Hacking Your Offensive Security Career
Engineering your career ethically.
Offensive Security people are some of the most interesting and intelligent I’ve met, with individuals coming from all sorts of diverse backgrounds. I’ve spent most of my career working in this space, either as a consultant or leading teams. Two characteristics that I’ve found ubiquitous across the sub-sector are a sense of curiosity and a desire to bend things to our will. Conversely, I am always struck by the frustration, and in some cases bitterness, that people have about climbing the career ladder. I find it surprising that many smart people struggle with this element of the industry, as seemingly they have all the right skills to soar to the top. It should be noted that not everyone is a careerist, and for many the actualisation of being able to ‘hack stuff’ for a living is the primary motivator. Moreover, the rich neurodiversity of our field (I count myself, proudly, among these ranks!) can sometimes create social barriers that make forming the relationships that enable ‘getting ahead’ much harder. As is always the case, no single approach is superior to another, but being honest with yourself about your goals is an important part of your journey.
For those who’ve been unfairly overlooked for promotion, have struggled to make your mark, lack the recognition you deserve, don’t know how to improve your ‘game’… this post is for you.
Thanks for reading Munrobotic Cyber Security Blog! Subscribe for free to receive new posts and support my work.
The first thing I should have written is that this post is predicated on the principle that hard work and capability development come ahead of career engineering. If you’re spending more time developing your Twitter game than on skills development, you should consider refocusing your efforts. These ideas are designed to support those who are already working hard at developing their craft. I hope this will support those who need some pointers on how to channel their approach, or on how to create awareness of their capability in their organisation (or the community).
Consistent personal development is not unique to our field; however, it is one of the most important elements. The motivation for learning needs to come from you and be supported by your employer and/or mentors. Many of us can get stuck in what I call the ‘teacher-student mind-set’, especially early in our careers. This is the misapprehension that anyone else has responsibility or accountability for your learning and it’s normally a symptom of the schooling system. There may be people with a vested interest in your personal development, but that isn’t the same thing. The most important thing (in my humble opinion) for personal development is the ownership of it and the acceptance that you will need to drive this throughout your career.
One of the traps I have seen often in this area (especially on social media) is the debate about industry certifications versus academic qualifications, versus work or life experience. I don’t think it’s a useful discussion, because the answer is obvious. There is no ‘one way’ to learn, all knowledge is good (irrespective of acquisition method), everyone is different, and has a different journey. One route is no less valid than another. Certifications do not automatically make you proficient in and of themselves, but then neither does tenure. When taking advice from people on this topic, always consider the source i.e., don’t take sweets/candy from strangers (even if they have 50k followers on Twitter).
Finding your Cheerleader and Mentor
It’s important to identify someone who’s going to be your coach, sponsor or cheerleader within your role. This is a really important step, that often happens organically when you demonstrate the right aptitude and attitude. If you’re struggling to find this person, start with self-reflection as to your general approach. Are you proactive? Do you try first, THEN ask others for pointers, or ask blindly for solutions? If you’re struggling, don’t be afraid to ask a senior colleague if they would mind spending some time with you and give you the benefit of their experience. It’s important that you don’t come across as inauthentic, so don’t find the company ‘rockstar’ in your first week and ask ‘will you be my mentor?’ It’s important to demonstrate the right attitude and develop rapport with people first. Often, you’ll find that the best technical performer will not be the best mentor. Therefore, it’s important to build working relationships with a broader range of people, and start looking for those willing to give up their time and (hard-won) knowledge. I would also encourage reaching out to the community and engaging with people who share your specific interests. I’ve found that the overwhelming majority of creators are more than happy to engage and support people who demonstrate enthusiasm for their work. Don’t be intimidated by stature or infamy of the InfoSec Twitterati. Be bold, be polite, be curious.
How to Get Your Employer to Fund Training
Personal growth is super important in our field, for a couple of key reasons. For our industry to remain relevant, we need to understand the latest technology and have access to it. Secondly, it’s a good long-term business strategy to invest in people. If you’re like the majority of people, in that you don’t have an explicit annual training budget, you may need to build a strong case. In theory, your leadership team should be doing this on your behalf. However, be mindful that they may have attempted it, but not have been successful. Don’t go in all guns blazing with a list of demands.
