The following article is a discussion about helping you to best utilize your military skills to successfully transition into the commercial space.
Author: Conner Buell, Sr. Penetration Tester
I am proud of my military service. I was able to serve my nation and earned a plethora of great opportunities and skills because of it. That being said….. I couldn’t wait to get out of the military! In the months leading up to my final day, I grew increasingly excited, but lurking anxiety began to crawl up. “Will I be able to find a job? Do I have the right skills to work in a commercial environment? Maybe I should stay in the military or be a defense contractor. That way, I won’t have to relearn everything I know and look like a fool.” As I drew nearer to fulfilling my contract, these questions and thoughts popped into my head. Doubts like these are not exclusive to me; nearly every veteran goes through a similar bought of self-doubt and worry. So, to any veteran or transitioning service member reading this, I would like to reassure you that you have all the tools at your disposal necessary to make this transition, and though you may not know it yet, you are primed to thrive.
Another useful trait you have likely developed through your time in the military is adaptability. Many service members in the field of Cyber Warfare, myself included, have been thrown around a hundred different work roles and been expected to simply “figure it out.” While frustrating at the time, this certainly makes an individual quick to pick up new skills and an effective problem solver. It also provides you with a wide breadth of knowledge across the many domains of cyber security. All of which will come in handy. To succeed, penetration testing requires a diverse knowledge of many different environments, systems, toolsets, and technologies. Rely on your generalist mindset, incorporate strategies and techniques from your various experiences and adapt them to your new environment. You may test the wireless security of a law firm one week, an internal test on an ICS/SCADA system another week, and a web application test for a bank the following week. The number of skills necessary to succeed across all these domains is incredible, so having a wide area of knowledge and the ability to adapt quickly is essential. Your ability to adapt and overcome in any environment will be a game changer and allow you to excel in the ever-evolving field of penetration testing.
“Rely on your generalist mindset, incorporate strategies and techniques from your various experiences and adapt them to your new environment.”
When speaking with fellow veterans and service members involved in cyber, a theme that is commonly brought up is that they feel they do not have the knowledge or experience to successfully make the transition to the commercial sector. I certainly understand these feelings as I myself struggled with them during my transition to commercial penetration testing as well. Some service members believe their skills are too specific to the military, that they use different tools than the commercial sector, or even that their training was inadequate, and they do not have much of the requisite knowledge to move to commercial pen testing or similar fields. Many of these fears can be chalked up to imposter syndrome or simply doubt. Very few cyber-related work roles are so specific to the military that you cannot find a commercial use case. In fact, you may find that you are one of a select few people with the knowledge and experience to do some of the rarer types of penetration testing, including satellite or cellular testing. Many companies would be eager to hire anyone with experience with these technologies, which are often less common among testers with a civilian background. If you have a specialized or unique set of skills, investigate the commercial applicability before simply writing it off and shooting yourself in the foot without exploring an opportunity to succeed.
The next common fear is that most of a service member’s experience is with toolsets specific to the military or federal agencies. Again, I sympathize with this fear, but it is not something that should hold you back. You will be surprised to find that many of the technologies you used during your military service have very similar commercial alternatives that require only a minimal adjustment to become proficient. To prepare yourself, do some research on common penetration tools and their functions. You will be surprised that many of the tools you used in your early training are the same tools used in commercial Pen Testing environments. Familiarize yourself with these tools to make life easier on yourself both during the hiring phase and after you have secured a job. Even if there is not a similar commercial tool to what you are accustomed to, the important part is that you understand the fundamentals of how certain scans, attacks, systems, exploits, and payloads function.
Many service members feel as though their training or knowledge is inadequate. From my experience, the training, especially early on in your career, is superb. It was just so long ago you forgot how much you learned. At the very beginning of most cyber warfare service members’ time-in-service, they attend a grueling cyber security course. Those who have participated in this course will remember that this is a six-month course, eight hours a day, every day, learning cyber security and computer science fundamentals. This provides many cyber warfare service members with a profound understanding of foundational knowledge about computing, cyber security, and more. A course that can provide someone with such an in-depth yet broad knowledge of cyber security is difficult to come by in the civilian world. With the exception of certain university programs, you will be unlikely to find a course that will better educate you on the prerequisite knowledge necessary for working as a Pen Tester or other related cyber security field.
