So you wanna be a Hacker?
Intro
Over the last year or so I have been asked this question on many many many occasions "Hacking sounds cool, how can I join your team/department? I'm keen on getting into the Information Security world", and unfortunately it's often followed up by some potentially misleading advice.
That being said, I'm sure some advice is better than no advice LOL.
So after my boss asked me how I would go about doing a blueprint to get potentially smart individuals into our team at work, I thought I'd give my 2 cents to the already hotly debated topic and possibly help a few guys and gals find a way to get started in infoSec.
As you guessed, most people are not sure where to start, or how to start, and often ask "How do I become a hacker?" So here, in my opinion, is a 10-minute ramble on how to get started...
The number one trait companies look for in a potential security expert
The answer is simple ... Self-motivated individuals. If you have a lack of motivation to learn on your own then your infosec journey and career, unfortunately, ends here. You're not going to get spoon-fed in this industry, 90% of the seasoned hackers you interact with have all done or made it themselves, they are all self-motivated and independent learners. That all being said, if you fall into the above-mentioned category the rest of this article is for you, presented as a possible guide on which infoSec rocks to look under to speed up your research into the field.
How long is a piece of string?
¯\(ツ)/¯ is the answer I give to this question normally :) as it's open-ended, ambiguous, and has all the similarities to the question I often get asked: "How can I get into hacking?".
In the ever-growing, insanely huge world that is now information security, fields are so specialized and deep that you could spend the rest of your time trying to become an industry leader in a selected topic. Listed below are some example areas that are by no means an exhaustive list, but rather give you an idea of the options available.
Most common fields
- Web Application Security
- Mobile Application Security
- Network Security
- Cloud Security (the new hot topic)
- Targeted Attack Simulation
- Red, Blue, and Purple teaming
- Reverse Engineering
- Malware Reverse Engineering
- Incident Response
- Exploit Development
- Forensics
- Wireless Security
HAHAHA ok, so the list got a bit longer than expected...
Learning
"Ok, I get the hint – I need to learn things myself, but can you at least give me a starting point?"
So a lot of this article is coming from the assumption that you have a decent grasp/understanding of the basics. If you have an IT background then I think you should be just fine 😄
Here is a brief breakdown of what you asked for .... So let's get to it 🥳 ...
Table of contents:
- 1. Formal
- 2. Informal
- 3. Do you need a degree?
- 4. What should my first certification be?
- 5. Get experience part-time!
- 6. Get some Exposure
- 7. Training and Practice
- 8. The "In house" Path
- 9. The "Consulting" Path
- 10. Impostor Syndrome
- 11. Misconceptions vs Reality
- 12. Conclusion
1. Formal
Outside of the free resources, you can also start getting technical certificates to make yourself more appealing to potential employers if you wish to transition into the infosec field as a career path.
The 2 major players at the time of writing are Offensive Security and eLearnSecurity (now INE).
The certifications I would highly recommend are:
- eLearnSecurity Junior Penetration Tester - (eJPT)
- eLearnSecurity Web Application Penetration Tester - (eWPT)
- PEN-200: Penetration Testing with Kali Linux - (OSCP)
- WEB-200: Foundational Web Application Assessments with Kali Linux
In my personal experience, the OSCP and eWPTXv2 courses and certifications stand out as some of the most enriching educational experiences I have encountered. Engaging with these programs for a period of 3-6 months offered me more knowledge and skills than I had managed to acquire on my own over the course of a year.
2. Informal
This field is pretty cool and unique in that virtually all the knowledge you need can be learnt without spending a dime. There are loads of awesome free or cheap resources out there, depending on what you're into.
- YouTube is great for learning pretty much anything.
- INE has some solid free starter courses.
- Udemy's got cheap courses, just pick them carefully.
But my absolute favorite resource? Try Hack Me. It's a game-changer. If you put in the effort, it can get you from newbie to OSCP-ready in under six months!
3. Do you need a degree?
When it comes to college degrees, picking the right major is key. Yeah, you can have a background in Fine Arts or Finance and still break into the Security field, but you'll need to beef up that resume with some solid experience and certifications. This bit is especially for those still in high school or just about to hit college and wondering what to study.
My advice? Lean towards majors in the computer realm like computer engineering, computer science, information technology, or computer security. These programs cover different areas, so it's on you to pick courses that not only catch your interest but are also relevant to the security field you want to dive into. And don't forget to find extra material to deepen and reinforce what you learn in class.
Computer Engineering
if you want to learn things like C/C++, Assembly, ARM, electronics, design of individual microcontrollers, microprocessors, circuit design, embedded systems, reverse engineering, and be more low-level, software and hardware-focused in security.
