Or "How I wound up as a Penetration Tester five months after dipping my toes into InfoSec"
First: I do not have a degree in CS. I don't have a degree, actually. (A lot of people in infosec don't. A lot of people have several. Don't freak either way.) My last IT-labeled-as-IT-on-the-job-description experience is from right before Windows ME was inflicted upon the general public.
Also, I'm coming from another field with a lot of skill overlap. The last career-ish thing I did was flying spacecraft and satellites. Yes, seriously.
The second thing I should do before going into anything is note that I'm not a n00b to IT. My friends in high school were the guys playing with computers and trying to hack into things. I wasn't one of them per se, but there were some lively Windows vs Mac discussions that went on and my mother would punish me by taking away my 28.8 baud modem so I couldn't access my favorite BBSs. I was (im)properly introduced to Linux in 1995, and learned from a sysadmin point of view that year on a network that was migrating from SunOS to Solaris. My then-boyfriend sat me down at a terminal, showed me what a man page was, then said "Okay, now untar this .tar file." I swore at him a lot, but married him anyway the end of that year. (Didn't last, but it wasn't emacs vs vi reasons.) And yes, I untarred the file.
My first email account was off a shell account, and I used elm, then pine, to read it. I wrote my first web page in HTML, using emacs, and learned permissions the hard way – chmod is not always your friend, but fortunately the sysadmin was.
I worked dialup tech support for a year. A few months after that I lucked into an internship on a project at NASA Goddard. I took that and learned everything they let me. When there was an opening on the Flight Ops Team, I jumped at that and got hired because they knew I knew the spacecraft. There is a really surprising amount of IT involved in aerospace; UDP encapsulation, scripting, coding in a language very similar to Perl. Later when I worked at a private aerospace company, I actively monitored the router status pages, asked the network folk about error messages I saw, and would rlogin to teammates' computers to pop xeyes up and play silly sound files. (Twelve-hour shifts can get boring if nothing's breaking.)
I sometimes run Linux at home; this blog is self-installed Ghost on an AWS EC2 instance because I wanted to play with command line again. At one point I made my then-eight-year-old daughter install Ubuntu from a USB key.
WITH THAT IN MIND. Look at the common thread – I kept playing with Linux, making mistakes, and USING it. And once you have the basics down it's really easy to go look up blogs on how to escalate privileges. Windows, same. Read anything that holds still long enough. Yes, you have to read. No, ADHD isn't an excuse – I have it as well.
Now, the "how"...
If you're reading this, you very likely came over from Twitter (at least as of this writing) and saw my tweet about "five months" and/or the "Sixteen years ago I heard of DEF CON" thread. This is in context of those. I'm trying to put together everything I did that contributed – specifically and especially the reproducible stuff.
Straight up? A lot of it's social engineering, benign type.
First, go to any convention you can! There are often sponsorships, people giving away badges, things like that. Look at local stuff first; there's often a BSides within not-awful range of most people. If you can wrangle travel, look for people looking for roommates at the locales. (And vet them – there are creeps out there, all genders targeting all genders. Listen to the grapevine.) Watch recorded talks from conventions. But in person is best. THAT is where a chunk of the networking happens.
Conventions are also where you can drop in to things, watch things quietly or interactively with lots of questions, and get a feel for what really appeals to you. Ignore where you think you'll fit. Look at what appeals to you.
Things that are helpful at conventions:
Put together a website/blog (like this one!) They're cheap to free unless you want a domain name, and those are fairly low cost depending on where you look.
Make a page on there, doesn't have to be linked on the home page, that is an online CV. (Mine is here and I have to update it.) Bonus points if you can edit your blog, and therefore this page, from your phone. DO NOT put your address or phone number on this – you might even avoid your name. Email address yes, but rearrange it to make it at least a little harder for spamspiders.
Hit up Zazzle or similar for custom business cards. On one side, your name and your specialties and a method of contact you won't freak out if randos get but that you want to use for business communications. On the other side, the URL to your CV. Memorable without over-the-top is good unless you have a trademark gimmick; mine are black with a pretty metallic-looking logo on one side and the info I mentioned on the other, on a heavier-than-average paper. Because they're black, I also carry metallic ink pens. Yes, I am That Person with the glitter gold ink pen at a professional conference.
Get a SECOND set of cards that look very different and have your name and Twitter handle, email address, whatever – this is your "social" card and you can use it when you don't want to give your resume card but you REALLY want to make sure that fascinating person can reach you later and you're not sure where you can find a working pen. (Networking! Plus making friends.) Leave one side blank and don't use gloss paper; you want to be able to write a phone number on it if you DO have a pen! (Mine are half-height with my name and Twitter handle. Half-height means I don't confuse them with the CV cards.) (This is also useful if you have kids going to a sleepover and want to make SURE their friends' parents can reach you.)
I had so many recruiters at networking events (another feature of conventions!) say that they had never seen anything like that idea and loved it. I also dropped my name in the hat a few times by paperclipping my card, CV URL side out, to a job description.
Twitter! If you somehow are here NOT though Twitter and don't have a handle there, get one. It is by far the most useful networking tool I have run into. LinkedIn is as well, and I strongly recommend having one with an updated profile and a PII-sanitized copy of your generic resume uploaded to it, but Twitter seems to be where the magic happens. (It does tend to help if you don't have 666, 69, or overly-off-color references in it, so you know.)
