Recruiters filtered out the operators who can actually breach

Opening Claim

Most people who call themselves pentesters cannot maintain access through a modern EDR for more than ninety seconds. They can run a scanner, parse the output, and write a report that reads like a compliance document. That is not red team work. That is vulnerability assessment with better marketing. The gap between those two jobs is the entire reason the industry has a hiring problem and an operator shortage at the same time.

A functioning red team operator is judged on one metric: did you achieve the objective without triggering detection at a level that would have stopped a real adversary. Scans do not achieve objectives. CVE lists do not achieve objectives. The ability to bypass application allowlisting, move through an identity boundary, and persist through a credential rotation is what achieves objectives. Almost no entry-level candidate can do any of those three things on day one, and the certifications the market rewards do not test for them directly.

The people hiring operators know this. The recruiters sourcing them usually do not. That delta is why candidates with a strong CV get filtered through to a technical interview and fail inside the first ten minutes, and why candidates who learn to talk about Active Directory abuse paths, constrained delegation, and protected process light get offers before the interview is finished. The work has moved. The hiring funnel has not caught up.

The Original Assumption

The standard path that gets circulated on beginner forums looks like this: learn networking, learn Linux, pass Security+, pass OSCP, apply for junior pentest roles. That path was accurate approximately eight years ago. It assumes the target environment is a flat network with unpatched services, weak passwords, and no endpoint detection worth defeating. It assumes the pentester’s job is to find exploitable software and document it. It assumes the defender is a firewall and a patching schedule.

The assumption behind OSCP in particular is that if you can compromise a box, escalate privileges, and pivot, you can do the job. The lab environment rewards exploitation of known vulnerabilities, buffer overflows on older targets, and misconfigured services that no production environment has exposed in years. The certification confirms you can follow a methodology against cooperative targets. It does not confirm you can operate against an environment that is actively trying to stop you. Those are different problems.

The deeper assumption, the one that actually breaks candidates, is that offensive security is fundamentally about finding vulnerabilities. It is not. It is about understanding trust relationships, identity boundaries, and execution context well enough to turn a foothold into an objective without being evicted. Vulnerabilities are a delivery mechanism. They are not the job. A beginner who treats the vulnerability as the goal will find one, get a shell, trigger Defender, lose the shell, and have nothing left to do. That is the ninety-day failure pattern.

What Changed

Three things changed in the operating environment, and the training material has not adjusted. The first is identity. In modern enterprise environments, the boundary that matters is not the network perimeter. It is the identity plane: Azure AD tenants, conditional access policies, service principals, managed identities, federation trust between tenants, and the token lifetimes that govern all of them. An operator who cannot enumerate a tenant, identify high-privilege service principals, and reason about token theft versus token forgery is not going to progress past initial access in most engagements this year.

The second is detection. Endpoint detection and response is no longer optional in the target environments worth engaging. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black are present by default. Standard tooling that worked in a lab: Mimikatz invoked directly, Cobalt Strike default profiles, PowerShell Empire agents, PsExec for lateral movement, will be caught before the first command returns. The operator’s skill set now requires knowledge of process injection techniques that survive AMSI and ETW, custom loaders that defeat static and behavioural signatures, and the ability to modify public tooling until it is unrecognisable. That is not covered in OSCP. It is not covered in most paid training either.

The third is control bypass at the foundational layer. Application control, driver signature enforcement, credential guard, protected process light, WDAC, constrained language mode on PowerShell, and LSASS protection are present in environments that take security seriously. Each of those is a specific control with a specific bypass path or a specific accepted limitation. A beginner who has not studied how these controls are implemented, where they are enforced, and what the documented bypasses look like will reach a foothold and then stop. They will not have the next move. That is why the failure window is ninety days: the first month is learning the environment, the second month is burning through tooling that gets caught, and the third month is realising the actual skill gap is not a tooling gap. It is a controls knowledge gap. By then the probation review is scheduled.

Mechanism of Failure or Drift

The failure mechanism is not a skills deficit in the abstract. It is a precise misalignment between the mental model the candidate was trained on and the mental model the target environment enforces. The trained model is linear: find a vulnerability, exploit it, escalate, pivot, loot, document. The enforced model is relational: establish a foothold, understand the identity you hold, understand the identity you need, understand the controls sitting between those two identities, bypass or evade the controls, maintain the new identity against active rotation. Every beginner who fails within ninety days fails at the second step of the enforced model, because they have never been required to think about identity as a graph with edges that can be traversed, severed, or forged.

