Certification Roadmap for the Bug Bounty Hunter (2023)

Matty K.
Cyberpower Telenoia
10 min read · Jul 20, 2023
“Three luminescent humanoid cyberpunks looking at a certificate through a fancy glowing psychic spy glass.” — T2image prompt, runway.ml

According to Certification Magazine, the top non-technical IT skills are:

- the ability to teach
- time management
- leadership
- emotional intelligence
- writing
- communication

I’m grateful to be practicing this successfully as you consider this article.

As a self-taught junior Cyber Security professional, I have acquired my knowledge mainly by seeking relevant online courses through bookstore computing sections. I own a dozen of the latest specific Web Application Security books which I have read and mapped, along with about 100 digital books covering everything from classics to the last 5 years (2018–2023) in broad Human-Computer-Interaction through Cyber Security and into specific Bug Bounty Hunting methodologies. Where not entire books, I read select chapters or only the tables of contents, which tend to offer great outlines of the body of knowledge in a particular direction. Next, I would do the work that matches my aims while documenting the path.

I have also worked security at music events and in the film industry.

This is a rather large quantity of effort for a mere promise of basic IT employment. From what I can extrapolate based on my decade of experiences in the film industry which is now under question due to a rapidly advancing A.I. — it is possible that all this junior Cyber Security work will be replaced by learned machines in the next 5 to 10 years.

Alwaysthemore, due to my fluency in the Polish language, I completed the excellent Offensive Security Web Application Testing course which helped me build a framework for my #InfoSec to #Offensive #BlackBox #WebAppSec niche within the Cyber Security industry. Despite what feels like a vast amount of information and an exceptional skill set, so far, this has not translated into suitable employment.

As a freelance self-taught security researcher, I decided to look into the security certification and employability dilemma. Here are my findings in 9 points.

0) To begin, through my technical passion as a freelance Bug Bounty Hunter I can work for any organization of choice within a listed bounty program (such as the U.S. Dept Of Defense) on a bounty platform (such as HackerOne). I can start immediately as the tasks are straightforward. The Polish OSWAT course covered all this. Now, everything depends on my experience. This work can be done on my free time and remotely from a comfortable internet connection. I can also choose from hundreds of companies on various Bug Bounty platforms.

With these same skills, in order to be employed with a salary through one company which provides Vulnerability Assessment and Penetration Testing services, the approach differs. Unless such a company is in a position to provide employment based on a mere Bug Bounty Hunting portfolio or something other than experience, skills, and certifications, then one has to acquire all of these on the defensive side first and begin as an entry-level Security Operations Centre (SOC) Analyst or Incident Responder.

Companies won’t hire junior offensive security researchers nobody knows, for obvious security reasons and because it is possible to cause great damage through ignorant offensive operations.

It is also possible that few people with Cyber Security salaries know how little Cyber Security knowledge from the major certifications (CompTIA Security+, CEH, OSCP) is needed in order to begin hunting for vulnerabilities in websites through bug bounty platforms. Teenagers with basic computer interests in cultures with an accent on intellectual development are able to successfully complete these tasks. They care, and have means and motivation. A 16-year-old girl completed the OSCP certification, which is great to see, and could possibly be normal. Might this mean there is too much pride among security “experts” with their years of sacrifice in order to obtain highly complex knowledge in a field that few master?

It is possible that the industry could choose to respect the fact that people will be learning Cyber Security skills at an increasingly younger age and increasingly faster.

As a self-taught IT specialist in the field of Web Application Bug Bounty Hunting, I found it challenging to seek regular entry-level Cyber Security employment because I have no previous IT experience in an office setting, and there are no Web Application black-box testing roles and no such specialties at any company, whether locally or internationally. Other than on Bug Bounty platforms, no company accepts a junior penetration tester who can merely assess vulnerabilities and deliver reports.

Note: they could. Because there are hundreds of thousands of jobs available. But it’s just not how the world works, possibly because those with Cyber Security businesses are too busy to see that the reason there are more malicious hackers around is the same reason there are more ethical hackers around: it is becoming easier to learn! This is also why machine learning is scary to those who understand the implications.

