Working in cybersecurity can be a very fulfilling career, but most jobs require some amount of experience or formal training. While there are many great courses and certifications for learning pen-testing out there, it might be the case that they are simply above your budget. But that is totally fine. I think it is still possible to get job-ready knowledge about cybersecurity and pen-testing from free resources.
A little warning: While I feel like it is possible to spend no money on your way to the first pen-testing job, it is the case that some paid resources provide knowledge in a condensed and easy-to-digest form. Having access to those resources might accelerate your learning journey. So I will provide some recommendations on which of them are worth it and which are not.
I also created a GitHub repo with free cybersecurity resources. Check it out, and feel free to add some:
I got really lucky in terms of getting a job. My first contact with cybersecurity was back in my teenage years when I Googled “How to become a hacker.” That was back when there were no such resources as HackTheBox and TryHackMe. So, a lot of the learning was more theoretical and, in general, kinda slow.
After I finished school, it was time to look for a job. I started out with a student job for a big software company. There, I had the opportunity to work with different security teams. During this time, I did my eJPT certification and got in contact with the internal pen-testing team. They provided me with the opportunity to do an internship and paid for my OSCP. After I finished my Bachelor’s degree, I got offered a full-time job as a pentester.
As I mentioned, I got lucky, but I think there are a couple of takeaways from my own story:
I know you probably want to get into learning right away, but I think we should have a brief discussion about this topic. There is a decade-long ongoing discussion about the difference between certifications and degrees and which is better and a lot more. I don’t want to dive into all that stuff.
Generally speaking, a degree or a certification is a verifiable and easy way for employers to assess the skills of an applicant. The OSCP or a computer science degree does show that the candidate has skills and knowledge in a certain area. If you have to filter through hundreds of applications, they give a good orientation. But there are two big things to take into consideration:
To know where you should start, you have to know where you stand. It makes a big difference whether you already have fundamental IT knowledge or are coming from a different profession, because it is absolutely necessary to understand basic computer science concepts like networking and how programs, web pages, and computers are built and run.
Since I suspect that many readers of this article will have this knowledge, I will not talk too much about learning all that stuff.
As well as for basic knowledge, I think you should really start with
If you are thinking about what kind of pen-testing (mobile, web, network, Red Teaming, etc…) to learn first, I suggest you go with web pen-testing because there are many resources about it, and when we talk about Bug Bounty later, most of the targets are available in this area. But if you feel like doing something else, do it; all of this is just my opinion.
In addition to doing the learning path, you should also do some of their boxes that don’t give you any hints about how to solve them. Also, check out
When solving boxes, I recommend you give yourself a time limit. I recommend something like this: If you don’t have the initial foothold after 30 minutes, check a writeup. Afterward, try 30 minutes for privilege escalation, and if you don’t get it, check the writeup again. It is true that there is no writeup in a real pentest, but doing boxes is about getting as much knowledge as possible. Also, start pushing yourself as soon as possible and increase the difficulty. It may mean that you need a writeup for almost every step, but it also means you learn something new with every box.
If you love certifications as I do and want some more for free, please check out my GitHub Repo over here:
By now, you already hacked some machines and websites, but all of them were in a simulated environment and left vulnerable by design. While this provides valuable experience and gives you the ability to learn how to exploit vulnerabilities, it is not necessarily the experience employers are looking for. Therefore, I recommend you try your skills against some real-world targets (in a legal way). Luckily, Bug Bounty platforms allow you to do this and maybe earn some money.
You can check out the following platforms:
Look at their programs and get familiar with the general topic of Bug Bounty (try to avoid the Twitter and Medium hustler bubble; there is some really bad stuff out there). I suggest you start by looking at Katie Paxton-Fear’s stuff (
If you get one or the other bug, it is great for your CV because it shows you know how to apply your pen-testing knowledge to real-world targets.
This one really depends on how much time you want to spend before getting a job as a pentester. I am not part of it, but I heard really good stuff about it. It basically is a closed Bug Bounty platform, but they additionally offer some fixed pay jobs like checking default credentials or OWASP Top 10. However, you have to apply to them, and this process can take a while. But it gives you the chance to have some experience with a real-world job application. It offers great hands-on experience and looks good on your CV. So check it out and see if it is for you.
If you are following this blog (btw. please read more resources than just this one; there is a lot of great career advice out there), I hope you don’t think of it as something that has to be done in chronological order. You can skip things and do them in parallel, or however it feels right for you.
Before you go out and look for a job, you should write a CV. This really should focus on showcasing skills that you can apply to your pen-testing job. So if you have worked in another job, think about how you can translate the skills you gained to pen-testing. If you are a programmer, tell them you have a deep understanding of technology, you have surely had to implement security measures in your code, and you probably know how developers think and fail. If you have worked as an executive assistant, you have probably done a lot of writing and have clear communication skills, which is also really beneficial for pen-testing.
By now, you have done at least some certifications and courses, but be careful what you include in your CV. I think, if you have done the three free certs I mentioned, you should include all of them, as they really showcase skills and knowledge needed for your job. But you want to be careful not to include every little thing. Rather than including the certificate of completion for every TryHackMe track you did, you should just include your TryHackMe profile. And for bug bounty profiles, you only want to mention the sites where you have at least one accepted submission. If you put too much basic stuff in there, it probably seems desperate.
For writing the actual CV, you should not get too creative. It is best to either download a Word template and fill it in with your experience and skills or use one of the online generators (consider the privacy implications). Be aware that your CV is often read by machines first, so make it “machine-readable.”
Being visible can be really helpful if you want to get a job. I think having a well-maintained LinkedIn profile is crucial. So create one, put a nice photo and some experience on it, and maybe include “aspiring pentester” in your bio to make yourself visible when recruiters search for possible candidates in this area.
You can also do a little bit more to increase visibility. A nice thing to do is to start a blog, like this one you are just reading. Even though you might not have a lot of expert knowledge, you can talk about your journey and experiences or write a tutorial for a tool or a writeup for a box you did. But please don’t go down 1337 Hacker Road. I don’t think that blogs like “Hack a webcam with only three steps,” “Hacking Instagram password,” and other clickbait help find employment. Other things you can do are contribute to GitHub projects (for example, Nuclei and Spiderfoot allow you to contribute new rules and templates), create your own tools, or speak at a conference. All of these things will grow your network and look great on a CV.
Go for quality over quantity. The job has to be a match for you as much as you have to be a match for the job. So, really try to find jobs that match your expectations. While I say that, it is also true that it is probably easier to pivot from one pen-testing job to another than getting into the industry, but I feel bad advising anyone to take a job they don’t enjoy.
I highly recommend you reach out to recruiters/headhunters. You can easily find them on LinkedIn, add them to your network, and ask if they have a role that fits your profile. It will not cost you a penny because the employers are paying them. They will also be a big help with streamlining a lot of the process. They know their clients and where you have a good chance of getting hired and, most of the time, allow you to skip steps like writing a cover letter. Even if they are not able to offer you something right away, they will add you to their contact list and reach out in the future.
There are just better resources than I am, so I will link to them:
While it should be entirely possible to get a pen-testing job without spending a dollar, it will still require a lot of work. Spending at least some money can make the process faster if you spend it right. I also have to mention that all of this is just my personal experience and perspective. Your mileage may vary.
If you liked this blog post, you can follow me on Twitter @Secbyaccident or read my other stuff over at
And if you have read this far, I want to offer you a little Thank You. My DMs on Twitter are open, and you can reach out to me if you want me to review your CV, help you with some studying, or set you up with some recruiters. I will do all of this for free, but expect a little delay in response time.
Also published here.