Pākiki Blog

The latest insights, vulnerabilities, research, and release information from the Pākiki team.

Follow us on social media:

Getting into Cybersecurity

Published on by Jess
Categories: Security
Tags: Careers Advice

We’re regularly getting people reaching out and asking for either jobs or career advice.

So what does it take to get into cybersecurity, and penetration testing in particular?

Caveats: These are the views of Pākiki, other pentesting companies may have different policies or things they value. If you have your heart set on a particular employer, it’s worth reaching out to them to see if they have particular requirements. It’s also worth mentioning that Simon Howard posts a yearly guide on Getting Started as a Penetration Tester in NZ. While we have a different focus, there’s a lot of overlap. Otherwise, these tips should put you in a good place to apply for penetration testing roles in Aotearoa.

Baseline skills

Our experience from previous companies is that at the entry level, there are lots of great candidates who apply and many will go on to do great things; However, we need to make the tough decision on who to hire from that candidate pool.

These are broadly the things we look for:

Basically, we care about the things we can’t teach you. Although the more security knowledge you have, the more likely you are to succeed.

What about education/certifications?

We do not put a strong emphasis on formal education.

We believe that if somebody has the skills on their CV indicating that they have the potential to do the job, we should consider them for an interview. Filtering based on education just hinders candidates who are neurodiverse, struggle with University, or did not have the means to attend. In previous roles, some of our best people had no formal IT training or education.

Certifications are a useful way to provide structured learning; however, we have also interviewed candidates with industry-leading certifications who couldn’t carry out basic tasks. As with any other type of formal education, you get out what you put in.

What we really care about is what you can do in practice, not a piece of paper showing that you can sit in a classroom for 6 hours a day or that you perform well under stressful exam settings.

Building Security Technical Skills

In the penetration testing world, there are broadly two distinct types of tests:

Again, for entry-level roles, you don’t need to be an expert in everything you’ll encounter; however, having the baseline skills and showing that you know about the common vulnerabilities will put you ahead in interviews.

Application Testing

There are guides online such as the OWASP Testing Guide which contain lists of common vulnerabilities and how to search for them.

There are also sets of exercises online, such as Pentester Labs or PortSwigger Academy. Both have explanations of vulnerability classes and a variety of exercises to ensure you understand and find them.

For those exercises, you’ll need an intercepting proxy. While we’re biassed, obviously we like Pākiki Proxy. The community/free edition will be fine for getting started and learning. There are also plenty of other options available as well.

Network Testing

There are a number of online platforms which have intentionally vulnerable machines where the goal is to gain access to a “flag”. In some cases, this will require exploitation of a network service, privilege escalation, or gaining access via a web application vulnerability.

Platforms include:

In some cases, the vulnerabilities can be thought more of as hacker themed crossword puzzles and aren’t always 100% reflective of what we see in the wild, but they are a good starting point for learning new concepts and getting exposed to things you haven’t encountered before.

To get practice with English writing, consider starting a blog or doing formal writeups of what you’ve found (just make sure you don’t spoil the exercise for other people, or publish them before you’re meant to based on the platform’s rules or conventions).

Hacker Mindset

Within security, we talk about the hacker mindset, which covers things like:

A good way to develop this is to be curious and to keep learning:

Again, fully appreciating that if you’re one of our neurodivergent friends, you may struggle with some of these. And that’s totally OK!

Resources can be at varying levels. Don’t be discouraged if some of it goes completely over your head. It’s common and will get better the more you learn.

Bug bounties are a fantastic and legal way to hone your skills on real world targets, and getting exposure to real world technologies and services. Just make sure you read and understand the scope. Going out of scope can be crimes.

Police Dog

Let us promise you that police dogs aren’t so cute in person.

It is also worth pointing out that many bug bounty programs will have had the vast majority of low hanging fruit already found, such that a traditional pentesting methodology (EG: Following the OWASP Testing Guide) probably won’t find the most interesting bugs. You can be a great pentester but it takes a vastly different approach to really do well in bug bounty programs. But that doesn’t mean they’re not good for getting real-world experience and practice.


There are obviously a large number of things to consider and learn in preparation for a job as a pentester or in cybersecurity more broadly. We look at a whole range of factors when making hiring decisions. If you demonstrate good non-technical skills, passion and have a reasonable baseline of technical skills (the more the better). Then you have a higher chance of getting an interview and an offer!

Are we hiring?

First, the sales pitch, we have a number of generous perks. We believe that if you treat your staff well, they’ll take care of our customers. Additionally, it’s the right thing to do.

For any roles, we’ll post job adverts up on:

For entry-level roles, or if we would like a wider pool of candidates, we’ll also post on NZ-based job sites, such as TradeMe and Seek.

Even if we’re not hiring, we like to chat with people who are passionate about security, and to help provide advice and guidance to the next generation of security professionals. If you’re based in Christchurch or Wellington, contact us. We’d love to have a coffee.