Last updated on 14 July 2021
A little while ago, I wrote a blog post called “So you want to be a pentester and/or red teamer?”. This post was pretty well received within the community. As it’s been almost a year and a lot has happened to me personally in the meantime, I figured it was time for a follow-up.
If reading non-technical blogs is not something you fancy, feel free to skip over this one. Otherwise, welcome!
You might say, who the hell is this guy, writing about personal branding, he isn’t famous, he does not have a blue checkmark on Twitter, why should I take advice from this random internet stranger? And you would be right, I am definitely not famous, nor am I the best in what I do, and I certainly do not have a doctorate in psychology or how to build meaningful relationships with people. You are right to criticize this post, I am merely going to talk about my own experiences here. It’s a bit of a “Dear Diary” situation, in the hope that it might prove useful to some people. If not, at least I tried ¯\_(ツ)_/¯
Without further ado, let’s dive into it, shall we?
1. Be curious, be willing to learn and surround yourself with like-minded people.
I have been in infosec for about 3 years now, this is not very long (in my opinion). However, I feel like I have been a sponge from day 1. This is an important aspect of succeeding in infosec. You gotta be willing to do the work, dive into the trenches of topics you really enjoy (infosec is HUGE, there are a ton of options out there). This will help you grasp advanced concepts better. Yes, you will probably fall on your face a few times, this is okay. Do not compare your success timeline to others, everyone is different. Rome was not built in a day, and guess what? Neither was Windows, Linux or macOS. The key takeaway is, once you figure out what your main interest is, identify some researchers in those specific fields. If you are like me and love Active Directory attacks and Winternals, people like Nikhil Mittal, RastaMouse, Batsec, FuzzySec, The Wover, EthicalChaos, Cneelis, hexacorn, … and countless others are probably people you wanna keep an eye on.
Once you have digested some (or all, if you are brave enough) of the research people did, do not be afraid to recreate something. For example, you see PrintNightmare in Python? Try recreating it in Nim or C or C# or literally any language you want. More of a blue-minded person? See if you can perhaps contribute to the community by creating some cool YARA or Sigma rules, figure out new ways to identify improperly guarded C2 servers, … The world is your oyster.
If you are working on something cool, dare to ask questions! Most researchers are pretty approachable, and will certainly help out if you are working on something serious.
2. DO engage in the community
The internet is huge, and there have never been more options to socialize with like-minded people. Building out a network can be scary, but it all starts with “putting yourself out there”. Join the Bloodhound gang Slack, trustedsec’s Discord, BCSecurity Discord, BlackHills Discord, Porchetta industries Discord, seriously there are like a gazillion Discord and Slack channels out there. Chances are that there will be people there that want to talk! It does not always have to be tech, it could also be cooking, <insert red/blue/purple> team fit, news, …
Another cool thing to do is to volunteer for conventions! People appreciate volunteers and it will certainly get you some good karma points and some interesting conversations down the line.
3. DO create content!
Creating content is probably the #1 best way of getting noticed. Again, the internet is huge, and the possibilities are endless!
If you don’t feel like putting your face on the internet, write a blog!
If you feel like you are a good speaker, make a podcast!
Feel like you know a lot about a specific topic? Write a book about it!
Do you like video stuff? Create a YouTube channel!
No matter what you do, creating content will help you build out a personal brand, will get you noticed, and might help people.
4. DO attend trainings/cons
If your employer (or your own pocket?) can stomach it, another great thing to do is to attend training and/or conferences. People often think that attending training is about gaining knowledge about specific topics and, although true, it is also a (somewhat hidden?) opportunity to expand your network with interesting people!
Liked a talk? Try to talk to the presenter afterward!
See a person wearing a funny/witty t-shirt/hoodie you like? Compliment them!
Seeing people all alone and a bit lost? Go talk to them! I am sure they will welcome you with open arms, as they are probably like you, just trying to have a good time.
There is this cliché that tech people are socially awkward, help us get rid of this cliché! This does not have to be the case at all!
A REALLY good way to network is by being a facilitator for SANS. Not only will that result in a discount on your course, it will also help you be in direct contact with the instructor. What is cool about SANS is that you also will have a chance to participate in a CTF at the end of the course. Usually, this is a team effort, creating, once again, an opportunity for you to form bonds with like-minded people.
Alright, now I have talked about things you should do, but there are also some things you should NOT do, as it will negatively impact your personal brand, and create the opposite effect of what you want to achieve.
1. DON’T be a d*ck.
This is the number one rule to remember. Yes, the internet is “anonymous” and it can reduce the social threshold to trash-talk someone significantly. Just remember that on the other side of that screen, there is a person (with feelings!). Treat others like you want to be treated yourself!
2. DON’T have an ego.
Admittedly, this can be a “hard” one, because the #1 method of communication over the internet is text, and it is hard to transmit emotion over text, which can lead to misinterpretation of what you are trying to say. You can be proud of your accomplishments, and you probably should be. But there is a line between being proud of something, and just shoving it into everyone’s face at every opportunity you get. Just remember, there is probably always someone better than you. Remain humble, no one likes a show-off.
3. DON’T be pushy
Remember that I said to reach out to people and ask questions? Well, respect people that are indicating that they currently do not have the time. People have very different lives, it does not necessarily mean that that person is a d*ck, it could just be very well the case that they indeed simply do not have the time to deal with you right now, and that is okay. Patience is a virtue, albeit that it can be difficult to have patience (trust me, I know ;P)
4. DON’T steal people’s work without giving them credit.
Seriously, it is uncool, please refer to #1.
If you love what you do, and are nice to others, good things will happen to you eventually.
Do not get discouraged if things go sideways, do not quit when things get hard.
Persistence is key, and if you carry on through the hard times, you are bound to be successful eventually. If you can, help less fortunate people than you, tutor someone, pass on knowledge. A wise friend of mine has said to me multiple times: “knowledge is useless if you cannot pass it to people”.
Thanks for this interesting article Jean-François! I am just starting to learn in cybersecurity and this is definitely going to help me.