Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
It is from a
property project for acquiring
skills and potential to learn.
SPEAKER_01 (00:06):
Welcome to the
Security Chipmunks Podcast,
where we keep chipping away at it.
I'm your host, Edna Johnson, and I'm here with Phillip Wylie.
Welcome, Philip.
Tell us about yourself.
SPEAKER_00 (00:17):
Thanks, Edna.
It's an honor to be joining your podcast.
I appreciate you uh inviting me to be on.
And for the listeners, pretty soon your episode of my podcast
will be coming out.
SPEAKER_01 (00:27):
So yes, I am really
excited about this uh podcast
crossover episode.
SPEAKER_00 (00:34):
Yeah, that's one of
the things, one of the things
for folks out there that are into content creation,
collaboration is one of the best things that you can do.
And and collaborations can take different forms, but the kind of
collaboration I think that's that's very advantageous is
trading being on other people's podcasts or YouTube shows and
(00:55):
stuff.
So I think it's it's a really good way to get exposed to
different audiences.
Sometimes there's some crossover, and then sometimes
there's some cases that you get introduced to some people that
you otherwise might not have.
SPEAKER_01 (01:09):
Yeah, absolutely.
And it's a good way for us to network and uh share information
with each other's audience.
So very glad to have you on.
SPEAKER_00 (01:19):
Yeah, good to be on
this.
And to I kind of detracted from what you asked.
So for the for the listeners, uh, my background is in
offensive security.
So I've worked as a pen tester for over a decade, uh, been in
cybersecurity for over 22 years.
And prior to getting into cybersecurity, I spent six years
as a system administrator in IT.
(01:41):
So one of the things that I like to share with anyone that's
trying to get into security is that knowledge that you pick up
and skills and experience that you get in things like IT,
different areas of IT, even help desk, is helpful when you get
over to cybersecurity.
SPEAKER_01 (01:59):
Yeah, absolutely,
for sure.
The knowledge that you build up as you're uh going through your
journey and and taking up jobs leading up to cybersecurity,
they really help you when you get into the career.
Um so when you were starting out, what what are uh some of
the ways that helped you break into uh pen testing?
(02:22):
I know that's a very exciting field, and a lot of people want
to get there.
So, how how do people do that?
SPEAKER_00 (02:29):
So, how I did it,
and it's and it's gonna be
different for it for everyone.
I want to also preface it, preface my path to meaning you
don't have to be doing this for X amount of years.
You don't have to follow my exact path.
Because whenever I got into pen testing, it was kind of a rare
job.
There weren't a lot of pen testing roles, and especially
(02:51):
when I got into cybersecurity, so I started out as a sysadmin,
spent the first six years as a sysadmin, and that was very
helpful in uh experience for me because I gained knowledge and
hands-on experience with Windows servers, Linux, uh networking
systems.
So all that information was very helpful.
So once I become a pen tester, all the sysadmin skills gave me
(03:16):
a big uh boost to help me learn the skills.
Because one of the things I always tell people is you need
to learn the basics because if you ever get a shell or command
line access to a Linux or Windows system, if you don't
know the command line, you might be able to get through it, but
you're gonna be doing a lot of Googling and now uh using
whatever ChatGPT or whatever to figure out what you're doing.
(03:38):
You need that base level of knowledge.
So uh for me, I started out IT, moved into the Blue Team side.
So my first year and a half, I was in security, I was doing
firewall stuff, I was managing intrusion detection systems.
I was also uh doing risk assessments and vulnerability
(04:02):
scans.
I was working in this financial institution and they hired a new
CISO.
When this new CISO came in, he had a more modern idea of the
way things should be done.
So he split us up into different silos instead of everyone doing
the same thing.
And fortunately for me, I got put on the AppSec team.
There were two of us on the AppSec team, so we were doing
(04:23):
vulnerability scanning, and I managed the third-party pen
tests because we would have pen tests done, and I would work
with the consulting companies during those pen tests as well
as work through the remediation.
So I got interested in pen testing from that.
And when I got laid off in 2012, so I got my first security job
January 2004 within the financial institution I worked
(04:47):
for.
