2025 Ethical Hacker Roadmap with lots of free training (NOT Sponsored)

2025 Ethical Hacker Roadmap with lots of free training (NOT Sponsored)

Show Video

so I'm starting today in 2025 do I go and  learn like how to hack AI do I go and hack   web applications do I do Network hacking? And  this is where a lot of people I think get hung   up initially is coding do I need to be a developer  do I need to be a programmer and you want to make   sure that you understand what that code is doing  before you just go run it so you're going out and   actually hacking a website or an application and  there are a ton of great resources that are out   there available we get to see a lot of people's  successes but we don't get to see a lot of   people's failures. Hey everyone it's David Bombal  back with the amazing Heath Adams, Heath great to   have you back on the channel. Hey David it's great  to be back. Heath it's 2025 question that you get   all the time I know and I get this as well I want  to become an ethical hacker how do I do this how   do I become like you? yeah it's a great question  David uh we've got a road map that we've laid out   and I'm happy to be here and sharing it today.  yeah looking forward to this because you and  

just for everyone who doesn't know you you as an  accountant I mean there's a long journey right but   you were an accountant then you got in you were  like a network engineer I've understood right you   became an ethical hacker you've started ethical  hacking business you do blue teaming now you do   like a whole bunch of things right? yeah we're  we're kind of all over the place but um it's it's   been a while journey from definitely accountant to  to running a pentest company is very weird. And I   think it's really important to highlight right you  run a pent testing company you pentest you have   people in your team that pentest so this is based  on real world experience? Yeah absolutely we're   we're always hiring and trying to understand the  market and so this is based on latest and greatest   ideas and what we're seeing in the market and the  ideal people that we'd rather have on our team uh   these are the the qualifications and training  and those sorts of things. That's brilliant so   I'm going to keep quiet Heath I get complaints  if I interrupt people so I'm going to keep quiet   unless I really have to ask a question so take  it away. Perfect yeah so we have a Blog that is   How to Be an Ethical Hacker in 2025 and this  covers a lot of information on Pathways and   everything else so a lot of what you're seeing  today I'm going to be going through on this blog   and just talking through the different journeys  that one has to take kind of from absolute zero   into becoming a pent tester so this is going to  start with assuming that you have zero knowledge   in it if there's certain areas where you say  hey I already know that you can feel free to   skip that and just kind of move your way up the  ladder and so we've got this pyramid here that   I'm sharing and this is kind of the foundations  and I equate it to a house you want to build a   strong foundation for your house before you go out  there and uh start building the actual house and   same thing with ethical hacking we see a lot  of people be interested in the field and then   they go out there start learning about hacking  right away and they realize it's very difficult   and they haven't learned the foundation so now  they're backpedaling and trying to learn other   Concepts and it can honestly lead to failure so  making sure that you have the core foundational   skills very very important uh for us those  skills are we consider basic IT so your A+   equivalent or something along the lines of being  able to troubleshoot build computers those sorts   of things layering on to that networking skills  uh going above and beyond that security skills   and then some things related to specifically for  cyber security you're going to need to know Linux   you're going to need to know some programming  as well uh so I'm going to cover the different   resources that are available there kind of in  that order and so we've got our basic it skills   and so I equate this to your A+ certification now  I don't think that you have to go out there and   get every single certification that I'm going to  talk about and it's not necessary to go get A+ n   plus Security+ if you don't want to you don't have  the funds all right this is just equivalencies   so from our standpoint A+ is really looking at  that beginner foundational help desk level and   so we have training out there that is specific to  this uh which is I think great Professor Messer   is fantastic uh this is completely free and so  Professor Messer does a lot as you can see with   A+ Net+ Security+ so if you're looking for free  training you're going to see me bring up Professor   Messer a few times in this class or in this video  I should say and so with his class is for the   exam specifically there are two exams for A+ so  there's the the 101 the 102 and he's got training   material for both of those and so you could just  go in here and watch the videos his videos are a   little bit more of kind of PowerPoint like and so  it's not as Hands-On with the material but you're   just kind of learning the overall Concepts and  some of it gets a little Hands-On but not really   um a paid alternative there is Mike Meyers I  think Mike Meyers does a great job on Udemy   and so just checking out different different  creators out there I used Mike Meyers when I   was coming up and I also used Professor Messer and  I thought they were both great uh you may find and   search for an A+ course on Udemy and say hey this  instructor seems interesting and you might go with   them but just looking out and doing your diligence  on courses that are out there um I'm going to do   a little bit of self-promotion throughout this  uh video as well this is our training material   so we have an academy at TCM Security and on  the academy there is this free tier so we have   a lot of the foundational courses and our goal  is to release foundational courses for everything   that you see in this video um and one of those  classes is practical help desk so this is a   19-hour class same concept it's not teaching you  to go out there and get the A+ so it's not a 18   or A+ type uh type class it's actually more of a  Hands-On practical class where you do actually get   to get in here and see some of the material it's  not really all that that PowerPoint training to   a specific certification so if you go through  the material you can see that hey we've got   how do we fix a computer how do we fix a laptop  what are the operating systems um going through   those going through networking as well remote  support ticketing systems uh