2026 Cybersecurity Roadmap with a Master Hacker

Hacker pentesters are really a very small segment of cyber security industry. They want somebody to protect their business. 80% of the cyber security jobs are in protecting companies and organizations. So I know that you know people talk about imposttor syndrome where like I I I don't want to do this because I don't know enough. I don't feel like I know enough. Everybody feels that way. [laughter] >> Exactly. Exactly right. >> Everybody feels that way, but everybody feels that way. So don't let that stop you. One of the things that I would, if I was new

to the industry, that I would really look seriously at is DFIR, right? DFIR, digital forensics and instant response. These guys get paid well. They're the people who come in after a hack, right? And they're the ones who have to decipher what took Place. Hey everyone, it's David Bomble back with the amazing OTW. OTW, great to have you back on the show in the new year as well. >> Oh, thank you very much. It's always an honor to be asked to be on your show, the very best cyber security channel on YouTube. >> So, if for

those of you who don't know OTW, have a look at our videos that we've created. We've created a whole bunch of videos. I've linked them below, But OTW is also the author of this book, Linux Basics for Hackers. fantastic book if you want to learn Linux and you should do that in 2026 but he also takes the view of Linux for from a hacker's point of view and if you don't know OTW he has years and years of experience being a hacker he can teach you about pentesting he can teach you about uh cyber security

and that's all we're going to cover in this video I believe but before we get there notice he's also Written this book getting started becoming a master hacker as well as network basics for hackers and OTW I hate to put you on the spot before we get before we get into the interview. Right. You are writing a book Python for hackers as well, I believe. >> Right. Right. Yes, I I am writing a book and hopefully it's finished uh within a month or two from when we're speaking right now. So, look for that book and

it's it kind of fits into the whole um Model that I've been trying to build, which is to create books for the fundamentals of cyber security. So these books are all I would consider to be required reading for gaining the fundamentals of Linux networking and Python. >> It's 2026 now, right? People may have New Year's resolutions. They may decide that this is the year that they're going to get into cyber security and they need a path or roadmap To do that. And that's always the the sort of the feedback I get and I'm assuming you

get as well. I want to become a ethical hacker. I want to become a pentester. I want to get into cyber. How do I get there? OGW, I hope you're going to give us a road map or something. I will say this. I'm assuming that this this topic Linux is somewhere in there, but I don't want to put words in your mouth. So, get us started. You know, how do I become like you? >> Okay. Thanks, David. Yeah. Everybody makes their New Year's resolutions come January. January 1st, January 2nd. I do, right? I don't always

I don't always I don't always keep them, but I I make them and I try. >> But this year, this year, you're going to do it. >> This year, I'm going to keep my resolutions. I'm going to keep all of them. So, I'm hoping that people make those New Year's resolutions. And for The people who are watching your show, I mean, a lot of them want to get a job. They want to get started in cyber security. And so let's talk about the broader topic of cyber security rather than simply pentesting. So what I would

do if I was a young person starting out today and it's January, beginning of January and I'm making a resolution, I would make a resolution says I will get a job in cyber security this year. Now how do I get >> how do I get there though? Right? So one of the things that you need to do is the the the the aspiring cyber security person and I will point out first of all that cyber security is really a a fascinating field. I mean I love it here and I've been here for a long time.

You know it's always exciting. You know sometimes you know you're dealing with you know geopolitical situations that are cyber in nature right? So there's lots of stuff going on. I think that It's the the cyber community just keeps on growing and so there's going to be more and more jobs. The the jobs are well-paying. If you stick around the industry, you're going to make a good living and you're going to be able to, you know, buy yourself a nice house and a nice car and and have a good career. So it's a good if if

you have the determination and the persistence and the aptitude this is a great field to be in. So if I were starting out right now The first thing I would do I think even before learning Linux what I would do is like you need to know this might this might be you know seem like a a a no-brainer but you need to understand the computer system that you're working with every day. If that's a Windows system or a Mac system, get to know it, right? Get to know it really well. Get to know the inner

workings of it, right? And so this would even come before learning Linux. I think if you're and Most people most people who are watching this are probably working on a Windows system and you know all they know is how to tweet and do Google searches, right? Google searches are good, right? But you know you need to understand how that system actually delve deeper into how Windows actually functions, right? And so if somebody says to you, you know that this piece of malware is make is changing a key in the registry, you better know what the

registry is and What the registry does, right? In a Windows system. That's the first thing. Know your system. Know what you're working with. and and I've seen people trying to start in cyber security who really don't have good fundamental skills even in the operating system they're working with daily. So that's number one and then once you've mastered that or at least you know have some depth you're not going to nobody ever masters anything you just have to keep On learning all the time. That's that's one of the the mantras of cyber security is that because

our field changes so rapidly that you have to constantly be learning, always learning, always learning because the world keeps on changing. And if you, you know, studied cyber security 10 years ago, you're not going to have a clue as to what's going on now and much less longer than that. Things change that rapidly. >> OtW, sorry to interrupt you just before We continue. um understanding computer systems is that like some people might want to read books, some people might want to go for certifications or training classes. I know you have training classes, so we'll link

