
Security Chipmunks
From Sysadmin to Ethical Hacker: Phillip Wylie shares Skills, Labs, and Real-World Strategies
Want a real-world map into penetration testing instead of a maze of hot takes? We sit down with Phillip Wylie—offensive security veteran, teacher, and author of The Pentester Blueprint—to unpack practical paths that work today. Phillip traces his journey from sysadmin to consultant and shows how prior roles become leverage in security: command line fluency, networking instincts, audit rigor, and the ability to translate technical findings into business impact. If you’ve wondered whether you “must” start in IT, you’ll hear why transferable skills matter more than a single prescribed path.
We dig into how learning has shifted. Five years ago, home labs were the default; now, cloud-based platforms like Hack The Box, TryHackMe, and Antisyphon accelerate skill-building without the drag of fragile setups. Phillip breaks down which certifications best reflect hands-on ability—think PNPT, TCM’s junior pen tester, and OSCP—and how to structure your study with focused reps, thorough enumeration, and disciplined reporting. Expect honest advice about fundamentals over shortcuts, the value of repetition, and why a good methodology beats a bag of tricks.
Mentorship and community run through everything here. Phillip shares what successful learners actually do, how encouraging guidance can flip hesitation into action, and why showing up at B-Sides, OWASP, and local hacker associations opens doors you didn’t know existed. We also talk personal branding—publishing talks, write-ups, and even books—to make your progress visible and credible to hiring managers. You’ll leave with a weekly cadence you can start immediately: deliberate labs, concise notes, a study group, and one community touchpoint that compounds into opportunities.
If this conversation helps you chart your next step into offensive security, follow the show, share it with a friend who’s studying, and leave a review so more learners can find it.
Socials
- Join our Chipmunk community Discord server: https://discord.gg/9yfWP6evYQ
- Follow us on Twitter: https://twitter.com/SecChipmunk
- You can find us online at: https://securitychipmunks.com
It is from a property project for acquiring skills and potential to learn.
SPEAKER_01:Welcome to the Security Chipmunks Podcast, where we keep chipping away at it. I'm your host, Edna Johnson, and I'm here with Phillip Wylie. Welcome, Phillip. Tell us about yourself.
SPEAKER_00:Thanks, Edna. It's an honor to be joining your podcast. I appreciate you uh inviting me to be on. And for the listeners, pretty soon your episode of my podcast will be coming out.
SPEAKER_01:So yes, I am really excited about this uh podcast crossover episode.
SPEAKER_00:Yeah, that's one of the things, one of the things for folks out there that are into content creation, collaboration is one of the best things that you can do. And and collaborations can take different forms, but the kind of collaboration I think that's that's very advantageous is trading being on other people's podcasts or YouTube shows and stuff. So I think it's it's a really good way to get exposed to different audiences. Sometimes there's some crossover, and then sometimes there's some cases that you get introduced to some people that you otherwise might not have.
SPEAKER_01:Yeah, absolutely. And it's a good way for us to network and uh share information with each other's audience. So very glad to have you on.
SPEAKER_00:Yeah, good to be on this. And to I kind of detracted from what you asked. So for the for the listeners, uh, my background is in offensive security. So I've worked as a pen tester for over a decade, uh, been in cybersecurity for over 22 years. And prior to getting into cybersecurity, I spent six years as a system administrator in IT. So one of the things that I like to share with anyone that's trying to get into security is that knowledge that you pick up and skills and experience that you get in things like IT, different areas of IT, even help desk, is helpful when you get over to cybersecurity.
SPEAKER_01:Yeah, absolutely, for sure. The knowledge that you build up as you're uh going through your journey and and taking up jobs leading up to cybersecurity, they really help you when you get into the career. Um so when you were starting out, what what are uh some of the ways that helped you break into uh pen testing? I know that's a very exciting field, and a lot of people want to get there. So, how how do people do that?
