Navigating the Leap: My Journey from Software Engineering to Offensive Security

This is a summary of a blog series you can find here. 

Changing jobs can be stressful and challenging. Many of us, unless we’re being let go, prefer not to make that move. No matter how unfulfilling or pointless the job may feel, as long as we’re paid relatively well, many of us tend to stay in that warm and cozy environment for years—sometimes even until retirement. Whatever your reasons may be for staying, they are yours, and I’m not here to tell you to quit. However, I do have a piece of advice based on my personal experience, which took me by surprise: the longer you stay in one place (no matter what it is), the harder it will be for you to leave and find a new job—whether by choice or necessity. Just keep that in mind; I know I will.

If you clicked on this link, there’s a good chance you’re in the middle of your career and are considering a change. There’s also a strong possibility that this “something else” you’re contemplating is a move into Infosec.

As you’ve probably gathered by now, I recently transitioned into Infosec. In fact, it’s been just over a year since I started working as a cybersecurity engineer, primarily focused on vulnerability research and offensive security. It’s been an incredible journey—I’m having a blast every single day. Infosec has opened up a world of new opportunities that I didn’t have before, and I’m doing my best to make the most of them.

What’s even more important, despite how quickly things are moving, I try to stay present, take it all in, and savor every moment. For instance, as I write this article, I’m on a flight from Frankfurt to Las Vegas, heading to DEFCON, the world’s largest hacker conference, where I’ll be speaking at the Aerospace Village. I know, I know—it’s just a village, nothing too fancy. But given that attending DEFCON has been at the top of my goal list for a while, this is pretty exciting news for me.

Although I’m thrilled to reach another milestone in my transition to Infosec, I’m also making an effort to stay grounded, not get too carried away, and maintain my focus. With about 11 hours to kill on this flight, I thought it would be a good opportunity to reflect on the past couple of years—what I did, both right and wrong, to get to where I am now. After all, that’s probably what you’re looking for and expecting from an article with this title. So, let’s get started.

*Disclaimer

This article outlines my journey from software engineering to offensive security. While it is written as a personal story, the key aspects can be broadly applied to anyone’s situation. Depending on your background and experience, the specific steps may differ, but the necessity of taking these steps remains the same. I chose to frame this article in this way because everyone’s situation is unique. My goal is for you to understand my situation, goals, and the reasons behind my decisions as I pursue these objectives. By doing so, you can then apply a similar approach to your own circumstances.

Before doing anything else, understand that any career transition will require significant effort. The further your dream job is from your current position, the more effort you’ll need to put in to achieve your goal. It’s going to take time—your free time, personal time, and family time. Make sure you and those closest to you understand this. There will be moments when you’ll want to give up and retreat to that warm and cozy chair because no matter how much you dislike your current job, it’s still easier to stay in the familiar. These are the times when having people around you who support and push you forward is crucial. This support can come from friends and family, but also from the trusted infosec community. I can’t stress enough how important a community of like-minded people was during my transition. Where can you find such a community? I’ll discuss that later when we dive into the concrete steps you’ll take on your journey.

The first question I asked myself when the thought of leaving my comfort zone crossed my mind was, “Where do I start?” With my extensive experience as a TPM, planning comes naturally to me. So, I decided to approach my transition just like any other planning activity. For every planning process, I like to begin by taking a step back, getting a clear view of the big picture, and defining in one sentence what I want to achieve. So, let’s see:

“I want to shift my career from what I’m currently doing to something related to offensive security.”

That’s a good starting point, but I think I can refine it a bit by adding:

“I want to shift my career from what I’m currently doing to something related to offensive security, preferably with a connection to software engineering, since that’s my background—and something I genuinely enjoy.”

So, that’s my goal, although it’s still at a high level. For now, it’s a good starting point. Next, I’ll recap where I stand in achieving this goal. As I’ve mentioned, my background is in software engineering, so I’m not exactly a newcomer to IT. But what does that really mean? Let’s refine that a bit further.

I’m a software engineer with 15 years of experience—5 of which were spent coding primarily in C++ and Java, and the remaining 10 years working as a TPM. It’s also worth noting that in recent years, I’ve been developing and maintaining similar types of software using the same development stack. Although I worked on multiple projects, the software and its functionality were largely identical. As a result, while I’ve gained valuable skills in software engineering, project management, and leadership, I’m not entirely up to date with the latest technologies.