uh your website below, but I and I think you train an A+ course. I think CompTIA A+ is is that what you're thinking when it comes to like fundamentals of computers. Is that kind of like aert that's kind of related to this topic? >> That would probably be the certification that's closest to what I'm talking about. Right. So the A+ from CompTIA is going to give you some of these fundamental understanding of your system that you need before you can even progress into cyber security. And CompTIA has a lot of introductory level certifications. They have

some more advanced ones as well. So they have A+, they have Linux plus, they have network plus, right? Those are all kind of Fundamental grind floor certifications that show that you have mastered or at least have a good understanding of those skills. Um I often times will have people apply to me with um with certificates of completion. [laughter] >> Yeah. Yeah. Yeah. >> Certificates of completion. We offer certificates of completion but that only says that you have completed the course that you've gone through all the videos or you sat in it doesn't say that you

Have have gained the knowledge that's necessary. So you need to prove that you have gained the knowledge not just completed the course. If you come to me and give me 20 different certificates of completion that's that's meaningless. I need something that is going to show that you actually are competent in that particular field. Certificates of completion are in my opinion worthless, right? But at least for job applications, they're they're really, You know, I I don't want to discourage people um but really what do they show? They show that you sat through a course. That's all

it shows. It doesn't show that you have actually learned anything. So I want to see something where you've been tested and you've been able to show that you have some mastery of the subject. So the CompTIA and I I don't get any any commission from CompTIA but what the beauty of the CompTIA um certifications is that they have all Of these fundamental certifications that are non vendor specific. Right? So they they're they're not Microsoft, they're not m they're not Linux, they're not Cisco, they're do you understand the fundamentals without being particular to any one vendor.

And that's why I do like their entry-level certifications is because they're not vendor specific. doesn't mean that you can't get a high level of in understanding and certification from going to a Microsoft Certification or Cisco certification. The CCNA is is an excellent certification, but it's it teaches you how to work with specifically Cisco products. And Cisco products are widely used and uh they're all over the place. So that's not necessarily a bad thing, but you know, you need to understand how these networks work on multiple systems, not vendors specific. At least that's my opinion. >>

Oh yeah, I I I understand what you said About certificate of completion. I think it's better than nothing, but I I agree. Get the C because that proves that you actually have a level of comprehension of the of the topic, right? So A+ >> A+ is a good place to start with what I was talking about initially which is understand the system that you're working with and have some some depth in understanding you're not just clicking on you know websites and doing Google searches you actually understand what's Going on behind that. So the next step

is to learn Linux, right? And and I know of a pretty good book for doing that, right? Maybe it looks like this, right? >> It looks it looks looks very similar to that. And that's that's a second edition. And uh you know, I wrote it just for that purpose. I wrote it because when I was training US military, I was dealing with some really smart guys and gals. Mostly guys, our industry is overwhelmingly male. So, we always Welcome females in the industry. Um, mostly males and they were really smart and they knew what they were

doing. They knew Windows really well, but they didn't know Linux. And so, I I wrote like a little handbook for them to learn the basics of Linux. And then that became the book. And one of the things that um you know the the book tries to convey to the reader is how would you use Linux as in cyber security not just as an administrator administrators are Great that's a good job to have too but in cyber security we use Linux a little bit differently and so that's what I tried to put in there so I

would make that the next step >> so OTW I think for Linux right are we talking about Linux plus from CompTIA here or is there some other cert that you you recommend for learning Linux or is it just general Linux knowledge? >> Well, there is a Linux plus certification from CompTIA which is a is A good one. Um we have a hackers arise white hat hacker has a Linux basics for hackers certification as well. So either one of those are going to be excellent. They're going to prove that you know some basic Linux. Ours is

more attuned to cyber security and it's also more attuned to the information that's in the book. So if you read the book and you understand the book, you're ready to take that test. Whereas the the Linux plus and the others, they're good for Understanding how Linux works, but they're not specific for cyber security. when you're trying to break into this field, you got to know the fundamentals first, right? You got to know, you can't, you know, end up being, you know, a pen tester if you don't even understand the basics of Linux and networking. I

mean, it's just not possible. You can't do it. So, that raises the question of what do I do next to my fundamental skills? And I would Put on that list networking. You need to understand how networks work and that's why I wrote network basics for hackers. The same thing some fundamental networking some firewalls um the the various different protocols that are used in networks. So that book was designed for that purpose. It doesn't you don't have to read that book to get those skills, right? I mean my book there's other books out there that will

convey the same information. I Think that I try to design that book for the industry. So you know it's it's not required but it's something it's an area that you need to master or at least have fundamental skills on. >> So OTW the two searchs that are often spoken about with networking is network plus and CCNA. What are your opinions of those? And you know would you recommend one over the other? Would you recommend both for this networking section? >> I would recommend both. CCNA and Network Plus are both good um certifications and it shows

that you you know you have grasp this knowledge and you have a a fundamental understanding of it. So either one of those are good. Um in some cases the CCNA is going to carry more weight in the industry because it's it's better known um and Cisco dominates the world of networking. So it might put you on a path towards being a network engineer um if that's what you want to be. But if You're it it will show that you have a fundamental understanding of networking that if you're if you think that you're going to spend

