so I'm starting today in 2025 do I go and learn like how to hack AI do I go and hack web applications do I do Network hacking? And this is where a lot of people I think get hung up initially is coding do I need to be a developer do I need to be a programmer and you want to make sure that you understand what that code is doing before you just go run it so you're going out and actually hacking a website or an application and there are a ton of great resources that are out there available we get to see a lot of people's successes but we don't get to see a lot of people's failures. Hey everyone it's David Bombal back with the amazing Heath Adams, Heath great to have you back on the channel. Hey David it's great to be back. Heath it's 2025 question that you get all the time I know and I get this as well I want to become an ethical hacker how do I do this how do I become like you? yeah it's a great question David uh we've got a road map that we've laid out and I'm happy to be here and sharing it today. yeah looking forward to this because you and
just for everyone who doesn't know you you as an accountant I mean there's a long journey right but you were an accountant then you got in you were like a network engineer I've understood right you became an ethical hacker you've started ethical hacking business you do blue teaming now you do like a whole bunch of things right? yeah we're we're kind of all over the place but um it's it's been a wild journey from definitely accountant to to running a pentest company is very weird. And I think it's really important to highlight right you run a pentesting company you pentest you have people in your team that pentest so this is based on real world experience? Yeah absolutely we're we're always hiring and trying to understand the market and so this is based on latest and greatest ideas and what we're seeing in the market and the ideal people that we'd rather have on our team uh these are the the qualifications and training and those sorts of things. That's brilliant so I'm going to keep quiet Heath I get complaints if I interrupt people so I'm going to keep quiet unless I really have to ask a question so take it away. 
Perfect yeah so we have a Blog that is How to Be an Ethical Hacker in 2025 and this covers a lot of information on Pathways and everything else so a lot of what you're seeing today I'm going to be going through on this blog and just talking through the different journeys that one has to take kind of from absolute zero into becoming a pentester so this is going to start with assuming that you have zero knowledge in IT if there's certain areas where you say hey I already know that you can feel free to skip that and just kind of move your way up the ladder and so we've got this pyramid here that I'm sharing and this is kind of the foundations and I equate it to a house you want to build a strong foundation for your house before you go out there and uh start building the actual house and same thing with ethical hacking we see a lot of people be interested in the field and then they go out there start learning about hacking right away and they realize it's very difficult and they haven't learned the foundation so now they're backpedaling and trying to learn other Concepts and it can honestly lead to failure so making sure that you have the core foundational skills very very important uh for us those skills are we consider basic IT so your A+ equivalent or something along the lines of being able to troubleshoot build computers those sorts of things layering on to that networking skills uh going above and beyond that security skills and then some things related to specifically for cyber security you're going to need to know Linux you're going to need to know some programming as well uh so I'm going to cover the different resources that are available there kind of in that order and so we've got our basic IT skills and so I equate this to your A+ certification now I don't think that you have to go out there and get every single certification that I'm going to talk about and it's not necessary to go get A+ Net+ Security+ if you don't want to you don't have the funds all 
right this is just equivalencies so from our standpoint A+ is really looking at that beginner foundational help desk level and so we have training out there that is specific to this uh which is I think great Professor Messer is fantastic uh this is completely free and so Professor Messer does a lot as you can see with A+ Net+ Security+ so if you're looking for free training you're going to see me bring up Professor Messer a few times in this class or in this video I should say and so with his class is for the exam specifically there are two exams for A+ so there's the the 101 the 102 and he's got training material for both of those and so you could just go in here and watch the videos his videos are a little bit more of kind of PowerPoint like and so it's not as Hands-On with the material but you're just kind of learning the overall Concepts and some of it gets a little Hands-On but not really um a paid alternative there is Mike Meyers I think Mike Meyers does a great job on Udemy and so just checking out different different creators out there I used Mike Meyers when I was coming up and I also used Professor Messer and I thought they were both great uh you may find and search for an A+ course on Udemy and say hey this instructor seems interesting and you might go with them but just looking out and doing your diligence on courses that are out there um I'm going to do a little bit of self-promotion throughout this uh video as well this is our training material so we have an academy at TCM Security and on the academy there is this free tier so we have a lot of the foundational courses and our goal is to release foundational courses for everything that you see in this video um and one of those classes is practical help desk so this is a 19-hour class same concept it's not teaching you to go out there and get the A+ so it's not a 18 or A+ type uh type class it's actually more of a Hands-On practical class where you do actually get to get in here and see some of the 
