This is part 3 of a series on my transition to a new job. Today's episode is aimed particularly for those of you going after tech-focused position, such as a security analyst or pentester. Many of these positions require that you complete not only a verbal technical grilling to test your knowledge, but also a hands-on CTF to test your might!

I've taken my successes and failures over this past month or so and broiled them down into five tips that I pray will help you survive this stress gauntlet and come out on the other side alive - and ideally with a new job!

1. Manage your time

These tech-heavy positions often have a technical CTF challenge (similar to something you might see on or OSCP) as part of the interview process. In my experience, the general rules are:

  • Find the vulnerabilities
  • Get root shell
  • Timeline = 7-10 days

If you end up interviewing for multiple positions, be aware you may end up working on several CTFs at a time. My advice would be to tackle one CTF per week, rather than take them all on at the same time like I did. That was stupid. Stupid stupid McStupid.

2. Know your stuff

You're likely to get a pretty intense verbal grilling in the form of a Q and A session. This session might cover anything and everything from describing how SSL and SSH work to identifying and exploiting an XSS vulnerability. Be prepared :-)

3. Don't cheat

Remember those CTFs I mentioned in tip #1? Some of them might be VMs you download and try to pwn locally. If that's the case, don't think you'll be clever by mounting the disk image or booting into single-user mode and reverse engineering how the VM is setup. Cheaters never win. Well, they may win temporarily, but the technical scrutiny you'll experience in tip #2 will expose you for the cheater, cheater, pumpkin eater you are!

4. Rock the report!

In my experience, the potential employers said not to worry about making the report fancy. But I did. And I think you should too. A well-written, proper report (with cover page, introduction, good screenshots, good code snippets, etc.) go a long way to say "Hey, I can communicate vulnerabilities and remediations to a wide variety of audiences!"

5. Be ready to present for realz

I use a "z" because I'm l33t and stuff. Anyway, the final step for some of these interviews will be to present your report as if it's a client delivery meeting. This will likely be done via Google Hangouts or Skype. I highly recommend doing a rehearsal of your presentation first - even if it is with someone non-technical. That way someone can point out things you might not realize you're even doing (shifting nervously, talking too fast, etc.) before the "realz" deal!