a career in networking, I would say go to the CCNA, right? Go to the CCNA if you really just want to spend your career in cyber security. And I don't think it really matters. Both of them will be good. >> Yeah, I think that I mean I always advocate I mean I'm biased perhaps because I am a CCIE and you know been a Longtime Cisco advocate if you like but um the great thing about CCNA is it does open a lot of doors because it carries a lot of weight but yeah like you said you

might end up becoming a network engineer rather than being pure cyber but I mean you could combine those. So that's great. Thanks. And there's nothing wrong with being a network engineer, right? That's a that's a great career as well. But in in cyber security, you know, it's it's it does carry weight in cyber Security does carry weight. The network plus though also is going to prove that you know the basics of networking. >> That's great. And then so we've got sorry just to summarize understand the computer system. So like fundamentals then we've got Linux number

two. Uh networking is number three. Uh so what's number four? >> Number four is scripting. If you're if you can write scripts that Python scripts, bash scripts, PowerShell Scripts, it's really going to be a plus for you in trying to find a job because in all honesty, there's a lot of people in cyber security who can't write scripts, believe it or not. Right? So if you go ahead and you can show that you can automate tasks through scripting, it's going to be impressive to a potential employer and it's going to make you valuable to them.

And so that means probably initially write bash scripts. Bash scripts are pretty simple And then learn PowerShell, right? PowerShell is being used today as we speak. PowerShell is being used by a lot of attackers once they get inside of the Windows system. They are then using PowerShell for pivoting in the system, gathering information in the system. So it's PowerShell is a really good one. We have a class on PowerShell coming up in Feb in March. Uh PowerShell basics for hackers. You don't have to come to that class, but it's one place that you can Turn

to to get a fundamental understanding of how PowerShell works. Bash is the the terminal in Linux is a great place. It's easy to learn. Uh and then Python is probably 80 to 90% of the tools in cyber security are written in Python. Right? So if you want to be the person who can write scripts that are can either be defensive scripts or they can be attacking scripts or just scripts that are going to automate a lot of the Tasks that you do every day. Python is probably your best tool for doing that. That's why I'm

finishing up this book on Python basics for hackers, which will be Python specifically for cyber security and hacking to give people a fundamental understanding of of Python. And then it's not meant to be the endall book on Python like there's a lot of books out there that are thousand pages long. It's kind of meant to be like Linux basics for hackers. a good place to start to Gain the basics and then you can advance beyond that in the future. >> I'll I'll mention PowerShell, right? A lot of people perhaps who are new to the industry

don't realize that most corporate systems run Windows still, right? >> Yes, most corporate systems still run Windows. So, you know, you're in the in the general public, it's over 90% of the systems are still Windows. Um, and so as an attacker, you want to be able to Understand the system that you're attacking. And oftentimes, PowerShell plays a role in that attack sequence. And so once attackers get inside the system, they're often using PowerShell on the system to do malicious stuff on the system. As a as a system administrator, you need to know PowerShell to automate

your tasks on the Windows system. If you're if you're in a Linux environment, you probably want to know The bash script thing. So, and a lot of things can be done. If you're if you're working in a Linux environment, a lot of things can be done with a simple bash script. I would recommend that that may be the best place to start. I think bash scripting is actually the simplest. You know, PowerShell is a very powerful scripting language and they actually have aliases for Linux. So if you know the Linux commands, a lot of them

will transfer directly into PowerShell Because Windows has aliased them, meaning that they they take the their command and if you type in the Linux command, it'll do the same thing, right? So it'll do the same thing as does in Linux. So this is, you know, one of those places that it can work in both environments. Um, I think I should also mention that if you're running a Windows system, you can run Linux in WSL. >> Yeah, it's a good point. Yeah. >> Yeah. >> So, if you're running a Windows system and you don't want to

go ahead and, you know, and and create a VM or another system, you can just run WSL, which is Windows Subsystem for Linux, and and and get your fundamentals there. And so, you don't have to create a new system. And this kind of raises another important issue for the beginner is that it's a good idea to become familiar with one of the virtualization systems, right? The The virtual box, the VMware, because this allows you to run multiple operating systems all on the same computer, right? You can run one, you can run one Linux system and

another Linux system and a Windows system and a Mac system all on the same computer. And you can practice what you need to know and you can practice attacking systems in a safe environment where you're not going to break any laws and end up in prison because we don't want you in Prison. We want we want you to be a successful cyber security professional. So keep it inside your own system like keep it inside your own network. Create virtual machines and practice your attacks that way. Okay, >> I love that. >> You need to you

need to familiarize with those virtual systems because sometimes you know it's not it's not as straightforward as maybe I would like. Oftentimes the virtual machines will give us trouble what have you. We've all worked with them. We all know the trouble. Sometimes they can be I wish they were more trouble-free. But the more time you spend with them, the more familiar you become like anything and you can then negotiate the problems that arise in working with those systems and you will be expected you will be expected to understand virtual virtualization of virtual machines in That

