A technical guide for non-technical profiles or how to demistify a profession.
Nota importante: Esta guía está escrita en inglés a propósito. Si te cuesta leerla o diréctamente no la entiendes. Pausa tu aprendizaje y dale caña al idioma primero.
Hello there! Let me introdce myself: My name is Xabier (Xabi) Iglesias but people usually call me by my nick Tretorn (Which i found a few years ago it is actually a registered trademark fml). I work as a cybersecurity engineer on grupo Coren, as a teacher on Universidad Nacional de Educación a Distancia and I have my own cybersecurity company called Celeiro Ciberseguridade. My main area of knowledge is binary exploitation (This guide will reflect on that fact a LOT) and even if im not an expert of any kind, im really involved in the field and enjoy sharing knowledge.
The purpose of this guide is to be a reasonable starting point for anyone interested in getting a job in the field. This is NOT a tutorial on how to hack but a practical reference to what you should learn over time. Just save it and check it every now and then, whenever you have a few hours available.
Cybersecurity is a field that is growing exponentially and it is not going to stop anytime soon. The demand for cybersecurity professionals is growing and the supply is not. This means that there is a lot of work to do and not enough people to do it. It is also not the worst field you could work on, i mean, this always depends on your personal preferences, but there are a few things that make it at least interesting:
- It is a field that is constantly evolving. There is always something new to learn and new challenges to face.
- You get to skip thoose anoying algorithms and data structures questions in interviews. You will be asked to solve a lot of problems but they will be more related to the field.
- You get to work with a lot of different technologies. You will be working with a lot of different programming languages, operating systems, hardware, etc. This means that you will not get stuck mastering an stack that will become obsolete in a few years.
- People is usually awesome.
- Salary is just better than programming.
- Hacking is probably the closest you can get to magic.
Important: This only applies to Spain!
The market is crowded by offers. You may expect to get about one request each day. (Yes, in this field, can reasonably expect to be the one who chooses the company from a pool of offers). You are expected to have at least three interviews before getting an offer. But the salary bracket will be told you by the phone straight up. Nobody wants to make you waste your time.
The salary bracket is the following:
- Crappy positions, internships, students: 20k-30k
- Junior positions: 30k-40k
- Mid positions: 40k-50k
- Senior positions: 50k-70k
- Lead positions: 70k-100k
You can add a plus of around 20k if the position is based on Madrid or Barcelona.
This is important usually companies will try to offer you the same bracket as a developer on the initial interview. This is due to the fact that a lot of cybersecurity roles are of new creation and they are not sure how to value them. Just negotiate and don't hurry. You will get a better offer.
A few perks that you should be able to get:
- Some kind of remote work
- Intensive work schedule (40h/week) 7am to 3pm.
- Days off for assisting to conferences
- Days off for attending to trainings
- Paid certifications
A few pleads and advices:
- Don't accept a position that doesn't offer to pay for certifications. This usually means that the company doesn't understand the role and you will end up stuck doing other tasks that are not related to your job.
- Please, try to identify your worth. Don't accept a position that doesn't fit your bracket. You will devaluate the market for everyone.
- Seniority is not a matter of years worked. With three years of experience you can perfectly be a senior. It is a matter of how much you know and how much you can do. Spain has a problem with this concept, but this shouldn't be your problem!
If you don't want a 9-5 (or 7-3) job, you can also consider the following options:
- Bug bounty hunting (This is a very interesting option, but it is not for everyone as you may spend a lot of time without getting any rewards)
- Freelancing (Really not recommended unless you have good communication skills)
- Working for a startup.
- Training other hackers.
Q: I don't have a degree, can I still get a job? A: Yes, absolutely.
Q: How much work do i have to put in? A: A lot, but way less than your average waitress.
Q: Is it really hard? A: From zero to advanced, not really. The curve is really mild but it gets exponentially harder as you advance from there. On the highest level it becomes as hard as any hardcore research field.
Q: Should i move to other country? A: Yes, you may get around it, but in the end the better option is to spend a few years in a country with a better market and then move back to your home country via remote work.
This is the plan that i followed to get my first job. It is not the only way to do it, but it is the one that worked for me. I will try to explain the reasoning behind each step. Anyway, there are a few questions that should be answered before starting and that will help you to fix your priorities:
Here we diferentiate between the following groups:
- Pre-university students.
- University (engineering) students (Bachelor's degree, master's degree, doctorate).
- University (non-engineering) students (Bachelor's degree, master's degree, doctorate).
- Professionals with technical background (formation or experience).
- Professionals without technical background (formation or experience).
First case, best case: Before starting this guide, spend one or two months completing the following checklist:
- Install any Linux distribution on a virtual machine. https://ubuntu.com/tutorials/how-to-run-ubuntu-desktop-on-a-virtual-machine-using-virtualbox#1-overview
- Learn how the basics of how to use the terminal. https://ubuntu.com/tutorials/command-line-for-beginners#1-overview
- Try to write simple scripts in python and upload them to github. https://www.learnpython.org/es/ https://docs.github.com/en/get-started/quickstart/hello-world
- Try to make an script that fetches data from any API that you find interesting and does something with it. https://www.dataquest.io/blog/python-api-tutorial/
If you are an student in a non tecnical field or a professional without technical background, you should also complete the checklist above.
This is basically: How much effort can you put in? How much time do you have? How much money do you have?
If you are currently working as a cashier making minimum wage, pretty much any decent offer will be light years ahead of your current situation. But you will also lack proper time to spend.
If you have family responsibilities, you will need to be a bit more secure about your capabilities before leaving your job for a career in a field that you don't master.
Try to spend less but higher quality time studying. And try finding Youtube channels that explain things in a way that you can understand and that interests you. You may spend dead time in your job watching them.
If you want to improve your salary, work less hours, have time to research, etc. It is different than if you simply became bored of developing websites. Specially on the first case, try to get around the tasks that made you sour for a while. You cant be a great hacker and never write a line of code, but you may keep it to the minimum and be perfectly fine.
A bit of maths and logic will help. Any technical background is a plus. The only hard requirement, and i can't state this enough: ENGLISH. You will need to be able to read and understand spoken english at a near native level. I purposely wrote this guide in english because if you don't understand it, you will have zero chances on it.
This section makes reference to the requirements that you need to satisfy before landing a job. Not before starting learning (that's the previous section).
- A laptop computer with some kind of Linux and an internet connection.
- Some scripting language knowledge (Python is recommended for beginners).
- You need to know how to write reports.
- Knowledge on network communications.
- General programming knowledge (how to read code on any language).
- Field specific knowledge (Top techniques used on the wild, popular malwares, etc).
This is your repertory of techniques, this varies from person to person and from position to position. A few important ones are: (Don't worry if you don't understand the terms at this point)
- Web hacking (SQLi, XSS, Deserialization, LFI/RFI, CSRF, etc).
- Network hacking (ARP poisoning, DNS poisoning, etc).
- Malware analysis (Disassembling, debugging, etc).
- Cryptography (Hashing, encryption, etc).
- Defensive techniques (IDS, IPS, WAF, etc).
This is the first part of the guide, it should take you a few months (let's say between 1 and 2) to complete it. It is the most important part of the guide, as it will give you the basics that you need to start working. There are a few milestones that you should have completed before moving on:
- I know the differences between binary, hexadecimal and octal, and i can convert between them.
- I know how to use linux for basic tasks, aka: If my Windows/Mac machine dies, i can still work.
- I know how HTTP works, how to make and debug API requests.
- I know what LDAP.
- I can create simple automation scripts.
- I can enter hacking forums/discord servers and i understand some of the terms used there.
A newbie is someone who just started learning.