I acquired my OSCP Certification back on the 12th of May 2019. It took three attempts to acquire it but I prevailed.
I should note this was for OSCP/PWK v2. The course was recently updated to v3 in early 2020.
You can read my take-aways and experiences per attempt via:
Once I acquired my OSCP Certification, I started to apply to several different companies as Jr. Penetration Tester / Red Team operator. I was determined to get into the field I had always wanted to be in since my freshman year of college.
I’d like to note that the OSCP Certification is not the guaranteed ticket needed to get into the field. It is a great start / stepping stone to get your foot in the door.
That being said, after applying to several jobs and receiving interviews a majority of them did not pan out as expected. The employers presented challenges that I did not have experience with as it was not covered in the OSCP / PWK course. Without naming companies or specific challenges out of respect for the employer, I will mention challenges I faced:
- Web app pentests where I had to find over 10 vulnerabilities in a web app. They provided the source code which had to be analyzed to find starting points. In addition to finding the vulnerabilities, there were several other trophies or flags once in the system. Afterwards I had to then provide a written report.
- Buffer overflow in a specific application. This wasn’t hard as it was fairly close to the BOF exercises from the OSCP / PWK course.
- Answering a number of questions related to Active Directory
The aforementioned points above are just a few examples of challenges I faced that the OSCP Certification may or may not cover.
Some employers I was supposed to have interviews with never showed and never contacted me again. There were some employers I had to turn down after they rescheduled on me several times and were late to my interviews. I valued my time and this was a red flag as to how they might treat their employees.
Fast forward to January 2020, I had some colleagues I worked with at my previous job as a Red Team volunteer. These colleagues had reached out to me regarding some Jr. Penetration Testing roles at their company to see if I was interested.
Of course I was interested! I sent them my resume and I had then started my interview process. The process was three rounds which consisted of two phone interviews and one on-site interview. This was before COVID-19 became a major issue.
After going back and forth I had received my offer in March 2020 to work at Oracle as a Jr. Penetration Tester for their Oracle Cloud Infrastructure (OCI) team.
For those of you reading this, if you have read my exam attempts you know I am persistent and determined. If you did not, that’s perfectly fine. The point here is to be determined and persistent until you manage to land yourself the role you are hoping for.
If the employer presents you with a challenge you do not have experience with, try your best and learn from it. From the first example I provided I became determined to become better at Web App Pentests. I picked up a book and looking to get the OSWE Certification as a result.
Check out various websites like LinkedIn for any open roles. Set up some alerts for yourself. I found LinkedIn to be where most of my interviews came from even if I was stood up for some of them.
You may also want to check out NinjaJobs. Here is a brief about us from their staff: NinjaJobs is a community-run job platform developed by information security professionals. Our unique approach of focusing strictly on cybersecurity positions allows us to personalize the user experience.