
From poker player to Senior Pentester at Oracle: Jeremy's journey into cybersec

From stockbroker and pro poker player to gaming PC salesman, Jeremy’s journey is inspiring! Read on to learn how he carved out a career in cybersecurity.

Hassassin, Oct 04, 2022

Jeremy Chisamore's journey into cybersecurity is inspirational! 

He went from stockbroker to professional poker player to high-end gaming PC salesperson (selling to celebs and professional athletes) and, finally, penetration tester.

Reeling from layoffs and events outside his control, Jeremy adapted and diversified into multiple different career paths before diving head-first into cybersecurity. 

He was determined to succeed “without a plan B” and “even if it killed him.”

Starting off as a self-taught junior security consultant (who admittedly forgot the OSI model acronym during earlier interviews), he’s now a Senior Penetration Tester at Oracle.

Fun facts about Jeremy

Favorite movies: Hackers, Rounders, Fast and the Furious (the first one).

Favorite games: Counter-Strike (if by the number of hours played). The Mass Effect series, and Witcher 3.

Favorite tech: My gaming PC.

Education: Bachelor’s Degree in Management Science.

Hobbies: PC Gaming. Poker. Cars. Tinkering with anything I can get my hands on.

Did you have an interest in technology when growing up? 

I’ve been a PC gamer since I was four or five years old and learned how to read on one of these bad boys:

[Image: Jeremy Chisamore’s first computer]

To stop me from constantly messing with his work computer, my father bought me a PC (he was one of the early adopters of remote work and had his own consultancy business in the 80s and 90s).  

I eventually took college-level computer science in high school around 1999, but I didn’t enjoy it because I got bored. Let’s just say the math teacher instructing the class wasn’t exactly the most inspiring professor of all time. 

At one point, my friends and I used the Windows 98 DCOM exploit to get admin rights to the school library computers so that we could install and play Diablo 2 via a LAN party. (I used the same exploit almost 20 years later when training for certifications!)

Note: Hack The Box doesn’t condone the unlawful hacking of systems and networks. 

You went from “tinkering” with computers to gaining admin access to your school library’s computers. How did you learn to do this? 

Primarily just by networking with people, but since this was in the 90s, it wasn’t through the traditional Twitter, Slack, and Discord platforms but instead forums, Bulletin Board Systems (BBS), and Internet Relay Chat (IRC).

Google wasn’t as big back then, but I would find these sites through friends I met gaming and would literally just ask, “How can I install this game as a regular user?” and people would chime in on how to gain administrative rights.

(It’s interesting to note that throughout this period, the concept of this being a valid career path never occurred to me.)

What made you go from working in management and finance to cybersecurity?

I was broke after getting my four-year management degree and I chose it as a standard and secure path to take (I didn’t realize a cybersecurity career was something I could pursue). 

Due to my financial circumstances, studying for a Masters or MBA wasn’t an option. So I chose to enter the workforce immediately as a stockbroker at a small brokerage firm. 

The job lasted around 6 months because it was boiler room-esque; you weren’t allowed to sit in a chair or enjoy a coffee unless you closed a sale.

The wealth management and financial services firm Merrill Lynch then hired me as an investment advisor, but the 2008 mortgage crisis happened. Bank of America acquired Merrill Lynch, and during the merger I was made redundant. 

I eventually worked at a company called MAINGEAR. We built and sold high-end gaming computers and had customers like Snoop Dogg and Henry Cavill (who nearly missed the casting call for his Superman role because he was playing World of Warcraft).

I got laid off (once again) from MAINGEAR in 2016, and that’s when I took a serious interest in cybersecurity. 

While flying out to visit family in Canada, I was killing time at an airport bookstore and picked up a book on cybercrime called Future Crimes (Marc Goodman). 

My initial reaction after reading it was “Oh my god, this is a valid career path. People can hack things for a living and get paid for it?”

I then got serious about switching to a cybersecurity career. I networked with people, followed cybersecurity influencers on Twitter, and set my sights on the OSCP certification.

Fortunately, my wife was working at the time and she supported my goals. 

Did becoming a professional poker player help your cybersecurity career?

Poker was well before my cybersecurity career, as I played PokerStars and Full Tilt between 2010 and 2012. I was struggling after the mortgage crisis and a buddy told me about playing poker on the internet. At that point, I hadn’t sat through a single poker game in my life, but the idea interested me and I was living with my parents so I could afford to take the risk.

I went all in. 

I hopped on forums and networked with some of the best online players in the world. Paid coaching, extensive note-taking, and intense hand analysis in forum discussions were also key parts of my learning program. 

As my poker skills developed, my earnings increased to the point where I was making an entry-level salary playing poker from home. 

The approach I took to progressing in poker is identical to the one responsible for launching my cybersecurity career: 

  • Network with others who are ahead of you

  • Learn from the best

  • Invest in coaching and education

  • Learn to coach yourself

  • Analyze your weaknesses 

  • Commit to the journey ahead

My poker career came to an abrupt stop when the Department of Justice shut down online poker websites because they apparently breached the Federal Wire Act. (The act criminalized the use of interstate telephone lines to run a betting or wagering company.)

