Preparing for a Career in Offensive Security

A few of my thoughts and recommendations on preparing for a career in offensive security (I'm currently a Staff Red Team Engineer at Adobe).

In this blog I’ll share a few of my foremost thoughts and recommendations on preparing for a career in offensive security (OffSec). The primary audience this blog is intended for is college students, but it can also be relevant to young adults or others in the pre-career or early career phase of life. This content can also be applied in other life circumstances, as it outlines how to plan ahead and prepare for long-term life choices and investments. For context, I’m a staff-level red teamer at Adobe.

Intro

Let’s begin with an assumption that you want to land a sweet job and get paid big bucks — I imagine this encompasses the goals of most readers. Generally speaking, the sooner you know your goals in life, the sooner you can start preparing for a smooth road and avoid unpleasant, time-wasting course corrections. Below, I’ll offer my personal recommendations that can help prepare you for when you graduate and start applying to full time jobs. These strategies are: know your options, gain the necessary skills, and prove your worth.

Know Your Options

Imagine all your friends are really into rock climbing, so you save up over several months and buy your own gear so you can tag along. You all go on a day trip to a nearby canyon and hike up a trail to the best wall in the area. You have a good time with your friends, but when you get home and have some time to think, you realize you actually preferred the hike over the actual climbing. Then you remember you just spent a small fortune on new climbing gear. Whoops.

Although this example is relatively inconsequential, it shows that there is value in understanding your options before committing too deeply. When this thought exercise is applied to your career, a wrong decision (or no decision) can set you back several years in specialization and experience, and tens of thousands of dollars in more student debt and/or lost revenue (opportunity cost).

First, do some research around the various career options in OffSec. Many will be very specifically offensive, while others may somewhat straddle that line. Here’s a broad, non-comprehensive list:

  • bug bounty
  • penetration testing
  • red teaming
  • infrastructure/systems design and implementation — C2, attack surface scanning, etc
  • generic offensive security roles
  • application security — can often have a splash of hands-on testing or scanning
  • blue teams — detection engineering can include exploitation validation, etc; threat hunting can include research on latest exploits and adversary tactics and sometimes some adversary emulation

There is plenty of online content available to learn about each of these — blogs, videos, books, websites. You may also consider meeting with a few mentors in various roles to learn about their experiences. The day-to-day job functions are obviously important, but don’t forget other things like expected total compensation, working location, travel requirements, etc.

As you begin to understand the options and narrow the list down to several of interest, the next step is to try to get some experience in those that attract you the most. At the beginning, start small, like side projects or elective courses. These are good trial areas that don’t require huge investments. As your positive experiences guide you towards your preferred specialties, you can then start to invest a little more, as we’ll discuss in the next section.

PS, I can’t count how many times I’ve heard college-grad new-hires mention they’re still unsure about what role they want to be in. This is normal, as experience is often required for us to know what we like and dislike. You’ll likely jump around a few different entry-level roles during your first few years as you understand working environments and job functions, but each should be as close as possible to your field and desired role so the experience you gain can easily translate over to your next gig and move you forward in the industry. Do note however that shifting roles later in your career can set you back in relevant experience, seniority, compensation, etc. Find a balance between deciding/moving too early, and deciding/moving too late.

Gain The Skills

OffSec skills take a long time to build because they often encompass multiple specialized skillsets. For example, an application penetration tester should be proficient at programming (multiple languages), systems design and development, systems administration, research, networking, databases, and business communications, to name a few off the top of my head. And then of course there’s the functional tradecraft — or your working capabilities — on top of those fundamentals: reconnaissance, scanning, specialized toolsets, network traffic manipulation, defense bypass, report writing, etc. I don’t mean to demotivate you, but rather to set expectations. A career in OffSec takes a long, long time to prepare for, as there is so much to learn. Specialized professions like surgeons — or in our industry, Red Teaming — take a lot of study and practice to get good at. For example, for me to get onto a Red Team, I did a Bachelors, a Masters, and then obtained 6 security certifications for the next 4–6 years while working full time in security roles, while trying to focus my projects and job roles and certifications in OffSec areas. You can read more about my career path in my Breaking Into Red Teaming blog. Not everyone needs to take this lengthy or deep of an approach to their career entry, but this was my path as I moved through various roles and eventually chose to settle on a Red Team.

