How To Prepare For A Penetration Tester Internship/Interview
Let’s face it, we all have anxiety when we are going to be interviewed because we put the time and effort to learn the content that the HR recruiters will ask us, but you have anxiety of how it’s going to end up in terms of will HR approve of you for the internship, or say respectfully that they are moving on with someone else. However, the focus of this blog will be to help illustrate a pathway to be prepared, and feeling confident about any questions thrown at you, but also format as well such as scenario based, true and false etc. Furthermore, as the title suggests, the main objective of this blog is to create a guide to help those that are interested in the field of penetration testing become prepared in terms of skillset, knowledge, and confidence in themselves, in order to make them and who’s reading, feel that they are meant for this role and overall, that they will crush the interview process. With that being said, penetration testing is one of the broadest fields in cybersecurity in general, so preparing for a position in this field can be daunting because of the amount of information needed for this field from a foundation perspective, but specific to the roles as well. However, in this blog, I will create a guide that can be used to methodically prepare for that internship or interview in general, so that you can always rely on this and overall use it as a reference.
First off, before you begin learning and using the additional resources that I explained in my previous blog, the Cybersecurity Red Team Guide, to learn the necessary skills and knowledge needed in order to feel prepared for the interview, you must first do an assessment of yourself, such as what your strengths and weaknesses are, and then try to find the necessary resources/advice needed in order to improve those. For instance, we are all unique in our own way, so it can be hard because it isn’t like one solution fits all, but if you take the necessary time and effort to truly analyze yourself in terms of what skills am I good at, and what skills do I need to improve on, then you can feel that someone else is using this strategy because it can be applied to any situation. After that, start searching for resources that best suits you such as motivational quotes to help you persevere through hard times, research fields in penetration testing such as web application penetration testing, cloud penetration testing, mobile application penetration testing etc, so that you can get a better understanding of what you want to pursue to help you hone in on a field to prepare for. Also, use resources such as my cybersecurity red team guide to build that solid foundation that is necessary to be successful in cybersecurity such as networking, linux, security concepts/terminology, programming, etc, so that way when you start using the penetration testing platforms such as HackTheBox or PortSwigger. You will feel more confident in learning more advanced or specialized topics pertaining to penetration testing, because you will have a great understanding of concepts that you can use to create that bridge to more advanced topics in penetration testing, so it’s highly important to first learn the fundamentals, before you start using the platforms that I mentioned in my Cybersecurity Red Team Guide.
With that being said, TryHackme is a incredible resource to learn the fundamentals because they have a wide variety in terms of what you can learn such as Linux Fundamentals, Windows Fundamentals, Networking Fundamentals, Cyber Defense, Web Fundamentals, CompTIA Pentest+, and last but not least, offensive pentesting at an affordable cost($8 per month for student, $10 for non-students). In addition, while you are learning the fundamentals, it is also highly recommended to document the concepts that you have completed on your resume in a very clear and concise manner, so that way HR can understand your concepts from a high level, and when you are asked about it, you will feel that you are confident in not just understanding the content, but also explaining it as well. For example, while you are going through the learning paths over the topics that I previously mentioned that TryHackMe uses for it’s learning paths, you can use this website to create blogs or writeups detailing your experience going through the exercises for each of the modules, and document those blogs or writeups on your resume to show the recruiters your documentation skills as well. Adding on to that, you could also create videos detailing the process of you going through those modules step by step, so that the viewers can get a more visual representation of your thought process such as how did you methodically step through the modules and also mentioning about would you recommend this content to others would be also beneficial to know as well. Additionally, another great resource to learn the fundamentals and potentially penetration testing would be Heath Adams(The Cyber Mentor)’s Practical Ethical Hacking course because it is very hands-on, and Heath Adams does an amazing job of explaining the content in a really enjoyable way, and overall I would highly recommend this fantastic resource. However, Heath Adams also offers 7 other courses on very important and in-demand courses that are very highly recommended, but also very high quality in terms of content and explanation that are : Windows and Linux Privilege Escalation, Open Source Intelligence (OSINT) Fundamentals, External Pentest Playbook, Movement, Pivoting & Persistence, Python 101 for Hackers, and last but not least: Practical Phishing Assessments for a very affordable price because Heath Adams tends to do sales for 50 percent off every course or even free as well.
Moving on, now that you have learned the fundamentals, but also have built up your penetration testing skills and knowledge in terms of TryHackMe and Heath Adam’s courses. It is now time or recommended to move to the notorious Penetration testing platform called HackTheBox to get more hands-on-experience with tools such as Nmap that is a must-know for working in penetration testing, but you will also get exposure to real-world scenario machines that mimic real-world environments that you will encounter as a penetration tester such as having to deal with antiviruses, EDRS, and Active Directory to name a few, so using HackTheBox and truly getting the most of it would be immensely beneficial. HackTheBox also offers writeups for it’s beginner track and overall beginner difficulty machines, but if you pay for the VIP and VIP+ membership, you will get more machines that have writeups and very helpful walkthroughs to walk you through the machines in terms of what tools you will be using etc. Like I previously mentioned, you should also document the labs/concepts you have done as well, but your rank because it can be looked up in terms of what you did to get there, the difficulty of the labs or machines you practiced on, writeups and walkthroughs etc, so it’s very important to be able to understand what rank you are and to elaborate on what labs or machines you did in a very clear and concise manner as well. Last but not least, HackTheBox comes with an amazing discord server that I would highly recommend joining because the community is very kind, knowledgeable, and overall willing to help you if you get stuck in terms of a machine or box, so definitely make sure to join their discord server as well to really benefit your learning and professional networking.
