Path to Becoming an Ethical Hacker
Key Points
- The video explores how to prepare for and land an ethical hacking role, building on previous episodes that covered the job description and required tools.
- Patrick shares his personal journey: starting in college with help‑desk work, which gave him practical computer and customer‑service experience and early exposure to security issues.
- He then served six years in the Marine Corps, where involvement with Department of Defense information‑assurance teams reinforced offensive‑defensive mindsets and introduced military‑derived cybersecurity concepts.
- As he transitioned out of the military, Patrick leveraged the GI Bill to earn professional certifications and focused on targeted training to qualify for a career as an ethical hacker.
- The host emphasizes that while each path is unique, learning from Patrick’s blend of hands‑on IT support, military discipline, and formal certification can guide aspiring ethical hackers.
Sections
- Path to Becoming an Ethical Hacker - In the third video of the series, the host and professional hacker Patrick discuss how to prepare for an ethical hacking career, outlining Patrick’s journey from college help‑desk work to full‑time security consulting.
- From Pen Testing to Red Teaming - The speaker traces his progression from security analyst to penetration tester and finally to red team specialist, highlighting the specialization ladder and stressing that an inquisitive mindset is essential for ethical hackers.
- Balancing Bootcamps, Degrees, Certifications - The speaker explains that bootcamps, formal degrees, and certifications each add value to a candidate’s profile, but success hinges on mindset and strategically combining these credentials rather than relying on any single credential alone.
- Stay Curious, Master Terminology - The speakers emphasize that success in adversarial simulation requires a blend of theoretical and hands‑on knowledge, continual learning of evolving terms and concepts—especially AI—and a proactive effort to stay ahead of industry changes.
Full Transcript
**Source:** [https://www.youtube.com/watch?v=wLgdhrZMGKE](https://www.youtube.com/watch?v=wLgdhrZMGKE)
**Duration:** 00:15:24
- [00:00:00](https://www.youtube.com/watch?v=wLgdhrZMGKE&t=0s) **Path to Becoming an Ethical Hacker**
- [00:03:07](https://www.youtube.com/watch?v=wLgdhrZMGKE&t=187s) **From Pen Testing to Red Teaming**
- [00:07:58](https://www.youtube.com/watch?v=wLgdhrZMGKE&t=478s) **Balancing Bootcamps, Degrees, Certifications**
- [00:11:28](https://www.youtube.com/watch?v=wLgdhrZMGKE&t=688s) **Stay Curious, Master Terminology**
Welcome back to the third installment in this series on ethical hacking. In the first one, we
took a look at what is the job role in general. And then in the second video, we looked at what
elements go into the job: what kinds of things do you, if you're an ethical hacker, have to do, what
kind of tools and things like that. In this video, we're going to take a look at how you go about
getting a job, how do you, in other words, how do you get prepared for this. The kinds of things that go
into making you possibly able to be an ethical hacker like Patrick, who I brought along with me.
He does this stuff for a living. So, I want to start off, Patrick, asking you: What was your path
getting into this? Now, everyone's going to have a little bit different journey, so you don't need to
exactly map his, but learn from what his experience was. So, how did you get into this field?
