i resigned from a three-year sales job at the start of march 2026. last day was april 2. i'm now job-hunting for entry-level cybersecurity roles — pentesting and red team primarily, full-stack development as a fallback — in spain and the wider eu.
this isn't a "follow your passion" post. the actual story is more practical and, i think, more useful for anyone in a similar spot. here's what the pivot actually looked like.
the shape of the parallel track
for most of the three years at the sales job, i was also a part-time student in a two-year bootcamp combining full-stack development and ethical hacking. i finished in march 2026.
the work pattern was unromantic: a full work week at the sales role, then evenings and weekends on coursework, lab work, and personal projects. most weeks the maths worked because the sales job didn't follow me home. some weeks it didn't, and i let the coursework slip rather than the job, because the job paid the rent.
that ordering — paid work first, training second, never both compressed into the same hour — is the only reason the parallel track survived three years instead of collapsing in six months. the temptation to do both badly at the same time was constant. i think it's the main thing people underestimate.
what i learned from the sales role
i want to be careful here, because there's a version of this post that swings too far into "sales taught me everything" and a version that swings too far into "those were three lost years". neither is honest.
what was actually useful:
- talking to strangers about technical-ish things without flinching. a cold pitch is a structured conversation under mild adversity. pentest reports and client kickoff calls are also structured conversations under mild adversity.
- reading a room before delivering a message. an executive summary in a security report is the same exercise as reading whether the prospect wants the long pitch or the short one.
- treating "no" as data. a rejected application, a failed exploit, a closed door — they all carry information about what to try next.
- concrete metrics. sales is allergic to vague claims. i learned to talk about my work in numbers, which carries directly into how i describe pentest findings.
what wasn't useful, and what i no longer pretend was useful: the day-to-day product knowledge, the crm proficiency, the specific industry context. none of that transfers. i list the sales role on my cv under work experience, reframed around the transferable skills with concrete metrics, and i don't try to stretch it into something it wasn't.
what i'd have done differently
two things, mainly.
i would have started a public technical brand earlier. the handle (bloodmoonbreach) and the cluster of accounts attached to it — github, hackthebox, tryhackme, linkedin — only really cohered in the last six months of the program. if i'd started a year earlier, i'd have a year more of public writeups, ctf history, and visible commit activity. none of that is hard to do. it just needs to be done continuously, and "i'll start when i'm ready" is the trap.
i would have done more public projects on side time. most of my coursework lived in private repos. most of it could have been public. the bwapp pentest is a good example — it's a strong project, it's a real piece of work, and it could have been a public repo with a writeup attached eighteen months before i finally posted it. future employers don't care that you wrote it for a course. they care that they can read it.
what the first months out actually look like
the romantic version is "i quit my job and started shipping". the actual version is more boring and, i think, healthier.
mornings: job applications. a focused two-hour block. cv tuning per application, cover letter where the role calls for one, tracking everything in a simple spreadsheet so i can tell which roles got a response and which didn't.
middays: certification work. currently moving through the google cybersecurity certificate as the entry-level credential, with comptia security+ behind it and the hackthebox path (cjca → cdsa → cpts) after that. the plan is to run certifications in parallel with applications, not sequentially. nobody gets hired by being one cert away from ready. they get hired by being ready enough and continuing to study.
afternoons: portfolio. the next.js site you're reading is the first artefact. two more are planned — a full-stack crud application, and an api-driven dashboard — to round out the modern-stack signal. the bwapp writeup will be a featured post here, and the pentest report itself remains the strongest single artefact in the application package.
evenings: training that isn't coursework. hackthebox machines, tryhackme rooms, the occasional ctf. this is where pattern recognition for the actual job is built.
where i'm going
professionally, the medium-term goal is a junior pentest role at a consultancy with a real client load. the reason i want a consultancy specifically is the variety — every engagement is a different stack, a different team, a different report. that's how the skill grows fastest in the first two years.
why post this
a few reasons. search engines will eventually surface this post for someone who's standing where i was eighteen months ago — three years into a job that isn't the goal, half a degree into a track that is, trying to figure out whether the maths works. the honest answer is "yes if you do these specific things, and probably no if you don't", and the specific things are not that mysterious.
i also want the version of myself that has to look back at this in 2027 to have a record of what the plan was. plans aged in public are useful. they keep you honest, and they let you correct in real time when something stops working.
if you're in a similar pivot and want to compare notes, i'm reachable. the email is on the contact page.