Offensive Security was founded to empower the world to fight cyber threats by inspiring the Try Harder mindset. Tough courses and rigorous exams mean only those with the right skills, mindset, and attitude hold an OffSec certification. Those who succeed often have insights to share with other students.
In previous student spotlights, Csaba Fitzl outlined his journey to earning all five OffSec certifications and Samuel Whang shared a philosophical approach to the OSCP. In this post, OSCP holder Suhyun Smith highlights the importance of mindset and community along the path to certification.
The journey to the OSCP
Suhyun’s first job in information security was at a small penetration testing consultancy in South Korea, focused on compliance. She moved to the USA from Seoul three years ago after a study abroad program in infosec. While she learned a lot about systems in her first job in the US, she wanted to be more engaged with the security field in general and blue team/defensive security in particular.
She sought opportunities to expand her knowledge by gaining experience in systems security, access management, and different operating systems. Exploring new paths made Suhyun realize that she wanted to get back into penetration testing and participate more actively in red team and the offensive side of security.
Before taking Penetration Testing with Kali Linux, Suhyun passed the CISSP and CEH exams. She decided to tackle the OSCP exam after hearing about it from a study group. She soon discovered that it was a hands-on experience recommended by others in the community.
One year of studying the [PWK] course taught me a lot about the offensive side of security, stealth scanning, bruteforcing, etc. I also learned how to approach all different types of targets depending on their environments, like OS, running service, settings, etc. There’s no certain procedure for hacking any one box. Depending on your target, you have to create a strategy of your own.
After a year of preparation, which included study sessions at 5 a.m. as well as community engagement, Suhyun took the plunge.
I enjoyed it more than I thought I would. It was not a stressful experience because I was doing what I loved. There were some boxes that took hours to solve. But I didn’t feel like it was a waste of time. In the end, it was really fun because I eventually succeeded and learned a lot along the way.
As a result of completing the exam and earning the OSCP certification, employers started considering Suhyun as a candidate more often. She began receiving more calls for on-site interviews and enjoyed a comfortable salary raise.
The importance of community
Throughout her journey, Suhyun connected with others in both the infosec and Offensive Security communities.
Communities motivate each other and push you to succeed more. Not only are they aware of security trends, but you can also share your experience and knowledge with each other. I want everyone to use local communities and other cybersecurity meet-ups.
She called out DC 404, a local cybersecurity meet-up community, as a resource that was particularly supportive in her journey. Attending conferences like DefCon and Black Hat also provided opportunities to connect with others in the industry.
When you announce that you’re studying for [the OSCP], it lets people know you need to focus and receive encouragement. Having a community really helps because you’re not alone.
Paying forward the community support she received is also important to Suhyun.
Prove that you’re qualified and skilled so that you can later share the knowledge you’ve gained with others. Such actions are beneficial for the entire field because they will help it grow in maturity. Hopefully, someday I’ll have more experience and be able to mentor people.
By actively mentoring and supporting our colleagues’ growth in information security, we can do more to address the cybersecurity talent shortage and skills gaps, as well as defend against threats more effectively.
For those trying to decide if the OSCP is right for them, Suhyun suggests ensuring that the offensive side of security is what they want to do. Penetration testing requires a Try Harder mindset, plus significant dedication and personal investment. She noted that it also helps if you enjoy the process, rather than jumping into the field because of how hacking is portrayed in the media.
Earning the OSCP certification takes determination. Suhyun had completed almost 40 machines before making her attempt. She built an extensive study sheet filled with commands for tools and tips. When that was complete, Suhyun felt ready.
It’s really time-efficient and helpful for building a strategy. I felt like I could pass the test once I had a perfectly customized study sheet and Kali ready to go. Like Abraham Lincoln said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
Women in cybersecurity
Another point Suhyun wanted to raise was awareness for women in cybersecurity. She said, “There aren’t many women in IT, nor in the cybersecurity field. Because there aren’t many female college students who major in computer science or information security, I always try to encourage as many prospective students as I can. I like to emphasize that cybersecurity can be fun and entertaining, too.”
At Offensive Security, supporting the growth of women in tech is a priority. OffSec CEO Ning Wang says: “While we have many capable and talented women in tech and security today, there are still many obstacles for women. To get more women in tech and security, we need more relatable women role models, women of different backgrounds and styles. We want men and women to be more cognizant in mentoring and supporting women. For all women OSCP holders, share your journey with the community like Suhyun to inspire more women to pursue a career in security.”
Suhyun highlights the importance of community here as well:
Joining communities like Women in Technology (WIT) or Women in CyberSecurity (WiCyS) and getting advice from people is always helpful, but you need to be independent and determined about your own plan. You can get most answers from a simple Google search, so don’t be afraid to ask silly questions. Finding other people to study with or do exam reviews can be helpful as well. Professors can give you advice, but in the end you will be the one who has to make your own plan.
Finally, Suhyun pointed out that a desire to keep learning and developing skills is a must.
You need to keep up to date with cybersecurity. There’s a big difference between those who are just doing their job, and those passionate individuals who are really in it for the long run. The difference in skill will begin to show because people who love what they are doing are willing to spend their after work hours for research.
While it can be difficult to add training and research on top of a busy schedule, continuous learning is the only way to stay on top of evolutions and advancements in cybersecurity.
Follow Suhyun’s journey in cybersecurity via her blog, Info in Security.