College and Infosec: To Degree or not to Degree?

So, you love to hack, and you’re going to get that dream job in infosec! Except, now what? A wide array of certification firms and colleges are willing to sell you an infosec program, with shiny advertisements and clever sales pitches. Unfortunately, college is massively expensive in the US, and the learning environment isn’t great for everybody. Is it worth the money and effort to get that Bachelor’s in Cybersecurity? Will a degree in an unrelated field do the trick? Will not getting a degree come back to bite you years later?


College degrees. I’ve found few topics aside from vulnerability disclosure in information security which raise so much raw emotion and fierce debate. In the interest of giving a well rounded and diplomatic answer about their value, I’ve once again asked several exceedingly qualified people to join me in sharing their time, experience, and ideas on the subject. Through a series of ten questions, each of us has weighed in on some hefty questions about the value of college education in learning about information security, getting an information security job, being promoted, and showing credibility.

Please allow me to introduce today’s contributors, who have generously contributed their time and thoughts:

Daniel Miessler, I’ve been in information security for around 18 years, with most of my time in technical testing (thick, app, web, mobile, IoT) and consulting. I lead OWASP’s Internet of Things security project and run a website, podcast, and newsletter where I talk about infosec, technology, and humans. More at

Tarah M. Wheeler, Tarah Wheeler (BA, MS, CSM, CSD) is Principal Security Advocate & Senior Director of Engineering, Website Security at Symantec. She is the lead author of the 2016 best selling Women In Tech: Take Your Career to The Next Level With Practical Advice And Inspiring Stories. She co-founded and now serves as board chair for Fizzmint, an end-to-end employee management company. She has led projects at Microsoft Game Studios (Halo and Lips), architected systems at encrypted mobile communications firm Silent Circle, and holds two agile development certifications through the Scrum Alliance. She founded Red Queen Technologies, LLC & Infosec Unlocked. She acquired her startup funds by cleaning out poker rooms in the Northwest and Las Vegas. Reach her at @tarah.

Robert Sheehy, @helpmerob. Helping “people” with “stuff” while holding a senior management role in infosec.

Space Rogue, Looks like everyone else is putting their corporate bio here, uggh. I’m just some guy, ya know? I’ve been around for a while and I’ve done some stuff. I currently work as a Strategist for Tenable, [@spacerog]

Chris Sanders, Chris Sanders is an information security author, trainer, and researcher. He is the founder of Applied Network Defense, a practitioner focused information security training company, and the Rural Technology Fund, a nonprofit devoted to providing technical education resources to rural and high poverty schools. He is the author of the best-selling security books Applied Network Security Monitoring and Practical Packet Analysis. He also hosts the Source Code Podcast., [@chrissanders88,]

Jessica Hebenstreit (@secitup),  I’ve been doing security for almost 17 years.  I got a lucky break early in my career at Motorola as an Intern and have been doing InfoSec ever since. I’ve done a lot of different roles in a few different verticals.  I always come back to Ops and IR. Creator of the DREAMR framework, speaker and volunteer.  I am active in the security community and enthusiastic about making the industry more inclusive and accessible.

Without further ado, let’s launch into some of the most contentious questions about career paths in the industry!


  1. First of all, the elephant in the room – did you go to college or university yourself? If so, did you get your degree before or after you started formally working in security?

    Jessica: In short yes.  However my academic career was varied, and longer than a traditional “4 years”.  I started at Iowa State University in the Computer Science program.  After a couple of major changes (because I am not great at coding and suck at math), along with study abroad experiences and transferring to Arizona State, I graduated with a Bachelor’s degree in Interdisciplinary studies with a focus on International Business and Spanish.  I was fortunate to start working in security as an Intern at Motorola for 3 years prior to graduation.  I was offered a full time role that I began prior to actual graduation.  I also have a Master’s degree that I obtained in 2012.

    Space Rogue: I started school like everyone else but quickly ran out of money despite the GI Bill.. I was able to get good paying IT jobs anyway and figured I didn’t need a degree. Then one of the many recessions in my career hit, I found myself out of work with few opportunities. I could almost always get an interview based on my resume and experience but on more than one occasion after the third or fourth interview I was asked, “So I don’t see a degree on your resume, do you have one?” I would answer truthfully, “No, but I have years of experience and have done all these great things, blah blah.” and I was told “Thank you very much, we’ll call you.” After the fourth time in a row that this happened I decided I needed to get a degree. It took me several years of online and night classes but I finally graduated.

    Chris: I had an opportunity out of high school to take a computer network consulting job that would have put me in the top 1% of earners in Mayfield, KY. Of course, that was making 40K/year as Mayfield is a very rural, high poverty area. I’m fortunate that I had a few teachers who really cared about me and got it through my head that my ceiling was much higher and a degree would help me realize that. I ended up completing my bachelor’s, master’s, and am currently working on my PhD. I couldn’t afford college and didn’t receive nearly enough financial aid to pay for it all, so I worked full time (and then some) while working through all of my degrees.

    Robert: I received a two year degree in computer programming, although I have been considered a hacker since my early teen years. I’ve undertaken a significant number of independent studies since getting my degree, most of which did not result in a formal credential. I’ve taken and passed well over three dozen various IT and infosec certification exams, with close to a dozen still being active. Most of them demonstrate a minimal understanding of baseline requirements and not of advanced expertise. I feel that some people are way too proud of their credentials and certifications.

    Tarah: I went to college before formally working in infosec, though I’d been doing hardware assembly and servicing since 16 and coding since I was about 19. I got degrees in international relations and political science with quantitative elements. I have a BA and an MS, and in my experience, no one at all cares if those degrees are in cybersecurity or not. They’re an absolutely indispensable box tick when it comes to getting past HR, however.

    Lesley: I hold two Associate’s degrees (Avionics and Electronics) which were more an accidental byproduct of completing a lot of coursework than anything else. My Bachelor’s is in Network Engineering. I received it before working in infosec formally and after joining the military (thank you, G.I. Bill!). There weren’t really any security specific degree programs yet at the time.

    Daniel: I did go to college, for four years, but I left before graduating to start my professional career in infosec without a degree. I’ll be completing my bachelors soon and moving on to a Masters. At this point it’ll be just to check the box and for the fun of it.

  2. Based on your experiences hiring entry to intermediate-level infosec professionals and working in the field yourself, where do you fall on the spectrum of extremely pro-college, somewhat pro-college, neutral, somewhat anti-college, or extremely anti-college?

    Chris: Somewhat pro-college. I think everyone can benefit from being surrounded by a group of people who are devoted to learning. However, I recognize that it isn’t for everyone and finding the right faculty/college/program is non-trivial. All things being equal, if I’m choosing between two candidates I will go with the person who has a college degree.

    Tarah: Somewhat pro-college. I don’t think in any way that college is a prerequisite for being in security. I think it’s a startling leveller when it comes to diversity in technology, and one of the challenges employers are always facing is how to justify hiring someone who doesn’t “look” like a hacker or coder. I have, in my several previous positions, had to fight like a dog to get a woman or a person of color or someone queer to get hired, and sometimes the only ammunition I have is that they have a degree, and the more stereotypical (and often less-well qualified or experienced person) doesn’t. When I’ve been the CEO, I could just say “you’re hired,” but when I’ve been in a hierarchy, I have had to, in the past,  justify my decisions to a structure that doesn’t always understand the hacker mindset.

    Space Rogue: Neutral. Personally I would rather hire someone with at least some experience than just a college degree. I am always looking for someone who has done something, anything, real as opposed to just book learning. But I also realize when it comes to hiring managers I’m probably a bit of an anomaly. As infosec as an industry matures it is becoming more and more difficult for entry level people to stand out amongst the crowd. There is a lot of talk about the talent shortage in infosec but that really only applies to the mid and high level. The entry level is awash with people just finishing college with their newly minted degrees all looking for some way to stand out.

    Robert: Neutral. There needs to be experience outside of school for anything beyond entry level. Without experience, a credential can help to demonstrate that the candidate can see through a formal curriculum program to completion.

    Jessica: Somewhat pro-college, I believe some are “late bloomers” and that college right out of high school may not be for everybody.  I think more doors are opened for college degrees. I also think college gives one a variety of experiences and challenges one might not encounter otherwise.  I also realize college is expensive, at least in the US and for that reason alone can be out of reach for some folks.  I am still deeply in debt for my degrees.

    Lesley: Somewhat pro-college. I see more benefits than negatives, but it’s not for everybody and it’s extremely expensive in the US.

    Daniel: Somewhat pro-college. There are skills you can get from university that you don’t usually get other places, but it shouldn’t be considered a must for most infosec positions. This is something Google figured out when they did their big study of what variables make people successful. They expected to find that great colleges produced the best workers. Or people with the best grades, or who interviewed best. But no–they found few correlations with any of this stuff, and they were forced to accept that there’s no magic variable to any of it. Their people who went to college or didn’t, or went to a small school vs. a big famous one, didn’t show much difference in their performance. It turned out to be all about the management of the team that made the difference, but that’s a story for another day.

  3. What are some skills, motivations, and credentials that stand out to you the most on a entry level infosec résumé (before the first phone screen)?

    Space Rogue: I look for anything done outside of school that is relevant to the job. I want to see some kind of passion for the work, at the entry level it doesn’t have to be much but something. If the resume is nothing but degrees and certs and zero extracurricular things they will unlikely get an interview from me. If a person has no relevant work history at all then I want to see non-relevant work history. To me work history, any history, beats formal education every time.

    Chris: I don’t expect much out of an entry-level resume and put very little stock in them. I rely much more heavily on the interview and wind up interviewing most of the people who apply to an entry-level posting. Hiring is the most important decision I make, so it’s well worth the time spent. As far as resume content, it’s an entry-level job, so I don’t expect them to be passionate or display that on the resume yet. I want them curious, and then as their manager it’s my job to help them evolve that into passion. That said, if someone has already started learning about the field I think it’s great to list what they’ve been learning, how they’ve been learning it, and who they’ve been learning it from. I also value resumes that show involvement in service projects. People who have a servant leadership mindset and are willing to give of themselves are the type of people I want to work with.

    Tarah: Have they built a computer from parts to booting? Have they contributed to an open source project…even so much as a pull request to fix a typo? Have they built a website? Have they tried to harden their home network? Have they ever demonstrated that they’re willing to help others by posting blogs or information or answers? I don’t much care if they feel like they’re good people or if they love animals. I care what they can *do*. No one can hire solely on potential; you must demonstrate some of your ability.

    Jessica: Passion for the industry is something I definitely look for.  Personal projects that one can speak to such as those on github, or a blog.  Competing in things like CTFs or other contests, volunteering and other involvement in conferences, competitions or other projects show a passion for industry.  

    Robert: Personal initiative and interest in information security. The best professionals are passionate about what they do.

    Lesley: Speaking, presenting, competing, or working at infosec conferences. Other participation in the security community through projects or meet-ups. Some type of dedicated coursework that demonstrates good systems and networking fundamentals, or equivalent work experience in another IT field. Some college is a plus, but the degree doesn’t have to be technical. Overall, I look for motivation to learn and succeed.

    Daniel: Having a website or other home for projects you’ve created or helped with. Projects show passion, and passion is a powerful force for improvement. If you’re actively working on projects in your field there are few things that are more compelling to a hiring manager than seeing actual fruit of that curiosity and skill.

  4. Can you think of a situation in which you might recommend that an entry-level person who is interested in security not get a degree?

    Space Rogue: I don’t think I could recommend anyone not get a degree ever, not in today’s job market. In the 90’s and early 2000’s almost nobody had an infosec degree because infosec degrees did not exist. Everyone was self taught so if you didn’t have an infosec degree you were no different than anyone else. Infosec or more accurately ’cyber’ degree programs exist at just about every college and university today. If you decide to not get a degree you will be at a pretty big disadvantage compared to everyone else competing for the same entry level job. That said, if your resume makes it to my inbox I won’t really care if you have a degree or not if your resume shows that you have the experience and or skills for the job. But then I’m probably not the hiring manager for the job you are applying for.

    Chris: I had to work 60+ hours a week to pay for college and even then I still have fond memories of standing in Wal-Mart calculating what foods had the best dollar/calorie ratio so I could spend as little on food as possible. You have to REALLY want it sometimes (or just be deathly afraid of failure). If you have hardship to deal with, whether financial or family, you have to figure out how much pain it will cause you and whether the upside reward is worth it. For some people, it simply isn’t.

    Tarah: No. Sure, save money and do some at a community college, do the GI Bill, do a state school and be a big fish in a little pond…but I simply cannot in good conscience knowing what today’s job market looks like and how overheated cybersecurity hiring is going to be for the next ten years recommend that someone not get a degree. Note here that I don’t give a damn what your degree is in. Neither will anyone else past possibly a couple of people in your first entry level jobs. Just get one. And get an MS if you can. It’ll pop your earnings drastically long term and is  a HUGE leveller for diversity in tech.

