By Josh Daniels
After Wild West Hackin’ Fest 2026 in Denver, I ran into Corey Ham, head of the ANTISOC Team (continuous pentesting) at BHIS, in the lobby of the hotel. He was about to take off for some well-deserved R&R. We struck up a conversation, and he graciously provided some insights into the world of pentesting at a top-tier firm, specifically for those getting started.
Before we start, all of what follows is subjective. There are as many ways to begin a career and progress toward a specific job in cybersecurity as there are people working in the field. That said, Corey’s practical advice has the benefit of coming from someone who not only works as a pentester, but also leads a team of testers, so it may hold a little more weight.
Prepare for hot takes.
For those looking to enter the field of cybersecurity, the common wisdom is: There are way more defensive security jobs than offensive jobs, so if you want to do X in cybersecurity, you should start with a blue team position. This perspective is a result of imagining cybersecurity as a monolithic profession instead of several specialized roles working toward the same goal.
For example, while both are involved in healthcare, physicians treat patients and biomedical researchers develop new medical technologies. They share a common foundation of biology and chemistry, but one would be hard pressed to perform the job of the other. In the case of cybersecurity, IT is the common starting point, and the divergence begins as one advances in a blue or red team direction.
As you study the particulars of defensive cybersecurity, you are developing skills and a mindset that are adjacent to offensive security, help build a foundation for security overall, and will help offer the adversary perspective. But pentesting requires some different abilities and methodologies.
Of course, this is dependent on your situation. If you love cybersecurity and need a job, then working in a SOC or other defensive role is going to be more beneficial than working in another industry. But if offensive security is your dream, then starting down the blue team road will begin to develop your skills in that direction.
Corey explained it thusly: “An excellent blue teamer is an SME [subject-matter expert] in the tools and processes that their organization uses. An excellent red teamer might be an expert with a few choice tools, but their main skill is learning on the fly, finding or building tools and processes as they go.”
Defensive security professionals monitor, detect, and respond to threats across an organization — analyzing telemetry, building detections, and hardening systems to make attackers’ lives harder. An ethical hacker tests the defenses of a system through a process, using whatever tool is available, customizable, or buildable.
While there is some crossover, and understanding the tactics of your “adversary” is always going to be beneficial, the two professions are working the same problem from different ends, with different methods, tools, and mindsets.
Corey’s advice: If you want to be a pentester, then work on being a pentester. You don’t need the detour of blue team. If you’re a blue teamer, work on being an excellent blue teamer.
So, how does one gain the skills and prepare themselves for a shot at working at a pentesting firm?
A great place to start is really understanding what is meant by the term “pentester.” Dispel the mythology propagated by Hollywood and pop culture of the hoodie-wearing hacker, pwning all that they survey. Ask people who work in the role, and investigate what the actual day-to-day of the profession looks like. This will serve you at the outset of your journey better than any roadmap.
“It’s a lot of repetition. It’s learning a methodology and doing it over and over again. What we do is not magic,” Corey said.
This was the basic path toward pentesting that Corey proposed.
IT -> CTFs -> bug bounties -> pentesting
Gain a solid understanding of the fundamentals of Information Technology (IT). Move into Capture the Flag (CTF) exercises, competitions, and cyber ranges for learning exploitation, C2, offensive tooling, etc. Pursue bug bounties to start finding vulnerabilities and learn to craft professional writeups. By the end, you have a pretty good pentesting skillset.
There are some gaps and nice-to-haves that could be added here and there, but this is a possible path that hits the high points. Quality, hands-on training that helps you gain proficiency and develop skills in these areas will progress you along this path. For instance, Antisyphon Training courses allow the student to face real-world challenges with instruction and guidance from cybersecurity professionals. Not a bad place to start.
You’ll also notice that there isn’t a certification in sight on the list (more on this in a moment). At the end of the day a team lead is concerned with whether or not you can conduct the test and write a report, and few certification exams gauge this well.
A seasoned pentester with a few years of working experience will have a certain level of innate trust that a brand-new tester will not. If you are lucky enough to find yourself on the short list for a junior level pentesting position, you will need to prove that you can “hack” it.
Some more advice from Corey here: Pay special attention to the write-up and document your assessment with plenty of useful screenshots. This is ultimately what clients are paying for. If your methodology and technical skills are great, but the writeup isn’t clear, thorough, and easy to follow, you may find yourself a hard sell to a pentesting team.
Part of the BHIS process for vetting potential junior testers involves completing a challenge on our own cyber range and then submitting a thorough write-up.
The real indicator for Corey, though, is performance in the first 30/60/90 days of working as a pentester. If one can conduct live tests and present professional-grade findings to the client, the results will speak for themselves. It goes without saying, but if you do get the shot to prove yourself, hit the ground running and go the extra mile.
Certification really only serves as an easy signal to others that a cert holder has been “tested” on some material in some capacity. This process has many issues, such as quality of testing methods and material, cheating, and (for cybersecurity specifically) lack of hands-on components.
In many cases, certifications serve the function of attempting to gauge a baseline of knowledge, but may not provide the best picture of practical competence. This is doubly true for certifications that do not have hands-on components. Corey believes that a working pentester should be able to complete the Offensive Security Certified Professional (OSCP) and that it serves as a decent signal of skill, but the trial-by-fire of actual engagements is still the gold standard.
In a recent Reddit AMA, John Strand responded to a question about certifications, and this was his conclusion:
“So yes, some certifications absolutely still hold value. OSCP, CISSP, GIAC, they all carry weight in different ways. But I would really love to see the industry move toward recognizing cyber ranges and CTF achievements as equal to or even more meaningful than traditional certifications. When someone proves they can actually solve problems, that means a lot more to me than passing a multiple-choice exam.”
All in all, the most applicable nuggets I walked away from the conversation with were these: 1) Pursue what you are passionate about and 2) focus on gaining the day-to-day skills associated with what you want to do.
If pentesting is your dream, it’s better to struggle toward that than aligning yourself with an adjacent job that is not actually what you want to do. While you might find faster success in landing a role, you may be developing yourself in a different direction. That said, you might find you like defensive cybersecurity! There are many ways to defend that don’t include offending 🙂
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。