In order to maximise the chances of success, you need to build a strong business case alongside your personal goals. It’s important to remember that what you want is the outcome, not a win for your ego. Often, this is where people go wrong. They focus solely on their own personal development, rather than considering the benefits to the business. I caveat this section with the statement: “this is not my personal approach or belief, but the common response or attitude you may find in money-making organisations”. The harsh reality is, you are not entitled to expensive external training (unless you were smart enough to negotiate this into your contract when you joined). Smart employers will offer this, but a sense of entitlement in this area will rub people up the wrong way. If you’re finding frustration or blockers in this area, the best thing to do is approach it as you would a hacking challenge. If you can’t get a shell on a job, would you complain that it’s being unfair? You’d look for the solution. That’s the best advice I can give for your career as a pen tester: decide whether you want validation of what you feel is your righteousness, or to get the end result you want. This is not about compromising ethics, it’s about setting expectations and engineering the best outcome. Hopefully, the following dos and don’ts will help you navigate these situations.
I’ve listed some of the common approaches that may fail, below, and why:
I haven’t had any training in ‘x’ months / years
This risks coming across to your leadership as a moan. Think about whether you’ve previously requested training, and if you haven’t, whether you may have ended up at the back of the queue. I’m not saying this is right, just the common reality. The key point is that this ‘challenge’ to your leadership doesn’t address what you want and why; it’s just an unmet expectation that they may not share. Be forward looking: why should you get training now?
<insert-name> got training…
Comparing yourself to others when negotiating on things like training, budget allocation or even salary is not a good way to go. This will come across as immature to senior leaders. Don’t focus on disparities in what you perceive as fairness, focus on what you want and why you should get it. You don’t know other people’s situations and the business will not want to discuss this with you. This is not to say that organisations should not be fair and transparent, it could be the case that another colleague got there first and built a good case. Budget is finite and with a large number of people to support, it’s a case of prioritisation.
If an organisation has promised you ‘x’ and then not delivered, that is unfair and should be challenged. There may be genuine reasons for them to renege, but it’s a difficult pill to swallow. However, expecting that you should be front of the queue is likely to annoy people and reduce your chances. Consider reflecting on what it is that you want and how you’re going to get it, rather than your perceived entitlement.
Create the Case
When building a case for training, you should think about the benefits to the business and put the focus of your request on that. Your line manager should help you with this (if they aren’t already doing it on your behalf), so speak to them in the first instance to lobby for support. I would suggest creating a Word document outlining your case, or a well laid out email. Questions you should proactively answer (in the form of clear justifications):
Are publicly available materials scarce or skills difficult to acquire? Are these essential in order for you to deliver billable work?
Will this add any new capability to the team?
If this is for a niche area, such as ICS / SCADA, that’s something to highlight. New skills equal new service lines, which equals more revenue (money) to the business.
Does this come with a certification that is useful or valuable to the business?
In the UK, things like CREST / The Cyber Scheme give access to the Government CHECK scheme. More certified people means more options for clients, which in turn, means more sales wins and retained clients. More broadly, in RfPs (how large businesses assess which providers they will use) they will often ask for certification numbers (*rolls eyes*) for things like OSCP.
Are you suggesting the most logical cost effective option?
Check if there is an option to do the course online rather than in person; perhaps if you wait a month the SANS course abroad will be run locally. Demonstrate that you’ve considered multiple options and alternatives and that this is the best one. It’s important to factor in expected travel costs too. P&L holders (the leaders who hold the money and make decisions on spending it) like to feel they’re spending optimally and getting a good deal. I find that providing three options works well, with the middle one being the one they are most likely to select, so build the request in a way that drives their decision-making.
Becoming a Leader (or Not)
One of the hardest decisions you may be confronted with in your career is whether you should become a leader or not. As Offensive Security is a very technical field, there tends to be a habit of promoting the best individual performers into leadership positions. This is due to a lot of factors such as: poor leadership, a glass ceiling on technical positions or few other options to retain top talent. This issue is usually compounded by a lack of training and support for new leaders, and role models who themselves suffered a similarly janky transition to seniority. If you find yourself in this position, I wrote a post for new leaders here that may help.
To decide whether you want to go into leadership, you should consider why that is your goal. If it’s because you want to be the boss or only to get more money, you probably shouldn’t start the journey. Those things come unstuck fast and can lead to responsibilities you don’t want. If you want to learn about becoming a leader and feel your skills are better suited to it, it may be the best thing you ever did. The key thing is to be truly honest with yourself, even if you’d rather there was a different answer.