That said, I haven’t been idle during this time. I’ve explored various programming languages and frameworks out of curiosity. However, I wouldn’t consider myself an expert or particularly proficient in any of them.

Having a clear idea of what I want and where I currently stand in terms of skills, it’s time to narrow down the roles or areas within offensive security that I could focus on. To do this, it would be useful to create two lists: one prioritizing the areas I’m most interested in and the other ranking them by the effort required to excel, considering my strengths and weaknesses.

Having a clear overall idea of your goal is important and will help you get started on your journey. However, you should continually refine your goal as you progress. The more you learn, the more you’ll be able to refine it. At this stage, I also want to caution you that as you refine your goal, you may find that it has shifted significantly from what you initially set. Don’t be alarmed by this—it’s normal. In fact, it’s a positive sign because it indicates you’re not only learning about the field you’re entering but also gaining insight into yourself. This self-awareness is crucial.

So, my approach was to list all the things I think I’d like to do:

1. Pentesting

1. Red Teaming

1. Exploit Development

1. Reverse Engineering

1. Security Researching

1. Application Security

I didn’t get the numbering wrong; it’s all exciting. However, reading the definitions or job descriptions for some of these roles can be quite confusing. They often overlap or complement each other, making it difficult to determine which one I like the most. For example, try getting a single, concise description of the difference between Pentesting and Red Teaming from more than two people. The same goes for Security Research and Reverse Engineering.

It’s not a perfect start, but let’s move forward. Now, let’s map this list to my skills and experience to see if we can arrive at a more precise outcome.

Let’s sort the list by the things I think I’d be able to learn quickly:

1. Pentesting

I consider myself a well-rounded IT professional with knowledge in sysadmin tasks, networking, scripting, and software development.

2. Application Security

Given my solid background in software engineering, I believe I would primarily need to focus on acquiring infosec practices.

3. Exploit Development

Although it’s different from AppSec, I believe I could do a decent job developing something, given my coding skills and experience. I would mainly need to focus on acquiring additional knowledge in areas like reverse engineering and deep diving into OS/kernel internals.

4. Reversing Engineering

I don’t think anyone focuses solely on that, so I’d likely combine it with Exploit Development. Of course, I could be completely wrong.

5. Security Researching

Well, wouldn’t I need to be proficient in all of the above?

6. Red Teaming

The fact that no two people can provide a concise definition suggests that either I’m asking the wrong people or it indicates that this role requires knowledge and experience across all of the areas mentioned.

At this point, you may have a clearer understanding of your goal and might want to refine it further. For me, however, writing down those two lists highlighted how little I know about this field. I’m also nearly certain that there are many more areas and roles in offensive security that I haven’t encountered yet. This leads me to one conclusion: if I’m serious about this, I can’t do it on my own. I need to seek guidance and obtain a solid education. It’s time to divide the plan into two parts: upskilling and transitioning. Let’s start with the upskilling plan.

How do I get up to speed with all things related to offensive security? A quick Google search reveals a few insights:

– Almost no one considers getting a degree specifically in infosec. Even for younger individuals, a general CS degree is often recommended, with a pivot to infosec later.

– Certifications in infosec are highly significant. Initially, I thought they might just be a trend, but further research shows that certifications are crucial for employers in this field. Although you might think that these certifications are mainly for defensive roles, I’ve learned that this is not the case.

It appears that certifications are very important and, in some cases, even more critical than having a relevant degree in offensive security.

There are many certifications to choose from, but with some research, you can categorize them into a few groups:

– Entry-Level: Basic certifications to get started (e.g., eJPT or CEH).

– Advanced: More specialized and challenging certifications (e.g., eCPPT).

– Industry-Standard: Highly regarded, prestigious certifications that are often seen as major achievements (e.g., OSCP).

Before I continue, a few words of caution:

First, there are many more certification options available, so you should research and choose what’s best for you.

Second, what I’m about to describe is subjective and pertains to my own situation. I’m not claiming that my approach is the best, but it was the best for me. I’ll outline my thought process in selecting my first certification, and I hope it will help you make your own decision as well.

