For the past few years, most of my focus has been on cloud security — hardening AWS environments, responding to incidents, and making sure access is tightly controlled. But lately, I’ve felt the urge to explore a different side of the equation: ethical hacking.

That’s why I’ve decided to take the eJPTv2 (Junior Penetration Tester) certification.

This post is a mix of personal motivation, my preparation strategy, and how I see pentesting tying directly back into the work I’ve done in AWS and incident response.


Why Pentesting (and Why Now)?

Working in cloud security gives you a strong view of defense: how to build guardrails, monitor events, and enforce least privilege. But defense without understanding the attacker mindset is incomplete.

Pentesting adds that perspective: it shows you how misconfigurations, overlooked IAM roles, or weak monitoring controls can actually be exploited. For me, this was the missing piece to round out my skills.

And with eJPTv2 being an entry-level but hands-on certification, it feels like the right way to start this journey.


My Preparation Path

I’m preparing for the eJPTv2 in a structured but realistic way. Here’s what’s working for me:

  • INE official prep course — following the structured modules ensures I don’t miss the fundamentals.
  • Obsidian for notes — I’m building my own knowledge base, which I’ll be able to reuse later in real projects.
  • Command cheat sheet — keeping a personal reference of go-to tools (Nmap, SQLMap, Hydra, etc.).
  • Hands-on labs in TryHackMe — reinforcing theory with practical hacking experience.

This mix gives me both a theoretical foundation and a practical skillset.


How This Connects Back to Cloud Security

Some might think pentesting is far from cloud, but in reality they’re deeply linked:

  • IAM roles & temporary credentials — I wrote about securing them here. From a pentest perspective, weakly scoped roles can be abused to escalate privileges.
  • Incident response in AWS — I covered IR practices in this article. Pentesting helps simulate the incidents you’d need to respond to.
  • Monitoring on a budget: affordable AWS monitoring only works if you know what attackers actually do. Pentesting provides those insights.

By blending pentesting with cloud security, I aim to not just build secure environments, but also think like an attacker to validate them.


What’s Next

My plan is simple:

  1. Finish the INE prep course and lab work.
  2. Attempt the eJPTv2 exam in the coming weeks.
  3. Share my notes, lessons, and reflections here on the blog.

This is only the beginning. Long term, I see myself combining cloud security, GRC, and pentesting into a broader career path, where I can secure systems from both compliance and attack perspectives.


Final Thoughts

This blog started with AWS security. Now, it’s evolving alongside my own career journey. I am still getting to know myself and the vast world of cybersecurity.

If you’re a cloud engineer thinking about pentesting (or a pentester curious about cloud), I hope my path resonates with you. The overlap between these two worlds is bigger than most people realize.

Curious about the tools or techniques I’m using to prepare? Or maybe you’re also studying for the eJPTv2? I’d love to hear from you in the comments or on LinkedIn.

Together, let’s keep learning — and keep hacking responsibly.