cyber security   active directory like all the things that we think  you would need to know and again this is 100% free   so I'll point out when there are resources  I'll point out when they're free resources   like Professor Master is completely free and that  way you can kind of a path depending on your your   access financially and what not to uh to a journey  in cyber because it doesn't have to be incredibly   expensive I love that too so moving moving on from  that um once you have your A+ skills once you can   fix a computer troubleshoot some issues build a  computer you want to move into networking next   and there are some great resources for networking  that we've got laid out here again you're going to   see Professor Messer and you're going to see Mike  Meyers I think both of them are great uh courses   again but also we've got the Cisco Packet  Tracer which I know David you're a CCNA and   Cisco guy and so um this is a great resource  for coming in and just learning kind of like   your basic command line and learning some of  the the networking infrastructure and how it's   laid out and being able to kind of build out your  own labs and again it's completely free there's   resources in here for actually using Cisco  Packet Tracer and how to explore them some   some free resources there and so just learning  those networking concepts what is a uh what's a   port what are on different ports what is the  OSI model how do you troubleshoot networking   issues and just moving through chain it's going  to become important especially as you move into   pen testing and hacking because you're going to  need to know and understand networks like CIDR   notation subnets in order to hack them and so this  is a critical critical part that I feel like a lot   of people skip over and then they get overwhelmed  when they don't understand core networking concept   so understanding networking is going to be very  important. Heath the old old question I always ask   you CCNA or Network+ or doesn't it matter? Good  question uh I don't think it matters so I did   the Network+ and the CCNA the CCNA I think is more  challenging by far I think that it it's fine to go   CCNA if you want to be a pen tester I wouldn't go  above and beyond that like I don't think you need   to go ccie or anything uh but understanding those  core foundations CCNA is a great exam uh Network+   is is fine as well but just making sure that you  have those I think that the only thing with the   Cisco side is that you can start rabbit ho holing  yourself into Cisco specific so uh Compt is vendor   neutral but I do think that there's some benefit  to actually getting the CCNA and understanding   some of the uh command command line interface  and just being able to what happens if I hop   on some sort of networking equipment because  you get more Hands-On with the CCNA than you   do the Network+ and there are benefits there as  well but again you could do no certification you   could do both certifications it's completely up  to you and in what you're you want to do. So get   the knowledge don't worry so much about the cert.  100% all right next up uh Linux skills are going  

to be very important so the platform that most  of us live in for hacking is called Kali Linux   there are other versions out there too there's  like Parrot or distributions that should say uh   there's parrot both of them do kind of the same  thing they operating system or distribution made   for penetration testing or ethical hacking and so  basically they're a form of Linux that's Debian   based and you just have all the tools available  to you or most of the tools say available to you   for for doing hacking right out of the box and  so you're going to need to understand how to   navigate around Linux and use it because it's  different than uh it's different than Windows   it's different than Macs as well it's kind of its  own little learning curve so there are a lot of   great resources out there for learning Linux I'm  just going to start with ours because that's the   one first in the order here but again this is part  of our free tier Linux fundamentals you can come   through here and just pick up Linux without  having any former prior knowledge there and   it covers quite a bit I think it's two-hour course  here so it gets you through hey how do I actually   use Linux open the command line all the way to  actually writing some scripts with bash which is   good for your programming skills there are other  actual resources out there too like Linux journey   is a great one um you can come through here and  just do some of their uh different modules that   they have and it's all free as well we've got  over the wire which are these war games and   bandit's one of those ones for beginners they've  got a bunch of different war games in here but   basically it's kind of like a capture the flag you  go through and you have different challenges on   these levels and you have to accomplish different  things and that helps you kind of learn Linux   through challenges so I'd recommend like starting  with a Linux class first and then coming through   and challenging yourself to get through some of  these challenges and think a little bit logic   while using Linux ultimately there's a ton of  resources that are here uh we also have on our   Academy the paid side of the academy they have a  Linux 101 class which is kind of above and beyond   the 100 but it does get a lot more in- depth so  if you find yourself saying hey I want to know   more about Linux there are curated resources out  there as well you could go to Udemy same thing you   could go to YouTube search for a course uh just  make sure honestly that you're looking up more of   Debian based Linux because that's what to use in  ethical hacking there's different versions of it   uh but I'd be searching for Debian based courses  Ubuntu things like that that could help you out.   