Next up, know that your resume is starting to look stacked in terms of experience, hands-on-labs, writeups, and overall projects that you have done pertaining to penetration testing that you can also explain comfortably in a very clear and concise manner, it is time to apply for internships and get ready for the interview process. However, even though you have dedicated a tremendous amount of time and effort to get to this point, it is highly recommended that you use your professional network(Linkedin would be a great example) to ask for any advice or tips that would be beneficial in knowing what to expect for the internship/interview process, and one great resource that I previously mentioned is HackTheBox discord’s server because the community is affiliated with job-hunting for penetration testing/red-team internships and jobs, so definitely worth asking questions etc. Another great resource is that Heath Adams doesn’t only provide really amazing content affiliated with penetration testing at a very affordable cost, but he also offers one on one coaching sessions, where you can book a session with him for one hour and the session does cost $100, but you will greatly benefit from the session because Heath Adams will go over concepts such as technical topics, career advice(job interview or exam), and everything in between.
After that, you should look into reading books associated with penetration testing that aren’t outdated because cybersecurity is one of the industries that changes rapidly, so you want to make sure what you are studying and overall learning is current and most importantly: in high-demand. With that being said, I would recommend the book that I covered in my previous blog which was the Pentester Blueprint: Starting a Career as an Ethical Hacker because it depicts really well what is penetration testing from a conceptual level, and walks you through the phases of penetration testing such as Reconnaissance(Information Gathering), Scanning(Enumeration), Gaining Access(Exploitation), Maintaining Access(Post-Exploitation), and last but not least covering tracks. To add to that, the book also does a tremendous job of illustrating you the pathway similar to what I previously mentioned such as making sure to take the time and effort to become comfortable with the fundamentals before learning penetration testing, but also it exposes you to different areas of penetration testing and recommended resources to use/understand if you want to specialize in those fields. Overall, the Pentester Blueprint is a very great resource to have on you when you are conducting or learning about penetration testing because the information in that book is truly valuable to being successful on the red team side of cybersecurity and below it is how a typical penetration test would be conducted in terms of phases.
Another great resource to have at your side which is highly recommend in the cybersecurity industry and is one of the most helpful/amazing resources that you can have is the Rtfm: Red Team Field Manual and I will explain why. First of, this book is meant to be a reference guide to help you if you get stuck with a certain command such as Nmap which is a really powerful/popular tool that you will use countlessly as a penetration tester, but also the book illustrates the fundamentals, other important red team tools to know such as mimikatz, hydra, Wireshark etc and the book depicts them in a very easy-to-digest manner making it a great resource in general to have with you. In addition, while you are going through the book, the external research(learning about tools and concepts similar to the tools in this book)you do in addition to taking the time and effort in learning the concepts associated with the crucially important tools in this book will become very beneficial as well.
Similar to this book, there is also another great resource that shares the same goal of this book which is to serve as a reference to help penetration testers and those who are interested in penetration testing, be able to look for a certain command and concept and be able to understand that and help them complete their internship programs, interview process, or red team engagements as well. To clarify, you will learn the concepts that I previously mentioned that are associated with the penetration testing process, but it all comes down to having more resources to choose from which is very important because one tool or one resource doesn’t fill all in terms of what you will encounter in a penetration test interview, internship, or engagement. Additionally, it’s critically important that you know and understand multiple different resources associated with the phases of the penetration testing phases, but also the scenarios they can be implemented for, so that way you can be able to explain the penetration testing process from start to finish, what tools are best for different scenarios such as what if the questions asked references Active Directory or the cloud, and most importantly: be able to feel confident going through the process of explaining these in a way that is easy-to-digest and is associated with the question instead of going off-topic. Along with that, different books can cover the same concepts associated with penetration testing, but it all depends on what style of writing and style of reading such as e-book best suites you in terms of understanding, however, if you choose either one of these books, you won’t be disappointed.
In summary, if you are highly motivated and passionate to accomplish your goal of striving to get that internship, penetration testing position, or interview, then you will be devoted to working towards that goal because you will see and envision that the journey towards those things is a lot of fun, and will be willing to put in the time and effort necessary to accomplishing what you truly desire. Yes I agree that you will encounter hardships along the way, but if you reach and leverage the community, but tell yourself as well that you can do this, then you will truly feel like you are unstoppable because you envision the end goal and is willing to do what is necessary to accomplish that dream. Also, I hope that the roadmap I illustrated is very helpful towards your journey and that you also take a look at my red team guide blog for more details, but if you use the resources, methodology, etc depicted in this blog, then I strongly believe that you will ace that interview for that internship or position. In conclusion, the the most important aspect of preparing for an interview is to feel that you can accomplish everything and overall feel confident in your ability and yourself that nothing is impossible to achieve, but that you are motivated to doing what is necessary to achieve what you truly desire in your life such as acing that interview to get that penetration testing internship or position. Last piece of advice, I would say that you should use your professional network and practice scenarios based on the penetration testing process, tools for each phase etc to the best of your ability like being able to describe the attack process from start to finish because I use Linkedin and discord servers to build up my knowledge, skillset, and professional network and it truly has been an amazing and really fun experience. To build on that, you never know who you will connect with, so it’s imperative that you build up your professional network, so that way if they know of any opportunities that fit the main topic of this blog, then they will contact you with that information and overall help you in terms of taking the next step towards pursuing that internship or position(job role). Lastly, practicing different scenarios will help you build that attacker mindset which is crucially important for penetration test internships or job opportunities as well.
Thank you so much for reading!!
Have a great day and hope you are doing well!