And then by the time I got laid off in 2012, I applied for a
role at Verizon for a consulting role as a pen tester.
And so that's kind of how how I got into it, but it was
leveraging this experience.
And when I say you don't have to follow my exact exact path, I
had students when I used to teach at Dallas College, teach
pen testing.
(05:07):
I had a student come in first week and he said, I want to be a
really good pen tester, and but I want to get there sooner than
you.
Can I do it?
And I said, Yeah, it's just more time and effort you put into
things, the quicker you can learn.
So you're not really limited to someone else, what they they've
done.
And about the second week, he comes back in and says, Do I
(05:28):
have to read the book to the the textbook?
And I said, Well, not necessarily.
That just means you've got to spend more time in the labs
getting the hands-on experience.
But that's kind of how I did it.
So you really need to really work on getting that fundamental
IT skills because that's gonna help you across all sorts of
areas.
So if you were working in network security now, uh you
(05:50):
hear it referred to as IT operations or security
operations, you're gonna need to understand networking and
operating systems to be able to configure firewalls.
So that basic knowledge you gain is very helpful.
And one of the things I like about security compared to IT is
say, like, you're a database administrator and you decide now
(06:12):
that you want to be a Cisco network engineer, that's a total
retrain.
You're probably gonna have to, you'd be lucky if you don't have
to take a pay cut to be able to learn that new skill.
And then there's gonna be you have to learn all these new
skills.
But with pen testing or other areas of security, say like you
came in from the GRC side and you were familiar with doing IT
audits, that auditor mentality is gonna make you a better pen
(06:36):
tester.
So you're able to leverage those skills.
You may have to take a lateral going into that role, but the
skills you have are not lost.
You've got things you can build upon.
There's unique perspectives that you may have over uh veteran pen
testers.
So all those skills that you gain across other areas work.
So it's not like a complete washout and retrain, or you have
(06:59):
to take a huge pay cut.
When you've got those skills, it's helpful.
And then when you look at being a consultant, uh, some of the
roles I've had, especially like at AT&T, we were able to do
digital forensics as well as pen testing, but I enjoyed pen
testing so much, and I was always worried that I'd be taken
away to take care of incidents, you know, investigating
(07:21):
incidents, breaches, and I thought I'd get pulled off on
that and I wouldn't get to pen test.
I like pen testing.
I'm not ready to move on to something else.
But the opportunities there were amazing.
I had the opportunity to uh do like a secure SDLC software
development lifecycle review.
I'd never done that before, and our practice lead uh pointed me
(07:43):
in some directions of some good uh resources for secure SDLCs,
and I studied up on it and I did my first secure SDLC review.
So when you're working in consulting, some companies are
small enough that you're able to work across several different
silos, you're not stuck in just one area and you get the
(08:05):
opportunity to learn differentthings.
So all of a sudden, now if you were someone with a GRC
background, then that's gonna be helpful too because you got dual
purpose, you're not just pen testing.
SPEAKER_01 (08:16):
Oh, yeah, that is
fantastic information.
Um, so in there you mentioned that uh your student uh asked
about having to read the book.
Well, was that The Pentester Blueprint?
SPEAKER_00 (08:31):
No, it's actually
the the the uh class textbook
because the textbook was at that point we would we'd moved on to
the the PenTest+ book.
And one of the things I always try to do is I I feel like you
should be honest with people, but sometimes I think as
mentors, we need to be open-minded and encouraging
(08:53):
first and not really try to discourage people.
And when he came up that that second week and he says, Do I
have to read the textbook?
I'm thinking, Yeah, you wanted to be really good.
Now all of a sudden you're trying to you're saying, I don't
want to do this or or do that.
Can I still succeed?
But the cool thing was by me not discouraging him and telling him
(09:15):
I didn't think he had what it took because if he's not really
willing to put into work, I just supported him and he turned
around.
Uh, it was within a year later or something, he landed an
internship as a pen tester.
The thing about it was he wasn't like the best high-skilled
student.
(09:36):
Okay, but the thing was is he had the belief in himself and he
applied for this pen test internship.
