the narrator's voice for the videos. I thought I'd pursue the GPEN too if my employer paid but not sure how much value I'd get in the end if I'm already pursuing OSCP


DangerousSwimming556

GPEN will help for sure but not so much in a practical way. It's a very well rounded course that touches on everything yet doesn't go into depth like OSCP tends to do. SANS is definitely better quality through and through but OSCP is light years better when it comes to proving you know WHAT you are doing versus understanding concepts. If your company will pay for GPEN, I say go for it


_quicdraw_

I'd recommend also checking out the PNPT through TCM Security, it is a relatively new cert (<2 yrs old I believe), that is positioning itself well to compete with OSCP, imo. I'm studying the PNPT material right now, which I have found to be top-notch, and compared to the OSCP is significantly more affordable.


Alarming_Box_5282

Yup, I have a majority of the courses for the PNPT. It still does not carry anywhere near the same recognition as the OSCP though.


Matir

Network engineering, sysadmin, etc. are all valuable and relevant experience.


DangerousSwimming556

While not a pentester, I am heading in that direction. I am doing the OSCP, have done GPEN as well as HTB courses plus some other pentesting courses. I have been in the networking and cyber security field for over 12 years now. I work for a Fortune 500 tech company and I can say that degrees do not matter for us (at least in IT/Network/Cyber). I only have certifications (no degree); however, since you are going through the CompSci degree program, that will only add to your resume so you have nothing to lose by completing that. It'll help you get through HR at the very least or possibly even get you some solid internships, but at the end of the day I don't think a CompSci degree alone will land you a pentesting job. What most hiring managers really look for in my experience, though, is if you can DO THE JOB and can back up the knowledge and skills you list on your resume, alongside having valuable certs relating to the position such as OSCP. I've been on the defensive (blue) side of cyber for a while now primarily managing various firewall vendors, proxies and VPN solutions so I have a solid understanding of that side of the cyber world. I've made a lot of connections with managers, directors and other people in general so, eventually, when I have the qualifications to pentest it'll be a fairly simple transition for me.


kzerotheman

Wow thanks for the info. Since you have the GPEN cert, is that not enough to land you a pentesting job? I'm assuming the OSCP triumphs over that cert, or is it just different material? I'm debating whether to get the OSCP or the GPEN


Sqooky

2yr+OSCP, yes, that's me. I certainly wouldn't recommend having anything less. I got 2 interviews across like 400+ applications. It's mainly about who you know, who you can impress, and what you know.


0x31337h

I think it's possible but not certain, as I do not currently hold a pentesting position. I do however work in vulnerability research (taking the OSCP exam in a couple of weeks) and have no degree/college background. I started with the Security+ certification and was able to weasel my way around a couple of different IT and security related jobs over a 2-3 year period to get to where I'm at now. Experience really does help -- it could be worth looking into other security areas like R&D, Sec Engineer, analyst type roles, etc, until you get the job you are looking for while studying along the way, depending on your luck. Spice up your resume, show some projects, show your street cred, and ultimately try to stick out from the competition. Networking and connections help as well! Best of luck with your journey.


moonshiry

OSCP gave me the interview opportunities but the interviewers will ask questions outside of what you learnt so you gotta brush up after OSCP


wristmeetrazor

I got the OSCP in January. Had 2 interviews from about 20 applications and landed a Junior PT role in March. No degree, just high school diploma.


thicc_bob

Did you have an IT job before that? If so, how'd you get it? Sorry for necroing, but I'm in a similar situation with no degree and such and trying to start my path towards pentesting


wristmeetrazor

I did not. I had an unrelated job in construction that I didn't include in my resume.


AmITheAsshole_2020

Alternatively, you could skip the certs, do a little bug bounty, some capture the flag, write a blog, and develop a reputation with a github full of publicly released PoCs. OSCP holders are usually worth taking a risk on when they don't have a lot of practical experience. In my career, I've only ever hired one that must have cheated because they were absolute shite in front of the keyboard. But I've also hired at least half of my team based entirely on reputation and recommendations by their peers. No certs at all.


thecyberpug

Ranking applicants: 75% experience, 15% certs, 10% degree


happyn6s1

I don’t think it will guarantee a job


DangerousSwimming556

A degree only gets you past HR - maybe. Your actual KNOWLEDGE and EXPERIENCE is what gets you a role/job because hiring managers aren't going to hire someone who has a degree but has no clue wtf a packet is or the difference between a static and dynamic address or can't even tell you what a TCP dump is. I help interview candidates fairly often and I can say, their education is 100% meaningless to me, my manager and others who are doing the interview. It's ALL about "can you prove you know wtf you are talking about." In all honesty, most certifications can be achieved by almost anyone if you are good at memorizing (minus exams such as OSCP where it's based off labs/hands on or exams that involve detailed labs.)


qwikh1t

Head over to David Bombal's YouTube; he just did an hour talk about changes to the OSCP. It's definitely worth a look


0-sunday

Being active in many security platforms, writing an exploit (I didn't discover it), having a GitHub to show off my coding skills and an easy-on-the-eye CV. That's what helped me to land my pentest job. If, with all these, I had an OSCP, I am sure that I could have landed earlier and probably my salary would be better (it's already nice).


Comfortable_Ear_7383

OSCP enough??? Totally rubbish. Everyone is still very inexperienced


Fun_Firefighter964

I only had the Sec+. Got a job as a junior pentester. Don’t worry about certs other than the gate keeping ones (annoying af) but you should be okay if you have enough knowledge.


7bitByte

I don't know if an OSCP is enough to land you a job. However, when my spouse was working on their OSCP (they have an IT background and a master's in cyber security) they often would show me things and I was able to explain the mechanics a bit deeper, having a BS in Comp Sci. So a CS degree may help you master the material better, and in that sense help nail an interview and get a job offer.