
Q and A: Jonothan Harvey, ex-Royal Marine and Penetration Tester at Coalfire

Updated: Feb 10, 2020

Jonothan is a very good friend of mine who has made the walk from the Royal Marines into a coveted job as a Penetration Tester - I caught up with him to get his insights on what making a bloody difficult transition was actually like, without the fluff and bullshit.





Why did you leave the Forces, in the end?:


"I've got to be honest, I think I outgrew it! I started falling into a rut, and for all the attempts I made to climb out of it nothing worked.

Every posting was more or less the same, just in a different location and I was spending a lot of time away from my family on jobs that weren't giving me any satisfaction.

I just couldn't bear the thought of missing out on life due to being too scared to make the jump.


There were a lot of cultural changes to the Corps which left me feeling it wasn't the organisation I had joined any more, and I just didn't feel challenged or that I was being used to my full potential. The pay was pretty poor, and as much as I had enjoyed my time, I didn't feel I was really getting anywhere in life whilst in uniform.


That was then going to affect my family’s future and I couldn't justify that in exchange for a couple of fun trips a year. As such I made the scary decision to jack it in after almost 14 years of service and completely change my role and skill-set. Older dogs can learn new tricks, after all!"


What was your previous experience with tech, before making the leap?:


"Not a lot, basically! I came from the Signals Specialist branch of the RM (Royal Marines), which helped me by giving me a technical mindset so I learned relatively quickly. The only similar information I took was that frequencies are similar to IP ranges at first glance, and how to work (a little) with the primary and secondary DNS.


Even that knowledge was nowhere deep enough to be a game changer to be honest.

Other than that I had experience ‘out front’ delivering training which no doubt helped me to present myself confidently in interviews etc, but that's about all the transferable skills I took with me.


The attitude I took from the Corps of ‘hustle, hit, never quit’ has been the only thing that's really got me anywhere in Cyber security."


Why ‘Cyber’ specifically? Rather than general IT or doing the contracting circuit?:

"To be honest, I wanted to prove to myself that I wasn't as dumb as I thought I was. I'd been associated with the Corps for so long that I'd started to believe the adage that Marines were dumb (obviously not the case, more OR ranks in the Corps are degree level educated than any other service… but anyway…) and it started to irk me.

Being a ‘hacker’ sounded sexy as hell, then I saw the pay levels that could be achieved and that was it, challenge accepted!

I was told I wouldn't be able to get into penetration testing straight ‘out the box’ but hey, no cuff too tough!


(Editor's Note: Damn right - only crime in the Forces is a lack of ambition, whether in scope of career or scope of food theft!).


Knowing I was setting myself what looked like an unattainable goal put me back to being a kid getting off the train at CTCRM all those years before, and re-kindled my motivation to really throw myself at something.


It also looked like a job where there wouldn't be a rut to fall into, and I'd constantly be learning new things. That was something I'd lacked in the RM, I felt I'd learned as much as I was going to at my level but this was going to be a whole other barrel of fish."


What courses and training did you choose to do to make the switch? And what would you recommend?:


"Here's where you earn that money guys! The learning curve puts the most crazy roller-coasters to shame, it truly was a mental battering.

That being said, I gave myself a ridiculously short time to get it all in. I started studying about a month or two after putting in my notice, and that was a mistake.


I wanted to be employed in penetration testing immediately after TX (final exit) from the RM, that gave me about 8 months to learn what needed to be learned, and 2 months to find a job.

That was… optimistic to say the least. So if you're reading this and still not deterred, start NOW.


(Ed: CANNOT AGREE WITH THIS MORE! One day... or day one, it's up to you!)


Here's the path I took:


-CompTIA IT Fundamentals: Cybrary - Definitely optional. What is an IT? How do Cyber? Massive overview of the whole shebang. If you've never heard of IT, give this a crack. Maybe just do it as a warm up and to solidify your learning style.


-CompTIA A+: Comptia/Cybrary - Basics, basics and more basics. Don't know what a mouse is? This is where you start. Never got hands on the actual shiny bits inside a computer? This is for you. Never installed an OS or partitioned hard drives? You should probably do this.