So that's one of the things as mentors, we need to encourage
people and not discourage people because sometimes people will.
I've got I know veterans in the industry that have been in, you
know, around the same amount of time I've been in or longer, and
(09:56):
they're just so intent on, yeah, you've got to start out in IT.
No, you really don't, because a lot of us had to start out in IT
because there weren't security roles when we got started.
They were very, very few.
Most people that have 30 years worth of experience or more, a
lot of cases came in through the government or something.
Really, the government was only when they had dedicated security
(10:17):
at one point.
So I really think when you're mentoring people, you need to
make sure to encourage them and not discourage because I could
have came back and told him, yeah, you need to read the book.
You know, if you really want to be really good, you know, we'd,
you know, think back to adults from our childhood, and you
know, you were asking for advice, and then you're trying
to say, well, I don't want to do this and do this.
(10:38):
You know, you'd get hard love sometimes when they say, if you
really want to do this, you have to do this.
And so I felt like nowadays we have to kind of communicate
differently.
And I think by me just supporting him, he had the
confidence and courage enough to go apply for a pen testing role,
and he landed a pen testing role.
SPEAKER_01 (10:58):
That's amazing.
Very happy to hear that.
And yeah, encouraging people is definitely the way to go and
allowing them the chance to grow.
Um, but I did want to ask about the the book that you wrote.
So you wrote a book about pen testing.
Um so that is I think it's been a few years now, but um
(11:22):
that's been such a um a staple in you know people's library
when they're learning pen testing.
Um do you think writing the book helped you in your career?
And and do you think it's still um something that that people
value today?
Uh are the concepts still like valuable in there?
SPEAKER_00 (11:46):
Yes.
And it's interesting because it come this coming November, it's
either November or December, we'll make five years that the
book's been out.
And so uh I think it's still valuable because the thing about
it is only things if I if I had to make any updates to it, some
of the things that will be updated would be uh certs have
kind of changed, certification recommendations I might make a
(12:09):
little bit differently.
One of the things that I recommended heavily back then
was to build a home lab, but I'm more of the mindset nowadays
there are so many online cloud-based learning uh
platforms and courses out there that I would focus on that.
If you really need experience with servers and networking, the
IT side of things, then building a home lab can be helpful.
(12:33):
But some of the caveats to building home labs, and this is
kind of like Georgia Weidman's book, because Georgia Weidman's
book uh that was like actually that was the what I use for my
textbook when I started teaching the class because her book came
out about 2014 or so.
But a lot of the vulnerable machines and labs wouldn't work
(12:54):
because technologies have been updated, and she had to put some
resources online where people could get the labs to work.
And so, one of the things about my book is really not
specifically uh teaching you setting up labs.
So the it's still relevant because it's teaching you that
you need the IT basics, some of the certifications, the things
(13:17):
you need to do to learn pen testing, the things that you
prerequisites you need before you start learning how to pen
test.
But kind of back to the lab thing, uh, I kind of started
recommending more cloud labs because another thing I took
from another experience I took from my own personal experience
was one of the things I used to do as a side hustle is I used to
have a business doing web design.
(13:40):
And when I hosted my customers' websites, I had a server at
home.
I would take my older hardware and that would become a server
because you're not running as many applications and you're
just running a web server, so it doesn't take as much resources.
So my old computer became my server, and I was hosting the
websites on it.
And one night I came home from work one night and I noticed the
(14:02):
websites were down, and the hard drive had died on my server.
The thing about it was I had all the source files and all the
images and stuff on my computer, my main computer, but I didn't
have an exact backup, so I had to go back, reinstall, put a new
hard drive in the machine, go in, reinstall all the websites,
(14:24):
set all that back up because I was hosting their email on that
server.
Uh the web server was on it, so DNS, everything was on that one
server.
So I got that back up and running, and I kind of learned,
well, I really need to find a hosting company because that way
I'm not spending time rebuilding a server, which I was working as
a sysadmin, so I had all the experience I needed building
(14:46):
servers.
So where I needed to focus my time is building websites that
was helping me build my business and make money.