Heath I love what you've done right where you  have got the paid courses but you making so   much available for free especially for beginners I  mean it's great to see. Yeah I mean we've uh we've   got this motto of we don't believe that anybody  should pay price on education and so coming and   learning the foundations with us I think is a is  a great alternative and like a lot of our videos   are meant to just be short digestible especially  for this modern era where we want information as   quickly as possible and not as long as possible  so so um just getting that Hands-On kinesthetic   learning and I think it's a a big benefit to the  community. That's correct so once we get past   our Linux side of things uh coding is another  area where it' be very beneficial to learn and   this is where a lot of people I think get hung  up initially is okay coding do I need to be a   developer do I need to be a programmer and the  answer is no like if you understand programming   and you can go on and be a developer I think  that's a great addition to your skill set and   it's a great fallback too. A lot of people say  well I interested in cyber security but should   I go for a computer science degree if you're truly  interested in computer science absolutely because   if you get into cyber you don't like it you always  have your programming background to fall back on   um having the programming skills will help but  ultimately you just need to be able to read code   and the big reason for that is you're going to  go out to places like GitHub and you're going to   download code and you're going to run that code  against an environment if you're doing ethical   hacking that's going to be potentially against a  client or your own company and you want to make   sure that you understand what that code is doing  before you just go run it uh willy-nilly and so   from our side being able to just read code and  understand code helps you're able to take that   above and beyond be able to program automate some  of your things and your tasks that's even better   and there are tons and tons of resources out  there if you're learning programming um you can   find your own again I'm just going to list a few  of those out but there's tons that are out there   completely free um for us again free tier we've  got the programming 100 fundamentals covers a   lot of the Core Concepts and we teach in Python  which is where I think the industry is going in   terms of uh you used to teach Java as like your  introductory programming language in college now   they're teaching Python it's just a lot easier  to understand and and learn for beginners and um   there's a quite a bit of information here too you  get to build out your own uh tools and learn to   automate a lot of processes again completely free  uh free codeCamp another great resource that's out   there they do have a ton of tutorials they are all  over the place so make sure if you're looking for   programming tutorials you're looking for Python 3  because Python 2 may show up and that's deprecated   nowadays so Python 3 would be good to know um the  newer the course the better off you're going to be   because it's going to have the latest and greatest  fundamentals in there but tons of resources code   academy is another one here where this one is  semi free semi paid you can sign up for a free   trial and it doesn't take a credit card which I  like um they've got a ton of different things on   here you can go through and say hey what what  do you want to learn about tons of languages   but again I'd recommend starting with Python and  just one more resource that I've used in the past   is team Treehouse this is not free believe it's  25 oh it is free for seven days then $25 a month   but um I I like the way that it is just engaging  they've got video based instruction which I prefer   to learn from and so uh another great resource  depending on again budget and what what you want   to learn from who you want to learn from but you  can't go wrong on YouTube can't go wrong on Udemy  again for looking for this kind of content okay  last of the foundations is security skills so   now that we've kind of got everything laid in  place we need to add some basic cyber security   knowledge on that uh we've learned networking  for example we've learned what ports there are   uh we know that we've got uh Port 21 is FTP but  then we've got Port 22 is SSH and why why is   telet insecure and why are we using certain ports  and which ports are more secure what's encrypted   what's not uh being able to understand that very  important understanding the core foundations of   cyber security very important and that's kind of  the next step before you get into anything hacking   related is I need to understand these foundations  of cyber security before I move on and I always   like to think of this as when I was taking the  Security+ I was thinking of it as the Network++   because it really did take the Network+ material  and just layer layer Cyber Security details on   top of it so if there's one certification I think  that's like valuable out of what I just showed you   uh Security+ is going to do pretty well for you  A+ could get you a help Desk job Network+ maybe   get you Junior Network job uh CCNA definitely the  Security+ can definitely help you land like that   Junior SOC analyst type role or just kind of  set you apart from some people so out of the   list of what I've shown already I think this is  the most viable certification to get but there   are great great resources out there as well again  shouting out Professor Messer here um I think he's   fantastic on our side we do have a paid course  here which I'm going to scroll over this side   um we've got a paid course which is called SOC  Operations this is just on our Academy and this is   almost 30 hours actually it is now over  30 hours of materials and so it covers   literally everything that you would do from a  security analyst perspective so if you want to   learn the handson um actually get get kinesthetic  learning from a video-based uh site this would be   the material that I would recommend there's just  so much in here that uh you just get exposure to   and if you're looking to be a junior SOC analyst  or like a level one SOC analyst you're trying to   get into that side of things this would be great  prep even for Security+ again we don't teach for   any certifications but if you're prepping for a  certification having this type of knowledge would   be incredibly useful. How much does it cost is it  like a monthly fee or is it like once full. Yeah   we do monthly fees so it's for a month it's $30  a month um you get access to all of our courses   in in content um upwards too and you can do annual  as well and save a little bit on the the monthly   rate that's correct awesome that is it for the  foundational skills so now we'll move into the   actual foundations of ethical hacking perfect  okay so once we've got the foundations down and   the foundations that we just covered are good for  literally all of cyber in my opinion so even if   you don't want to become an ethical hacker those  are the core things that you should really know   now that we're moving into the ethical hacking  side of things we need to learn the basics of   ethical hacking uh and so where do we do that how  do we do that there's quite a few resources that   are out there so one I'm going to point to ours  again um for our resource we do have this on our   Academy this is the Practical Ethical Hacking  class this is by far our most popular course   this is what we started with this is what we're  known for um and this kind of takes you through   that journey of okay