So I’m a Googler Now.

On June 20th 2023 I started as a Red Team Specialist at Google (insert confetti emoji). I’m super excited about this position but I would in no way be able to have this opportunity if it weren’t for the countless helpful people in the security community that guided me along the way. I wanted to take some time to reflect on the steps I went through to get here so that others who wish to follow a similar path can do so.

It is impossible for me to give tailored advice to everyone’s specific situation, so I am not going to attempt to do so. Instead, I’ve created a list of information that would have been helpful to me in my specific situation as that is the only thing I know is 100% true. My hope is that some of the information I learned from looking back on my job hunt can be picked up and molded to your specific situation, but remember, there is no one size fits all advice for such nuanced topics and you should be skeptical of anyone who gives very specific advice for such a personal topic.

Some context

For some context, here is the TLDR of my resume I sent out to many places. I will provide screenshots of my resume further down.

• Certs: A+, Net+, Security+, Project+, Linux+, eJPT, eCPPT, GSEC, GCIH, GSTRT, GPYC, GCIA, GDSA, GCED, GXPN
• Education: BS in Cybersecurity (UNG), SANS Masters Information Security Engineering (almost done)
• Job Experience: ~2.5 years in offensive security (pentesting, vulnerability analysis). About 4 years working random jobs (grocery store, warehouse, etc)

The following is a graph of all the jobs I applied for over about a 5 month period. As you can see the majority of the applications I sent went straight to /dev/null and another large portion got denied with pretty generic “sorry, maybe next time” messages. While I was denied from the majority of jobs, looking back, I’m not surprised by this for reasons I’ll get into in the next section.

Lets break down what conclusions I take away from this data.

1. I applied to ALOT of positions and cast a wide net.
2. I got denied from ALOT of positions.
3. While I didn’t have too many interviews, I was doing reasonably well on the interviews I did get. Personally I think this means that I was doing fine interviewing, it was just hard to get that interview in the first place.
4. It’s ok to withdraw from an interview process if you don’t get good vibes.

It takes time, even if you’re qualified: Marathon not a sprint

When I first began my search for a new role, I was blissfully ignorant in my thinking of how long it would take to get and accept an offer. I (incorrectly) thought that I would have an offer within a month. Much to my dismay, that turned out to be very incorrect. In fact, I didn’t sign an offer until about 6 months later. I believe there were many factors that were at play here:

1. The entire industry is having massive layoffs, not exactly the best time to be looking for a new gig.
2. I was aiming VERY high. With a few exceptions, I was aiming for senior roles with only ~2.5 years of security experience" (I’m a strong believer that number of years of experience != experience level. You can be terrible at your job for many years. There are too many factors at play, but that is a whole different tangent for another time.) The exception to my “aiming for senior roles” was companies that either A: Didn’t do the whole senior/junior role thing or B: companies where a non-senior level employee is equivalent to a senior position at another company (these were mostly tech companies).
3. I had a long list of companies I didn’t want to work for either by name, market vertical, or job type. I won’t air out all my grievances, but generally I wasn’t looking for “consultant-style” pentesting (AKA: doing PCI compliance pentests every other week for a new company that isn’t going to fix the critical findings you call out in the report) and a few other types of work as well as market verticals. I am confident I could have found another “consultant-style” pentesting gig very quickly if need be.

I sent out my first application on December 27th 2022 and didn’t accept an offer until mid May, nearly 5 months after my first application was sent out. This was a bit demoralizing but I am grateful for two things. 1. I was already in a very safe job, I wasn’t in any rush to find something new, I could afford (both financially and to a lesser degree, mentally) to take my time. 2. I work VERY hard to make myself competitive. It took a while, but I am very glad I stuck it out for so long. The last situation I wanted to be in was one where I was going to be searching for jobs again within the next two years.