If you decide that you do want to become a leader, my advice is that if you see an opportunity or you’re offered the opportunity, go for it. In our industry, there aren’t opportunities every week to lead teams, you need to take the chance when it comes up. By the time you decide you’re ready, there may not be an opportunity for you. My next piece of advice is that as a leader, your ‘boss’ becomes more intrinsic to your ability to do your role, especially in lower/middle management. The right boss during your formative leadership years is key. Choose wisely and weight this heavily in your decision-making. The right role for the wrong boss can have long-lasting impact on your career. Another key mistake that new leaders often make is to think that now they’re the ‘boss’, they’ve made it. You may know the job your team do and the industry in which you work, but you’re back to school as a leader and it’s important to treat it that way. Although very cliché, I would suggest reading broadly about leadership and remember what you liked / didn’t like from your bosses in the past. Personally, I like the concept of servant leadership and the idea that ‘I work for the team’ rather than ‘the team work for me’. Your role is to set direction and ensure the well-being of your team, you want to create the best environment for them to operate within.
High Performance, Technical Development and Research
I’ve been extremely lucky to have worked with some of the best technical people in the industry. There are some common approaches and things they do which have radically redefined my outlook on what it means to be a high performer. I feel that if I ever decided to go back to penetration testing myself, I’d be a lot better second time around. I think this is because I’ve worked closely with people who’re much better than me. I know more now about what it takes. Hopefully, I can impart some of what I’ve observed directly in this post, but my advice is to watch how the ‘best’ do it and experiment with your approach.
The first thing that differentiates the very top performers is their cadence and their ability to find and process new information. This normally takes the form of being well-organised and having a set-up that allows them to process new information (normally TTPs) fast. The top red teamers, for example, can process a complex new technique within a few hours and integrate it into their workflows. They do this day-in-day-out, normally whilst on jobs. Often, this requires having a lab that is quick to stand up and tear down. Most serious consultants utilise cloud platforms (or a garage full of rack servers) and DevOps approaches to keep things slick and repeatable.
Another common trait of high performers is openness to different approaches and new ways of working. It’s important that you try to stay technology agnostic in your approach. Yes, you should learn the specifics of how things work, but don’t get caught in the trap of becoming a zealot as this can lead to lots of confirmation biases (see this article from Cassie Kozyrkov, Chief Decision Scientist at Google to understand why this may be bad). There’s a tool for every job and don’t get stuck thinking that because something works well, there isn’t something better. Polyglots often do extremely well.
Related to the mind-set of being open to change is the idea that things can always be better: perfectionism, for lack of a better word. Most of the high performers I’ve worked with have an intrinsic drive to achieve something. The ‘something’ varies between individuals, as we all have different motivations, but the underlying trait is that they’re driven and it comes from within. If this doesn’t come naturally to you, consider creating (and sticking to!) a routine and forming positive habits around development areas.
Focus is also something that the best performers have in common, or in some cases what I’d call hyper-focus. This normally manifests as a deep understanding of a few areas. Where I think people potentially make mistakes early in their career, is they see high-fliers who’re focused on one particular area, and they look for the quickest way to become like them. It can be really enticing to shoot for that early on, as your perception may be that they’ve always been focused on that area. I would advise against this. When you look at high performers who’re specialist, they normally have a background with broad experiences. They’ve been a generalist before they’ve become a specialist, in fact, that generalism has likely allowed them to become the ninja they are today. There are some exceptions to this, but generally, you’ll find that you need broad foundations on which to build. From speaking to people who have made this mistake, it’s MUCH harder to spend time later in your career building these foundations or filling gaps. This can be because you’re now expected to deliver and have less dedicated time from your employer, you’re a bit older and have greater responsibilities in your personal life or you may feel generally burnt out. It certainly doesn’t help with imposter syndrome either. My advice is to spend a few years exploring things with a technology lens. Live outside your comfort zone, get used to being a perpetual beginner and follow your curiosity. This may feel unsettling at first, but it will set you up with the right mind-set to be open to new ideas and experimentation. I really recommend watching this Ted talk from the late Sir Ken Robinson about creativity and education, it was a game changer for me during my formative working years, it’s hilarious too.
