My pentesting journey so far ...


2 min read

I wanted to share my journey into the cybersecurity industry today to explain why I still work in it (despite writing about the high rate of burnout among cybersecurity professionals).

It roughly started during high school (about 8 years ago) when I saw an interview with a person who dropped out of college and started a company to provide pentesting services.

In those days, cybersecurity wasn't as popular, and no one recommended this as a career option. "Hacking" was considered a crime, and the concept of "ethical hacking" simply did not exist. But I was determined to learn more about this subject, so I contacted that pentester and asked him how he got started. He recommended a book called "The Web Application Hacker's Handbook, 2nd Edition by Dafydd Stuttard and Marcus Pinto."

I started reading it and quickly realized that I didn't have a basic understanding of how websites work, and the book was too difficult to read without it. I realized that I needed to take a step back and start learning basic IT and network skills as I went along.

My first stop was YouTube, where I discovered Professor Messer, who offers free video series on CompTIA A+, Network +, and Security +. This is by far the most valuable resource that anyone can use to get started in IT to date.

Once I had the foundations covered, I started to look for more in-depth resources to get hands-on experience. I discovered two excellent instructors who made many of the more difficult concepts approachable and understandable. They are:

  1. Hackersploit :

  2. The Cyber Mentor:

Practice in live environments is the quickest way to learn pentesting, and sites like Hackthebox make it easy. I've rooted around 80 machines so far. I used to watch Ippsec's walkthrough and copy his methodology when I was struggling with it at first.

While all of this was going on, I managed to get a job as a network engineer and later moved on to a security engineer role that primarily dealt with firewall management.

Today, as a senior security researcher, I get to point out all of the bad things that I find in my company's network.

I intend to pursue other opportunities, such as participating in bug bounty programs, and to improve my skills, particularly in web app pentesting, which is why I started this blog.

I'm currently enrolled in the API Pentesting course,, and I believe I'll cover some of its key takeaways in future posts.