My goal is clear and it has been from the moment I chose this field: I want to be a penetration tester.
Not because it sounds impressive — but because offensive security is the discipline that genuinely excites me. The methodical process of thinking like an attacker, finding the weaknesses that defenders miss, and demonstrating the real-world impact of vulnerabilities to organisations that need to understand their risk — that is the work I want to do every day.
My background in defensive security at The Royal Mint gives me something most offensive candidates do not have: a deep understanding of how the blue team thinks, what they detect, and where the gaps are. The best penetration testers understand both sides of the equation. I am building that foundation deliberately.
The path is structured and realistic. By the time I move into penetration testing I will have commercial cyber security experience, a clean certification progression through to OSCP, and a specialism in web application security that reflects the real-world investigation work I do today.
The endpoint is not just penetration tester. It is team lead, then principal level. The kind of career where I am shaping how an organisation approaches offensive security — not just executing tests, but leading the thinking behind them.
"Take your time, focus on what genuinely interests you, and avoid comparing your progress to others. Cyber security is an evolving field, and embracing continuous learning is essential." — Ross Wills
Web application security is my natural specialism — shaped by daily AppSec investigation work involving XSS, SQLi, CSRF, SSRF, and more at The Royal Mint.
The BSCP and OSWE certifications will formalise that specialism. A web app pen tester who understands both the offensive and defensive perspectives of web vulnerabilities is a rare and valuable combination.