And so that was a learning experience there that I've kind
of thought about in hindsight.
If someone's needing to learn pen testing, learning how to
hack, they need to spend that time and stuff like try the try,
like uh TryHackMe, Hack The Box, Antisyphon Training, a
(15:10):
lot of other great resources out there.
That's where you need to be putting your efforts in.
If you really need to learn the IT stuff, then you can build a
home lab and that type of stuff.
But those are some of the things that's kind of changed.
Some of the certifications out there that have changed is like
the PNPT and the uh the also TCM Academy's junior pen tester
(15:32):
certs.
These are good certifications, and they weren't around when the
book came out.
And there's some certifications out there that are kind of gone
away that were uh put on or hosted by other companies that
are kind of got bought out, and the names, titles of the
certifications changed, some of the certifications have gone
away.
So those are a few of the things that have really changed, and
that's one of the things I like about the book is it was the
(15:55):
things you need to get started in pen testing.
And this was based on my experience mentoring people that
wanted to get into pen testing.
I did that before I started teaching at Dallas College, and
the book is actually based on my lecture that I gave the first
day of class, which turned into a conference talk for our
B-Sides DFW, B-Sides Dallas Fort Worth, in November of 2018.
(16:18):
And then I gave that conference talk several times, and I was in
the Tribe of Hackers Red Team book, and Wiley Publishing asked
me if I had any ideas for books, and and I wanted to write a book
based on the Pentester Blueprint.
Excuse me.
But any rate, so I wrote the book and I wanted to help other
people.
And the reason that kind of motivated me that there needed
(16:40):
to be a book written on a subject, I was given this talk
so many times, and every time I gave it, there was always a lot
of people that had not heard the talk.
I was on the CFP review board for a conference, and one of the
things they were saying on the CFP review board, has this talk
been given before?
And I thought, we really shouldn't discount talks because
they've been given before, because people there may have
(17:03):
not had, maybe someone gave that talk at, you know, B-Sides
Orlando, but people here in Dallas hadn't heard it.
So you want just because it's been given doesn't mean not to
accept the talk.
And that idea made me think, you know, there's a lot of people
that still haven't heard my talk.
There are people they're not part of the cybersecurity
community or I'm not connected with.
(17:24):
So this information they may not otherwise find.
And I thought a published book in libraries, in bookstores,
online booksellers like Amazon, people can find that, that they
have no connection to cybersecurity.
I thought this is a good way to get the information out there.
For selfish reasons, I didn't think it was going to be making
(17:45):
that much money.
I didn't think there'd be a lot of money writing a book.
So my selfish reasons were professional brand, just to
build my own brand.
And it was a huge success.
I mean, a lot of people, when they see that you wrote a book,
they see that you're a subject matter expert, and it just lends
a lot of credibility to you.
So personal branding and just me being a subject matter expert,
(18:07):
it helped kind of emphasize that.
So it was huge for my career.
SPEAKER_01 (18:12):
That's fantastic.
I I'm I'm really glad to hear that because like I I know I
don't know if I knew about your book first or about you first,
but like I know that you've had a lot of success with that book.
Um and it's a great resource for people.
I definitely recommend it to people that are interested in
going into pen testing.
(18:34):
Um, so you mentioned your mentoring people and uh so for
those that are breaking into pen testing now, like what are the
patterns in people who are successful that you you notice,
or what are things that people can do to become successful in
in this uh career?
SPEAKER_00 (18:56):
I'm glad you asked
me that question because taking
uh an example from my class teaching at Dallas College, the
students that did really well were the ones that spent a lot
of time in the labs.
They really took the labs seriously, they really worked on
those hands-on opportunities, and those were the ones that
went on to get pen testing jobs.
The ones that didn't were the ones that really didn't put much
(19:18):
effort in the lab or much effort into the class.
But one of the things I saw, and this one of the things that also
saw too, is some people didn't get it as easy.
Maybe they weren't as tech savvy.
I had a guy in the class that's probably around my age, and this
gentleman would sit there and do the labs and go over them over
and over again to learn, and he learned.
(19:40):
So it's just a lot of uh repetition and putting in hard
work.