At this stage, my focus is on learning as much as possible, rather than just collecting certifications for my CV. Initially, I considered starting with the easiest certification and working my way up to the coveted OSCP. However, during my research, I discovered that certification bodies offer comprehensive study and training plans for their courses. This led me to reverse my approach: instead of starting with the easiest certifications, I decided to tackle the most extensive and challenging one first. My only guideline was to ensure I met the prerequisites before enrolling.

Since I could afford it and met all the prerequisites, I chose to pursue the PEN-200: Penetration Testing with Kali Linux course and the OffSec Certified Professional (OSCP) certification. This required a leap of faith that the requirements were accurate and that the training materials would adequately prepare me. The next thing I knew, I was a Learn One subscriber at OffSec—OSCP here I come!

I also hoped that this training would provide me with a broad overview of other areas in offensive security and guide my next steps in further education and certification. Ideally, it would help me begin the transition phase by either shifting roles within my organization, finding a part-time internship, or joining a Bug Bounty program.

To summarize, based on my research and current understanding, the first step I should take is to complete my OSCP. Along the way, I plan to address the following questions:

1. What different areas of offensive security are available?

2. Which of these areas interests me the most?

3. What roles are associated with my area of interest?

4. What are the next steps for upskilling in this chosen area?

5. What other relevant areas might be worth exploring?

*Disclaimer

In this section and the next, I’ll focus on OffSec certifications, as these were my choices and I wholeheartedly recommend them. However, I encourage you to conduct your own research and select the certification provider that best aligns with your goals and expectations.

1. What different areas of offensive security are available?

Based on what I’ve learned so far, I wasn’t too far off when I initially listed the areas of offensive security. However, I’ve realized a few important things that I’ll discuss below:

Pentesting is very broad and can be divided into several areas, including web, application, system (such as Linux or Windows administration and Active Directory), IoT, network, physical, and social engineering, among others. As a pentester, you need to be well-rounded across many of these areas. However, there seems to be a distinction between IT-focused testing (web, network, etc.) and social engineering (physical, people).

For example, in an external pentest of a company, if you are given initial information such as a website URL, you need to navigate the network and web to properly enumerate the target and gain a foothold. If the web-based attacks fail but other services are running on the host, you would need to enumerate those services and find exploits to gain access. Suppose you find an exploit that is a proof of concept for a binary application with a buffer overflow vulnerability running on Windows. You would need to modify the exploit, which requires knowledge in binary exploitation, reverse engineering, and exploit development.

This example illustrates that pentesting often requires familiarity with multiple areas of offensive security, although specialization in one area is also common. Other areas, such as web pentesting, application security, or reverse engineering, can be utilized within pentesting or pursued as standalone activities. For instance, a security researcher focused on discovering zero-day vulnerabilities would need to master reverse engineering and exploit development.

2. Which of these areas interests me the most?

Since the distinctions between different areas of offensive security are often unclear and frequently overlap, the answer to this question may not be straightforward. That said, I’ve thoroughly enjoyed working through the PEN-200 labs—sometimes dissecting them with ease, like opening small cans of tuna, and other times spending days in frustration without making progress. It’s the latter experiences that teach me the most. Despite the challenges, I’ve developed a deep passion for binary exploitation and absolutely love it.

3. What roles are associated with my area of interest?

I think the most fitting role for someone focused on binary exploitation is that of a Security Researcher. Essentially, this role involves examining systems to identify vulnerabilities. Although it might sound similar to a pentester, there are key differences. A pentester assesses whether they can access a system and how, such as by identifying vulnerabilities or misconfigurations in various services and exploiting them. They often use a black-box approach, testing services without prior knowledge, and if they don’t find anything, they move on.

In contrast, a Security Researcher is more specialized. They focus on a specific system, which doesn’t necessarily need to be in use by a customer. They analyze the code (in a white-box approach) or thoroughly investigate it by injecting various inputs or reverse engineering it to uncover potential vulnerabilities. This method can lead to the discovery of new, previously unknown vulnerabilities, known as zero-days. Each new vulnerability receives a CVE number, which can be considered a significant achievement—a sort of trophy for the researcher and a way to build an impressive portfolio! :)

4. What are the next steps for upskilling in this chosen area?

At this stage of my upskilling, I’m inclined towards a Security Researcher role. I find the idea of researching new vulnerabilities in software particularly appealing. Given my background in software development, I’m confident in my ability to navigate and understand code. There are various types of security research I could pursue, even within the software itself. For example, I could focus on web applications or delve into binary applications.

