Steven McMunn, Penetration Tester
I’ve just joined the team at PGI as a Penetration Tester—it’s my first cyber security role and my first outside the Army. I know I’m not the first to make the jump and I see so many people wanting to get into cyber security but struggling to find the right path, so I thought I would share my experience.
I joined the Army when I was 16 years old. During my 15-year career, I had some amazing opportunities and incredible experiences, in some very remote locations. By the time I left the Army to get into cyber security, my main role was teaching explosive ordinance; I was a weapons specialist with the responsibility of ensuring soldiers were at the correct level to be deployed to operations. Essentially, I had no IT background at all.
Whilst on deployment, I decided I needed a career change and after doing some research, I worked out that cyber security was where I wanted to be. I started gathering information from others in the civilian world to understand the requirements to get into the industry and then I created a how, what, where, when action plan.
First steps towards becoming a penetration tester
In 2017, I signed up to a CompTIA A+ training course to learn the basics of IT. The course allowed me to work through configuring device operating systems, troubleshooting and grasping the basic knowledge of parts and components of a computer system, and it inspired me to learn more. After completing the CompTIA A+ online exam and achieving a pass, I then moved onto the CompTIA Network+ and Security+ courses to ensure I had the thorough knowledge of how networks work in detail, whilst learning about cyber threats, vulnerabilities, attacks and network infrastructure. I spent 10 hours a day studying and used my evenings to practice Ethical hacking—I knew this wasn’t going to be easy and I needed a lot of determination to achieve these steps.
In 2019, I decided to make the big jump and leave the Army service behind—I had 12 months to plan my resettlement to ensure I would be successful entering the cyber security industry as a Penetration Tester. Initially, I went to a careers fair to gain an understanding of what companies were looking for and I found that I had a lot to catch up on. This encouraged me to apply for a Offensive Security course, for which only 10 service leavers were eligible. I had about 10 modules to fight through—ranging from web application, computer hacking and forensics to penetration testing and ethical hacking—and I knew a lot of work and time was needed.
After spending an enormous amount of time studying (which included spending the evenings learning through Hack the box and Vulnhub to gain the practical side knowledge), I began to second guess my decision to move into cyber security. Luckily, I didn’t let the negative thoughts get the best of me and in October 2019 I was selected for the Offensive Security course (if I could prove I had the pre-requisite knowledge). One week later, I submitted an assessment to prove my skills and I started a very challenging 3-week Offensive Cyber Security course, working towards the Crest Partitional Security Analyst exam and then the Crest Registered Penetration Tester exam.
As I got close to exiting the Army, I began to find the spiral of negative/positive feedback challenging and difficult to process, particularly as I had started approaching companies and this was a whole new game for me. But I motivated myself to keep trying and I completed further courses.
Once my time had ended with the Army and a few more months of studying and applying for Penetration Tester roles I successfully join the PGI team.
Why did I want to transition into a cyber security career?
To me this was a simple question to answer. Security is a massive sector and because of my background, security is something I take very seriously. I wanted to be a Penetration Tester because I find it very interesting and it gives me that motivation and excitement that I need to enjoy my job.
I think that for someone learning ethical hacking or even already in the role as a penetration tester, the learning aspect will always be there no matter how much you think you know and this is something I thrive on—I don’t think there will ever be an end to learning in this role.
Don’t underestimate your military experience
The time you have spent in the military is not wasted. The technical skills and analytical processes you have been taught will easily translate into a civilian role. Don’t underestimate your soft skills either; your ability to perform under pressure, to follow commands, or to lead a team are equally valuable.
There are also a number of other roles within the Armed Forces that fit well in cyber security, not just communications engineering. Intelligence Analysts have the analytical training that makes them suitable for SOC or Threat Intelligence roles. Military Police have the investigative mindset that is required for cyber investigations and may have even worked on digital forensics during their military career. Whatever your role was in the Armed Forces, I guarantee that some of those skills will be directly transferable into the civilian world of cyber.