To be honest, a lot of the things you learn can quite easily be found in tutorials on YouTube. Having said that, the depth of knowledge you gain means you probably won't need to go googling if your hard drive corrupts etc.

I did it on Cybrary, and again as part of resettlement with CTP (Civilian Transition Partnership).

If you've got a spare computer knocking about to take apart and play with, I'd say do this one with Cybrary or Professor Messer's YouTube channel. If not, go do it with CTP or a similar provider.


-CompTIA Network+ or Cisco CCNA: Cybrary - My Everest. Really struggled on this one, and unfortunately it's full of knowledge you will come back to again and again in a pen-testing role, especially if you're doing the infrastructure side of things. CTP do offer N+ and S+ as a combo deal, but it's usually booked up very quickly.

CCNA was pitched better I thought. I did them both through Cybrary, then again on Cisco's own website for learning tools and resources. I have since sat through N+ two more times. This is the knowledge that will make you look a fool if you don't have it nailed down.


-CompTIA Security+: Comptia/Cybrary - Covers a very high level overview of IT security, and gives you the basis to move into more specialised fields with the lingo down. A lot of it is common sense, and as such this felt like a respite in the whole learning process. The respite did not last long.


-CEH: Cybrary - Certified Ethical Hacker; sounds perfect, right? No, don't waste your time. I did it on Cybrary and I was not a fan. Definition of a duty errand in my eyes, move on.


-CREST CPSA (Practitioner Security Analyst) and CRT (Registered Penetration Tester): Crucial Academy - I used Crucial Academy’s Forces to Cyber course for this one. Through no fault of theirs I did fail both exams (remember what I said earlier about my time management being optimistic?) and found myself at the lowest point of the whole journey.

CPSA requires a knowledge base an inch deep and an ocean wide, it also requires you to switch from one subject to another without a blink.

One minute you're answering, say, subnetting questions… then you're immediately onto something like NT editions. Don't underestimate this, I did and I was placed immediately in the hurt locker.

CRT was good, I really enjoyed the course and exam. It's not as intense as some of the other courses out there, but it's all hands-on which is where I like to play. Unfortunately you're not allowed to hold CRT till you've beaten the rite of passage that is CPSA, however.

At the time of writing I'm actually prepping to retake these… again. I've come a long way since my last go, so should be fine this time.


Open source/ eLearning:


Udemy: although there is no formal qualification to be earned from Udemy courses, I highly recommend cracking a couple of them just to give yourself that rounded knowledge base. Two I personally recommend are ‘Practical Ethical Hacking – the complete course’ by Heath Adams (the Cyber Mentor) and ‘Learn Ethical Hacking from Scratch’ by a gent called Zaid. Wait until there is a sale and pick them up for 10 or 20 quid. They take you through some stuff that you won't really otherwise look at till you're on CRT, but you can get yourself some foresight.


Linkedin Learning: if you have access to LinkedIn learning then there are some pretty good courses on Python3, Bash scripting and networking on there that will give you a jump in the early days.


Cybrary: Mileage will vary, and again no formal qualification to be earned. Some of the courses are really good and offer decent depth, the paid version provides labs etc in which to practice. Some of it is pretty sub-par. Pick a number and take your chance!


Hack the Box, et al: If you're going to pen-test, this is your playground. There is no access code, just as a heads up. You've got to hack your way in to use the labs. If you're feeling flush, splash out the tenner for the VIP access once you're in. It provides a lot more functionality in terms of access to retired boxes with write-ups. My learning and ability skyrocketed once I got the VIP. There are shed loads more places to practice, get amongst them and make sure your profiles are listed in your CV, these will show hard earned experience where you likely have none other to draw on."


What was it ACTUALLY like leaving the Forces?:


"Well, here we are. If you've made it this far then it's time to take a long hard look at what you're letting yourself in for. I was in a chronically undermanned troop, so what I experienced may not be replicated everywhere.

I found I got ‘used up’ once I said I was off. The jobs came thick and fast, back to back exercises and training provision. It's almost like they wanted to squeeze every last drop out of me before I finally took off my lid for good.


