Penetration Testing Career - Jr to Specialist

开新坑了(加速人才流动)，根据joas的Ebooks加强网络安全Career&skills方面的学习

国内外的某些技术面有所区别，需自行分辨！

From: Penetration Testing Career - Jr to Specialist.pdf

last update: 2020/11/30

文末有对应的翻译版本~

EN—Pentest JR(Junior->初级)

• Knowledge of information security standards and policies (ISO 27001, LGPD / GDPR, PCI- DSS, HIPAA, NIST, FISMA and etc);
• Knowledge of PenTest methodologies (OSSTMM, NIST, OWASP, Cyber Kill Chain, PTES, ISSAF and etc);
• Knowledge in Risk Management;
• Knowledge in Management and Analysis of Vulnerabilities;
• Knowledge in PenTest Tools;
• Knowledge in Programming Languages (Ex: Python, Ruby, C, C #, GO, PHP, JavaScript and etc);
• Knowledge of operating systems and administration (Windows, Linux, MacOS, Scadas, Mobile / Shell Script, Powershell, CMD and etc ...);
• Fundamental Knowledge in Computer Networks;
• Knowledge in Hardening and Risk Mitigation;
• Knowledge in PenTest in Mobile Applications, Web, Cloud, Networks and IoT;
• Knowledge in Black Box, White Box and Gray Box Testing;
• Assist in the preparation of Technical and Management Reports;

EN—Pentest PL (Intermediate->中级)

• Knowledge of information security standards and policies (ISO 27001, LGPD / GDPR, PCI-DSS, HIPAA, NIST, FISMA and etc);
• Knowledge of PenTest methodologies (OSSTMM, NIST, OWASP, Cyber Kill Chain, PTES, ISSAF and etc);
• Knowledge in Risk Management;
• Knowledge in Management and Analysis of Vulnerabilities;
• Knowledge in PenTest Tools (Best Tools);
• Knowledge in Programming Languages (Ex: Python, Ruby, C, C #, GO, PHP, JavaScript and etc);
• Knowledge of operating systems and administration (Windows, Linux, MacOS, Scadas, Mobile / Shell Script, Powershell, CMD and etc ...);
• Fundamental Knowledge in Computer Networks;
• Knowledge in Hardening and Risk Mitigation;
• Knowledge in PenTest in Mobile Applications, Web, Cloud, Networks and IoT;
• Knowledge in developing Scripts and improving tools;
• Advanced PenTest techniques, without using automated tools;
• Development and preparation of executive and technical reports;
• Knowledge and experience in PenTest Black Box, Gray Box and White Box;

EN-Pentest SR AND SPECIALIST(Senior->高级, Specialist->专家)

• Knowledge of information security standards and policies (ISO 27001, LGPD / GDPR, PCI-DSS, HIPAA, NIST, FISMA and etc);
• Knowledge of PenTest methodologies (OSSTMM, NIST, OWASP, Cyber Kill Chain, PTES, ISSAF and etc);
• Knowledge in Risk Management;
• Knowledge in Management and Analysis of Vulnerabilities;
• Knowledge in PenTest Tools (Best Tools);
• Knowledge in Programming Languages (Ex: Python, Ruby, C, C #, GO, PHP, JavaScript and etc);
• Knowledge of operating systems and administration (Windows, Linux, MacOS, Scadas, Mobile / Shell Script, Powershell, CMD and etc ...);
• Knowledge in Hardening and Risk Mitigation;
• Knowledge in Architecture and Information Security Solutions;
• Knowledge in PenTest in Mobile Applications, Web, Cloud, Networks and IoT;
• Knowledge in developing Scripts and improving tools;
• Advanced PenTest techniques, advanced exploration methods and etc;
• Advanced Post Exploration Techniques;
• Knowledge in Buffer Overflow and Development of Exploits;
• Knowledge in Miter Att & ck and Advanced Persistent Threat (APTs);
• Development and preparation of reports and technicians;

Resources

• Skills Development - Labs
• Hackthebox;
• Vulnhub;
• Try Hack Me;

• Skills Development - Certifications
• eLearnSecurity;
• EC-COUNCIL;
• Offensive Security;
• Sans;
• CompTIA;

• Roadmap Certifications
• https://pauljerimy.com/security-certification-roadmap/

