Unless this is your first day looking at Information Security, Cyber Security, Ethical Hacking etc., I expect you already know him; only you probably know him by his other name, ‘The Cyber Mentor’.
I am a follower of Heath on his YouTube channel and have been for a long time now, since I discovered the ‘Networking for Ethical Hacking’ series of videos around about a year ago, and I am contemplating getting the ‘Windows Privilege Escalation for Beginners’ course, so you might see a review on here soon enough.
Anyways, if you haven’t already, go subscribe to the channel, join the Discord server, and follow on Twitch for some streamed teaching and CTFs too.
You are very prominent across pretty much all the platforms you are on socially. Which was the first one to really take off? Was it YouTube, and did the rest follow suit?
Yes, YouTube was the first platform that took off for me. Every social media platform was sort of its own grind that also grew as the other platforms grew. The first platform I joined was YouTube. I believe I started in February of 2019 and started to gain some traction on the platform in June or July of 2019. The other platforms followed suit, but YouTube still remains my biggest follower count.
I was looking over your LinkedIn and was shocked to see all this kicked off in 2014, which really does not seem like all that long ago. When did you start to get into the ethical hacking/cyber security side of things?
I started my first help desk role in December of 2015. I heard from a co-worker that you could get paid to hack, which sounded amazing, and I instantly became obsessed with the idea. I went home that night and started Googling everything that I could about the profession. I figured out what skills, certifications, background, etc. were important and immediately began applying my studies to those skillsets. I believe I compromised my first machine sometime in early 2016, passed a bunch of certifications (A+, Net+, Sec+, Linux+, CEH, and CCNA) before getting my OSCP and OSWP in late 2017. I became a penetration tester full-time in early 2018 and never looked back. So, from the start of my IT career to a full-time pentest job in just about two years. I’m living proof that if you work hard and study harder, you can accomplish your goals in short time periods.
Being the founder and, I am assuming, still the boss man at ‘TCM Security’, which focuses on Penetration Testing, Security Auditing & Consultation plus much more, this must take up a huge amount of time alone. How do you manage to fit in the teaching through courses, YouTube videos and going back to Higher Education, which I believe you are away to do?
This is a tough question and I’m not sure that I’m the best to give healthy time-management advice. I am lucky if I get six hours of sleep on most nights and tend to be studying when I am not working or creating content. I am very passionate about everything that I do, so the long hours do not really feel like work to me. What advice I can give is this:
First, make sure that you make time for yourself and your family. I spend an hour every morning with my wife before she goes to work. I tend to work during normal working hours and then I’ll make sure I spend time with my wife again when she gets home and until she goes to bed. On top of this, I make sure to take time for myself. This could be as simple as going for a run or playing video games. It could also mean taking a day or two away from working and studying for a mental break. Breaks are important and family time is important.
Beyond this, I find it helpful to make a to-do list and prioritize it. Sometimes, it helps to do a few small tasks and use it as a snowball effect to tackle bigger tasks. Additionally, I only try to work on or study topics I’m interested in, as it helps me to not be bored. Again, if it does not feel like work, time flies and you can accomplish quite a bit.
In my new day job (which I absolutely love) I get to do some Blue Team work, scoping around in Windows ATP and stuff like that. In my spare time I also spend time taking red team courses (along with the blue team ones), using TryHackMe and Hack The Box too. How important do you think it is to know the skills and functions from both sides of the coin in Red and Blue?
I believe knowledge from either side is incredibly powerful. You often see blue teamers take red team courses or certifications (such as the OSCP) in order to better understand the offensive tactics that they are up against. I believe this to be true from the offensive side as well. Some of the most valuable lessons I have had in my career have been sitting alongside defenders while running offensive operations. It helped me understand what attacks of mine were being detected and helped me be stealthier overall. The defenders also saw benefits in that they understood their baselines and how they could improve upon them when bypassed.
Overall, I believe some of the best red teamers are those who were blue teamers first (and vice versa). If you only expose yourself to one side, then you are limiting yourself to half of the picture.
You have launched ‘TCM Security Academy’ recently, and OK, I will let you have a little sales pitch here, mainly because I am interested too. I really like using ‘Station X’ and quite regularly take courses from them (I have reviewed a few on the site), as well as using ‘CodeRed’, ‘Hakin9’ and ‘Udemy’. How will ‘TCM Security Academy’ differ from these places concerning content and such?
This is a great question and the platforms you have mentioned are all very solid. The difference that we are trying to bring to the market is quality courses at affordable pricing. You can often find quality courses that are very expensive and courses that are affordable, but not that great. It’s hard to find a combination of both, and that’s where we come in. Our courses are geared towards practicality, where one can learn what real-world hacking is like without spending $1,000+ to do so. To be honest, even the four-figure courses often teach a capture-the-flag style approach versus one that will help students land a job.