Be prepared for an attitude change in your peers. At first you will be the novelty and almost gain kudos for ‘kicking it to the man’ but that rapidly fades.


Before long when you want to check out for a training course or the like, you're seen as shirking and placing your workload on others. You become more of an outsider as your clock ticks away to TX, and really find out who is your life long friend and who was a friend due to proximity.

My advice would be to go with the flow, at some points it's going to feel like you're being targeted by the COC but if you fight them you're going to struggle.


Book courses early, like really early and give them plenty of notice. Accrue brownie points where you can by taking tasks for others etc when you get chance, you may need to cash those points in later for a short notice course etc.

That being said, consider your own attitude. Don't be the ‘chits in - tits in’ guy. This is going to either be a give and take scenario or a painful rebirth. You're still being paid by the forces, so do your job and do it well, right to the point you give your last salute in the CO’s office.


When things are shit and the lads are dripping, don't rub it in that you've only got ‘x days/months left to go!’

Manage your expectations and set your routine in the early days once outside. I continued to get up and be at my computer practicing and learning by 0830, sticking to the times I had worked for so long. That gave me focus, and stopped me becoming an alcoholic mess.


However, this is where I struggled the most. I didn't know much of the process for getting or sitting an interview, and I had only the slightest idea of the companies available as it turned out. Getting knocked back hit me hard in the early days, and oh how I got knocked back!


This is where you're going to depend on your network of associates. Get your LinkedIn gleaming, add the recruiters, add everyone you go on course with. Help each other out because no man is an island and getting into that first gig is a fucking nightmare.


Drop any elitism you've picked up in the forces, no one cares what colour your hat was or where you went. All your dits are now just amusing anecdotes, not learning points.


Regardless of where your fellow peers on "forces to cyber" courses came from, you're all in training for something new, use that bonding ability you learned as a recruit because you're all Nods again now. Most civvies, despite what you have been told, are not useless wankers who would piss on you if it meant a promotion (Ed: Usually that costs extra...)

After all, you're one of them now!"


Advice for dealing with the interviews and recruiters?:


"Beware, here be sharks. Any small amount of research into the industry will tell you that there are too many jobs for too few people. That being said, don't expect to be welcomed like a conquering hero off the back of your first application.

This is not a duty attend and people are giving out serious money, but only to those who can earn their salt. Be prepared to take a pay cut.

Luckily I didn't have to, and ended up with a stellar company who have really looked after me (Coalfire). However, they did require I moved myself from Plymouth to Manchester for a short probationary period, as is standard. This was a hit I was more than willing to take, and they made it easy for me to do so by catering for that as much as possible in my remuneration.


Bear this in mind when negotiating with companies/recruiters. Not all companies are going to do that.


A lot of recruiters are going to either not know what they are talking about at all, or are going to try to sell you for less than you're worth. Here comes the balance; consider what you need in your paycheck to maintain you and your family’s quality of life, and what you can do without to get your foot in the door.


The first role is pivotal, and things will improve rapidly. Be realistic, when telling recruiters (let's face it, at the early stages you're going to rely on them) what you're after, don't quote 45k PA if you're only rocking an A+ certification.


As a mirror to that, don't quote yourself down to 20k PA if you're CPSA+CRT just to get your foot in the door. If you low ball yourself then your phone will ring all day with recruiters offering you jobs you're going to reject immediately, and that's a waste of everyone's time and damaging to the industry.


Be wary of ‘ex forces’ specialist recruiters. They know your clock is ticking, they know you're likely anxious about getting a new job ASAP and they sometimes play on that. Some of them are great, but just keep an eye on your 6.


Interviews are interviews, present your best self. Do what military people do best, reconnaissance and preparation. Find out about the company's culture, ethics, roles and clients. Make sure you dress for the role you're applying for, if you see that photos on the website show people in suits, wear a suit. If they're in board shorts and vest tops at their desks… maybe a nice pair of jeans and a shirt for the interview? Remember they aren't just recruiting your skills, a lot of these teams are small and they want to know if you're a dick or not, primarily.