Aim high, then aim higher

I was trying to bat way out of my league when it came to jobs I was applying for. The biggest mistake I see people making is not understanding how valuable they could be to the company they join. This is a very important step, it would be a big mistake to move laterally to a job that would not meet all of my criteria just to be left wanting more and having to repeat the job hunt. Knowing myself and the industry I am in, I am comfortable batting way out of my league because I know that I have put in a lot of work to get where I am at, and I know there are jobs out there that DO meet all of my criteria.

Don’t sell yourself short if you have the luxury of time. The higher you aim, the more time it will likely take and the more mental bandwidth you will have to exert, but getting a job you’re excited about should be your #1 priority.

You probably suck at interviewing

Interviewing is tough even if you know all the answers. Not only does it take a long time, but it is mentally draining. I took a lot of PTO from my previous position solely to interview for new positions. I wouldn’t necessarily recommend doing so, because if you have a set amount of PTO and you don’t land a new job, you can put yourself in a bad spot. Unfortunately I could not handle working full time, interviewing, working on my masters, and doing security consulting on the side. If you’re going to leave, you need to use the PTO anyway, so it may be worth it to take the day off, just be careful.

Interviewing in and of itself is a skill. During the 5ish months I was interviewing, I developed the odd habit of asking myself common interview questions in my head whenever I was driving, doing the dishes, or doing some other mundane task. I think this REALLY helped. I would ask myself things such as “What is your biggest weakness, tell me about a time you had to work with a difficult coworker, describe the TCP 3 way handshake, etc”. Workshopping the answers to these very common questions in my head gave me a good starting place when it came to real interviews. I wouldn’t rehearse an answer, so much as refine my thinking on those types of questions. I would highly recommend looking up a list of common interview questions and learning how to answer them.

Tech interviews are a large time investment, don’t be afraid to end your candidacy for a position if you don’t love the job. I did my best to only apply for jobs where an interview would be a good investment of my time and I ended my candidacy for a position I knew I wouldn’t love.

Do your research

Whether you’re researching a company or a specific position, make sure you do your research. here are a few tips that helped me.

Talk to people at that company to understand what it is really like. I reached out to multiple people at multiple companies I was interested in to understand what it was like working there. I really appreciated how honest some people were at seemingly good companies who told me to stay away because there were a lot of internal issues. Additionally, if you reach out someone you know at a company, they can always refer you which increases the odds that someone will take a look at your resume. I had multiple referrals for multiple companies (and multiple at the same company). All of the companies I was referred to I either had interviews with or decided it wasn’t the right company for me. It never hurts to leverage your network!

Researching the position you’re applying for is also crucial so you can understand how to tailor your expectations, applications, and interview answers. I knew that I wanted to do something in offensive security, but I didn’t really know what. After mulling it over for months (honestly probably more like years), I decided that the best position I could be in would be 1. An internal position (I want to have some sort of stake in what I’m securing) 2. I want to break things but I also want to help fix or detect them 3. The work I’m doing has to be meaningful (No more PCI compliance pentests for companies who won’t even read your report). These three things seem to point me more towards an internal purple team type position. Unfortunately, “Internal Purple Team” yields exactly 0 results when looking for jobs. The closest I could find was some variation of red team engineer, application security engineer, or penetration tester. Depending on the company, those job roles could be VERY different things. Researching the company and reading the job posting very closely was the only way to find exactly what I was looking for.

Research your salary! I get it, salary is a touchy subject for some people but if you don’t ask around and do your research you could be majorly under valuing yourself. If you’re applying to large companies, I highly recommend checking out https://levels.fyi and looking at the salaries listed. You likely won’t find the salaries of security positions, but most big(ish) companies somewhat align their security staff salaries with the software engineer salaries. It is very handy to not only understand your potential value, but also to give you some context for negotiating.

Keep a list of your personal top companies you would love to work for. These could be companies that you know are great places to work. A couple times a month, peruse their careers page to get an idea of how often they’re hiring and what type of qualifications they’re looking for. This can give you some tools and technologies to focus on learning which will be helpful when you’re ready to start applying.

Negotiate your offer

Congrats you’ve gotten an offer! At this point you have the option to negotiate. If you decide that you would like to negotiate your offer, there are a few things you should keep in mind.