And on Twitter... follow people. Chat with them. Interact. Post something more than code snippets and retweets – though don't neglect the retweets, especially of jobseekers and job postings. Make friends. Be social. Be you. Note that your @ will usually stay the same, but you can change your screen name at will. Use that to your advantage; mine was "Cat is seeking a remote PM/tech writer job" for a while, then I changed it to "All Cat wants for Christmas is a new remote job" and left it. Every time you comment, retweet, like, anything that screen name (and therefore what you're looking for/that you're looking) will be seen. Tweets you make that get retweeted broadcast your search. Free advertising!
Oh yeah. That's another thing. BE YOU. Yes you'll see some people backing away. That's fine and don't sweat it (and yes, I know how hard that is; I have anxiety and "OMG they hate me!" issues out the wazoo.) This offer I just accepted? The person who contacted me did so because I lost my temper and wrote a several-tweet rant about the difficulty of coming over to infosec from another field. He knew I was looking because I had that "new remote job" thing as my screen name. The thing is, I was me and being my cranky fed-up self and it attracted the right opportunity.
Talk to people. Get into conversations about what you do, what you did, hobbies, bits that happened during the course of a workday at previous jobs. I never thought to put Linux on my resume until I did this; to me it was almost minimal, just something I did. Not fancy like the tools that get talked about – Wireshark, Kali Linux, Metasploit – nah, I just know how to kill processes, ping and traceroute remote servers, play with .profile and .bashrc files, setenv variables, little stuff like that to make your command line all cozy and comfortable for you and see if somewhere you want to go is up and running at a reasonable speed. It never occurred to me that this sort of thing is valuable.
I'm willing to bet that you, the entity reading this, whoever you are, have at least two things like that. Things you do without thought and don't think are worth mentioning... but that someone else will say "wait what?!" about. You may never realize them if you don't talk to people. Once you realize them, put them on your resume.
Resume! Have one. Have it editable online, say Dropbox or Google Drive or the aforementioned CV page. Have a skills section. Add things to this section even if you don't think they're big deals. This is where editing your CV page from your phone is useful; you're in the hallway at a BSides chatting with someone, you say something and their eyes go wide or they say "wait what tell me more!" Whatever skill that is? Add it. Right then, so you don't forget.
Mention on Twitter that you're trying to get your resume in shape and could use help. You WILL get DMs. Accept the help. Especially if the person intimidates the heck out of you when you look them up on LinkedIn and/or see their resume. Thank people for their help. Do not run yourself down. Ever.
Put together a tweet that states what you're looking for and what your skills are. Link to your CV and possibly your LinkedIn. I tend to keep it at CV most of the time, since when I use the LinkedIn I get some kinda creepy responses. Ask for retweets. Consider a similar post for LinkedIn.
And here's a key: state clearly what you are looking for. Not multiple times a day, but maybe once a week. If you don't get "hits" from specific stuff, open it up and be more general. Figure out 1-2 things you MUST have, be it location, field, entry level, whatever, state those, and leave the rest fuzzy. You never know what's going to pop up that might not be what you were looking for, but is perfect. Case in point: I was looking for project manager and/or technical writer jobs. But my "name" just said "remote job" after a while. I hadn't even thought of pentesting as something I could do. I have friends who are pentesters and they're... kinda weird, some of them. Others are fine but "oh be careful it's highly specialized and don't go near the dark web because there are awful people there" etc etc etc. Which, yeah, there are. I mean you want your camera and mic covered and an onion-type browser at the very least. But I digress. In any case, it's not a specialty that I thought of as something I had the least chance of being qualified for so I never even looked at the requirements in postings.
Let's see... oh! Presentations! This one will likely need its own post for full explanation, but the short form is that someone in the infosec community tweeted "Anyone want to give a presentation in a week? It's put together and has a slide deck ready, I just heard from my work that they won't let me do it." The presentation was at a conference that's very near me, so I said hey, why not... what's it about? It turned out to be a topic I actually have some personal experience in, so I agreed to take it over, went over it with the originator and we made some tweaks, and presented it. Apparently I didn't do too badly, and when the recording of it was available I posted the link to that on Twitter, on my LinkedIn, and in a post here. Things like that won't always come up, but watch for them and grab them when they do! They're good to add to the "I did stuff" file, it gets you better known in the community, it gets your name out as someone who gives back (a very very big thing), it may broaden your horizons a little if the subject matter isn't immediately familiar, and it lets you get into a conference and be there for other presentations. (There's a method to the madness.)
And you may also think of things that you can present on. If that happens, put something together and watch for CFPs – Calls for Presentations – at conferences near you. If what you have can be tweaked to fit their theme, or you can come up with something that would fit, SUBMIT! You may be rejected but that's fine... and now conference organizers recognize your name.
You'll notice I didn't mention certifications. That's because there are a lot of different views on them. Some places won't look at you without them. Others don't care – certs can be acquired, and can be expensive and not everyone can pay for them. If you have them, excellent! If that's all you have and you're relying on them rather than getting your hands in the bit buckets, maybe not so excellent. Practice is more useful than theory. I also know several people who make my jaw drop with how skilled they are, but they are not good test takers. You'll see a lot of different opinions out there; even if someone you respect holds an opposite view from you on certs, take it with a grain of salt.
Another thing: watch for red flags. There are companies that have well-known names; talk to the people who work there. See what the usual age range is. See if there's a common personality type. Ask about turnover. If someplace has a high turnover for the type of job you want, ask why. Churn happens for a reason, and it's your choice as to whether that would be an acceptable risk for you.
And possibly the biggest thing of all: if anyone says you can't do something that there is no actual obstacle to, look at them as though they have just peed on the dining table. Then go do it. But be polite about it. (Partly because being polite and refusing to engage will drive them up the wall.)
If I remember anything else, I'll come back and add it here. I hope this is somewhat helpful.