A few months ago we heard from Jason Leighton, a former soldier with 14 years of military service under his belt with 1st Battalion the Duke of Lancaster’s Regiment. In this blog we catch up with him to find out how he’s got on with his cyber security training and how he’s faired on the job market.

It has now been near enough 2 years to the day that I returned from a training exercise in Kenya and properly started my resettlement. I wanted to celebrate the fact that I have now been employed within my chosen job industry for nearly 2 months by writing a blog about my journey.

After 11 years in the infantry and during my time as an instructor at ITC Catterick I decided that I needed to make a break from being an infanteer and look at other careers within the military. Just short of 2 years later, having passed every stage along the way to become a pilot, including a 4-week flight grading assessment, I was rejected by the Air Corps pilot selection board.

It seemed like I was stuck in the Infantry. My unit was based in Cyprus and I was hoping to stay in the UK until they returned so I attended a pre-course for senior Brecon up in snowy Otterburn. It was a week into this that I made the decision to leave the army and turned down a place on the January course.

After a lot of thinking over Christmas leave there were 3 main questions to be answered: 

1: Where to live/buy a house

2: What job to get

3: When to sign off

I decided that financially I wasn’t in the best place to leave the army and that if I waited a bit longer the conditions would be better. I decided to forge ahead with a plan to complete Senior Brecon that summer but begin formulating my escape plan.

I looked at my finances and calculated how much I was spending on different things each month. I then created a cash-flow forecast spreadsheet of all of my income and outgoings (who knew something learnt at school would actually be useful). This spreadsheet made it easy to figure out how much I could expect to put down as a housing deposit and what salary I would need to earn in order to stay in the green. 

I would play around with it by adding in different salaries, factoring in estimated army reservist pay and seeing how long I could go without earning anything. I decided to have an ’emergency fund’ of 6 months living costs that was not to be touched. That way if it took longer than planned to find a job or I needed to pay for emergency roof repairs etc then I could take it all in my stride. After all you never know what’s waiting for you just around the corner.

I re-joined my battalion in Cyprus for around 3 weeks before getting a place on senior Brecon. Whilst on the Brecon course I was receiving extra allowances, plus there was no time to spend any money. This helped boost my savings by a good amount and I was able to start looking at mortgages. During the course I was also able to use a Standard Learning Credit (SLC) which I topped up to get a BTEC level 5 in leadership and management to strengthen my CV. 

3 months later I had finished 3rd on the promotional course and had firmed up my plan to exit the army (while others were conducting planning estimates I was conducting estimates on leaving the army. Odd on a career progression course I guess!) Where to settle down was decided due to my main hobby of skydiving. I picked a town with 3 cities within a 30-minute commute and only a 90 min train journey to central London. It is also 30 minutes away from my favourite drop zone and I had a few friends living there too. 

Career-wise I thought my main options were either health and safety (think NEBOSCH) or something managerial. I also vaguely considered IT as I had always enjoyed fiddling around with my laptop and playing around with different programs, though nothing too in depth. Sign off date? Well in a few weeks it would be 13 years to the day that I had joined up so I went with that.

Back to battalion it was and just in time for the unit move back to the UK. In the short time before we left the island, I was able to have a chat with the IERO (resettlement GURU) and learn a lot more about the process. He also sign-posted me towards the army skills offer and I bagged some more leadership qualifications free of charge.

A few short weeks later back in the UK and it was time to sign off. 13 years and 2 days after joining the army I went onto JPA and joined the ‘7-clicks to heaven’ club by putting in my early termination notice. 

At this point I wish I had done things a little differently. Because I knew that there was a plan in place, I relaxed a bit whereas I should have been chasing down interviews and getting booked onto resettlement courses.

I spoke to Alex over LinkedIn, a Late Entry officer I had worked with and who had recently left the army. He gave me lots of good advice around networking. This was the first time it was really explained to me how LinkedIn worked. He mentioned professional CV/LinkedIn profile writers. “I definitely would if I was you mate, one of the best things you’ll spend £200 on during this journey”. He even wrote a quick example note to send along with connection request’s and helped me draft my first ever LinkedIn post. The last piece of advice was to save a copy of the job advert and CV for every job application, so that I could re-read them if I made it to interview.

