How to Get Started in Cybersecurity

Caleb
8 min read · Sep 3, 2024

To give you a brief summary about myself, I currently work in offensive security, with previous experience in defensive security, software development, and IT support. This blog post aims to help those struggling to land their first job in cybersecurity or those simply curious about the industry. While the information I will be sharing is primarily focused on Canada, it can be relevant to other countries as well.

Please keep in mind that this is my personal view of the industry based on my experience. I encourage you to conduct your own research as well.

In Canada, there aren’t many cybersecurity programs available at community colleges or universities. I studied Computer Science at university, but Computer Science and Cybersecurity are distinct fields, much like Biology and Chemistry. If you manage to find and enroll in a cybersecurity program, that’s great. I’m sure there are excellent programs out there, but generally, these programs don’t make you career-ready professionals. They help you build fundamental skills and give you a feel for what you’ll be doing in cybersecurity.

I’ve worked with people who didn’t pursue higher education, those who studied something completely different like Arts, and those who took a master’s program in cybersecurity, and we all got paid the same. While having a technical background can be advantageous for building fundamental skills in cybersecurity, education does not have a significant impact on career success in this field.

Cybersecurity can be divided into offensive and defensive sides. The demand for defensive roles is significantly higher, and the barrier to entry for offensive security is steeper. While there are many specialized roles on each side, let’s focus on SOC analysts for defensive security and penetration testers for offensive security, as these roles have the most demand. More demand means more opportunities, and more opportunities mean a higher chance of getting the job.

If you’re new to cybersecurity, I recommend starting in defensive security, particularly as a SOC analyst. As a SOC analyst, you will be monitoring and analyzing endpoint behaviours and network traffic to decide if the activity is malicious or benign. There are different tiers among SOC analysts, but I believe it’s the easiest role to start with if you don’t mind shift work. Shift schedules vary by company, but to give you an idea, I worked 8-hour shifts for 6 consecutive days, followed by 4 days off. Holidays didn’t affect us, and the shift times rotated every 10 days: 7 am — 3 pm, 3 pm — 11 pm, and 11 pm — 7 am. Some companies have dedicated night shift teams. Having previously worked 24-hour shifts in a 3-man rotation in the military (24-hour shift, 2 days off, 1 day off if someone was on vacation, and repeat), I was happy with the work schedule. Getting 4 days off gave me plenty of time to study.

If you want to get into offensive security right away and lack CTF or bug bounty experience, consider pursuing the certifications I will discuss later in this post. However, it’s important to note that studying for these offensive certifications takes time. You will likely need at least a year, or even several years, to be ready to apply for offensive security jobs. If you can study full-time, go for it. Alternatively, starting in defensive security first and then transitioning into offensive security while studying part-time and getting paid from your full-time job is recommended. With intensive studying, you can be ready to apply for jobs in defensive security within a few months.

If you value work-life balance, it’s generally better on the defensive side. In a Security Operations Center (SOC), the workload isn’t too heavy unless there are incidents or breaches. On the offensive side, you don’t necessarily have to work crazy hours or do overtime, but you will need to invest a lot of personal time in studying to stay current and effective in your role. You might wonder, shouldn’t you learn everything during training? Not really. The team provides basic guidance and support when you get stuck, but you need to develop your own methodology for penetration testing and often figure things out independently. If you’re not comfortable with continuous self-learning, research, and working independently, offensive security might not be the best fit for you.

In penetration testing, you’ll essentially work as a consultant. Some companies even title the role as “offensive security consultant.” Your job is to find vulnerabilities and misconfigurations in client systems, demonstrate their impact, and provide solutions for remediation. Since every client uses different technologies, you will always need to study and adapt to new things.

Now that you have a basic understanding of what it’s like to work as a SOC analyst and penetration tester, the next step is figuring out how to land the job. While some people are skeptical about certifications, I believe they are an excellent way to demonstrate your suitability for the role. Certifications won’t teach you everything, and earning one doesn’t guarantee you’ll be career-ready. However, much like developers who work on personal projects, certifications can add valuable lines to your resume and showcase your passion for the field. Additionally, the right certifications can make you more competitive among applicants.

If I were to choose between a cybersecurity program from a community college or university and certifications, I would definitely choose certifications. First, there are not many good cybersecurity programs in Canada; second, certifications let you study at your own pace; and third, they are a much cheaper option.