job in your job. you will be expected to know that >> if I've got a Mac, I can use VMware Fusion for free and if I've got Windows, I can use Virtual Box or VMware Workstation Pro for free, which is fantastic. So, I mean, a lot of this stuff's just free these days, which is great. >> Yes, it's it's really nice that VMware is now free because VMware I've always liked I've always preferred VMware, but >> I didn't want to use it in classes and what have you because I knew that the students couldn't necessarily

get it. It was It used to be about $200. Yeah. >> Or thereabouts. And so just one more cost. And so I would use Virtual Box. And I ran into a lot of problems in classes and other places running with Virtual Box. I have to give, you know, it's an Oracle product. I give Oracle a lot of credit for developing and keeping it developed and and not making any Money on it. They're basically doing this as a as a public service for us, right? So uh so we have to thank Oracle for that. But I

think that VMware has done a better job and it's easy to work with. They have less glitches with Virtual Box and now that it's free. There's no reason to use any. No, the VMware is better, less glitches. And now there's no reason not to use VMware because it's free. The next area, the next area might be a little Controversial, but in [laughter] my in my mind, you need to become familiar with the AIS, the consumer level AIS that are out there, right? >> I'm glad you mentioned it because it's on my list here. I was

I've got written right here LLM. So, that's fine. Go on, tell us about it. Go on. >> Yeah, it's it's going to make your life simpler. It's going to make your life more productive. remembers that what your your boss wants from you is they Want you to be able to solve problems quickly, right? That's that's what our industry is about. Our industry is about we're problem solvers. That's what we do. We have to think analytically to solve problems. And the AIs are not always going to come up with the most efficient or the best solution,

but they're going to give you some ideas, right? They're going to throw out some ideas and sometimes those ideas are going to be wrong and you need to be Able to discern the right ones from the wrong ones. But in general, it's going to save you a lot of time. >> As your boss, that's what I want. I as your boss, I want you to get the this problem solved now, right? And if the AI is going to do it, then great. Now, I can I I've been in this industry long enough to remember when

the internet first appeared in the 90s and a lot of there was a lot of controversy. People said, "Oh, you know, it's cheating to Use Google." [laughter] That's funny. Like that's you can't use Google to find the solution. That's cheating. Like no, my job is to get a solution as fast as possible, right? And so I think that AI is a lot like what Google was then 20 years ago or 25 years ago. It's like you can find the solution faster. It may not be a perfect solution, but it's going to be it's going to

help you in the process of analyzing your problem and coming up with a solution. And that's your job. >> AI, how deep do I need to go? Do I need to learn how to train an AI or do I just need to learn how to use like chat GPT or something? Well, like everything, we're talking about somebody who's just starting out and they're looking to get their first job. And so, at this point, I would say that it's important for you to be able to use AI. >> If you can train AI and use it

in offense or defense, all the better. But at the very least, learn how to use it And how to find information. It's kind of surprising to me that even in 2025, >> I find people in the general public because I I deal with the general public a lot who really don't have the skills to find information using a search engine. >> They they they can't find what they're looking for because they don't really understand how the search engine works. And that comes from familiarity. It's like you just need to know what kind of Keywords to

put in that are unique that are going to give you the output. But that's a lot of people aren't familiar with that and so they take a long time to find the information. Well, as a user of AI, you'll need h to know how to frame your question. All right? You need to know how to frame your question to get the information that you want. So as a very minimum, that would be the case, right? training AI. Okay, we'll [clears throat] we'll we'll we'll put That off for another day, but right now you need to

know how to frame questions in the AI to get the information that you want. >> I mean, like a simple thing you spoke about scripting, right? Um if I uh can't remember PowerShell or not so familiar with it, I could just ask an AI to show me how to write a PowerShell script to automate something. And the same with bash or Python, right? It's such a enabler, but I mean always there's a Caveat. you have to be careful because sometimes it just makes up stuff. But it it does it can really help teach you as

well, right? Because I think you and I have spoken about this before. Um sometimes people are embarrassed to ask other people questions or they don't have a mentor or someone that's around to that's [snorts] willing to help them. It doesn't like you know look down on them for asking a basic question. With AI, you've got an assistant who's never Going to look down on you for asking a basic question. So it can really enable you to learn more quickly. >> That's very true. And the other thing is that the AI when you ask it to

write a script, it'll then give you an explanation of what it's actually doing. So in this line here, I'm doing this. In this line here, I'm doing this. And there can be a really good use a training tool. So use AI. Try try them out. There's multiple AIs now and they Keep on getting better every day. I think for those people who are looking to write code or looking for technical solutions, I really have to recommend Claude. And so take a look at that. If your job is to write code, you're writing some Python, go

ahead and take a look at Claude. And and they have a Claude has kind of a developer version that that is pricey, but most of the the rest of it is free or very low cost. Of course, I have to mention, you know, Chat GPT, Gemini, uh, what are those? Copilot, there's so many of them. Perplexity. Try them all out and see which ones work best for you. Some of them are better at solving problems than others, and some of them are better at writing than others. And so if your job is to write a

report, you know, you might use a different AI for writing a report than you would use to be able to solve the problem. So and you know the other thing Is it just saves you a lot of time and at the very simplest these AIs have gathered all the information on the internet. Not maybe not all of it but a lot of it and can save you a lot of time of searching for the information. You know, for instance, Perplexity not only gives you all the information, but it also gives you references to where it