    Jessica : No, I’ve spent quite a bit of time thinking about this question recently and I really cannot come up with a scenario where I would recommend not getting a degree. Even if you have to go part time while you work and it takes years and years, I strongly believe you will be better off in the end with the degree.  I think there are definitely outliers that find vast success on skill and reputation alone, but those folks are few and far between (you know “outliers”).  I’m seeing more and more organizations that are putting in hard and fast degree requirements, particularly in healthcare and high education, without which you will quickly reach a ceiling.  I’ve seen this ceiling as low as not going past a Senior Analyst/Engineer without a degree.

    Robert: College degrees are only one way to show that you’re well rounded and take your professional development seriously. An individual’s personal situation and experience must be considered in respect to what is the best focus of their professional development efforts. Particularly if student loans are involved, the long term debt accumulation might not be worth it. Focusing instead on a certification could serve as a first helpful step towards gaining that first position in infosec.  If working as a contractor it might be wise then to defer schooling even further in your carrier until obtaining a permanent position that offers tuition assistance. With professional momentum and outside self study, you might get to the point in your career where your professional experience are accepted as substitute for the formal accreditation. World travel, for example, can be used to demonstrate educational sophistication in lieu of a degree.

    Lesley: If they’re only interested in the money or prestige as opposed to the work, or they haven’t done anything to learn about the field before launching into a degree. Also, if they already have a strong network of infosec contacts and going to school would interfere with taking a great opportunity immediately. Lastly, if it’s a significant long-term financial burden, college may simply be unfeasible.

    Daniel: If they already have some significant level of skill that makes them competitive and they’re being offered a job in the field similar to what they’d get when they graduated. Even then, if it would be relatively painless, I’d say get the degree just to have the checkbox, but if it’s overly difficult and you already have the skills required to get a job, go for it. It all depends what you’re looking for. If you just want to get into the field, you can do that. But if you want to make it to the top at a big company, you’ll probably need a bachelor’s and/or masters.

  5. If an entry or intermediate-level infosec person chooses not to get a degree, what are steps do you suggest he or she take to mitigate this when applying for jobs or promotions (which may state college as a requirement or preference)?

    Space Rogue: My first bit of advice is to realise that without a degree there are some jobs where your resume just won’t make it past the first level of HR. However if it is a job that I am hiring for and your resume can actually make it to my inbox then I will want to see some sort of experience. Something that says you are really interested in this line of work, volunteering at an infosec conference, a github project, contributions to an OSS project, participating in the local citysec meetup, something, anything.

    Chris: While this may be an unpleasant fact of life, not having a degree may affect your ceiling because some organizations value it. However, for the job seeker there is a benefit that infosec is in a skilled worker shortage. If you can develop skills in areas where need exists, you can find a job. However, you need to be able to show those skills in some way. For some people that might be a certification, for others it might be a github repo showing a project, and for others it might be a blog. Once you establish one or more of those things, focus on connecting with real people instead of relying on HR gatekeepers and automated systems. Do your research, find people working in or hiring for roles you want, and reach out to them. Even if it doesn’t lead to an immediate job, you might find a mentor or build a long-lasting relationship.

    Lesley: Network, network, network. You’re going to get blocked at a number of HR filters, which are automated and unforgiving. So, your hopes lie with name recognition with hiring managers who can tweak postings for you or somehow bypass the computer. This means proving your competence through projects, community participation, and being articulate. Currently we’re in a skill shortage, which plays in your favor in this scenario. This gap is decreasing, starting with entry level as more people graduate from cybersecurity training and degree programs. Certain geographic markets will take longer to catch up than others, so looking outside your local area may help.

    Robert: It is not a degree by itself that makes someone qualified for a senior position, rather they serves as a proxy to be used by the hiring managers to measure capability. This requirement can be substituted, but constructing the best argument to support your personal experience as a worthy substitution is completely on the individual. Non-traditional education can stand for formal degrees, but it may require a substantial effort to make the case for your specific goals, and are likely to require repeating every few years.  Always address any concerns about an educational deficiency in your resume head on when pursuing a new roll. It can go a long way to submit a well written statement in response to any concerns that you’re willing to obtain whatever credential is expected while working in the position, along with spelling out in detail how your specific personal accomplishments and experience directly address the traits your target is hoping are demonstrated by having the degree requirement.

    Tarah: Get good and get well-known for it. Get a CISSP, which is the bareass minimum you’d need to get past HR without a degree at some infosec jobs. Network your ass off because without a degree, you’ll suffer for recruiters contacting you. Figure out how to get some publicity. You must, must, must begin speaking and teaching widely.

    Jessica: First of all take a long hard look at where you want your career to go long term.    I think these decisions are made with a short to medium term outlook.  Come to peace with the fact that you are likely closing doors and limiting your upward mobility.  That said, get certs CISSP is a must to get past HR, I also recommend several SANS certs, maybe the OSCP, depending on which area in security you want to be.  Lastly, get your name out there, network, get on twitter volunteer and/or speak at every conference you can.

    Daniel: If they’re just starting out and don’t have a degree they’re going to need to show proof of existing skill. That usually means blogging and projects showing your abilities. Show vs. tell is a powerful concept in today’s market.

  6. Conversely, can you think of a situation where you might suggest to an infosec candidate that he or she should get a degree? If so, which skills would this most enhance?

    Daniel: I’d say get a degree if it’s at all easy for you to do so. If it’s paid for. If it’s an easy program. If your friends are there anyway. Etc. If it’s not going to put you out too much, or if you don’t have any skills at all and you need to learn fundamentals in a structured way. The other advantage is just rounding out your writing, general education, etc., which are important for advancing to later career stages.

    Space Rogue: Getting a degree is not going to hurt you. You will never be disqualified from a job because you have a degree. It is possible to get a degree without spending fortune and going into debt. You can either get a degree to actually learn something or you can just get the piece of paper. Either way a degree can only help you. If you are going to spend the time and money to get the degree you should try to actually learn something. I would focus on any hands on classes where you can actually work with production systems, even if they are simulated. Learn to code. Any class that allows, no, encourages you to break things.  

    Lesley: When you can’t fill more than half a page, single spaced on your resume with IT-relevant skills or experience, it’s definitely worth considering. Also, some companies and government agencies value degrees very highly as a corporate culture, and degrees may be tied fundamentally into future promotions or pay raises. If you’re looking to join one of those organizations, or you want to stay in one, it may be time to start planning ahead. Finally, if you have G.I. Bill or your employer pays a significant portion of tuition fees, it’s prudent to not waste free money.

    Chris: If you are capable of getting a degree, you should do it. There are immense benefits to being surrounded by people whose goal is to both teach and learn. Not only might you actually learn something, you’ll also learn how to think differently and be exposed to viewpoints differing from your own. In real life you have the option of filtering out people who you don’t agree with. In academia, that is a lot harder and it forces you to think about things you’re not used to thinking about. This also makes you better at debating, presenting information, and incorporating new information into your existing viewpoints.

    Robert: College can be fun, you can learn a lot, and start networking with other future professionals early. What degree you get likely does not matter for a career in infosec, but I would recommend sizing any opportunity to get a degree if it does not come with a significant debt burden.

    Tarah: Getting a degree cannot possibly hurt you. The Pareto-optimal solution is to get a bachelors in any field as cheaply and as rapidly as you can. Unless you are graduating top of your class in CS at Stanford or MIT, no one cares.

    Jessica: Getting a degree, any degree is not going to hold you back. If you have a desire to someday move into leadership a degree is going to help to facilitate that.  I know a lot of folks in security that do not have technical degrees; archaeology, accounting, psychology, business, women’s studies to name a few. I also know several folks that didn’t get a degree and are now finding roadblocks to advancement because of it and are now going back in their late 30’s and 40’s to get the degree while also now balancing a job,  spouse, kids, etc. which makes it that much more difficult.

  7. Assuming an entry or intermediate level infosec person has decided to get a degree, do you find more value in non-technical degrees or technical degrees? Is there any value in a minor in a different field? Does it matter at all from your perspective or management’s?

    Daniel: I think technical degrees are preferred. CS is preferred but CIS (what I did mine in) are also solid. The more you get away from those the less value it’ll have for infosec jobs. But keep in mind that many companies are just looking for the bachelors checkbox. This matters most if you’re looking to a formal hiring process at a very large or prestigious company, where CS and CE are preferred.

    Space Rogue: If you just want to pass the first entry gate of HR then get a degree in basket weaving or creative writing or philosophy. The automatic system scanning your resume won’t care and will sort your resume into the ‘with degree’ pile. Assuming you focus on a ‘cyber’ degree your minor will depend on what your long term goals are. If you want that CSO/CIO job in 20 years then look at a business or even accounting minor but I wouldn’t discount an art history or western civ minor either. You might be surprised at what lessons from other fields can be applied to infosec.

    Lesley: What you gain from a degree is much more fundamental than technical minutiae, which becomes obsolete quickly. Lots of skills one learns in college are ubiquitous across majors. Business, language, and communication courses provide important insight in our field. From a technical degree, you should concentrate on gaining a solid understanding of how things work at a fundamental level: programming, the telecommunications infrastructure, attack vectors, and common system architectures. Learning how to use a specific tool is rarely helpful after a couple years, and I see few course curricula that aren’t already several years out of date. You should be learning how to think logically, continue learning, and express your thoughts professionally.

    Chris: The unfortunate fact of our industry is that most university degrees don’t actually teach the skills necessary to do the job well. There are a few pockets of excellence and great instructors scattered here and there, but they are rare. Traditional computer science is great at building engineers and programmers, but not information security practitioners. Dedicated programs for information security are often dramatically out of date and focus on the wrong things. For that primary reason, I urge people to get degrees in other things while studying infosec through non-traditional means. This also has an added benefit of bringing “outside” perspective into information security, which is much needed and helps set you apart. I perk up when I meet someone who has a degree in physics, psychology, engineering, english, or something completely unrelated to tech. I can’t wait for the day where I feel good recommending people pursue information security degrees, but that day isn’t today. You can come from anywhere and be an effective infosec practitioner, but the ability to think in a way that is unique from your peers will help you move up quicker in many cases.

    Tarah: There’s a hack here. The hack is to get your degree in whatever you can get paid for or most cheaply–and to take research methodology or EECS or applied math courses alongside. This is what I did. I have a decade and a half of technical coursework that bumped my skills to next level in math, data structures, computer science, electrical engineering, social network and complexity theory, etc. You can pick and choose what you emphasize as you speak to employers. I personally find that people with philosophy degrees make magnificent programmers, and people with math degrees make magnificent philosophers.

    Jessica:  Get any degree.  I think there is something to be said for applying ideas and learnings from one field to security.  I started out in a technical program (computer science), but had a hard time with programming classes (I took intro to C++ 3 times) and math classes (Calculus I 3 times as well!) and it wasn’t feasible for me to continue this path.  I went into my manager at Motorola where I was interning and she said something along the lines of:
    “Jessica – you have a job here but you have to graduate at some point.  I can’t hire you without your degree and you can’t continue as an intern without being in school. You work for a multinational corporation get ANY degree that could be applicable.”

    I then scoured the course catalog and settled on International Business and Spanish.  There is a lot to be said about being well rounded and not having all of your knowledge in one basket.  I’ve also never had an interviewer ask “why International Business and Spanish; not CS/CIS/MIS/etc.?”

    Robert: Since any degree is unlikely to actually provide you the core skills you need to be successful in infosec, the degree pursued is insignificant. I’d recommend taking a topic you find interesting that you will see through to completion.

  8. Considering candidates you’ve interviewed and current cybersecurity curricula at a variety of institutions, would you recommend cybersecurity-specific degrees at all? What would you consider some indicators of a good and/or a bad infosec degree program?

    Daniel: I generally judge programs by big vs. unidentifiable names. If it’s a big name school, or a big CS school, that’s a plus. If it’s a no-name school then it’s just a CS checkbox, which is still positive. Most of the benefit of someone from a big name school is the fact that they got accepted in the first place.

    Space Rogue: To be honest I am not super familiar with the various programs that are out there. I know some are a lot more hands on than others but if I am looking at a resume I am unlikely to research your school to see how good of a program they have because frankly I don’t care. However, if you are looking to actually learn something then look for a program that has additional certifications. Something like the NSA’s National Centers of Academic Excellence in Cyber Defense or other certification.

