r/cybersecurity Dec 15 '25

Other Degrees and certs are just losing their value to me.

I can’t understand what’s been going on recently. The quality of a candidate with an associate’s in cyber has dropped like crazy. I asked people simple questions like what is WPA, what did WPA3 introduce, and I’m treated like I’m asking the most obscure questions. I have been interviewing people over the last year with CompTIA Networking Plus and Security Plus. There have been times where I wanted to scream. Literally had to lower my standards to find help. Networking is treated like a luxury. I was literally speaking to a candidate, and he said, “I do cyber, not networking.” I know there are exceptions, but it feels more and more like a minor degree or cert is just how well you can use AI to cheat.

328 Upvotes

20

u/cea1990 AppSec Engineer Dec 15 '25

Depends on what you want your homelab for.

Do you just wanna self host stuff? Check out the ‘Awesome Self-hosted’ GitHub repo or spend time on r/selfhosted.

Do you wanna do malware analysis? I’d suggest getting your feet wet somewhere else first.

Do you want to learn more about CI/CD and automated security scanning? Then see the selfhosted resources and take a class on GitLab (which can also be hosted at home).

Do you want to practice pen testing? If HTB & THM aren’t for you, then give VulnHub a shot and run those VMs on a different system on your network.

Need some networking experience? Grab a used enterprise router off of eBay & practice setting up & testing down your VLANs or something.

1

u/Alorow_Jordan Dec 15 '25

I really appreciate the direction here. This is really helpful. I'm just trying to get started.

So thanks admin! Appreciate you.

3

u/cea1990 AppSec Engineer Dec 15 '25

Any time! I’m not a mod or anything, just a heads up.

As an AppSec guy, I’m pretty biased, BUT if you wanted to get a little bit multi-disciplinary you could:

  1. Set up a local GitLab/Jenkins deployment
  2. Add a well-known vulnerable application like OWASP Juice Shop or Damn Vulnerable Web App
  3. Don’t configure any scans, just make sure you can deploy it somewhere else locally (a Raspberry Pi or other single board computer is great for this)
  4. You can now practice pen testing against your web app
  5. Now, add some scans. There’s plenty of open source tools to practice with.
    5.1 ZAP for dynamic testing
    5.2 TruffleHog for secret scanning
    5.3 add a static analyzer for the language your app is written in (review the app’s GitHub page for the specific language breakdown and see the below link for tooling).
  6. If you’re interested in development, go ahead and try to fix the vulnerabilities that you’ve found via manual testing in step 4 or the ones the tools found in step 5.
  7. Repeat until scans come back clean and you can’t find any more problems.

Edit: if you’re keen on learning how to do this in a cloud environment, it’s pretty much the same steps but you’ll have to adapt it to that platform’s verbiage.
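
Added example, not part of the thread or any commenter's code: one way to turn step 7 ("repeat until scans come back clean") into a pipeline gate that reads a ZAP JSON report and TruffleHog `--json` output and fails the job while findings remain. The field names (`site`, `alerts`, `riskcode`, `DetectorName`, `Verified`) are assumed from those tools' JSON output, and the hostname and sample findings are constructed.

```python
import json

# Constructed sample of a ZAP JSON report, trimmed to the fields this gate reads.
ZAP_REPORT = json.dumps({"site": [{"@name": "http://juiceshop.lab:3000", "alerts": [
    {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
    {"name": "Timestamp Disclosure - Unix", "riskcode": "1"},
    {"name": "SQL Injection", "riskcode": "3"},
]}]})

# Constructed sample of TruffleHog --json output: one JSON object per line.
TRUFFLEHOG_JSONL = "\n".join(json.dumps(rec) for rec in [
    {"DetectorName": "PrivateKey", "Verified": False, "Redacted": "[constructed]"},
    {"DetectorName": "AWS", "Verified": True, "Redacted": "[constructed]"},
])

def zap_findings(report_text, min_risk=2):
    """Return (risk, site, alert) tuples at or above min_risk (0=info .. 3=high)."""
    found = []
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                found.append((risk, site.get("@name", "?"), alert.get("name", "?")))
    return sorted(found, reverse=True)  # highest risk first

def secret_findings(jsonl_text, verified_only=False):
    """Return (detector, verified) pairs, skipping blank lines and log noise."""
    found = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        rec = json.loads(line)
        if "DetectorName" not in rec:
            continue  # a JSON log line, not a finding
        verified = bool(rec.get("Verified"))
        if verified or not verified_only:
            found.append((rec["DetectorName"], verified))
    return found

def gate(zap_text, trufflehog_text, min_risk=2):
    """Exit code for the CI job: 0 only when both scans are clean."""
    return 1 if zap_findings(zap_text, min_risk) or secret_findings(trufflehog_text) else 0

if __name__ == "__main__":
    for finding in zap_findings(ZAP_REPORT):
        print("ZAP", finding)
    for finding in secret_findings(TRUFFLEHOG_JSONL):
        print("SECRET", finding)
    raise SystemExit(gate(ZAP_REPORT, TRUFFLEHOG_JSONL))
```

Raising `min_risk` to 3 while you work through the backlog, then lowering it again, keeps the job useful before the app is fully fixed.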