The other differentiator we bring is instructor quality and reputation. Sites like Udemy allow anyone to submit a course and when a student is browsing for the best learning option, he or she could easily be presented with a thousand or more courses to choose from. With the Academy, students know the instructors are hand-picked and world-class. A student does not have to worry about wasting money on an unknown course. We pay our instructors better than any other platform and have a strict selection policy on who we bring in.
The bottom line is that a student can come to TCM Academy, spend a very small amount of money, and receive top-quality education from some of the best instructors out there without having to shell out thousands to do so.
I am seeing you frequently giving courses for free and really great discount codes for your stuff. Do you think there is a large amount of people being priced out of learning the subject, and even from getting a good grounding on the basics?
Yes, absolutely. Certification platforms are becoming more and more expensive. It seems that most of the major platforms have increased their pricing within the last year. This makes it increasingly difficult for students from low-income households and low cost of living countries to receive a quality, affordable education. A lot of these students have to hope for a scholarship or hope to find a job that will pay for this training. Our mission is to help eliminate these barriers. By releasing some of our courses for free, we help level the playing field and deliver knowledge to students who otherwise would not have access to it. I hope to see more organizations join in this mission moving forward.
A question and a thank you here. I was starting to get imposter syndrome in cybersecurity and was debating in my head if I even deserved to have this site, even if it is aimed at beginners, but at that time you released a video called ‘The Truth About Impostor Syndrome’ and it was exactly what I needed to watch at that time, so thank you. When did you decide to release the non-tutorial videos, and was there any specific reason, as I like them just as much?
Thank you! I’m really glad to hear that you enjoyed the video. For me, content creation has always been about making content that makes me happy. My channel started out as strictly ethical hacking tutorials, but I thought that it could have a lot of potential if I included more “real-world” videos too. These videos were less technical or non-technical at all, but offered insights into business, the cybersecurity industry, and motivation for those looking to get into this field. I started sprinkling these in around June of 2019 and made my channel about 50% non-technical once I hit 100,000 subscribers. Surprisingly, my non-technical videos do far better from an analytics perspective than the technical ones. People seem to enjoy them and I enjoy making them, so I think it’s a win-win.
Watching one of your videos, I had a thought that you would be great at ‘Bug Hunting’, have you ever thought about trying it?
I have thought about it, and have earned about $13,000 this year on bounties, but I am a very data-driven person. From my perspective, bug bounties are an incredibly competitive and saturated field. The major bounty platforms have been around for five or more years and we only recently started hearing about people crossing the million dollar lifetime earnings mark. Those people are the best of the best. They are the 1%. Not only are you competing with them, but you’re also competing with individuals from countries where the cost of living is low and a $100 bug finding is amazing where I expect to earn that in an hour as a penetration tester.
So, as an American with a high cost of living, when I evaluate how I can best spend 40 hours of my time, I think of it like this: I know that I can earn $100/hour working on a penetration test. That’s a guaranteed $4,000 minimum and that’s a contractor rate. At a business rate, it is closer to $250/hour and $10,000 for a week’s worth of work. In 40 hours of bug hunting, there is absolutely no guarantee that I can achieve that. Additionally, the variance in bug hunting is high. You could have dry spells without any findings, which would add anxiety and stress about money that I personally would not want. I prefer the stability of being a penetration tester. The earnings ceiling is undoubtedly higher as a bug bounty hunter, but at a greater risk. I’d rather be risk-averse and take the guaranteed money.
What are the blogs, Reddit Channels etc that you really like to follow if any in the cybersecurity world?
Here are some of my favourite subreddits, podcasts, and blogs:
Lastly, with 2020 coming to an end and it being so productive and rewarding for you, what are the plans for 2021?
Honestly, my plans are to just keep grinding. There is so much room to grow from a business and content creator standpoint. My plans are to continue to grow the consulting side of the business and hire more employees on that front. I also plan to continue to release new courses quarterly on the Academy side of the business. We are currently in talks with some great creators and I am excited about the content that is upcoming. We hope to have an exam option out early in 2021 along with more advanced content. From a content creation standpoint, I have some exciting plans for the YouTube channel and Twitch streams that are coming up. I can’t say much, but I am really excited.
The other focus is absolutely going to be personal growth in 2021. I am hoping to get into a PhD program and continue my learning. I also have to make sure I stay happy and healthy.
It’s all going to be a grind, but it’s one that I am really looking forward to!
Here is where you can find him.
- YouTube = https://www.youtube.com/c/TheCyberMentor/videos
- Website = https://thecybermentor.com
- Twitter = https://twitter.com/thecybermentor
- TCM Academy = https://academy.tcm-sec.com/
- Discord = https://discord.com/invite/RHZ7UF7
- Twitch = https://www.twitch.tv/thecybermentor
- Instagram = https://www.instagram.com/thecybermentor/
Take it easy.