I still hadn’t decided on a set career path but attended career fairs and spent hours researching online and reading through resettlement magazines shortlisting possible careers and the relevant qualifications. During this time, I came across an event called “Cyber Re:Coded 2018”. Advertised as a 2-day career and skills event in London aimed at bringing people together to learn about the cyber industry and how to join it. Now at this point I had never heard the term ‘cyber-security’ but it looked interesting and was loosely to do with IT, right?

The event itself was incredible. It was the first expo event that I had ever been to and here I was, wearing civvies and planning my future career path. The main thing that struck with me was that all of the speakers and all of the people I spoke to sounded really passionate and driven. I listened to as many speakers as possible and was able to meet and ask advice of many of them after each talk. I made my way around near enough every stand during the intermissions, picking up leaflets and asking advice as I went. On the first day I managed to hit 25,000 steps, a new personal record. The next day I was back at it again, trying to speak to everyone all over again.

During the event I made a decision. This is the career I want, now how am I going to do it? From all of the questions that I had asked I now knew that there are these things called blue teams and red teams. Lots of information is available for free online (I wrote down many different websites). There are also many veterans within the industry and I should join something called ‘TechVets’. Most importantly it can be a long journey to join the career so lots of focus, motivation and dedication are needed.

That weekend I pored over all the notes I had taken, the leaflets that I had picked up and the business cards I had been given. I made a list of websites to visit, qualifications to research, job titles to learn about and I sent many connection requests on LinkedIn and applied to join a TechVets cohort (whatever a cohort was). I also organised picking up the keys to my first house and moving in the following weekend. A busy time.

A lot of my research had told me that CompTIA A+ is a good place to start as it forms the basis of everything to come. I started using Cybrary to watch learning videos at quiet times through the day, in the evenings and even on the coach during a trip to the range.

When I finally had the ability to book CTP courses I was disappointed to find the CompTIA Network+ and Security+ course was booked up. I settled for a 2-week A+ course and a 2-week CCNA course instead. And a 3-week property maintenance course but that was just for fun.

I was given free access to immersive labs courtesy of TechVets. This coincided with being tasked to go and work in an ops room in Warminster for two weeks. In my downtime I completed 44 labs in 8 days. It was my first real taste of anything cyber, enjoyable and addictive. 

Upon my return to the real world, I carried on studying and continuous research. I almost used one of my ELCAS credits on a course that required me to spend £1000 of my own money. However, when researching all of the certificates and learning, it worked out cheaper to learn it all online for free and buy the exam vouchers separately. So, with this in mind I decided not to use an ELCAS just then. It turned out to be a poor decision as one of the qualifications was the much raved about CEH. Sadly, I still do not hold that qualification.

I then deployed to Kenya on my last military overseas exercise. Whilst in Kenya there was little I could do to study or research online so it was a good mental break. I did take a couple of books to read through including, “The Hacker Playbook” and O’Reilly’s “Network Security Assessment”.

Upon returning from Kenya, it was a chance to finally focus on my resettlement properly. I had booked courses and tried to make the most use out of the various grants available to me. I used up all available travel warrants on the courses, used my full IRTC allocation and had already used that year’s SLC. I tried to plan as far ahead as possible and bought a large wall calendar to help me visualise everything and check it all lined up. All of my GRT days and leave days were planned. Now was the time to make it all happen. I also spent 4 weekends completely re-doing my garden as a mental break from studying.

Mark Milton (one of the TechVets founders) reached out to me on LinkedIn asking if I wanted a free ticket to CrestCon 2019 in London. I jumped at the chance and attended the event, again speaking to lots of people and listening to as many speakers as I could. I was able to thank Mark personally for the ticket and meet a number of fellow TechVets in the VIP lounge after the event. Once again, I was able to speak to others who had made the transition and add to my ever-growing list of learning resources.

