Building My Pillars: Looking Back At 2025

Tags: Career, Red Team, Cybersecurity
Published: December 31, 2025
Author: Tyrrell | 0xtb
As 2025 comes to a close, I find myself reflecting on what has been the most transformative year of my cybersecurity career. This was the year I stopped trying to know everything and started building something real. It was the year I transformed from someone chasing certifications to someone architecting solutions. And it all started with a failure.

The OSCP Wake-Up Call

I entered 2025 with a singular focus: earn the OSCP. In this industry, it felt less like an optional credential and more like a rite of passage, one I was determined to complete. My first attempt didn’t go as planned. Falling short was disappointing, but it provided something far more valuable than a passing score would have: clarity. That failure gave me a plain assessment of where I stood and precisely what I needed to improve.
My goals were straightforward at the time: secure the OSCP for resume and HR “points”, master C2 redirector setup, and strengthen my web application security skills, the area I knew I was weakest. What I didn’t anticipate was how dramatically my perspective would shift over the following twelve months.
The most important evolution in my thinking was learning to let go of the impossible standard of mastery across every domain. I had been operating under the belief that I needed to be an expert in everything: web apps, malware development, Active Directory, cloud platforms, Linux, Windows, C2 infrastructure. The weight of that expectation was crushing. Over time, I developed what I’ll call a personal operating framework: become truly great at one discipline, highly proficient at two others, and maintain working knowledge across the rest. This approach gave me the breathing room to lead assessments with confidence in my specialty while still contributing meaningfully to conversations with deeper experts in other areas.
Initially, I thought my focus would be malware development, Active Directory and cloud pentesting. That refined itself over the year into a more precise triad: network pentesting, C2 infrastructure development, and secure code review, areas that can complement each other and align with where I can deliver the most value.

Building Real Infrastructure

This newfound clarity sent me down a path of deep technical exploration. I evaluated every major web server: Apache, Nginx, and Caddy. When I tested each for covert C2 operations, Caddy emerged as the clear winner for my use cases, offering the flexibility and stealth characteristics I needed.
But I didn’t stop at simple redirectors. I began thinking about defense in depth for my own infrastructure: how could I make C2 traffic even more secure? This led me to Netbird, a tool that allowed me to create an internal mesh network for my infrastructure. While many in the red team community gravitate toward Headscale, I prioritized Netbird’s native self-hosting support and first-party reliability. The result was a distributed, resilient architecture that immediately proved its worth.
Cloud security became another major focus. After encountering increasingly complex cloud environments during engagements, I pursued specialized training through Electra and ACRTP, recognizing that modern attack paths inevitably lead through cloud services. Every tool, technique, and concept I learned was deployed in real assessments within days or weeks of acquisition. My colleagues could see it in my work: when a concept from OSCP, OSEP, or ACRTP became relevant, I was ready to apply it immediately.
The project I’m most proud of this year was built after being inspired by the CRT-ID: I completed C2 infrastructure from scratch. I provisioned multiple VPS instances across different providers, interconnected them via my Netbird mesh network, and developed custom shellcode runners based on OSEP methodologies that consistently bypass standard antivirus solutions like Windows Defender. It was the synthesis of two certifications’ worth of knowledge into a working, evasive capability.

The Certification Journey

This year, I completed five certifications: OSCP, OSEP, CRT-ID, MCRTA, and ACRTP. Each served a specific purpose in my development, but the journey through them revealed an interesting pattern.
The OSCP, despite being an “entry-level” certification in the Offensive Security ecosystem, demanded the most from me. My background was a bit unconventional; I started in network security with deep Active Directory experience rather than web applications. While many professionals begin with web apps and branch into AD, I took the reverse path. This meant the AD chain in the OSCP exam felt natural, and I secured 40 points there quickly. The challenge was the standalone machines requiring web exploitation, an area where I had to work significantly harder to compensate. The exam took me sixteen hours of focused effort.
The OSEP, by contrast, was an eight-hour completion. Its heavy emphasis on Active Directory played directly to my strengths, allowing me to execute the full attack chain and capture the final flag in a single, fluid session.
Beyond the credentials themselves, the true value of these certifications was the comprehensive reference library they forced me to build. I now have detailed, well-documented notes covering web application pentesting, cloud exploitation, and AD/network techniques. As someone who dislikes memorizing syntax, having a personal knowledge base with working examples and explanations has been transformational for my efficiency.
Perhaps the most unexpected outcome was my complete comfort shift with web application testing. At the start of 2025, I would have described Burp Suite as a weakness. After being pushed by the OSEP, Electra, and ACRTP curricula to engage with web apps repeatedly and under pressure, I now approach them with confidence. What once felt like a liability has become a reliable tool in my arsenal.

The Professional Pivot

The most significant professional lesson I learned this year had nothing to do with exploitation techniques or tool configuration. It was mastering client communication and report writing.
Translating technical findings into clear business impact is a skill that separates good pentesters from great ones. I dedicated significant energy to refining how I present vulnerabilities to clients in ways that resonate with their risk management priorities. Equally important was elevating my report writing. There’s a common sentiment in our field that reports are a chore, but I came to see them differently: the report is the product. Clients aren’t paying for shells; they’re paying for actionable intelligence they can use to improve their security posture. A well-written report that provides clear, prioritized, and contextual remediation guidance is the ultimate deliverable. In offensive security, your value is ultimately measured by the quality of your documentation.
If I could offer advice to myself standing at the threshold of 2025, it would be this: trust the process you’ve designed and execute it with discipline. The framework you build will carry you further than sporadic intensity ever could.

Looking Toward 2026

My goals for the coming year are both ambitious and focused. First, I intend to continue my technical growth while shifting toward community contribution. I’m currently developing a tool that addresses a significant pain point my team faces regularly, and I’ll be sharing more about that on LinkedIn soon.
Second, I’m committing to deeper expertise in secure code review. My ultimate objective is to earn the OSWE, forcing me to develop the ability to dissect application logic and find vulnerabilities from the source code itself. If I can develop the capability to audit complex applications and identify flaws at the code level, I’ll have achieved a level of analytical depth that represents the next major milestone in my technical evolution.
Finally, I plan to apply everything I’ve learned in 2025 as a foundation for deeper specialization. I want to push the evasion techniques from OSEP further, enhance my understanding of domain fronting and SOC evasion from CRT-ID, and generally take every lesson from this year and dive one level deeper. The foundation is built. Now it’s time to strengthen the structure.
2025 was the year I stopped chasing breadth and started building depth. It was the year I failed forward, built real infrastructure, and found my professional voice. I’m proud of the work, grateful for the lessons, and ready for what comes next.