material it's not really all that that PowerPoint training to a specific certification so if you go through the material you can see that hey we've got how do we fix a computer how do we fix a laptop what are the operating systems um going through those going through networking as well remote support ticketing systems uh cyber security Active Directory like all the things that we think you would need to know and again this is 100% free so I'll point out when there are resources I'll point out when they're free resources like Professor Messer is completely free and that way you can kind of a path depending on your your access financially and what not to uh to a journey in cyber because it doesn't have to be incredibly expensive I love that too so moving moving on from that um once you have your A+ skills once you can fix a computer troubleshoot some issues build a computer you want to move into networking next and there are some great resources for networking that we've got laid out here again you're going to see Professor Messer and you're going to see Mike Meyers I think both of them are great uh courses again but also we've got the Cisco Packet Tracer which I know David you're a CCNA and Cisco guy and so um this is a great resource for coming in and just learning kind of like your basic command line and learning some of the the networking infrastructure and how it's laid out and being able to kind of build out your own labs and again it's completely free there's resources in here for actually using Cisco Packet Tracer and how to explore them some some free resources there and so just learning those networking concepts what is a uh what's a port what are on different ports what is the OSI model how do you troubleshoot networking issues and just moving through chain it's going to become important especially as you move into pen testing and hacking because you're going to need to know and understand networks like CIDR notation subnets in order to hack them and so 
this is a critical critical part that I feel like a lot of people skip over and then they get overwhelmed when they don't understand core networking concepts so understanding networking is going to be very important. Heath the old old question I always ask you CCNA or Network+ or doesn't it matter? Good question uh I don't think it matters so I did the Network+ and the CCNA the CCNA I think is more challenging by far I think that it it's fine to go CCNA if you want to be a pen tester I wouldn't go above and beyond that like I don't think you need to go CCIE or anything uh but understanding those core foundations CCNA is a great exam uh Network+ is is fine as well but just making sure that you have those I think that the only thing with the Cisco side is that you can start rabbit-holing yourself into Cisco specific so uh CompTIA is vendor neutral but I do think that there's some benefit to actually getting the CCNA and understanding some of the uh command command line interface and just being able to what happens if I hop on some sort of networking equipment because you get more Hands-On with the CCNA than you do the Network+ and there are benefits there as well but again you could do no certification you could do both certifications it's completely up to you and in what you're you want to do. So get the knowledge don't worry so much about the cert. 100% all right next up uh Linux skills are going
to be very important so the platform that most of us live in for hacking is called Kali Linux there are other versions out there too there's like Parrot or distributions that should say uh there's Parrot both of them do kind of the same thing they operating system or distribution made for penetration testing or ethical hacking and so basically they're a form of Linux that's Debian based and you just have all the tools available to you or most of the tools say available to you for for doing hacking right out of the box and so you're going to need to understand how to navigate around Linux and use it because it's different than uh it's different than Windows it's different than Macs as well it's kind of its own little learning curve so there are a lot of great resources out there for learning Linux I'm just going to start with ours because that's the one first in the order here but again this is part of our free tier Linux fundamentals you can come through here and just pick up Linux without having any former prior knowledge there and it covers quite a bit I think it's two-hour course here so it gets you through hey how do I actually use Linux open the command line all the way to actually writing some scripts with bash which is good for your programming skills there are other actual resources out there too like Linux Journey is a great one um you can come through here and just do some of their uh different modules that they have and it's all free as well we've got OverTheWire which are these war games and Bandit's one of those ones for beginners they've got a bunch of different war games in here but basically it's kind of like a capture the flag you go through and you have different challenges on these levels and you have to accomplish different things and that helps you kind of learn Linux through challenges so I'd recommend like starting with a Linux class first and then coming through and challenging yourself to get through some of these challenges and think a 
little bit logic while using Linux ultimately there's a ton of resources that are here uh we also have on our Academy the paid side of the academy they have a Linux 101 class which is kind of above and beyond the 100 but it does get a lot more in-depth so if you find yourself saying hey I want to know more about Linux there are curated resources out there as well you could go to Udemy same thing you could go to YouTube search for a course uh just make sure honestly that you're looking up more of Debian based Linux because that's what to use in ethical hacking there's different versions of it uh but I'd be searching for Debian based courses Ubuntu things like that that could help you out. Heath I love what you've done right where you have got the paid courses but you making so much available for free especially for beginners I mean it's great to see. Yeah I mean we've uh we've got this motto of we don't believe that anybody should pay price on education and so coming and learning the foundations with us I think is a is a great alternative and like a lot of our videos are meant to just be short digestible especially for this modern era where we want information as quickly as possible and not as long as possible so so um just getting that Hands-On kinesthetic learning and I think it's a a big benefit to the community. That's correct so once we get past our Linux side of things uh coding is another area where it'd be very beneficial to learn and this is where a lot of people I think get hung up initially is okay coding do I need to be a developer do I need to be a programmer and the answer is no like if you understand programming and you can go on and be a developer I think that's a great addition to your skill set and it's a great fallback too. 