If you know of any businesses which offer employment to self-taught Bug Bounty Hunters, please let me know. If you run such a company, I wonder about you. I am starting a business along these lines because I know how to construct and coordinate, but I would benefit from mentorship.

It is unfortunate that as a self-taught Bug Bounty Hunter specializing in Black-Box Stealth Recon my skills are too low of a level. The Cyber Security industry would greatly benefit from the right juniors doing the right work at lower levels. It is correct however, that the risks are too great, that people are possibly too weak as humans to do it right. The only place inexperienced entry-level hackers with an ethical heart could be hired is on zero-risk non-critical systems, but then there is little business logic to pay anyone for securing assets outside of the organization’s threat model.

For now, while entertaining an unrelated job and attempting Bug Bounty Hunting, I must also continue to study and apply myself for general employment in Cyber Security at the global entry level.

Here is my process for entry-level Cyber Security employment as a Bug Bounty Hunter:

1) Start with the Cyber Security Body of Knowledge. Select a direction of specialization. I have always been fascinated with the most accessible Offensive Security Operations on the largest network, the World Wide Web of applications. Therefore Web Application Security.

2) Consider the industry certifications in that direction using Paul Jerimy’s Certification Roadmap.

3) Complete beginners can enter the field with the corresponding skills, motivation and economic means. To start, Cyber Security foundations can be learned using free online courses through various providers. NIST has prepared a list of such sources, the Free and Low Cost Courses.

I have begun my journey in the One Million FREE (ISC)² Certified in Cybersecurity initiative to help 1 million interested people obtain the basic skills to pursue entry-level Cyber Security positions.

4) Major players such as IBM, Google and Amazon have their own courses. These can be higher level than the free introductory courses and more in depth. These however, are not final certifications. I completed the IBM SkillsBuild Cyber Security Fundamentals. Now I’m looking forward to the next relevant modules.

Due to select circumstances, I have a certain understanding of Cyber Security from fields beyond anything known by popular civilian life, including metaphysics and military intelligence, whereas the general entry-level comprehension is a very narrow field. Having to find the basics has been as baffling to me as might be the opposite direction for the vast majority.

A generic trail of Cyber Security employment information can be followed on Coursera, a popular online learning platform.

Here is the sequence of knowledge mapping one may follow:

a) Select entry-level IT.
b) Select Cyber Security multiple course series — all about Security in 100 hours each:
- IBM Professional Certificate
- Google Professional Certificate

c) Select the most specific and basic entry-level role in IT — Cyber Security: Information Security Analyst.

d) Consider the discussion of deeper Cyber Security certificates on Coursera.

Looking into the specific IBM SkillsBuild sequence for employability:

- Start here — Quick IT Skills towards Cyber Security
- General free courses — IBM SkillsBuild
- My particular course — Cyber Security Analyst — Details.
- IBM teaches what I already do as a Bug Bounty Hunter — Vulnerability Assessment for a Website.
- IBM Skills Network courses on Coursera — with my chosen course, Introduction to Cyber

Note: if one plans to spend an entire 30+ year career in a slow advancement within Offensive Web Application Security Testing, one might never study for any certification, but rather take the exams only if needed, having enough acquired experience to be able to solve all problems in the field. However, we live in a time where we might only have a few years left of civilization due to the rapid for-profit advancement of self-evolving quantum artificial intelligence. This is a problem which most likely will not be resolved, considering a multi-dimensional mapping of Cyber Security threat intelligence. Therefore I do not recommend planning to spend more than 5-10 years in the field without major changes happening in civilization in which the Internet could easily be altered in a dramatic way beyond memes. But completing these certifications while pursuing knowledge in machine learning… might be of benefit.

5) In this section I present the certifications that matter to the machines that process Curriculum vitæs (CVs / résumés) and cover letters:

For all General Cyber Security employment:

Based on my research about employment that may correspond with my digital nomad lifestyle, as per the roadmapping towards Offensive Security Operations, starting at the bottom center (beginner in IT) and moving upwards towards the offensive side in the right corner (expert Ethical Hacker), my selected route could be as follows.

For major accreditation I have selected the CompTIA Security+ certification as my foundation. This certification seems like an overall accepted marker of competence for all entry-level Cyber Security employment.

