Break, build, repeat: How hackers learn differently

by Black Hat Middle East and Africa

We came across a thread on Reddit recently that made us stop for a moment. Because across the BHMEA community, we talk a lot about the opportunities available in the cybersecurity sector – the increasing demand for talent is creating an active jobs market. 

But this thread, titled ‘industry is way tougher than I imagined’, brought us back down to earth: written by a college graduate, it’s about the struggle to secure an entry-level position when so many roles ask for three years of experience and a wide variety of certifications. 

It’s a real problem. And an uncomfortable one to face, for an industry that’s working hard to improve its inclusivity credentials. Because to truly be inclusive and welcome talent and experience from diverse backgrounds, cybersecurity employers worldwide need to consider candidates with experience that doesn’t fit the 3+ years and certs standard. 

We’re here today with a bit of encouragement for aspiring cybersecurity professionals who are still looking for their first role. Because you might not be able to walk into your dream job straight out of university, but you can build your experience alongside a more accessible role (like an IT or help desk role) even if it doesn’t seem like an obvious route to the work you really want to do. 

Something that works in your favour in this industry is that hackers learn differently from other people. And cybersecurity employers know this. So by cultivating your own hacker mindset, you can make yourself 10X more appealing to employers in a short space of time. 

Break, build, repeat: How hackers learn differently 

When you watch a hacker at work, their learning style is strikingly different from what many cybersecurity pros experience in daily training. It’s a continuous loop of breaking something, figuring out why it broke, and then doing it all again – only better. 

It’s different from traditional learning. And embracing it could push your skills to new heights, and open up opportunities in the cybersecurity sector. 

Most cybersecurity training follows a stable path: learn the theory, pass assessments, tick compliance boxes, then apply in a controlled environment. It’s systematic, reliable; but it’s static. It’s not how the real world works. 

In contrast, hackers thrive in uncertainty. They aren’t satisfied with surface-level knowledge – they dig in. They provoke systems and actively seek out failure, because that’s where real learning happens.

Breaking and building is so important that leading cybersecurity professionals are working to create opportunities for others to immerse themselves in this mindset. BHMEA speaker Rana Khalil (Application Security Team Lead at C3SA), for example, founded an online pen testing academy where she provides affordable, cutting-edge education to the next generation of dedicated pen testers. “We break down the technical details of each vulnerability, show how to spot it, exploit it, and defend against it,” she said. “We also get hands-on experience with labs that mimic real-world applications.”

3 Ways you can develop your hacker mindset 

1. Capture the Flag: A playground to strengthen your hacker mind 

Have you tried a Capture‑the‑Flag (CTF) event? They’re simulated attack/defend scenarios that push you directly into hands-on problem‑solving. CTFs foster trial and error, demand creative thinking under pressure, and often reveal more than scripted lessons ever could.

When we interviewed BHMEA speaker Heba Farahat (Senior Cybersecurity Consultant at Liquid C2), she said:

“I believe that CTFs offer one of the most effective ways to learn about cybersecurity in a gamified manner. For that purpose, I actively participated in CTFs at the start of my career, and my team ranked among the top 5 in several regional competitions.” 

Real hackers build resilience through the struggles and small triumphs they face in competitions like this. And the skills picked up in CTFs transfer directly to real-world incidents. 

2. Reverse engineering: Rebuild understanding from scratch 

Reverse engineering is the ultimate test of your ability to inhabit a beginner’s mind. You have to let go of all assumptions and assess the situation in front of you for what it is – and that is a critical skill at every level of the cybersecurity industry. 

You take compiled code, firmware or binaries (without documentation) and rebuild understanding from scratch. 

At Black Hat MEA 2022, Wesam Alzahir (Software Engineer at CloudApps) showed us how he reverse engineered thermal printers to identify vulnerabilities that could affect the security of a retailer or its customers.

Moving through a process that began with static research (gathering information about the devices from the manufacturer and online) and then shifted into dynamic reverse engineering, Alzahir identified command protocols and functions, and tested them to understand how and when they were mis-implemented.

He then identified a number of possible attacks that could exploit vulnerabilities in thermal printers. Attackers could:

  • Collect data from receipts – including customer data and sales information
  • Manipulate the receipts/item slips so that the orders received by kitchen staff did not match the orders actually made by customers
  • Disable receipt printing/item slip printing, leading to operational disruption

All of these possible attacks could cause damage to the reputation of a business, as well as loss of earnings through lost orders or customer compensation. If you learn how to execute a reverse engineering project and can demonstrate your ability to do so, you’ll significantly increase your value as a potential hire for a cybersecurity role. 

3. Bug bounties: Create a real-world hacker habit 

Getting into bug bounty programmes brings your hacker habit into the real world. You’ll test live systems, uncover flaws, and submit reports – and then do it all over again. It’s an iterative process that’s tied to actual impact and reward. 

For early-career cybersecurity professionals, a background in bug bounties helps you build practical experience, create a reputation for yourself, connect with potential employers, and can differentiate you as a candidate in a competitive entry-level jobs market. 

Empower yourself at an early stage 

Getting an entry-level job in cybersecurity isn’t easy. Yes, there’s a skills shortage – but it takes time, mentorship, and investment from an employer to cultivate those in-demand skills. 

But you can empower yourself now by taking charge of your own skills development. You can’t do everything on your own, but you don’t have to sit and wait for an employer to take a chance on you; you can actively position yourself as a better candidate by developing your real-world skills. 

You could…

  • Rethink your routine. If you’re spending time reading about cybersecurity, could you replace it with active tinkering? Set up a CTF challenge or reverse-engineer a binary.
  • Share your process. If you break stuff and learn from it, tell people about that. Share on a forum, participate in a code review.
  • Join bug bounty initiatives.
  • Practise celebrating every failure – because it’s raw material for your next breakthrough. 

Thinking like a hacker infuses your work (and by extension, your approach to job-hunting) with adaptability. You spot hidden vulnerabilities and respond under pressure. 

It’s difficult to make yourself stand out in the crowd of entry-level candidates. But the field of cybersecurity offers a wide array of ways to do that – if you think proactively, build your patience, and use the roles that are available to you to build your network, skills, and determination.