A lot of people say well I'm interested in cyber security but should I go for a computer science degree if you're truly interested in computer science absolutely because if you get into cyber you don't like it you always have your programming background to fall back on um having the programming skills will help but ultimately you just need to be able to read code and the big reason for that is you're going to go out to places like GitHub and you're going to download code and you're going to run that code against an environment if you're doing ethical hacking that's going to be potentially against a client or your own company and you want to make sure that you understand what that code is doing before you just go run it uh willy-nilly and so from our side being able to just read code and understand code helps you're able to take that above and beyond be able to program automate some of your things and your tasks that's even better and there are tons and tons of resources out there if you're learning programming um you can find your own again I'm just going to list a few of those out but there's tons that are out there completely free um for us again free tier we've got the programming 100 fundamentals covers a lot of the Core Concepts and we teach in Python which is where I think the industry is going in terms of uh you used to teach Java as like your introductory programming language in college now they're teaching Python it's just a lot easier to understand and and learn for beginners and um there's a quite a bit of information here too you get to build out your own uh tools and learn to automate a lot of processes again completely free uh freeCodeCamp another great resource that's out there they do have a ton of tutorials they are all over the place so make sure if you're looking for programming tutorials you're looking for Python 3 because Python 2 may show up and that's deprecated nowadays so Python 3 would be good to know um the newer the course the better off 
you're going to be because it's going to have the latest and greatest fundamentals in there but tons of resources Codecademy is another one here where this one is semi free semi paid you can sign up for a free trial and it doesn't take a credit card which I like um they've got a ton of different things on here you can go through and say hey what what do you want to learn about tons of languages but again I'd recommend starting with Python and just one more resource that I've used in the past is Team Treehouse this is not free believe it's 25 oh it is free for seven days then $25 a month but um I I like the way that it is just engaging they've got video based instruction which I prefer to learn from and so uh another great resource depending on again budget and what what you want to learn from who you want to learn from but you can't go wrong on YouTube can't go wrong on Udemy again for looking for this kind of content okay last of the foundations is security skills so now that we've kind of got everything laid in place we need to add some basic cyber security knowledge on that uh we've learned networking for example we've learned what ports there are uh we know that we've got uh Port 21 is FTP but then we've got Port 22 is SSH and why why is telnet insecure and why are we using certain ports and which ports are more secure what's encrypted what's not uh being able to understand that very important understanding the core foundations of cyber security very important and that's kind of the next step before you get into anything hacking related is I need to understand these foundations of cyber security before I move on and I always like to think of this as when I was taking the Security+ I was thinking of it as the Network++ because it really did take the Network+ material and just layer layer Cyber Security details on top of it so if there's one certification I think that's like valuable out of what I just showed you uh Security+ is going to do pretty well for you 
A+ could get you a help desk job Network+ maybe get you Junior Network job uh CCNA definitely the Security+ can definitely help you land like that Junior SOC analyst type role or just kind of set you apart from some people so out of the list of what I've shown already I think this is the most viable certification to get but there are great great resources out there as well again shouting out Professor Messer here um I think he's fantastic on our side we do have a paid course here which I'm going to scroll over this side um we've got a paid course which is called SOC Operations this is just on our Academy and this is almost 30 hours actually it is now over 30 hours of materials and so it covers literally everything that you would do from a security analyst perspective so if you want to learn the hands-on um actually get get kinesthetic learning from a video-based uh site this would be the material that I would recommend there's just so much in here that uh you just get exposure to and if you're looking to be a junior SOC analyst or like a level one SOC analyst you're trying to get into that side of things this would be great prep even for Security+ again we don't teach for any certifications but if you're prepping for a certification having this type of knowledge would be incredibly useful. How much does it cost is it like a monthly fee or is it like once-off. 