Computer Science
if you want to learn C/C++, Java, Python, Assembly, memory management, networking, computer security and cryptography, and be more software, low-level, and dev-ops focused.
Information Technology
if you want to be more generalized and learn things such as Java, Python, C/C++, SQL, databases, networks, Windows, and Unix administration, and be more high-level with a focus on web applications, corporate technologies, and network pen testing. Just do note that for this degree you will need to choose your classes wisely to focus on what you would like to do. For example, instead of taking database management take a class on cyber security or computer engineering.
Computer Security
if you want to be directly security-focused and learn C/C++, Java, Python, secure coding, cryptography, network security, and some computer hacking. This initially will allow you to be more Web App/Network Pentesting focused, but like in Information Technology just make sure to supplement classes that don't fit in or that would be more interesting/beneficial to you.
So will a University education teach you everything that you need to know? No! Far from it!
Think of it as a stepping stone into your career. While it can provide you with a lot of knowledge and the basics, the rest solely relies on you to supplement your learning with additional material, training, and practice.
4. What should my first certification be?
Certifications are a great additional learning tool, which can help you excel in your career while teaching you at the same time. Now do note that a lot of people in the Information Security industry are torn between certificates, meaning that some prefer a particular route - everyone has an opinion about them.
Certifications are also a great addition to your resume and show a potential employer that you can learn and retain information about certain topics. Just make sure that when you're doing a certificate it's because you want to learn, and not just get a few additional letters after your name. So many people pursue certificates thinking it will help them get their foot in the door, only to fail the interview because they never really learned anything… I've seen some of the guys with fake OSCP certs out there!
At the same time, be careful of what certificates you take. Take into consideration their reputation, their cost-to-benefit ratio, student reviews, and curriculum.
So what certificates do I recommend .....
I highly recommend the following courses to get you on the way:
- eLearnSecurity Web Application Penetration Tester - (eWPT)
- eLearnSecurity Web Application Penetration Tester eXtreme - (eWPTXv2)
- Offensive Security (Pen-200 - OSCP)
- Offensive Security (Web-200 - OSWA)
- Offensive Security (Pen-300 - OSEP)
- SANS SEC542 GWAPT
- SANS SEC560 GPEN
- Amazon Web Services Certifications
Just note that these are a few of the certifications I like. This doesn't mean that you need to go and get them all done; these are there to just give you an idea. Do some research about these certificates and choose what you want. While SANS is expensive, they are good. This blog post is already getting long as it is, so I'd rather not ramble.
5. Get experience part time!
If you're a student or already working, you're going to need to kick off your learning journey while juggling your other work commitments. I get it, this sounds like a tough balancing act. But hey, if you're reading this and you're set on "becoming a hacker," then deep down, you probably expected me to say this.
6. Get some Exposure
GitHub, YouTube, and blogging are like your best buds in this journey. All the stuff you learn, the code you write, the Try Hack Me labs you do – write about it, save your work on GitHub, and share it with others! Doing this is super valuable when you're applying for a job in info sec someday. It's a great way to show that you've already put in the effort. It proves you're not just into the cool "hacker" image from the movies, but that you're actually willing to put in the time and work to be the real deal!
7. Training and Practice
Alongside college, self-learning, and certifications, training and practice are key. Yeah, training is often part of certifications, but I think it deserves its own spotlight. There's a heap of resources out there for training. In this section, I'll share some spots where you can practice your hacking skills safely, without the risk of a jail stint. Trust me, you're way too good-looking for jail!
Before I dive into the list, remember it's not all-inclusive. These resources are here to teach you the basics and broaden your know-how. And hey, if you're ever stumped, curious about a new topic, or can't find what you're looking for, just Google it! Being a hacker means you've got to be a whiz at Google-Fu!
So, here's a bunch of resources to help you get your practice in!
- Hack The Box: https://www.hackthebox.com/
- Google XSS Game: https://xss-game.appspot.com/
- Pentester Labs: https://pentesterlab.com/
- INE: https://security.ine.com/by
- Pen-200 OSCP: https://www.offensive-security.com/pwk-oscp/
- Web-200 OSWA: https://www.offsec.com/courses/web-200/
- Pen-300 OSEP: https://www.offsec.com/courses/pen-300/
- SANS: https://www.sans.org/emea/
- Try Hack Me: https://tryhackme.com/
- CTF Time: https://ctftime.org/ctf-wtf/
8. The "In house" Path
The internal path is a bit slower but often simpler. On this route, you aim to join an Internal Security Team, focusing on stuff like Red Teaming, pentesting, and security audits just for the company. Landing a role can be tough, so try to grab internships or junior positions in a company that either has a security team or is setting one up.
