Don't focus on admin certs when you want to become a Pentester. However...

focussing on administrative certifications while aiming to be a pentester - could be a waste of time. I try to explain 'why' and 'what to do instead' in this post.

Don't focus on admin certs when you want to become a Pentester. However...
Photo by Possessed Photography / Unsplash

I see lot of people aiming at getting administrative certifications (e.g., CCNA, CCNP, Microsoft Certification exams, etc.), when they aim to become a penetration tester.I have spent quite some time with penetration testers and have noticed that this approach has its own perils.I have tried to list them here, have a read.

The problem

Strong foundations are important to become a penetration tester.
Often, certification study guides (e.g.,those for CCNA, Network+, Security+, etc.) are prescribed to learn the basics.
Nothing wrong in getting certified, along the way, is it?

However, we end up missing forest for trees.

I assume you want to become a pentester

A Pentester breaks into things (systems, networks, web applications, mobile apps, IoT, lateset-fad-here).

In order to do so, a Pentester needs 3 crucial skills

The 3 crucial skills to become a pentester

  1. An understanding of how things work (so that they can be broken into). One needs to constantly keep learning to do so.
  2. An eye to look at a system (IT asset, process, workflow, etc.) and to identify the weak points.
  3. Willpower to keep moving when you are stuck and not leave the field.
While it is important to understand how a network works (CCNA) and how it is secured (CCNP), I believe trying for these certifications is a waste of time, if pen testing is your goal. Here's why...
  1. Humans are builders first.
  2. Breaking things doesn't come naturally to us.
  3. The administrative certifications are all builder/ maintainer certs. They primarily teach 'how something works', not 'how to break it'.

Now consider this.

  1. A Pentester's job is getting tougher by day. Hardened networks/ applications, evolving firewalls, shrinking budgets, make job very difficult for a pentester.
  2. As a pentester, you will be required to learn 'how to break into this thing' on a daily basis.
  3. The key question should not be 'how does this work?' but 'how to break it?'
  4. More often, we focus more on the first question, forgetting the second one.
  5. However, it does not mean you stop learning things (you won't be a better pentester unless you learn how things work).
  6. What it means is this...
Keep the second question in mind (how to break it) while looking for answer to first question (how this works).

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.

‎Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r