where do I actually start and  so we do cover some networking and you hey Linux   and Python um but we come through here what's  the hacking methodology how do we perform the   five steps of ethical hacking which we start with  information gathering reconnaissance we go into   scanning and enumeration uh which we cut through  here and then we start just hacking machines and   so you learn exploitation which is step three and  we've got Capo machines that are built custom here   that you actually go through and you have to  hack your way into those machines we get into   active directory hacking which I think is the most  important thing for a junior pentester to know how   do you hack an active directory environment and  so we've cut a lot of information just on active   directory hacking we get into web application  hacking which is also very important and there's   just a ton of information here some Wireless  hacking report writing legal documents you   should know etc and so it just covers everything  that you should know is developed as what should   you know to become a pentester and we do have this  for free as well at least the first half of it so   we do have the first 15 hours of this course for  free um this is a little bit older this is 2023   Edition so it's not the latest and greatest but it  gives you a great idea and is the core Foundation   still what it covers to get you to that next level  of understanding uh what ethical hacking is like   am I going to actually even like this this is  something I want to do so before even putting   any money into anything you can come to YouTube  again and go through this content in these courses   and actually see do I want to become an ethical  hacker and there's a part one here there part two   here and you can absolutely come through and check  this out there are other resources out there as   well TryHackMe is one that has some free options  and some paid options so you can come through   here and actually do what is more of like a CTF  style learning so they teach you through more of   Hands-On activity what I do like about TryHackMe  is that you can come through and actually do tasks   so they're task oriented it's more text based  learning but you can come here and have objectives   and then submit answers and learn through  exercises so that's pretty nice um Hack the Box is   very similar Hack the Box was um more of a capture  the flag style environment now they've kind of   shifted to an academy their site is not free in  that sense you do have to pay for what are called   cubes on their site so depending on how many  cubes and paths you want to go down the pricing   does change um but it's another great resource  that is um being utilized by a lot of people   uh last but not least there is Vuln Hub this is  very much Capture the Flag style and so I should   differentiate there there's what I consider  practical hacking and Capture the Flag style   hacking I think both of them have their um their  place in hacking but it's more like a vend diagram   in in terms of there's going to be some overlap  but the more time you spend on Capture the Flag   style the more you're really focused on um I  would say more impractical things you're going   to maybe learn some items that are uh exploits  and things that are relevant but the pathways to   get there maybe are not the most practical or  relevant ways that you actually to see in the   real world um so the more you can focus on actual  practical learning versus doing these CTF type   machines the better however still doing CTF type  machines is good for like logical games is good   if you ever do want to go out and do a CTF there  are some exams which we'll get to later that are   more CTF based and so if you want to take a CTF  based exam learning these types of techniques   can be good as well so there's quite a bit that  you can learn from here I would stray if you're   learning more on the uh trying to become a hacker  side I would say straight on the ethical hacking   practical side more so than the uh the handson  CTF style but everybody has their their place   for learning on this. Heath can you just go back  to your tab on your YouTube channel right because  

you that's one video that you've got like 15 or  30 hours of content or so but you got a whole   bunch of videos It's the Cyber Mentor is that the  channel name right? Yeah the Cyber Mentor we uh   we've got quite a few yeah I you can see a lot of  them here over on the side but we've got um ENT a   lot of the courses that are on our Academy half of  it's up for free anyway so you can come and learn   and say do I like this am I not interested and so  we again there's a ton of free material out there   there's Linux course out there I know we've got  Python we've got an older ethical hacking course   that's on there as well so there's there's quite  a bit in here in terms of courses and content if   you just come into our cyber Mentor Channel and go  to full courses there's um there's a tab for that   on our channel. So for everyone watching please  go and sub show the love he's giving so much away   for free he really appreciated it so please for  everyone watching go love he's trying to get to   a million subs at the time of this recording he's  getting close so you know get him to a million as   soon as you can. Appreciate that just trying to  have my gold plaque like you David yeah exactly   man it's go for it man it's not long it's going  to happen appreciate that so once we learn our   foundations of ethical hacking that kind of  gets us to what is maybe a junior level for   hacking once we have that we really need to build  Upon Our skill set and there's a ton of places to   go out there and do this really from an ethical  hacking standpoint when you come into the field   and you want to be a junior ethical hacker Junior  penetration tester you're going to need to know   how to perform external pen tests and internal  pen tests external is outside looking in how do   I break into an organization from the outside  a lot of that is open source intelligence a   lot of that is finding out usernames and trying  to to Really guess passwords and get into login   panels um from an internal perspective we're  really looking at active directory so what   happens once I'm inside the network what happens  that there's been a compromise most networks out   there activ directory based networks from a a  business environment so that's where we're really   focused on so understanding those two things very  important understanding web application hacking   is going to be important too at a junior level  you're not expected to come in and actually hack   a web application but you should have some core  knowledge of what we call the OAS top 10 we'll   talk about that in just a