I was told at one point that some interviews take CTF scorecards into account when hiring. Does anyone here have any experience with that?
For my first pentesting job, I was told my HTB rank was one of the deciding factors in hiring me over other candidates. When I eventually ended up running interviews, it was one of the things we looked for in good candidates; we would score high ranks on CTF platforms like HTB roughly equivalent to some of the low- to mid-level certs like OSCP and OSWE. It's been around four years now since I left that job, but I imagine they still do something like that; maybe the rankings are different now that boxes are more standardised? Can't say I know anything about their new HTB cert.
It is getting so hard to stay on the morally correct side of the keyboard
I have probably said something like this to myself a hundred times in my heckin soyber security career when I look at bugs that are used to steal unbelievable amounts of money and data. I figured I'm too shit at covering my tracks to actually get away with crimes, and that it is safer to stick to my desk job of finding similar bugs in corporate shitware instead.
If you wanna have a low-stakes shot at trying your skills on some real prod targets, bug bounty is how you do it. Don't expect wins like in a CTF though; the biggest difference between a CTF and the real world is that in the CTF you know there's an issue there to be found and exploited. IRL there's no guaranteed bug or issue there, so you can't check yourself with the "it's just a skill issue, try harder" method that gets us all through our CTF years.
Once you're in a consulting job, you can't spend six weeks hunting an obscure bug in a third party dependency and R&D-ing it into a workable exploit for your target app, because time is money and ACME LLC isn't gonna pay for that time (ironically your employer will pay for a similar amount of time spent doing that to get some expensive cert that says you passed the CTF for that qualifies you in jiggling the splines of certain types of software in a special way only to never do that in your day job), you just have to cast your net wide to catch any low hanging fruit and go as deep as your time limit allows praying for gets, which is really unsatisfying after the first few years of "wow I'm finally here and doing it" wears off and you're testing the same app for the Nth year in a row with some manager breathing down your neck for a report that is due in a few hours that contains 85% identical content to the one you wrote a year ago because they fix things at the rate of 1 thing per year.
I'm jaded if you can't tell.