Cybersecurity Careers: How to Write a Penetration Tester Resume

This blog is the first in a series NWG will publish related to obtaining a career in cybersecurity.

We recently posted a job opening for a junior penetration tester (pentester) role here at NetWorks Group. The response, which may be a surprise to no one, was overwhelming.  Almost 400 people applied within a week, over 100 of those within the first 24 hours.  I personally looked at every single resume submitted, which ranged from outstanding to not-so-good.  The purpose of this post is not to make fun of or belittle those who submitted poor resumes; instead, I’d like to take a moment to highlight some of the best aspects I saw, while pointing out the most common errors along the way.  The usual caveats apply: every employer may look at the hiring process a little differently – these are only my observations and suggestions, your mileage may vary.  Also note that most of these suggestions can apply to most jobs out there, not just cybersecurity.

The first important thing to note is that a quick bit of math will tell you my team didn’t have the time to scrutinize each resume for 10 minutes to hunt for details about the applicant.  Most employers will utilize a system where they’ll decide to keep looking within seconds of beginning the process.  So if I am scanning the document at a high level, these are the kinds of things that will often be an instant disqualification:

Spelling and grammar.  Every modern document editor has built-in spelling and grammar checking functionality – use those tools!  If all else fails, give your resume to your friends and family to look over for errors.  A large part of being a pentester is the ability to convey messages through clear and concise writing.  Taking the time to proofread your resume demonstrates that you will do the same with your pentesting reports.
Length.  If you can’t convey your education and work experience in one (ideally) or two pages, you’re probably being verbose, or you’re vastly overqualified for a junior pentester position.  I’ll take simple “what I did, what the results were” bullets over paragraphs with too many details any day. If your resume is five pages long, that first page should be so impactful that I’m forced to read the rest, otherwise I’ll lose interest quickly.
Skills and proficiencies. Yes, we want to see a list or short description of your top skills and proficiencies.  These can include programming languages, command line applications, or even operating systems.  However, keep in mind that ethical hackers are detail oriented and have a great eye for catching things that just look “off” or out of place.  If you list something on your resume and cannot explain to me what it is or why it’s there, remove it; otherwise, when I ask about it and your response is, “...oh, I guess I shouldn’t have put that on there…,” your fate is sealed.
“Form Letter” resumes.  Employers can tell when you have one resume you send out to everyone.  More on tailoring resumes below.
Lack of summary statement and/or cover letter.  I understand that this is a fairly unique job we advertised, even including the words “Are you looking to break into a career in offensive security?”  The problem is that when you apply with little to no offensive security experience, you need to find a way to convince me that it’s something you’re interested in.  A great way to convey that message is through either a summary statement (also called a professional summary or similar) or a cover letter. Highlight the fact that you’re in a job that’s not fulfilling your career desires, tell me why you want to cross over into this career field, remind me to focus on the part of your resume that details your high ranking in HackTheBox or TryHackMe, etc.

Now, on to some of the more successful resume examples.  These are things that will hopefully catch an employer’s eye and give you a quick leg up on your competitors.

PDF resume.  This one is an easy kill, but we still received a lot of Word (.docx) format documents.  PDFs should look the same on just about every device an employer uses, whereas other formats may not render correctly.  PDFs will also reliably render within browsers, .docx files may not.
Professional formatting. Clear headers and logical flow go a long way.  Use a template that’s the best fit for the story of your education and career.
LinkedIn profile.  Look, I get it.  Social media is evil and all that.  But it’s a necessary evil at this point: If I’m interested in your story, I’m going to look you up.  And for better or worse, LinkedIn is the de facto standard these days.  Save me some time – create an account, (roughly) mirror it to what your resume says, and put the link in your resume.  As a side note, if I go to your account and see you’ve actively participated in discussion, included thoughts of your own, follow industry leaders, etc., that’s going to give you bonus points.
Tailored Resume.  As I mentioned above, you must tailor your resume to the exact position you’re applying for.  Scour the job description for keywords you have experience in.  If you see a Men in Black reference in our post (probably dated ourselves there), slip that in somewhere inside your resume, maybe in the summary statement!  Show me you care about this job by letting me know you’re not sending the same resume to every potential employer.

If you were one of the almost 400 candidates we couldn’t extend an opportunity to: Don’t be discouraged! Keep sending out those (properly tailored!) resumes to great companies, keep updating them as your experience grows, and make sure you glance at them once in a while just to make sure they’re ready for prime time.  Also, watch out for new jobs opening up at NetWorks Group.  We’re anticipating more growth and may be looking for new talent soon!

###

Published By: Mike Walker, VP of Ethical Hacking, NetWorks Group

Publish Date:  October 4, 2022


Subscribe to get new content! Never miss a security update from the team.

Security news, tips, webinars, and more straight to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.