second but that will  set you above and beyond your peers especially   interviewing uh we do wireless hacking on the  network side as well um there's additional types   of hacking as you kind of grow in your career  I mean there's airplane hacking iot hacking   mobile hacking there's all kinds of stuff that's  out there you can turn in and specialize but for   now we're going to focus on what are the core  things that I really should know if I want to   be set myself apart as an ethical hacker and so  we've talked about active directory already and   for active directory I'm biased a little bit but  I truly do believe the Practical ethical hacking   course that we have is the best baying for your  buck out there to learn active directory hacking   there are some blogs that I listed in our blog and  people that are really good contributors to the   active directory hacking space and so definitely  go check those people out out as well as any   of these people follow their their X or their  Twitter and um be able to just kind of get updates   on active directory if you're interested in those  sorts of things I'm going to shift down to web   here and somewhat mobile web is very important  you can actually be a web application hacker you   can be a network hacker as well but you can be a  web application hacker without being anything else   like you could just specialize in any topic web  application has become very prominent because a   lot of programs that are out there are called Bug  Bounty programs that will actually pay you to go   and hack their application uh you submit the  bug to them you get a reward usually monetary   and so it's become incredibly popular in the  hacking space most of those are web not all but   a majority of those are web so you're going out  and actually hacking a website or an application   and there are a ton of great resources that are  out there available I'm going to start with the   free ones um best bang for your buck because it's  free is PortSwigger Academy they actually make one   of the tools which is called Burp Suite that we  use pretty heavily from a hacking perspective   when using web apps this Academy has absolutely  amazing resources you can just come in here and   click on any of these modules they give you labs  they give you lessons they give you walkthroughs   and it will just take you from uh 0 to 100  pretty quick in terms of just able to learn   these concepts um we have other resources too  like Hacker 101 this is pretty neat they have   some video lessons in here um I actually I don't  know if I'm still on there but I taught quite a   few of these classes back in the day there's a  CTF here that once you've kind of taken your your   video classes you can go participate in their  CTF if you complete the CTF you get a private   invite which is kind of nice um private programs  are a little bit better than public programs not   everybody's in it so you actually have a little  bit exclusivity you can kind of hack and know   that hey not the entire population come see  this program so you have greater likelihood   of finding some bugs which is kind of nice as well  um hacker hacker one is a Bug Bounty platform as   is Bug Crowd um Bug Crowd has their own University  and their videos in here I don't think they're as   curated but there's still pretty nice videos  in here that you can come through and look up   different resources and things like that there  is pentester lab which has some free component   Pro component uh you can come in here and do  different exercises for their platform as well   um you can see like GraphQL like literally so many  different things that you can go through here and   practice so again it's just how you learn and and  your your style from a self-promotion standpoint   we've got quite a few classes um our beginner  class is actually called practical Bug Bounty we   do partner with Integrity here so Integrity  is another uh Bug Bounty platform similar   to hacker one or Bug Crowd that if you complete  this class and you submit your certificate of   completion to them they will uh consider you for  private programs which is really nice so it it   says hey I have gone above and beyond I actually  do have some knowledge and that kind of gets you   into that system where you start getting private  invites which is really nice so this kind of takes   you from the foundational hey where do I start um  what are the foundations of hacking those sorts of   things the Practical ethical hacking course has a  lot of this as well um this goes a lot deeper than   what's found in the Practical ethical hacking so I  would start again practical ethical hacking that's   your foundation this starts going above and beyond  that and then we just keep taking that further and   further so we have practical web hacking which is  like The Next Step Up um API hacking as well and   then we've got our advance Advanced web hacking  class that we're we're just starting to to launch   out for um these do have certifications side of  them as does practical ethical hacking I won't   get too much into certifications right now but  there's certifications to this and exams that   if you wanted to go through it you could if you  wanted to just do the academy you could do that as   well uh if you're interested in mobile application  testing we also have a course on that um this is   something that is becoming more popular especially  in the bug Bounty space uh worth considering as   well um and you could specialize and that's a good  way to specialize in being kind of more of a niche   field and kind of set yourself apart from um you  know from all the other hackers I would be in   trouble if I didn't mention OAS from a web hacking  perspective oas.org is a great Community really  

what they do and what they're known for is this  top 10 so every few years they change their top 10   one of the top 10 most critical vulnerabilities  that web apps are facing right now and so as a   pentester especially as a junior you're going to  get questions on the OAS top 10 when you're doing   interviews and so understanding what the OAS top  10 are and understanding what their remediations   are very important again as a junior you don't  have to come in and be hacking web applications   day one it's an expectation of you as you grow  for us when we're doing our hiring we have Juniors   come in they start on external pentest once  they work their way up they do internal pentest   and then they work their way up and they do web  application so it kind of scales in difficulty   and for us we are asking questions and as are a  lot of interviewers about web application pent   tests and so understanding these very critical  same thing here it's good to know about this OWASP  web security testing guide this is actually