Ethical hacking/pentesting advice required

Hi all,
So after 17 years as an IT Manager/Project Consultant, I've covered a lot of bases. Jack of 'most' depts, but a master of none.
Some of the courses I've done include: A+, CCNA+, Sec+, ITIL4, Prince2 - but not certified in any of them. I studied them to help me do my job better, not to appease someone who likes to see pieces of paper.
For the past year I've been studying for the CISSP (I have the relative experience required to become fully affiliated if I pass). BUT... I'm not overly passionate about it and so I'm struggling with "thinking like a manager".
I've always been a hands-on kind of IT fella.

TLDR?
My current job is gonna end soon (I think). I want to get into ethical hacking/pentesting. The above info was to give background into my career thus far.
So what online content would those already working in the space suggest? YouTube vids, Udemy, LinkedIn Learning?
Maybe sit the CompTIA PenTest+ exam?
So, I'm not an IT noob, but happy to start from the ground up with this subject.

Please post your recommendations and advice.

Thanks
 
I would for go CompTIA PenTest+ or even CEH.

But after passing my Sec+ a few years back, anything to do with CompTIA I didn't see on many job descriptions in the UK.
Thanks. Yeah, I'm more interested in what courses will give me the best info to run with and develop skills. I have a bee in my bonnet about certifications, but it's the game ya have to play for a lot of employers nowadays. I think mainly because they use recruiters who have no knowledge of the job themselves.
 
Yeah, I have a few certs and it hasn't really helped me land the job I want so far.
People in the IT industry know that experience is waaayyyy more important than quals. But the REMFs (Rear Echelon Motherflingers) seem to be clueless and hence ask for them.
 
And the HR filters can be a pain in the ass.
Lol, oh yes. God, there are some jobsworths around.
Had 2 agencies ring me this morning and send JDs over. Both involve high-end networking beyond my expertise really. Had they read my CV and understood it, they would have known that.
Shame, as one was for a gaming company not too far from me whereby the other reqs matched my skillsets, but I fall short on the networking part, I think.
 
If you want to do pentesting I would focus on something more directly applicable than CISSP.

Have you looked at OSCP?

I agree as well, CompTIA is not that common in the UK.
I briefly looked at OSCP, but it's very expensive, I think. Could do with some taster courses/labs to see if I really want to go further with it.
 
Many are wish lists, but some are leaning towards them being hard requirements when you get told, "We need someone who has experience in X", when you know you can learn X in a few days.

I have had this a few times; some companies don't want to take the time to train people, even if it's only 5% of what they need to know for the role.
Oh this x100. Had this loads of times. I’ve had plenty of conversations with recruiters about this very thing.
At least now quite a few JDs have bullet points of MUST HAVES and the DESIRABLES.
 
Start off with some free resources like Hack The Box or any online CTF type stuff to give you some practical experience.

Get following people on Twitter (or is it all Mastodon now?) to get a bit more immersed in that area.

Look at all the various pen testing co websites as they'll usually have blogs of some sort, digest these and again follow the people who write them on whatever social media.

Things like OSCP are going to be miles better than CISSP and CEH (I didn't rate the latter when I did it, very out of date and largely focused on what tool would I use to do this rather than the why).
Thanks. The CISSP is still on my timeline to bolster my chances but it was nothing to do with my latest idea of pursuing pen testing.
I’ve bought a Udemy course as it was on offer for £15. I’ll do that and look at all the other resources to join up some dots.
 