    Lesley: I see too much focus in most “cyber” programs on specific tools and minutiae, as opposed to critical IT fundamentals which are so important to being a good hacker or defender. Also, I see an unfortunate tendency to gravitate towards the cool, theoretical, and “sexy” as opposed to less exciting but more relevant skills. For instance, my ongoing gag gripe is about every Forensics major I meet doing their thesis on steganography, which is relatively rarely seen in real practice. The same people often aren’t comfortable with memory forensics or timelining. There’s a lot of pragmatism in real life infosec. Overall, ensure that the program has plenty of general IT courses that build a good understanding of how systems work, and references real life cases.

    Chris: Our industry is really good at building excitement around topics like breaking and hacking. Unfortunately, those aren’t the skills you learn first and they aren’t the areas where the most jobs exist. Most cyber security programs gravitate towards those areas and skip over the fundamentals. The ones that do see a need for the fundamentals often think those fundamentals are computer science. While computer science is foundational, you don’t need to be an expert in mathematics or embedded systems to be successful in the vast majority of infosec jobs. For these reasons, I have a hard time recommending cyber security degree programs. I’m hopeful this will change at some point when more experienced practitioners find their way to academia, which is happening. Universities needs more instructors who have been in the trenches, but also understand academics and what foundational knowledge is critical for our field.

    Tarah: Only the power of your alma mater’s network matters here. Unless you’re going to UW, CMU, Stanford, MIT, Berkeley, or a similar program known for tech, your best  move is to learn what you love and add tech as tools for you to use. That will be reflected later in your work and career.

    Jessica: I feel like a lot of the “cyber” programs are reminiscent of the MCSE bootcamps from the early 2000’s and other certification mills.  If that is the program you want, then find a quality one.  Otherwise go for another degree.  Cyber programs also need more folks that have been actual practitioners to teach actual skills that will be used.  Having a good foundation, rooted in theory is fine and in some cases needed; however  I see too many candidates now that can memorize the buzzwords and talk very shallowly about a concept but cannot apply it in a meaningful way.  Additionally, critical thinking and analysis skills are sorely lacking.  Those are hard to teach but it’s really hard to be a good Security practitioner (particularly in a role like SOC or DFIR or Red Team) without those skills.

  9. At this time, (or in the near future), do you foresee any potential benefits in the infosec field in going on to get a graduate degree?

    Daniel: Yes, if you’re interested in working in any sort of formal field. Like government, or a big company in a specific department, like data science. Other than that, the bachelors is usually quite sufficient. The other thing a Masters is good for is that it’s somewhat important for senior roles in big companies, or top roles (CISO) at any company, if you think you might want that later on.

    Space Rogue: If you really want to differentiate yourself in the job market then yes, get a graduate degree. But this really depends on your own personal long term goals. If you really want to be a scapegoa^H^H^H CIO/CSO than a graduate degree will be a big help in achieving that.

    Lesley: I can see two situations where this would be desirable. The first is when it is likely to be required for a desired promotion in the future (I do see Master’s Degrees, especially MBAs, preferred for senior leadership positions). The second is when one’s intention is to stay in academia or dedicated advanced research. I rarely see graduate degrees greatly preferred over a Bachelor’s degree in entry-to-intermediate level infosec hiring.

    Chris: If you are thinking about a masters degree then you should have a sense of how much you enjoy your current work and where you want to go with it. For example, if you want to get into business leadership then something like an MBA might be helpful. The thing here is that you shouldn’t just pursue another degree because you feel it’s a requirement to get someone you want to go. Chances are, with persistence you might be able to get there anyway. You should pursue another degree because it will introduce you to new ways of thinking and teach you things that will be more fulfilling to you on a personal or professional level. I pursued a master’s degree in homeland security because I was interested in national defense and public policy. That provided valuable perspective that I apply in multiple areas of my life. The more successful people I’ve seen often pursue master’s degrees in things a bit outside their normal comfort zone. The key is that it should be about learning, not about checking a box.

    Tarah: Hell, yes. It’s definitely put me at the top of lists. And my MS is in political science, don’t forget. It’s just a box to check. Get a law degree or an MA in English–it just doesn’t functionally matter.

    Jessica: some industries are now requiring this in order to be in a management/leadership position.  I would not have gotten my job at Mayo Clinic without my master’s degree, they require it for Director level positions.  I think there is going to continue to be more rigor there. I know my Master’s has opened other doors for me as well.  I do wish I would have gotten a JD or MBA instead of my MSIT.

  10. Anything further you’d like to add on the topic?

    Space Rogue: In the ongoing twitter debate there have been a lot of comments about the cost of college. While a traditional name brand four year school will cost a pretty penny there are ways to get an accredited degree without going into huge debt and spending a fortune. Without going into super detail here are some thing for you to google on your own.  Look at your state school, often much less expensive than a private institution. Don’t forget you can start out at a local community college and transfer the credits later. Also depending on what program you are looking at many schools will offer credit for life experience, if you know who to ask. One of the best ways to get credits for little money is the College Level Examination Program, again depending on your school you can get up to two years worth of credits for $80 per class. Anyway if all you’re looking for is to check a box and get a degree cost is not a valid excuse.

    Tarah: Either the hiring manager wants to bring you aboard or they don’t. If they do, they might need extra ammunition for their choice of you over someone else. Make it easy on them by sticking every letter you can behind your name (on LinkedIn, not in your Twitter bio). I want to emphasize one last time: degrees and certifications are the big leveler in diversity. I have a growing body of anecdata that is burnishing my now gold-plated theory that women, POC, and queer people benefit disproportionately from getting degrees and certs. That typically manifests itself as a drastic uptick in recruiter approaches at each career level when you update your LinkedIn in a way that doesn’t seem to happen for people who stereotypically look like the media’s conception of hackers. If the hiring manager doesn’t want to hire you (based mostly on the first fifteen seconds of your impression on them) no degree will help you. But chocolate and career coaching might.  🙂

    Jessica:  College is expensive in the US, and the cost is only going to continue to increase.  It will open more doors than would otherwise be opened.  Think of it as future proofing.  I’ve always known I want to be in leadership, but I have colleagues that came to that conclusion later in their careers and are now going school to check the boxes.  Set yourself up for success and an easier path now.  I think as our profession matures it is only going to become a more steadfast requirement, like many professions there are some minimum requirements and I see ours continuing in that direction.  We’ve moved past the infancy of the infosec profession; along with that comes a threshold, which often times and more in the future, means a degree.

    Chris: Most knowledge-based professions have a really well prescribed paths for getting into the field and finding success. If you want to get into medicine, accounting, or law you know exactly what you need to do. Our field couldn’t be farther from that — there is no single path. The beauty of that is you don’t have to go to college. However, like those other professions, you do have to learn how to think. Being aware of how you think and effectively applying that (aka metacognition) is the most critical part of gaining expertise and ensuring you are capable of learning effectively. The beauty of college is that it is the perfect environment for your metacognitive ability to flourish…if you let it. If you view college as an opportunity to do this and seize it you will benefit tremendously. If you view it as merely a checkbox to get a piece of paper, you’ll be disappointed in how far that paper gets you.

    Daniel: Credentials have the value that others place on them. Understand that and you’ll understand a lot about degrees. Make a clear distinction between the education and the credential, and realize that while you can self-educate you can’t self-credential. Understand that you’ll find a full spectrum of respect for degrees in various populations, countries, verticals, sectors, etc. Some will not even notice if you have a degree or not, and others won’t take you seriously unless you do. That being the case, it’s always better to have it than not, so the question is really about what you’re sacrificing to get it, and whether or not that’s worth it.

Starting an InfoSec Career – The Megamix – Chapter 7


Chapter 7: Landing the Job

So, we’ve come this far in your infosec journey. You’ve studied hard, attended conferences, played a CTF or two, updated your resume, and networked a bit within the information security community. Great work!

Let’s prepare for your very first information security interview.


=== What to Say ===

There have been nigh infinite pieces written on the subject of interviewing, but I’d like to briefly share some basic interview skills that have really served me and my candidates well:

  • Make sure spend at least 30 minutes researching the organization you will be interviewing at. What are their strategic goals or products? Where do they have offices? What’s their corporate culture like? Consider what interests you about their mission, and how you feel you could benefit them as a security professional.
  • Always bring several printed copies of your resume and references to your interview, formatted the way you intended. HR systems will often remove formatting and line breaks before routing your resume to a hiring manager, and your copy may be more pleasant to read. You will also want a copy to reference, yourself.
  • Bring note taking materials to your interview, and make sure you’ve written down a few relevant questions to ask your interviewers about the position and the organization.
  • Arrive 15 minutes early for your interview, and be polite to everybody you meet. You never know if the person you make eye contact with and say “good morning” to in the hall will be interviewing you, later.
  • Make eye contact, and pay attention during the interview. Most of us are introverts, and this can be a challenge. Make the effort to be personable and show that you are listening to your interviewers.
  • Put your phone away and on silent. I shouldn’t have to say this.
  • Answer questions honestly. Most of my colleagues and I would very much prefer, “I’m not sure”, to an evasive answer or an outright lie, particularly on technical questions. Often, knowing where you would look something up is an okay answer to a technical question. When we ask you questions about where you could improve, there should be a real response that verifies you are a human. Everybody has some area they can improve in, and we will never believe you’re utterly perfect.
  • The initial interview is not normally the appropriate place to ask about compensation. Yes, infosec is an understaffed and in demand field. You have better chances than most at landing the job. No, your Masters in Information Security does not guarantee you the position immediately in lieu of a technical interview.
  • Do talk about your (legal) infosec-related hobbies and activities! We want to hear about the security lab you built in your house, the book you read, the CTF that you participated in, or the security related talks and projects you’re participating in. They show you are an interested and involved candidate, and a good fit for our teams.



=== What to Know ===

The previous chapters in this blog series suggested ways to build your foundational skills in the key areas of networking, systems administration, and security, so I won’t dwell too much on the necessity of knowing the fundamentals of these things such as common ports and protocols, malware types, and operating system functionality in an entry level infosec interview. Suffice to say, this is where the free educational resources, formal training, and your home lab really come into play.

You should ensure, before going to an interview, that you are up to date on the basics of current threats and security news. What you learned at your university is almost certainly not current enough for most interviews. There are a lot of great resources that provide information on ongoing threat activity. For instance, I really like the exploit kit status dashboard at (ProofPoint) EmergingThreats. SANS ISC posts botnet and scanner activity from publicly submitted data, and Sophos posts a nice free malware dashboard that shows their overview of currently detected malware. Threat trackers, coupled with the blogs, news services, and educational resources we’ve previously discussed, should enable you to go to your interview ready to answer general questions about the top threats that are currently plaguing organizations.


=== What Not to Say ===



In May, I surveyed a broad swath of security professionals to share the statements they hear from interview candidates that are the most indicative that the person is inexperienced in professional information security work. I’d like to share a few of the most popular, and why they carry that connotation. Keep in mind, the selected statements by candidates aren’t necessarily technically wrong; they more often tend to oversimplify or ignore administrative and business-related problems in security. It would be wise to choose your words diplomatically before saying any of the following things:

“Antivirus is obsolete, and a waste of money! Get rid of it.”

We can’t all be Netflix, dramatic headlines or not. It’s true that antimalware programs have a lot of problems to contend with in the 2010s. Between a cat and mouse game with well-funded malware authors, and polymorphism and regular botnet updates, simply maintaining a library of static signatures is indeed not effective anymore. Most decent antivirus vendors recognize this, and have implemented new tactics like heuristic engines and HIPS functionality to catch new variants and unknown threats. Antivirus is one component of a solid ‘defense in depth’ solution. It has a reasonable potential to mitigate a percentage of things that slip past network IPS, firewalls, web filters, attachment sandboxes, and other enterprise security solutions.

“Why are you wasting money on $x commercial product? I can do the same thing with this open source project on GitHub”

We love the philosophy and price tag on open source projects, and it’s great that commercial vendors have open source competition that drives them to improve and enhance their products. This doesn’t mean that free tools are always a viable replacement for commercial tools in an enterprise environment. There are intangible things which usually come with the purchase of a good quality commercial security product: support, regular updates, scalability, certifications, and product warranties. Those intangible things can have a tangible cost for an enterprise implementing an open source product in their stead. For instance, the organization may have to hire a full time developer to maintain and tweak the tool to their needs and scale. They may also be solely legally liable if a vulnerability in free open source software is exploited in a breach – a risk many organizations’ legal teams will simply not accept.

“They deserved to get breached because they didn’t remove Java / Flash / USB functionality / Obsolete Software…”

Most organizations exist to provide a product or service, and that’s usually not “security”. As security professionals, we’re just one small part of our organizations and their mission, and we never function in a vacuum. Oversimplified assertions like this are a dead giveaway that a candidate is not used to compromising and negotiating inside a business environment. Yes, in an ideal security world, we would use hardened operating systems with limited administrative rights and no insecure applications. Few of us actually operate in that ideal world, and many of us work at an operational scale alone that renders this unfeasible. We do what we can; navigating the political risk management game where we must to provide the most secure environment we are capable of.