got the information from. So, you can go there and look that up and look at the the original document and determine Whether or not that's the proper answer for whatever your problem happens to be. So, spend some time, test them out, and see which one works best for you for whatever your job happens to be. So you can't really say that one is better than the other because it all depends on what your job is. This raises, you know, an important issue that there's so many different responsibilities in cyber security. Not everybody is going to

be a hacker pentester. Hacker pentesters are Really a very small segment of cyber security industry. Think about it, right? I mean, think about all the companies and organizations in the world, right? These and governments and what do these people want? What do these companies and these businesses and these governments? They want somebody to protect their business, right? That's where I would guess and I don't have good you know data on this but this is just a my my ballpark guess is that 80% Of the cyber security jobs are in protecting companies and organizations. It's in

defensive measures is what people would call maybe blue team right defending and protecting is where most of the jobs are at. But I will say this about people who are protecting assets. Assets being you know the data of the company is that the you can better protect people's assets the better you understand what the hacker does. >> Exactly. >> If you understand what the hacker does then you have a better chance of stopping them. And so many people that I see working for companies in defensive measures in defensive positions don't really understand what hackers do.

And so as a result, they're just kind of like, you know, they're just trying anything to stop the hackers, but they have no idea what, you know, they're doing or how they do it. And the more You understand what the hacker does, the better you're going to be at stopping the hacker. And so I I would suggest if you're pursuing a career in defense, in defending against hackers, learn to hack a little, at least a little, and then it'll give you some perspective like, oh, I I think that what he's doing or she's doing, the

hacker is doing is this because I know how to do this. Whereas I see people who just have no idea who are working for big companies and they're Making good money who have no idea what the hackers are actually doing. They're just constantly trying to put up roadblocks but not really understanding what the hacker is doing. And so the more that you understand hacking, you don't have to become a hacker, but the more that you understand what the hackers are doing, the better you can protect. And if you're doing for instance incident response, it's it's

almost essential if you're doing DFIR, Digital forensics and incident response, if that's your role, you better understand what the hacker is doing because otherwise you're you're going to have no clue as to what you're seeing in log files and IBS alerts, what have you that will you let you know if you've been hacked and then what you do about it once you have been hacked. That's a very good point. I agree. If you if you know how the attacks are being done, you can be a better defender. It's um I That's so many true in

so many that's so true in so many spheres. >> I've used as far as learning to um hack and being a defender. I always use the analogy and whatever sport is your favorite sport. Think about playing defense in that sport. Let's use basketball. It's a nice international sport. If you don't understand how the other team, what plays they're going to run, who who their and what moves they have, what their strategies are, you're Going to be limited at how you can stop the other team, you need to study, you need to study what they're doing

offensively to be able to counteract their offensive measures. So, think of it that way. You you would not go into a game as a coach or a player without studying the offense, the hacker in our case. Now, the hacker is the offense and you are the defense. So, make sure that you understand what they're doing so you can better protect the assets of whoever Is paying you. Well, one of the things that the question I always get a lot from from people who are new to the industry is that they, you know, all these jobs

require experience. They want people with five years of experience or two years. How how can I get an entry-level job if I have no experience when the entry- level job says I want five years of experience? And and that's a very common complaint that I hear and and my my answer to that is relatively Simple. And that is that there's a lot of opensource projects out there that are always looking for people. find an open-source project that interests you and join it. They're they're they they aren't going to pay you, but you're going to gain

some valuable experience by working on this open source project. And that can go down as experience. When somebody comes to me looking for a job and they spent the last two years working on an open source project, I Say, "Oh, that's that's real experience. That's real life experience." And so you're not getting paid for it, but it can get you in the door where they're asking for a couple years of experience. And it also shows me that you're committed to the industry. I want people who are committed to cyber security, not just, you know, just

it's just a job. I want somebody who's like really focused on cyber security. And joining an open-source project shows that you're Committed and you have the experience. it's going to open up doors for you. I mean, you're just going to meet people, right? I mean, if you said you've contributed to some open source project that's well known, uh, even lesser known project, people are going to have a lot of respect for you and it's going to open doors for sure. >> You're going to get thank yous in the open source project. Your name is going

to be tied to the open source project. So, that's going to give you, you know, more kudos and more credibility in when you're applying for a job. They can go look at an open source project and they say, "Hey, this person's a contributor to this project, which is a really good project. It may or it may just be a simple project, but still they are a contributor and they have been doing this for two years or three years. I think we should give them a chance." >> Yeah, I love that. I mean, I'm I'm I'm