Yeah we do monthly fees so it's for a month it's $30 a month um you get access to all of our courses in in content um upwards too and you can do annual as well and save a little bit on the the monthly rate that's correct awesome that is it for the foundational skills so now we'll move into the actual foundations of ethical hacking perfect okay so once we've got the foundations down and the foundations that we just covered are good for literally all of cyber in my opinion so even if you don't want to become an ethical hacker those are the core things that you should really know now that we're moving into the ethical hacking side of things we need to learn the basics of ethical hacking uh and so where do we do that how do we do that there's quite a few resources that are out there so one I'm going to point to ours again um for our resource we do have this on our Academy this is the Practical Ethical Hacking class this is by far our most popular course this is what we started with this is what we're known for um and this kind of takes you through that journey of okay where do I actually start and so we do cover some networking and you hey Linux and Python um but we come through here what's the hacking methodology how do we perform the five steps of ethical hacking which we start with information gathering reconnaissance we go into scanning and enumeration uh which we cut through here and then we start just hacking machines and so you learn exploitation which is step three and we've got capstone machines that are built custom here that you actually go through and you have to hack your way into those machines we get into Active Directory hacking which I think is the most important thing for a junior pentester to know how do you hack an Active Directory environment and so we've cut a lot of information just on Active Directory hacking we get into web application hacking which is also very important and there's just a ton of information here some Wireless hacking report 
writing legal documents you should know etc and so it just covers everything that you should know is developed as what should you know to become a pentester and we do have this for free as well at least the first half of it so we do have the first 15 hours of this course for free um this is a little bit older this is 2023 Edition so it's not the latest and greatest but it gives you a great idea and is the core Foundation still what it covers to get you to that next level of understanding uh what ethical hacking is like am I going to actually even like this this is something I want to do so before even putting any money into anything you can come to YouTube again and go through this content in these courses and actually see do I want to become an ethical hacker and there's a part one here there's part two here and you can absolutely come through and check this out there are other resources out there as well TryHackMe is one that has some free options and some paid options so you can come through here and actually do what is more of like a CTF style learning so they teach you through more of Hands-On activity what I do like about TryHackMe is that you can come through and actually do tasks so they're task oriented it's more text based learning but you can come here and have objectives and then submit answers and learn through exercises so that's pretty nice um Hack the Box is very similar Hack the Box was um more of a capture the flag style environment now they've kind of shifted to an academy their site is not free in that sense you do have to pay for what are called cubes on their site so depending on how many cubes and paths you want to go down the pricing does change um but it's another great resource that is um being utilized by a lot of people uh last but not least there is VulnHub this is very much Capture the Flag style and so I should differentiate there there's what I consider practical hacking and Capture the Flag style hacking I think both of them have 
their um their place in hacking but it's more like a Venn diagram in in terms of there's going to be some overlap but the more time you spend on Capture the Flag style the more you're really focused on um I would say more impractical things you're going to maybe learn some items that are uh exploits and things that are relevant but the pathways to get there maybe are not the most practical or relevant ways that you actually to see in the real world um so the more you can focus on actual practical learning versus doing these CTF type machines the better however still doing CTF type machines is good for like logical games is good if you ever do want to go out and do a CTF there are some exams which we'll get to later that are more CTF based and so if you want to take a CTF based exam learning these types of techniques can be good as well so there's quite a bit that you can learn from here I would stray if you're learning more on the uh trying to become a hacker side I would say straight on the ethical hacking practical side more so than the uh the hands-on CTF style but everybody has their their place for learning on this. Heath can you just go back to your tab on your YouTube channel right because
you that's one video that you've got like 15 or 30 hours of content or so but you got a whole bunch of videos It's the Cyber Mentor is that the channel name right? Yeah the Cyber Mentor we uh we've got quite a few yeah I you can see a lot of them here over on the side but we've got um ENT a lot of the courses that are on our Academy half of it's up for free anyway so you can come and learn and say do I like this am I not interested and so we again there's a ton of free material out there there's Linux course out there I know we've got Python we've got an older ethical hacking course that's on there as well so there's there's quite a bit in here in terms of courses and content if you just come into our cyber Mentor Channel and go to full courses there's um there's a tab for that on our channel. So for everyone watching please go and sub show the love he's giving so much away for free he really appreciated it so please for everyone watching go love he's trying to get to a million subs at the time of this recording he's getting close so you know get him to a million as soon as you can. 
