Getting a Job in Infosec: From Noob to OSCP to Hired in 434 Days

This is a bit of a clickbait title but first, I am bad at titles and, second, I did indeed switch from a software job into the infosec world (and pick up my OSCP along the way in X days).

I have helped others get started in the cybersecurity field before, and hope to do more of that with this post. Since cybersecurity is an applied field, the more diversity and cross-domain knowledge we have, the better!

This is an incredibly long (7500 word) post that is roughly 20% on how I got into the cybersecurity field, and the remaining 80% on how to turn this into a broad strategy to help you get into cybersecurity, one that basically works by reverse engineering what sounds interesting.

Of course, what worked for me might not work for others, but I tried to make this as broadly useful as possible.

My story lol 😌

Some people fall into this industry, I definitely did not.

While I’ve been on computers since a very young age (hello fellow millennials), I did not have a particularly tech-y childhood. Once I did get into the tech field, I had some pretty bad imposter syndrome that kept me away from security even after I was interested.

I majored in electrical engineering, focusing on embedded systems (after getting a music degree, lol). I’ll talk more about college majors w.r.t. infosec in a minute.

I worked as an electrical engineer for a bit, and then did other software work (web, mobile, IoT, desktop) when the original planned projects fell through. I also helped run a software meetup group which exposed me to organizing events, and introduced me to a lot of cool software folks in the Midwest.

After a few years in this job, I was interested in security but didn’t know how to get into it, and generally felt like I was too stupid to meaningfully participate (imposter syndrome :/ )

Cryptography nerd

But anyway, a few years into this software job, I read “The Code Book” and got super interested in cryptography (lol neeeerdddd). I was trying to teach myself Rust at the time, and tried implementing some of the classical ciphers in the book. This was one of many unsuccessful attempts at learning Rust (Rust evangelical task force, I appreciate you but please do not contact me about this).

While the Rust portion was a failure, I incidentally found a use for my new nerd skills via this online “quiz” by USCC, which is a government program that helps get people educated in Cyber™. Lucky me, that particular year’s quiz was cryptography focused.

I didn’t originally know this, but scoring well enough on the quiz meant an invite to a cybersecurity bootcamp (I almost didn’t go because wHaT iF I LiKeD iT tOo MuCh).

I went to the bootcamp, learned a ton about cybersecurity via 4 day-long classes hosted by SANS instructors, and then did a CTF. I absolutely loved the CTF. I was instantly hooked. I shared contact info with the other campers and we continued CTFing on weekends, remotely. We were terrible at it for a long time, but eventually started getting better.

Nearly a year after this, it turned out I did like this security thing too much, and decided to leave my current job without another job lined up, and without a specific path into the industry. I realize this is not an option available to most people, but I saved up money to take time off before job searching.

Leaving software

The original plan was to take a few months off, focus entirely on certifications, and then job search in earnest. What actually ended up happening was taking a year “off” while freelancing 20-30 hours a week to pay the bills, and doing certifications, CTFs, and self-taught learning in the meantime.

This year “off” started shortly after my first Defcon. I was dazzled by a lot of the speakers and compiled a list of bios that I thought were really cool, and used that to reverse engineer my way into infosec.

On my list was Security+, embedded systems experience, and OSCP.

Job searching

My top job pick (Grimm) also required embedded systems experience. As an EE, I had experience building and troubleshooting them, but not hacking them. Grimm specifically asked me to try some of the Microcorruption challenges so I did the first 18 (out of 19) and wrote up a blog post for each one. I also participated in a lot of Michigan meetups that Grimm folks either attended or contributed to in some way.

Some of the places I interviewed were kind of intense. One place had a 24 hour (!!!) evaluation similar to the OSCP exam, which did not go well at all. Failing that was a pretty rough experience, but as with CTFs, you gotta pick yourself up and keep going.

About a year after leaving my previous job, I was hired by Grimm as a security researcher on the CyberPhysical systems team and have been there ever since.

