My Journey into Cyber Security: eJPT to eCPPT to OSCP (Part I)

Way back in November 2019 I was playing professional ice hockey and needed to transition into a real job that would pay the bills. I thought to myself:

“How am I going to get a job in cyber security?”

Why cyber security? Because I like computers, I like solving problems, and it pays well. Naturally what ensured was a plethora of YouTube videos, podcasts, and blog posts from middle-aged white men who were usually bold with a beard (classic computer dudes). After looking at my screen for an unhealthy amount of time, and hearing the same things repeated over and over again, I decided to go down the root of getting a Master’s degree and picking up certifications as I went.

The common entry-level debate in cyber security (and IT in general) is whether or not to get a degree or certifications to get a job. I was in the fortunate position where I could say “screw it I’ll do both” and opted for what I dubbed the Hannah Montana approach (the best of both worlds). What ensured was a very busy 12 months from October 2020–21 where I completed my Master’s degree and obtained the eJPT, eCPPT, and OSCP (the title may have spoiled this). That 12-month period gave me the opportunity to assess, for myself, the best approach to take when trying to get an entry-level job in cyber security, along with the quality of entry-level penetration testing certifications on the market.

I chose to go down the penetration testing route because it’s perceived by many as the sexy thing to do in the world of cyber. It’s in the movies, it’s in the news, and all the cool kids are doing it on YouTube. I thought “I want to break into systems and get paid for it” so as a bright-eyed and bushy-tailed wannabe I began my journey. My aim was to land a Junior Penetration Tester position anywhere that would have me.

To do this, I first undertook a Master’s degree. Now Master’s degrees, and especially this one, are not like a classic Bachelor’s in Computer Science. They are much more self-directed, research-based, and sink or swim. The degree I undertook was an MSc in Cyber Security Engineering and consisted of 8 modules, along with a year-long Dissertation project which made up half of your overall marks. The 8 modules were a week of intensive teaching (9–5), followed by 4 weeks where you completed a project which was either technical or research focused. This project then was assessed via a viva or through the marking of an…