“Just block China/Russia/x… IPs.”

Once again, this indicates a candidate is thinking only as a security person (and a biased security person) and not as a member of a business. Unfortunately, it also shows a lack of technical knowledge, as many attackers use large, global networks of compromised hosts to launch attacks.

“Security Awareness is a waste of money. Users will always be stupid.”

This is an appalling lack of confidence in your own ‘team’. Yes, some end users will probably always click / ignore / fail to report. (Most security people will also click when properly socially engineered.) The point of security awareness is not to create a perfect environment where nobody ever clicks on a phishing message or ignores an alert window – if your management has made that their measure of success, they’re doing security wrong. The point of security awareness is to improve awareness of threats, encourage some employees to report potential threats so you can respond, and decrease day to day problems so you can focus on the more severe ones.

“[Fortune 100] should have already have gotten rid of $OS and gone to $OTHEROS, because it’s more secure / real security people use $OTHEROS.”

This is dogmatic elitism without real business or technical foundation. Any up-to-date operating system can have a valid use case in business and in security work. A good red team or blue team security professional should be able to secure, compromise, and use tools on OSX, Linux, and Windows effectively (and indeed, there are valuable tools unique to each). It’s okay to have an operating system preference and to intelligently discuss the merits of $OperatingSystem for your specific use case. Don’t assume everybody else’s use case is the same.

“Hack them back / have the attackers arrested…”

We all crave the movie ending where the black hat hackers get their comeuppance and are thrown in jail. Unfortunately, unless we work for a LEO, the military, or a huge global telco, we’re rarely likely to get it. “Hacking back” of any sort is usually wildly illegal (especially because attacks are almost always launched from compromised hosts that belong to law-abiding people). Arrests happen when time-consuming coordinated efforts between security firms, global law enforcement, and lawyers are successful. Even the terrifying financial spearphish to your CFO is likely to not be chased down by law enforcement for some time. When permitted, absolutely do share your threat intelligence with law enforcement and working groups to aid in these important efforts. Expect any response received will take significant time.

“Don’t you monitor every brute force attempt against your perimeter? I count the dictionary attacks against my honeypot every night!”

No, monitoring this would be a waste of time in most large organizations. Behavioral trends and specific sequences of events that could indicate a compromise are more valuable to monitor. Time is money.

Any statement beginning with, “Why don’t you just…?” or “It’s simple…”

It pretty much never is that simple, so don’t personally insult your interviewer by assuming it is



This concludes the InfoSec Career Megamix! I hope you’ve enjoyed this blog series and that it has been helpful to you in furthering your own security career. Many thanks to everybody who has commented on my blogs or provided input and suggestions. Please do check out the links to other peoples’ wonderful work on the subject which I have included throughout the blogs.

[You can find the previous chapters in this blog series here:

The Fundamentals

> Education & Certifications

> Fields and Niches

Blue Team Careers in Depth

Red Team Careers in Depth

Self-Study Options]

Starting an InfoSec Career – The Megamix – Chapter 6

[You can find the previous chapters in this continuing blog series here:
Starting an InfoSec Career – The Megamix – Chapters 1-3
Starting an InfoSec Career – The Megamix – Chapters 4-5]

Chapter 6: Self-Study Options

In the previous chapters, I’ve discussed potential career paths, education and certification options, and the fundamental knowledge needed to become a successful InfoSec professional. Unfortunately, college degrees and certification courses aren’t financially or logistically an option for everyone, nor do they provide all of the skills and practical experience needed to become a desirable candidate for an entry level position. Without further ado, let’s delve into some options for improving InfoSec knowledge individually.

==== Home Labs ====

Building a home practice lab is an integral part of improving skill at any area of blue team or red team information security. Since most of us (hopefully) don’t want to break the law and get arrested while learning how to hack, conduct forensic investigations, or reverse engineer systems, we’re obliged to create our own self-contained network environments to practice and learn within. This will also improve network and systems administration skills, which as I noted in Chapter 1 are absolutely fundamental for being a well-rounded InfoSec professional.

A decade ago, a home lab looked significantly different. It almost certainly included multiple computers, and likely a network rack complete with switches, power supplies, KVM, and cabling. While this is still a great option, a rack of computer equipment is noisy, hot, and power consuming. Today, we have the tremendous luxury of virtualization. A single reasonably spec’ed ESXi host server can act as most of our practice environment. While we might still opt for some physical network hardware, we have virtualized network lab environments available for use, as well. I really prefer the virtualized option because as we exploit, infect, and otherwise destroy our hosts, we can simply revert them to an earlier snapshot and start over.

Regarding purchasing the physical equipment or host machine(s), we can get as creative as our budget requires. A great way to purchase server grade computer hardware is via federal and state government auctions. These auctions are fairly underutilized next to commercial sites like eBay, and can offer some great deals during regular equipment replacement schedules. Remember that local businesses, hospitals, and municipal services often replace their hardware and sell the older equipment for a fraction of the original price. For virtualization, we’ll want a decent server grade processor, a lot of memory, and enough disk space for all the operating systems we are interested in using to grow as expected. Everything else is fairly negotiable. Many folks buy a few old servers of the same model, pull all of the memory, NICs, and hard drives out, and put them into one chassis.

The hosts we install in our lab environment shall vary quite a bit based upon our area of interest and what we’re currently trying to accomplish. For instance, in my forensics lab, I selected SIFT and Windows 8 hosts which I use to conduct analysis, and an array of primarily client OSes which I conduct analysis upon. My network monitoring and incident response environment is very different, because network services, network IPS, and firewalls are in play in a more realistic network environment. A penetration testing environment will look different still. Before you purchase equipment or begin the lengthy process of building your lab, consider what you want to learn, and what hosts and services you will need to accomplish this goal.

I’m not going to delve much further into the technical details of building out a lab, as a lot of people have done great writing on this subject already. I recommend looking at Carlos Perez, Matt Barrett, and Adrian Crenshaw’s informative blogs.

==== Self-Study Materials ====

Every person has a different learning style. Some of us are more comfortable learning new skills by watching a video; others need hands on practice or reading materials to understand new concepts best. Fortunately, at this point people who wish to learn InfoSec skills have a plethora of freely available options to fit any learning styles.

For the Visual Learner:

Years of talks at information security conferences have been recorded and are freely available on YouTube. I’d avoid watching Joe from ACME computer shop explaining how to use Kali, but there are more hours of recorded talks on from reputable conferences than anyone will ever have time to watch. hosts an immense number of conference talks. Adrian Crenshaw has recorded talks at conferences for years, and has a prolific archive of these videos on his channel. SecurityTube is also a great resource, (although some of their materials are paywalled by PenTester Academy, which may or may not be in your budget).

For the Auditory Learner:

Check out the amazing range of InfoSec podcasts available for free. There are so many more great podcasts than I could discuss in a blog of their own, but some highlights are PaulDotCom, Southern Fried Security Podcast, Security Now, ISC Stormcast, Defensive Security, Liquidmatrix, and Braeking Down.

For the Reading Learner:

There are two major resources you should investigate – textbooks, and blogs. This will, of course, vary quite a bit based your area of interest. My personal ‘essential reading list’ for Information Security professionals would include the following:

There are an immense number of amazing security blogs out there, but a very short list of my favorites includes Dark Reading,  Krebs on Security,  McGrew Security, Graham Cluley, Naked Security, Lenny Zeltser, Troy HuntAndrew Hay,  Threatpost,  and Andy Ellis.

For the Kinesthetic Learner:

As we previously discussed, a home lab is a great option, followed by Capture the Flag exercises and Challenges, which I discuss in the next section.

==== Capture the Flag and Challenges ====

Once you feel ready to leave the safety of your own home lab and delve into another network, a great option is Capture the Flag events, and similar challenges. A large percentage of hacking conferences provide some kind of CTF event, which will pit your skills against challenges they’ve designed as well as other participants, in a structured, legal environment. The challenges usually vary from simple to extremely difficult, and points are awarded to participants as they find or reach ‘flags’ hidden in the challenges. Don’t be daunted; most CTF events are rarely restricted by skill level, and they’re a great way to test what you’ve learned. You’re competing against yourself as much as other teams or participants.

CTFs and challenges are not restricted to red team penetration testers. There are plenty of open and paid practice challenges in many areas available now, both in person and online. DFIR challenges test investigation and forensics skills, while malware challenges test participants’ ability to reverse and analyze malicious code. Check out the great list of online challenges at

==== Conferences ====

There are no substitutes for in-person networking or training events. I strongly recommend attending InfoSec / hacking conferences, but I also encourage you to choose the right ones for you. Regrettably, the events with the biggest budgets often get the most hype. That does not translate to them being the best environments to learn in. Cost is often a factor that bears consideration, as well. Tickets to InfoSec conferences range from free (or nearly free) to thousands of dollars. Hotel and airfare costs vary by venue. All these factors should weigh into your decisions, but there’s a conference for everybody.

Hacking conference size and content vary a lot, but there are some commonalities. There are normally one or more tracks of speaker talks, selected by the organizers from outside call-for-paper submissions. Capture the Flag type events are fairly ubiquitous. It’s also not uncommon to see an option for longer, hands-on training classes for an additional fee. You’re likely to see some vendors, as well as hobbyist groups such as locksport organizations or makerspaces sharing their expertise. Evening parties sponsored by the conferences or vendors can provide an opportunity to network and have fun.

Let’s discuss a few popular conferences. A couple caveats. Firstly, I’m quite certain I am going to offend one conference or another by not listing them here – for this list I selected some better known representative examples and it is by no means comprehensive. Secondly, I’m based in the US, so my examples are primarily in North America. Hacking/InfoSec conferences are a global phenomenon, and the types of conferences I list have equivalents in Asia, Europe, Africa, and South America. Please feel free to ask me for assistance in finding ones in other locations as needed.

DEF CON – Las Vegas, NV, USA

One of the oldest, most famous, and largest hacking conventions in the world, DEF CON is held in August on the Las Vegas strip. The attendees are a mix of everybody from the most dubious black hats to corporate security professionals, from journalists to Generals, from researchers to federal agents. Events and talks run the full gambit in every sense of the word. The parties are wild and so are the attendees. DEF CON tickets current cost $230, (cash only!).

>> Pros: This is where you’ll see some of the most cutting edge research released, and meet many top notch pros. Everybody should DEF CON at least once, for the sheer experience.

>> Cons: Over-the-top parties, crowds, and hangovers can overwhelm actual learning and networking. If this is your first hacking conference, or you’re not reasonably cautious, you may be targeted for pranks (or worse).


Black Hat (USA) occurs the week prior to DEF CON, and offers more structured training opportunities on a variety of topics. There’s a heavy vendor presence. Black Hat is more targeted towards security professionals and executives, and offers organized networking events and a bevy of courses and high profile speakers. The talks are well vetted. This doesn’t come cheap; regular tickets are currently $2195. Training courses cost significantly more. If money is a factor, I certainly wouldn’t recommend paying your own way to Black Hat unless there is a course you desperately want to take that isn’t offered anywhere else. Wait for a scholarship or corporate sponsor.

DERBYCON – Louisville, KY, USA

DerbyCon is a relatively new but very popular conference, and acts a bit like a more community and family-friendly alternative to DEF CON. It occurs in September in the heart of downtown Louisville. While it’s not as big of a conference, DerbyCon offers five simultaneous talk tracks, as well as hosting a few special interest working groups and CTF. DerbyCon tickets are $175, and given the reasonable cost of living in Lousiville, this can be a pretty economical conference, without quite as much of the shock value. Although there are bad apples at any hacking conference and basic precautions should always be taken by attendees, DerbyCon is policed pretty well and is a very safe bet for a first con.

SHMOOCON – Washington DC, USA

Shmoocon was founded by a husband and wife team to become a relatively small, friendly, community and education focused conference. It occurs in January, and costs $150, making it the most affordable of the ‘big name con’ admissions. Due to its location and educational reputation, it’s popular with federal government, military, and federal contractors, and the networking, vendors, and talks can reflect this a bit. The downside is that Shmoocon has grown much more popular than its size allows, and tickets sell out quickly – very quickly – a matter of seconds, making attendance a bit of a lottery. If you plan to attend Shmoocon, (I do recommend it), read up on the ticket purchase process well ahead of time.


If you missed that RSA occurs in February, you’re not tuned into information security news. I can draw a lot of parallels between RSA Conf and BlackHat, but personally favor Black Hat as an event. They’re both targeted at executives and professionals, throw star-studded vendor parties, come with a hefty price tag (standard RSA tickets are currently $2,295), and get plenty of press. They have the biggest vendor expos, and often boast high profile speakers. I don’t recommend RSA to entry level infosec folks, even if the price tag is in your budget. For the money, I’d attend a course at Black Hat or REcon. The glitz and glamour do not make this the best environment to learn fundamentals or network, and despite some very good speakers, in my opinion RSA Conf continually commits public security faux pas to the ire of hackers and security professionals.