what  we use when we're doing pentest we've got this uh   converted into an Excel format as a checklist  but this is a book that actually takes you   through step by step if I'm doing a pent test  what should I be doing on a web application a   very very important res source for the community  lastly um there are these Hacktivity or Bug Bounty   write-ups that I think are fantastic um HackerOne  is just one example of it and you can just Google   Bug Bounty write-ups but you can come through here  and these are disclosed write-ups like here's one   for LinkedIn okay somebody got paid um doesn't  say how much they got paid here but they got   paid uh for this information disclosure where you  can see phone numbers of other users by providing   an email address that's cool you can click in here  and see okay well how did they do it and they show   you how they did it and so this actually kind of  takes you through stepbystep process of these so   what I used to do especially when I was learning  web apps early on I would actually start going   through and just looking at the bug that I thought  I maybe had and trying to find instances of other   people out there that had had written those up and  then testing that functionality and some of those   ideas that they had this is a great way to learn  is learning from other people and actual exploits   that are out there and happening okay moving back  so another item that we should know about is our   wireless hacking um from a wireless in standpoint  you can honestly just read a Blog I put a couple   in here but I know even David has videos on  wireless hacking from a hacking perspective   when we're testing Network we're really looking  at two things we're looking at WPA2 pre-share   key which is basically what's used in your home  network that's pretty easy you grab a hash you uh   you take the hash try to crack it offline there's  also enterprise which is a little bit trickier   that is using often radius it's using active  directory credentials uh there are ways to make   that insecure as well and there's ways to hack  Enterprise you can learn Wireless hack Ing and   follow along with a Blog honestly a lot of people  when they first start learning about hacking they   start with wireless because it's kind of a little  bit easier you just get a a wireless adapter   that's where I started you just start messing  around and and uh seeing where you can what you   can do and so um you can learn this from a Blog I  don't even know if there's a true Wireless hacking   course that's out there unless it's like really  complete and does Bluetooth hacking and other   things then that's getting a little bit above  and beyond our scope as a as a junior pentester   outside of that certifications this is a big topic  in the space and so I have put this chart together   this is not all inclusive of certifications  by any mean these are what I consider the   top certifications for entry level pen testing  uh there are all kinds of other certifications   there's web application hacking certifications  there's mobile hacking certifications uh different   ventures into different fields if you want to  become an entry-level pentester here are the   certifications that are really available to you  right now and so I've laid this out with these   this chart here we've got is this a multiple  choice exam your Pentest+ your CEH your GPEN   is okay so multi choice meaning I'm just going  through I have questions I have to pick from   an answer perfect now for CTF style exams Pentest+  has some simulations so it also gets a check   mark here for CTF and when I say CTF I'm saying  that it is not entirely practical it's not like   you're going in you're doing an actual pentest and  you're trying to hack against a an environment so   you're you're kind of doing a simulation against  machines in an impractical way uh same thing for   the CEH they do have a practical what they call  practical environment to their test but they   do have multiple choice so these are kind of  simulation based same with the GPEN the OSCP is   a true CTF style exam they've added some active  directory components which is nice lately and   so you go in you have 24 hours you have to hack x  amount of boxes to get x amount of points to pass   their exam you have to write a report submit  that and you can pass your exam um from the   practical side there are two exams that are out  there right now that I think are doing well one   is ours uh full disclosure but the PNPT which  is our certification CPTS which is the Hack the   Box certification both of those are practical you  are given an environment you have five days for   ours to go in and and hack the environment right  so you can go in for PNPT you have to perform   an external you break into the internal you have  to then compromise the domain you have to write   a report you have to give a debrief in front of  our team and so you go through the process and   steps that a real pentester would go through and  so we're starting to see an industry shift towards   more of these practical style exams which I think  a lot of people actually like and learn from as   opposed to the multiple choice exams where you  can kind of bring dump it a little bit in terms   of I learn all these things I go take the exam  maybe I don't have to learn these these at least   prove that yes I do have the the Hands-On skill  set OSCP as well I've got the Hands-On skill set   of where I need to go um government side of things  what is on the US this is only us-based what is on   us-based government um requirements pentest plus  C gpen okay so these ones if you're looking for   specifically a government role or you're trying  to adhere to 8570 which is getting replaced   then you're looking in this column here and what  is most beneficial Pentest+ could be good CH   could be good GPEN if employer paying for it which  coming down to cost uh CPTS PNPT Pentest+s are   going to be under $500 um CEH is anywhere in the  ballpark of a thousand to $1,500 depending OSCP is 1500   to 2500 depending on the plan that you get and  then the GPEN is upwards of $8,000 anywhere up to   to $10,000 depending so the higher you scale here  the more you're hoping your employer pays for the   the cost of the the exam and so those are those  are the critical certifications do your research   and due diligence on those um you know they all  have their place depending on what you're doing   again government for example I would lean towards  those if you're trying to stay in government you   want that Hands-On practical exam um you know  cost is an important factor as well so those   are things to consider when you're looking at  certification exams but these certifications are   critical in my opinion to getting in the field  you don't