I had to browse through many articles to get to this conclusive summary in the summer of 2023. One needs to ascertain that it is the most recent version of the knowledge. Aside from the official website, there exists literature in different formats (informational, course work, exam study guides), free PDF book downloads, and specialized courses for the exam preparation.

I will be purchasing the official book format and online assistance through StationX, another leader in assisting people with their Cyber Security training and careers.

Before CompTIA’s Security+, it seems A+ is the most basic related certification, followed by Net+. I hope to bypass these certifications with my years of freelance experience in IT, but I do plan to use the contained knowledge as reference.

1) CompTIA Security+ ($350) — time estimate by winter 2023.
Other Preparation:
https://www.cybrary.it/course/comptia-security-plus
https://www.professormesser.com/get-security-plus-certified/
Extras: EXIN 27001F ($250)

For Bug Bounty Hunting:

For practical skills I plan to complete the Bug Bounty Hunter modules on HackTheBox (for about $500 per year) in order to amplify skills for bounties on HackerOne and simultaneously apply to global employment. On the mentioned roadmap, the HTB CBBH skills path is ranked higher than the CEH!

1) HackTheBox Certified Bug Bounty Hunter — HTB CBBH ($500)
2) HackTheBox Certified Penetration Testing Specialist — HTB CPTS ($500)

For entry-level Cyber Security employment:

The free available courses from the NIST list, in particular the previously mentioned ISC2 Cyber Security Foundations and IBM SkillsBuild.

1) EC Council Certified SOC Analyst — CSA ($550)
2) Any Threat Intelligence Analyst certification — TIA ($300 — $550)
3) Any Certified Incident Handler certification — IH ($300 — $550)

For Web Application Security Testing:

In my estimates, each study period for any certification, given a general prerequisite readiness, is about three months, on top of deep experience. I might take some easy basic Vulnerability Assessor certificates to start the journey.

After this I hope to pass the CEH, OSCP and possibly OSWE. I know that these are not academic certifications but rather take long experience in the field to master. For an excellent overview of what it takes for OSCP success, please take notes from this informative video by David Bombal interviewing Rana Khalil in “The Best Hacking Courses and Certs — Your Roadmap to Pentester Success”.

1) Vulnerability Assessor — C)VA ($550)
Extra: EXIN Ethical Hacking Foundation — EEHF ($230)

2) CompTIA Pentest+ ($350)
3) Certified Ethical Hacker — CEH ($1200)
Extra: eLearn Junior Pentester — eJPT ($250)

4) OffSec Web Assessor — OSWA ($2500)
Extra: Mile2 Certified Pentest Consultant — C)PTC ($550)

5) GIAC Web Application Penetration Tester — GWAPT ($1000)
6) OffSec Certified Professional — OSCP ($1500)
7) OffSec Web Expert — OSWE ($1600)

By the time I get there, within a few years, the world of IT will have changed through rapidly advancing technologies. These have to be taken into account because it might be the last time humans are able to learn and reason with these tools before the onset of A.I. law enforcement.

6) It is best to gain the experience naturally by doing the work in one’s field before obtaining the certification. Yet similarly to other primary industries such as energy, housing development, or the film industry (which I know well after 15 years) often those with the means simply pay for quick training for top positions by top specialists.

Any of these bodies of knowledge pertaining to certificates can be taught in about one week by the right teachers with the right students. Then one has to practice for the exams and take the exam for another fee. Not to mention gain more experience if necessary.

One may consider taking a $10,000 six day SANS course or 12-week Lighthouse Labs bootcamp.

7) On a final note, here is how certification may affect salaries:
- Salary Survey 2022
- From Sizzling to Ice Cold
- Certs Raise Salaries

8) Ultimately my employees will be doing the work when I run my own company integrating Ethical Hacking with the mentioned advanced technologies of the day: A.G.I. (and artificial life), VR (with mixed and augmented reality), Web3 (decentralization), Bitcoin (financial sovereignty), Quantum Computing and new, clean, fuel-less electrical energy sources.

Niche InfoSec Consultant - Stealth Recon for Red Teams