Life After OSCP: A Career Path
Congrats, you tried harder and did it. You passed the OSCP! After following our advice, going through all the lab machines multiple times, getting through all the courseware, and cracking many, many Hack the Box machines and other CTFs, you finally can let out a huge sigh of relief and celebrate your huge accomplishment. Test day is over and you were triumphant.
Unfortunately, you’re just getting started.
We know, no one really wants to hear it. But the OSCP, as prestigious an accomplishment as it is, is not a golden ticket to a better job, a new career, fame, or fortune. There’s still a lot to do after the OSCP. A lot of work, a lot of trying harder, and a lot of learning.
Don’t Let Up
Absolutely the number one, most important piece of advice we can give you for the days after passing your OSCP: keep practicing. You just put a lot of work into a very difficult-to-learn skill set. Even after the three or more months you just put in, it’s something that can start to decay quickly. The way to prevent this is to exercise it, keep learning, and keep working through new boxes.
You got a Hack the Box subscription like we recommended, right? Keep it and keep using it. Compromising virtual machines like theirs is the number one way to keep your skills sharp and keep growing. Learn from these boxes, learn new techniques, learn new tools, and hone the enumeration skills and patience that got you the OSCP in the first place.
Focus especially on the ones that you thought were “too hard” before. Only once you’re really stuck, like stuck for days, should you look at a box’s walkthrough. Perseverance will be your best teacher, but learning from the work of others is second in value.
A big emphasis of the OSCP is enumeration. Tools and techniques are great, but enumeration is key. If you don’t enumerate well, all the tools and techniques will be almost useless. Like any skill, with experience, there eventually comes intuition. This level of enumeration expertise will serve you so well as a pentester, but it must be maintained by practice. There are absolutely zero shortcuts here and again, being lazy will only dull your skills.
Keep studying and reading too. Penetration testing and all of information security is a field that is constantly growing and changing. Just turning on the news should tell you enough that the work will never be done and that the bad guys are relentless. Becoming stagnant is a surefire way to make backward progress; make sure your progress is always, always forward.
Another amazing opportunity for learning and growth that you should start ASAP is the growing number of crowd-sourced red teaming companies. Companies like Synack and HackerOne will screen pentesters and security researchers to hire as contractors. If you pass, you get access to their platform, which essentially lists closed-access bug bounty programs for other companies.
Pick an interesting target, test against it, and any vulnerabilities you find you report for payment. You’re going up against some very experienced white-hat hackers, but it can be an interesting learning experience and resume builder.
Tips for the Aspiring Penetration Tester
For those of you who started your OSCP journey wanting to be a pentester, congrats, you’ve taken your first step in a larger world. There is one slightly deceptive thing about the OSCP courseware and labs, though, that you need to understand: it’s not always like the real world. The OSCP will have you work through several boxes with vulnerable open source web apps, FTP servers, SMB shares, and other services with relatively easily found and well documented exploits.
No company with an ounce of operational security functions like this.
First, you won’t find a lot of services open to the internet besides HTTP and HTTPS. It has been a long-time IT best practice to keep that stuff closed off from the public internet. Don’t expect, if you’re working as a pentester, to scan a client with nmap and find open SMB shares with text files containing passwords or a MySQL server that you can brute force in a few minutes. Things like that were prevalent in your OSCP labs, not because it’s like real life, but as a means to an end to teach you basic enumeration and exploitation techniques. The real world will make you work much harder.
Another consideration: if these services are no longer open to the internet, then what are pentesters busy doing? Scanning web apps. The majority of any security consultancy’s red team work for clients will be spent scanning web apps and SaaS services.
How much OSCP content focuses on web apps? Maybe 20%, and given how broad a subset of pentesting that scanning web apps is, that 20% is pretty basic. Testing web apps is such a big thing that Offensive Security has a whole other course devoted to it, Advanced Web Attacks and Exploitation, which prepares you to test for the Offensive Security Web Expert (OSWE) certification.
If the OSCP was a bachelor’s degree, the OSWE is a doctorate. Maybe two doctorates. Remember that grueling 24 hour test you just did for the OSCP? The OSWE’s test is 48 hours. And that’s after another grueling round of courseware and labs.
Some people go as far as saying that the OSCP is an entry-level cert for pentesting. It’s not about learning the most relevant or up-to-date techniques; in fact a lot of what you learned isn’t terribly relevant in the world of SaaS services and cloud computing. It’s much more about learning to learn, learning to enumerate, working through an incredibly difficult process with discipline, and showing potential to keep growing and learning.
We keep hammering on this point, but it’s so important at this stage of your journey: stopping your learning now just because you passed the test will be a huge step in the wrong direction as pentesting grows and changes daily. So you must grow and change daily as well.
We’re not trying to say you need to jump right into the OSWE right after passing your OSCP. If nothing else, this should be your takeaway if you’re going for a pentester job: the pentesting world is more about web apps than you might think it is after going through the OSCP courseware, and you owe it to yourself to start your own independent learning on testing web apps.
The OWASP Top 10 is a great place to start learning. It’s a list of the top issues with web application security found in the wild today. Some of these you should be familiar with already from the OSCP, like SQL injection and cross-site scripting. Others will possibly be brand new, like XML external entities. Pick one and start exploring; for each item you’ll find a massive trove of information.
In the meantime, assuming your goal is to be a pentester, start applying for jobs. All the normal advice applies here: network, polish your resume until it shines, practice interviewing, etc. One thing that you’ll love when it happens: you apply for a job, pass the first round interview, and then you’re asked to hack a few lab machines! That’s right, it’s not uncommon as a part of the interview process to do some actual lab work, hack a few boxes, and send in a write up, like a mini-OSCP test! As if earning the cert wasn’t enough…
Tips for Other Infosec Roles
So maybe web apps aren’t your most favorite thing. Or maybe you find yourself finished with your OSCP and just not as passionate about all this as you thought you were. Or maybe you landed an interview for a pentester position and were discouraged to be told “great job on your OSCP, but most of our work is web apps. You didn’t do much with web apps on the OSCP, did you? You don’t know much about testing web apps, do you?” (I’m speaking from personal experience on this one…)
Do not fear, because information security is an incredibly wide field; penetration testing is just one small niche. If you’ve already got IT chops, especially on the networking and server admin side of things, a move into infosec is a great idea. And even if you don’t want to be, or aren’t yet cut out to be, a pentester, that credential and experience definitely won’t hurt when looking for other infosec jobs.
For example, most infosec engineer, analyst, or app security engineer type positions (basically defending from the bad guys instead of pretending to be one like a pentester) will benefit greatly from knowing the processes and tools that a bad guy is using. In other words, what better way to make your defenses stronger than to know how your enemies might attack them?
The OSCP is also, for a hiring manager who knows about it, a great demonstration of how you were able to set a HARD goal and muster the discipline to achieve it. Your mileage may vary, but this is a great selling point, especially for talking yourself up in an interview about your journey from wherever you’re at now to why you’re interested in a certain position.
Whether your goal is to become a pentester or move into another infosec role, you’re in a great position to succeed. Just don’t forget what we preached here: keep practicing, keep moving forward, and most especially, keep trying harder.