necessarily have to have a certific   to break in I'm going to say that again but you  are competing against people that likely do have   one or multiple of these and so you have to  think about okay well if I don't have those   where else am I going to set myself art having a  YouTube channel doing blogs uh attending events   volunteering uh being a part of a community or  being in Discord uh Slack channels those things   like that networking very good but these are going  to be pretty useful for you as well so do you   have to have them no can you get by without them  absolutely are they going to help open some doors   yeah absolutely as well. You get past the the  recruiters right I mean that's the whole idea   with certs I think is you you get your foot in the  door to get to the interview helps a lot with   that? Yeah absolutely yeah I mean there's there's  a lot of just like checking the box right like for   um if you like people want to be managers and CE  levels I I tell them well probably need a CISSP   and you probably need a master's degree often does  the topic of your master's degree matter no not   really it's just you just have to have that check  box and that kind of opens up more doors for you   so a lot of it's opportunity cost how much time  and money is going to cost me versus um how much   benefit am I going to get out of this and you  have to kind of weigh those personally through   each situation uh and then last on this list here  is privilege escalation so the idea of privilege   escalation is I land on a machine I am not the  root user I'm not the administrative user how   do I escalate my privileges to in order to become  that ultimate end user and so there are some good   courses out there the reason that we have these  courses and this content is really for again CTF   style so your OSCP is going to have privilege  escalation on it so you're going to need to   learn that kind of concept the PNPT for example  is not a real pentest in my opinion very very   rarely do I ever use any of the concepts found in  these courses on a real engagement but if you're   looking to pass an exam or you're looking to get  better at CTFs you just want to get better at   hacking this is kind of cool stuff uh it's not  entirely relevant or practical but it's still   useful in terms of career at least getting your  foot in the door because this does lead to other   exams so we do have a couple courses there's not  anything really free material out there you can   find some curated like um some blogs and things on  on this and some resources but in terms of like if   you're interested in video based learning there's  really only two courses that are out there one is   ours uh which is the Windows and Linux they're  separate courses escalation for beginners uh and   then on Udemy me there's another great course from  a creator called Tib3rius he's got Windows uh and   Linux and he's teaching for OSCP and beyond so  again that's where it really comes into use for   these uh these certifications and for CTFs but  with that said that is um everything that you   need to know in my opinion to get into the field  of ethical hacking. Heath that's fantastic thanks so   much for sharing I mean this is the old question  we always get like I've mentioned you know how do   I get started and I'm I'm really grateful that  you've shared a road map I just like you said   as well everyone just needs to do their own due  diligence and you know decide which path is is   the right path for them but I really want to thank  you for for making it clear I got some questions   right AI hot topic um do you have training on AI  is there any recommended training on AI and is   AI going to take my job away? Good question uh we  have a little bit of training on AI um more of it   is for using AI as an assistant with programming  more courses will be coming on our side I think   the field is still really new in terms of AI and  especially hacking like hacking LLMs is a very   very niche concept right now a course material  not that I'm tracking not to say that it's not out   there but you will probably see some more as time  goes on I have seen some like PortSwigger uh Web   Academy has some modules on hacking the uh hacking  LLMs it's just a few modules but it's still better   than nothing so there are some concepts that  are taught out there but again it's going to be   increasing as time goes on is AI going to take our  jobs ultimately in a pentest field I think you're   pretty safe um for like entry-level jobs like help  desk I could see AI replacing that in the next few   years you're already seeing it with entry level  jobs like they're moving AI for drive-throughs   they're moving to AI for drive-throughs and  assistance and things like that so yeah the   lower level the job the higher risk that you are  but in order to think like a hacker it's going to   take a long time for AI to get to that level it's  still making pretty basic mistakes on some things   right now so I don't think there's any fear there  I would say that you're more likely lose a job   at an entry level then you are going to be any  sort of cyber security role now using it as an   assistant understanding and learning AI is going  to be critical to your job um I use it literally   every day like it's something that you absolutely  have to keep in your toolkit because it's just   like anything else in cyber the field is always  changing you need to adapt and learn to what the   new trends are and that's going to be critical to  success in field. So I'm starting today in 2025 do   I go and learn like how to hack AI do I go and  hack web applications do I do Network hacking or   is it like just follow this path and then once  you've got a bit further along then you decide   what to specialize in? yeah I would say you need  to get through at least that middle tier of the   pyramid that we showed uh anything beyond that you  can kind of start diversifying a little bit so do   I want to become a network hacker yeah there's  plenty of opportunity there you can completely   specialize in that um especially with Cloud now so  a lot of companies are moving away from True activ   directory and moving to Entra or Azure in in the  Cloud and so there's some active directory hacking   around that as well um you have web applications  mobile applications AI is going to be another   niche what I tell people is find what makes you  excited to wake up and learn in the morning and   really that's where your path should take you  all these fields will pay well everyone will have   its own niche you could specialize you could be a  generalist doesn't really matter um I you know I'm   I would consider myself a generalist that really  really loves active directory hacking but there   are people out there that just specialize a little  bit in everything and not really a true specialist   in any one specific topic and they they do fine in  their career as well. I love that I mean if you can   enjoy what you're doing you know then you're paid  to have fun right? It makes it so much better I   love coming into work every day um if I specialize  in something that I really didn't enjoy like   accounting um you know be pretty miserable. I'm I'm  so glad that you decided to leave accounting and   come into this you know field it's you've added  so much to the to the community so I'm glad you   left accounting I also studied accounting and  thank goodness I left that behind as well man   I think we would have both been terribly unhappy.  yeah I I'm grateful every day. Heath one thing you  