Over the next 3 months I avoided work as much as possible and sat in my room learning through Cybrary and Immersive Labs as well as more research and planning. I attended a 3-week property maintenance course and managed to get to another expo, this time in Manchester.

My last day in unit came along quickly and then I was actually living in my own home. I attended the A+ and CCNA courses, purchasing discounted vouchers for the CompTIA A+, Network+ and Security+ in the process. I also went on a 2-week skydiving trip abroad during terminal leave to celebrate my new freedom.

On the 4th September 2019, 14 year and 3 days after joining the army and 1 year 9 months after deciding to leave the army, I was a civilian. 7 days later I was on a 2-week reservist annual training exercise as part of 3 Royal Anglian. 

Back home my time was spent in a mix of studying, redecorating my spare room, applying for entry level IT jobs, skydiving holidays abroad and reservist training. In late 2019 I was given a place on a 2-week offensive security course courtesy of Crucial Academy starting in January. The knowledge prerequisites were higher than my current knowledge so I spent near enough a month straight on Cybrary panic studying in time for the course.

The 2-week offensive security course was tough and I felt underprepared. There was so much information in the first week to take in that I would stay late in the evenings trying to catch up on that day’s learning and I spent most of the weekend in the classroom too. The instructor was really good and recognised that I needed a bit more help than the rest so a big thanks to him. The second week was more practical and I carried out my first ever ‘hack’ using the famous eternal blue exploit.

We were advised to book the CPSA exam as soon as possible before forgetting everything that we had just learnt. Doing so also meant that I had a date to aim for. So, lots of studying and revision later I managed to achieve my first cyber security qualification, the Crest CPSA.

Attending Crucial Academy had kick-started my learning in a way. Prior to attending the Crucial Academy course most of my studying had been aimed at A+, Net+ and Sec+. Now I had more advanced knowledge and started to practice using tools such as nmap, burpsuite and metasploit. Crucial Academy’s course also highlighted some rather large knowledge gaps so I purchased a handful of courses on Udemy such as the ‘complete Linux course’ and ‘kali Linux 101’. In hindsight these would have been extremely useful before the course, but it is what you make of it and I now had a much better understanding of using Linux. No more would I be trapped in a VI editor. I also bought Heath Adams ‘Practical Ethical Hacking’ in one of his many sales. The topics were similar to crucial only I now had a stronger knowledge base and I could pause the video, rewind and google anything I was unsure of.

During this time, I also came across John Stephenson on LinkedIn, creator of the forces transition group. He was a great help in turning my CV into a professional looking document free of any military lingo. Being a veteran himself, he offers this service free of charge to other veterans. He, along with many others before, reinforced the necessity of networking. I began almost shamelessly sending connection requests to anybody with the job title that I wanted or who worked at a company of interest. I was also starting to run out of savings so began putting in 3 days a week at the army reserve centre.

As I continued to grow my network and study, I realised that my CompTIA vouchers would soon expire so I booked all of the exams. The first part of the A+ exam I managed to fail by a few points so I cancelled the other A+ exam and focused on Security+ as it seemed more fun than Network+. As Covid-19 hit my exams were postponed. I kept revising for them as well as playing Hack the Box, learning via  ImmersiveLabs, and spending many hours gardening and even building a work bench into my shed (cue 2 weeks of woodwork projects).

As the pandemic evolved, I was able to sit the Security+ exam remotely. Due to the number of notes on the walls of my spare room it was simpler to set up an ironing board at the foot of my bed and sit the exam there. I managed to achieve a pass. I was continuously applying for online courses and was able to attend a Splunk training course courtesy of TechVets, a day of python coding courtesy of ‘teach the nation to code’ and many online seminars. TechVets were able to get me a space on a 12-week virtual internship with the cyber security academy focused on ‘the threat within’. This course gave me a real understanding of WFH and working with others over video calls to complete projects. It was also a 12-week internship to add to my CV.