The interviewing process

By the time I was hired, I had known the team for the better part of a year via meetups and conferences. It wasn’t like there was a switch that flipped on where all of a sudden, I was eligible. Instead, they knew me, I had demonstrated interest and skills over time, and they finally had an opening. I’ll admit that most people do not have such a flexible interviewing timeline but the slow burn approach meant that they had already (implicitly) interviewed me over time and I had a huge advantage over other applicants when the position opened up.

Okay, cool story… how does this help me?

This post is about helping you get a job in infosec, so let’s get to it.

First let’s acknowledge that job searching sucks. I have not met anyone who enjoys doing it, and it feels pretty unnatural to most folks. In software, there are entire websites centered around helping you study for interviews. While I understand their intent, I don’t like the idea of “studying to pass the test” and optimizing purely for the job search process.

We’ve all got limited time and energy so let’s try to focus in on the important parts, reverse engineer a strategy from what sounds cool, double up on useful skills, and then represent that effort as best we can during interviews.

The strategy

  1. Narrow down the infosec field to a few specific sub-areas
  2. Find job roles or resumes within the areas you’re targeting, and identify the most important requirements
  3. Make sure you’ve got the basics down in programming, networking, and any niche-specific areas you’re interested in.
  4. Determine which certifications (if any) are necessary and make a plan to tackle them.
  5. Take the non-formal requirements and find ways to get experience through self-taught technical learning.
  6. Help others with your newfound knowledge and make things better for others in the industry, and double-dip on this by demonstrating “soft skills” at the same time.
  7. Learn how to put your hard work to use while interviewing
  8. Get u a job

Narrow down the field

Your goal in this section is to assess which broad areas are interesting to you, and then narrow the list down to a couple of areas.

When someone says “I want to get into infosec/cybersecurity” my first question is, which area(s) in infosec?

Because there are tons of different areas within the cybersecurity field. Red team, blue team, compliance, pen testing, industry-specific areas (car hacking, industrial control systems, medical devices), cryptography, and so on.

If you don’t know what you like, that’s fine! Nothing like testing things out:

Your decision in this section doesn’t need to be set in stone, but you’ll make things a lot easier on yourself if you have a general idea of what is interesting and also what you know you want to avoid.

Reverse Engineering a path into your desired field

Your goal for this section is to take the list of industries and drill down into specific jobs that appeal to you, then make a list of “requirements”.

You narrowed things down from all of infosec to a few industries/areas. Now let’s shop around for some cool sounding jobs and see what it takes to get into those roles.

Finding cool people and jobs

Earlier I mentioned that I went to Defcon and made a list of people whose jobs sounded cool. I read the bios of talks I was interested in, and took note of the bios where I thought “wow I wish I had this person’s job / career history / research role” and dumped those into a notes doc. Of course, speaking at Defcon != entry level, but seeing all of these bios let me pattern match how people got into cool jobs, and helped me reverse engineer how I might get a cool job too.

You can do the same thing with job postings. You should know that most job postings have way more “requirements” than what’s actually required, but they can still be useful for this step. Same approach here, I found some jobs (maybe 5-10) that sounded cool and dumped the requirements into a document.

Where do you find job listings? From the earlier section, you probably watched some talks or saw people on Twitter. Pull up the websites of the sponsors or speakers and look through job listings. That can give you an idea of what other job titles to search for.

These jobs might not still be open by the time you are ready to apply. That’s okay, we’re just looking for a blueprint.

Pattern matching

Between these two approaches, what keeps showing up? Certifications? Help desk experience? Industry-specific domain knowledge? Certain languages or skillsets?

Try to keep the order of requirements from each job post intact; this will help you figure out what keeps rising to the top. Most requirements are not hard requirements, but the point here is to identify things that have outsized influence and focus on these in later sections of this blog post.

