Summiz Summary

How I Earned OffSec’s Certs In One Year

Summary

OffSec



☀️ Quick Takes

Is this live stream clickbait?

Our analysis suggests that the live stream is not clickbait because multiple parts directly address how the speaker earned OffSec's certs in one year.

1-Sentence-Summary

Muhammad Fidel Khed's journey through earning all Offensive Security certifications in one year showcases the critical importance of persistence, a deep understanding of cybersecurity concepts, and a balanced approach to learning and professional growth in the field of pentesting.

Favorite Quote from the Author

If you can write an exploit for something, then you understand that thing to the zeroth level, as deeply as a human being can understand something. You understand that thing, even if it's a really, really small thing, and that feeling just feels so amazing.

TL;DR

Muhammad shifted from game hacking to penetration testing, emphasizing persistence, problem-solving, and a 'try harder' approach. He completed multiple OffSec certifications in a year, highlighting the importance of understanding tools, building relationships, and continuous learning in cybersecurity.

Key Ideas

  • 🎮 Muhammad transitioned from game hacking to penetration testing, driven by passion and a desire for growth in offensive security.

  • 🛠️ Exploit development requires deep knowledge of reverse engineering, system internals, and error message comprehension.

  • 🔑 Persistence and problem-solving are key in cybersecurity, with all skills being transferable across different areas.

  • 💪 The 'try harder' methodology is essential for learning in cybersecurity, where failure is embraced as a learning tool.

  • 🔍 Understanding the mechanics of tools and attacks is crucial for effective penetration testing and adapting to different scenarios.

  • 🧠 Burnout is common, but taking breaks and learning new things can help manage it. Accepting limitations is key to career focus.

  • 📊 Pentesting is not just about finding vulnerabilities; it involves consultancy and providing actionable insights to clients.

  • 🤝 Building relationships in pentesting is important, especially when no vulnerabilities are found, to discuss findings and best practices.

  • ⏳ Completing multiple OffSec certifications in a year is possible with dedication, even amidst personal challenges and minimal sleep.

  • 🔗 API pentesting is closely related to application pentesting due to the prevalence of API vulnerabilities.

  • 🤖 AI and machine learning in pentesting are evolving, with many vulnerabilities still being explored.

  • 📚 Continuous learning is essential in cybersecurity, even for experts, to avoid burnout and stay updated.

Conclusion

Burnout is common in the field, but managing it through breaks and accepting limitations is crucial. Pentesting involves consultancy beyond just finding vulnerabilities, and API pentesting is closely tied to application pentesting.

📃 Live Stream Mini Summary

From Game Hacking to Penetration Testing: A Passion-Driven Journey

🎮 Muhammad’s journey into cybersecurity began over a decade ago with game hacking. This early interest led him to programming and eventually to the bug bounty community in Egypt. His passion for offensive security grew as he realized how challenging and rewarding it was. Initially, he didn’t see it as a career, but once he discovered job opportunities in Egypt and globally, he decided to pursue it professionally. As he put it, "working on something you love will make you better at it."

The Depth of Exploit Development: Reverse Engineering and System Internals

🛠️ Exploit development, according to Muhammad, is like the next level of hacking. It requires a deep understanding of reverse engineering and system internals. He emphasized that to develop exploits, one must first learn how to reverse software or hardware, which is no easy task. Muhammad spent over two months studying for the OffSec Exploit Developer (OSED) certification, facing numerous challenges but ultimately mastering the material. He described the process as "extremely challenging but very fun."

"If you can write an exploit for something, then you understand that thing to the zeroth level."

Transferable Skills: Persistence and Problem-Solving Across Domains

🔑 Muhammad believes that all skills in cybersecurity are transferable. Whether it’s network penetration testing, web application testing, or even telecom security, the core skills of problem-solving and persistence remain the same. He highlighted that his experience in various domains helped him tackle different challenges, and the methodologies he developed in one area often applied to others.

The Try Harder Methodology: Embracing Failure as a Learning Tool

💪 The "try harder" methodology is central to Muhammad’s approach. He emphasized that failure is part of the process and that learners should not shy away from it. Instead, they should embrace it as a tool for growth. He often found himself stuck, especially during the OSED course, but he would take breaks, change his perspective, and return to the problem with renewed focus. His advice: "Do not give up early, but also don’t let frustration take over."

"When you solve a challenge without knowing the solution, your mind will focus on solving the problem instead of finding the easiest path."

Understanding Tools and Attacks: The Key to Effective Pentesting

🔍 Muhammad stressed the importance of understanding the mechanics behind the tools and attacks used in penetration testing. He warned against simply running tools without understanding what they do. For example, knowing how a tool like Hydra cracks passwords is crucial for adapting to different scenarios. This deep understanding allows pentesters to adapt to any situation, even when tools fail or are unavailable.

Managing Burnout: Breaks, Learning, and Accepting Limitations

🧠 Burnout is a common issue in cybersecurity, and Muhammad is no stranger to it. He manages burnout by taking breaks and learning new things, which helps him regain his energy. He also emphasized the importance of accepting your limitations and not pushing yourself too hard. "It’s okay to take a break and come back with a fresh perspective," he said, adding that learning something new often helps him overcome burnout.

Pentesting as Consultancy: More Than Just Finding Vulnerabilities

📊 Pentesting is not just about finding vulnerabilities; it’s about providing value to the client. Muhammad explained that even if no vulnerabilities are found, the pentester’s job is to offer actionable insights and best practices. This consultative approach ensures that the client still benefits from the engagement, even if no major issues are discovered.

"Pentesting is more like consultancy. You consult your customer, even if you didn’t find any vulnerabilities."

Building Relationships with Clients: The Importance of Communication

🤝 When no vulnerabilities are found, it’s crucial to build relationships with clients. Muhammad emphasized the importance of discussing the findings and best practices with the client, ensuring they understand the value of the pentest. This communication helps maintain trust and ensures that the client sees the pentester as a partner in improving their security posture.

Completing Multiple OffSec Certifications in a Year: Dedication and Sacrifice

⏳ Muhammad completed five OffSec certifications in just 10 months, a feat that required immense dedication. He balanced a full-time job, freelance projects, and family life, often studying from 11:30 PM to 4:00 AM. His weekends were entirely dedicated to studying and solving labs. His advice to others: "You can do it, but you have to be dedicated and invest a lot of your time."

"I finished all the certifications in 10 months, not a year. It was very hard, but I scheduled all my exams in advance and stuck to the plan."

API Pentesting: A Close Cousin to Application Pentesting

🔗 Muhammad sees API pentesting as closely related to application pentesting. Many vulnerabilities in web and mobile applications are actually API vulnerabilities, making it a critical area for pentesters to understand. He emphasized that API security is becoming increasingly important as more applications rely on APIs for functionality.

AI and Machine Learning in Pentesting: An Evolving Field

🤖 While AI and machine learning in pentesting are still evolving, Muhammad believes there is significant potential in this area. He mentioned that vulnerability research in AI is still in its early stages, but prompt injection and other AI-related vulnerabilities are already being explored. He expects this field to grow in importance in the coming years.

Continuous Learning: The Key to Avoiding Burnout and Staying Updated

📚 Muhammad’s final piece of advice is that continuous learning is essential in cybersecurity. Even after completing multiple certifications, he continues to learn and solve challenges. He believes that no one is perfect in this field, and even the most experienced professionals are still learning. This mindset helps him avoid burnout and stay updated with the latest developments in the industry.

"Everyone is still learning. Even the big researchers are still learning. It’s a journey, and you have to take your time."