If you are a service member that still has some time in service and is thinking about transitioning to Pen Testing but do not feel knowledgeable enough, then use one of the many military training programs you have access to. The Army has the COOL ( Credentialing Opportunities On-line) program. This program will provide you with a system to find and pay for certification programs. Assess what skills you feel you lack the most and use the program to educate yourself. Other branches have similar credentialing assistance programs as well. Many Commands will also have vouchers available for various certifications, talk to your supervisors to see how you can claim one of these vouchers. Additionally, the Department of Defense (DOD) has the Skill-Bridge program. This program is designed specifically for the purpose of assisting you in transitioning to the commercial sector. The program allows a service member to work as an intern for a civilian company for up to six months; all while still being paid by the DOD. similar commercial alternatives that require only a minimal adjustment to become proficient. To prepare yourself, do some research on common penetration tools and their functions. You will be surprised that many of the tools you used in your early training are the same tools used in commercial Pen Testing environments. Familiarize yourself with these tools to make life easier on yourself both during the hiring phase and after you have secured a job. Even if there is not a similar commercial tool to what you are accustomed to, the important part is that you understand the fundamentals of how certain scans, attacks, systems, exploits, and payloads function.
By no means is this post meant to convince service members to leave the military. The intent here is to clear up some doubt and properly explain the opportunities available to service members who would already like to separate. In fact, I would say to those wishing to start a cyber-security or Pen Testing career but have no experience or means to educate or certify themselves that the military can be a wonderful way to break into the field while serving your nation. You can enter the military with almost no computing or security knowledge whatsoever, and leave with all the essential knowledge, traits, and social habits necessary to enter the cyber security field and thrive. So to all the service members reading this. You have a professional appearance, demeanor, and manner of speech. You have timeliness, sensibility, and adaptability. You have excellent cyber security knowledge, training, and certifications. You have many military programs you can leverage to round out any skills you are missing. You are prepared, ready, and able to make this transition. Get after it! Check in with Redbot Security Careers Page!
Conner brings 6+ years of military cyber operations experience and served as a Cyber Operations Specialist with the work roles of Special Activities Team (SAT) Technician, Expeditionary Cyber Operator (ECO), Information Operations Operator, and Pilot Operator. Conner emulates malicious actors and provides the customer with the knowledge necessary to prevent a security incident before it happens – Simulating Real World Attacks – Before they Become Real…
Senior Level Hands-on-Keyboard
Manual Testing
Get a Project Quote
Becoming proficient in Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) network testing can appear daunting as there are fewer learning resources.
While penetration testing is valuable in identifying technical vulnerabilities, red teaming provides a more holistic assessment by simulating realistic threat scenarios. By embracing red teaming, organizations can bolster their defenses, uncover weaknesses, and stay one step ahead of sophisticated adversaries.
Today, cybercriminals have plenty of entry points to exploit. Therefore, it has become crucial for organizations to improve their attack surface visibility to have more effective protection. This is where attack surface management (ASM) comes into play. This article will explore all about attack surface management (ASM), including its importance, working principle, and benefits.
Cybercriminals are ditching malware and exploiting trusted tools already inside your systems. Learn how Living off the Land (LotL) attacks work, and how to stop them.
From API-server exploits to supply-chain threats, this checklist shows how the best penetration testing companies harden Kubernetes. Boost resilience now.
The FBI released its FY 2024 IC3 Annual Report on April 24, 2025, detailing 859,532 complaints and a record $16.6 billion in losses. In this post, we highlight how phishing, BEC, and cryptocurrency fraud continue to surge, why ransomware remains a top threat to critical infrastructure, and which demographics are most at risk. Plus, discover Redbot Security’s proven strategies,from manual penetration testing to red teaming, that can help you turn IC3 data into actionable defenses.