SPEAKER_00:So, how I did it, and it's and it's gonna be different for it for everyone. I want to also preface it, preface my path to meaning you don't have to be doing this for X amount of years. You don't have to follow my exact path. Because whenever I got into pen testing, it was kind of a rare job. There weren't a lot of pen testing roles, and especially when I got into cybersecurity, so I started out as a sysadmin, spent the first six years as a sysadmin, and that was very helpful in uh experience for me because I gained knowledge and hands-on experience with Windows servers, Linux, uh networking systems. So all that information was very helpful. So once I become a pen tester, all the sysadmin skills gave me a big uh boost to help me learn the skills. Because one of the things I always tell people is you need to learn the basics because if you ever get a shell or command line access to a Linux or Windows system, if you don't know the command line, you might be able to get through it, but you're gonna be doing a lot of Googling and now uh using whatever ChatGPT or whatever to figure out what you're doing. You need that base level of knowledge. So uh for me, I started out IT, moved into the blue team side. So my first year and a half, I was in security, I was doing firewall stuff, I was managing intrusion detection systems. I was also uh doing risk assessments and vulnerability scans. I was working in this financial institution and they hired a new CISO. When this new CISO came in, he had a more modern idea of the way things should be done. So he split us up into different silos instead of everyone doing the same thing. And fortunately for me, I got put on the AppSec team. There were two of us on the AppSec team, so we were doing vulnerability scanning, and I managed the third-party pen tests because we would have pen tests done, and I would work with the consulting companies during those pen tests as well as work through the remediation. 
So I got interested in pen testing from that. And when I got laid off in 2012, so I got my first security job January 2004 within the financial institution I work for. And then by the time I got laid off in 2012, I applied for a role at Verizon for a consulting role as a pen tester. And so that's kind of how how I got into it, but it was leveraging this experience. And when I say you don't have to follow my exact exact path, I had students when I used to teach at Dallas College, teach pen testing. I had a student come in first week and he said, I want to be a really good pen tester, and but I want to get there sooner than you. Can I do it? And I said, Yeah, it's just more time and effort you put into things, the quicker you can learn. So you're not really limited to someone else, what they they've done. And about the second week, he comes back in and says, Do I have to read the book to the the textbook? And I said, Well, not necessarily. That just means you've got to spend more time in the labs getting the hands-on experience. But that's kind of how I did it. So you really need to really work on getting that fundamental IT skills because that's gonna help you across all sorts of areas. So if you were working in network security now, uh you hear it referred to as IT operations or security operations, you're gonna need to understand networking and operating systems to be able to configure firewalls. So that basic knowledge you gain is very helpful. And one of the things I like about security compared to IT is say, like, you're a database administrator and you decide now that you want to be a Cisco network engineer, that's a total retrain. You're probably gonna have to you'd be lucky if you don't have to take a pay cut to be able to learn that new skill. And then there's gonna be you have to learn all these new skills. 
But with pen testing or other areas of security, say like you came in from the GRC side and you were familiar with doing IT audits, that auditor mentality is gonna make you a better pen tester. So you're able to leverage those skills. You may have to take a lateral going into that role, but the skills you have are not lost. You've got things you can build upon. There's unique perspectives that you may have over uh veteran pen testers. So all those skills that you gain across other areas work. So it's not like a complete washout and retrain, or you have to take a huge pay cut. When you've got those skills, it's helpful. And then when you look at being a consultant, uh, some of the roles I've had, especially like at AT&T, we were able to do digital forensics as well as pen testing, but I enjoyed pen testing so much, and I was always worried that I'd be taken away to take care of incidents, you know, investigating incidents, breaches, and I thought I'd get pulled off on that and I wouldn't get to pen test. I like pen testing. I'm not ready to move on to something else. But the opportunities there were amazing. I had the opportunity to uh do like a secure SDLC software development lifecycle review. I'd never done that before, and our practice lead uh pointed me in some directions of some good uh resources for secure SDLCs, and I studied up on it and I did my first secure SDLC review. So when you're working in consulting, some companies are small enough that you're able to work across several different silos, you're not stuck in just one area and you get the opportunity to learn different things. So all of a sudden, now if you were someone with a GRC background, then that's gonna be helpful too because you got dual purpose, you're not just pen testing.