What was your path? Sure. Uh, well, I'll skip over the first couple of years, coz maybe they're not quite
so relevant, but uh, I, um, started my sort of IT career when I was in college, working basically help desk
type of work. And that was really good because uh, it gave me a good background in working with you
know computers on day to day and also working with... with customers. Uh, then I joined ... I'm sure that also
showed you how things could break. You know, people are calling you in the help desk, hey, I... I can't get
into my system. And then maybe it's a hacking issue, or maybe it's not, but you got exposed to
both of those. It also gave me an opportunity to play around with how do I optimize this? Can I
improve it? Can I make it better than the way it was designed to be initially? And so it ... it gives you
a good background all ... you know, in every aspect. Sure. Uh, but from there I ... I decided to join the military. So,
I spent the next about six years in the Marine Corps. Thank you for your service. I appreciate
that. Um, and it was maybe uh, not quite so related to work, but I ... I had the opportunity to ... to maybe spend some
time with like DoD information assurance folks and get some background. So it was, you know, some
OJT, but basically uh, that was a little bit of a break in my overall IT career. Sure. And there's a
lot of carryover from the mindset of military is obviously about offense and defense. And
we're in the same kind of battle just analogously when we're talking about IT. So, I'm sure some of
the lessons learned in the battlefield and those kind of areas can also apply here. Absolutely. And
in fact, a lot of the ... the terminology we've used over these past couple of videos are things that have
been derived from the military. For whatever reason, cybersecurity loves to pull their
terminology a ... and concepts from, you know, military-type things. Yeah. So what did you do after that? So,
as I was getting ready to leave the military, uh, I started working on some certifications. I was able
to use my GI Bill to go uh, take a lot of training, which was ... was awesome, uh, but I got my first real
InfoSec job as a security analyst. Okay, gotcha. And what was involved in that? So, I ... I like to tell
people this was my, you know, let me say really my starting because it was very generic. It was a
jack of all trades. So we did everything from well, generic-type security assessments—so think
vulnerability scanning and ... and analysis—all the way up to IT audit and risk assessment. Okay, gotcha.
And then from there you end up here. That's right. Well, there was one more step. I guess you could
think of it as a continuing spec ... specialization. So, as a security analyst, one of the things that I had
an opportunity to do was penetration testing. Uh, and so, my next job was a ... uh, focused
purely on penetration testing. Yeah. Yeah. Okay. All right. So that's uh, an aspect of ethical hacking. And
then ... Definitely. So, after I spent some ... some, let's say, maybe seven years doing penetration testing, I
had an opportunity to move over to RED teaming, which is again, maybe just a further
specialization in ... in the overall field. Yeah, yeah. So, in fact, we talked about it in the other two
videos, a ... a triangle where it began with vulnerability testing, pen testing and then RED
teaming. And so now you're doing adversarial simulations and things of that sort. Okay, Patrick,
so that was your path. But what was your preparation? What kinds of things did you have to
do in order to get to this point in the first place? Uh, let's start off talking about sort of the
mindset, the aptitudes and things like that. What do you think are important about those that you'd
be looking for in an ethical hacker? Certainly. And you can imagine that we have people with lots of
different types of atti ... aptitudes and backgrounds. But overall, what I look for is someone who has that
inquisitive sort of ... of mindset. Somebody who maybe as a child was the type of person to take a toy
apart and maybe even put it together in a different way, so it would achieve some different
objective. Yeah, that was me as a kid for sure. Uh, everything I got, I wanted to know how it worked
and I'm still that way. I want to know how things work, and I think if you have that kind of
curiosity, that's going to be an important start. It's not sufficient, but it's a really good place
to start. I agree, and you tend to find that people who have that mindset are very passionate about
this type of work, tends to drive them to, you know, how they have to take the thing apart. I have to
know. And they'll ... they'll ... they'll keep going until they figure it out. Yeah. And I think also the
uh, mindset—again, I've ... I've made some, uh, some facetious comments about just joyriding and like, this thing
is a ... is a big video game. There is a lot of fun in this, but there's also a lot of work in this. And if
someone just thinks this is going to be like playing video games, they're going to be really, uh, sore
... sorely uh, disappointed. So, the mindset also has to involve having some discipline, uh, knowing
where the limits are, pushing those limits, but knowing where to stay on the side of those, ethics,
a lot of those kinds of things, uh being responsible and so forth. That's the reason they're paying you.