The best tips I can give on how to capitalise on these experiences are:
Manage your learning proactively. Look for the gaps and fill them. I’ve helped people map their capabilities to things like Mitre ATT&CK or OWASP ASVS in the past, it’s a great way to find weaknesses and chart your learning.
A key thing for red teamers in particular, is to invest in a lab whereby you can replicate the majority of incoming TTPs that are interesting to you. You can find this information by plugging into Infosec Twitter, r/netsec on Reddit, Twitch streams, or various Discord / Slack channels. Get in a position whereby you can process a new TTP quickly and understand how it works. Get your hands dirty and develop skills like debugging that will help you understand how your tools work.
Be forward-looking and start learning ‘blue’ now. In my view, a purple teaming approach is the future of our industry. Get ready for this by starting to learn about how logging, detection engineering and threat hunting work. You could also consider a stint in incident response or working as a SOC analyst or detection engineer while you’re junior enough (i.e., can take the financial hit or before you settle down). These skills will stand you in good stead down the line. The biggest complaints I hear about pen testers (from clients and blue teamers) are: ‘they are naïve about blue team / dev challenges’ and ‘they don’t understand how a large-scale enterprise IT works’. Ask yourself whether you’d take advice from an IT admin on how to pen test and reverse that question after. If you’re focused on application security, consider taking an in-house role for a while or focusing your efforts on SDL or working with policy teams. Application security logging in SOCs is at a woeful level of maturity, this is a niche rife for exploitation!
Read lots, read broadly. This is especially important for remote workers. I spend around two hours per day reading both technical and industry-related information. Even if you start with 10-15 mins per day, then try to discuss what you’ve read with someone else, you’re on the right path. Consider finding someone who’ll be a ‘buddy’ and read one article each and explain the concepts to one another and have a discussion. Applications such as Feedly can help you curate the content.
Self-promotion and Speaking at Cons
Self-promotion and speaking at conferences is quite a controversial topic. In many areas of the industry, there are pre-conceived notions of ways you should and shouldn’t do this. There are also people who believe this is sub-optimal in terms of knowledge sharing, who reject conferences on the basis that they prioritise ego and brand above the content and its broad distribution (they may have a point!). Broadly speaking, deciding to speak at a ‘con’ should be based on a desire to share what you’ve learnt with the community, which naturally rises to acclaim because the research and content you’ve created is good. I do agree with this ideal, with the best ideas tending to gain the most attention. However, as an industry, I think we’re jaded, and the concept of good and rigorous outputs has skewed over time, with reputation often trumping fresh faces and ideas. Moreover, I think a trap the ‘1337z’ can often fall into is to forget the initial struggle they went through for validation, and the continuing ‘circle jerks’ that happen once you’re ‘in’ or established.
I am fairly moderate when it comes to my opinions on speaking at conferences and promoting oneself. It’s no secret I’ve done a fair amount of work to build a personal brand and I’ve spoken at conferences like BlackHat USA. I like to think it’s because of hard work and my personal style of academic rigour, but it’s likely, at least in part, down to a desire to be recognised as credible and making conscious efforts to that end goal (as well as doing the actual leg work in a field I love!). Before you consider your approach to industry and self-promotion, you need to be honest with yourself about what you want. Opting out is an option and doesn’t preclude a successful career. Conversely, self-promotion doesn’t need to be shameless, but you need to have the capability and output FIRST. A common mistake I’ve seen, is the encouragement of people to speak at conferences when they lack a topic or specific idea. For me, this is totally the wrong way to approach things. I’m sure they used to think I was a ‘gatekeeping d*ck’ in my response, but the ideas have to come first and ideas normally start with a problem to solve. Challenges will appear in your daily work, the key is to find an elegant solution, then find out whether others have the same problem. If they do, you have the genesis of something worth sharing and then you can think about submitting to CfPs.
There is certainly an art to getting promoted in any job, and often a lot of politics surrounding those who are and aren’t successful. There are two main opportunities available to you to get promoted, the ‘performance route’ where you perform well and get promoted internally or you leave and take a step up at another organisation. There are other paths, but these are the two that you are most able to control (and hiring a hitman on the dark web to take out your boss is generally frowned upon).
