Module 10 · Lesson 3 · 20 minutes

💼 First Job as a Junior Pentester

The final lesson of the course. From "completed the course" to "getting paid". Resume, LinkedIn, and how to pass an interview.

📖 Why You Need to Know This

In 2023, a large Russian company, Positive Technologies, announced a recruitment for Junior Pentester positions. Out of 5 available positions, 1200 applications were received. Only 200 of them were valid, and only 30 had practical experience on HackTheBox and bug bounty platforms. Only 8 had at least 3 published write-ups.

All 5 hired candidates were from those 8.

Lesson: it's not about the diploma or years of experience. It's about demonstrable skills that allow HR and tech leads to be convinced that you are already doing it. This lesson is about how to properly "package" yourself to pass the selection process.

📄 What Makes a Pentester's Resume Different

🎯 In a Nutshell (30 seconds)

A typical IT resume includes education and work experience.

A pentest resume, on the other hand, focuses on portfolio: links to your HackTheBox account, bug bounty profile, write-ups, and CTF participation. These are verifiable proof of your skills.

A good pentester resume should include:

Contacts + Summary — 2-3 lines about who you are
Skills — specific tools: Burp Suite, nmap, Metasploit, sqlmap, hashcat
Certifications — OSCP / CPTS / CRTO + date of completion
Portfolio — the most important part: HTB profile, HackerOne profile, GitHub
Write-ups — links to 3-5 of your public write-ups
Work Experience — even non-security related (programmer, sysadmin, IT support)
Education — even without a diploma (courses, self-study)

🎯 What to Include in Your Portfolio

What	Why
HackTheBox profile	Shows your rank and solved machines
HackerOne / Bugcrowd profile	Reputation and valid reports
GitHub	Your scripts, tools, and write-ups
Personal blog / Medium	Your technical articles
CTFtime.org	Participation in team CTFs
YouTube (optional)	Video write-ups of CTFs (a big plus)

🔗 LinkedIn — The Main Channel in 2024

LinkedIn is the main channel for hiring in international companies. In Russia, it's growing.

📋 What Should Be on Your LinkedIn

Headline: "Junior Penetration Tester | OSCP | HTB Pro Hacker" — immediately visible who you are
About: 3-5 sentences with keywords (pentest, OWASP, red team)
Experience: even non-standard experience (participation in CTF, bug bounty finds)
Skills: 20+ skills, ask friends to confirm (endorsements)
Activity: respond to security posts, publish your write-ups 1-2 times a week

🏢 Where to Apply (for Russian speakers)

Russian companies:

Positive Technologies — the largest security company in Russia
Group-IB / F.A.C.C.T. — incident response, threat intel
Bi.Zone — security from Sber
Kaspersky — antivirus, research
Solar Security — SOC, monitoring
Tinkoff / Yandex / VK / Sber — internal security teams

Foreign companies (for remote work):

Bishop Fox, NCC Group, Mandiant — global pentest consulting
Praetorian, Cobalt — boutique pentest
EPAM, Luxoft — outsourcing with a security focus
Y Combinator startups — often hire junior security

📧 Template for a Letter to a Recruiter

Cold email in 10 lines, specifics + links:

Subject: Junior Penetration Tester — interested in a position at [Company]

Hello, [Name]!

I'm Ivan, a beginner pentester with a focus on web vulnerabilities.

Over the past year:
- Passed CPTS (HackTheBox)
- Solved 50+ machines on HackTheBox (rank: Pro Hacker)
- Found 3 valid bugs on bug bounty (HackerOne, reputation: 45)
- Maintaining a blog with write-ups of real cases — [URL]

I saw an open position for Junior Pentester at [Company].
I'm ready for a technical screening at any convenient time.