I began working my way through ‘over the wire’ and started back 3 days at the reserve centre. Around this time the power of LinkedIn kicked in and I came across a vague job description that would “suit ex-military personnel”. I got in touch, was interviewed, and then a year and a day after leaving my unit I began paid employment for the first time managing a mobile COVID-19 testing site.

As I started my new job things were getting busy. 10-hour shifts didn’t leave much study time but the four days off did. My time off was spent on Hack The Box, scouring the internet for job vacancies and applying for any and all cyber jobs within commuting distance. 2-weeks into my new job I had also passed the Network+ exam.

4 months later it was starting to feel like a job within cyber was never going to happen. I had been on a few job interviews (including one where I was at home isolated with a positive COVID-19 test), even tackling an assessment rig, but no job offers so far. The 4 days’ work, 4 days study mixed in with various online and physical reserve training were starting to drag. 

I decided to do something different so planned to have a new boiler fitted and re-decorate my kitchen. I have always found bits of DIY can be enjoyable and yet still feel productive so don’t I feel bad about forgoing any studying for a week or two.

A slot became available for a CRT exam so I booked and began panic revising once again. I spoke to a number of people and due to the NDA, they couldn’t disclose a huge amount but I did receive some good advice such as time management (5 points is 5 minutes), having notes easy to search and any commands typed out so that I can copy and paste. 

I was lucky enough to win a 2-month premium voucher for TryHackMe courtesy of TechVets so I used the platform to practise using the tools that I thought would be on the exam and also completed some boxes to help boost my confidence. The learning was addictive and I was awarded a 30-day streak badge, even with all of the painting going on.

During this panic study time I came across a LinkedIn post about a junior pen tester job and, having requested more information, decided to apply and sent in my CV.

Early in December and feeling rather nervous I sat the CRT exam. What a rush that was. It was kind of surprising that I actually knew what was going on and how to answer most of the questions. A few I wasn’t sure about so I moved on immediately as there is no time to waste. Post exam I went to the nearest restaurant and grabbed a beer, I ordered food as well as the area was in tier 2. I decided that my results were going to be close. I hadn’t failed miserably, but was nowhere near a high pass rate, I had either scraped it or was just under the pass mark.

Upon arriving home, I re-read through all of my notes. This helped to jog my memory and I wrote down as much as possible of what I either struggled with or wasn’t sure on. This was a tip from Joe at crucial and works well, I knew what to improve on for the next exam (which hopefully would be sooner than 3 years away) and for improving my skill-set in general.

A week later my exam results were back and unfortunately it was a fail. I was 4.5% below the pass mark so my prediction was right. It was ok as I now knew what to improve on and was planning on taking a second monitor to help me be even more time efficient.

Later that same morning, I attended a job interview which seemed to go pretty well. Afterwards I ripped up my kitchen floor and started prepping for a new one as the last part of the kitchen refurbishment. Mid-task I received an email offering me the job. It had finally happened, 3 years after deciding to leave the army and just over 2 years after deciding upon a cyber career, I had my first cyber security industry job offer as a junior pen tester. I just needed to get the floor finished and then I could celebrate.

In January 2021 I started my new job with Hedgehog Security. Temporarily fully remote due to current COVID-19 restrictions and working in a tiny 4.5m3 office space in my spare room. The future is looking good, I get on well with the team, I am enjoying what I do and I will re-sit the CRT exam when lockdown 3.0 is lifted. Later this year, I will be moving in with my girlfriend and will have a bigger office space (I just need to persuade her that 3 screens are needed).

So, if your company ever needs a pen test then consider Hedgehog Security, it may even be me doing your test and who wouldn’t jump at the chance of that?

LinkedIn currently seems full of people who are starting on their journey towards cyber security and I wish them all luck. If I can change careers from an infantry soldier having no technical background to a junior pen tester then anyone can.

If, like I did, you have decided upon a cyber career but have not yet picked a specific area then use sites like Immersive Labs and TryHackMe to have a go at everything and see what you enjoy doing. This will help you decide what career path to choose. Have a plan pencilled out and update it as you receive new information. Write down what certifications you want and research if they are worthwhile, job adverts can be a good place to see what qualifications are required.