The same as you, right? I'm on the other side when you look at employing people. It's like, show me your work. Show me what you've contributed. Don't just show me the the theoretical stuff in courses. Show me what you've done. So, like if you've done that, that's great. Then then I'll hit you with this. What about like a bug bounty or just volunteering for like like volunteering for a church or a um like a like a nonprofit and doing helping them? >> Well, I think that's a good idea, too. I mean that especially we're talking

about volunteering for a nonprofit. You know, if you can be, you know, the cyber security guy for your church or your school or whatever the organization is, you're going to gain valuable experience that you wouldn't get by sitting at home and looking at a a class or reading a book. Get out there, do it in the real world, even if you're not getting paid for it. And this for me builds Credibility that you are committed and you have some real life skills. The thing that employers are looking for are real life skills. When they say

they want two years or five years experience, what they're saying is that we want somebody who's actually done this in the real world, who hasn't just looked at a book or a video, who's actually done it. because the real world sometimes can vary dramatically from the book, [laughter] Especially as books get older and older. So, get some real world experience. Find a place to get realworld experience. And you, yes, you're probably not going to take a salary, but it's going to give you a advantage over everybody else who's applying for that job because you've done

it. You're in the real world. you you've helped your church or whatever the organization stop the hackers from stealing you know your your church's money or data or what have you Or even worse um stop the ransomware attack where you know everything everything would be locked up >> what do you say for people who say I don't know enough I mean my take on that is if you're in this if you understand a lot of this stuff you know more than a lot of people out there right so think about your mother or grandmother or

someone who's like in a nonprofit or something, they might not be implementing 2FA. They might be using The same password across many devices. There's a lot of lowhanging fruit that you can use to help them. And then you can write a report and get them to sign it off saying this is what I did to help them. Surely that's going to if you if you were trying to employ someone OTW, that's great to have on the on your resume or as an example of your work experience or stuff that you've done. Right. >> Exactly. The

the key is to be out in the Real world, experience it, do it in real life. You know, the one of the things that happens in in our industry and and other industries that are mostly techreated is that nobody knows everything. Nobody knows everything. >> I mean, and we have to constantly be learning. There's always new stuff. So, I know that, you know, people talk about imposttor syndrome where like I I I don't want to do this because I don't know enough. I don't feel like I know Enough. Everybody feels that way. >> Exactly. [laughter]

Exactly right. >> Everybody feels that way, you know, because there's always new stuff. So, and we always feel like I just don't know quite enough to do this, but everybody feels that way. So, don't let that stop you. >> No. Exactly. What about Bug Bunny? Do you want to explain what that is and what if it's good or not? >> Yeah. Well, bug bounty is bug bounty is another place where you can gain some experience and you know it's it only pays if you find a bug, right? So, what you're doing is you're looking for

vulnerabilities in people's software, right? So, if you're familiar with, you know, web app hacking, and that's most of what's going on here is web app hacking, you can go and try, you can sign up for a bud bounty program and then try to break into the company's web App or their OS in some cases. And if you do, you get paid and you can get paid really, really well. Uh so you'll be going for you might be going for weeks, months, years without getting a bug a bug bounty. So you have to be clear on

that, right? That many people work in bug bounty hunting and make nothing. And then there's a few people who make a lot of money, right? So >> that's true a lot of industries, right? Sorry, go on. >> Yeah, it's it's it's it's true in a lot of industries, right? There's some people who make very little or nothing and then the people who are really really good who get incredible amounts of money like the people who are you know you probably have seen the people who are working in AI right now in Silicon Valley they're they're

they're taking down salaries of millions of dollars a year >> of millions of dollars and with with you Know possible equity that's in the terms of hundreds of millions of dollars. So, and that and then there's other people who are getting nothing. So, and that's true in most industries. But I guess I want to emphasize is that get out there and do it. Get out there and do it. Whether it be bug bounty hunting, I would actually say that unless I would like to see people do an open-source project or helping agree a a community

uh that needs help than doing bug bounty Hunting because the thing about bug bounty hunting nobody will tell you is that there's people who are working for long periods of time who make very little money, right? because the the only people who talk about it are the people who oh I got a 10,000 I got a hundred thousand right those are the only people who talk about but most of the people are very quiet because they're getting nothing right so just be aware but if you're in a country that There is no opportunity to work

in pentesting or cyber security then bug bounty honey can be anybody can do that from anywhere and so it might be a good alternative But I would prefer to see you once again this is what I prefer is I prefer to see people contributing to an open-source project and that to me carries credibility and it it shows me commitment to our industry. >> I love it. I mean I think the there's different options, right? So some will Fit better for some people, some will fit better for others. What I always what I always like to

say about Bug Bounty is like there are you know programs that you can join that you don't even get paid. So you can go and hack NASA as an example. Um, but it it gives you experience, right? That that was kind of what I was alluding to. But I agree with you. You need to be careful with Bug Bunny because, you know, it's like people saying get into AI and then They try and sell you some course or whatever and you'll make millions. Be very careful of that because, you know, it could be that you

you you might not get paid anything. Um, but at least you've learned something. But I also like what you said. It's it's only it's normally one specific part of of of uh cyber security, right? there's uh there's other parts that you're not necessarily going to find bounties for. So, great advice. I like that. I I'm Glad you hit this about experience because it's a big one, right? Especially at the moment, people are saying, you know, I can't get a job. So, anything else you want to say about experience or are you ready for the next

one? >> Well, one of the thing about experience and it's kind of the whole part of the whole process of getting cyber security, but be prepared to learn continuously, right? you have to be learning Continuously and this has always been the case right but it's more I have to emphasize it more and give it a higher priority because what's going to happen and I hate to provide you know be a bearer of bad news but AI is getting so good that it's going to take and it already is taking a lot of the entrylevel jobs

