How CTFs Landed Me A Job As An Offensive Security Engineer
How I Became A Professional Hacker For Fun And Profit
There is an argument online I stumble across regularly about the effectiveness of challenge sites and CTFs when it comes to their real-world application. While I cannot speak for everyone’s experience, I wanted to write a post detailing how working with these practice challenges landed me my first job in the industry as an Offensive Security Engineer.
A Note About “Career Talk” Online
I was very hesitant to make this post because I am not the biggest fan of online career advice. Everything is always a success story and an oversimplification. This took months of interviewing on top of years of developing my skills. Anyone can do it, and I am in no way special, but it did not happen overnight as this quick blog post may make it seem. I sent 100s of applications out and was regularly ghosted or denied. All the while, I was constantly seeing success posts on Twitter and LinkedIn that made me feel inadequate.
No path to getting there is the “right” path, and everyone’s own experience will be different. I decided to share my interview process in hopes to give those in a similar position an idea as to what I went through to break into the industry.
I want to begin with a bit of background about myself because it would be unfair of me to just say I did cybersecurity challenges and got a job without addressing some of the other things that played a role as well. I am currently a senior in college pursuing a Computer Science degree. I have worked a few internships as a software developer but had never done anything specific to the security space when I began applying to full-time roles. The closest I had come at the time of my interviews was some DevOps work that required best practices when it came to cloud security.
Throughout my time in college, however, I had pursued security-related projects. The main way I improved my skills was by doing casual weekend CTFs and challenges on HackTheBox, TryHackMe, and exploit.education. In addition, I had a blog where I posted write-ups as well as notes on other miscellaneous security topics. All of this information was on my resume, dressed up to make it sound as impressive as possible (“in the top 15 percent of TryHackMe users” and “owner of a security blog to host my own technical write-ups and papers”).
While I can’t say for certain, I believe that this helped my application get past HR and moved me onto an initial phone screen. In the end, I interviewed with 4 companies, all for offensive security-related work. Most of these interviews consisted of an initial phone screen, and then a final round technical interview. This post has omitted some of the techniques I used for the phone screen, but I would be happy to detail more information on that in a future post should there be interest.
Did CTFs Do Anything Other Than Get You An Initial Foothold?
Yes! All 4 of the companies I ended up having a final round interview for involved multiple CTF-like challenges.
Out of the 4 companies, two were interviewing me for a prospective Junior Vulnerability Research role. They had me screenshare simple crackmes and pwnables, no different than those you would find in any weekend CTF. I was able to talk through the methodology I had developed through my own experience and show them how I approached problems such as these.
The other two companies were interviewing me for their junior-level rotational programs in which I would engage on projects spanning from network security to web app pentesting to low-level exploitation. Both of these interviews involved “stations”, in which I would solve CTF style challenges in different domains. For an hour I would hack on a web app, then for the next hour I would work on a binary, and so on. All of this took place while being evaluated and talking through my thought processes to the engineers watching.
But You Still Haven’t Proved CTFs Make You An Effective REAL-WORLD Hacker
I guess technically this is true. I practiced with CTFs and those were also used to evaluate my skills as a hacker when it came to the hiring process. Therefore up to this point, no one has even tested or proved that I can hack on real-world applications.
But my goal from the beginning was to break into the industry. If I wanted to become a bug bounty hunter, I certainly would have spent more time attempting to hack on the real-world web or mobile applications. What aligned for me and my goals was to get into the industry early and learn from those who have come before me.
If you learned anything from this post or want to see some of the things I am working on, feel free to follow my Twitter. I have ventured into working on some bigger reverse engineering projects as well as an unannounced gamified hacking platform (spoiler!!). I regularly write blog posts and am considering starting a YouTube Channel as well.
Until next time,