Is hacking like in the movies? How do I start? What do I need to know? What skills should I have? These are questions that each of us had when we started. This article aims to provide a high-level overview of the security industry and give you actionable steps that you can take to start building your career.

Disclaimer: Information Security is a broad industry. The intended audience for this post is those who want to start a career in the offensive security space (e.g., pentesters, security engineers, ethical hackers, bug bounty hunters, etc.).
Introduction
So you decided to start a career in information security, but have no idea where to start and what to learn. No worries, we’ve all been there. There are tons of resources, hacking tools, and research papers, but still, breaking into information security is harder than ever. So…where do you start?
First of all, it is essential to understand that there is no magic recipe for becoming an ethical hacker. Success in this industry is a combination of soft skills, personality traits, and technical knowledge. Don’t believe me? Check out the #MyWeirdPathToInfoSec hashtag on X, and you will see that no two paths are the same. The odds are that your journey will not look like ours, or anyone else’s. So, instead of prescribing the path you need to choose, we give you a framework for thinking about your information security career. The information in this article should provide you with a broad understanding of the industry and offer you some useful tips on how to start.
Let’s start with a reality check
What is the first thing that comes to mind when you think of a hacker? A hoodied, shady-looking guy in a dark basement, where the only source of light is the glow of three or more monitors scrolling green binary code?
If you think hacking is like what you saw in the movies or in stock photos, well…I’m sorry to disappoint you. It is not — not even close. In reality, you work in a friendly office and spend much of your time writing reports, staring at a screen analysing things and trying to understand what’s going on behind the scenes, rather than typing tens of commands per second into a terminal. That doesn’t mean working as an ethical hacker isn’t rewarding. It is, but it might just not be that glamorous.
What do you need to get started?
Being a successful ethical hacker isn’t all about technical knowledge. While being smart, passionate, and technically skilled helps, your ability to think differently from others is what really sets you apart from the crowd. Your job as an ethical hacker is to understand how systems work, where their vulnerabilities are, and how an attacker can benefit from those weaknesses. If you can think like an attacker and a defender at the same time, then you are probably a good fit for the information security industry. Everything else can be learned. Hence, let’s start with the soft skills.
Soft Skills
The most important soft skill for an ethical hacker is creativity, together with the ability to switch between different thinking modes depending on the circumstances. For instance, code review requires you to think analytically, while testing a file upload feature leans towards a more creative approach. Different situations call for different thinking methods. Below are just a few types of thinking used in ethical hacking:
- Creative / Lateral Thinking
- Critical Thinking
- Analytical Thinking
- Abstract Thinking
- Holistic Thinking
- Probabilistic Thinking (Bayesian Updating)
Being a skilled thinker means that you continuously ask questions and analyze the information you receive. This way, you can come up with new ideas and unusual testing scenarios that can make the difference between success and failure. For every single feature, e.g., reset password, there are hundreds of possible test cases that can lead to a vulnerability. Your job is to find that working path.
Before diving into technical stuff, try to improve your creativity by doing lateral thinking puzzles. In the beginning, you may feel like the most uncreative person in the world, but no worries. Creativity is a capability that you can learn and a skill that you can develop with practice.
Also, try to build your own toolbox of mental models and start using them. Here are some excellent resources to help you:
- Thinking, Fast and Slow
- The Art of Thinking Clearly
- The Use of Lateral Thinking
- Your Deceptive Mind: A Scientific Guide to Critical Thinking Skills
- Blink
- Lessons Learned In Software Testing
- First Principles Thinking
- The Map Is Not the Territory
- Second-Order Thinking
- Inversion Thinking
- The Socratic Method
- Mental Models: The Best Way to Make Intelligent Decisions (109 Models Explained)
- Become familiar with philosophical razors
- Deductive vs Inductive Reasoning: Make Smarter Arguments, Better Decisions, and Stronger Conclusions
- Why Software Testing is Really Just Critical Thinking
Revamping your thinking process is not an easy task. However, if you want to become a skilled ethical hacker, this is something you should master.
Of course, you don’t have to know all the concepts from above to start hacking. In fact, you don’t have to know any of them, but learning the basics of the other disciplines would improve your problem-solving skills and lead to a more in-depth understanding of ethical hacking. It’s all about increasing the chances of finding cool vulnerabilities.
In addition to thinking skills, an ethical hacker should also possess excellent communication skills, both oral and written. In your day-to-day job, you encounter many situations where you need to explain technical concepts to people (your colleagues, managers, clients, etc.) who don’t necessarily have a technical background. For instance, you may need to explain to a client why running outdated software can have catastrophic security implications. Or you may need to explain to a developer who has never heard of CSRF how to fix a CSRF vulnerability. Not to mention that you have to write a summary report of your findings for each security audit you perform.
If you are not able to communicate clearly, you will be significantly less effective in your job, no matter how good your findings are.
Technical skills
When it comes to technical skills, whether you are at the beginning of the journey or already work in the industry and want to improve, the rule is simple: learn the basics. Experts in security are people who dedicated a significant amount of time to understanding the fundamentals and how to apply them.
I know—it isn’t fun, but it is necessary. Most people skip this step because it requires too much effort. But here is a good reason not to: if you invest time in learning the fundamentals, you’ll have an advantage over every other ethical hacker who didn’t bother to do so (and believe me, there are many out there). Did I convince you?
Great! Now let’s find out what exactly you should learn. We recommend you start with the following areas:
Programming
This is the part that terrifies some people, mostly because of the countless myths they hear before stepping into it. First, it is necessary to understand that “you need to learn to code to be a good ethical hacker” is not equivalent to “you need to be able to write commercial-grade software to be a good ethical hacker”. Security testing isn’t a programming job. Most programming done in security boils down to:
- writing simple scripts to automate tedious, repetitive tasks
- writing simple scripts to speed up the analysis of some information you just found
- writing simple scripts to demonstrate/exploit vulnerabilities
- reading code written by other people and understanding what’s going on (to identify security vulnerabilities)
You don’t have to be a top-notch developer to do any of these. You just need a basic understanding of general programming concepts and the ability to write code in one or more scripting languages. We suggest you start with Python. There are countless excellent courses and learning materials on this topic, just google it!
Networking
One of the first requirements of any technical information security role is a solid understanding of networks and the underlying principles (e.g., TCP/IP). But the Internet is, without doubt, the most extensive engineered system ever created by humankind, so how the hell can one learn or understand such an overwhelmingly large and complex system 🤯?
Don’t freak out—yet. You see, most of the underlying technologies used by today’s Internet were developed in the 1960s and 1970s (packet switching and the ARPANET in the 1960s, TCP/IP in the 1970s). They are quite old but well documented. You don’t need to be able to set up a complicated corporate network or know every small detail of each protocol, but rather have a general understanding of the subject.
So, start with simple concepts:
- What is a network protocol?
- What is an IP address? What’s the difference between IPv4 and IPv6?
- What is a switch, and why do we need them? How about a router?
- What is the OSI Model? Why is it important?
- What is the difference between TCP and UDP?
- What are HTTP, FTP, SMTP, DNS, SSH? Have you used any of them so far?
All these and many others are explained in Computer Networking - A Top-Down Approach. I recommend you check it out. Here are a few more awesome resources that are worth a bookmark:
- How Does the Internet Work?
- How the Internet Works in 5 Minutes - YouTube
- An Introduction to Computer Networks
- Introduction to Networking | edX
- The Bits and Bytes of Computer Networking | Coursera
- Computer Networks
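The questions above become much more concrete once you have seen a protocol as nothing more than an agreed byte layout. The following Python script is an added example (it is not from the original article or any of the resources listed): it builds a DNS A-record query field by field according to RFC 1035 and parses a response, including the name-compression pointers that real resolvers emit. The response bytes are constructed inline for the example rather than captured from a real resolver, and the answer address 192.0.2.10 is taken from the documentation range; nothing here touches the network.

```python
"""Build a DNS A-record query and parse a DNS response by hand (RFC 1035 layout).

Added example for the networking section. The response is constructed, not
captured traffic, so this runs offline.
"""
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:            # RFC 1035: labels are 1..63 octets
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """12-byte header in network byte order + one question. RD=1 asks for recursion."""
    flags = 0x0100  # QR=0 (query), OPCODE=0 (standard), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    return header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at `offset`, following compression pointers (top two bits 11).
    Returns (name, offset just past the name as it appears in the message)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # pointer: 14-bit offset into the message
            if not jumped:
                end = offset + 2                # a pointer occupies exactly two bytes
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:                       # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the IN A records (name, ttl, dotted ip) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


# Constructed response (not captured traffic): answers the query for www.example.com
# with 192.0.2.10 and names the owner via a pointer back to the question at offset 12.
QUERY = build_query("www.example.com", 0xBEEF)
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, rcode 0
    + QUERY[12:]                                          # echo the question section
    + b"\xC0\x0C"                                         # NAME = pointer to offset 12
    + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print("query bytes:", QUERY.hex())
    print("parsed response:", parse_response(CONSTRUCTED_RESPONSE))
```

Note how little of the protocol is "magic": the header is six 16-bit fields, a name is a sequence of length-prefixed labels, and compression is just a two-byte back-reference. The `hops` guard exists because a parser that blindly follows pointers can be sent into an infinite loop by a malicious message, which is exactly the kind of edge case you will later be paid to look for.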
Operating Systems
The beauty of hacking is that no two systems are exactly the same. Each uses different technologies and unique configurations to achieve its purpose. As an ethical hacker, you deal with various systems, and often, an exploit that works flawlessly on a server may not work on an apparently similar server.
To handle such situations without overcomplicating the process, you should have at least a basic understanding of the main operating systems (Linux, macOS, and Windows), how they work, and the differences between them. So do yourself a favor and get familiar with the following concepts:
- Linux/Windows system principles
- Linux/Windows file system
- CLI vs. GUI
- CLI basic commands
- Users and permissions
- Linux/Windows important files for security (e.g., /etc/passwd)
- Process Management
You can find all this information in this course.
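The Programming section above says most security scripting is "simple scripts to speed up the analysis of some information you just found", and the list above names /etc/passwd and users and permissions as things to understand. The following Python script is an added example that serves both points; it is not from the original article or from the course it links to. It parses passwd(5) lines and flags the conditions a tester checks first after retrieving the file (for instance through a file-read vulnerability): a second UID 0 account, an empty password field, a hash stored in the world-readable file instead of /etc/shadow, shared UIDs, and system accounts with an interactive shell. The input is constructed for the example, not taken from a real host, and the "system account" threshold of UID below 1000 is an assumption that matches most current Linux distributions but not all.

```python
"""Triage a Linux /etc/passwd file for security-relevant accounts.

Added example for the Programming and Operating Systems sections: the kind of
short script a tester writes to speed up analysis of a file just retrieved.
The input is constructed, not from a real host.
"""
from dataclasses import dataclass

# Shells that mean "this account cannot log in interactively" (common Linux paths).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Assumption: UIDs 1..999 are system accounts. Correct for most current distributions;
# older ones used 500 as the cut-off.
FIRST_USER_UID = 1000


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str   # "x" -> hash is in /etc/shadow; "*" or "!..." -> locked; "" -> no password
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) format: exactly seven colon-separated fields per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> list[str]:
    """Return one human-readable finding per suspicious condition, for a human to judge."""
    findings = []
    seen_uids: dict[int, str] = {}
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root (backdoor or misconfiguration)")
        elif e.uid in seen_uids:
            findings.append(f"{e.name}: shares UID {e.uid} with {seen_uids[e.uid]}")
        seen_uids.setdefault(e.uid, e.name)

        if e.password == "":
            findings.append(f"{e.name}: empty password field, login without a password may be possible")
        elif e.password not in ("x", "*") and not e.password.startswith("!"):
            findings.append(f"{e.name}: password hash stored in world-readable /etc/passwd")

        if 1 <= e.uid < FIRST_USER_UID and e.shell not in NOLOGIN_SHELLS:
            findings.append(f"{e.name}: system account (UID {e.uid}) with interactive shell {e.shell}")
    return findings


# Constructed sample, not a real host. Several lines are deliberately suspicious.
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:113:120:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
backup:x:1000:34:backup:/var/backups:/usr/sbin/nologin
legacy:$1$abc$abcdefghijklmnopqrstuv:1002:1002::/home/legacy:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(CONSTRUCTED_PASSWD)):
        print(finding)
```

Every check here is a heuristic. The `postgres` line, for example, is flagged because a service account has a real shell, yet on some distributions that is the packaged default; the script's job is to shorten the list a human has to read, not to replace the human. That is also why the sample is built so that one entry (`toor`) triggers a check that the others do not.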
Personality traits
Information security is an industry where something always goes wrong. Whether it is a script that was working last time you checked, or you just triggered a vulnerability but have no idea what caused it, there will always be something that doesn’t work the way you expect. There are no shortcuts in ethical hacking. You need to be persistent, hard-working, and always eager to learn.
It’s easy to spot a good fit for information security just by looking at a person’s attitude. Do they want to learn as much as they possibly can? Are they willing to spend hours or even days coming up with a working strategy when they hit a dead end? Do they have a keen passion for solving puzzles and an unbridled curiosity to dig into the root causes of a problem?
If the answer to the above questions is YES and we just described you, then you may be a good fit for an information security career. Otherwise, you may find security more frustrating than fun.
Formal education
One of the most common questions about how to become an ethical hacker is, “Can I find a job if I don’t have a formal degree?”
Absolutely yes! While a university degree can be useful, it is not mandatory to get a job. And it all makes sense if you think about it. Since security is everyone’s problem and companies are struggling to find enough talented people, what would be the logic to limit security roles only for people with degrees in computer science?
Many of the best security professionals are self-taught individuals who dropped out of formal education. Of course, we don’t encourage you to drop school—we just say it’s possible to work without a formal degree.
On the other hand, “not mandatory” doesn’t mean “useless”. An information security degree can kickstart your career. It won’t make you a hacker, but it will provide you with the basic technical skills we mentioned above. The fact that it forces you to learn those boring yet challenging concepts is a big advantage if you are not a very disciplined person and cannot do this on your own.
As a student, you can gain real-world experience through internships while working with experienced professionals. If you demonstrate that you are passionate about hacking, you may even get a full-time job offer there.
Certifications
Similar to formal education, security certifications are good to have but not a must. They are a great way to learn the basics and acquire valuable experience for your resume. Here are a few recommendations:
- Offensive Security Certified Professional (OSCP)
- Offensive Security Certified Expert (OSCE; since retired by Offensive Security, with the OSCE3 track as its successor)
- eLearnSecurity Certified Penetration Tester (eLearnSecurity is now part of INE)
- SANS SEC560: Network Penetration Testing and Ethical Hacking
Keep in mind that you have to present yourself as the best option in the job market. Often, even the smallest differences between you and someone else can decide a hiring decision. For instance, a person with interesting personal projects but no work experience wins over a person with no work experience and no personal projects. A person without a degree but with certifications wins over a person with neither. And so on.
Tips for starting
- Start a personal blog — This is probably the best advice we can give you. Start a blog and document your journey. One of the most efficient ways to consolidate what you have just learned is to reflect on it and explain it to other like-minded people on your blog. This will improve your understanding of the subject, your communication skills, and, why not, your resume.
- Set goals — Right from the beginning, set some achievable goals, something like milestones. They will help you track your progress and focus on what is important. However, keep in mind that as you progress through your information security journey, your goals may change.
- Become a Google search master — Being an ethical hacker is not about memorising. You don’t need to know every small detail about each protocol, tool, or command. What really matters is knowing how to find that information when you need it. So whenever you don’t know something, google it! The chances are that other people had the same question.
- Use AI to learn, but don’t outsource your thinking — AI chatbots can be a powerful learning tool. Use them to challenge your assumptions and your understanding of a subject, to clarify concepts, and to dive deep into technical topics. But don’t use AI as a replacement for actually learning the basics. If you let chatbots provide all the answers, you will miss out on developing the skills needed to think independently, troubleshoot complex scenarios, and adapt to unforeseen challenges.
- Learn how to learn — How do you learn? Maybe you understand better if you read about a concept. Or perhaps if you watch a video about it. Whatever your learning style might be, it is imperative to have a framework—so check out The Feynman Technique.
- Got stuck? Don’t be afraid to seek help, but learn how to ask technical questions — Most people are happy to help newcomers, but the answer you get to a question depends mainly on the question itself. Eric S. Raymond and Rick Moen wrote an excellent guide on this, “How To Ask Questions The Smart Way”. Also, you can check LiveOverflow’s video on the same topic.
- Stay informed — You can find many experienced ethical hackers on social media where they share their experience and sometimes drop some knowledge. Here are a few people that you should follow: James Kettle (@albinowax), Jobert Abma (@jobertabma), spaceraccoon (@spaceraccoonsec), Sam Curry (@samwcyo), NahamSec (@NahamSec), Soroush Dalili (@irsdl), Justin Gardner (@Rhynorater), BBRE (@gregxsunday), Phillip Wylie (@PhillipWylie), Orange Tsai (@orange_8361), STÖK (@stokfredrik), zseano (@zseano), Somdev Sangwan (@s0md3v), Patrik Fehrenbach (@ITSecurityguard), Jason Haddix (@Jhaddix), ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler), Frans Rosén (@fransrosen)
- Check out these fantastic blog posts on the same topic to get a better understanding of the industry