3 min read


AMA with Ricki Burke

🔥 Founder of @CyberSec_People 🔥 | 🏢 Cybersecurity recruitment across Australia and NZ 🏢 | #BSides speaker | 👱 Host of Hacking into Security podcast 👱 | ✨ Co-Organiser @AllSecMel

  • Do you think age is a factor in getting in to a junior pentest job? Whom do you think an employer choose, a person with around a decade of experience in development or someone fresh from college provided both have performed same in the interview and have same certs and all?

    • I don’t believe so. Most pentesters used to work in other roles like sys admins, engineers and others. I know people that worked in these roles for 5-10 years before becoming pentesters. I think the pref is someone who worked in dev and then god interested in security.

  • What Is primarily required to join as a junior pentester without a degree? Are certifications required? If yes then should proceed with ejpt/CEH/OSCP or anything else? How to build a strong portfolio for a job/freelancing for pentesting and entry level infosec jobs?

    • The skills to test and write a report. Don’t every forget the reason for a pentest isn’t just to h@ck sh!t but so an external or internal customer can test an environment and make fixes.

    • Certs are a tough one, CEH isn’t well respected in Australia (that’s my main market). Self-learning through PentesterLab, Hack The Box and bug bounties are great ways to demonstrate to hiring managers who know about hacking.

    • A blog with all your research, a link to your GitHub etc sharing any tools you have built is even better than a CV, IMO.

  • How to hunt in deep? Can you provide any tools or any hint?

    • Sorry. Not really my area.

  • Q1) How much do you feel colleges degree or certs prepare a fresher for a infosec job for eg pentesting?

  • Q2) What is that one mistake you find in resumes that results in not getting selected.

  • Q3) How do you see infosec industry in next 5-10 years?

  • Q4) How did covid effected the infosec job numbers?

    1. A degree - not much, unless you had an tutor that is/ was a pentester. Certs - eJPT and beyond and OSCP are helpful. Just a certification won’t often land someone a job, they still need other skills, especially around report writing.

    2. There is more than one mistake. Grammar, not enough relevant information, missing out by not sharing the self-learning activities.

    3. In 5-10 years, I have no idea. Although if it was me, I would be learning to code and building up my knowledge of how to use automation and better know-how in things like data analysis, AI/ machine learning.

    4. Yes, COVID has impacted jobs. The industry is booming and more people get to work from home, or at least more than they used to.

  • How Bughunter can approach for Infosec jobs?

    • Make sure you share your bug hunting profile with hiring managers and also your abilities to write a report. A pentest is only as good as the report sharing the issues and how to fix them.

  • What are the common issues you faced while you are recruiting freshers?

    • The sad truth is we don’t fancy many issues because we don’t get many entry-level roles. When we do, we often know the people who would be good as we meet them at conferences/meetups or online.

  • Do you support CTFs for getting into cybersecurity? How should a CTFer approach for job opportunities?

    • A great place to build skills, knowledge and networks. Many industry professionals play CTFs, especially at cons. Make sure these are highlighted on a CV and LinkedIn profile. But you will need more than CTFs. You need to demonstrate you have the skills for the job you want.

  • Are CTFs good for bug bounty Hunter? Can you mention the suitable road map for bug bounty Hunter from your perspective (courses and books included)?

    • Sorry, not really my knowledge area. My friends @codingo_, @sml555_, @hakluke would better placed to say.

    • Great answer by @sml555_:

    • They can be, but it depends on the CTFs. Some of them can score you private invites, whereas others may be highlighting a very obscure exploit. If you target the more practical type of CTFs, it will likely be beneficial!

    • This one is a bit difficult, as it differs from person to person. A good thing to start with is the Tangled Web. It helps understand how things work.

    • The Bug Hunters Methodology by JHaddix is gold too! Highly recommend looking into it! If you haven’t played with the OWASP Top 10 (or stuff), there are some good resources like Web Application Hacker’s Handbook, @PentesterLab and @PortSwigger Academy, which could be worth trying.