Generally speaking, there are five dimensions to getting promoted within your organisation: capability (skills and performance), attitude, potential, the promotion appetite of your employer (created by growth or attrition) and perception. Like any good hacker, you need to figure out how the current process works within your organisation and plan your tack. The best way to find out the process and criteria is to ask. Most organisations will have an annual cycle, with exceptions being made in exceptional circumstances. It should be noted that most organisations dislike promoting people ‘out-of-cycle’ as this impacts their budget planning for the year, and once you do it for one person, the flood gates could open. You won’t be told what the exceptional circumstances are if you ask, but for all intents and purposes this is when people threaten to resign, or a really compelling case is made by a line manager (normally because they’re concerned you’ll resign!). Essentially, you should figure out the annual cycle dates and gear your approach around them.
The most common formal dimensions for promotion considerations are performance and potential. It’s pretty common for an organisation to use the ‘9-box model’ (see fig. 1) or something similar to identify key performers. What’s more likely to shift the needle for you is perceived capability and perceived potential. This isn’t to say, spend more time on perception than developing yourself, but do not underplay the relationship with your line manager or the value you offer to your employer in terms of the number of things you can do. Ensure they’re aware! This is why it’s important to find your mentor or cheerleader in your role, they’re your key stakeholder in the promotion case.
In my experience, something that people often find difficult to grasp is the reciprocity of the leader and team member dynamic. Helping your manager and understanding their challenges is a sure-fire way to build a good relationship. Be the helpful and understanding team member, in the way you’d hope your manager would be to you. You can do this by being the first to volunteer for things, take a positive view on change and support your manager within the team (they won’t always be delivering the news they want either!). When you become a leader, you’ll be surprised at how you’ve swapped appreciation for money as you climb the ladder, and how some people will be less eager to say what they really think to you. You don’t need to brown-nose your way to the top, but understanding and empathy work both ways, just because someone is senior to you, doesn’t mean they should be a punchbag for your frustrations.
There will be times when you feel that your only chance of being promoted comes from threatening to leave an organisation. My first piece of advice in this instance would be to speak to industry peers, especially if this is your first or second job. You may have unreasonable expectations or a lack of appreciation of your current situation. Try not to be reactionary or mercenary, especially if coming off the back of a specific negative experience. The grass isn’t always greener, and extra money now may seem like the right thing, but as you progress you’ll find that other factors are more important to you. After five to ten years, you’ll be hitting the ceiling of what you can earn in a technical role (or quicker if you excel). The culture and working arrangements will likely be much more important to you once you’re economically comfortable, and you should be mindful of that. It’s also very important for a threat to leave to be genuine and not just a case of trying your luck for more money. I would also suggest that if this is your approach, and your last option to be paid what you feel is your value, ensure that you already have offers from other companies showing they’re willing to pay you what you see as your worth. Without this sort of collateral there is a risk that your employer sees this as a bluff; if they feel you’re being unrealistic they will ask whether you have an offer (and/or will be unwilling to budge without one). This is a high-risk strategy and you risk burning bridges in what’s a fairly small and incestuous industry. Moreover, it’s always better to position this as an attempt to be paid in line with market rates, based on a confident understanding of your value to the business, and to have evidence that others are willing to pay you that amount. Remember, your employer could still disagree with your view, or be unable to pay you any more even if they wish to.
If you do get an opportunity to have this negotiation with your employer, this is a rare chance to shape your position, i.e., make all your requests now and negotiate hard; it’s unlikely to be entertained if you come back 6 months later with another offer and more demands. So, make this count. If your employer is listening and flexible, you might get that expensive training or conference trip on top of the promotion – everything is a negotiation. You should also make sure any agreement is in writing, or better still in your contract (the latter will be a stretch, but you can ask). When you have discussions with your manager or HR, always follow up with an email outlining what was discussed and ask for their confirmation of your understanding. Always assume that there could be a leadership change, and that any conditions verbally agreed with one manager or Director / VP could be reversed or disregarded later. You should be aware that if you decide to take this approach, it can backfire. Massively. I’ve seen it a lot of times, where people have over-estimated their value and their resignation has simply been accepted. Following this, you’re left going back to work as normal in the same company with a bruised ego (and probably limited long-term prospects), or leaving for another company that you weren’t even sure you wanted to work at. During these uncertain times, it’s best to be pragmatic and reserve gonzo tactics (if you must) for more predictable economic times.