SPEAKER_01:Oh, yeah, that is fantastic information. Um, so in there you mentioned that uh your student uh asked about having to read the book. Well, was that The Pentester Blueprint?
SPEAKER_00:No, it's actually the the the uh class textbook because the textbook was that point we would we'd moved on to the the PenTest+ book. And one of the things I always try to do is I I feel like you should be honest with people, but sometimes I think as mentors, we need to be open-minded and encouraging first and not really try to discourage people. And when he came up that that second week and he says, Do I have to read the textbook? I'm thinking, Yeah, you wanted to be really good. Now all of a sudden you're trying to you're saying, I don't want to do this or or do that. Can I still succeed? But the cool thing was by me not discouraging him and telling him I didn't think he had what it took because if he's not really willing to put into work, I just supported him and he turned around. Uh, it was within a year later or something, he landed an internship as a pen tester. The thing about it was he wasn't like the best high-skilled student. Okay, but the thing was is he had the belief in himself and he applied for this pen test internship. So that's one of the things as mentors, we need to encourage people and not discourage people because sometimes people will. I've got I know veterans in the industry that have been in, you know, around the same amount of time I've been in or longer, and they're just so intent on, yeah, you've got to start out in IT. No, you really don't, because a lot of us had to start out in IT because there weren't security roles when we got started. They were very, very few. Most people that have 30 years worth of experience or more, a lot of cases came in through the government or something. Really, the government was only when they had dedicated security at one point. So I really think when you're mentoring people, you need to make sure to encourage them and not discourage because I could have came back and told him, yeah, you need to read the book. 
You know, if you really want to be really good, you know, we'd, you know, think back to adults from our childhood, and you know, you were asking for advice, and then you're trying to say, well, I don't want to do this and do this. You know, you'd get hard love sometimes when they say, if you really want to do this, you have to do this. And so I felt like nowadays we have to kind of communicate differently. And I think by me just supporting him, he had the confidence and courage enough to go apply for a pen testing role, and he landed a pen testing role.
SPEAKER_01:That's amazing. Very happy to hear that. And yeah, encouraging people is definitely the way to go and allowing them the chance to grow. Um, but I did want to ask about the the book that you wrote. So you wrote a book about pen testing. Um so that is I think it's been a f a few years now, but um that's been such a um a staple in you know people's library when they're learning pen testing. Um do you think writing the book helped you in your career? And and do you think it's still um something that that people value today? Uh are the concepts still like valuable in there?
SPEAKER_00:Yes. And it's interesting because it come this coming November, it's either November or December, we'll make five years that the book's been out. And so uh I think it's still valuable because the thing about it is only things if I if I had to make any updates to it, some of the things that will be updated would be uh certs have kind of changed, certification recommendations I might make a little bit differently. One of the things that I recommended heavily back then was to build a home lab, but I'm more of the mindset nowadays there are so many online cloud-based learning uh platforms and courses out there that I would focus on that. If you really need experience with servers and networking, the IT side of things, then building a home lab can be helpful. But some of the caveats to building home labs, and this is kind of like Georgia Weidman's book, because Georgia Weidman's book uh that was like actually that was the what I use for my textbook when I started teaching the class because her book came out about 2014 or so. But a lot of the vulnerable machines and labs wouldn't work because technologies have been updated, and she had to put some resources online where people could get the labs to work. And so, one of the things about my book is really not specifically uh teaching you setting up labs. So the it's still relevant because it's teaching you that you need the IT basics, some of the certifications, the things you need to do to learn pen testing, the things that you prerequisites you need before you start learning how to pen test. But kind of back to the lab thing, uh, I kind of started recommending more cloud labs because another thing I took from another experience I took from my own personal experience was one of the things I used to do as a side hustle is I used to have a business doing web design. And when I hosted my customers' websites, I had a server at home. 