So, I think that's going to be cri ... critical here as well. Definitely. And, you know, we think about
uh, mindset. We ... We have to think about we're also on a team. So we have people who rely on us. Like you
said, we have to have a ... a deliverable; we're giving that to a client. That's what they're going to pay
us for. Uh, we also have to think ... you know, cybersecurity is ... is changing, is maturing and growing. And I once had a
friend told me uh, that probably one of the most fun things the human can do is exploit their uh, uh, uh,
So the first time you ... you actually accomplish that is very satisfying. But uh, that's getting harder,
you know. Computers are getting harder to break into and so you have to mature with it. Yeah,
absolutely. And I ... I like that idea of teamwork because the ... the image is often of a hacker of any
sort as this lone wolf just off doing their own thing, you know. It's somebody where they've got a
job where, you ... you know, you ... you close the door, you slide pizzas under the door, and then they give you code
out the other end or reports or whatever. Uh, that's not really how it works so much in the
real world. We've got to work as a team in order to ... to accomplish this stuff. You can pay me in
pizzas, but I suggest it's probably not the best approach. I ... I would agree. Uh, so how about in terms of
some of the other preparation. Do I need a college degree in order to do this? Not
necessarily. Uh, I, you know, what we really look for when we're ... we're finding our uh, someone to hire or bring on to
the team is: Do they have the true capability? Can they, you know, not just talk the talk? Can they
walk the walk? Can they show us that they can do the things that we need them to be able to do? Now, uh,
often we find that a degree does help; it's a very helpful sort of thing. Uh, my degree is in
business. Yeah. Uh, and I will tell you that uh, especially in the first 5–10 years of my career, when I
would run into really strong computer science guys, I was very jealous because they were so far
ahead of me on the power curve. So, it can ... it can certainly if you have this, it can advantage uh, you
toward it. So, for me, I did my degree in computer science. So I felt like I was, you know, well
trained in a wide variety of things. But again, the point is there's not one path, there's not one
single answer. You were able to go out and get some more hands-on skills earlier in your career
that were able to ... to supplement that and ... and make it so that you can do that. But I'm an adjunct
professor. So, I'm always going to say, yeah, a degree is important because I believe in that.
That's what I'm spending my time on. But that said, it's not for everyone. Some people do bootcamps.
Uh, what's your experience with ... with that? Do you think that qualifies someone? Not necessarily. I think it
goes back to the aptitude and mindset, which is, people who are very passionate and drawn to this
type of work, the people who like to take things apart. They can use bootcamps to teach them core
skills that they can use to make them very effective. But the ... it's not just a supplement; it's not
a checkbox that will get you a job necessarily. Yeah. So again, each one of these things, I ... I ... think,
you have to look at them in total; they're all adding up. So a bootcamp could be a way, for
instance, to enhance your degree that you've already done. Or you could do it the other way
around where you start off with a bootcamp and you get some of the basics, you s ... get an entry-level job.
Then you want to move up, you want to get past the glass ceiling that might be blocking you, and
the degree helps you do that. So, you could do this in a number of different orders. Uh, another thing
that I think uh, hiring organizations are looking for are certifications. So, what ones of those
are particularly important, do you think, in this space? Sure. And you know, one thing I'll mention on
the certifications is it's a great way to show an employer that you do have some skill because it's
basically showing that you took a test and verified that you're capable of something. And
certainly, certain certifications are going to be more useful earlier in your career versus maybe
later on, but maybe some really well-known ones I would start off with would be something like
Network Plus. Yeah, Network Plus is ... is a good one that ... that's well known. And like you said, the point of
these certs would be to demonstrate to an employer who doesn't have time to ask you all the
things and find out what all you've done. But obviously a degree is one way of uh, providing a
credential for that. This is another. What are some of the others that ... that relate here? Another good one
is CCNA. So if you're familiar with you know, Cisco networking ... And just like Network Plus, I think
this is a really uh, cool one because it's not just saying, hey, I want to go learn how to hack; it's
saying, hey, I'm interested in understanding how this technology works at its core level, and I'm
actually capable of going and implementing it. Yeah, well, I've heard a ... a lot of people in this
space have is the Certified Ethical Hacker—Sure— certification as well. Yeah. CEH is a well-known
one that, um, you know, it gives you a good uh, shared uh, knowledge base and ... and language so that you can show hey,
I actually understand what these tools are, how they work, and maybe uh, how not to mayb ... maybe break a system by
using them. Yeah, sure. And how about this one OCSP? Uh, OSCP. OSCP. Yes.