Leave more time to get there and get parked (I worked off of total travel time + 10%, because I'm weird) especially if it's in a city that you don't know. Above all, do a bit of revision. Technical tests will vary in difficulty and delivery.


Be prepared to jump through the hoops of: telephone interview (after the recruiter does their bit), face to face interview with some technical questions and CV review, practical assessment proper (may be a rig, or a written test, or rapid fire questioning) and then final interview/review with contract negotiation. It's not a short or comfortable process, but it's worth it."


What is your job ACTUALLY like? If it's good, let us know, if it's not, let us know:


"So you've jumped through hoops, you've turned your brain to mush and you literally see the matrix everywhere. You've dealt with salty members of your COC and recruiters, had sleepless nights frantically updating LinkedIn and your CV wondering whether you're signing on for the dole next month… but you've made it! You've secured a role that will pay the bills and succeeded as a civilian! Well done, you have arrived, it's all over now.

Or not.


Your first role is likely to be at associate or graduate level (unless you're an absolute exam ninja or have plenty of previous experience) so this is the beginning.

You're already lining up for your next certifications, and hitting the books hard once again. The difference being you now get paid to do it and have almost unlimited access to labs, premium tools and are completely immersed in the industry, surrounded by blokes with varied experience and skill sets who are bent on making sure you're going to make it and excel. This helps. A lot.


Obviously experiences are going to vary dependent on what company you end up with, but at Coalfire my first month was mostly on-boarding and shadowing, a lot of shadowing. I wasn't expected to leap straight in to an engagement despite having shown that I could fairly competently do so. I partnered with other pentesters that had been in the game a while, helping them by doing enumeration or OSINT and other small, low contact facets of tests.

This gave me the confidence to start out.


After a short time I was allowed to do a segment of a larger test independently. It was a very weird feeling to actually engage on a client's system after only ever being on rigs. Very much the feeling of getting on the plane to your first theatre. You know what you have to do, and how to do it, but there are still those nerves.


But I'd been prepared, I had guys around me who knew what they were doing and that I could ask. That's a big thing at Coalfire and the industry at large; if you don't know then ask.

If you know something good, share it, and be honest if you mess it up.

Bring your sense of integrity with you from the forces, it's respected here as well.


I am still learning new things daily, as is a requirement in this role.


The only drawback in pen-testing I've personally found is reporting. Some guys love it, but for me it's definitely the bit of the job that's actual work. Unfortunately clients expect more than just a phone call saying ‘yeah, we had a go at it, you're good’, and this report is the deliverable that earns the cheque.

As such, be prepared for a revisit to ‘defence writing’ style red-pen corrections, multiple versions of reports and sweet relief once it's accepted through quality assurance.

Then you get assigned to a new client and the whole process starts again! Be prepared for out of hours work if you end up with a multinational operation, the internet does not work 9-5 and neither will you.


Luckily there is plenty of respite in my role and at my level. Office activities, training, fitness challenges, trips to conferences and expos… these are the things that in the forces were the ‘forced fun’ we all groaned about, but are actually really good (speaking from where I am anyway, companies will vary) and well worth getting involved in.

A lot of companies will send you to things like CES tech shows, and Black Hat in Vegas annually. We even have our own internal company conference somewhere sunny for a week every year. The culture I've come into is everything I hoped for, rock-star geeks."


Any final thoughts?:


"Above all be flexible, be available and keep your eyes on the prize.

This industry can be overwhelming due to the fact you're never going to be ‘done’ learning.

There's a lot of fantastic roles out there with awesome rewards that need filling, but it pays to be a winner.

Develop your network of peers in the business and never stop studying. Stay up to date with current events and how they could affect the Security landscape, who is doing what, and how they are doing it. Once you make it into your role, try to give back to the community in some way. Help someone because someone helped you."


ED: THIS. If you get a leg up, stick an arm back down and grab the next guy!


Thanks again to Jonothan Harvey for sharing his experiences with us, and best of luck for the future!


If you fancy sharing your experiences, get in touch with me at matttwells@outlook.com or send me a LinkedIn Message! I don't bite - costs extra!
