Logan it's been 5 months, what happened?

It's been a while since I've made a blog post, sorry about that, but a lot has happened since we last talked. For starters, I made one of the greatest achievements in my life thus far. I have finally gotten my OSCP from Offensive Security after a long 3 three years of dedication - more on that later. Other than intellectually challenging feats, I can finally say I can bench 225 pounds, in fact I'm currently at 245 max bench! Another big achievement was getting experience as a security consultant working at RSM.

Now that's out of the way we can get to the juicy deep thought stuff that people love.

OSCP

Ah yes the dreaded OSCP exam. I don't think there's anything I've done that has more hours dedicated to it than the OSCP. I did my first attempt in my freshman year of college about three years ago - back when Buffer Overflows were still part of the exam. If you put in the collective experience of studying, building projects, and doing REAL corporate work, I have to have over 2500 hours at least dedicated to offensive security. Okay so I've put all of this work in and got my OSCP, so what's the big deal?

Unfulfillment

I was so excited when I first saw the email that said I finally passed that I about fell out of my chair! It was so great, the thing I've been chasing for three years now was in the palm of my hand.

Fast forward a week later, and I'm disappointed.

Why is this happening? You should be ecstatic about what you accomplished, take a vacation you deserve it.

I thought the exact opposite.

My immediate thought was "there's people my age, even younger, that's making incredible Red Team tools, finding insane CVE's, working at some of the best security companies in the world, why am I not there yet?" This was constantly looping through my head and was driving me insane.

I've always struggled with feeling underachieved, but this was an all-time high.

What am I going to do?

I wanted to do something that no one had ever done before. So using my knowledge I set out to research different EDR platforms. I've always liked creating complex solutions to evading EDR in Red Team engagements, but I've never had my own technique for stuff like shellcode injection, AMSI/ETW patching, User-land hook bypasses, etc. This pissed me off.

It took me 3 weeks to realize that I didn't have the skills required for security research. I may have my OSCP, but that does not directly translate to security research.

I'm missing a couple of MAJOR knowledge checks:

• Operating System Architecture
• Reversing (How did I not think of this)
• EDR Architecture

I have a basic understanding of these three skills, enough to slap a bunch of techniques together to evade major EDR platforms, but it's not enough to make novel findings.

Here's where I'm stuck.

As much as I love cybersecurity, it takes YEARS to be great. That's how it is for a lot of aspects in life, but especially cybersecurity. Is this something I really want to do?

Security Wizard or Entrepreneur?

There's something else really bothering me other than the feeling of being underachieved within cybersecurity.

The itch to build a multi-million dollar company solving REAL issues.

I miss building a startup so bad. I spoke with a buddy of mine the other day who made a huge leap: he dropped out of college and started his own marketing agency. Incredibly proud of him, it takes balls to do that, and he's already seeing lots of success.

This just amplified my itch for entrepreneurship by ten tons! The late-night coding days, the adrenaline rush from brainstorming new ideas, seeing results from beta users, I missed every second of it.

I do think there's a major link between research and entrepreneurship. People who like these activities love the impossible. They want the challenge, they want to do something no one else has ever done.

Now again, what am I going to do?

While writing this, I honestly had no idea what to do. However, a conversation I had with one of my colleagues made me realize this: It's not a one-way street! I may be driving on a path but it doesn't mean I can't get off. This helped me realize that I can walk two paths at once. Maybe one day I'll focus on security research and another day I'll build my personal brand and push forward my entrepreneurial goals. Just because I can't write a zero-day in a week or have a thousand users on an app, doesn't mean I won't ever be able to do it. Sure, could I have possibly gotten a thousand users on an app sooner? Who knows, I'm in no rush. As long as I'm dedicating time to my goals, I know I must be getting better.

It might be a simple lesson, but it's easy to forget and dig yourself into a hole. Social media apps like TikTok & Instagram are burning people's dopamine receptors. If you're trying to do the impossible, you have to discipline yourself to push past immediate gratification.

That's all for now, the next time I make a blog post it will be amazing, mark my words. Hope you enjoyed reading!