Offensive Security (Pentest / Red Team)
Hands-on offensive work. High ceiling, high effort, slow start. OSCP/PNPT biased. CISSP is NOT the path.
Phased progression
Foundations → first role → specialisation → advanced. The realistic order, not a script.
- 01 Foundations (0–6 months): Literacy, lab habits, the cert that opens first conversations. Credential: eJPT.
- 02 First paid role (6–18 months): Land a Junior Pentester or AppSec Engineer. Operational time, not more certs, earns the next move. Role: Junior Pentester or AppSec Engineer, $80–120k entry.
- 03 Specialisation (1.5–3 years): Add a specialist credential aligned to the work you're already doing. Credentials: PNPT, CRTO. $130–180k mid.
- 04 Advanced (3+ years): Move into adjacent roles. Long-term credentials become worth their cost. Role: Red Teamer. Credential: OSEP. $130–180k mid.
Certification sequence
Ordered by realistic relevance, not vendor marketing.
Practical projects
What to actually build, the portfolio that opens interviews.
- TryHackMe + HackTheBox streaks with public write-ups
- Internal CTF write-ups on a personal blog
- Custom Burp extension or a small C2 plugin
- SOC-first, then pivot to offensive
- AppSec via a developer background
Realistic expectations
What no recruiter will tell you.
The common belief that stacking certifications shortcuts the timeline is wrong. Operational time and a public portfolio are what compress the path.
18–30 months is the realistic time to the first paid role on this route. Most people overshoot by 6–12 months. Plan for it; don't panic when it happens.