RECON – Montreal, QB, Canada

If reverse engineering malware, hardware, or software is your cup of tea, there’s no better conference to learn more than REcon, which focuses exclusively on sophisticated reversing. Ticket prices for RECon increase through the year leading up to the event, currently starting at 700 CAD and culminating in 1200 CAD in June. Student tickets are discounted. The ticket price is hefty, but includes snacks and lunches. The available hands-on training courses will run you around 2000 – 5000 CAD, so once again, you may want to wait until you’re eligible for some sort of sponsorship for this one. I have not had the pleasure of attending this conference myself, but I’ve heard nothing but glowing reviews from my colleagues in this space.

CIRCLE CITY CON – Indianapolis, IN, USA

Circle City Con is newer than Shmoocon and DerbyCon, but fills the same educational / community friendly conference niche. Circle City Con occurs in June, near the Indianapolis Convention Center. Tickets are currently $150 and include optional training classes, aside from any required materials. Circle City Con is another safe bet for a first conference, and for family participation.


Hackers On Planet Earth is still a bit of a ‘hidden gem’. Although it’s one of the oldest annual hacking cons, it remains reasonably small and attended by industry greats. HOPE occurs in July, and tickets are currently $150. HOPE offers some of the most unique and varied events of any conference outside DEF CON, and boasts film festivals, art, and robotics along with the usual offerings. It’s a bit more eclectic and nuanced than other conferences. HOPE is worth serious consideration, especially for East Coast folks.

GRRCON – Grand Rapids, MI, USA

GrrCON specifically states their goal of avoiding elitism, and as a result they’ve earned a reputation as a positive and friendly environment which is heavily geared towards great networking and security education. GrrCON occurs in October and regular tickets are currently $150. Another location with very reasonable room and board, it would be a great choice for a first con. GrrCON also offers opportunities for family participation.


Perhaps you looked at this long list of conferences, and balked at the locations, travel costs, and ticket prices. All is not lost. Seek out your local BSides event, which occur in many metropolitan areas. BSides events tend to be organized by local hacker groups, and most are one or occasionally two days. BSides also tend to be smaller and less expensive, with tickets usually ranging from $0-50. There’s rarely a good excuse to miss your local BSides – it’s a great opportunity to network with security folks in your area for a nominal fee. BSides events also make a great excuse to travel to cities on your bucket list across the world, learn about hacking, network with people, while enjoying the local culture, sights, and cuisine.

I’d be remiss if I did not briefly discuss hacking conference safety and preparedness. As I’ve mentioned above, the level of ‘threat’ at conferences varies and exists everywhere, but regardless of the event you should take common sense precautions. (All of these precautions should translate into everyday life, because bad gals and bad guys are everywhere!)

  • Consider whether it is necessary for you to even bring a laptop to the conference if you’re not attending a course that requires one. Given insecure networks full of hackers, safely using a laptop adds an extra layer of preparation required and gives you another bulky, expensive item to carry and keep track of.
  • If you must bring a laptop, I highly recommend using a new hard drive with a clean OS image, full disk encryption, and as little personal data as possible that you only use for the conference(s). Ensure you have a standard array of vetted security tools if you plan to connect to any network, including VPN. Ensure wireless and Bluetooth are fully disabled when not in use. Use common sense about what you log into.
  •  It’s hard to function today without a smartphone, but consider ways to make your phone more secure. Burner phones or faraday bags are popular options. At the very least, ensure wireless and Bluetooth are off, and that the phone itself is encrypted. VPN if possible. Do not connect to WIFI. Do not borrow phone chargers.
  • Bring cash for as many purchases as possible. Bring as few credit/debit cards as absolutely necessary, and ensure they’re in a vetted RFID safe wallet (but certainly don’t expect those to be foolproof). Don’t bring unnecessary stuff in your wallet or purse such as your work ID, social security card, or passport. Do not use an ATM within an easy walk of the event. I have rarely been to a conference where the hotel ATM wasn’t obviously and amusingly hacked by the end of the first day.
  • Don’t leave valuables unattended at the bar or in your hotel room, in a hotel full of hackers who can trivially open (any) hotel doors. Double lock your room when you’re inside.
  • Know who you can contact and how to reach them if there’s a security or medical issue at the conference – most hacking cons have a staff of security ‘goons’ who are always present and reachable. Any large event can have its share of bad apples, rowdiness, alcohol overuse, and drugs, and they’re there to keep things from getting out of hand. That being said, hacking conferences should not be treated like Mos Eisley cantina. Look out for the safety and well being of your friends and the people around you, and get them help if needed.

==== Local Hacking Meet-ups ====

Aside from organized conferences, many metropolitan and regional areas have formed hacking meet-ups of varying structure and activeness. I recommend finding your local group as soon as possible and participating as much as you can, as it’s a really important way to network with local hiring managers and security teams. Name recognition in this community is absolutely invaluable when applying for jobs.

There were ways that hackers met two decades ago that still work, but they’ve been  impacted by Web 2.0 and social media as much as anything else. So, I’ll both discuss the more traditional ways to find your local hacker and InfoSec folk, as well as newer options.

The Old Ways

  • DEF CON local groups: They’re named by area code, globally. Unfortunately, in my experience, some are now defunct or inactive. (Check and make sure before showing up.)
  •  2600 : 2600 meetings occur in public spaces to be inclusive to everybody, but be cognizant that they are more ‘hacker’ meetings than ‘information security’ meetings. Their active group list is maintained pretty well.
  • CitySec meetups: A more ‘security professional’ focused set of informal meetings in many global metropolitan areas.

The New Ways

  • I’ve seen quite a few various information security organizations start posting their meetings through this site over the last few years. It’s always worth a look.
  • ISSA: A formal professional organization with chapters around the world.
  • Twitter – Plenty of these organizations post their scheduled events.
  • LinkedIn – Plenty of these organizations are listed as LinkedIn Groups.



Starting an InfoSec Career – The Megamix – Chapters 4-5

Chapter 4: Blue Team Careers

With the help of many people in InfoSec who kindly gave me advice and quotes, I have created a perhaps overly simplistic listing of common InfoSec roles in today’s market.

For each role I have listed a brief summary of what the job does, where these jobs can be found in the (primarily US) workforce, some suggestions for breaking into the role, as well as some common misconceptions about it. I also requested a person who currently works in each of the roles to provide me a brief quote on how they reached this point in their career and what is enjoyable about their role. Immense thanks to everybody who helped. You should follow all of these peoples’ fantastic feeds.

As a caveat, many of these roles are somewhat simplified and condensed. This is an overview, and this chapter could go on much further (and perhaps it will in the future). It is intended to give people new to the field a brief explanation of the types of jobs that we do as InfoSec professionals.

[If you currently work in one of these fields and wish to contribute an additional quote or comment, please DM me on Twitter @hacks4pancakes and I will do my best to accommodate you if possible, in a timely manner.]


 What this job does:

Today, work in a Security Operations Center is a very common entry point into Blue Team InfoSec roles. Entry-level Security Analysts (or SOC Analysts) frequently do shift work in around the clock monitoring centers, monitoring security logs, responding to SIEM events, and performing security ticket handling. In a good work environment, this role should give the analysts a solid foundation in InfoSec work to move on into a more specialized role in one to three years.

Where are the jobs:

Managed security vendors, and medium to large organizations and agencies.

What gives a candidate an edge:

Showing keen outside interest and involvement in InfoSec (especially on the resume). Good certifications to have are Security+, Network+, or GSEC. Degrees are a plus.

Avoid this trap:

Ticket farms with no opportunity to learn. A good analyst role will offer formal and informal training and the opportunity to gain certifications as part of the position. It will also clearly offer the analysts the opportunity to shadow and cross train across multiple roles.

Personal career story:

“Trained as a psychologist. Worked through school in IT. Spent 20+ years doing sysadmin/etc., before there were dedicated security positions. It was just part of the job. Refocused last year, decided I wanted a dedicated security position. Interviewed at several employers, got offers from all. Wound up as an analyst with CERT/CC. Interest, passion, and relevant (but not direct, paid, titled experience) pays off.”


 What this job does:

Forensic analysts are best known for recovering hidden and deleted data from hard drives, but today the role often includes lots of memory, mobile device, and network forensics. As opposed to ediscovery roles where forensics is limited to recovering evidence to be used in legal proceedings, on the security side, forensic analysts make up half of the “DFIR” team and figure out and report how digital devices were compromised, infected, or abused.

Where are the jobs:

Managed security vendors who provide DFIR services, medium to large organizations and agencies, computer crime investigative services.

What gives a candidate an edge:

Curiosity and a drive to investigate. A solid understanding of how operating systems, hard drives, and memory function extremely helpful. Forensic tools are fairly specialized, so exposure to commercial tools like AccessData FTK and Guidance EnCase are a plus if possible (they’re expensive). Memory forensics is woefully under taught in forensics degree programs and is now nearly a requirement, but the associated tools are generally free (such as Volatility Framework, Rekall Framework, and Mandiant RedLine). Good certifications to have are GCFE, ENCE, GCFA, GCNA. Most of the vendors named above provide formal training programs on their products.

Avoid this trap:

Believing the hype about steganography. Even law enforcement rarely sees it. But I’ve seen it as a senior capstone or conference talk subject more times than I can count. Forensics is not CSI: Cyber. It is painstaking, time consuming work, often involving hours of reading through file indices.

Personal career story:

“I started coding at a very young age, but I quickly realized my passion was at a lower level on systems, from computer hardware to the operating system. My interest in forensics was piqued as a teen when I read a Popular Electronics article on hard drive function and data recovery. I read all the (3) books that existed on the topic at the time and decided I desperately wanted to become a computer forensic examiner. Unfortunately, at the time, it was a very rare career that was not taught in universities. After many failed attempts to network inside the law enforcement forensics field, I started applying for entry level jobs. This seemed impossible after many discouraging interviews because I had no hands on experience with the expensive corporate forensics tools. However, I was still involved in the hacking community, and a friend of a friend eventually got me a security analyst job that allowed me the necessary experience with critical tools to move on into a forensics heavy role.  The best part of my job is starting with nothing but evidence, sifting through it, and building a story of what happened on the device until conclusions can be drawn.”


What this job does:

The other half of the “DFIR” team. When a breach or major security event occurs, this person coordinates the response and recovery teams, establishes a timeline of what happened, and figures out how to respond to it with the aid of other security roles, management, lawyers, and IT. Incidents can vary from data breaches to malware outbreaks, to phishing or APT response.

Where are the jobs:

Medium to large organizations, security contractors who provide DFIR services.

What gives a candidate an edge:

This job requires good analytical, organizational, and communication skills. Candidates need to be able to work well under high pressure and high stress situations at odd hours. This is not a job for people who don’t like to manage a project or a team, or report to senior leadership. Good certifications to have are GCIH and CISSP.

Avoid this trap:

Taking an incident response role when you aren’t comfortable taking charge and maintaining control of a situation, or writing extensive formal reports. You must have self-confidence and leadership skills to fulfill this role.

Personal career story:

“I used to work for a major shipping company. I hated the work. I’d do 60 hour weeks at weird hours and was unable to advance because of degree requirements.

I had an acquaintance that I played golf with that offered to float my resume around since he knew I had some technical skills. It took about a year before I heard back from him about a job.

He called me up one day to ask if I was still interested in working for him. I’d be writing tech policy and assisting with certification and accreditation work.

It was there that I learned I was making crap policy and had no clue if what I was writing had any sort of basis in reality. No one could tell me how any of the systems worked or if what I was writing would even be effective.

So I started looking into learning this stuff for myself. I stated teaching myself the anatomy of breach and what to look for during an intrusion event. The quality of my policy went up. It wasn’t overly restrictive but provided the required level of security. It started to get noticed.

After that, I was invited to help with network architecture on a small project. Again, I had to teach myself everything but I was working with more experienced people that loved the work I was doing.

Eventually that project ended and I was looking for work. It was only then that I fully got my start in info sec. I was hired to do enterprise security appliance integration. Take a SIEM and integrate it into a client environment.”

Personal career story:

“I got into infosec my moving laterally through related jobs. I’d built some websites as a hobby, so I got a job doing web programming. I entered the US Cyber Challenge and made contacts that let me get into QA at a security company, which let me play with malware and the like. From there, I was able to move to a security role at a fourth-tier social network, and from there to SOC work at Mandiant.