Most companies will look for a college degree, a certification or two, and some past experience in roles like a system administrator or security analyst. These teams need you to really get the ins and outs of their network, the security measures in place, and where the weak spots might be.
Starting early in a junior role helps you learn all this, making it easier to prove you're up for the job. Plus, getting a promotion or a new position internally is often smoother than applying from outside, since people already know what you can do.
9. The "Consulting" Path
The consulting route is often quicker, especially if you've got the skills and know-how. Here, you aim to be a security consultant in a big company or firm. You'll be hired out to test other companies' web apps, networks, hardware, etc. To snag a spot like this, you usually need a 4-year BSc or Engineering degree and go through a 3-6 month grad program before potentially becoming a junior security consultant/pentester.
In the past, most consulting firms trained about 80% of their staff, with a few hiring only top-tier experts after tough interviews, technical challenges, and face-to-face meetings. They test you on everything from web app security to network pentesting and even reverse engineering.
Once you're in, these companies are keen on upskilling you. They'll give you resources, a training budget, test labs, and shadowing chances. Just make sure to learn quickly! After they invest in you, they expect you to be ready for client projects within 3 months max!
10. Impostor Syndrome
Alright, I've got to say, this isn't unique to security, but because of the field's nature and the kind of smart, intense folks it attracts, it can be a pretty intimidating career! Everyone in this field, at some point, feels this pressure or even deals with it daily. It's pretty common in infosec, where there's this expectation to always be on top of the latest exploits or the newest fancy lateral movement tricks.
But remember, everyone's in the same boat with this. Just because there are other security whizzes out there doesn't mean you're not great at what you do, or that you can't rise to become the next big star in infosec.
11. Misconceptions vs Reality
Misconceptions
- All Hackers are Bad, Right?
  Reality: Not at all! There's a big difference between ethical hackers who help improve security and those with malicious intent.
- A Vulnerability Scan Equals a Pentest?
  Reality: Nope, they're different. A vulnerability scan identifies potential vulnerabilities, while a pentest actively exploits these vulnerabilities to test a system's security.
- Hacking is Easy Because of Tools, Right?
  Reality: It's not just about tools. Hacking requires a deep understanding of systems, networks, and various technologies.
- Hackers are Just People Sitting at Their Computers All Night Stealing Passwords
  Reality: Hacking isn't a Hollywood movie scene. It's a skilled, technical profession that involves a lot of complex problem-solving.
- Can You Hack My Boyfriend's Phone?
  Reality: Ethical hacking doesn't work that way. It's about improving security, not invading personal privacy.
In reality, hacking involves a lot more than what people typically think: it requires technical expertise, a strong ethical framework, continuous learning, and a deep understanding of both security systems and potential threats.
Reality - What Hackers Actually Do:
- Fixing Code: Hackers often spend time identifying and resolving code vulnerabilities to enhance security.
- Writing Tools: They develop specialized tools to automate or assist in various security tasks.
- Hours of Research: A significant amount of their time is dedicated to researching new technologies, vulnerabilities, and security techniques.
- Writing Security Reports: Preparing detailed reports on security assessments and vulnerabilities is a key part of their job.
- Dealing with Clients: Communicating with clients is crucial, especially when explaining security risks and needed measures.
- Discussing 'Bug' Fixes with Developers: Collaborating with software developers to discuss and resolve security bugs is another important aspect of their work.
This behind-the-scenes work is essential to improving and maintaining the security of digital systems, far beyond the stereotypical image of a hacker.
12. Conclusion
A good hacker will always actively seek out new and updated information, not wait for others to gift or share it with him.
The real difference between a script kiddie and a budding hacker is that burning desire to learn and understand the underlying principles of what he is working on.
Do your research to figure out which areas in the field excite you the most.
Honestly, I could go on for another 30 pages about becoming a pentester – this is just scratching the surface!
So, go out there, have a blast and enjoy pwning those boxes! Info security is an incredible field where you're always picking up something new. There's no one-size-fits-all way to get into this field; you've got to dive in headfirst. Once you've got the basics down, the rest starts to click as you identify what else you need to know.
I get it, you might want to become a pentester right this second, but these things take time. Remember, Rome wasn't built in a day. Take your time to soak up all the knowledge you can. Relish the learning journey, and before you know it, you'll reach your goal.
Happy Hacking!