I would take my older hardware and that would become a server because you're not running as many applications and you're just running a web server, so it doesn't take as much resources. So my old computer became my server, and I was hosting the websites on it. And one night I came home from work one night and I noticed the websites were down, and the hard drive had died on my server. The thing about it was I had all the source files and all the images and stuff on my computer, my main computer, but I didn't have an exact backup, so I had to go back, reinstall, put a new hard drive in the machine, go in, reinstall all the websites, set all that back up because I was hosting their email on that server. Uh the web server was on it, so DNS, everything was on that one server. So I got that back up and running, and I kind of learned, well, I really need to find a hosting company because that way I'm not spending time rebuilding a server, which I was working as a sysadmin, so I had all the experience I needed building servers. So where I needed to focus my time is building websites that was helping me build my business and make money. And so that was a learning experience there that I've kind of thought about in hindsight. If someone's needing to learn pen testing, learning how to hack, they need to spend that time and stuff like try the try, like uh TryHackMe, Hack The Box, Antisyphon's training, a lot of other great resources out there. That's where you need to be putting your efforts in. If you really need to learn the IT stuff, then you can build a home home lab and that type of stuff. But those are some of the things that's kind of changed. Some of the certifications out there that have changed is like the PNPT and the uh the also TCM Academy's junior pen tester certs. These are good certifications, and they weren't around when the book came out. 
And there's some certifications out there that are kind of gone away that were uh put on or hosted by other companies that are kind of got bought out, and the names, titles of the certifications changed, some of the certifications have gone away. So those are a few of the things that have really changed, and that's one of the things I like about the book is it was the things you need to get started in pen testing. And this was based on my experience mentoring people that wanted to get into pen testing. I did that before I started teaching at Dallas College, and the book is actually based on my lecture that I gave the first day of class, which turned into a conference talk for our B-Sides DFW, B-Sides Dallas Fort Worth, in November of 2018. And then I gave that conference talk several times, and I was in the Tribe of Hackers Red Team book, and Wiley Publishing asked me if I had any ideas for books, and and I wanted to write a book based on the Pentester Blueprint. Excuse me. But any rate, so I wrote the book and I wanted to help other people. And the reason that kind of motivated me that there needed to be a book written on a subject, I was giving this talk so many times, and every time I gave it, there was always a lot of people that had not heard the talk. I was on the CFP review board for a conference, and one of the things they were saying on the CFP review board, has this talk been given before? And I thought, we really shouldn't discount talks because they've been given before, because people there may have not had, maybe someone gave that talk at, you know, B-Sides Orlando, but people here in Dallas hadn't heard it. So you want just because it's been given doesn't mean not to accept the talk. And that idea made me think, you know, there's a lot of people that still haven't heard my talk. There are people they're not part of the cybersecurity community or I'm not connected with. So this information they may not otherwise find. 
And I thought a published book in libraries, in bookstores, online booksellers like Amazon, people can find that, that they have no connection to cybersecurity. I thought this is a good way to get the information out there. For selfish reasons, I didn't think it was going to be making that much money. I didn't think there'd be a lot of money writing a book. So my selfish reasons were professional brand, just to build my own brand. And it was a huge success. I mean, a lot of people, when they see that you wrote a book, they see that you're a subject matter expert, and it just lends a lot of credibility to you. So personal branding and just me being a subject matter expert, it helped kind of emphasize that. So it was huge for my career.
SPEAKER_01:That's fantastic. I I'm I'm really glad to hear that because like I I know I don't know if I knew about your book first or about you first, but like I know that you've had a lot of success with that book. Um and it's a great resource for people. I definitely recommend it to people that are interested in going into pen testing. Um, so you mentioned your mentoring people and uh so for those that are breaking into pen testing now, like what are the patterns in people who are successful that you you notice, or what are things that people can do to become successful in in this uh career?