Malicious actors prey on weak configurations like locusts. Microsoft, despite knowing that their operating systems, have inherent weaknesses have done little to enhance their initial security outside of remediation for publicly known vulnerabilities.
The following article is a discussion about helping you to best utilize your military skills to successfully transition into the commercial space.
The following article is a discussion that explores JavaScript Web Tokens
The following article is a discussion that explores Wave Behaviors to Locate Wireless Access Points and Devices
Should an Employee Report Security Incidents Involving Family Members? Is your business or job at risk if a bad actor gets access to your family. Will they gain access to you?
The likelihood of a cyber attack on a mobile platform is significantly high, but how difficult is it for a malicious actor to generate malware? You might be surprised.
Insecure Direct Object Reference (IDOR) vulnerabilities pose a significant risk to the security of web applications, allowing attackers unauthorized access to sensitive data and functionalities. By understanding the implications of IDOR and adopting secure coding practices, web developers can protect their applications and users from potential exploitation.
Mass Assignment Vulnerability occurs when a web application allows users to submit a more extensive set of data than is intended or safe. The potential consequences of this vulnerability can be severe
Attackers can manipulate the serialized data to execute malicious code, compromise the application, or gain unauthorized access.
Kerberos Authentication Service Response (AS-REP) Roasting, a technique similar to Kerberoasting, has gained prominence as a method for attackers to compromise Active Directory (AD) authentication systems.
Machine Learning (ML) is a subset of AI, and, more than likely, closely aligns with what we consider to be AI in the media.
Recent reports of significant cybersecurity layoffs in the United States have raised concerns about the nation’s preparedness to defend against cyber threats
While plenty of articles cover the Modbus protocol with varying degrees of detail and usage, this article aims to examine the Modbus protocol with an offensive security lens.
What is an API? APIs, including local and remote, come in various forms and are fundamental to modern software development. They serve as the bridge between different software components, enabling them to work together seamlessly.
Active Directory Certificate Services (AD CS) presents various security risks for organizations. This article will help you understand a Relay Attack.
Client-side desyncs are a class of browser-powered HTTP smuggling attacks. What you need to know and how to prevent a malicious actor from taking advantage of this vulnerability.
As a Senior Penetration Tester, I’ve witnessed firsthand how OSINT can be the linchpin in the security posture of an organization.
Through repeated random sampling, allows us to simulate a wide array of social engineering attacks with a depth and breadth previously unimaginable.
Is your security team sharing sensitive data unknowingly?
Our nation is under attack and overwhelmed. Modern Security teams face numerous challenges in managing network and application security effectively.
Our nation is under attack and overwhelmed. Modern Security teams face numerous challenges in managing network and application security effectively.
Increasingly, investors see proactive cybersecurity spending as a hallmark of strong corporate governance. It can be factored into how they value a company’s resilience and risk profile
With data breaches surging by 68% last year alone, cybersecurity has evolved from a low-key technical matter into a defining issue demanding top-level attention.
Cymbiotic Hive: The Simple, Rapid-Deployment Solution to Access Management
Redbot Security’s senior-level cloud security team brings years of expertise in AWS, GCP, and Azure security. Our approach is rooted in manual-controlled testing and deep-dive security analysis, ensuring that we uncover hidden vulnerabilities that automated tools often miss.
Internal network penetration testing is essential for identifying security gaps within an organization’s infrastructure. Attackers exploit misconfigured permissions, weak credentials, and unpatched vulnerabilities to escalate privileges and move laterally within networks. A thorough penetration test helps uncover these risks before they are exploited, ensuring stronger security controls, improved access management, and compliance with industry standards. Redbot Security’s expert-led penetration testing provides in-depth assessments to fortify your internal network against evolving threats.
Understanding NIST 800 and Its Impact on Penetration Testing Requirements.
From pipelines and water systems to power grids and transit networks, U.S. critical infrastructure is under siege. With CISA budget slashed, is a national cyber disaster inevitable?
Redbot Social