by ktta 3217 days ago
I feel like it is difficult to get hired right out of college into a pentesting/netsec role without a bunch of certs and CTFs (which you do mention in your career guide). Even then it just looks like just another qualifying tick in the checklist. Right now I'm thinking a dev job for a couple years, then move into security (which looks like what some recommend). What do you suggest one can do to show that they have the chops to take up a good role short of getting a couple high profile CVEs? Write a blog? Write PoCs for past CVEs?

What will get the attention of someone who hires (like you) to think that they will be a good fit?

1 comments

Easy! Develop software. Don't limit yourself to scripts and small utilities. Work on something substantial, preferably low-level and closely related to the operating system or hardware. If you play CTF, show me the tooling you wrote to prepare, and the process you use to review your past performance and plan your next game. Our biggest ask during our hiring process is a code sample of some kind. If you're talking about finding bugs, show me that you didn't just get lucky, that you know how to make the process reliably produce a known outcome.

Sidenote, I think the dev job for ~2 years out of college then moving to security is a smart move. You're 100x more effective as a security engineer if you have a strong background in development. I'll say that we definitely prefer to hire software developers and teach them security.

Thanks! This is great advice.