Key features that helped me was self-driven training, finding jobs that included things that I could do and things that I wanted to do, and hitting up the types of companies that were willing to take a chance on someone with low experience and drive to learn.

What I like about IR is how things are constantly changing. I’m always researching, exploring, learning. Always new challenges”


What this job does:

Malware analysts figure out the nuts and bolts of how malware, adware, and hacking tools work, what their capabilities are, write signatures for them, and may attribute them to a campaign. They perform live, or heuristic analysis (meaning they run the malware in a sandbox and carefully analyze system changes and traffic), and static analysis of the code itself (which may be written, hidden, and packed in a way that purposefully makes this very confusing and time consuming.

Where are the jobs:

Larger organizations, cybercrime investigation agencies, antivirus and malware research firms.

What gives a candidate an edge:

Strong programming skills, especially scripting and assembly code. Strong network traffic analysis skills (you’ll be identifying and decoding lots of malware traffic). Experience with sysinternals tools and equivalent. Excellent analytical skills, and lots of patience. Good certifications to have are GREM or CREST CMRE. Previous exposure to writing IDS or Yara signatures may be useful.

Avoid this trap:

Assuming malware analysis is entirely heuristic or signature-based. Sandboxing alone is not adequate. You should understand assembly and programming architecture well in advance to succeed at this job.

Personal career story:

“So I figure I’d add my experience for breaking in to infosec. My background is in datacenter operations. I was a former sysadmin. My break into information security was knowing how systems work and studying for certifications to demonstrate that I had foundational knowledge enough for someone to take a risk on me. My key to success was to never stop putting myself out there and never stop submitting my resume. I know it seems lazy and banal, but study and persistence paid off for me.”


What this job does:

Security engineers are what most people think of when they hear that somebody works in network security, but today the job goes far beyond firewall management. They manage and update security appliances and rulesets. They may also keep data storage, tools, and log feeds working and useful for the other security roles listed. In today’s security world, they’re usually the people who manage SIEMs and security log aggregation tools. Sometimes security engineers are even responsible for scripting new tools and API integrations.

Where are the jobs:

Today, most organizations and agencies (that do not outsource these tasks) keep security engineers or system administrators with security engineering experience on staff.

What gives a candidate an edge:

Excellent systems administration skills, in Windows, CentOS, and Linux. Strong scripting skills (such as Python or Ruby). A general knowledge of security operations, practices, and applications. Certifications and training will vary by the specific position, as security engineering roles can specialize further. Some examples are SIEM and security appliance specific training through applicable companies like Cisco, Splunk, RSA Netwitness, Juniper, Blue Coat, Palo Alto, or HP ArcSight.

Avoid this trap:

Becoming too tied to a single platform or vendor. Falling for the ‘magic black security box’ sales pitch by a vendor without proper research. Avoiding open source tools entirely, or conversely, avoiding commercial tools entirely.

Personal career story:

“I broke into infosec because I have been interested in the field since reading “Cyberpunk: outlaws and hackers on the computer frontier” in 1991 and 20 years later I found myself working on an Internet of Things project in the same office as the guy who ran the Security team. We had lots of great security-related chats and one day I asked him: “hey, I’m interested in getting into security, can I join your team?”. He said: “Sure!” and the rest is history! 🙂 Being in the right place at the right time made all the difference.”


What this job does:

Security auditors and compliance staff evaluate and rate security programs and check organizations’ compliance with local, national, and international laws and standards. These standards can be required by law or merely ones that the organization chooses to strive for. For example, in the US, required standards include PCI for payment processors or HIPAA for medical records storage. Most formal security standards have regularly scheduled formal and informal inspections of documentation and procedures. Auditing and compliance staff perform these inspections, ensure compliance and improvement, and report their findings to leadership or regulatory agencies as required.

Where are the jobs:

Medium to large businesses, regulatory agencies, contract-based auditing firms.

What gives a candidate an edge:

Excellent organizational and report-writing skills. The ability to communicate courteously and diplomatically with all levels of an organization. Specific knowledge of applicable standards. Good certifications to have depend on the situation, For instance, the PCI Security Standards Council offers their own assessor certification.

Avoid this trap:

Assuming these jobs aren’t technical or demanding. In fact, many of these jobs require lots of travel (for on-site inspections), and a solid working knowledge of a wide array of security devices and concepts.

Personal career story:

“Being an effective Auditor can be one of the most rewarding and visible positions within an organization as your work product makes it in front of all levels of management up to the board of directors and is based on: evidence (policy and process), legal fact (regulation or policy mandated standard), and verification through security testing. The core of all IT Audits is controls and residual risk. If you enjoy technical challenges, making well formed evidence based (legal) arguments, and enjoy reading legalese then you’ll love Auditing.

I started out as a UNIX/Linux Systems Administrator in the early 90’s and learned how much I didn’t know after reading through the Rainbow Series ([0],[1]) which I obtained after reading the alt.2600 Usenet FAQ, making what I thought was a prank call to the National Computer Security Center requesting a copy of the series. Surprisingly, the operator was happy to send me the series and they arrived a couple weeks later giving me an encyclopedia of material to read. After reading through the series, I became interested in other standards
such as ISO 17799 (Security Techniques) and 15408 (Common Criteria) and the NIST 800 series (Computer Security Guidelines), and became infatuated with evidence and investigations.

These two interests: standards and investigations, became my foundation for becoming an Auditor. After my first gigs as an IT Auditor I quickly learned that organizations would try to fake their way through an audit
so I applied my systems administrator knowledge and learned how to exploit systems after being told during a final presentation of findings that a control was in place that I knew was not applied. So, during the meeting I demonstrated the exploit I’d used to verify the lack of patching.

I soon learned exploiting things to provide controls weren’t in place was Red Teaming or Penetration Testing, which I see as a variant of IT Auditing – proving controls are not in place. Later, during a Penetration Test I’d discover that a system was already compromised and that would move me into digital forensics and incident response.”


What this job does:

Threat researchers study attackers and their methods, and try to quantify their tools, tactics, and procedures (TTPs). This means observing and reading reports of attacks, and not only identifying ways to better detect the attackers, but attempting to predict their next moves based on behavior or world events. In some situations, threat intelligence analysts may also be asked to attempt attribution of attacks to a specific organization or country.

Where are the jobs:

Large organizations, cybercrime investigation, threat research firms

What gives a candidate an edge:

This is one of the backgrounds that is harder to obtain. Many of the best threat intelligence analysts were prior government or military intelligence staff and were formally trained as such. In lieu of this, a strong background in political science, foreign languages, or international relations along with strong security analysis skills can be useful. As one would expect, good report writing skills are a must.

Avoid this trap:

Relying only on open source feeds of intelligence data. A good threat analyst is regularly identifying who might target their organization or customer based on current events, industry, or high value targets in their environment.

Personal career story:

“I don’t have a comp sci degree or tech certs but I’ve been slowly working on them via EdX. My interest ignited when I read an online newsletter by Kaspersky. I didn’t know what half of it meant but it mentioned Stuxnet. The concept of nation state threat actors, tailored viruses, etc had me hooked and I went searching Google to learn more. But things really happened when I went on Twitter and literally fell down the rabbit hole that is InfoSec. I haven’t come back out. Everywhere I looked there was a link to learn something. I started by reading all the online content I could. And discovered online learning for free. Then, I read the bios of people I admired to see what their skills and advice were, and got up my nerve to ask questions. I followed the guys on Twitter who were finding stuff live and reporting it. I asked questions, and looked up what I didn’t know. I value beyond words my network of friends now on Twitter. The world opened up. As well, I made my own blog to share info at the ground level because I understood to well how it feels not to “get it”. When Shellshock/Bash hit, I became the go-to person in our office. From there, I launched a weekly team security briefing, and posted that news to share with clients on our sites. From there, I pushed for the security analyst/researcher role in my company. And I’ve carefully drafted a security plan we will roll out to our clients based on the wealth of knowledge I found from my resources here in InfoSec.

My strengths were more communications and learning, so I played to those to build up technical knowledge. And I was asked to contribute to online blogs, which was very gratifying. I could learn and contribute to this community! Perhaps the most amazing experience has been attending Cons. They inspired my blog about the learning and community that happens when we get to do face to face time. I listen carefully to where needs are, to look for where I can share my skills or knowledge. Or where there is an area needing more people to grow their skills. Currently, I’m working on becoming our key resource on Cloud Security, and pursuing a niche interest in Mainframe security.

I love the people I’ve met, that learning is everywhere, and that the work we do really matters. Everyday we make a difference. This is all I could ever want.”


What this job does:

Finally, we get to the directors and executives of the security space. This is rarely a ‘breaking in’ point for people new to infosec, but it occasionally happens as skilled people in other areas of technology or policy management are picked to lead security programs and groups. These folks develop and maintain the fundamental security posture and procedure for their organizations, taking into account international law, industry standards, and corporate requirements.

Where are the jobs:

Most organizations of moderate or large size, particularly government and those which deal with sensitive data.

What gives a candidate an edge:

Extensive experience in managing resources and people, solid understanding of a broad range of IT concepts including security.

Avoid this trap:

Losing touch with the information security community whilst relying on vendors or agencies for critical news. The fastest way to know what is going on in the security space is to attend hacking conferences, watch social media and blogs, and participate in research and training. I can’t count the times I’ve met a governance executive who still thinks Def Con and its ilk are made up entirely of criminal hackers and refuses to attend (at the expense of great training and current knowledge).

Personal career story:

“I’ve worked in IT for 20 years now ever since I left college (in the UK that’s when you are 18). I’ve always had an interest in Security ever since I watched the movie Sneakers when I was a teenage. Four years ago I decided to dedicate some time to improve my skills in Security. I created a training plan (which I soon ignored), started stalking people on Twitter (security people), and started a blog to chronicle my journey. I’ve taken part in UK Cyber Security, written magazine articles about some of my coding projects, run workshops at conferences, written tutorials and tried to contribute to a community that at it’s heart wants you to succeed and is willing to share its time and experience with you. A year ago I moved into a security role at my current employer, I know do technical security as well helping define and build the companies Cyber Security Strategy. I also work for UK law enforcement helping fight Cyber Crime. I love security, it’s the biggest puzzle you can get in IT. It’s like a ever changing, challenging and exciting rollercoaster ride that makes me glad to go to work everyday.”

(Many thanks to Christina M)

What this job does:

As an entry level analyst you will most likely manage day-to-day processes around an existing I&AM/IDAM solution. As a senior analyst/architect you will design, build, test, deploy and implement I&AM architectures. This includes centralizing and automating firm-wide access control processes via an IDM tool which includes on-boarding/off-boarding, access requests & approvals, automation of flows, future integration of applications, maintenance of IAM technology infrastructure, app and user store integration. In this position you will interact with mostly every department in your org from senior management to associate.

Where are the jobs:

Professional services, government, financial services, technology companies, consulting and outsourcing industry.

What gives a candidate an edge:

Solid IT and technical background, system architecture, design and implementation, business ops and controls. Also, staying away from silos. Learning about other areas in information security/IT and the business. Also communication! If you understand how to translate business requirements into IT requirements and highlight value propositions from a risk/privacy perspective you will succeed.

Avoid this trap:

Believing that certifications like the CISSP/CISA alone will give you the experience and knowledge that you need to succeed. They will not. The best way to learn is hands on.

Personal career story:

“Trained in information technology and network administration. While attending university, I interned at the computer lab and landed a help desk/desktop tech shortly after. After graduation, I went on to work as a Jr. network admin where I honed my skills in server administration, server implementation, network upgrades, troubleshooting patch panels, implementing VOIP. I got an opportunity to work in IT security for a financial co in 2007. While I didn’t have formal infosec training at the time my previous experience and understanding of network implementations & keen interested, landed me the job. I then learned about Identity and Access management frameworks, risk governance, centralization of access management, RBAC, access certification & automation. Went on to implement a full fledged identity and access tool and process at a fin org in 2012. Never be afraid to ask questions, try something new and take chances.”


What this job does:

Endeavors to ensure that software, devices, or apps are developed with good security in mind from the bottom up. Identifies deficiencies as products are developed and tested and acts as a resource for the development team.

Where are the jobs:

Any reasonably sized organization that develops things, from software, to SCADA to operating systems, to devices which will connect to the IoT.

What gives a candidate an edge:

Excellent software or hardware development and engineering skills. A good understanding of how the product type being designed could be practically exploited. Certifications not only in developing the device or language, but securing it (for example, GWAPT, GSSP-.NET, or the CSSLP). This can vary widely by what is being engineered. Some devices or software might need to conform to government or industry security standards.

Avoid this trap:

Believing that you will always win the security argument with developers and management, even when your argument is reasoned and evidenced. Assuming that every project you will be asked to will be designed with security in mind from dayone (sometimes it will be tacked on later at the expense of overall security).