Everyone already knows that they need drive, determination, networking and lots of time spent studying. There are other things to consider as well. Remember that this is a marathon, not a sprint. If you spend every waking hour studying and taking notes you will burnout. Set a studying schedule and fit in other things; family time, hobbies, working out, gardening or DIY. If you prioritise studying above all else then you may start to slowly despise it as it will erode your lifestyle.

It’s not all about lectures and videos so change it up by using TryHackMe and Hack the Box to test out your understanding of tools. Take regular breaks, I used to sit in my garden and work my way through a sudoku puzzle book. I found that it kept my brain active, gave my eyes a break from staring at a screen and it’s always nice to be outside (weather dependant).

Don’t feel that you have to memorise everything, take comprehensive notes that are easy to understand and contain screenshots or walkthroughs. I regularly refer back to my notes or use google if I get stuck or haven’t used a tool in a while.

Find what learning style works best for you. Videos are great as they are on demand for that late night study session and you are able pause and research a topic whenever you need to. Classroom based learning also has many positives, it forces you to learn because you can’t keep pausing. You have the ability to ask the instructor as much as needed when you don’t understand something (sorry Joe). Booking exams before you are ready but with sufficient time to prepare forces you to focus and manage your time.

If you can build a support group then it helps. I meet up with a small group from the Crucial academy course regularly for chips, a brew and a chat (remember when we could do that?) We compare learning resources, share job adverts and complain about the difficulty in finding a job.

Attend expo’s, conferences and online seminars if you can. It’s inspiring to hear some of the stories and it’s also a good laugh. Speak to people whilst you are there and find out what qualifications they recommend and what learning resources to use. Build a network on LinkedIn, I was referred(?) for a job interview a couple of times by people I had never met. Check your feed regularly because you never know when that job advert post may come along. Ask advice but be polite and respectful whilst doing so. Post on LinkedIn occasionally to get your face out there, give shout-outs to those who have helped you along the way.

When you do start looking for employment then consider a different job in IT initially such as system admin or other, it’s the experience that counts (I couldn’t even achieve that). This will solidify your base knowledge and you may be able to move sideways within the company to a cyber security role. Salaries can be high for senior roles, but for junior roles you may have to consider taking a lower salary initially as you have minimal or no experience, within a few months the salary will more than likely rise. 

For those leaving the forces, TechVets is a brilliant asset. There are plenty of people to chat to at all stages of their career and working within all areas of the cyber industry. TechVets have access to various learning resources and regularly give away premium content vouchers or places on courses. 

Consider joining the Reserves. A lot of people want a complete break when they leave the army and that’s fair enough. It worked out well for me as it was the only paid employment that I had for a 10-month period.

If you have time, research the job you want before you sign off and have a rough career change path drawn up. Consider the geographical aspect of where you live (there seems to be a black-hole of offensive cyber roles where I am).

The second you sign-off a clock starts ticking, so get onto the Career Transition Partnership and book courses as soon as possible. Check websites daily for course vacancies as they can disappear quickly. Look for other vendors who offer courses. If you look at using an ELC then research into whether it is cheaper to pay the 20% required or to study for free and just buy the exam voucher.

You’ve spent years putting the army first. It’s time to focus on yourself and your resettlement as much as possible, your unit won’t grind to a halt if you are away on a resettlement course so don’t let them persuade you it will. The main thing that I came to realise is that the only people who understand resettlement properly are those who are getting out, so do your research.

If I could do it over again then I would attend both the CompTIA A+ course and the Network+/Security+ course (books up quick due to high demand) run by CTP and then, having sat my exams and built a working knowledge of using Linux terminal, attend Crucial academy’s offensive security course.

Thank you for reading my blog and a shout-out to TechVets for all of the opportunities, Crucial Academy for a 2-week course completely free of charge, Mr Joe for all of his patience and support, and to everyone else (far too many people to name) who have helped me along the way.