It's Q2, How Was Q1?
Are Your New Year's Resolutions Still Relevant?
Yoo, welcome to Issue #10 of Navigating Security.
Quote of the week:
"It's you vs you, then you vs everyone else that wants to work in cybersecurity."
What To Expect
This week we discuss our goals from Q1 and what is in store for Q2.
Why you should divide your yearly goals into quarters
In case you missed the previous issue, here you go:
This Week's YouTube Video:
If You're A Jr Penetration Tester, Watch This…
The newsletter is currently not sponsored.
Direction & Goal Setting
I started this newsletter because I always feel like I'm being pulled in different directions when it comes to the field. GenAI/LLM security is popping, I've always wanted to be a red teamer, bug bounty is something I'm highly interested in, and malware development seems pretty cool; these are all things I constantly think about. The problem with thinking this way is that you don't end up learning anything because you don't execute on anything. Call it analysis paralysis or whatever. Whenever you feel overwhelmed, just remember you can't learn everything, and you won't; a friend had to remind me about this recently as I was kvetching.
A few weeks into 2024, I discovered the 12-week year. Instead of spreading your goals over 365.25 days, you split your year into four and tackle one major goal every 12 weeks. It's just a way of dividing your year into quarters, but it's laid out in a way that's appealing to the masses. It made sense to me because my goals are always so vague that it's pretty difficult to do any sort of review or benchmark to see where I'm at until the goal is either reached or time runs out.
At that point, I decided to invest the rest of Q1 into getting started with bug bounty. I learned quite a lot and submitted a few bugs, but none paid out, just duplicates and N/As (out of scope). The biggest takeaway from this quarter is that your pentest mindset cannot be your bug bounty mindset, but your bug bounty mindset can be your pentest mindset. What am I saying? Bug bounty findings are pretty different from the trivial misconfigurations you report in pentests: a program only pays for a demonstrable, in-scope impact. The sooner you wrap your head around this, the easier it will be.
What's next
My next 12 weeks will be focused on my red teaming goal. I have to take the CRTP (Certified Red Team Professional) as part of my training for my new role, so that's the main goal. This will be cemented by revisiting the PEH (Practical Ethical Hacking) course by TCM Security, the External Pentest Playbook by TCM Security, Game of Active Directory (GOAD), guided by Howard from IT Security Labs, and doing some of the modules from Maldev Academy, because why not?
Side Note: I'm thinking of changing the newsletter cadence to bi-weekly. Nothing final, but I'm busy as hell. My brain and laziness can't keep up. I also have to get back to YouTube, but that's always a hassle because, to me, it seems people would rather watch the same old garbage "Best certification for cybersecurity" videos that some creators pump out every month with a different title and thumbnail. Yes, I'm salty.
Anyway, evaluate your performance for the first quarter of 2024. How well are you executing the steps that will eventually achieve your goals? If your goal is too broad, divide it into sub-tasks and spread them over each quarter so that you can accurately measure your performance without feeling too overwhelmed. Remember, it's you vs you, then you vs everyone else that wants to work in cybersecurity. Pattern up. Step up. Show up for yourself.
Suggestions
Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.