I’ll start with a little background, I negotiated 17.5% total compensation increase by researching my position, understanding what I bring to the table, and identifying valid reasons why I should ask for more. Here is a guide for how I did so.

When negotiating you typically have three things you can negotiate. Your base pay, a sign on bonus, and (depending on the company), equity in the form of restricted stock units. Sometimes you can negotiate other things as well, but these are the most common from what I’ve seen.

First, you have to understand a few things:

• It is not greedy for you to negotiate. If you’ve gotten to the point where a company wants you to work for them, they like you and have spent a lot of time and effort getting an offer letter to your inbox. It’s in both you and your future employer’s best interest to have a salary you’re satisfied with.
• Your recruiter is your advocate. It’s unlikely that your recruiter is the one creating offer, instead, they are your voice within the company to those who do create the offer. Be polite!
• Your recruiter is expecting you to negotiate, as long as you’re polite and can advocate for yourself, the worst they can say is no.
• Don’t be scared that your offer will be rescinded because you negotiated.
• You will likely be asked upfront your salary range. Do your research and say you’d like a base salary at the top of your range as well as a competitive equity grant. For this example we will say you said your base salary range was $150,000-$170,000 and you’d like your total compensation to be $230,000.

Let’s run through a scenario to illustrate what to expect when negotiating. Typically your recruiter will call you and give you the verbal job offer and give you the numbers or you will receive a job offer via email.

For this example I will use fictional numbers to demonstrate. Lets say the offer letter has the following numbers: $155,000 base salary and $150,000 in equity over a 4 year vesting period. A typical way of calculating your total compensation is to take your equity ($150,000) and divide it by the vesting period (4 years is typical) and add that to your base pay ($155,000). This will give you a total compensation of $192,500.

This is where doing your research comes in. Take a look at a site such as https://levels.fyi, and figure out what range your offer is in for your position, company, and area. Brainstorm why you deserve to be at the top of your range. This can include many factors but here are a few: You’re leaving something on the table at your current job (money, tuition reimbursement, etc), you will have to commute more frequently (if applicable), etc.

Negotiation script

Now that you have your reasons, schedule a call with your recruiter to discuss the offer. You can use a script like the following once you’re on the call:

1. You: “Hey $recruiter, I got the offer in my inbox and I’m very excited about it, I really appreciate you spending all the time working with me to get to this point. I really enjoyed speaking with the team and I think we’ll be a great fit! I was hoping to increase the total compensation initially offered from $192,500.”
2. The will likely ask what number you were looking for, wanting a number from you.
3. You: “I have been told by my current employer that I am getting promoted next month which will increase my pay by about 10% and I understand $new_company will not pay for the rest of my masters program. Additionally, I will have to commute more frequently for this position. As such I was thinking of increasing the base salary to get closer to the higher end of that $170,000 range I initially provided as well as a bump in equity to get us closer to that $230k total compensation number we discussed previously.”
4. $recruiter: “I understand, I will go back to the compensation team and see what we can do”
5. You: “Thank you! I really appreciate it!”

For my situation, that was all I had to do. Not so bad once you’ve done it, but it can be very intimidating. The biggest favor you can do for yourself is to research the company, position, and be professional. It is in everyone’s best interest to create an offer you’re excited about. If you’re interested in learning more about negotiation, I recommend the book Never Split the Difference.

Stand out from your competition

While it doesn’t guarantee you a job, being capable of performing a job is obviously table stakes for getting a position. Standing out from your competition is essential for increasing your chances. I could write a whole book on this topic (and perhaps I will write another blog post) but here are some things that I have done that I feel helped me not only do well in interviews, but helped me land an interview in the first place.