When I was looking for pen testing jobs, I found that OSCP kept showing up. So that went on my list of things to tackle. It also appeared across multiple listings so I felt that, if I was unable to get a job at one company, I would not have wasted any time by focusing on that certification.

Note that some of these requirements are going to be very industry specific. Government jobs, for example, might require specific certifications more than commercial roles.

Get your foundations in place

Your goal here is to assess your programming and networking skills. Write down the skills you already have with a description of how you’ve applied them (at work, side projects, self-taught learning), and identify what you still need to learn and make a plan.

With some exceptions, it is incredibly useful (and dare I say required) to have some sort of technical background. This does not have to be a formal background. There are some “cybersecurity” degrees offered now, but this is still very new. I don’t think any of my coworkers have a cybersecurity degree. A lot of folks I know have tech degrees, such as in engineering, IT, or CS.

If you don’t have one of these, that doesn’t (necessarily) mean you need to go back to school. But you will need to demonstrate that you have the necessary skills (and if possible, show some kind of cross-industry relevance).

In general, I’ve found that infosec people have one of two backgrounds: programming, or networking.

Programming

You don’t need to be a programming genius, but showing proficiency in the area(s) you want to get into will help your prospects and future learning a lot.

So, where do you learn this? There are a lot of free online courses, you do not need to pay for this. My approach is to take a beginner guided course such as a free Codecademy course. Then, I try a small project to grow my skills (emphasis on SMALL, something you can get done in a weekend. do not fall prey to Side Project Syndrome). For example, maybe you write a C program that demonstrates some basic web socket idea, or you write a script that scrapes the provided URL and returns a list of links from the HTML.

Remember that your end goal is (probably) not to be a programmer but to get into infosec, so focus on getting to a level of understanding where you know what to Google, and you’ve “learned how to learn”. Being able to ramp into a new skill is very useful. Figure out what approach is useful for your brain and make note of it.

If you have never programmed before, you might need more guidance (this might also be available online for free but I am not up-to-date on this). I love everything that I’ve read from No Starch Press but I’m sure there are other resources too.

Networking

The length of this section is going to make it obvious that this is not my forte. But this is equally as useful in infosec, and I think can also be learned through some basic primers, and then some hands-on IT experience. Bonus points if you had help desk experience.

How much is enough?

In either of these categories, it’s difficult to judge whether you’ve learned enough. But when you get to the Learning section later, try to gauge whether you are getting stuck more on understanding the code/networking part or the applied security part. That will give you an idea if you need to work more on foundational concepts.

While more knowledge is of course useful, you do not need to master both of these to get into infosec. In my experience, most people are strong in one and have a basic (or greater) understanding in the other.

Niches

Depending on what you want to get into, there might be other foundational skills that are a bit out there. For example, my team at Grimm does car hacking. So car experience, like doing your own maintenance, rally car racing, or car modification is a big plus. Other examples include PLC experience for an ICS job. This is not necessarily a replacement for programming or networking experience, just to point out that there are some edge cases.

Credentials and Certifications

The goal here is to identify the most useful certifications for the jobs you are targeting, validate that these are required, and then get the certs.

Looking through our compiled list of requirements, are there any certifications?

As I’ve already alluded to, there are not many formal credentials in infosec compared to other industries. Cybersecurity-specific college degrees are still fairly rare, and certifications have largely filled that void.

Much has been written about certifications. Let me just say that as a woman in tech, I have noticed a lot of cis white dudes getting the benefit of the doubt where others have not. Of course, this is frustrating to me, but for the purpose of this blog post, my takeaway is to “backstop” all of your resume points. If I say that I have experience in $topic on my resume? You can find it in a certification I’ve earned, on my GitHub, or on my blog, or in a talk I’ve given. Maybe I’m being overly paranoid or doing unnecessary work, but I make a point to back up everything with receipts.

If you are brand new to the industry, CompTIA’s Security+ certification is a good beginner cert that is affordable and can open some doors. CEH is useful for DoD jobs.