Personal career story:

“Way back in 2002, I decided to start building dynamic websites in PHP for hobbies of mine. (I was in middle school at the time.) Some of the folks in one of the communities I was trying to contribute to were very toxic, so I kept getting hacked. I quickly caught onto how they broke in and started learning how to stop more advanced attacks. I found myself on websites like HackThisSite and EnigmaGroup, but I always felt outclassed, so I just kept reading, learning, and writing better code. And that kept going on for years: Read, learn better habits and strategies, rewrite entire websites from the ground up, rinse and repeat. In 2013, I decided to start contributing to open source projects on Github. I quickly identified some flaws in the cryptography code used by CodeIgniter, Kohana, etc. that seemed really obvious to me (timing attacks on the HMAC verification that shielded the unserialize() in their session drivers from being a remote code execution vulnerability), but whose team members did not find so obvious. I had a similar experience with Facebook’s SDK developers (which I wrote about ). Recently I published Halite, a PHP library that serves as a user-friendly wrapper for libsodium to make high-speed cryptography accessible for PHP developers and I’m pushing to make libsodium a core PHP extension in 7.1.

Being a secure developer is challenging; you have to exist at the cross-section of keen information security awareness and still be able to keep up with people who write software full-time. But it’s also incredibly rewarding, as long as you learn this lesson earlier rather than later: People who specialize in secure development are incredibly rare. Things that seem obvious to you might not be.

The one thing I like most about my job is that I get to take rare knowledge (in my case, cryptography engineering) and apply it in areas where it would otherwise not touch (i.e. web applications)..”

Chapter 5: Red Team Careers



 What this job does:

 Pen-testers are the folks who simulate a real network attack on a target to identify their security flaws and vulnerabilities. They can look for these vulnerabilities across a wide range of platforms and architectures – from traditional networks’ DMZs, to SCADA systems, to complex internal networks. Their job is to play the bad guy within well documented rules of engagement, and report back to their employer what was discovered. Entry level and intern pen testing is a starting point for many people moving into ‘Red Team’ roles.

 Where are the jobs:

 Medium to large organizations, smaller organizations which handle highly sensitive data, contracting firms which provide these services.

 What gives a candidate an edge:

 Extensive knowledge of multiple operating systems’ operation, including command line, authentication, and permissions. Solid knowledge of networking. Knowledge of social engineering tactics. Comfort with common hacking tools like the Kali distro and its installed packages. Experience with Metasploit / Armitage / Cobalt Strike is useful. Good certifications to have include OSCP and GPEN, with specialized certifications and experience in specific systems as required.

 Avoid this trap:

 Thinking that penetration testing will be the rock star job the media makes it out to be. This isn’t an episode of Leverage. Except for when it is, occasionally. Penetration testing is a lot of work that involves legalities, meetings, and lots of paperwork. There are usually heavy restrictions on what pen testers can attack and when. The job can also be travel heavy for contractors.

 Personal career story:

“I have landed every single InfoSec-specific job I’ve ever gotten via making friends in non-Professional contexts. Game nights, house parties, book signings, poker games, bartending. . . when you allow your career to flow from organic, human interaction (as opposed to forced professional contexts), you have a much higher chance of ending up somewhere you actually WANT to be. You’ll click with your team (and possibly the company) better, you’ll be naturally motivated to work simply because you care, and this will likely lead to you hanging around a company longer, racking up that sweet, sweet vacation time. All of this stems from dropping the shop talk and the constant immersion in InfoSec, and saying ‘Hey; I’m just people, and you’re just people, and maybe us people can get something done somewhere by just being people together.“

Personal career story:

“I was going to school in Boston, knowing that I was going to go into computer security. My university required two coop terms for the degree, and I was lazy about the first one, so I did a term in a computer repair shop. For the second, I was determined to get a coop at a security firm. I searched around for all the local security shops, then cold called them asking if they had coop programs. There was some forensics shop, [redacted], and Core. The forensics shop had no coop. I interviewed with [redacted] and they turned me down.

So, when I went to Core, I compiled sanitized reports from freelance pen testing I’d done, presentations I’d given at a security meeting I organized on campus, and writeups of bugs for which I had CVEs. I laid them all out in front of the guy interviewing me, talked him through each one, and asked if he had any questions.
He smiled approvingly, nodded, and said I certainly seemed to know a lot about security.

He then asked me what I knew about marketing. It was at that moment I learned I was interviewing for a marketing position. I put my head in my hands and explained the misunderstanding. The gentleman across the table from me said that he’d be willing to give me the position, and that in any down time I had after doing marketing work, I could do security research. I accepted, and within a month, I’d scripted away all my marketing work, essentially resulting in being brought into a security research position. I impressed enough people that I ended up in a pen testing role, starting my career in infosec.”


 What this job does:
Similarly to a traditional, network-based penetration tester, a physical penetration tester tests an organization’s non-computer security measures. This can include evading guards, locks, or cameras to reach a target, breach a defense, or conduct a network penetration test from inside a building.

 Where are the jobs:

Due to the nature of the job, physical penetration testers almost exclusively work on a contract basis for other organizations.

 What gives a candidate an edge:

Knowing locks and security systems inside and out. Being great at social engineering people and playing a role even when circumstances change rapidly. Potentially the full network penetration testing skillset, as well.

 Avoid this trap:

Expect to travel. A lot. Engagements can be days or weeks long, and can even involve pretending to for days work at an organization you’re trying to exploit. Don’t expect the job to be constant fun and games. There’s lots of reconnaissance and research that goes into breaching a building’s security, and plenty of reports to write afterwards. Expect to potentially be arrested or even go to jail before your employer or contracting agency can clear things up legally.

 Personal career story:

“I made the move from “conventional” INFOSEC work to Physical Penetration when one client had a sysadmin rage quit.  We were called in to pop the domain controller and re-establish access for the company, but upon arrival learned the server room was locked (and the key had left with the ex-BOFH).  As they “awaited the locksmith” I offered to simply open the door for them.  They allowed it, we easily got in, used the pnordahl toolkit to give them back their admin accounts, etc.  But it was the door-opening that floored this client the most.

“Show us that again!” they entreated, and we spent another two (billable) hours just walking around their facility, explaining how their doors could be picked or bypassed. Knowledge that for me was merely a fun hobby turned out to be valuable to clients.  That’s the most key element of establishing yourself in some security sphere: figure out a weak surface that no one is protecting (because they don’t yet think to) and learn to be as well-versed as possible in that vein.

Then publicize your findings and share knowledge with others.  My associates and I would never have become known as go-to people for locks, alarm systems, elevator access controls, etc, had it not been for our talks at conferences and training at places like Black Hat and SANS, etc.

In that regard, I have to offer huge thanks to people like Heidi Potter, Bruce Potter, Beetle, Jeff Moss, Ed Skoudis, John Strand, BernieS, and many other conference organizers who encouraged their events to host lockpicking and other physical security content from me before I was as well-known.”


What this job does:

Vulnerability researchers study products and software in great detail to find hardware and software vulnerabilities so that they can be fixed in a timely manner.

Where are the jobs:

Medium to large software companies, hardware engineering companies, vulnerability research organizations. (Many vulnerability researchers are self-employed and work for bounties.)

What gives a candidate an edge:

Excellent computer science and/or electronic engineering skills (depending on the target products). Excellent reverse engineering skills. An intense desire to research and understand how things work.

Avoid this trap:

Assuming anything about gaining this career as a legitimate form of employment will be easy.

Personal career story:

“I started with computing at a young age. My uncle (a professor) gave me C and BASIC texts. I read them. Having only school computers, I mostly theorized and scribbled on paper. Years later my father purchased an IBM Aptiva (~1994), and established dial-up access into the RPI network. Shell and MUDs became my home amongst RPI students. The knowledge I would gain from those late night experiments would shape my future. A future in vulnerability research. Through keeping a Socratic approach to all things computer related, I established a variety of friendships and contacts within the InfoSec Industry. Having a passion for identifying, and proving out flaws in applications and devices drove me through the, sometime very annoying, monotony that can be research. I began consulting on-the-side while attending school for Biology, and was given some amazing opportunities with Albany Medical Center, NYS Prosecutors, and GE Global Research. Those opportunities lead to the expansion of fellowship I had within InfoSec, and exposed me to a wide variety of specificities within the industry. That exposure solidified my calling of research; and I haven’t looked back since.”


Starting an InfoSec Career – The Megamix – Chapters 1-3

Even once a person realizes he or she has a passion for information security, moving in the field can seem a daunting task. The education market is oversaturated with degrees, certifications, and training programs. Meanwhile, many prominent hackers mock those programs publicly. Although I’ve touched on security education and training quite a bit, I’m continually asked to provide a resource for people who are trying to transition from school or other fields into Information Security roles. Ours is a healthy job market and we do need qualified and motivated applicants. The jobs exist, but we repeatedly see candidates being given false advice to get them.

With tremendous and very much appreciated help from many of my colleagues and friends in the field, I have endeavored to compile a comprehensive blog about starting an InfoSec career. This is a very lengthy blog broken into sections that may help people as parts or as a whole. We want you to succeed in our field. As always, please feel free to ask questions or leave comments / gripes / suggestions.

Chapter 1: The Fundamentals

 Unfortunately, for all the interminable hacking tool tutorials and security guides floating around the internet, many InfoSec job candidates haven’t grasped two fundamental concepts:

  • To hack something (or defend it from hacking), you must have a solid understanding of how that thing works.


  • InfoSec is not a career that can be put in a box once you go home from work or school. You must be passionate enough about the field to be continually learning and aware of quickly changing current events. If you want a career that you can forget about once you go home at 5:00 PM, InfoSec is probably not the right choice.

The really intriguing thing about InfoSec and hacking in general is how they draw heavily from knowledge of all sorts of IT subjects. It’s difficult to understand attacks, malware traffic, or intrusions without a firm understanding of network ports, protocols, and architecture. Similarly, it’s difficult to understand malware or identify system compromises without a firm understanding of operating system architecture, hard drive construction, or programming fundamentals.

There’s a misconception that sophisticated attackers use lots of malware and exploits. This is simply not the case. The better a hacker is, the more likely he or she is to leverage preexisting software and tools to compromise a network whenever possible. With malware comes more risk of detection and forensics. It’s a wise choice to use an excellent understanding of the command line and remote execution to move laterally across a network.

If you’re considering a career in InfoSec please evaluate yourself on your knowledge of basic computer science and networking concepts. If you’re weak in one of those areas, consider some outside study. Merely following a Metasploit or an Ophcrack tutorial will not teach you how to be a good hacker. Understanding how Metasploit modules and communication work, or how Windows passwords are stored and passed may eventually. (Almost universally, I find more value in a candidate who can read a pcap than one who can execute msf console.)

In regards to the second concept – in some ways we as a field are victims of our own success. InfoSec jobs are advertised as high paying and cutting edge, so there has been a surge of graduates and applicants. Unfortunately, being a good security professional is something tremendously difficult for any training program or school to teach. Without an outside interest in learning more, enhancing skills, and studying current events, entry level candidates are often tremendously skills-weak.

I often screen candidates with relatively simple questions based on malware and technologies commonly seen (and documented) in the last 3-5 years, as that tends to be newer than university curricula. It’s also very popular to simply ask candidates what they are doing on their own time to enhance their security knowledge. Often, this question leads to silence (which given the wealth of free resources available is a dead giveaway the person will probably not work out). We will discuss some inexpensive ways to improve InfoSec knowledge at home later on in this blog.

Chapter 2: Choosing Education and Certifications

 The debate over the value of (costly) college degrees in InfoSec is a continual and heated one, and likely will be for quite some time. I’m often asked if getting a (Associates, Bachelors, or Masters) degree is necessary to get a foot in the door in InfoSec. In the US, the answer is usually no. As I discussed previously, InfoSec interviewers usually value motivation, critical thinking, and self-study above all else while selecting entry level candidates. It is quite possible to write a resume which includes volunteer work, talks, and personal projects related to the field, and these usually are much better conversation starters than a degree.

That being said, there are a few notable exceptions. Government agencies and large corporations still tend to value degrees highly and may even refuse to waive them as a requirement for their hiring authorities. So, without a degree, resumes may simply be ignored by mandatory computerized HR screening.

Secondly, within these types of organizations, pay grade or promotion may be contingent on having a degree, so an entry level person without a degree might have to go elsewhere to move up. Be cognizant of the requirements at the place you’re seeking employment.

Personally, I usually view degrees favorably when they’re financially feasible. They show dedication to a task for two or more years, and an interest in some subject. I also trust credible universities to teach students general business skills like reading, presenting, and report writing (all of which are underappreciated but valuable in security). Thus far I haven’t seen much value in specifically gaining an InfoSec degree – I have come to expect those general skills to be taught better at a credible university in a History program than in an InfoSec program at a for-profit degree mill or technical school. Also, as I previously mentioned, established IT programs such as Computer Science, Computer Engineering, and Network Engineering can bring a lot to the table in terms of general knowhow.

