0x161 - Three Pentesting Mistakes I Made

Back in 2018 I graduated with a Computer Science degree and got my first full-time internship/job as a junior pentester.

The cybersecurity market was nowhere near as crazy as it is now.

OSCP was still seen as a relatively advanced certificate and my experience as a full-stack developer + side-gig CTFs was enough to pass the interview.

Looking back at my first 6-12 months as a pentester, I want to share with you 3 mistakes I made in that period.

Mistakes I wish somebody had told me about!

  1. Pretending that you know/understand - when you get a new job, no one expects you to know everything. You won't "get it" the first time you hear about a new attack. It takes time and multiple attempts to perform your first XSS/SQLi/LFI.

    However, as humans, we tend to be afraid that we will be perceived as stupid or "not suitable" for the job.

    But the truth is: pretending/lying to yourself that you understand a concept will do more harm in the long run. The same things will come back over and over again in your career. Be truthful to yourself: if you don't understand something -> put the effort into learning it.

  2. Being afraid to Google basic stuff - things like "how request smuggling works", "simple http server in python3" or "how to start a port listener". You think something is too easy/basic to look up.

    You have a rough idea of how it works, but you can't explain it in detail. Yet at the same time you avoid looking for more information because it hurts your ego to admit "not knowing such a simple thing".

    After more than 8 years, I have accepted that remembering programming language syntax and tool commands is my weak spot. I don't fight it anymore -> I make sure I understand the concept, and I google for examples no matter how easy they might seem.

  3. Not trying new things - this is a tricky one, because it also comes with experience. As pentesters we tend to stick with what we know instead of trying/searching for new things. In your first pentests everything is new, everything looks "interesting" and "hackable" because it is the first time you see those attack surfaces.

    As you progress, you'll find that the same things come up over and over again -> you get lazy and think that you don't have to try to hack that feature because you tried before and nothing came out of it. But a large portion of vulnerabilities go undiscovered because people "assume" things.

    As a rule of thumb: 80% comfort zone attacks - 20% new attacks for every pentest. Use each pentest as an opportunity to learn something new!