Appreciate that just trying to have my gold plaque like you David yeah exactly man it's go for it man it's not long it's going to happen appreciate that so once we learn our foundations of ethical hacking that kind of gets us to what is maybe a junior level for hacking once we have that we really need to build Upon Our skill set and there's a ton of places to go out there and do this really from an ethical hacking standpoint when you come into the field and you want to be a junior ethical hacker Junior penetration tester you're going to need to know how to perform external pen tests and internal pen tests external is outside looking in how do I break into an organization from the outside a lot of that is open source intelligence a lot of that is finding out usernames and trying to to Really guess passwords and get into login panels um from an internal perspective we're really looking at Active Directory so what happens once I'm inside the network what happens that there's been a compromise most networks out there Active Directory based networks from a a business environment so that's where we're really focused on so understanding those two things very important understanding web application hacking is going to be important too at a junior level you're not expected to come in and actually hack a web application but you should have some core knowledge of what we call the OWASP Top 10 we'll talk about that in just a second but that will set you above and beyond your peers especially interviewing uh we do wireless hacking on the network side as well um there's additional types of hacking as you kind of grow in your career I mean there's airplane hacking IoT hacking mobile hacking there's all kinds of stuff that's out there you can turn in and specialize but for now we're going to focus on what are the core things that I really should know if I want to be set myself apart as an ethical hacker and so we've talked about Active Directory already and for Active Directory I'm 
biased a little bit but I truly do believe the Practical ethical hacking course that we have is the best bang for your buck out there to learn Active Directory hacking there are some blogs that I listed in our blog and people that are really good contributors to the Active Directory hacking space and so definitely go check those people out as well as any of these people follow their their X or their Twitter and um be able to just kind of get updates on Active Directory if you're interested in those sorts of things I'm going to shift down to web here and somewhat mobile web is very important you can actually be a web application hacker you can be a network hacker as well but you can be a web application hacker without being anything else like you could just specialize in any topic web application has become very prominent because a lot of programs that are out there are called Bug Bounty programs that will actually pay you to go and hack their application uh you submit the bug to them you get a reward usually monetary and so it's become incredibly popular in the hacking space most of those are web not all but a majority of those are web so you're going out and actually hacking a website or an application and there are a ton of great resources that are out there available I'm going to start with the free ones um best bang for your buck because it's free is PortSwigger Academy they actually make one of the tools which is called Burp Suite that we use pretty heavily from a hacking perspective when using web apps this Academy has absolutely amazing resources you can just come in here and click on any of these modules they give you labs they give you lessons they give you walkthroughs and it will just take you from uh 0 to 100 pretty quick in terms of just able to learn these concepts um we have other resources too like Hacker101 this is pretty neat they have some video lessons in here um I actually I don't know if I'm still on there but I taught quite a few of 
these classes back in the day there's a CTF here that once you've kind of taken your your video classes you can go participate in their CTF if you complete the CTF you get a private invite which is kind of nice um private programs are a little bit better than public programs not everybody's in it so you actually have a little bit exclusivity you can kind of hack and know that hey not the entire population come see this program so you have greater likelihood of finding some bugs which is kind of nice as well um HackerOne is a Bug Bounty platform as is Bugcrowd um Bugcrowd has their own University and their videos in here I don't think they're as curated but there's still pretty nice videos in here that you can come through and look up different resources and things like that there is PentesterLab which has some free component Pro component uh you can come in here and do different exercises for their platform as well um you can see like GraphQL like literally so many different things that you can go through here and practice so again it's just how you learn and and your your style from a self-promotion standpoint we've got quite a few classes um our beginner class is actually called practical Bug Bounty we do partner with Intigriti here so Intigriti is another uh Bug Bounty platform similar to HackerOne or Bugcrowd that if you complete this class and you submit your certificate of completion to them they will uh consider you for private programs which is really nice so it it says hey I have gone above and beyond I actually do have some knowledge and that kind of gets you into that system where you start getting private invites which is really nice so this kind of takes you from the foundational hey where do I start um what are the foundations of hacking those sorts of things the Practical ethical hacking course has a lot of this as well um this goes a lot deeper than what's found in the Practical ethical hacking so I would start again practical ethical 
hacking that's your foundation this starts going above and beyond that and then we just keep taking that further and further so we have practical web hacking which is like The Next Step Up um API hacking as well and then we've got our advance Advanced web hacking class that we're we're just starting to to launch out for um these do have certifications side of them as does practical ethical hacking I won't get too much into certifications right now but there's certifications to this and exams that if you wanted to go through it you could if you wanted to just do the academy you could do that as well uh if you're interested in mobile application testing we also have a course on that um this is something that is becoming more popular especially in the bug Bounty space uh worth considering as well um and you could specialize and that's a good way to specialize in being kind of more of a niche field and kind of set yourself apart from um you know from all the other hackers I would be in trouble if I didn't mention OWASP from a web hacking perspective owasp.org is a great Community really