You put in the work and you get those hands-on skills down,
those are the people that are going to succeed.
If you skimp and try to take shortcuts, it's gonna be more
difficult.
But one of the things I've seen that's that has been huge in a
lot of successes of people even outside of the school is
spending a lot of time in labs doing like Hack The Box and Try
(20:03):
Hack Me.
Uh, I know people that were preparing for the OSCP that they
were just doing a lot of uh Hack The Box, and it made it a lot
easier for them to pass that exam.
So, regardless of what area of security you're going into,
make sure to get those hands-on skills because that's usually
where people don't get the roles, is because they don't
have hands-on experience.
(20:24):
If you can get your foot in the door to get that interview and
you're doing enough hands-on activities and doing enough to
educate yourself, you're able to answer some of those questions,
even regardless if you don't have real-world hands-on
experience.
SPEAKER_01 (20:39):
That that's an
excellent answer.
I definitely think that uh practicing is the the way to go
to build up your skills.
And the more hands-on keyboard experience you have, the better
off you are.
Um and you mentioned your your local B-Sides and other B-Sides
(21:00):
as well.
Do you think going to uh conferences and participating in
uh cybersecurity events around you is is helpful to people?
SPEAKER_00 (21:11):
Um that is very
huge.
I highly recommend it.
And one of the things we have to look at too, uh, I'm a big fan
of B-Sides because they're low cost to free.
Our local B-Sides has been going on, I think this is coming up on
the 11th year.
We're only like one year behind B-Sides Las Vegas, I believe.
So they started a B-Sides here rather quickly.
(21:33):
Uh, but those are really good because the nice thing is, like
I said, they're either free or low cost to attend.
People there that are that attend that are experienced and
stuff really love community and want to help others.
So it's a good way to find mentors, uh, people that you can
start a study group with, share information with, and and don't
(21:56):
leave it just to the conferences because if you have you may have
a local B-Sides, you only get to attend that once a year.
Find like your DEF CON groups, your OWASP groups.
Uh you have hackers associations in Dallas.
We have Dallas Hackers Association, which was inspired
by Austin Hackers Association, which inspired a lot of other
(22:17):
hackers associations.
And then OWASP groups, there's also your ISSA, ISACA, and some
of these more uh professional type groups.
But take advantage of those because thing I'd used to do was
when people would come to me looking for junior pen testers.
If I knew people in the community, I knew their skill
(22:38):
set, what they wanted to do.
When recruiters or companies would come to me for resumes, I
would include the resumes of some of the other people I knew
because I knew their skill set, uh, I knew what they wanted to
do, and I knew they were a good candidate.
So I'd pass on the resumes and I helped some of them get jobs,
some of their first pen testing roles because of that.
So when you're attending these meetups or these conferences,
(22:59):
don't be shy in the corner and not say anything.
Let people know who you are, what you're doing, what you want
to do in cybersecurity, some of the certifications you're
working on, or what you have, your educational background.
Share that information so they have some kind of idea about
you, and they're more than likely to refer to you or share
opportunities with you.
SPEAKER_01 (23:20):
Wonderful.
Thank you.
Uh, where can people find you online if they want to connect
with you?
SPEAKER_00 (23:26):
Probably one of the
best places is going to be
LinkedIn.
Uh, so just Phillip Wylie on LinkedIn.
Also, my uh my website, thehackermaker.com.
And on there you can find all the links to my social media and
also my YouTube.
And on my YouTube channel, I've got a playlist that's called
Ethical Hacking and System Defense.
(23:48):
And those are lectures for my classes at Dallas College, uh,
my pen test class lectures, so people can see that content for
free as well as they can find my podcast.
SPEAKER_01 (23:59):
Oh, wonderful.
That's a great resource.
Thank you for sharing.
Well, thank you for being on the show today.
And thank you, listeners, for joining us.
SPEAKER_00 (24:08):
Thanks for inviting
me.
SPEAKER_01 (24:09):
Yes, absolutely.
Um and listeners, please uh make sure to like, comment, and
subscribe, and we'll see you next time.