At this phase in your career preparation, you need to start getting more than the basics. As you progress closer to areas of interest (listed in the last section), you’ll start to invest a little deeper in these areas. So instead of a mile wide and an inch deep, you should probably be homing in on a few areas of particular interest, and seeking to identify next-step opportunities to strengthen those skills and gain more experience. If we were to say that the previous section about knowing your options required spending several hours studying each job function, then we would say that this section requires spending several weeks or months in areas of particular interest. Here are several ideas to help you gain relevant skills and experience, while still not overcommitting:

  • After completing a class on a topic you really enjoyed and that you may be interested in working around in a full time job later (like networking, for example), becoming a TA for that class is an excellent way to keep your skills fresh, get paid doing it, have a teacher mentor, and put it on your resume as relevant working experience.
  • Similarly, taking an advanced course is another great way to take another step deeper into an area of interest. This will set you above the average, as most people around you or in your program don’t move on to the same elective advanced courses as you — they’re likely exploring their own different paths.
  • After you’ve built a decent amount of skill in an area, make sacrifices to obtain a job in that field. For example, I avoided jobs that I knew wouldn’t help me progress towards a career in cybersecurity, and I changed jobs every semester or two to make sure I was continually learning and improving and getting raises as I got closer and closer to security-related jobs. I was pretty much always looking for the next, bigger thing. I say sacrifice above, because you may avoid a $20/hr job and pick up a $15/hr job in your area of interest. Although this may feel like an expensive loss as a poor college student, in the long run, it’ll prepare you with career confidence, relevant skillsets, a boost to your resume, and likely a larger salary later, and all these vastly outweigh losing out on that +$5/hr increase for a short period.
  • Look for opportunities to center school or work projects around security-related skillsets. For example, I was a TA for an Intro to Information Systems Management class where one of the student projects was to build a webpage using basic HTML/CSS/JS. I had about 100 submissions to grade, so I took the opportunity to build a Python script to scan through the project requirements and spit out a grade for each submission.
  • Clubs are another decent way to surround yourself with like-minded students and mentors with similar goals, and can offer unique learning experiences that you may otherwise miss out on. For example, sometimes clubs participate in CTFs and conferences that could end up on your resume.

Ultimately, the strategy here is to find different ways to gain OffSec/IT skills and experience, while also obtaining value in other areas (compensation, addition to resume, new mentors/relationships, community impact, etc), as opposed to just private research. It’s really hard and unique to find a job doing OffSec in college, but there are plenty of other IT jobs that can build your core pillars that you will heavily rely upon later in your OffSec career.

Prove Your Worth

As you start becoming more proficient in several IT/security-related areas, you’ll need to prove your value to your potential employer. One way to sell yourself and beat the competition is by having a robust portfolio of bona fides.

While resumes are the industry standard document for applying to jobs, they’re also very private. Most people usually don’t post these in public places, rather they send them to specific hiring managers at specific companies. The point is, not many eyes see them. Alternatively, public work can reach a lot more eyes, and also serves as a reference on your resume so it doesn’t take up precious space, yet still acts as proof of your experience. Here are some examples of public bona fides:

  • Contributions to public code bases (open source tools, your own tools)
  • Participation in bug bounty or vulnerability disclosure programs and getting onto their leader or appreciation boards
  • Publishing your own analysis or walkthroughs of CTFs or new vulnerabilities (blog, video, X, LinkedIn, GitHub)
  • Speaking at meetups or conferences about how you solved a problem, or your experience in a topic, etc
  • Obtaining security certifications. While organized study can help you learn and provides an authoritative measurement of your knowledge at a point in time, it should not be relied upon as a sole means to prove one’s capabilities. In my opinion, many are simply proof that you could regurgitate some memorized answers, or that you know your basics, or that you’ve shown interest beyond baseline university classes. They’re beneficial to have, but be wary of relying too much on them. Try to be well-rounded. Also, the hands-on exams like the OSCP are much better than written/problem-based exams for proving your skill.

After you’ve accomplished a learning feat, don’t forget to publicize your achievements via social media or another appropriate channel. Sometimes it can feel a bit boastful, so be humble about it, and recognize that you do have to sell yourself to get hired. You can also usually reach more eyes if you have a more-seasoned mentor repost your work as well.

Also, learning of others’ experiences is a great way to consider and plan your own path. Here’s a reference to a college-grad’s experience applying to OffSec jobs after college, and ultimately making it onto the Google Red Team.

Ultimately this section is about standing out from among the crowd by proving your abilities. An interest or some study in OffSec (like just certs or classes) probably isn’t enough to get through the door, but experience acting inside the industry, or deliverables (bona fides), will go a long way.

Conclusion

Knowing the different roles in OffSec, gaining skills and experience in a few, and then showing your bona fides is the strategy I’d recommend for approaching a career in Offensive Security. Agile, incremental steps towards the areas you like will keep you from over-investing, while also progressing you confidently in the right direction.