what they do and what they're known for is this top 10 so every few years they change their top 10 one of the top 10 most critical vulnerabilities that web apps are facing right now and so as a pentester especially as a junior you're going to get questions on the OWASP top 10 when you're doing interviews and so understanding what the OWASP top 10 are and understanding what their remediations are very important again as a junior you don't have to come in and be hacking web applications day one it's an expectation of you as you grow for us when we're doing our hiring we have Juniors come in they start on external pentest once they work their way up they do internal pentest and then they work their way up and they do web application so it kind of scales in difficulty and for us we are asking questions and as are a lot of interviewers about web application pentests and so understanding these very critical same thing here it's good to know about this OWASP web security testing guide this is actually what we use when we're doing pentest we've got this uh converted into an Excel format as a checklist but this is a book that actually takes you through step by step if I'm doing a pentest what should I be doing on a web application a very very important resource for the community lastly um there are these Hacktivity or Bug Bounty write-ups that I think are fantastic um HackerOne is just one example of it and you can just Google Bug Bounty write-ups but you can come through here and these are disclosed write-ups like here's one for LinkedIn okay somebody got paid um doesn't say how much they got paid here but they got paid uh for this information disclosure where you can see phone numbers of other users by providing an email address that's cool you can click in here and see okay well how did they do it and they show you how they did it and so this actually kind of takes you through step-by-step process of these so what I used to do especially when I was learning web apps 
early on I would actually start going through and just looking at the bug that I thought I maybe had and trying to find instances of other people out there that had had written those up and then testing that functionality and some of those ideas that they had this is a great way to learn is learning from other people and actual exploits that are out there and happening okay moving back so another item that we should know about is our wireless hacking um from a wireless in standpoint you can honestly just read a Blog I put a couple in here but I know even David has videos on wireless hacking from a hacking perspective when we're testing Network we're really looking at two things we're looking at WPA2 pre-shared key which is basically what's used in your home network that's pretty easy you grab a hash you uh you take the hash try to crack it offline there's also enterprise which is a little bit trickier that is using often RADIUS it's using Active Directory credentials uh there are ways to make that insecure as well and there's ways to hack Enterprise you can learn Wireless hacking and follow along with a Blog honestly a lot of people when they first start learning about hacking they start with wireless because it's kind of a little bit easier you just get a a wireless adapter that's where I started you just start messing around and and uh seeing where you can what you can do and so um you can learn this from a Blog I don't even know if there's a true Wireless hacking course that's out there unless it's like really complete and does Bluetooth hacking and other things then that's getting a little bit above and beyond our scope as a as a junior pentester outside of that certifications this is a big topic in the space and so I have put this chart together this is not all inclusive of certifications by any means these are what I consider the top certifications for entry level pen testing uh there are all kinds of other certifications there's web application hacking 
certifications there's mobile hacking certifications uh different ventures into different fields if you want to become an entry-level pentester here are the certifications that are really available to you right now and so I've laid this out with these this chart here we've got is this a multiple choice exam your Pentest+ your CEH your GPEN is okay so multi choice meaning I'm just going through I have questions I have to pick from an answer perfect now for CTF style exams Pentest+ has some simulations so it also gets a check mark here for CTF and when I say CTF I'm saying that it is not entirely practical it's not like you're going in you're doing an actual pentest and you're trying to hack against a an environment so you're you're kind of doing a simulation against machines in an impractical way uh same thing for the CEH they do have a practical what they call practical environment to their test but they do have multiple choice so these are kind of simulation based same with the GPEN the OSCP is a true CTF style exam they've added some active directory components which is nice lately and so you go in you have 24 hours you have to hack x amount of boxes to get x amount of points to pass their exam you have to write a report submit that and you can pass your exam um from the practical side there are two exams that are out there right now that I think are doing well one is ours uh full disclosure but the PNPT which is our certification CPTS which is the Hack the Box certification both of those are practical you are given an environment you have five days for ours to go in and and hack the environment right so you can go in for PNPT you have to perform an external you break into the internal you have to then compromise the domain you have to write a report you have to give a debrief in front of our team and so you go through the process and steps that a real pentester would go through and so we're starting to see an industry shift towards more of these practical style 
