My experience getting a Cybersecurity Job as a graduate

Fahri Korkmaz, published in Nerd For Tech, Oct 6, 2023 (16 min read)

I recently finished my master's thesis and was looking for a job in the cybersecurity domain, as this is my biggest passion. I want to share my experience with you in this article so you can better prepare yourself for the job hunt. The article describes my prior experience, the interview processes, salaries and benefits, and red flags to watch out for. I will also give tips on how you can stand out as a candidate!

My prior experience


Experience matters when searching for and landing a new job. In this section, I want to share my professional experience with you.

After school, I started studying computer science. The main focus of my studies was Software Engineering. In fact, the bachelor's program doesn't differ that much from a cybersecurity bachelor's. I also had cybersecurity classes, and I got a deeper understanding of low-level concepts (operating systems, networking, etc.) than my friends studying cybersecurity did. In my bachelor's thesis, I implemented a network laboratory for red and blue teaming in the AWS cloud.

After my bachelor's I immediately went on to a master's in computer science. During my master's I mainly focused on Data Science, as this is another area I am passionate about. Furthermore, I strongly believe that Machine Learning will have a huge impact on cybersecurity in the upcoming years, so it was not a bad idea to get exposure to this field during my studies. In my master's thesis, I implemented a Reinforcement Learning agent to solve the Nurse Rostering Problem. In the literature there are hardly any Reinforcement Learning approaches to the nurse rostering problem, and my agent performed best on certain instances of the Shift Scheduling Dataset.

Alongside my studies, I also worked in the field as an intern and working student. I started working in the second semester, in Software Engineering of web applications and embedded devices. This helped me better understand web vulnerabilities as well as low-level vulnerabilities such as race conditions and buffer/stack overflows. After that, I spent time in a Security Operations Center, where I mainly did Security Monitoring. Then I worked in Security Consultancy at one of the Big Four companies, followed by one year in the Red Team of a DAX company. Finally, I switched to a software engineering consultancy to write my master's thesis.

Furthermore, I educated myself in cybersecurity by reading books, watching YouTube channels (TheCyberMentor, HackerSploit, John Hammond, etc.) and participating in security capture-the-flag competitions. However, I do not hold any certifications.

As you can see, I did not solely focus on cybersecurity. I tried to get as much exposure to computer science-related topics as possible, and that's also what I would recommend to anyone who is currently studying. Not only will it open as many doors as possible for you, but you will also gain skills that no one can take away from you. For example, I am able to develop software all by myself, from requirements engineering to deployment. Because of my master's studies and my thesis, I am also capable of implementing Data Science projects from start to finish. Additionally, I still have the skills to work in cybersecurity.

So I would also recommend that you learn as many high-value skills as possible. By getting exposure to many fields, you will also better understand what you are passionate about. For example, if I had never focused on Data Science and never worked in the field, I am pretty sure I would be asking myself in a few years whether Data Science would have been a better path for me. Based on my experience, I know that I am more passionate about cybersecurity than about Data Science.

The statistics


I applied to 32 organizations and got 21 interviews. 6 companies never responded, and 5 rejected me without an interview. 2 companies rejected me after the first interview. I declined the second interview at 3 companies because I either did not like the position or spotted some red flags 🚩. I withdrew from the process at 9 companies because I already had a better offer elsewhere. Furthermore, 2 companies ghosted me after the first interview, and one company ghosted me after I had to reschedule the interview because of a doctor's appointment.

The positions I applied for were: Incident Response, SOC Analyst, CTI Analyst, Penetration Testing, Red Teaming, and Security Research. I applied in the following industries: consultancy, manufacturing, automotive, aerospace, transportation, energy, chemistry, software, telecommunications, government and research.

The interview processes


The interview process differs from company to company, but every one of them consisted of at least 2 interviews; the maximum was 3. Two companies had an “Experience Day”, where you go to the company and work alongside your future colleagues for one day. The interviewers were HR staff and technical staff from the department I would be working in.

Some HR-related questions I got:

  • Why should we hire you?
  • Why did you choose this company?
  • Which nationality do you have?
  • What is your earliest start date?
  • How many hours do you want to work?
  • Why did you choose computer science as your major?
  • Why are you interested in cybersecurity?
  • Can you describe your previous working experiences?
  • How would you react, if a customer asks you a question and you don’t know the answer?
  • How do you manage your time?
  • What is a project you are very proud of?
  • What are your hobbies?
  • What is your expected salary?
  • How would prior colleagues describe you?
  • What are your career goals for the next 3 years?
  • What would your ideal working environment look like?

Every interview process consisted of technical questions. Here are some of the questions I got asked:

  • What is the difference between TCP and UDP?
  • Can you explain to me the TCP 3-way handshake?
  • What are the minimum requirements for a valid HTTP request?
  • Which web vulnerabilities exist?
  • Which tool can be used to make a port scan?
  • Which tool in Burp Suite can help you spot SSRFs?
  • How would you pivot to an internal host, if you have compromised a system inside the DMZ?
  • You unplug the network cable from your laptop. Then you plug it in and open example.com in your browser. Describe in detail, what happens on a network level, until you see the website example.com in your browser.
  • Which forensics artifacts exist to analyze if a program has been executed on a Windows machine?
  • What does the incident response process look like?
  • What do you think is the difference between CTFs and real-world penetration testing?
  • How would you analyze a phishing email?
  • How would you analyze malware?
  • Why do you need threat intelligence in Red Teaming?
  • Explain the ISO-OSI Model.
  • What might be the problem from a forensics point of view, if you shut down a machine?
  • How can malware persist on a Windows machine?
  • Where are Linux credentials stored?
  • How can you escalate your privileges on a Windows machine?
  • What would you do as a first response, if a client calls you and says one of their machines has been compromised by ransomware?
  • What would you do to recover from a ransomware attack?
  • What is the difference between IDS and IPS?
  • Here is a Wireshark screenshot of a pcap. Describe which protocols were used and which domain got contacted.
  • What is SQL Injection and how can you prevent it?
  • What are the three types of XSS vulnerabilities?
  • What is RCE?
  • What is IDOR?
  • What is the difference between Symmetric and Asymmetric Encryption?
  • Why don’t you just use Asymmetric encryptions?
  • What is a hash function?
  • What can be a problem with hash functions?
  • What port uses a ping request?
  • How does a Port Scanner know, which operating system is running?
  • Which flag do you need to pass to Nmap to scan all TCP ports?
  • How does the Stealth Scan work in Nmap?

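Two of the questions in the list above, “What is a hash function?” and “What can be a problem with hash functions?”, are ones you should be able to answer with a concrete demonstration rather than a definition. The following is an added example written for this article; it is not code from the original post. It shows the two problems an interviewer is usually fishing for: an unsalted, fast hash lets one precomputed table crack every user's password at once (fixed here with a random per-user salt and PBKDF2-HMAC-SHA256), and every hash function has collisions, which become findable at roughly the square root of the output space (shown by truncating SHA-256). The wordlist and the iteration count are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist standing in for a leaked-password list (assumption, not from the post).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "summer2023"]

# Assumption for the demo; in production tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 100_000


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256: fast, deterministic, unkeyed. Fine for integrity checks, not for passwords."""
    return hashlib.sha256(data).hexdigest()


def store_unsalted(password: str) -> str:
    """The weak scheme: store SHA-256(password) directly. Equal passwords give equal digests."""
    return sha256_hex(password.encode())


def crack_unsalted(stored: str, wordlist) -> Optional[str]:
    """Problem 1: without a salt, one precomputed table is reused against every stored digest."""
    table = {sha256_hex(word.encode()): word for word in wordlist}
    return table.get(stored)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The hardened scheme: random per-user salt plus a slow, iterated KDF.
    The salt is stored next to the digest; it is not a secret, it just kills precomputation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time so the comparison
    does not leak how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, expected)


def truncated_hash(msg: bytes, bits: int) -> int:
    """Low `bits` bits of SHA-256(msg), used to make collisions cheap enough to find by hand."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") & ((1 << bits) - 1)


def find_collision(bits: int) -> Tuple[bytes, bytes]:
    """Problem 2: collisions exist for every hash function and, by the birthday bound,
    turn up after about 2**(bits/2) distinct inputs. For 16 bits that is a few hundred tries;
    for full SHA-256 it is 2**128, which is why the output size matters."""
    seen: Dict[int, bytes] = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
        i += 1


def demo() -> Dict[str, object]:
    """Run both scenarios and return the observations as data rather than printing them."""
    weak = store_unsalted("letmein")
    salt_a, digest_a = store_salted("letmein")
    salt_b, digest_b = store_salted("letmein")  # same password, second user
    a, b = find_collision(16)
    return {
        "unsalted_cracked_as": crack_unsalted(weak, COMMON_PASSWORDS),
        "salted_digests_differ": digest_a != digest_b,
        "salted_verifies": verify_salted("letmein", salt_a, digest_a),
        "collision_pair": (a, b),
        "collision_confirmed": a != b and truncated_hash(a, 16) == truncated_hash(b, 16),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Both halves map onto the interview answer: a hash function is a one-way, fixed-length, deterministic digest; the problems are that determinism without a salt enables rainbow-table style lookups, that speed enables brute force (hence the iterated KDF), and that collisions are unavoidable and only as hard to find as the output length makes them.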
For certain penetration testing and red teaming positions I also had to do a hacking challenge. These are the types of challenges I got:

  • Penetration testing of a banking web app and writing a report for the third interview, within 1 week
  • Finding at least 2 vulnerabilities in a web application within 10 minutes, during the interview
  • Getting access to a network laboratory of 3 hosts and writing a report within 1 week on how I compromised the machines
  • Getting access to a network laboratory for 6 hours, compromising the machines and writing a report for the next interview
  • Solving Jeopardy-style CTF challenges and writing a write-up

For one position as an Incident Responder, I had to analyze malware and create a report for the next interview round. For another Penetration Testing position, I had to create a 10-minute presentation on a technical topic of my choice.

The first interview I got was within 1 day of applying, and the first offer I received came within 2 weeks of applying. At most companies, only a CV was required for the application. A few organizations required a cover letter, a CV and even my transcript from school. At some companies you also had to do an online test when applying; at one company the online test consisted of a German, an English and a maths test.

Tasks

In this section, I want to share some day-to-day tasks of the roles I applied for.

As a penetration tester, you will mostly test web applications; that is the main business of all these consultancies. After 6 months to a year, you get the chance to branch out into other kinds of penetration testing, for example infrastructure, mobile or cloud. There were also specialized companies offering unique tasks, such as penetration testing of aerospace telecommunication systems, trucks, or payment systems. At consultancies that also offer Red Teaming, you can move into the Red Team after 2–5 years, but you also have to obtain certain certifications; the ones named to me as prerequisites were the CRTO, CRTL, CRTP, OSCP and OSEP. As a penetration tester you also advise customers on how to remediate the findings.

For a Red Team position, the day-to-day tasks would be penetration testing of infrastructure as well as actual Red Teaming, where you test the Detection and Response capabilities of the organization. As this was an internal Red Team, you would occasionally also help the SOC in case of incidents.

The incident response positions consisted of acquiring and analyzing digital evidence, as well as advising the customer.

As a SOC analyst, your main tasks would be monitoring and escalating tickets to the CERT.

Salary and Benefits


The salary range for an entry-level position was between 50k€ and 78k€. Please keep in mind that I am from Germany and salary ranges depend heavily on the country you work in. I applied for positions in Bavaria, Baden-Württemberg, Hessen, Nordrhein-Westfalen, Saxony, Hamburg and Berlin. In my experience there was no big difference in salary between the federal states. The companies I applied to have between 20 and 400,000 employees, and I also saw no big difference in compensation by company size; some of the smaller companies even offered more than the bigger ones.

Most of the salaries were fixed. A few included a bonus, for example depending on the company's performance and/or your own. These bonuses ranged from 6% to 14%. One company also gave stock options as a sign-on bonus, and another paid a 15% bonus based on the revenue you generate.

The number of holiday days ranged from 28 to 30. Companies were offering these benefits:

  • eGym Wellpass
  • Bike Leasing
  • Car Leasing
  • Deutschlandticket, BahnCard 50 1st class, BahnCard 100 2nd class
  • Flexible Working hours and 100% remote work
  • Corporate Benefits
  • Mentoring program
  • Bring your dog to work 🐶
  • Sabbatical
  • Free drinks and coffee
  • Company canteen
  • Company vacation/retreat, where the company pays for everything (hotels, flights, etc.), e.g. traveling to Greece with your colleagues for one week, etc.
  • Bonus when referring employees
  • Travel reimbursement to the office
  • Personal use of employer hardware
  • Employee events
  • Access to HTB Pro Labs

I also asked about salaries for senior positions. Companies are willing to pay between 70k€ and 100k€ for senior staff.

On average, defensive roles such as Incident Response and Blue Teaming pay more than offensive roles such as Penetration Testing, but the difference is not that large. In defensive roles, however, you will most likely be expected to work night and weekend shifts.

Working hours


Most of the companies have full-time employment of 40 hours per week. One company had 38 hours a week, another 36 hours and another 35 hours per week.

One company had an 80% remote work policy. That means you have to be in the office once a week, or 4 times in one week and then work from home for the other weeks of the month. That company also pays hotel and driving costs if you have to travel to the office, and the time you travel to the office counts as working time. So if you have to travel 6 hours to the office, you only have to work for 2 hours on that day.

At most of the companies it was possible to work from home. Only at one company did you need to be in the office every day. Some companies have a hybrid approach, for example requiring you to be in the office once or twice a week. At one company you had to be able to reach the office within 1 hour in case of an incident.

In Incident Response and SOC roles, you will occasionally have to work on weekends, and you also have to work in shifts. There was only one penetration testing position where you occasionally had to work night shifts for certain engagements.

At one penetration testing position, you had to travel 2 weeks per month, but most companies keep travel to a minimum; 1–3 weeks a year is the average.

Training


Every company will pay for certifications and training, with a budget between 2k€ and 5k€ per year. Every company that has cybersecurity as its primary business is willing to spend at least 5k€ per year per employee on certifications and training. Most companies also give extra days off for certifications; one company, for example, gives 2 days off before and 2 days after your OSCP exam. Companies are also willing to pay for expensive training such as SANS courses. Some also pay for HTB subscriptions and for books if you want to read some.

Some companies also have internal training on certain topics, but these don't cover specialized areas such as Red Teaming. Companies also pay for attending industry conferences and for soft-skills training.

Red Flags 🚩

Yes, you are looking for a position. But keep in mind that in every interview the company is also applying to be your employer. So don't ignore red flags, or you might end up in a toxic work environment and be back on the job hunt within a few weeks.

I encountered some red flags during my interviews. At one company, at the end of the virtual technical interview, the HR interviewer asked me whether I had cheated because I occasionally looked to the top right. I consider that a red flag: if a company does not trust you during the interview process, it won't trust you as an employee either. When I get asked difficult questions and have to think for a moment, I tend to look to the top right corner; that's how I avoid getting distracted while thinking. The question was also pointless, because during the technical interview I did not know the answers to certain questions that would have been trivial to look up on Google. And my hands were clearly visible on the webcam, so if I had tried to Google something they would have seen me typing. My microphone was on the whole time, so if I had asked somebody in the room for an answer, they would have heard it. Clearly a red flag to me 🚩.

Another red flag is when companies ghost you, especially the one that ghosted me after I had to reschedule an interview because of a doctor's appointment.

Another company tried to invalidate my work experience and my computer science major during the interview. I would also consider that a red flag: if they invalidate your work experience during the interview, they will also invalidate your accomplishments on the job to avoid promoting you 🚩.

If you have read the part on interview questions, you will have noticed that I was asked about my nationality. In Germany this is not an appropriate question to ask in an interview and can be considered a red flag. In this case, however, it clearly was not one, because the question was necessary: the positions I was applying for required a certain citizenship because of regulations.

Standing out as a candidate


Don't worry, you don't need a panda costume to stand out as an applicant! :)

Especially for entry-level positions, you have to stand out to have a chance of getting the job. Entry-level positions attract people with very good grades, people who focused solely on cybersecurity (e.g. with a bachelor's and master's in cybersecurity), and people with work experience who are transitioning to cybersecurity from other domains. That's why it's important to stand out as a candidate.

For every cybersecurity position, you need a solid understanding of networking fundamentals. You need to know the common protocols, such as HTTP, TCP and UDP. Furthermore, you should have a solid understanding of cybersecurity: understand the CIA triad and frameworks such as the Cyber Kill Chain or MITRE ATT&CK. If you want to really stand out, you should also have a good understanding of cryptography, as this is where many applicants are weak. Be able to explain the difference between hashing and symmetric/asymmetric cryptography, name a few pros and cons and applications of each, and give examples such as RSA, AES or SHA-256. This applies especially if you are a computer science major, because at least one interviewer told me that most CS majors lack cryptography knowledge compared to cybersecurity majors. If you have this knowledge, you will ace the technical interview.

For a junior in pen-testing, it is important to have a solid foundation in web vulnerabilities. Get familiar with the OWASP Top 10. You should be able to explain how to exploit each vulnerability and what the underlying problem is, and you should be able to suggest remediations. Giving appropriate remediation suggestions will set you apart from other applicants at the interview. I was asked about infrastructure-related vulnerabilities at only one company, where I applied for the Red Team. Most companies ask web-related questions, because that is the main business of all penetration testing companies.
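The interview question “What is SQL Injection and how can you prevent it?” from the list above and the advice in this paragraph (explain the exploit, the underlying problem, and the remediation) are best answered side by side. The following is an added example written for this article, not code from the original post. It builds a constructed in-memory SQLite users table, shows a login check that concatenates user input into the SQL text, shows the classic `'--` and `' OR 1=1--` bypasses against it, and then the parameterised version that the same payloads cannot break. The table contents and payloads are assumptions made for the demo; passwords are kept in plaintext only to keep the injection visible, a real application stores a salted password hash.

```python
import sqlite3
from typing import Dict, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample users table (assumption, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "alice-pw", "admin"), ("bob", "bob-pw", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Vulnerable: the input is pasted into the SQL text, so a quote in `username` changes the
    structure of the statement. `alice'--` closes the string literal and comments out the
    password check; `' OR 1=1--` makes the WHERE clause true for every row."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Hardened: parameterised query. The SQL text is fixed at parse time and the driver passes
    the values separately, so they are only ever compared as data, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the legitimate login and both payloads through each implementation."""
    conn = make_db()
    comment_payload = "alice'--"        # target a specific account
    tautology_payload = "' OR 1=1--"    # log in as whoever the first row is
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "alice-pw"),
        "comment_vulnerable": login_vulnerable(conn, comment_payload, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, tautology_payload, "wrong"),
        "comment_safe": login_safe(conn, comment_payload, "wrong"),
        "tautology_safe": login_safe(conn, tautology_payload, "wrong"),
        "legit_safe": login_safe(conn, "bob", "bob-pw"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The remediation to state in the interview is the one the second function shows: never build SQL by string formatting, use parameterised queries or an ORM that does so underneath, and additionally run the application's database account with least privilege so that even a successful injection cannot read or alter unrelated tables.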

Another thing to consider is your CV. Update it and tailor it to the company you are applying to, and do that for every single application. Many candidates don't; they have one CV and spray and pray.

Another way to stand out is to build a portfolio of projects, for example by contributing to open source projects or creating content as a blogger or YouTuber. Most companies also value it if you do TryHackMe or HackTheBox.

Before the interview, read through the vacancy and get familiar with the company's services. During the interview, ask as many questions as possible, smile and be friendly. Show that you really care about the company and make the impression that you will be able to help it reach its goals.

Conclusion

I hope I was able to give you a good understanding of what it is like to get your first cybersecurity job. I only applied to organizations within Germany, so experiences may differ in other countries.

I would recommend building a cybersecurity portfolio and participating in Capture the Flag competitions if you are serious about your career goals; both helped me a lot during the job search. Furthermore, do internships and work as a working student during your studies. Studying full-time while working is very stressful, but you will stand out when applying for entry-level positions, and it gives you exposure to the field and helps you build a network.

When comparing offers, don't overthink, and don't try to squeeze out the best possible deal. You won't be able to, because you only spent about 3–4 hours in interviews at each company, and you can't make a well-informed decision on such limited impressions. Concentrate on the few factors that matter most to you. Most good, high-performing companies, even if you reject them, are more than happy to welcome you if you decide a few months later that you made the wrong choice. Almost every company whose offer I rejected said I was free to contact them if it turned out my choice was the wrong one.

Furthermore, if a company contacts you after your application and says “The process will take a while because we got great applicants and need time to go through the resumes…”, don't waste your time. I got about 2 responses like this and was rejected after multiple weeks without an interview.

Another important factor is to get into a company where you will learn as much as possible. I would recommend consultancy jobs, because you get huge exposure to many industries, work on multiple projects, and build a bigger network, which helps you in the long run. I had colleagues who worked at a consultancy for 1 year and then switched to one of the customers they had worked for, getting a salary raise of 30–40%. Early in your career it is very important to invest in your human capital and not treat salary as the only factor. But don't take a low-ball offer either: in my experience, every high-performing company is willing to pay at least 60k€ (with or without bonus) for a graduate.

If one of my interview partners is reading this, then thank you for your time and thank you for the interview process :)