Certifications are a trickier question because there are so many out there, and they serve different purposes depending on the niche field the applicant wishes to get into. I’d consider certifications a ‘nice to have’ for an entry level candidate – they are not likely to tip the balance much in a hiring decision, but they usually don’t hurt. (One exception: Due to the employment requirements and the purpose of the certification, I find it inappropriate when entry level applicants with no experience have [somehow] obtained their ISC2 CISSP ®. The certification is made for people already employed in the field with a number of required years in the field, so it looks a bit fraudulent.)

More appropriate for entry level candidates is the CompTIA Security+. It’s cheap, and it serves two purposes. The first is demonstrating some basic security terminology and concept knowledge. More importantly, it makes candidates eligible to perform government contract work under 8570 requirements. The CompTIA Network+ is also a safe bet, as it shows a bit of that basic network knowledge we’ve been discussing. Neither certification shows an advanced knowledge of their subject, but they are a good choice for getting a foot in the door.

I’ve recommended SANS / GIAC line of certifications in the past because I find their training and tests some of the most legitimate. Their certifications are some of the most technically respected to have on a technical resume. However, their certifications are also extremely expensive, with courses and books in the thousands of dollars and tests in the hundreds. There are some options to decrease the costs like their community offerings or work study program, but they may still be out of reach for entry level folks. If you can easily afford a SANS course and GIAC certification, absolutely take one applicable to your field (good general choices are GSEC or GCIH). If you can’t, don’t take it to heart – wait until an employer makes them financially available to you.

Offensive-Security offers the OSCP certification and course which is a fantastic choice for InfoSec applicants who wish to take a more offense-based route (or indeed, as exposure to those techniques to anybody in InfoSec). It’s real-world lab heavy. The course and certification are still expensive at around a thousand dollars, but may be more realistic than the cost of a SANS course.

I personally do not recommend EC-Council certifications for entry level candidates at this time unless they are specifically required for a role.

I’ll suggest some specific training and certifications as we discuss specific roles later on.

Chapter 3: InfoSec Fields and Niches

There was a time in the 19th century where a ‘scientist’ often meant a generalist – a respected scientist might have knowledge of biology, physics, and chemistry. As those fields grew in complexity, it became increasingly difficult for one person to remain current with all of the research and knowledge involved in even a single broad field. Today, we see scientists specialized in very niche fields, each with its own wealth of research. InfoSec is very similar. While in the 1980s a single security specialist could conduct penetration tests, configure firewalls, and investigate breaches, today that is much less common. There are many disparate fields which make up information security and an important decision for any InfoSec professional is finding which of those niches is are a good fit.

The first thing we have to understand is the distinction between the ‘red team’ and the ‘blue team’. While there is often some overlap in InfoSec job roles, we generally separate them into two broad camps – offense (red team), and defense (blue team). You may wonder why legitimate, “white hat” hackers would need offense. Consider the people who conduct professional penetration tests of organizations to generate reports on their deficiencies, and the people who conduct research into vulnerabilities. These are “red team” jobs.

The path to becoming a Blue Team InfoSec professional is usually somewhat different than the path Red Team professionals take. That’s not to say it isn’t tremendously wise for the two camps to cross-train. It’s difficult to conduct good offense without having a general knowledge of defense practices, and vice versa. We will discuss specific red team and blue team roles in the next two chapters.

1 The Fundamentals

> 2 Education & Certifications

> 3 Fields and Niches

4 Blue Team Careers in Depth

5 Red Team Careers in Depth

6 Self-Study Options

7 Landing the Job]

[I highly recommend visiting Daniel Miessler’s blog on the same subject, located here:]

Better GIAC Testing with Pancakes

It’s no secret that I’m a fan of SANS and their associated GIAC infosec certifications. Certifications aren’t worth a ton of credibility in the information security arena, but the SANS training and testing mechanisms really do ensure that students have to have some clue about the topic to pass. The courses aren’t cheap, but SANS provides less costly community and self-study options. So, people going into the certification exams are in varying training situations.

When people see my complex-looking system for passing these exams (I was a GIAC proctor, and now hold GCIH, GCFE, GCFA, GREM, and GPEN), they often ask me how they can better prepare for the exams. Even though most SANS courses cover this to some extent at night or on day 1, let’s review some best practices for succeeding at SANS certifications.

DISCLAIMER: I follow GIAC policies to the letter and I will never provide specific details about any certification exam. So don’t bother asking.

There have already been a few blogs written about the study mechanisms for GIAC exams and I will link them at the bottom as others’ methods are similar but vary a bit.


  • GIAC tests change regularly with the SANS course material. If you tactically acquire books from a year ago, there is a good chance they will not be completely applicable to the current test. Same with your practice tests, etc. Stick with your provided materials.
  • GIAC tests are open book, open note (no electronic devices allowed). There is enough detail in them that it is very likely you will not be able to score very high without books or notes in the room with you; they’re designed that way. Minutiae matters – read, don’t skim.
  • Some SANS books have no detailed index. This is for a smart educational reason – if you plan on using the books during your test (and you should) you are pretty much obligated to create your own. This forces you to actually read every page of the books while you’re preparing, and take notes. While some SANS courses have now added an index to match industry standards, creating your own with proper tabbing and references is still highly advisable for referencing speed during the exam and as a study aid.
  • People’s indexing styles vary. I will show you my system and why I do it the way I do. See the links at the end for some variations. The bottom line is you need some organized way to find stuff in the books in a time crunch.
  • GIAC exams are usually 3 hours long (a few some are longer or shorter) with around 115 questions. This means you have about a minute and a half per question. Unless you read quickly and your index is top notch, you will not be looking up every answer.
  • SANS instructors give you tools to help. Keep those handy SANS cheat sheets for tools, commands, and operating systems they give you in the class, and bring them to the test!
  • GIAC gives you two practice tests you can take at home, and they can be given to others. We’ll talk about this in more detail, but these are really important!


  • The SANS books for the certification you’re going to ace…
  • Some of these colorful plastic tabbies (you can buy ’em at Walgreens or Target) 5-6 colors are best… tabs
  • A fine tip permanent marker.
  • A highlighter.
  • Excel or something that does the same thing.
  • Word or something that does the same thing.
  • A color printer (or a handy Kinko’s).


First, we’re going to stop procrastinating and start the giant task of indexing. Hopefully, you’ve already read through the books during class, but I’m going to presume you have not, yet. Now, some people prefer to take one of their two practice tests before they do anything else, to get an idea of where they stand. That’s fine, but due to the short supply of two whole practice tests, I prefer to take them both after studying and initially drafting an index.

Be prepared for fully reading and indexing 5-6 SANS books to take a couple full work days. Take 2-3 days off, or block at least 12-16 hours over time off on your calendar if you’re that fortunate. I read pretty quickly; you may need a bit more time if you don’t.

We are going to open up our spreadsheet software as we do this, and keep it running as we study. We are going to keep our colorful tabs and our markers handy as well.

First, we’re going to place a uniquely colored tab at the top of every book, so we can quickly grab that book in the small heap of materials we use in the testing center. So our book .1 could be red, .2 could be purple, etc. It’s usually faster to see a color than read text. My method allows for both.

Then we will begin to read.

Just because SANS books don’t have indices doesn’t mean they aren’t divided into chapters and sections. These are usually distinguished at the start of each section in a table of contents slide. They look something like *grabs random book*:


So, we usually know roughly where we are going to put our tabs. We may decide logically to add or subtract one or two. We’ll normally ignore tabbing or noting the labs, capstone book, and appendices unless they contain useful references that compliment the text.

As we read our book, we’re going to install our tabs lengthwise along the side of the book at logical points that will help us find important sections and tools. Because I’m a bit OCD, I like to use a rotating sequence of colors through the books. That way, I can quickly look for a color instead of a generic yellow or white tab. (Purple book, red tab. Yellow book, blue tab, etc, etc…)

So place a color tab of your choice at the start of the first chapter, and write on it what it is. Then, we shall read our chapter.

If we find important information like tools, definitions, or keywords in the text, we’re going to use our highlighter to (you guessed it), highlight the critical information so we see it quickly on the page. Rocket science! We are also going to index as we read. Every time we find a new definition, critical fact, command, or tool, we’re going to add it to our spreadsheet. We’re going to take our fill button in our spreadsheet program and make the first column the number and book color, and the second column the specific item and the section tab color it is in.


We are going to give a little thought to how we write these items because they’re all going to go in alphabetical order at the end. For example, if we think we would look up XSS before CSS, we should make our line item XSS & CSS, instead of CSS & XSS. Or maybe we will make two entries, one for XSS and one for CSS, with the same page number and colors, just to be extra sure we can find it later.

If the items we are in all fall under one tool or subject, we might preface them with that tool so they end up in the same place once alphabetically sorted. For example, Meterpreter – priv module, and Meterpreter – Routing and Pivoting. We might put a couple word note next to a tool so we can quickly remember what it was for.

As we continue to fill our our index, we’ll start seeing a lovely, colorful list of book color and tab color develop. We now have two ways to reference any line in our index – reading the book and page number, or quickly glancing at the book and tab color.

It’s going to take a long time to read everything. Take a break when needed. Proofread your index every so often, and make sure your colors match up.

Eventually, our books will be tabbed, highlighted, and indexed in a spreadsheet from beginning to end. We’re then going to do some Office/Open-Office/Google Doc-fu. I’ll show you in Excel.


Sort by the text column alphabetically (with no headers). Your index is now an A-Z list of stuff, and a explosion of colors.

But printing this will be lots of pages, so we’re going to open up Word and make two columns…


Then copy-pasta (or import) the contents of our excel doc into that two column doc. If the lines are two long to fit in the two columns, make your font size smaller, your margins narrower, or abbreviate specific lines accordingly. We don’t want those lines to take long to read or find, anyway.

Now it will look something like this:


This is a lot more manageable. We can even print this two-sided to make our index even smaller. We still have the alphabetical list of topics, the page number, and the book and tab color code for the item. Our index should only be a max of 6-7, or four pieces of paper, printed out.

We have an index, and tabs! They look really cool!



So whether you used my index system or somebody else’s, let’s recap. You should now have:

  1. Read the books.
  2. Highlighted important facts, tools, and terms.
  3. Made an index you can quickly reference (if it’s over 8 pages you had better have bound and tabbed the index, too!)
  4. Tracked down your SANS course tool and software cheat sheets!

And now we must, alas, take the practice tests and the actual exam.

Tests make me nervous, and I like to ease myself into the first practice test. The first practice exam, I allow myself Google and the find function on my index document, neither of which I’ll have on the actual exam. This practice test, I concentrate on finding stuff that I missed adding to my index, and figuring out what SANS cheat sheets it will be a good idea to bring with me. I also use this test to gauge if there are sections I am very weak on and need to reread.

Some things to note:

  • On the practice tests, GIAC will tell you the correct answer of every question you get wrong (and why it is correct). If this is a confusing answer and you’re in a time crunch, copy pasta this information down to study later!
  • GIAC will also give you a 1-5 star score on each topic in the books when you’re done with the test. If you’re getting 2 or less stars on a section, you definitely need to re-read it and check the quality of your indexing.
  • Keep track on the first test of what you have to Google or can’t find, and make sure you add it to your index or cheat sheets.
  • At the end you will get a realistic percentile score. The passing score varies by exam, but is normally around 70%. I’m not sure exactly what the tolerance is, but expect your score to vary around 5% between the assorted practice tests and exam. So if you’re at say, a 73%, you’re going to want to consider studying quite a bit more before taking the second and final practice test.

I don’t take two practice tests in one day. I fix my index up, study sections I am weak on, and sleep on it.

The second practice test, I have a better idea what to expect. I treat it like the actual exam. No digital resources, just what I have printed out and my books. I take my time and look up anything I am not certain about in my books. I do continue to take a few notes when something really eludes me.

Hopefully at this point my score is pretty good. I make some final tweaks before getting another night’s rest and taking the exam at the testing center.


If you happen to pass your certification exam after only using one of your practice exams, you may send your spare test to another person’s SANS account via your GIAC portal account. This is an optional but nice thing to do for people who are struggling with an exam. The SANS course alumni and advisory board mailing lists are a great place to trade or give away practice tests, or find an extra yourself if you’re still struggling after your second practice test.


I recommend checking out some other lovely peoples’ guides to indexing and studying. Everybody’s learning and note-taking style is different. Perhaps you’ll find one that works for you or combine aspects of a couple.

(Updated March 2017 to reflect SANS courses with integrated indices.)