right so if you're not staying ahead of the AI the AI is going to eat your job. Whether you're whether you're in a job right now or you're Preparing to get into a job, the AIs are advancing very rapidly and companies are implementing AI at a very rapid pace and AIS are really good for entrylevel jobs. Right now, they're very good for that. So, I don't want to discourage anybody because I think this is a great industry to get into, right? But that means that you're going to have to commit yourself even more to learning

constantly. You know, I've been in this industry a long time and I learn something new every Day, right? If I don't learn something new, >> if I don't learn something new every day, it's a wasted day. So, if you don't like learning, if that's not something that turns you on, right, this is probably not the right industry for you. >> Yeah. I mean, it changes so fast, like you say. Yeah, I agree. It's um go go go and do some other job. Um this this is not the right industry if you don't want to learn.

Sorry. Go on. Yeah. >> Well, so the next part I would probably want to advise people to do is once again I said is get involved. Do the real world. You know, get involved with other people in your community or online who are doing it and connect with them. You know, people talk about, you know, networking, right? you know that that's that's going out and being with other people who are like-minded doing something similar because you know they're they're the ones who are going To tell you hey my boss said he needs somebody with this

skill level you should apply for it or I can recommend you you know so that's that's always useful in any industry right so if you're not in the industry now go out and connect with other people who are in the industry and you know and be a uh not just somebody who's there looking for opportunity, but be a friend, you know, and and be helpful and it'll open doors for you. >> Contribute, give, don't just take, right? Yeah. >> Right. Contribute. Don't just give. Yeah. Be a friend. Be a person who's there to help others

as well and it'll work for you. >> So, are you talking like online places like X or like Blue Sky or you talking like in person type events if you can or is it all the above? >> It's all of the above. you want to just connect with other like-minded people Who are in the industry. If the only opportunity you have is X or Blue Sky or whatever your social media is, >> great. But if you're in a big city, right, you probably have some groups that you can join that of people who are doing

something similar in the industry. They'll meet for, you know, a beer or coffee or what have you. You can go and chat with them, get to know them. find ways that you can contribute because if you contribute, I can guarantee you that Somebody's going to pay it back to you. >> Yeah, it's exactly that. Hey, you giving it's amazing if you give what what comes back and if you're a nice person how other people will help you if you're a nice person. It's amazing that I agree. So like bides or something like that in is

a good example in the US. Um but anything like that, right? >> Anything that's Yeah. If you can, if you can find a community, if you're in a big city, especially in big city, because You're not going to find these in, you know, small rural towns, but if you're in a big city, you're going to find some group that is, you know, that are developers or cyber security people, >> networking people who get together and just want to talk and share their their knowledge. >> Join it, make a contribution, be a good person, and it'll

pay off in the long run. >> So, what do you So, let me hit you with Some questions, right? Um, some people will say, I don't agree with this, but some people will say, I don't want to go work for a company for free. I need to earn money, or I don't want to volunteer because I need money. Um, what's your what's your answer to that? >> My answer to that is I'm very sympathetic to that. I mean, everybody needs money, right? We all need to make money to be able to eat and put a

roof over our house and support our families, What have you. So, I'm very sympathetic to that. So okay go ahead and take a job that is you know you work 8 10 hours a day whatever it happens to be but then commit yourself you know two or three hours a day to working on an open-source project or volunteering or doing bug bounty and that you're not getting paid. So you know yes nobody unless you're you know you were born with a lot of money nobody can can get through life without an income. So yes, I'm

sympathetic. Get Yourself the job that's going to pay you, right? And then but also be developing your skills in the time that you're not at that job and contributing to the community, networking, uh getting becoming part of an open source project so that you can show that not only was I just working at this job to, you know, to earn an income, but I've been learning for years. I've been part of this community for years and years and years. And then also, you Know, part being part of the community is also a way that you

can get yourself some references when you apply for that job. You know, if you if you're part of a a group that gets together and you know, they know you and they they like you, you've been a good and valuable part of the community. You know, those people can write references for you that might get you in the door, but it's better than not having a reference, right? But the references from somebody Who's well known is going to help you a lot. >> My last recommendation, right, for getting into cyber security and it applies to

getting into any job, right? And that is, you know, be an agreeable person, right? Be be a person that other people want to be around, right? Be giving, provide help, right? and and just be in general be agreeable so that because what your boss wants is somebody he can work with, right? Not somebody Who's whining and moaning and and you know and and not being um a team player. Be agreeable on uh uh with your colleagues. And for some people that might be the hardest thing to do. >> I'm glad what you said though. I

think the key word there is team player. Um it's a team sport. uh it's there are jobs where you can do everything alone but generally you go further as a team than alone and I agree with you you want to work with someone who's going to help You and make you become a better person rather than pull you down so I very much agree >> if you just think about it it's not any it's not rocket science people want to work with people who are agreeable right so your boss your boss wants somebody who he

can talk to and discuss things with and work with and so if you're a disagreeable person, which unfortunately there's a lot of those out there, you're not as likely to get a job. And also Keep in mind that whatever you post on social media, your boss is going to look at that stuff. And if you've put a lot of negativity out on social media, they're going to see that and that might be the deciding factor for you. So be careful what you put on social media. always think about how is this going to look to

