An interview with CPTS first blood, William Moody

It’s official. Our Certified Penetration Testing Specialist (CPTS) certification has its first successful pass! We caught up with William Moody to learn about his experience taking the CPTS certification. He also shares his journey into cybersecurity and tips for beginners who are choosing their next certification.  

Fun facts about William Favorite movies: In no particular order: The Shawshank Redemption, Inception, The Matrix, Se7en, No Country for Old Men. Favorite games: I very rarely play video games anymore, but I grew up on Counter-Strike and Minecraft. Favorite tech: Contact lenses. Where would I be without them... Education: BSc Software Engineering from the Technical University of Vienna Hobbies: Weightlifting, motorcycles, and of course, CTFs.

You studied software development and programming, but work in cybersecurity. How did that happen? 

I came to Austria to study Software Engineering at the Vienna University of Technology. In the fourth semester (out of six) there was a mandatory course called an Introduction To Security. It was led by an Austrian CTF team who participated in many CTFs, and they made the course so captivating that I wanted to learn more about cybersecurity. It was way more interesting than programming (which is something I’m good at and have been doing since fifth grade). I find that cybersecurity is more like a satisfying game - one that rewards you for finding a vulnerability or solving a challenge.

After taking the introductory security course, I was inspired to go for the OSCP certification. I spent three months every day doing a couple of hours of material and labs. I passed on my second try. It was hard for me because I had never used Linux up to that point and was mostly a Windows user. Over the next summer break, I dove right in and tried to learn as much as possible about Linux and security. 

By the fifth semester, I was eager to start working so I applied for pentesting jobs and ended up working for one of the largest private data center operators in Austria. 

What is your day-to-day at work? How does HTB help you? 

I work for Raiffeisen Informatik, one of the largest private data center operators in Austria. We host a lot of data centers for smaller banks in Austria. My day-to-day involves a lot of internal pentesting with relatively few external tests - it’s almost all networking and internal infrastructure. We occasionally do Red Teaming. 

Hack The Box has helped because it was my first introduction to the cybersecurity world a couple of years ago and has sharpened my practical skills! But the thing with pentesting is that you have to develop your own methodology, and you develop your own routine. 

When you merge your training and learnings together, you have a sum that is greater than its parts. This means that CPTS won’t apply to every pentest you do. Neither will OSCP.

What did you like the most about CPTS? 

I really enjoyed how realistic the training is. It teaches you to creatively problem solve and think for yourself instead of relying on the work of others, which is critical for any cybersecurity professional. 

I say this because I’ve noticed other popular courses and certifications on the market feature unrealistic vulnerabilities that are sometimes overly complicated, based on public CTF style exploits, or use software or environments that you won’t encounter in the real world.

Another great thing about CPTS is the exam and grading process. I completed the exam in five days, but you have ten days in total. It follows the format of an external pentest of an organization with a large Active Directory network, and you need to submit a realistic penetration testing report to complete it. My report was graded the day after submission. 

Most of the content is also covered in the modules leading up to the exam, and you can take the exam whenever you want. Regardless of whether you pass or fail, you get personalized feedback for every attempt which is extremely beneficial for learning. The certification is also great value for money when compared to other vendors, especially if you have a student plan.

You’ve got 11 certifications including CPTS, CBBH, and OSCP. What’s your advice for beginners choosing their first cybersecurity certifications? 

Most certs will benefit you. If, let’s say you have a limited budget and you have to pick one, choose something that gives you the skills that you need the most. 

Your reason behind taking a certification is also important. If you’re doing it just for interviews or because you think you have to, you might not learn much from it because you’ll rush the process. Overall, I think certifications are very useful, but you have to understand why you’re taking a certification or course. Otherwise, you’re less likely to put in the required effort and get the maximum value out of it. 

What’s your advice to people who are going to take the CPTS exam?

I’ve got a complete guide to taking the CPTS certification, but I'd say: 

• Pay attention to the modules. All vulnerabilities in the exam are covered in the relevant module. 

• Use the search function on the Academy to help you find information and answers for your exam. 

• Take a ton of in-depth notes from modules to prepare for your exam. For example, have important commands ready. 

• You will already have the necessary knowledge by the time you sit your exam, so take your time enumerating. Once you’ve found everything, you can start to exploit.

• Find everything there is to find before you go in-depth on anything. Take it slow. You have ten days. 

• If I were to hire someone and they did CPTS, I’d value it. 

What is your favorite thing about HTB Academy?

Everything’s explained from the ground up and you have interactive machines that you can practice with. You’ll learn a lot, especially if you’re new to the topics. Most cybersecurity training vendors have this in some way, but I like the way HTB integrates content with interactive elements to be more engaging and help you understand what you learn. 

What suggestion would you give to someone starting in cybersecurity?

Knowing a programming language is extremely beneficial because you’ll understand what you’re testing from a developer's perspective. If I had to pick one language to learn, I would pick Python, even though it is a scripting language. It’s versatile and enables you to create scripts for automation or exploits. It might seem overwhelming at first, but once you understand one language, it’s easier to learn others. With enough practice, programming eventually becomes a mindset rather than a technical thing because it’s just the syntax that changes. 

Finally, if you want to get good at cybersecurity, it needs to be a passion. You should want to learn about cyber. It changes so often, with new vulnerabilities, new attack vectors, etc. that you should like learning. This is one of the biggest assets for a career in IT/cybersecurity. 

 

Author bio: Hassan Ud-deen (hassassin), Content Marketing Manager, Hack The Box Hassan Ud-deen is the Content Marketing Manager at Hack The Box. Combining thought leadership and SEO to fuel demand generation is his jam. Hassan's also fascinated by cybersecurity, enjoys interviewing tech professionals, and when the mood strikes him occasionally tinkers within a Linux terminal in a dark room with his (HTB) hoodie on. #noob. Feel free to connect with him on LinkedIn.