Saturday, July 12, 2025

Security Testing Journal Entry | w/e Friday July 12, 2025 - "My Nine Months at Secure Ideas" Ed.


Highlights from a career pivot

What we learn from failure, and what we do with that knowledge, is what matters — M. Bloomberg

So here's a quick recap of how it went with my time at Secure Ideas since my last post:

  1. JANUARY

    • THE GOOD:
      • Had just come back from holiday break. Lots of report writing and CISSP. Lots of constructive feedback and learning.
    • THE BAD:
      • Attempted my first blog and received some feedback regarding the subject. Completely missed the assignment.
    • THE UGLY:
      • My inexperience was showing.
  2. FEBRUARY

    • THE GOOD:
      • Awesome client-facing experience (funny guy!).
      • Documentation for mobile is on-point!
      • First network PT went well.
      • CISSP studying going well.
    • THE BAD:
      • End of month - the project was severely underscoped, had to do way more as a junior; no help from partner (who was a principal).
      • Needed to pull in extra resources to get API test to done
    • THE UGLY:
      • The report for the project was late because we ran into issues early in the project.
  3. MARCH

    • THE GOOD:
      • Learned a lot about passive recon.

        VHosts - 1 server, multiple hosts (IPs / websites).

        PTR Records (reverse DNS lookup) - A PTR record is a "pointer record"; querying it returns the name for a given IP address.

      • Be quiet; no active interaction with the host; recon - learn as much as possible about the external footprint, looking for host names, CIDR subnets, and domains.

        Following any kind of a scan, be sure you save it and upload the data to Engagements.

        Access-Control-Allow-Origin is missing - that it's missing is intentional; it keeps the security tight, blocking cross-origin AJAX calls.

    • THE BAD:
      • CISSP Studies - need more practice. Struggling a little bit to keep up.
    • THE UGLY:
      • rookie-mistake no. 1 - Had a report go out where I forgot to update the TOC until late.

        Whenever there are any kind of structural changes to the report, where headers are renamed, always always always update the TOC right before pushing it up for review. How did it happen? We got hung up in the details of the bigger finding, made sure all pertinent details that mattered were in, and I forgot to update the TOC.
  4. APRIL

    • THE GOOD:
      • Holy Week .. lots of reflecting and gratitude for the good job
      • Spent a lot of time with our home-grown Vulnerability labs ... good practice with API testing, CORS, etc.
      • Moving through API training with great success; Active Directory home lab completed; Finally got a blog post published.
      • Lots of compliments on the documentation revamp.
    • THE BAD:
      • rookie mistake no. 2 - as mentioned .. not updating the TOC;

        rookie mistake no. 3 - During the meeting with the client a JS vulnerability was recorded with no corresponding CVE.

        It was found during the call (a proper search). How did it happen? Not searching diligently enough.

        rookie mistake no. 4 - I reviewed a report I had helped write.

        The feedback was for the new content. Per the process, anyone who collaborates on a report, or helps to write it, cannot be a reviewer

      • Another quiet week not on a billable project.

        Feeling a bit worried / vulnerable / insecure about my work. And with taking off on 6/25, it moved me off a project making me on the bench from the end of May through June and beyond. I've been assured things are going to pick up, but I've heard that before ... it didn't end well.

    • THE UGLY:
      • rookie mistake no. 5 - As I had completed several blog posts, one of them set off alarms.

        The repositories I was referencing were NOT for public use.
      • Mentor has been MIA for quite some time. Without his help/guidance, been feeling like I'm drowning. Truism: No one is coming to save you!
      • Some steps in the client-provided documentation were missed. Something to do with sign-up .. can't remember
  5. MAY

    • THE GOOD:
      • Got to see Mom for her birthday!
      • Had a productive week where I got to help
      • New project with my "AWOL mentor" and favorite API wizard
    • THE BAD:
      • Things started to come unglued after the ZERO report.

        rookie mistake no. 6 - I tested the file upload component on the website like QA, not HACKER. In so doing, I uploaded a link from an app that should absolutely NOT have happened. It led to finding a vulnerability, but because of the way this was tested, I presented the likelihood of introducing risk to the client and putting SI in a bind. As it were, the component was inadequately tested. I've corrected this mistake, but this was bad!!

      • rookie mistake no. 7 - failing to follow process.

        I thought the report was good-to-go, and in my hubris, put it up for review. The report feedback was scathing and the CEO torched it. Although it was collaborative, and it could have been done better, the authorship fell on me as the primary agent responsible for it. NO BUENO!
      • New project the following week, and everything went well until the report. It took several rewrites and a lot of late nights to get it to done. Another situation where I was the author and bore the full responsibility, but it was collaborative and others had issues as well. Can you see the pattern? Things were getting worse for me.
    • THE UGLY:
      • Bad became worse as my two blog posts were shredded beyond hope. I completely missed the assignment.
      • Concerns were raised regarding my performance. I was not excellent and had failed on many levels.
      • Beginning of the end for me ...
      • KEY TAKE-AWAYS FROM A BAD MONTH:
        • The client comes first.
        • The report is a receipt of services rendered along with being a statement of competence in the service provider. You cannot fail them.
        • Always follow the process and be transparent about when things are being done; report readiness.
        • Be Humble. You're not as good as you think you are. There's always room for growth.
        • Do better.
        • Ask lots of questions; clarifying questions that help you do your job better.
        • Get better with the tools (i.e., Burp Suite Pro) and technology (Windows, AD, Networking, etc.).
        • Time is money. Don't waste it.
        • Revisit the Portswigger labs and re-learn.
        • Learn from this and move on. Don't dwell in the failure of the past.
  6. JUNE

    • THE GOOD:
      • Last week in May -- Trip to Jacksonville to meet the CEO, and co-workers.
      • Progressively getting better with report writing, but more work still needed. Manager sees significant improvement. Good job!!
    • THE BAD:
      • The trip was a PIP in disguise. Fell way behind on career progression to the next level.
      • Failed to meet expectations - performance was subpar.
      • First Friday of June - 86d.
    • THE UGLY:
      • I hated having to go to work to hear that I have cultural issues that need attention; my work is in jeopardy ... again!
      • I hated the hotel I was at.
      • Lost the best job I've had in a long while and have only myself to blame. The first two weeks were a nightmare.
      • It's taken me a solid month to process the loss, and from it I finally got to confront the final element of what has been holding me back.
  7. JULY

    • THE GOOD:
      • Nothing good so far.
    • THE BAD:
      • Four weeks and no Unemployment Money yet.
      • 25 jobs applied to so far, 8 rejections, not one phone call.
    • THE UGLY:
      • Job Market for 2025 is without a doubt the worst ever!!
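The three passive-recon notes from March above (one server hosting many virtual hosts, PTR records as the reverse of an A record, and a missing Access-Control-Allow-Origin header blocking cross-origin AJAX reads) in working code. This is an added example, not code from the original post or from Secure Ideas; the DNS records and HTTP headers it uses are constructed inline, and it performs no network lookups, so it runs offline.

```python
"""Passive-recon helpers (added example; all input data below is constructed).

- group_vhosts(): the VHost observation: several hostnames resolving to one IP.
- reverse_pointer_name(): the PTR query name a resolver asks for a given IP
  (built with the standard library; no DNS query is sent).
- cors_read_allowed(): the browser-side decision of whether a cross-origin
  script may read a response, which is why a missing
  Access-Control-Allow-Origin header blocks cross-origin AJAX calls.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Mapping

# Constructed A records for a made-up engagement scope (hostname -> IPv4).
SAMPLE_A_RECORDS: Dict[str, str] = {
    "www.example.test": "192.0.2.10",
    "api.example.test": "192.0.2.10",   # same server as www: a virtual host
    "mail.example.test": "192.0.2.20",
}


def group_vhosts(a_records: Mapping[str, str]) -> Dict[str, List[str]]:
    """Invert hostname->IP into IP->[hostnames]; any IP with more than one
    hostname is a single server serving multiple virtual hosts."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for hostname, ip in a_records.items():
        by_ip[ip].append(hostname)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def reverse_pointer_name(ip: str) -> str:
    """Return the in-addr.arpa (IPv4) or ip6.arpa (IPv6) name that a
    reverse-DNS (PTR) lookup for `ip` would query. Raises ValueError on a
    malformed address, so bad scope input fails loudly."""
    return ipaddress.ip_address(ip).reverse_pointer


def cors_read_allowed(origin: str, headers: Mapping[str, str],
                      with_credentials: bool = False) -> bool:
    """Mirror the browser's CORS check for reading a cross-origin response.

    `origin` is the Origin the browser sent; `headers` are the response
    headers (names compared case-insensitively). With no
    Access-Control-Allow-Origin header at all, the browser refuses to hand
    the response body to the calling script.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if acao is None:
        return False                    # header missing: read is blocked
    if acao == "*":
        return not with_credentials     # wildcard never pairs with credentials
    if acao != origin:
        return False                    # allows some other origin, not ours
    if with_credentials:
        # Credentialed reads additionally need the explicit opt-in header.
        return lowered.get("access-control-allow-credentials", "").lower() == "true"
    return True


if __name__ == "__main__":
    for ip, hosts in group_vhosts(SAMPLE_A_RECORDS).items():
        tag = "VHOSTS" if len(hosts) > 1 else "single"
        print(f"{ip:<12} {tag:<7} {', '.join(hosts)}  PTR query: {reverse_pointer_name(ip)}")
    no_acao = {"Content-Type": "application/json"}   # constructed response
    print("cross-origin read with no ACAO header allowed?",
          cors_read_allowed("https://attacker.test", no_acao))
```

The CORS helper is the part worth keeping near a test plan: when a response carries no Access-Control-Allow-Origin header, that is the default-deny state, and it should be recorded as expected behaviour rather than a finding; the cases that deserve a closer look are a reflected Origin or a wildcard combined with credentials.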

    No question this was a longer recap than I anticipated. I am eternally grateful for the chance at getting to work in pen testing for as long as I did. I learned a metric ton and made some invaluable connections. Met amazing people and I have nothing but the utmost regards for the opportunity. I am stronger, smarter, and wiser as a result. Yes, there were a lot of mistakes. The kind of mistakes that could have been avoided with the proper guidance. Sadly, that's been the story of my life: figure it out or fail forward and learn the hard way.

    Wife has been super-supportive, despite calls for divorce, which I half expected. Having a steady paycheck and benefits was awesome. Getting fired from a "prayers answered" job hurt like hell. Still does. But the experience was immeasurable .. and despite the mistakes, I am better for it.