If you want to work in formal government settings, requirements for certifications are likely to be actual requirements instead of nice-to-haves.

While I believe that certifications are important especially for underrepresented groups, do not get certifications for the sake of getting certifications! Like a college degree, this costs you time and money, and you want to be sure this isn’t better spent elsewhere.

If you are unsure, ask around in security groups (discussed later) to get a better idea of how it might apply to your situation. Once again, asking good questions is key. Ask specifics like “I’m interested in this forensics role for $bigCorp and am thinking of going for $certName. Is anyone in a similar role that could give me feedback on whether this is a good choice?” instead of just “should I get my $certName”. Likewise, I’ve seen people share their certification progress, as well as encouragement and resources in security groups.

With a few exceptions (like OSCP), certifications are not demonstrative of hands-on experience. So you’re gonna have to get that elsewhere.

Learning, Learning, Learning

Our goal here is to prioritize the most valuable non-certification requirements in our job listings, and then identify ways to teach ourselves the information. As you go through this, keep an updated list of what you’ve learned.

Now we’re on to the fun part of our compiled list, which is the domain knowledge that these jobs are looking for.

Note: I do not like the “show that you’re passionate OUTSIDE of work” bullshit thing that the tech industry does. A lot of the below recommendations do require effort outside of your normal job and while I know that is difficult for a lot of folks who have other life obligations, I do not currently have a better suggestion. Where possible, try to align this with things you already do (school/etc groups).

The lack of standardized credentials in infosec is both good and bad, because it’s essentially a “create your own learning path” adventure. This can be daunting, and also time-consuming.

Most of infosec, like the tech industry in general, suffers from gatekeeping, particularly in the hiring process. For example, how can you get experience if you can’t get the job to get experience? We’re going to go for the next best thing, which is teaching yourself (this section) and sharing with others (future sections).

Earlier, we identified the sorts of skills or requirements that might match jobs that you are interested in. Before we get into how we’re going to pick up those particular skills, let’s clear up a few things:

Since you already have an idea of what you’re interested in from the prior sections, look for those topics in the following sections (for example, a car hacking CTF, or a book on web pen testing, or a course on blue teaming).

While it’s important to have a plan (as you created earlier), you don’t need to stay on that singular path the whole time. A lot of stuff in a given cybersecurity domain has usefulness in other domains, so don’t turn down something that seems interesting just because it’s not on your list.

If you find something you’re really passionate about (say, Bluetooth) you might become the “Bluetooth Person” in a future pen testing role, even if that wasn’t in the original job role.

For the love of god please keep it legal if your goal is to get a job. I’m not trying to moralize, it’s just that we (tragically) don’t live in the 90s anymore.

In this vein, I don’t recommend any kind of freelance pen testing, because of the legal risk. You may be able to improve security at your current employer, or help with IT in a group you’re currently involved in, like a church or community center.

Give Back

The goal here is to take each thing that you’ve taught yourself (or maybe certifications you are working on, if it’s something you can share) and turn it into something that makes the field better for others. Keep updating your self-learning list, and add details for each thing on how you’ve applied or shared it.

You should have taught yourself a whole bunch of new stuff. Why not share it? This will help you solidify your own knowledge, help others, and create proof of what you taught yourself.

I’m not suggesting that you make the next $fancyNameHere open source tool or create a whole framework from scratch.

But there are plenty of things you can do that will be immensely useful to yourself, and to others:

Note: when commenting on other people’s stuff, please ask yourself first if they asked for the type of feedback you’re offering.

Note2: you might think that if everyone takes this advice, it will no longer work. I suppose this is true, but conferences and meetups are always short on help, repos are always behind on issues, etc. The likelihood of our industry being oversaturated with too many helpful solutions is, uh, low.