exams which I think a lot of people actually like and learn from as opposed to the multiple choice exams where you can kind of brain dump it a little bit in terms of I learn all these things I go take the exam maybe I don't have to learn these these at least prove that yes I do have the the Hands-On skill set OSCP as well I've got the Hands-On skill set of where I need to go um government side of things what is on the US this is only us-based what is on us-based government um requirements Pentest+ CEH GPEN okay so these ones if you're looking for specifically a government role or you're trying to adhere to 8570 which is getting replaced then you're looking in this column here and what is most beneficial Pentest+ could be good CEH could be good GPEN if employer paying for it which coming down to cost uh CPTS PNPT Pentest+s are going to be under $500 um CEH is anywhere in the ballpark of a thousand to $1,500 depending OSCP is 1500 to 2500 depending on the plan that you get and then the GPEN is upwards of $8,000 anywhere up to to $10,000 depending so the higher you scale here the more you're hoping your employer pays for the the cost of the the exam and so those are those are the critical certifications do your research and due diligence on those um you know they all have their place depending on what you're doing again government for example I would lean towards those if you're trying to stay in government you want that Hands-On practical exam um you know cost is an important factor as well so those are things to consider when you're looking at certification exams but these certifications are critical in my opinion to getting in the field you don't necessarily have to have a certification to break in I'm going to say that again but you are competing against people that likely do have one or multiple of these and so you have to think about okay well if I don't have those where else am I going to set myself apart having a YouTube channel doing blogs uh attending events 
volunteering uh being a part of a community or being in Discord uh Slack channels those things like that networking very good but these are going to be pretty useful for you as well so do you have to have them no can you get by without them absolutely are they going to help open some doors yeah absolutely as well. You get past the the recruiters right I mean that's the whole idea with certs I think is you you get your foot in the door to get to the interview helps a lot with that? Yeah absolutely yeah I mean there's there's a lot of just like checking the box right like for um if you like people want to be managers and C-levels I I tell them well probably need a CISSP and you probably need a master's degree often does the topic of your master's degree matter no not really it's just you just have to have that check box and that kind of opens up more doors for you so a lot of it's opportunity cost how much time and money is going to cost me versus um how much benefit am I going to get out of this and you have to kind of weigh those personally through each situation uh and then last on this list here is privilege escalation so the idea of privilege escalation is I land on a machine I am not the root user I'm not the administrative user how do I escalate my privileges to in order to become that ultimate end user and so there are some good courses out there the reason that we have these courses and this content is really for again CTF style so your OSCP is going to have privilege escalation on it so you're going to need to learn that kind of concept the PNPT for example is not a real pentest in my opinion very very rarely do I ever use any of the concepts found in these courses on a real engagement but if you're looking to pass an exam or you're looking to get better at CTFs you just want to get better at hacking this is kind of cool stuff uh it's not entirely relevant or practical but it's still useful in terms of career at least getting your foot in the door because 
this does lead to other exams so we do have a couple courses there's not anything really free material out there you can find some curated like um some blogs and things on on this and some resources but in terms of like if you're interested in video based learning there's really only two courses that are out there one is ours uh which is the Windows and Linux they're separate courses escalation for beginners uh and then on Udemy there's another great course from a creator called Tib3rius he's got Windows uh and Linux and he's teaching for OSCP and beyond so again that's where it really comes into use for these uh these certifications and for CTFs but with that said that is um everything that you need to know in my opinion to get into the field of ethical hacking. Heath that's fantastic thanks so much for sharing I mean this is the old question we always get like I've mentioned you know how do I get started and I'm I'm really grateful that you've shared a road map I just like you said as well everyone just needs to do their own due diligence and you know decide which path is is the right path for them but I really want to thank you for for making it clear I got some questions right AI hot topic um do you have training on AI is there any recommended training on AI and is AI going to take my job away? 
Good question uh we have a little bit of training on AI um more of it is for using AI as an assistant with programming more courses will be coming on our side I think the field is still really new in terms of AI and especially hacking like hacking LLMs is a very very niche concept right now a course material not that I'm tracking not to say that it's not out there but you will probably see some more as time goes on I have seen some like PortSwigger uh Web Academy has some modules on hacking the uh hacking LLMs it's just a few modules but it's still better than nothing so there are some concepts that are taught out there but again it's going to be increasing as time goes on is AI going to take our jobs ultimately in a pentest field I think you're pretty safe um for like entry-level jobs like help desk I could see AI replacing that in the next few years you're already seeing it with entry level jobs like they're moving AI for drive-throughs they're moving to AI for drive-throughs and assistance and things like that so yeah the lower level the job the higher risk that you are but in order to think like a hacker it's going to take a long time for AI to get to that level it's still making pretty basic mistakes on some things right now so I don't think there's any fear there I would say that you're more likely to lose a job at an entry level than you are going to be any sort of cyber security role now using it as an assistant understanding and learning AI is going to be critical to your job um I use it literally every day like it's something that you absolutely have to keep in your toolkit because it's just like anything else in cyber the field is always changing you need to adapt and learn to what the new trends are and that's going to be critical to success in field. 
