What I learned doing an offensive security interview

Coming into University I always knew I wanted to begin my career as a cyber-security consultant. Although many STEM graduates aspire to work for big tech, or a cutting edge start up I always dreamt of becoming a professional hacker. The ideal job would involve landing a position as a part of someones red team where I’d get hands on experience running penetration tests for various clients. For a long time I thought the standard tech application, which included a Computer Science degree from a top university, relevant job experience, a cyber security certification (the CEH in my case) and a couple of side projects would be enough to land the perfect job. But after applying for the only offensive security consultant position in my province, and landing an interview, I found out I was wrong!

When I started my job search back in January of 2021, I’d began by crafting what I believed to be the ideal CV and cover letter. I began by writing about how I structured my bachelors degree to get the largest exposure to the technological infrastructure that supports the functionality of the internet. I’d gone as far as completing the University of Toronto’s Computer Science specialist program with a focus on internet technologies. This included many hands on projects like coding web servers, creating databases and performing relevant queries, and even full stack web development. This provided a solid foundation from which I could not only understand the exploits I would have ran at a deeper level, but allowed me to work without depending on pre-built software tools like many Script Kiddies. When it came to analysing different attack vectors for a specific software, knowing exactly how tools worked, or even being tasked to create a new tool, I felt I was well equipped. To back up my claims I mentioned 3 projects I’d completed in school and tied them directly to offensive security, two previous jobs with direct exposure to cyber security, the certificate of ethical hacking I received, and an hour long talk I gave on educating youth in cyber security along side a Professor from the University of Guelph. Although I also began publishing cyber security podcasts, only a month prior, and gained over 5000 listens, I decided to save that as a bonus during interviews. I remember writing the resume and thinking that it was perfect for the offensive security position I’d so desired.

As soon as I started applying I was in dismay to find only one offensive security position in all of Toronto, my home city. It was also at a Big Four Consultancy which has a notoriously difficult interview process. However, I felt that my chances were great, and didn’t think twice about the possibility of not receiving an offer. As I submitted my application, I remember naively chuckling about how I was a purple squirrel.

For those who don’t know, Big Four consulting companies usually have three rounds of interviews, where the third interview is with your future manager (potential future manager, I should say). From what I’ve gathered people who make it to third round interviews almost always get a job. When I received an invite to be interviewed directly by the manager (basically a third round interview), I was ecstatic. I’d done my preparation beforehand, and nailed all the interviewers questions. I regularly read cyber security news, was able to describe, a number of recent hacks such as Solar Winds, NotPetya, and WannaCry in detail, and even mentioning my podcast! Moreover I was thrilled to learn that they we’re hiring a number of pen testers, and looked to fill a couple of other relevant cyber security roles. However, I received significantly more questions than anticipated. Every single topic had a follow up question and I was asked to elaborate further. But I was prepared and felt I held my ground. Then the interviewer proceeded to ask what professional working experience I’d had penetration testing, as that was important for the role. I felt that this was an curve ball, as the guy had seen my resume and known I’d only had professional exposure to policy creation and secure software architecture. I expanded on the knowledge I’d gained during the CEH, the few virtual boxes I’d hacked beforehand, describing the process behind a penetration test and detailing the steps. I was very happy with my answer. I was open about the fact that I hadn’t had any paid experience. We talked for a approximately five more minutes, and was told I was expected to hear from them in the following 48 hours. I’d followed up with a thank you letter, but never heard from the team again. Bummer!

Although I did land a job I am very happy with, doing Cloud Engineering consulting, with a focus on Cyber Security I took some time to reflect on my interview and came up with a few key pointers seen below:

1. Do practice interviews for your specific role. At the time I would not have been able to describe any recent hacks in detail, if I had not prepared beforehand. And I was lazy about reading the news. I’ve fixed both those problems upon graduation and stay up to speed now. DataBreachToday is my personal favourite.
2. APPLY TO MANY JOBS. And don’t be afraid to move out of your city. I cannot stress this one enough — that’s why it’s in capitals. I’ll never know for certain why it is I hadn't heard from them, but I am fairly confident I could have gotten some kind of role if I had gotten 3–4 interviews for the same position elsewhere.
3. Certifications can only take you so far. Especially in tech! Get as much hands on experience as soon as possible. This is what I believe to be the weak point of my interview. Have some kind of third party rate your validate when possible. I am a big fan of hackthebox.com .

As it stands I’m very happy with in Cloud Engineering, and am able to explore penetration testing on evenings and weekends. The idea of building cyber security expertise in the domain of Cloud is something I find intrinsically appealing. I hope to fuse the two areas of interest into the future. Currently, I am studying for the OSCP exam. Hopefully this article provided some use for those applying to jobs as a penetration tester, and sets them on the path of gaining valuable experience and better prepping for an interview.