Gustavo Bobbio-Hertog

Gustavo Bobbio-Hertog

Penetration Tester

Road So Far

5 minute read

Update

This past month has been very busy. I started a new job, participated in two CTFs, worked on my blog, learned how to use git, got an AWS certification, and started an Ethical Hacking course on Udemy.

Although I want to jump in and tell you everything new that I’ve been learning, I want to take a step back and tell you more about how I ended up where I am. I plan to post about my new experiences in the coming week.

My Career So Far

Level 0: Noob

I graduated high school and college with a Networking AA in 2015 with the help of a program called Running Start. This program allowed me to attend college during my junior and senior year. I was able to fulfill all my high school and AA credits. This and other opportunities allowed me to finish school with my CCNA, CCNAS, IC3, and lots of MOS certifications. The challenge I faced was not having any work experience, so as soon as I turned 18, I dove right in.

Level 1: Noob in training

Soon after I turned 18, I got my first job. I worked as a contracted Dispatcher at T-mobile’s NOC. The job overall was simple. When an alarm came in from a cellular tower, a ticket was created and routed to a troubleshooter. A troubleshooter will then analyze the alarm and send it to a Dispatcher who then contacts a local engineer to fix the tower. All in all, the job was very easy. Most of the time I was digging around T-mobile’s online training and guidelines. I ended up getting promoted to a troubleshooter, but by that time I had made the decision to move careers. I came to the conclusion that I didn’t want to continue in the cellular networking path, as my initial passion was for computer networking. Additional to the career path change, the 12 hour shift made it extremely hard to do classes at my college. During my time at T-mobile, my local college came out with a Information Security BA, and soon after I applied for it. In the meantime, I was also contacted by Mindtree and was offered a full-time job!

Level 2: Novice

Mindtree was a vendor for Microsoft. After some shuffling, I was placed in the Azure Networking Support team. I loved it. It was one of my favorite learning experience as I was able to use my academic skills to use. Our team was tasked to do Tier 5 and 4 network support cases and I got to work 1 on 1 with Azure customers with their networking issues. The troubleshooting aspect of this job was what I fell in love with. I encountered simple issues from subnet misconfiguration to troubleshooting Site-to-Site IPSec Step 1 misconfigurations. I was so excited to learn everything. I had an awesome team and was rapidly learning. But as soon as I knew, I got contacted by AWS to join as a full time employee. I could not give this up.

Level 3: Intermediate

The AWS Abuse team intakes abuse related reports from AWS ip range or resources. Abuse ranged from traffic related to content related reports. This job got me introduced to abusive behavior of the internet. The amount of spam emails that I had to review… although, it was a fun job! I joined the team as a Customer Support Technician. I gained experience on training new hires, creating SOPs, and developing metric dashboards. Beyond the new soft skills that I gained, I started doing more research on network security and tracking abusive account behavior. I hit another career change dilemma, I found it extremly hard to move up the ranks within the Customer Support organization and knew I needed to find a position that will allow me flexibility to grow within the security field. Soon after, my dad told me that the Information Security team at Amazon was hiring a Tier 1 Support Engineer. I took this opportunity and jumped into the Information Security organization. This is where my road began within security.

Level 4: Profficient

I joined the Information Security Governance team as a Support Engineer. My main task was to handle policy interpretation questions. I gained so much experience working on this team: constructing guidelines, wikis, automated metrics, and training material. The position gave me a vast amount of visibility on projects around Amazon and my specialty was classifying data. I worked closely with the Compliance, Assurance, and Tooling team for Information Security, and this put me in contact with lots of amazing compliance folks. During my time in this team, I was able to attend two SANS courses and became certified in GCIH and GPEN. This is when my aspiration to become a Security Engineer began. Although I gained a vast amount of skills within the policy team, I needed to decide between continuing in the compliance world or pursuing a chance to join a technical security team. During this transition time, I graduated in 2019 with my BA in Information Security, taught myself Python, and began to get comfortable using Linux distros. This is when I was provided a chance to join Amazon’s Application Security team: my most exciting career choice yet!

Level 5: Professional

A few months ago, I became a part of Amazon’s Application Security team. Although I joined as a Support Engineer, I inspire to become a Security Engineer. The Detections team within AppSec focuses on dynamically and statically scanning Amazon for vulnerabilities. With an awesome team of Security Engineers to guide and mentor me, I also began my own self-study. This is how this blog began. As I continue to learn and grow within this industry, I want to document the steps I have taken in the hopes that I can help readers like you. Hopefully, my journey in becoming a Security Engineer can show that you can make it too.

In the coming year, I aspire to reach the level of “Hacker”. Although the level system above is my own fabricated scheme (And approved by my wife). I will consider myself an Ethical Hacker once I have passed my OSCP and become a Security Engineer at Amazon. Granting, that will just be the start of my career as a Security Engineer (A Hacker Newbie). I can’t wait to learn.

You may also enjoy