CSNP

How to Become a Penetration Tester with Zero Experience In Five Steps

Updated: Mar 26



In the recent past, I've had quite a number of cybersecurity enthusiasts reach out for guidance on how they can start and build their pentesting career. I wrote this blog to help anyone and everyone — especially those with zero experience who want to become the best penetration tester they could ever be.


Before we dive into the details, it's important to understand what penetration testing is. A penetration tester, commonly known as a pentester, is a cybersecurity professional who assesses and evaluates the security of computer systems, networks, and applications. Their primary objective is to identify vulnerabilities and weaknesses that malicious hackers could exploit, exploit them in a controlled manner, report the findings to their client or organisation, and give solid, well-detailed recommendations on how to fix the vulnerabilities that led to the exploit.


Here are good steps you can take towards becoming a penetration tester even if you have no experience:


Step 1: Develop a Strong Foundation


To become a pentester, you’ll need a solid foundation in basic computer and network concepts. You should focus on:


  • Operating Systems: Gain proficiency in Linux and Windows. Learn the basic commands, especially those for file systems and user management.

  • Networking: Understand the fundamentals of TCP/IP, subnets, and routing. Know how to use tools like Wireshark to capture and analyze network traffic.

  • Cybersecurity Basics: Familiarize yourself with the common threats, attack vectors, and security best practices.


Step 2: Education and Training


While formal education can help, it’s not always a requirement in the cybersecurity field. However, if you’re just starting out, consider the following educational paths:


Online Courses: There are numerous online courses and training platforms that offer penetration testing courses. A good place to start would be YouTube, particularly because it's free and has good-quality content, or paid websites like Udemy (my most preferred).


Capture The Flag (CTF) Challenges: Participating in CTF challenges is a fun and practical way to gain hands-on experience and improve your skills. There are plenty of CTF platforms available online like TryHackMe, HackTheBox, etc.


Certifications: This should be the last on your list, and you should only take them if you have the budget. A good cert to start with is the eLearn Junior Penetration Tester (eJPT). Afterwards, you can move to the CEH Practical, then to the Professional Network Penetration Tester (PNPT) by TCM Security.


Step 3: Build a Home Lab


One of the best ways to get practical experience as a pentester is by setting up your own home lab. This lab will allow you to experiment, practice, and develop your pentesting skills in a safe environment. Here’s what you’ll need:


  • Virtual Machines: Install virtualization software like VirtualBox (free) or VMware (paid with a limited free version) and create virtual machines to simulate different operating systems and network configurations.

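  • Vulnerable Systems: Download intentionally vulnerable systems like Metasploitable, OWASP WebGoat, and DVWA (Damn Vulnerable Web Application). Keep them on an isolated virtual network (host-only or internal) so the lab stays a safe environment and the vulnerable machines are never reachable from the internet.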

  • Tools: Install popular pentesting tools like Kali Linux, Metasploit, and Wireshark on your virtual machines.


Step 4: Networking and Community


Networking in the cybersecurity field is highly important. Join online forums, attend local cybersecurity meetups, and participate in online communities to connect with experienced professionals. Building relationships can lead to job opportunities and mentorship.


Step 5: Get Practical Experience


Practical experience is key to becoming a successful pentester. Start with the following activities:


  • Internships: Look for internships or entry-level positions in IT or cybersecurity to gain real-world experience.

  • Bug Bounty Programs: Participate in bug bounty programs on platforms like HackerOne, Bugcrowd, or Synack. You can earn rewards for discovering vulnerabilities in websites and applications.

  • Personal Projects: Work on personal pentesting projects and document your findings. Create a portfolio to showcase your skills to potential employers.

About the Author: Charles is a senior cybersecurity professional operating out of Nigeria.