Yeah. That's a ... that's a great one. This is the one that ... that I like because it's so hands-on and it
really focuses on can you actually perform these skills in a live environment. You actually need to
be, you know, to be able to demonstrate that you really understand these things at a fundamental
level. And it's also testing whether you're dyslexic or not. And—Ha-ha-ha!—so there's that. Uh, and then uh,
something else uh, would be we've talked about Network Plus - Security Plus. There's a lot of
people that can't get this ultimate cert in cybersecurity, the CISSP, which is kind of considered
the gold standard of certificates. But they don't, they're not really ready for that yet with ... in terms of
knowledge or experience. And there is a ... a five-year requirement for experience. But this cert can be
one that's uh, an entry level that leads you then to the CISSP. Definitely. And the ... the two things I would
say about these is uh, they're really great in that they give uh, you all the ... the terminology and concepts
that you need to sort of maybe move to the next step. So they give you the foundation you need.
Because one of the things that you may run into in interviews is, hey, do you understand this
concept or this terminology? If you've never heard it before, you're going to be at a loss. Yeah,
exactly. And it's interesting how some of these tend to be, you know, uh, a more hands-on and some of
them tend to be more theoretical and conceptual. But it's not that one is enough. You need to
really understand both if you're really going to succeed in this field. That's right. You can't
write the report if you don't understand the words. Okay, Patrick, you've reached the highest
level in your field in this area of adversarial simulation and ethical hacking. So, what kind of
advice, if you were able to go back into a time machine and talk to your younger self, what would
you tell yourself? Well, one of the key things that uh, I would always try to ... try to you know, impart to anybody,
particularly my younger self, is always keep an eye on what you need to know y ... next, because the
field is changing quickly and ... and um, it's hard to keep up sometimes. I'm sure you ... you've probably talked a lot
about AI over the past year or two. Um, you know, knowing what the ... what's coming around the corner
is a really key element to staying afloat in this industry. Yeah, I think so. You've got to stay
curious. You've got to keep learning. If you're comfortable, well, then h ... you're going to be
uncomfortable very soon. And AI is a really good example of that. When you see those new
technologies coming along, uh, don't say, uh, I'm not interested in that. When you see that light, you
want to run to the light, because guess what, the bad guys are going to be using this to try to
break in. If I'm going to defend against that, I need to understand it at least as well as they do,
if not better. Uh, anything else you would tell your former self? Yeah. Never be the smartest person in
the room. I like to surround myself with people who are more knowledgeable than me, so I can learn
from them and rely on them and make sure that we're, you know, moving uh, uh, forward together. Yeah, that ... that goes
to that element of teaming as well. And I think what is critically important is being a lifelong
learner. You don't ever want to say, I'm comfortable with this. Uh, again, I'm looking for
flexibility, I'm looking for curiosity, I'm looking for someone who enjoys learning. If you don't
enjoy learning, you're in the wrong field with cybersecurity, because this field is always moving.
But to me, that's what makes it really fun. I agree. Yeah. So, so, there's a little bit of advice
and, uh, you know, maybe I would tell myself to not wear that shirt that I used to have. Maybe get rid
of that, because that's not going to uh, hold up well. But anyway, there's ... there's a little bit. One more question
for you, Patrick, though. I just want to know, can you get me a job? Well, unfortunately, Jeff, I am
not in charge of the hiring. I'm not involved in hiring, so I can't actually help you out. Uh, however, I
would suggest you keep your eyes open. Look at places like LinkedIn, or if you want to come work
at IBM, check out ibm.com/jobs. Yeah, this is where we post all of the job postings at this company.
But there's a lot of jobs out there. So don't ... uh, don't just uh, ask a ... a stranger or someone that you
don't know for that. Build your ... your credentials and start working with people. Do internships. Do
things like that that put you in a place where you now know the people. You need to build a
network of people, and people that actually know you and have observed your work. They are the ones who
can serve as references for you. So, there's a lot of jobs happening out here and a lot of
opportunity in this space. The one thing the bad guys do is they never sleep, it seems. So they're
always creating new opportunities for folks like us. And that's ... that's quite a ... a gift. I guess we
should look at it as ... it one way. So, in this series—I hope you've enjoyed it—we've looked at the role,
we've looked at the job overall and some of the career advice that you can follow in order to
become an ethical hacker.