Resume and portfolio: [URL]
HTB: [URL]
HackerOne: [URL]

Best regards, Ivan

🎤 Technical Interview — Top 7 Questions

📋 What to Prepare For

"Tell me about the last machine you hacked on HackTheBox" — your story
"Explain how SQL Injection works" — in simple terms, like to a friend
"What's the difference between XSS and CSRF" — in simple terms
"What is OWASP Top 10" — name 3-5 from the list
"Show me your pentest methodology" — reconnaissance → attack → post-exploitation → report
"Practical" — they'll give you a virtual machine, ask you to show how you'd start
"What's the last thing you read in security" — books, blogs, podcasts

💪 Soft Skills Are Also Important

Communication — pentesters write a lot (reports) and explain to clients
Curiousity — they might ask "what would you try on such a stack" — the desire to dig is important
Responsibility — pentest = sensitive data. NDA, ready to answer for actions?
Willingness to Learn — security changes quickly, need to constantly catch up

📈 First 3 Months on the Job

Keep quiet and learn — observe how seniors work
Ask "dumb" questions — while you're junior, it's allowed and encouraged
Do your first pentest under the supervision of a senior
Have a weekly 1-on-1 meeting with your mentor
Maintain a personal knowledge base (Notion / Obsidian) — record new experiences

💰 Career Path and Salaries (Russia, 2024)

Level	Experience	Salary
Junior	0-2 years	80-180 thousand ₽/month
Middle	2-4 years	200-400 thousand ₽/month
Senior	4-6 years	400-700 thousand ₽/month
Lead / Principal	6-10 years	700 thousand — 2 million ₽/month
Own consulting / startup	—	no ceiling

🤔 Simple Test to Check Understanding

What makes a pentest resume different from a regular IT resume? → The focus on portfolio (HTB, bug bounty, write-ups), not education/experience
Where should you "package" yourself for security? → LinkedIn — the main channel for hiring in the industry
What are 5 companies in Russia for junior pentesters? → Positive Technologies, Group-IB, Bi.Zone, Kaspersky, Solar Security
What question do newbies typically "fail" on? → "Tell me about the last machine you hacked" — lack of specifics
How long does it take to go from Junior to Senior? → 4-6 years of active work

🛠 You Can Skip This, But It's Interesting

Go to LinkedIn Jobs and search for "Junior Pentester" / "Junior Penetration Tester" / "Security Engineer Intern". Open 10 job postings, look at what skills and certifications are required. This is your next "shopping list" for learning.

🤖 Final Vibe-task

Open Claude and ask:

I've completed the "Hacking from Scratch. AI-powered" course.

Create a personal action plan for the next 12 months:

Months 1-2 — basic practice:
- What to do every day?
- Which platforms?
- How many hours?

Months 3-6 — first bug bounty payment or first job:
- What specific steps?
- What to learn?

Months 7-12 — junior pentester position or $1k/month from bug bounty:
- What to specialize in?
- Which companies to apply to?

Let's compare results with this plan in a year.
Explain it like you would to a 10-year-old. No jargon.

💡 Main Takeaways from the Lesson

🎓 What to Take Away

Pentest resume = portfolio: HTB, HackerOne, write-ups. Not a diploma.
LinkedIn with the right headline (role + certifications + skills) — the main channel.
5 companies in Russia to start with: Positive Technologies, Group-IB, Bi.Zone, Kaspersky, Solar Security.
Cold email to a recruiter — 10 lines, specifics + links.
Junior salary in Russia: 80-180 thousand ₽. Grows quickly with experience and certifications.
First 3 months on the job: keep quiet, learn, ask questions, maintain a knowledge base.

🎉 Final Thought

This course is 0% of your future career. 100% is what you'll do after.

Hacking is a marathon, not a sprint. Those who practice 2-4 hours a day become professionals in a year. Those who complete the course and give up forget everything in a year.

Good luck. Do it. Don't give up.

🏆 Congratulations on Completing the Course!

What you now have:

✅ Understanding of the basics — ethics, law, career path
✅ Linux, network protocols, web
✅ Experience with SQL Injection, XSS, CSRF on DVWA
✅ Knowledge of Burp Suite, Metasploit, hydra, sqlmap, hashcat
✅ OSINT and social engineering recognition
✅ A ready plan for bug bounty
✅ A ready plan for your first job

Next — practice. Every day. For a long time. Calmly.

← Lesson 10.2 🏠 Back to Course