Imposter syndrome hits a lot of us pretty hard and it can feel difficult to believe that you have something important to add when there are all these l33t h4xx0rs out there making ATMs spit out money. Not to get all cheesy on you, but you do have something to contribute. Maybe you’re funny, or are good at coming up with metaphors (god knows I am not), or you have some kind of arcane weird knowledge that would be useful for the community? Maybe you’re great at illustrating abstract concepts? Maybe you’re empathetic, or you’ve faced unique challenges, or you simply have a different way of thinking? All of those things help new people understand important concepts, and when there are more ways of thinking and explaining things in an industry, that can help bring others in and make it a more welcoming and knowledge-full place.

Even if you’re a total newbie, you have a useful perspective. A lot of folks who have been in the industry for a while do not see the gaps in the same way you do (have you ever listened to someone who explains things in a way that assumes you already know everything about the topic?)

You don’t need to turn EVERYTHING you learn into a blog post / whatever, but aim for maybe one or two things per area you want to have proof of proficiency in.

So: write, volunteer, answer questions, participate in conversations, work on CTF challenges together, fix issues, help out other people. And even if exactly zero people read your blog post or watch your video, trying to help others is good for you mentally, and it also helps solidify your knowledge. You will not believe how many gaps there are in your understanding of a topic until you try to explain it in-depth to someone else.

And it also helps you…

Demonstrate “Soft Skills”

The goal here is to take each of the things we’ve learned and turned into something useful, and figure out how this “counts” towards the non-technical requirements.

You probably noticed that some of the job requirements weren’t technical, but instead fall under the category of “soft skills” (which of course is a pretty shitty name for something that makes up the entirety of how we actually share our ideas with other people).

Chances are you’re a tech person who finds it easier to focus on technical skills rather than soft skills. And it probably sounds like I’m adding another thing onto your to-do list. But you’re likely already demonstrating soft skills in the “give back” section, so let’s take note of that.

Why this is important

Soft skills are not some kind of flowery HR bullshit, they are actually useful for your job. While I’d like to imagine that my job is like this:

It’s more full of explaining to the client what is going on and how to fix it. I get to find cool vulnerabilities, but it does me or the customer no good if they don’t “get” it and fix it.

And even if you’re a l33t h4xx0r who doesn’t interface with customers directly, you still need enough soft skills so that people can actually understand how l33t you are.

You’ve probably got some specific non-technical requirements in your job requirements doc, and you should focus on those first. But I’ll talk generally about speaking, writing, and managing people/time.

We all hate the “what are your weaknesses” question, but if soft skills are legitimately a weakness for you, then pushing yourself in this area (while giving back) gives you a solid interview answer.

Networking

Your goal here is to join communities and meaningfully contribute, both to grow your skills and to meet people.

If you’re like me, you probably recoiled a bit at the word “networking” because it sounds, well… slimy. How do you make it non-slimy?

Put yourself in the shoes of a manager trying to hire someone new. You’ve put up a job posting and you know you need to find someone who has the technical chops, who won’t ruin the team vibe, and that can be trusted to do the work. You get dozens of resumes back… so, who are you going to choose?

It is a rough game being just another resume in the pile. I’m sure you’re aware of the incredibly depressing stat that most managers only look at a resume for ~6 seconds.

Managers want a sure option, and teams want to have cool coworkers. It’s hard to telegraph all of that through a single piece of paper (although I’m sure you’re a cool and talented person!). So the way to get around this is networking.

This is essentially “who you know” but before you roll your eyes at it, I am not suggesting that you go to events and hand out your business card and brown nose in hopes that someone will give you a job later.

What I am suggesting is that you meaningfully contribute to the community throughout your learning and job search process. People take notice of those who help out and participate, and in my experience, opportunities go disproportionally to these folks.

The infosec world runs (largely) on the contributions of individual people. Yes, there are big companies throwing expensive and boozy Defcon parties but there’s also a lot of open source tools and community-run conferences. A huge part of infosec is people coming up with cool ideas and then bootstrapping it into reality (ex: all the Defcon villages are community-organized).