So I’d say that becoming a professional poker player did indirectly benefit my cybersecurity career. It taught me how to adapt after losing to forces outside of my control, learn new/complex subjects from scratch, and go “all-in.”

(If you're new to penetration testing, read our what is penetration testing post to understand the basics.) 

You managed to gain an entry-level cybersecurity role and build up the necessary foundational knowledge without a formal CS/IT degree. What was the process like? 

Building up my foundational knowledge was honestly a struggle. 

The learning curve was steep. (Learning is a lot easier now than it was back then thanks to platforms like Hack The Box.)

I didn't have a formal Computer Science degree and while I had some experience tinkering with computers, basic exploits, installing Linux, etc., the practical in-field experience a Sysadmin, for example, might have was missing. 

OSCP was the first cert I wanted to get because I wanted to prove that I had the fundamentals down. 

However, I didn’t learn much from directly attempting it because there was no classroom/theoretical teaching; you got access to labs but there was limited training. You’ve also got to be cautious about asking for help. That could violate their code of conduct, which would strip you of your certification. 

After gathering recommendations from people in the industry on Reddit and Twitter, and to build up to the OSCP, I did eLearnSecurity’s penetration testing certifications.

The OSCP itself was quite difficult and took 292 days when starting from scratch. 

I failed three times, scoring higher on each re-attempt.

You failed your first three attempts at OSCP, what changed on the fourth? 

My dad asked, “If you fail this a fourth time, what’s your plan B?” 

My response was “I don’t have a plan B. I’m going to do this if it kills me.”

This was when I found HTB and ippsec’s YouTube videos. I’m eternally grateful for ippsec and for the Hack The Box platform because they’re what I needed to get over the hump and pass on my fourth attempt.

I didn’t want to pay for 90 days of OSCP just to flounder around and fail again. So for 3 consecutive months before my final successful attempt, I did HTB machines as practice because HTB is affordable and has extremely relevant machines (they had the same exploit paths as OSCP machines). 

While training on these machines, I started networking with other HTB members. It was (and still is) an extremely supportive community. 

We’d bounce ideas off each other and fill in knowledge gaps, which is extremely helpful when you’re new to an industry and trying to land your first job. 

The friends I made on the platform referred me to HTB’s Talent Search job board, where I applied for Context Information Security and landed my first role as a junior penetration tester.

I ended up starting the job on the same day as the friend who recommended me (we met via the HTB community) and my cybersecurity career took off from there. I progressed rapidly from consultant to lead consultant and then senior consultant.

It’s cool how all HTB users know each other! 

Now that you’re in a senior position and hire other cybersecurity professionals, what have you learned? 

You can teach technical skills to almost anyone, but the same doesn’t apply to soft skills. 

Enroll someone in a web app cybersecurity training course, and they’ll learn how to check for web vulnerabilities, but can that person properly present those vulnerabilities to a client?

I’m now in a position where I’m hiring junior cybersecurity professionals, and I value soft skills just as much as technical skills. I’m asking myself:

  • Can we confidently put the candidate in front of a CISO or senior management team?

  • Can the candidate speak and convey technical issues to non-technical audiences in a simple way? 

  • Do they produce professional write-ups, emails, and reports?

I’d also add that it’s hard to match formal qualifications and CVs to on-the-job performance. That’s why I pay attention to a candidate’s attitude and extracurricular activities. 

One example is HTB activity on a resume when hiring juniors. It shows that a candidate is deeply motivated and invested in developing their skills. 

At Context Information Security, for example, two juniors we hired were already active on HTB and it showed. They were extremely technically proficient and they passed the OSCP in approx 30 days. We were extremely impressed with them. 

Advice for people getting started? 

Life is short, and finding what you're passionate about is hard, so when you discover what you want to pursue you’ve got to go all in. 

With regards to where to get started, I’d suggest HTB. For around $10/month, the value is undeniable. 

I’d also add that if you’re starting this journey a little later in life, it’s not about catching up. I changed careers and didn’t get my first cybersecurity job until I was in my thirties.

I had peers who were ahead of me that I wanted to catch up to, but as I progressed in my own career I realized that it’s more about the overlap. Everyone has their own unique expertise, and once you work within a team, the collective skill sets and capabilities are more important than individual specialties.

Hire and get hired for cybersecurity positions with HTB

More than 150 open cybersecurity job opportunities are listed on the Hack The Box Career Portal. 

Aspiring hackers can apply directly to roles posted by companies worldwide such as Amazon Web Services, NTT, Verizon, Daimler, DAZN, Context Information Security, and more.

At the same time, organizations can access a growing pool of talented individuals and discover their next ideal cybersecurity hire. Our new and revamped Talent Search helps recruiters find the perfect candidate more quickly and confidently than ever.
