[PeterisP]

What are you looking for in that case? I mean, in the absence of previous experience doing the same thing.

The way I look at it, people come into technical security either from operations or development backgrounds, but it's hard to distinguish someone who has the required skills from their years in dev or ops from those who have managed to do their core work so without going into the relevant details; their CVs are going to look pretty much the same.

A hobbyist might have practiced on some CTFs or vulnerable machine challenges, but unless they haven't e.g. won some bug bounties or gotten some CVE disclosures, then that won't be really visible on a job application. If certifications aren't considered relevant by security hiring managers, what is?

[souprock]

Things that would count:

You wrote a compiler, kernel, emulator, firmware, or boot loader.

You wrote a small demo, such as 4096-byte or 512-byte. Like this: https://en.wikipedia.org/wiki/Demoscene

You have hand-optimized code via assembly language.

You have debugged software with a JTAG device or a digital logic analyser.

[pvg]

Why would those things count more or less than other things? It seems more like a list of things you think are neat but trying to guess what a resume-reader might think is neat seems like a game with very poor returns.

[souprock]

Well, those things fit the job I posted: https://news.ycombinator.com/item?id=18358038

The common feature is low-level experience. Somebody should be comfortable with assembly and related things.

It's true that not all security jobs are the same of course, so there will be plenty of places wanting other stuff, but I don't know about those.

[pvg]

Ah that makes sense but then those things would be useful when applying for your specific job rather than things that would be useful when looking to make a specialization switch and are wondering whether certifications are useful.

[tptacek]

We hire resume-blind, based on work-sample challenges.

https://latacora.com/careers/