a potential employer. >> I would agree with you, right? If you might think it's not right that an employer looks at your stuff that you Post on whatever platform, but it's likely going to happen. So, yeah, be careful with what you post. I agree. >> It's likely to happen. Most most employers now are looking at your social media feed. And if they're seeing a lot of, you know, a lot of vulgarity, a lot of meanness, um, you know, it just says that you're not somebody that they want to work with, right? So, be careful. And

then if somebody rejects you for a job, you know, don't put that out on social Media and call them names and what have you cuz the next employer is going to see that and they're going to say, "Oh, I don't want that person working here." >> Okay, so I let's let me hit you with some more questions, right? Um, it's 2026. Which area of cyber should I focus on? Because I think for a lot of new people, you know, on YouTube, there's like we there's a lot of talk like Mr. robot red teaming hacking uh

but cyber security cyber security is massive right So I think you should like can you give us like an idea of like what's involved in cyber because it's a massive area and any hot areas if you like or any good areas if that you would recommend I look at if I'm near >> well if if one of the things that I would if I was new to the industry that I would really look seriously at is DFIR right DFIR digital forensics and instant response these guys get paid well. They're the people who come in after

a Hack, right? And they're the ones who have to decipher what took place, right? And then recommend measures to keep you from being hacked the next time. Once again, the better that you understand hacking, the better you're going to be at DFI. And so I I emphasize that that is not only a growing area but it's a really wellpaid area of cyber security as well. And the other area that I think is really important is wireless networks. So the world is rapidly moving towards wireless networks. So we have Bluetooth, we have Wi-Fi, we have Ziggby,

we have cellular. These networks are all communicating by radio signals. And so one of the things that we emphasize at Hackers Arise is hacking these signals because this is the state of the art. The the networks are more and more going to wireless networks. So whatever it happens to be even in in big industry now we're seeing that they're connecting All of their devices say in an industrial plant by wireless communication because it's simpler it's easier it's simpler in that they don't run wires to everything right and so we're seeing a more and more of

networks going through wireless so get to understand this wireless communication and its vulnerabilities and that's one of are specialties at Out. >> It's interesting. I mean, we've mentioned this in other interviews. I've I've spoken to people in in Telos and how they are putting 5G in all devices and um this has been spoken about for a while. So, it looks like your washing machine, your toaster, like every device you can think of is going to be connected wirelessly. So, yeah, it's going to be interesting future that um from a privacy/cyberc point of view that that's

that's I'm glad that you mentioned that. The one I was thinking about was LLMs, right? Hacking AIS. Is That an area you'd recommend looking at? >> Not right now. Not for somebody who's just getting started. I think that at this point, what they need to do is be efficient and effective at being able to find the information that they need in uh an L in a AI, an LLM, large language model. you know, we could look at hacking and building our own AIS once you get into, you know, the next level of, you know, you're

at you you've been at your job for a few years and now you Want to take it to the next level, then uh like I wouldn't hire somebody who has an intro intro level intro uh position who was focused on hacking LLMs, right? That's a that's that's a very it's a niche, but it's an important niche. But for a beginner, focus on using the LLM, the AIS to find the information that you need to write the scripts that you want, what have you, you know, so you know, they're very effective. If you have a problem,

you have an issue that comes Up, you know, learn how to put it in the proper terms to put it into the LLM to get the right answer the first time >> and and and be able to discern when the AI is hallucinating. >> Exactly [laughter] right. Exactly right. I will say this, OTW, we've done a few of these videos in the past and I've seen a lot of people put out this content and what I really like about what you've done this time is we're not just focusing on technical skills. You Focus very heavily

on like get some basic foundations so you understand stuff and then straight away you went into like networking with people um be agreeable, get some experience with open source product uh projects. So I think it's great that we emphasize that because you know I think let me let me ask you this. I think a lot of people emphasize the technical skills and I think you've said it many many times most hacks are social engineering. You Know it's it's not always the technical skills that win right? >> That's correct. You know, it's it's good that you

have you must have the technical skills and but this applies to all industries, right? But you need you need to be able to learn how to work in a team environment and be agreeable, be a good friend, be a good employee. You know, your job is to make your boss look good. Remember that. Remember that. That's probably one of the most Important rules. Your job is to make your boss look good. Not to make you look good, but make your boss look good. And if you make your boss look good, you'll be there for a

long time. He'll love you. You'll get promoted. You'll get more money. Make your boss look good. >> I think we're going to end right there. Unless you've got something else to say because that was a great ending. >> Nope. That's that's all that's all I Want to say. >> OTW, as always, thanks so much for everyone who's watching. I've put links again to a whole bunch of videos that we've done. Mr. Robot, bunch of hacking videos. uh expect a lot more content from OTW and me. Let me know in the comments anything else you want

us to create content about. And do you agree with this roadmap or have you had different experiences? Did we forget something? Do you disagree with Something that we've said? Uh put it in the comments. OTW, thanks so much. >> Thank you, David. It's always good working with you and talking with you and trying to share some knowledge and uh information with your viewers >> and you do a great job. Thanks so much for that.