From SOC Analyst to Penetration Tester: A Realistic Transition
How experienced SOC analysts move into offensive security, with the certification stack, lab progression, and common stalls that decide who actually makes the jump.
Prerequisites
- At least 12 months of SOC analyst experience
- Comfort with detection logic, log analysis, and basic incident handling
- Working knowledge of Linux command line
Outcomes
- Understand which parts of SOC experience accelerate offensive work
- Plan a credible offensive certification stack
- Build penetration test reports and lab evidence at portfolio quality
- Avoid the most common stalls in the defence-to-offence transition
Steps
1. Map your defensive knowledge to offensive context
Detection logic, log analysis, and incident timelines all carry over. Reframe what you learned defending into how attackers create the artefacts you used to investigate.
2. Close the offensive skills gap
Web application attacks, Active Directory exploitation, privilege escalation patterns, and report writing under time pressure. These four areas separate offensive practitioners from analysts who watched some videos.
3. Earn an offensive certification
OSCP is the credible standard. CEH or PenTest+ work as stepping stones. Burp Suite Certified Practitioner adds web focus if your target work is application-heavy.
4. Build a lab portfolio with reports
Hack The Box and TryHackMe rooms with full write-ups beat any course completion. Recruiters in offensive security read your reports as your interview.
5. Position for the right entry
Internal red team, junior penetration tester at a consultancy, or specialist application security tester. Each has its own hiring filter and salary curve.
Why This Transition Works
SOC analysts are better positioned for offensive security than they realise. You already understand how attacks look in logs, how detections fail, and how investigations move under pressure. The transition is not about learning to attack from scratch. It is about learning to produce, deliberately, the artefacts you used to investigate.
The mindset shift is real but bounded. Offensive work rewards patience, methodical enumeration, and report writing more than it rewards "hacker" energy. Most of these traits already exist in good SOC analysts. If you are still earlier in your defensive career, the SOC analyst career path and the Security+ to OSCP pathway outline the prior stage.
Why Defensive Experience Makes You a Better Offensive Engineer
The strongest junior pentesters in the EU market today are very rarely fresh CTF players. They are SOC alumni who carry three things into the offensive seat: knowledge of what gets logged, knowledge of what gets missed, and the discipline to write things down. When you have spent twelve months triaging Defender alerts, parsing Sysmon event ID 1 (process creation), 3 (network connection), and 11 (file creation) chains, and building Sigma rules, you already know which Mimikatz invocation produces which event and which AMSI bypass leaves which trace.
That detection literacy turns into operator value the moment you are inside a client environment. You stop choosing techniques because they are famous and start choosing them because they fit the detection posture you are facing. You know that a Cobalt Strike beacon on a default Malleable C2 profile is signatured by most mainstream EDRs. You know that SharpHound's default collection fires a burst of LDAP queries that any reasonable detection engineer alerts on. You know that a Kerberoast requesting RC4 (encryption type 0x17) service tickets for a dozen accounts within a second looks nothing like ordinary service ticket activity, and you know what it takes to blend in. None of that is on a course syllabus, but all of it comes up at every offensive interview.
The Offensive Skill Stack You Are Missing (and How to Build It)
Treat the offensive skill stack as five distinct surfaces. You will not master all five before your first role, but you should be able to demonstrate working competence in three.
Web applications. OWASP Top 10 is the floor, not the ceiling. The OWASP Web Security Testing Guide (WSTG) is the methodology that real consultancies map their work to. PortSwigger Web Security Academy is the lab environment that gets you fluent in Burp Suite, including manual proxy work, Intruder, the Repeater workflow, and extensions such as Autorize and Logger++. Plan to clear the apprentice and practitioner labs and pass the Burp Suite Certified Practitioner exam.
Active Directory. This is where most internal engagements live. You need to understand Kerberos, NTLM, ACL abuses, GPO abuses, certificate services attacks (the ESC1 to ESC8 family), and trust relationships. HackTheBox Academy's Active Directory modules cover the ground. The TCM Security PNPT and Altered Security CRTP are credible adjacent certifications.
Network and infrastructure. Methodical enumeration, service exploitation, post-exploitation, and pivoting through Chisel or Ligolo-ng. OffSec PEN-200 and OSCP are the obvious destinations.
Mobile and thick clients. A smaller surface, but a differentiator. Frida, Objection, MobSF, and the OWASP Mobile Application Security Verification Standard (MASVS) form the toolkit.
Cloud. AWS, Azure, and GCP attack paths increasingly appear inside scoped engagements. PwnedLabs, CloudGoat, and the Pentester Academy Azure AD modules are the usual training paths.
The Lab Sequence Recruiters Recognize
There is a recognisable lab progression that hiring managers in EU consultancies actually trust. It looks like this: HackTheBox Academy modules to build technique, TryHackMe paths to build breadth, OffSec Proving Grounds Practice to build OSCP-style methodology, then PEN-200 lab time before the OSCP attempt. Add 5 to 10 retired HackTheBox boxes per month with full markdown write-ups stored in a public repository. The write-ups matter as much as the boxes. Pentest hiring is one of the few security niches where a public GitHub portfolio of lab work moves the needle, because the hiring manager can read your methodology before they meet you.
eJPT vs CPTS vs OSCP: Choosing Your First Offensive Cert
Three credentials dominate the first-cert decision. The eLearnSecurity Junior Penetration Tester (eJPT) is the cheapest and most accessible: a practical, scenario-based exam that proves you can enumerate, exploit, and pivot at a junior level. It is a strong CV signal for a SOC analyst applying for their first internal red team rotation.
The HackTheBox Certified Penetration Testing Specialist (CPTS) sits one level up. It is more rigorous than eJPT, costs less than OSCP, and has the practical depth that European consultancies increasingly recognise. The exam is a 10 day pentest with a written report. It is the closest dress rehearsal for OSCP that you can buy.
OSCP from OffSec (formerly Offensive Security) remains the most recognised badge in the EU and UK markets. PEN-200 plus two to three months of dedicated lab time is the credible path. CEH (EC-Council) and PenTest+ (CompTIA) sit alongside as largely multiple-choice options, useful for compliance-driven employers and government work but lower in operator weight than OSCP. See the OSCP certification guide, CEH, and the Security+ foundation for context.
Active Directory Attack Paths You Must Master
You should be able to walk a hiring manager through these paths without notes. Credential access and privilege escalation through Kerberoasting or AS-REP roasting from a low-privilege account (AS-REP roasting needs only a username where Kerberos pre-authentication is disabled). Lateral movement using PsExec, WMIExec, and SMBExec under a stolen NT hash. BloodHound graph reading, including the shortest path queries to Domain Admins and the abuse of GenericAll, GenericWrite, WriteOwner, and WriteDacl on user, group, and computer objects. Constrained delegation abuse, resource-based constrained delegation (RBCD), and unconstrained delegation. Active Directory Certificate Services attacks, especially ESC1 and ESC8. DCSync against a domain controller using replication rights. Mimikatz operations: sekurlsa::logonpasswords, lsadump::dcsync, lsadump::lsa, kerberos::golden, and the Rubeus equivalents for the Kerberos-side operations. Pass-the-ticket and overpass-the-hash. The defensive flip side is what you bring from SOC: which of these light up which logs.
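What "BloodHound graph reading" means in practice is a shortest-path search over relationship edges, followed by an abuse decision at each hop. The script below is an added example, not code from the article or from the BloodHound project: it runs a breadth-first search over a constructed toy domain (all names and edges are assumptions) using the relationship names SharpHound collects, prints the abuse primitive for each edge, and pairs each primitive with the Windows event a SOC would expect to see, which is the "defensive flip side" the paragraph describes.

```python
"""Shortest attack path over a constructed AD relationship graph.

Added example, not from the article or the BloodHound project. EDGES is a
made-up domain using the relationship names SharpHound collects; the
equivalent Cypher in BloodHound would be roughly
  MATCH p=shortestPath((u {name:'JDOE@CORP.LOCAL'})-[*1..]->(g {name:'DOMAIN ADMINS@CORP.LOCAL'})) RETURN p
"""
from collections import deque

# Constructed graph: (source, relationship, target). The branch through
# DOMAIN USERS is a decoy that never reaches the target.
EDGES = [
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "ADMIN_BOB@CORP.LOCAL"),
    ("ADMIN_BOB@CORP.LOCAL", "WriteDacl", "DOMAIN ADMINS@CORP.LOCAL"),
    ("JDOE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "GenericRead", "ASMITH@CORP.LOCAL"),
]

# What an operator does with each edge, and what the SOC sees when they do it.
# Event IDs are the standard Windows Security / System / Sysmon IDs.
ABUSE = {
    "MemberOf":   ("inherited automatically, nothing to do", "none"),
    "GenericAll": ("on a user: reset the password or set an SPN and Kerberoast it; "
                   "on a group: add yourself", "4724 (password reset), 4769 (TGS), 4728/4732/4756 (group add)"),
    "GenericWrite": ("on a user: set an SPN for a targeted Kerberoast", "5136 (object modified), 4769"),
    "WriteOwner": ("take ownership, then grant yourself GenericAll", "5136 with owner/DACL change"),
    "WriteDacl":  ("grant yourself GenericAll, then add yourself to the group", "5136, then 4728/4756"),
    "AdminTo":    ("local admin: dump LSASS/SAM or harvest tickets", "4624 type 3, 7045 if PsExec-style, Sysmon 10 on LSASS"),
    "HasSession": ("the logged-on user's credential material is on this host", "Sysmon 10 / 4656 on lsass.exe"),
}


def shortest_path(edges, start, target):
    """BFS over directed edges; returns [(src, rel, dst), ...] or None."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    prev = {start: None}  # node -> (predecessor, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        src, rel = prev[node]
        path.append((src, rel, node))
        node = src
    return list(reversed(path))


def abuse_plan(path):
    """Render each hop as: edge, what to do, what the SOC will see."""
    lines = []
    for src, rel, dst in path:
        action, evidence = ABUSE.get(rel, ("no known abuse primitive", "n/a"))
        lines.append(f"{src} -[{rel}]-> {dst}\n    do: {action}\n    seen as: {evidence}")
    return lines


if __name__ == "__main__":
    route = shortest_path(EDGES, "JDOE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL")
    print("\n".join(abuse_plan(route)))
```

Reading the output the way an interviewer would: the cheap hops are the ACL edges, the expensive one is the HasSession hop, because it requires touching LSASS on FS01 and that is where the Sysmon 10 alert fires. Planning the route with the evidence column in view is what separates an operator with SOC history from one who just follows the arrows.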
Web Application Pentest Methodology (PTES + OWASP WSTG)
The Penetration Testing Execution Standard (PTES) and the OWASP Web Security Testing Guide (WSTG) are the two methodology references your reports should map to. PTES gives you the seven phases (pre-engagement, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, reporting). WSTG gives you the test cases. A credible web pentest covers information gathering, configuration and deployment management, identity management, authentication, authorisation, session management, input validation, error handling, cryptography, business logic, client-side testing, and API testing. Burp Suite Pro is the workhorse. Knowing how to manually craft requests in Repeater is more valuable than knowing how to run Active Scan.
Report Writing Is the 50% Nobody Trains For
Half of a real pentest engagement is writing. The deliverable is a document that an executive reads first, then a developer reads in detail, then an auditor reads later. Each finding needs a clear title, an evidence section with screenshots and request and response examples, a CVSS or risk rating with justification, a business impact statement in plain language, and remediation guidance that the development or platform team can actually implement. The OffSec OSCP exam tests this directly: just under 24 hours of testing followed by 24 hours of reporting. Many failed attempts are reporting failures rather than exploitation failures: the points were earned on the boxes but not documented to the required standard. Practice writing reports for your TryHackMe and HackTheBox work and have a peer review them. The samples on your GitHub will be read.
A Realistic 12-Month Transition Plan
Months 1 to 3: PortSwigger Web Security Academy apprentice plus practitioner labs, Burp Suite Certified Practitioner exam, eJPT. Months 4 to 6: HackTheBox Academy AD modules, 20 to 30 retired easy and medium HackTheBox boxes with write-ups, BloodHound and Mimikatz fluency on a home AD lab. Months 7 to 9: OffSec Proving Grounds Practice (40 to 60 boxes), PEN-200 enrolment, CPTS attempt as a credible OSCP rehearsal. Months 10 to 12: OSCP exam, targeted applications to internal red teams and Big Four cyber consultancies, CRTO or OSWA as a follow-up signal. The full route to the offensive seat is summarised in the pentester career guide.
Salary Reality: SOC to Junior Pentest to Senior Pentest in EU
EU SOC L1 salaries typically fall in the EUR 32,000 to 40,000 band, with hubs like Madrid, Lisbon, and Warsaw on the lower end and Munich, Amsterdam, and Dublin on the higher end. A junior penetration tester role usually lands between EUR 40,000 and 55,000, which means the immediate jump is real but modest. The curve diverges fast: mid-level pentesters with OSCP and two to three years of engagement experience commonly reach EUR 55,000 to 75,000, and senior pentesters or red team leads with OSCP, CRTO, and OSEP exceed EUR 80,000 in most EU capitals and frequently clear EUR 100,000 in Switzerland, the Nordics, and parts of the UK. Compare with the bootcamp salary outcomes and the "is the bootcamp worth it" guide for the foundation context.
Where the Bootcamp Fits
If you are still building defensive foundations, the Unihackers Cybersecurity Bootcamp covers the SOC-side groundwork that makes this transition realistic. The bootcamp's penetration testing module (m10) introduces offensive technique against the same stack you defend in m7 and m8. See the curriculum breakdown for module detail.
Common Stalls
Three patterns explain most stalled transitions.
- Tool collection without report practice. Knowing tools matters less than knowing how to write up what you found. The pentesters who get hired are the ones whose reports read clearly.
- Skipping web and AD. Most internal pentest work touches both. Avoiding either reduces the role pool dramatically.
- Going for OSCP too early. OSCP rewards methodology and stamina, not raw skill. Build sufficient lab hours first, or you will burn the attempt.
The transition is bounded and credible if you treat it as a deliberate twelve-month build rather than a rebrand.