So I'm starting today in 2025 do I go and learn like how to hack AI do I go and hack web applications do I do Network hacking or is it like just follow this path and then once you've got a bit further along then you decide what to specialize in? yeah I would say you need to get through at least that middle tier of the pyramid that we showed uh anything beyond that you can kind of start diversifying a little bit so do I want to become a network hacker yeah there's plenty of opportunity there you can completely specialize in that um especially with Cloud now so a lot of companies are moving away from true Active Directory and moving to Entra or Azure in in the Cloud and so there's some Active Directory hacking around that as well um you have web applications mobile applications AI is going to be another niche what I tell people is find what makes you excited to wake up and learn in the morning and really that's where your path should take you all these fields will pay well everyone will have its own niche you could specialize you could be a generalist doesn't really matter um I you know I'm I would consider myself a generalist that really really loves Active Directory hacking but there are people out there that just specialize a little bit in everything and not really a true specialist in any one specific topic and they they do fine in their career as well. I love that I mean if you can enjoy what you're doing you know then you're paid to have fun right? It makes it so much better I love coming into work every day um if I specialize in something that I really didn't enjoy like accounting um you know be pretty miserable. I'm I'm so glad that you decided to leave accounting and come into this you know field it's you've added so much to the to the community so I'm glad you left accounting I also studied accounting and thank goodness I left that behind as well man I think we would have both been terribly unhappy. yeah I I'm grateful every day. Heath one thing you
didn't mention do you have a Discord or you know how do we how do I connect with people because you know I'm just someone somewhere how do I interact with people in the community is it people that I should follow on Twitter was it like do you have a Discord how do I like get to ask you questions or perhaps other people in the community? yeah that's a great question we do have a Discord um it is tcm-sec.com Discord or you can go to discord.gg TCM um I I'm a big believer in Discord and so I'm a big believer in mentorship through Community I should say that's how I learn coming up and I think that's the best way a lot of people are out there looking for one to one mentors and mentors really are limited on time but if you can learn by Community you have the availability of people everywhere in the world to help you and you can help them as well so we have a Discord there's somewhere close to 65,000 people in there which can seem overwhelming um but that's just 65,000 potential resources as well we've got different areas in there for uh different certifications pathways foundational skills there's job postings career advice resume reviews like it's a really great place to just come and meet other people the advice that I give people if you do go to a community even if it's not ours is just give back what you take feel free to ask questions and go in there and and um learn from other people but if people are asking questions as well and you know the answer help out um it it pays to be a good person it pays to get back because people are watching there and 65,000 people there are Executives in there there are managers in there and a lot of people get jobs just from being a contributor into a community so that's my my big advice there is just give back what you take and really um utilize the community as best as you can and last thing is there's always somebody that wants to be where you're at right now so even if you just started learning two weeks ago you're two weeks 
ahead of somebody that hasn't started at all and so don't feel like I don't know enough I can't help out I think that's a bad mentality there's always going to be somebody that wishes they were at where you're at right now and you're always wishing you could be somewhere else right so again uh just keep that in mind and um yeah Community mentorship I think they're great to to have and I think that ours is a fantastic resource. I always think you know people who are young think they're too young and people who are old think they're too old but I think it's everyone's on a journey like you said and you know you people who can relate to you may rather get it prefer getting an answer from someone like yourself rather than say from me or Heath so you know my advice is always feel free to share and I mean even if you get the get it wrong it doesn't matter that's how you're going to learn as well and in Heath you and I both teach right the best way to learn is to teach. 100% anytime I have a complex topic I will just record myself teaching it to nobody and that really really helps uh but yeah if you could write a blog or put content out there uh it's amazing how many times I actually go back to my own content to pick up something that I'm trying to do on a real engagement because it just helps you remember and it's a a way to document and keep notes and it's a way to learn as well. So Heath talked to your younger self what advice would you give it doesn't have to be technical but like general advice you know you want to break into this field what would you advise yourself or you know what would you tell yourself? 
yeah this is the advice I think I share with a lot of people is just run your own race and comparison is the thief of joy it really is and social media especially over the past several years is a place where we get to see a lot of people's successes but we don't get to see a lot of people's failures and so we don't understand how long it took them to get to where they're at so it's very easy to get caught up in other people's success and uh have a detriment on our own and so really what you need to do is worry about getting better every single day being better than you were the day before just you nobody else you can look at other people and use them as motivation hey I want to be that person I want to get to that level great but you need to take your own pace getting there and there are people that just come in and be naturally talented and I kind of use running as an example like you may want to run a six-minute mile right now you're running a 10-minute mile uh if you keep looking at the person running six and saying that's my goal perfect but don't compare yourself to them and saying I'm never going to be there if you can run 9 minutes and 59 seconds tomorrow that's an improvement and that's all you really need there are going to be people that start running and can already run a six-minute mile and they've never ran before uh and that's just how life shakes out sometimes sometimes you're going to be better at something than somebody else is and sometimes it's the other way around people are going to learn topics faster than you and sometimes you're going to learn topics faster than other people ultimately you just need to worry about yourself uh compare yourself to others that really is the thief of joy just make sure you're running your own race and trying to be a better you every day. I love that advice Heath I really want to thank you for sharing and giving back to
the community really appreciated. yeah thanks David I really appreciate having me on again
2025-01-10 07:48