From my OSCP training and subsequent experiences, I’ve developed a strong interest in binary exploitation. I’m fascinated by the process of finding a crash in an application, whether on Linux or Windows, which leads to binary exploitation, such as exploiting buffer overflows. I’ve enjoyed attaching a debugger and analyzing assembly instructions to understand the developer’s intentions and how to exploit them.

However, my knowledge and experience in this area are still quite limited. While I am comfortable with software, I have much to learn about other aspects, like reverse engineering. Despite this, my experiences so far have confirmed that this is the direction I want to pursue. To get started and gain practical experience, I plan to sign up for EXP-301 and WEB-300 to earn the OSED and OSWE certifications, respectively.

5. What other relevant areas might be worth exploring?

Reviewing EXP-301 and WEB-300 made me realize that pursuing these certifications will not only help me develop my skills in security research and reverse engineering but will also provide a solid foundation in exploit development.

Knowing myself, I tend to be drawn to challenging areas—like Security Research, Reverse Engineering, and Exploit Development—to the point where it sometimes clouds my judgment. I find myself questioning whether I am truly passionate about the process or simply motivated by the difficulty and the reward it offers. Despite this, I am committed to becoming a well-rounded pentester with a specialization in reverse engineering and exploit development. Combining my passion for software development with my new interest in offensive security feels like the perfect fit. I’m fully invested and excited about this path!

As I mentioned before, the offensive security community is incredible, and it’s absolutely essential for your growth. Hacking is challenging, and you’ll need support along the way. While there are many places to find help, from my experience, the best resources are the IRC and Discord servers maintained by your training providers. I personally found immense value in being a member of the OffSec and Infosec Prep Discord servers. Additionally, the OffSec Twitch streams led by S1REN were extremely valuable to me. Fun fact: when I began my transition, OffSec streams were hosted on Discord, where you could also join the call and chat with others. Those were great times.

One of the key actions that significantly accelerated my transition and helped me land my first offensive security job was putting myself out there. 

What does that mean? 

It means telling everyone about your goals—your family, friends, coworkers, and even your boss or higher-ups (especially if you want them to support your training). Share your progress and document your journey on social media. This serves two purposes: a) it makes you accountable, and b) it shows potential employers your commitment and dedication. Initially, I was skeptical about this advice, but it was consistently recommended by everyone I spoke to in the infosec community. Despite the recent hype around hackers, the community remains relatively small, and it feels like everyone knows each other. If you work hard and actively engage with the community, you will get noticed.

There are various ways to transition into offensive security, and I consider myself fortunate to have had the opportunity to explore several approaches. However, due to external factors, many of these methods didn’t work out for me. Here’s what I tried:

a) Expanding Responsibilities at the Customer Site

I worked as a contractor for an organization and hoped to leverage my offensive security skills there. I made an effort to spread the word and expand my duties internally. However, the organization’s security posture, both technically and culturally, was lacking. As a result, there was no opportunity to introduce or integrate any information security practices, let alone offensive security.

b) Pivoting Internally within the Company

Given that my immediate work environment was not conducive to infosec, I tried to pivot internally within my organization. I sought positions at different customer sites serviced by my employer. While there were many opportunities in infosec within the company, they were all based in the U.S. and required specific security clearances—an obstacle for me as a European.

c) Exploring External Opportunities

After exhausting internal options, I started looking outside the company. I considered moving into a completely new environment, outside my previous business domain. However, this proved challenging due to salary expectations, as my prior experience didn’t align well with the new roles, leading to the prospect of starting as a junior with a significant pay cut.

d) Be Patient

Ultimately, because I was open about my aspirations and desire to transition into offensive security, I was offered a position with another company in the same business area. This move allowed me to avoid a significant pay cut and enabled me to start pursuing my passion in offensive security from day 1.

Overall, it took me about two years from the moment I decided to change careers to secure a position in offensive security. It required hard work and a lot of dedication, but the reward has been priceless. Do what you love, and things will be fine.