• Skills Development – Youtube Channels - 做个了解就好了！！！
• https://www.act.com/channel/UCNRM4GH-SD85WCSqeSb4xUA
• https://www.act.com/channel/UCxHzA- Z97sjfK3OISjkbMCQ (RoadSec)
• https://www.act.com/channel/UC2QgCedRNj_tLDrGWSM3Gs Q (Mindthesec)
• https://www.act.com/channel/UCz1PsqIhim7PUqQfuXmD- Bw (Hackaflag)
• https://www.act.com/user/BlackHatOfficialYT (Blackhat)
• https://www.act.com/channel/UCi8P9S-PW7AF71g8Pi0W6Jw（ACADI-TI）
• https://www.act.com/user/genxweb （Michael LaSalvia）
• https://www.act.com/user/Wraiith75（Wraiith）
• https://www.act.com/channel/UCVImyGhRATNFGPmJfxaq1dw（Bsides）
• https://www.act.com/channel/UCySphP8k4rv7Jf-7v3baWIA（Vinicius Vieira）
• https://www.act.com/channel/UCwTH3RkRCIE35RJ16Nh8V8Q （Kindred）
• Bug Bounty Public Disclosure
• https://www.act.com/channel/UCqGONXW1ORgz5Y4qK-0JdkQ(Joe Grand)
• https://www.act.com/user/DEFCONConference (Defcon)
• https://www.act.com/channel/UC4dxXZQq- ofAadUWbqhoceQ (DeviantOllam)
• https://www.act.com/channel/UC3s0BtrBJpwNDaflRSoiieQ (Hak5)
• https://www.act.com/channel/UCimS6P854cQ23j6c_xst7EQ (Hacker Warehouse)
• https://www.act.com/channel/UCe8j61ABYDuPTdtjItD2veA (OWASP )
• https://www.act.com/channel/UC42VsoDtra5hMiXZSsD6eGg/featu red (The Modern Rogue)
• https://www.act.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw(Stack Mashing)
• https://www.act.com/channel/UCW6MNdOsqv2E9AjQkv9we7A(P wnFunction)
• https://www.act.com/channel/UCUB9vOGEUpw7IKJRoR4PK- A (Murmus CTF)
• https://www.act.com/channel/UCND1KVdVt8A580SjdaS4cZg (Colin Hardy)
• https://www.act.com/user/GynvaelEN(GynvaelEN)
• https://www.act.com/channel/UCBcljXmuXPok9kT_VGA3adg (Robe rt Baruch)
• https://www.act.com/channel/UCGISJ8ZHkmIv1CaoHovK- Xw (/DEV/NULL)
• https://www.act.com/channel/UCDbNNYUME_pgocqarSjfNGw (Kac per)
• https://www.act.com/channel/UCdNLW93OyL4lTav1pbKbyaQ (Men torable)
• https://www.act.com/channel/UCMACXuWd2w6_IEGog744UaA (Derek Rook)
• https://www.act.com/channel/UCFvueUEWRfQ9qT9UmHCw_og (Prof. Joas Antonio)
• https://www.act.com/user/ricardolongatto (Ricardo Longatto)
• https://www.act.com/user/daybsonbruno (XTREME Security)
• https://www.act.com/user/eduardoamaral07 (Facil Tech)
• https://www.act.com/channel/UC70YG2WHVxlOJRng4v-CIFQ (Gabriel Pato)
• https://www.act.com/user/Diolinux (Diolinux)
• https://www.act.com/user/greatscottlab (Great Scott!)
• https://www.act.com/user/esecuritytv (eSecurity)
• https://www.act.com/channel/UCzWPaANpPISEE_xvJm8lqHA (Cybrary)
• https://www.act.com/user/DanielDonda (Daniel Donda)
• https://www.act.com/user/ZetaTwo (Calle Svensson)
• https://www.act.com/channel/UCNKUSu4TPk979JzMeKDXiwQ (Georgia Wedman)
• https://www.act.com/channel/UCqDLY9WFoJWqrhycW8cbv1Q (Manoel T)

replace😉

CN—初级渗透测试工程师

• 了解信息安全标准和政策（ISO 27001、LGPD / GDPR、PCI-DSS、HIPAA、NIST、FISMA等）;
• 了解渗透测试方法论（OSSTMM、NIST、OWASP、Cyber Kill Chain、PTES、ISSAF等）;
• 熟悉风险管理;
• 熟悉漏洞管理和分析;
• 熟悉渗透测试工具;
• 了解编程语言（例如Python、Ruby、C、C#、GO、PHP、JavaScript等）;
• 了解操作系统和管理（Windows、Linux、MacOS、Scadas、移动/Shell脚本、Powershell、CMD等）;
• 具备计算机网络的基础知识;
• 了解加固和风险缓解技术;
• 了解在移动应用、Web、云、网络和物联网方面的渗透测试;
• 掌握黑盒、白盒和灰盒测试方法;
• 协助准备技术和管理报告。

CN—中级渗透测试工程师

• 信息安全标准和政策的知识（ISO 27001、LGPD/GDPR、PCI-DSS、HIPAA、NIST、FISMA等）;
• 渗透测试方法论的知识（OSSTMM、NIST、OWASP、Cyber Kill Chain、PTES、ISSAF等）;
• 风险管理的知识;
• 漏洞管理和分析的知识;
• 渗透测试工具的知识（最佳工具）;
• 编程语言的知识（例如Python、Ruby、C、C#、GO、PHP、JavaScript等）;
• 操作系统和管理知识（Windows、Linux、MacOS、Scadas、移动设备/Shell脚本、Powershell、CMD等）;
• 计算机网络的基础知识;
• 强化和风险缓解的知识;
• 移动应用、Web、云、网络和物联网渗透测试的知识;
• 开发脚本和改进工具的知识;
• 不使用自动化工具的高级渗透测试技术;
• 编写和准备管理层和技术层面的报告的能力;
• 黑盒、灰盒和白盒渗透测试的知识和经验。

CN-高级&专家级渗透测试工程师

• 信息安全标准与政策的知识（ISO 27001、LGPD/GDPR、PCI-DSS、HIPAA、NIST、FISMA等）;
• 渗透测试方法论的知识（OSSTMM、NIST、OWASP、Cyber Kill Chain、PTES、ISSAF等）;
• 风险管理的知识;
• 漏洞管理与分析的知识;
• 渗透测试工具的知识（最佳工具）;
• 编程语言的知识（例如Python、Ruby、C、C#、GO、PHP、JavaScript等）;
• 操作系统与管理知识（Windows、Linux、MacOS、Scadas、移动设备/Shell脚本、Powershell、CMD等）;
• 强化与风险缓解的知识;
• 架构与信息安全解决方案的知识;
• 移动应用、Web、云、网络和物联网渗透测试的知识;
• 开发脚本与改进工具的知识;
• 高级渗透测试技术、先进的探索方法等;
• 高级后期探索技术;
• 缓冲区溢出与攻击利用的知识;
• Miter Att&ck与高级持续性威胁（APTs）的知识;
• 报告的开发与准备技能;