So, which certifications should you pursue? With hundreds of cybersecurity certifications available, it can be overwhelming to choose. Paul Jerimy has created an excellent resource that maps out various cybersecurity certifications: the Security Certification Roadmap. To determine which certification is right for you, search for jobs by certification names on LinkedIn, setting the location to where you want to work. This will help you identify which certifications are in high demand in your area, allowing you to make an informed decision.

Generally speaking, CompTIA Security+ is a great choice. While I personally opted for the SSCP from ISC2, I’ve found through conversations with many professionals that Security+ can help you bypass the HR resume filtering stage of the job application process. Of course, you’ll need to demonstrate your capabilities during the technical interview, but if you’ve studied and passed Security+ and taken good notes, you should be well-prepared.

Once you become a SOC analyst and gain experience, you can consider leveling up a tier if you enjoy the job and shift work. Alternatively, you can study to take a more specialized path such as incident handling, malware analysis, digital forensics, engineering, architecture, threat hunting, purple teaming, research, etc. You can even transition into offensive security, also known as ethical hacking.

To get into offensive security, it’s important to choose a certification that includes a practical exam, not just a multiple-choice exam. These practical exams demonstrate that you are not only knowledgeable in the materials covered by the course but also that you have the “try harder” mindset and the ability to dig deeper and go above and beyond. This is the key skillset that employers are looking for in the offensive security field.

The OSCP from OffSec is widely regarded as the best certification for this. It requires you to compromise a set of machines within 24 hours while sharing your screen and webcam with a proctor. The OSCP is not an easy exam, and you will have to study outside the course materials to prepare for it. Additionally, the price for the OSCP course and exam is not cheap, currently at $1,649 (USD) at the time of writing. While some criticize OffSec due to its price, the value this certification brings is significant.

I should also mention that there’s a much cheaper and more realistic exam, the PNPT from TCM Security, where the vulnerabilities you will be exploiting are based on real-world situations (the OSCP is more CTF-like, meaning it’s more like a puzzle). TCM Security Academy has solid courses. This may change in the future, but currently most employers are looking for OSCP-certified individuals when hiring.

When you start as a junior penetration tester, you will most likely begin with web application tests. The demand for cloud security is definitely increasing, but the majority of the engagements will be on the web. While web application tests are not easy, network penetration tests can be overwhelming for someone who is just starting. There are many things you need to know in order to chain attacks, and every client environment will be different. For example, different AV/EDR solutions may be in place. Furthermore, you could potentially bring down systems, including critical systems like medical devices in hospital operating rooms. Additionally, OSEP (more advanced than OSCP) will only cover 20–30% of an actual internal network penetration test.

Besides the OSCP, another great choice would be the BSCP from PortSwigger. Although the BSCP has not yet gained widespread popularity and you may not find many jobs on LinkedIn that require it, PortSwigger offers the best web application testing course, and it’s available for free. You will need to pay $99 (USD) for the exam and $499 (USD) for Burp Suite Professional, the software you will need in order to take the exam; however, you can go through their course and learn about web vulnerabilities for free.

To give you an idea of where the role can lead: once you become a penetration tester and gain more experience, you can decide whether to specialize in web, mobile, networks, cloud, OT, crypto, exploit development, etc., or even pursue a more advanced role as a red team operator. There is a difference between penetration testing and red team operations. Red teaming simulates real-world attackers’ tactics, techniques, and procedures (TTPs) with the goal of achieving a specific objective, whereas penetration testing aims to uncover as many vulnerabilities as possible without necessarily considering stealth during the engagement.

If you are curious about how much you will get paid for each role in Canada, I can attest that the average base pay range for an entry-level SOC analyst is $51,000 — $74,000 (CAD), and for an entry-level penetration tester, it is $69,000 — $107,000 (CAD), as mentioned on Glassdoor.

Ultimately, certifications are an excellent way to demonstrate your suitability for roles in cybersecurity when applying for jobs. Security+ from CompTIA is a great option if you want to get started on the defensive side. For those interested in the offensive side, OSCP from OffSec, PNPT from TCM Security, and BSCP from PortSwigger are excellent choices. These certifications not only showcase your knowledge but also your commitment and passion for the field, making you more competitive among applicants.
