My Journey in Cybersecurity
A podcast interview with Anuj Singh (rayofhope)

(Used Grok to ensure everything makes sense. Turns out, it's better than the actual transcript: no filler words or wrong grammar.)
I recently had the pleasure of joining Anuj Singh (his LinkedIn) on his podcast. Anuj is a security consultant at KPMG India, and we had a great conversation about my background, career transitions, content creation, and advice for aspiring cybersecurity professionals. I've transcribed and formatted our discussion into this Q&A-style post for easy reading. If you're interested in offensive security, AppSec, or starting your own venture, I hope you find some inspiration here.
Link to the full podcast on YouTube (Anuj's channel).
Link to the YouTube Shorts on my channel:
- Avoid free resources as a beginner (in cybersecurity)
- Cybersecurity certificates make you replaceable
- How would I start from zero to be a pentester in 2025
Introduction and Background
Anuj: Hey William, thank you for being with us. Can you introduce yourself, take us back to your beginning, what sparked your interest, and how did you start your cybersecurity career?
William: Sure, thanks for having me. I'm a cybersecurity professional from Hong Kong. In my last job, I was a penetration tester, and currently, I'm building my own startup focused on application security for clients. As for how I got started, it's simple: I love breaking rules and I love computers, so cybersecurity was a natural fit. The spark came in high school when I hacked the local admin restrictions on our school computers. I Googled how to extract SAM and system hashes, cracked them and got the admin password, and bypassed all the controls. That kicked off my journey.
From Corporate Life to Startup Founder
Anuj: Cool, so you're transitioning from an employee role to starting your own company. What motivated you to go from being a corporate guy to becoming a founder?
William: My last company was a big corporation, and it felt like it went against everything I enjoyed as a hacker. I wanted freedom and creativity, which are hard to find in that environment. After leaving, I joined a smaller, hacker-run consulting firm that was vibrant and perfect. But I felt there were changes needed in cybersecurity—like better quality services and more awareness. Staying there meant focusing on projects and revenue, not real impact. So, I jumped out to start my own thing, emphasizing that security shouldn't be an afterthought. It needs to be integrated into development to protect against threats like ransomware.
Content Creation and Helping the Community
Anuj: You're a great content writer with humor in your posts. How do you choose what to research and write about? Is it based on industry trends, curiosity, community needs, or gaps you see? What's your approach to helping the cybersecurity community?
William: Over the past year, I've been active on LinkedIn, following people and reading posts to gauge industry directions. When I spot something I like or dislike, ideas flow. For example, people complain about vulnerabilities from "vibe coding" (like in the Tea incident where sensitive info got exposed). I see the root issue as a lack of knowledge on what and how to secure. We need to make that common knowledge, especially for beginners building products.
Anuj: I've read your blogs—they're impressive, covering topics like RCE and other commands. I'd suggest everyone check them out. Now, with the shift toward automation, how do you see the evolution of cybersecurity tools? Are we moving fully to automation, or is manual testing still king?
William: I've been watching exploit development and automation tools closely. The consensus among leaders is that tools should assist pentesters, not replace them—turning a 10-day pentest into a 5-day one. This way, you serve more clients without layoffs. Even advanced tools like those in XBOW miss vulnerabilities that humans catch. Relying solely on automation could harm businesses by overlooking critical issues.
Staying Updated and Prioritizing Learning
Anuj: With rapid changes in security, how should professionals keep up? What sources of training do you recommend, and how do you prioritize what to learn next—based on industry demand or building a skillset to stay competitive?
William: This is just my advice—I'm a bit selfish and childish; I focus on what I enjoy. If you love researching something, you'll outperform others. Pick a niche you think will have demand, even if small, and go full speed. Don't worry about earnings; if you're great at a sought-after skill, you'll get paid. Relevance matters, but passion drives excellence.
The Value of Certifications Like OSCE3
Anuj: You've earned high-level certifications like OSCE3 from OffSec. How worthwhile is it? How did it change your approach to hunting vulnerabilities? For others considering OffSec certs, is it worth the investment, and what benefits did you gain?