SPEAKER_00:I'm glad you asked me that question because taking uh an example from my class teaching at Dallas College, the students that did really well were the ones that spent a lot of time in the labs. They really took the labs seriously, they really worked on those hands-on opportunities, and those were the ones that went on to get pen testing jobs. The ones that didn't were the ones that really didn't put much effort in the lab or much effort into the class. But one of the things I saw, and this one of the things that also saw too, is some people didn't get it as easy. Maybe they weren't as tech savvy. I had a guy in the class that's probably around my age, and this gentleman would sit there and do the labs and go over them over and over again to learn, and he learned. So it's just a lot of uh repetition and putting in hard work. You put in the work and you get those hands-on skills down, those are the people that are going to succeed. If you skimp and try to take shortcuts, it's gonna be more difficult. But one of the things I've seen that's that has been huge in a lot of successes of people even outside of the school is spending a lot of time in labs doing like Hack The Box and TryHackMe. Uh, I know people that were preparing for the OSCP that they were just doing a lot of uh Hack The Box, and it made it a lot easier for them to pass that exam. So, hand regardless of what area of security you're going into, make sure to get those hands-on skills because that's usually where people don't get the roles, is because they don't hands on have hands-on experience. If you can get your foot in the door to get that interview and you're doing enough hands-on activities and doing enough to educate yourself, you're able to answer some of those questions, even regardless if you don't have real-world hands-on experience.
SPEAKER_01:That that's an excellent answer. I definitely think that uh practicing is the the way to go to build up your skills. And the more hands-on keyboard experience you have, the better off you are. Um and you mentioned your your local B-sides and other B-sides as well. Do you think going to uh conferences and participating in uh cybersecurity events around you is is helpful to people?
SPEAKER_00:Um that is very huge. I highly recommend it. And one of the things we have to look at too, uh, I'm a big fan of B-Sides because they're low cost to free. Our local B-Sides has been going on, I think this is coming up on the 11th year. We're only like one year behind B-Sides Las Vegas, I believe. So they started a B-Sides here rather quickly. Uh, but those are really good because the nice thing is, like I said, they're either free or low cost to attend. People there that are that attend that are experienced and stuff really love community and want to help others. So it's a good way to find mentors, uh, people that you can start a study group with, share information with, and and don't leave it just to the conferences because if you have you may have a local B-Sides, you only get to attend that once a year. Find like your DEF CON groups, your OWASP groups. Uh you have hackers associations in Dallas. We have Dallas Hackers Association, which was inspired by Austin Hackers Association, which inspired a lot of other hackers associations. And then OWASP groups, there's also your ISSA, ISACA, and some of these more uh professional type groups. But take advantage of those because thing I'd used to do was when people would come to me looking for junior pen testers. If I knew people in the community, I knew their skill set, what they wanted to do. When recruiters or companies would come to me for resumes, I would include the resumes of some of the other people I knew because I knew their skill set, uh, I knew what they wanted to do, and I knew they were a good candidate. So I'd pass on the resumes and I helped some of them get jobs, some of their first pen testing roles because of that. So when you're attending these meetups or these conferences, don't be shy in the corner and not say anything. 
Let people know who you are, what you're doing, what you want to do in cybersecurity, some of the certifications you're working on, or what you have, your educational background. Share that information so they have some kind of idea about you, and they're more than likely to refer to you or share opportunities with you.
SPEAKER_01:Wonderful. Thank you. Uh, where can people find you online if they want to connect with you?
SPEAKER_00:Probably one of the best places is going to be LinkedIn. Uh, so just Phillip Wylie on LinkedIn. Also, my uh my website, thehackermaker.com. And on there you can find all the links to my social media and also my YouTube. And on my YouTube channel, I've got a playlist that's called Ethical Hacking and System Defense. And those are lectures for my classes at Dallas College, uh, my pen test class lectures, so people can see that content for free as well as they can find my podcast.
SPEAKER_01:Oh, wonderful. That's a great resource. Thank you for sharing. Well, thank you for being on the show today. And thank you, listeners, for joining us.
SPEAKER_00:Thanks for inviting me.
SPEAKER_01:Yes, absolutely. Um and listeners, please uh make sure to like, comment, and subscribe, and we'll see you next time.