1. Formal training/certifications. While I’m not a fan of the certification industry, I do have quite a few certifications because I live in the real world and recognize that while I have many qualms with the certification industry, no one can argue that more training is better for your career. My advice is to relentlessly learn as much as you possibly can through whatever means are available to you. If only free resources are available to you, list them on your resume and expand upon the training through research projects turned into blogs posts (and list those on your resume). If certifications are available to you (through employer reimbursement), take them for the training but also take the certification exam as “proof” you know the material.
2. Side projects. The extent to which you spend your free time working on side projects is up to you, but if you’re trying to accelerate your career, the more time the better. Please be aware of burnout though.
3. Connect with others. Doing this through linkedin, twitter, conferences, and other means is extremely helpful and can sometimes directly lead to a job.
4. Market yourself! This is a key piece that I see many others missing. Having a “platform” opens so many doors. Make content, help others, and don’t be afraid to make your accomplishments known.
5. Speak at conferences. I really believe this is something that everyone is capable of doing and it really helps you in your interviews. Most of the interviews I had brought up my talk at Wild West Hacking Fest.

For more information on how to stand out from your competition I recommend the following books:

1. So Good They Can’t Ignore You/Deep Work
2. Atomic habits
3. Essentialism

Consider the opportunity cost

Many people I talked to were concerned with me leaving my current position because I had not been there very long (~1 year 11 months). I find it very common to see people look down on leaving a job that you haven’t been with at least 5 years and quite frankly, I don’t agree with that line of thinking.

If you’re unhappy, underpaid, or bored in your current position, you’re doing both yourself and that company a favor by leaving. Don’t hesitate to leave your current position for greener pastures. You don’t owe any company anything for any reason. As difficult as it may be, consider the opportunity cost of leaving your current position. Although money isn’t the only thing to consider, it can be a big factor for consideration, it all depends on what you value. Some things to consider in opportunity cost are: pay, work interest, career opportunities, work life balance, PTO, and anything else that you value.

Job postings are amorphous wishlists: treat them as such

When hunting for jobs, there are typically many qualifications listed on each job posting. I’ve found that people view these as must have qualifications in order to apply for the job but in reality, they are merely skills that are desirable. Think about it, if you’re hiring for a position, you want to fill that position with the best possible candidate so it is always in your best interest to post a list of a ton of different skills. Often times this turns into a bulleted list of “x years of experience required in Y technology”. What is often left out of this list is that not all of them are actually required.

For my current position at Google, I met only half of the listed qualifications but I was able to make up for those I didn’t meet with other areas of expertise. A job posting should be as guidelines for what type of work you will be doing in that position, not a checklist of skills you need to have to apply to the position. Additionally, if you’re an expert in one technology such as Docker, it is logical to assume that given enough time and resources, you could also learn something such as Kubernetes. I bring this up to draw attention to the fact that your experience in one technology is also an indication that you are capable of learning similar technologies. Use this line of thinking when evaluating if you have the skills required to apply for a job.

Always be applying

Applying to jobs is not exactly what most people would call “fun”. However, to maximize your chances of landing a job you’re excited about, you need to cast a wide net and apply to many different positions. Ideally you should be applying months in advance before you need a new position. This will give you much needed time to sort out what exactly you want to be doing.

One of the things that shocked me was how few applications I sent out actually went anywhere. There were many I applied for that I met all the qualifications for but never heard back from (looking at you Microsoft). Again, I have to stress that you should not be measure your worth based on who responds to your applications.

Resumes matter

Resumes are just as important as they are boring. Have a professional looking resume with all the relevant information easily readable is critical to landing a job. Your resume has a low chance of being viewed and an even lower chance of being viewed for more than a few seconds. Keep it simple, relevant, and easy to read. Here are some quick tips I learned while going through this process:

1. Make a long list of skills you have and job functions you perform in your current role. The goal is to have a massive bank of bullet points you can pull from when you find a job posting you would like to apply for. Once you’ve created this list, you can pull from that list to tailor your resume to each posting you are submitting for. This should take no longer than 2 minutes per posting because you’ve already typed out each bullet point in advance, all you’re doing is taking the most relevant skills and job functions and exporting your tailored resume for each specific job application.
2. List community projects as a section on your resume. This does a few things for you. 1. It signals that you are actually interested enough in this field to be active in the community 2. Can give a sample of your work (both technical and non-technical) 3. Shows that you’re putting yourself out there and learning new things (this is the most important skill you can have in our field).
3. Have other people review your resume for clarity. You interpret jargon you write very well since it came out of your brain. Your goal with a resume is to clearly identify your skills you bring to the table, not sound smart. Having someone who does not work in the security field review your resume is the best way to improve the clarity of each point.
4. Don’t be afraid to put that you are learning about a technology on your resume. There is no point you reach in cybersecurity when you stop learning, and you should always be a beginner at something. As you can see, my current resume has “Rust (In Progress)”.

I highly recommend checking out Lesley Carhart’s “Landing a Job: Resumes and the Application process” talk on this topic! and if you want more information on job hunting specifically, check out Jason Blanchard’s “Infosec Job Hunting” webcast.

You can’t just rely on technical skills

Improving your technical skills is an important and necessary way to climb your own personal career ladder, but there comes a point where the opportunity cost associated with only focusing on technical skills will start to become very apparent. When you’re applying for more senior level positions, technical skills will be table stakes, you must bring other skills to the table too.

These can be whatever it is that you think is best for your own career, but the ability to do deep technical work and present that information in an impactful way is something that I have identified as being particularly important. I have a long way to go, but discussing these goals in interviews and on your resume will help you immensely.

Build bridges on your way out

When it does come time to leave your current organization, do your best to not only not burn bridges, but actively try to build more bridges along the way. Sometimes you leaving will open up cool new opportunities in the future for both you and your old coworkers. There will be those who are rude to you for leaving. Don’t let them sway your decision to leave. If you’ve gotten to the point where you’re considering leaving, that might be a sign that you do in-fact need to leave. If people give you serious grief over it once you let them know you’re leaving, that just reinforces the notion that you made the right decision to move on. Don’t take it personal.

Leverage the community

One of the best things you can do for your career is help give back to the security community and the best time to start doing so is right now. Not only are you going to help people along the way, but you will inevitably end up getting the attention of those already established in the industry who can help you in your career. I’m not saying you should give back to the community purely because it will help you in your own career, but it is an unavoidable outcome of being a decent human being and that is not something you should be ashamed of.

When it is time for you to start looking for a new position, you can quietly message friends you’ve met online or at conferences to see if they are hiring. Even if they aren’t, you might be introduced to someone they know who is hiring. The greater your number of connections, the greater the number of potential jobs you have access too. I wrote a blog on why you should start a security blog that touches on this topic The important part you need to remember is that if someone reaches out to you, you should take their request seriously and find out if your position is currently hiring.

A quick rant on hiring CTFs

The first pentesting job I ever applied for had a 6 flag CTF that was part of the “technical interview”. As someone who was new to the industry, this was an amazing opportunity where I could prove my technical competence without having the formal background to back it up. It’s a decent compromise for the “chicken and the egg” problem we run into when getting into the industry.

I think they’re an amazing tool for entry level positions but when you approach intermediate-senior level positions they’re terrible. Asking candidates to dedicated a week of their time to a CTF to be considered for a non-entry level position should not be expected by anyone. Applying to jobs is already time consuming enough, adding an arbitrary CTF in is a waste of time/resources at best and insulting to the candidate’s time at worst. You should be able to gather everything you need for technical skill level through previous experience and technical interviews. I understand the sentiment of why companies feel they are a good tool for hiring, I just think they’re wrong about it when it comes to hiring non-entry level employees.

Anything else?

That about sums up my experience with searching for jobs recently. I hope that you find some of this information useful. If you did, let me know on any of these sites or shoot me an email via blog[AT]grahamhelton.com. I’ll be heads down getting acquainted with my new role for the next few weeks but one of the reasons I was excited about this role is that I should have more time (and freedom) to post detailed blogs about topics I find interesting. If that is something that you find interesting, follow me on twitter to be notified when I post something new. Until next time.

:wq