William: It depends—if you're paying out of pocket, it's probably not worth it. But if an employer sponsors it, go for it. OSCE3 feels a bit outdated now, even when I passed it. However, I gained confidence from tackling hard material like OSED, and patience from slogging through boring parts (e.g., assembly instructions). Those non-technical lessons—confidence and patience—motivated me to try new things, like starting my company. They're more powerful than the tech skills.
Anuj: OSED is one of OffSec's toughest exams. What prerequisites helped you, like coding languages? How important is coding knowledge for someone pursuing it?
William: Two key prerequisites: familiarity with assembly language (I learned MIPS in university, which helped with x86), and comfort with debuggers. You'll spend 90% of OSED time in a debugger, attaching to apps, setting breakpoints, and reverse-engineering without source code. Those skills are crucial for success.
Advice for Beginners in 2025
Anuj: For someone starting in red teaming or cybersecurity in 2025—maybe fresh graduates—what path would you suggest?
William: I'm not deeply into red teaming, but for offensive security generally, build foundations in networking, infrastructure, and programming. It doesn't have to be your first job, but strong basics make transitioning easier.
Anuj: Beginners are overwhelmed with resources. For serious starters, where should they begin? How should they prioritize their learning path in this competitive era?
William: This might oversimplify, but avoid free resources and lean toward paid ones, even if cheap. When I started, I subscribed to TryHackMe for a month (about $15 USD) and learned skills that got me my first job. Paid content is often higher quality and more focused, saving time over scattered free stuff.
Anuj: If you had to start from zero in 2025—no knowledge, connections, or portfolio—how would you prepare and make yourself competitive in cybersecurity?
William: First, I'd question why cybersecurity specifically. (We discussed this, and Anuj shared his thoughtful reasons for choosing it over AI, emphasizing its enduring relevance due to human errors and evolving tech like blockchain, APIs, and AI security.) For me, I'd focus on foundations of what you want to hack—networking, system architecture, programming. Understand how things work before breaking them. For example, my system integrator experience made setting up labs easy. This advice holds for the next 10 years: master the basics to innovate beyond rote methods.
Reflections on Career Beliefs and Soft Skills
Anuj: Early in your career, what did you strongly believe that you now see as a waste of time? What would you prioritize instead?
William: I believed technical excellence alone—mastering coding and cybersecurity—would lead to high pay and influence. But it's not true; builders and sellers often achieve more. Now, I recommend learning soft skills like writing, public speaking, and presentation to keep options open beyond technical roles.
Anuj: People are getting multiple certifications. Is it worth investing in them, or does raw skill still have more value?
William: Certifications evaluate skills, making you replaceable (e.g., one OSCP holder leaves, hire another). They can get you jobs or raises, but focus on irreplaceable skills instead of just collecting certs.
Conferences and Building a Brand
Anuj: You participate in conferences like Black Hat. How does that help build your brand and personality in cybersecurity? Is it better than staying isolated?
William: I love Black Hat and DEF CON—the energy from like-minded people is invigorating. I made a friend there who inspired me to learn beyond cybersecurity. It's great for networking, but the cost and travel are demanding, so I'm undecided on going again.
Vision for Sechurity
Anuj: You've created Sechurity. What's your vision for building your brand, helping cybersecurity, and expanding globally or just in Hong Kong?
William: My goal is to push the industry forward by creating demand, especially in offensive security. Instead of competing in a saturated market, I'll offer compliance services integrated with pentests to generate jobs. I also want to use my platform to teach advanced techniques affordably, making knowledge accessible beyond expensive conferences or courses. Owning a company frees me to publish content consistently, which is tough with a day job.
Thanks again to Anuj for the insightful chat—it was a blast reflecting on my path. If this resonates, check out my other posts here or connect on LinkedIn. What's your biggest takeaway? Drop a comment below!
(Grok is not bad, huh? Thanks for reading the whole post. You're the best!)