I’m once again suggesting the “give back” ideas from the previous section, while emphasizing that helping other people in the infosec community naturally means that you’re going to start meeting other people, and that it also makes you a desirable job candidate.

It might bother you that your resume won’t be judged solely on its technical merits. But you do the same thing–if you’re getting something to eat, do you opt for a restaurant you already know or one that a friend recommended, or do you look through every restaurant in town from scratch? (I know, the metaphor’s a bit stretched). I’d bet that you’ll go with the more sure option 9 times out of 10, and your interviewer will be no different.

If you’re participating in these security groups, and they know you as a person who participates and helps out, and who’s looking for a job, most people will want to help you out. In Slack and Discord groups, this means seeing job postings before they’re widely shared, and getting to ask one-on-one questions of the person who posted it. Same thing for local meetup groups, where someone might refer you directly to a hiring manager. You might even get tips about jobs that aren’t publicly advertised at all, or not advertised yet.

You still need the technical chops to do well at the job, and you still need your resume to convince HR, so don’t think you can skip the certifications and learning portion. But going through the job search process with social proof ($employee met you and can vouch for your involvement in security groups) makes things a lot easier. The interview will probably be more chill too, since you’ve front-loaded a lot of the effort in proving that you’re a good hire through your helping and participating.

So, no feeling slimy or attending “networking events” with business cards. Just genuinely participating in groups that share your technical interests, where you’re able to learn and give back.

And all of this is way easier than just applying to job postings that you have no prior connection with.

Interviewing

I realize this is going to make me sound insufferably square but you can (and probably should) practice your resume and interviewing skills.

While the previous sections might make the interview process less intense, depending on the size of the company, you might be interviewing with people you haven’t met before. Either way, you want to make sure you’re prepared.

Resumes

You’ve likely got a bunch of new skills to add to your resume now anyway, and these folks can help you represent yourself well. Consider putting your self-taught learning, blog writing, etc. in an extracurricular section.

A lot of conferences have (free, online) resume “villages” now. Take advantage of them! This is likely a good way to get on people’s hiring radar, too.

Interviewing

As for the actual interview, you didn’t come all this way to get certifications, do extracurricular learning, practice soft skills, etc just to flunk your interview. You worked hard, so let’s demonstrate your effort well!

Here’s what I mean by “backing up your answer with something you’ve done”:

Interviewing is a pretty contrived situation. And, a lot of people struggle with talking themselves up because we’re taught not to brag about ourselves. But hiring is a financial/business decision. So, give them some examples so they can pattern match against their job requirements and let them decide from there. If you’ve put in the work, might as well represent it well and increase your bargaining power in the job process. Getting paid more is diversity work, gurl.

Cover letters

I’m officially square now that I am talking about cover letters. I don’t think that cover letters are needed for most cases, but they are great if you are doing something like switching industries. Otherwise, it might look like this person (with little to no security background) applied to the wrong job. But you don’t want to half-ass this.

Google “cover letter template” and use the middle sections to describe what you’ve been working on (again, from your list). Call out parts of your background that might be relevant (worked in retail? great, this person can be customer-facing). If appropriate, this letter can be an official cover letter or pared down into an email body to jog the memory of anyone who offers to forward your resume.

Disclaimers

I am but a single person so of course, this will not be representative of all hiring experiences. But I hope it will be somewhat useful.

Other disclaimers about getting into infosec:

Strategy Recap

Our cybersecurity career roadmap, altogether:

  1. Figure out what broad area(s) you want to go into
  2. Reverse engineer the role(s) you want: based on interests, local options, etc
  3. Get your foundation: programming or networking. You don’t want to be clueless in either, but work on building up some expertise in one or the other in a way that will help you.
  4. Determine what formal credentials you need (if any) and make a plan to tackle those
  5. Build up knowledge through experiential learning.
  6. Give back and support others through whatever method best suits you
  7. Practice your interviewing so that your hard work doesn’t go to waste.
  8. Get paid to hack!

Best of luck! 🍀