didn't mention do you have a Discord or you know  how do we how do I connect with people because you   know I'm just someone somewhere how do I interact  with people in the community is it people that I   should follow on Twitter was it like do you have  a Discord how do I like get to ask you questions   or perhaps other people in the community? yeah  that's a great question we do have a Discord um   it is tcm-sec.com Discord or you can go to discord.gg  TCM um I I'm a big believer in Discord and so I'm   a big believer in mentorship through Community  I should say that's how I learn coming up and   I think that's the best way a lot of people are  out there looking for one to one mentors and mentors   really are limited on time but if you can learn  by Community you have the availability of people   everywhere in the world to help you and you can  help them as well so we have a Discord there's   somewhere close to 65,000 people in there which  can seem overwhelming um but that's just 65,000   potential resources as well we've got different  areas in there for uh different certifications   pathways foundational skills there's job postings  career advice resume reviews like it's a really   great place to just come and meet other people  the advice that I give people if you do go to   a community even if it's not ours is just give  back what you take feel free to ask questions and   go in there and and um learn from other people  but if people are asking questions as well and   you know the answer help out um it it pays to be  a good person it pays to get back because people   are watching there and 65,000 people there are  Executives in there there are managers in there   and a lot of people get jobs just from being a  contributor into a community so that's my my big   advice there is just give back what you take and  really um utilize the community as best as you can   and last thing is there's always somebody that  wants to be where you're at right now so even   if you just started learning two weeks ago you're  two weeks ahead of somebody that hasn't started   at all and so don't feel like I don't know enough  I can't help out I think that's a bad mentality   there's always going to be somebody that wishes  they were at where you're at right now and you're   always wishing you could be somewhere else right  so again uh just keep that in mind and um yeah   Community mentorship I think they're great to to  have and I think that ours is a fantastic resource.   I always think you know people who are young think  they're too young and people who are old think   they're too old but I think it's everyone's on a  journey like you said and you know you people who   can relate to you may rather get it prefer getting  an answer from someone like yourself rather than   say from me or Heath so you know my advice is  always feel free to share and I mean even if you   get the get it wrong it doesn't matter that's  how you're going to learn as well and in Heath   you and I both teach right the best way to learn  is to teach. 100% anytime I have a complex topic   I will just record myself teaching it to nobody  and that really really helps uh but yeah if you   could write a blog or put content out there uh  it's amazing how many times I actually go back   to my own content to pick up something that I'm  trying to do on a real engagement because it just   helps you remember and it's a a way to document  and keep notes and it's a way to learn as well.   So Heath talked to your younger self what advice  would you give it doesn't have to be technical but   like general advice you know you want to break  into this field what would you advise yourself   or you know what would you tell yourself? yeah  this is the advice I think I share with a lot   of people is just run your own race and comparison  is the thief of joy it really is and social media   especially over the past several years is a place  where we get to see a lot of people successes but   we don't get to see a lot of people's failures and  so we don't understand how long it took them to   get to where they're at so it's very easy to get  caught up in other people's success and uh have a   detriment on our own and so really what you need  to do is worry about getting better every single   day being better than you were the day before  just you nobody else you can look at other people   and use them as motivation hey I want to be that  person I want to get to that level great but you   need to take your own pace getting there and there  are people that just come in and be naturally   talented and I kind of use running as an example  like you may want to run a six-minute mile right   now you're running a 10-minute mile uh if you  keep looking at the person running six and saying   that's my goal perfect but don't compare yourself  to them and saying I'm never going to be there if   you can run 9 minutes and 59 seconds tomorrow  that's an improvement and that's all you really   need there are going to be people that start  running and can already run a six- minute mile   and they've never ran before uh and that's just  how life shakes out sometimes sometimes you're   going to be better at something than somebody else  is and sometimes it's the other way around people   are going to learn topics faster than you and  sometimes you're going to learn topics faster than   other people ultimately you just need to worry  about yourself uh compare yourself to others that   really is the thief of joy just make sure you're  running your own race and trying to be a better   you every day. I love that advice Heath I really  want to thank you for sharing and giving back to  

the community really appreciated. yeah thanks  David I really appreciate having me on again

2025-01-10 07:48

Show Video

Other news

Brennan: Precision technologies on extensive beef production systems 2025-01-17 15:15
CES 2025: A Declaration of Autonomy. Accenture Tech Vision Session 2025-01-14 03:00
Novel drilling technology to accelerate the heat transition 2025-01-11 13:25