The drift extends into the toolchain. The standard beginner tooling set is deprecated in any environment with a mature detection stack. This includes Nmap for discovery, Metasploit for exploitation, Mimikatz for credential harvesting, PsExec for lateral movement, and Cobalt Strike running a default Malleable C2 profile. Deprecated is the correct word. The behavioural signatures are published, the default artefacts are hunted, the network patterns are baselined. Running default Cobalt Strike against CrowdStrike Falcon produces a detection within seconds of the first beacon. The operator who has not internalised this fact will spend the only window they have before the blue team reviews the alert queue and revokes the compromised session.

The deepest layer of the failure mechanism is the assumption that the engagement is technical. It is not. It is adversarial. A technical problem has a correct answer the practitioner works toward. An adversarial problem has a defender actively modifying the environment to make the practitioner’s current approach fail. The candidate trained on lab boxes has only encountered static targets. The first live engagement is the first time they encounter a defender who sees the foothold, responds, and hardens the path behind them in near real time. Candidates who do not adjust within the first two weeks of that realisation do not adjust at all. They either leave the role, transition to defensive work, or settle into vulnerability scanning wrapped in red team language. The transition cost from technical mindset to adversarial mindset is the actual filter.

Expansion into Parallel Pattern

The same mechanism operates in cloud security engineering, and the failure profile is identical. An engineer trained on misconfiguration hunting in AWS will compile findings, raise tickets, and watch them get deprioritised. Typical findings include public S3 buckets, over-permissive IAM policies, and exposed EC2 metadata endpoints. The engineer has been trained to find static issues in a static snapshot of the environment. The actual cloud security problem is identity federation across accounts, service principal trust chains, assumed-role escalation paths, and the time-bound credentials issued by STS that cannot be rotated fast enough to interrupt an active operator. The engineer who treats cloud security as a configuration review job produces reports. The engineer who treats it as an identity-graph problem produces defences. Same mechanism at work: relational thinking versus catalogue thinking.

Detection engineering shows the same drift. A detection engineer who writes rules based on IOC lists, known-bad hashes, and vendor-supplied threat feeds will produce a detection surface that lags the attacker toolchain by months. The failure is not in the rule writing. It is in the model. The IOC-based engineer is cataloguing what attackers used last quarter. The behavioural detection engineer is modelling what attackers must do to achieve objectives in the specific environment being defended: LSASS access patterns, anomalous token requests, service principal creation during off-hours, unexpected federation changes between tenants. Both roles will claim to be doing detection engineering. Only one is producing coverage against an operator who has actually mapped the environment.

The pattern holds across every technical security role where the practitioner is measured against an adversary rather than a static benchmark. The failure is not knowledge volume. It is model alignment. The environments that matter are relational, identity-centric, and actively hostile. The training material produced at scale is catalogue-based, vulnerability-centric, and assumes cooperative targets. The delta between what is taught and what is required is the industry’s core structural problem. Every certification roadmap that promises readiness through completion of a defined syllabus is selling the wrong model. No syllabus survives contact with an environment that adapts.

Hard Closing Truth

The position is this. A pentester who cannot operate against an identity plane, defeat a modern EDR, and move through a control stack without losing the foothold is not a pentester in the operational sense. They hold the title. They do not hold the capability. The market will continue to pay them until the engagements get reviewed by technical leadership. At that review, the gap becomes visible, the role gets restructured, and the practitioner finds their next role harder to source because the reference environment has moved further ahead. That trajectory is already in motion in every firm that has invested seriously in detection engineering over the past three years.

The controls that determine success are not the ones listed in the certification syllabus. They are LSASS protection, Credential Guard, WDAC, AMSI, ETW, protected process light, constrained language mode on PowerShell, conditional access policies, token binding, and the specific bypass paths documented for each in the last eighteen months of offensive research. An operator who cannot name the enforcement point of each of those controls and describe the current state of its bypass research is operating below the baseline of the target environments. The baseline moved. The syllabus did not. That is the structural condition the hiring market has not yet priced in.

What must now be true. The candidate who intends to do the work treats certifications as a filter for recruiters, not as preparation for the job. The preparation happens after the certification, in lab environments that replicate current enterprise detection stacks, against targets that require identity reasoning rather than vulnerability hunting. The candidate either does that work or does not get past the first real engagement. There is no version of this where the gap closes through additional classroom hours. It closes through operating against live defensive tooling until the model realigns. Until that realignment occurs, the practitioner is not a red team operator. They are a report writer holding a title the hiring manager has not yet audited.