Hi, I’m Nate. I’ve been a full-time penetration tester for a decade and I wanted to share some reflections on my journey so far — the kind I wish someone had written when I was just starting out.

If you're further along in your cybersecurity journey, you might disagree with some (or all) of this. That’s fine. That’s kind of the idea. But if you're just getting started in hacking or infosec, I hope something I have to say will resonate.

The Hacker Mindset: It's About Action, Not Titles

"I’m a hacker. How do I know? Because I hack."

That statement is true not because hacking is my job, but because I hack. Hacking isn't just a job title or certification. I’d argue this line of reasoning to many different skills and hobbies in life. Do you run? You’re a runner. Do you take photos? You’re a photographer. Painter, dancer, gamer, hiker? You get the idea. Who gets to be the arbiter of quantitative qualification? That’s the message I want internalized.

And yet, a lot of folks getting into offensive security hit this mental wall or some friction point: imposter syndrome. I’m definitely guilty of manifesting this myself, but it’s something I try to work on — even though I have a hunch it never really goes away.

“Am I good enough to call myself a hacker?”

“Am I good enough to take the next step?”

I get it. When you're new, it feels like there's a bar to clear, a title to earn, a bounty threshold to meet, or a secret club you’re not in. Some rite of passage or some cert that makes it “official.” Here's the truth: If you're hacking — learning, breaking, building, failing, trying — you're already in.

There is no gatekeeper. No one needs to grant you permission. No title makes it official. You don’t need the OSCP or GPEN. These things are useful and have their place, but they don’t make you a hacker. Hacking does.

If you hack, you're a hacker. Full stop.

The Lie of Confidence and the Power of Proof

There's a lie that I often see — especially in tech or adjacent circles — that the first step to greatness is believing in yourself. That confidence comes from hyping yourself up. But I think that’s backwards.

Here's a better idea:

"Belief in yourself is overrated. Generate evidence"

Ryan Holiday

In cybersecurity, confidence doesn’t bypass technical failure. It doesn’t bypass ASLR or find that ROP chain. It doesn't land you that type-juggling or request-smuggling exploit. It doesn't chain together a client-side path traversal and race condition for account takeover. What moves you forward is proof — generating evidence. It comes from stacking evidence of what you've done and learned doing the work. Not bravado. Not vibes. Evidence.

We don’t have imposter syndrome. We lack receipts. When you start to deliver, that’s when you stop feeling like an imposter. When you successfully troubleshoot that Bash script or nail some piece of automation, no matter how simple or complex, that builds confidence. Whether you’re patching shellcode by hand in xxd or punching yourself because you named a Python script json.py when parsing Bloodhound output, you are learning and building receipts.

Feeling Like an Imposter? Start Stacking Evidence

So how do you actually start building that evidence?

Here's some ways you can start:

• Complete so many HtB, THM, and VulnHub machines that you recognize the creators by name.

• Write up your experience hacking those machines — even if no one reads them.

• Reverse engineer a binary in Ghidra until you actually understand it.

• Manually calculate offsets to carve files from tcpdump.

• Download a PoC and walk through it to understand the flow. Then rewrite the code with your own twist.

• Build your own scripts to auotmate what tools like nmap or nuclei don't catch.

• Hit a wall with a CTF challenge, walk away, come back, and crack it.

• Create your own tools to solve your own problems.

That's how hackers build proof. Slowly and tangibly. It's not about having a fancy title or a shiny cert. It's about showing up and doing the work. Your best tool to dismantle imposter syndrome is action.

Tourist Mode vs. Hacker Mode

Here's where many of us get stuck in this weird limbo — I'm guilty too — sometimes:

• Staring at GitHub repos — because you swear you’ll come back.
• Collecting tools — instead of using them.
• Watching YouTube walkthroughs.
• Browsing payload lists.
• Chatting in Discord.

That's tourist mode. Looking at the thing without actually doing the thing. Tourist mode doesn't generate proof. Knowing about tools isn’t hacking. Downloading Kali isn't hacking. Tuning into someone else's Twitch stream isn't hacking. Blindly running Nuclei isn't hacking. Execution (no matter how messy) > Intention (no matter how polished). Exit tourist mode and start shipping receipts.

Real Hackers Don't Gatekeep

There’s no secret council. No elite badge. No one waiting to validate you.

All you need is a willingness to try, to fail, to learn, and to do it again.

Yes, you’ll write terrible code at first. Yes, you’ll get stuck. That’s not failure — that’s the path. Everyone starts with typoed payloads and copy-pasted shellcode. Let those messy attempts be your starting point. This field rewards the ones who do — the ones who stay in the chair when it gets hard and have tangible output.

If you're sitting there wondering: Can I really do this? Am I smart enough?

Here’s your answer: Yes, you can. Yes, you’re already on the path. And yes, you’ll get there — if you keep going.

Final Thoughts: You Don't Need Permission — You Need Proof

I didn’t set out to write another motivational blog post, but if there’s one thing I want you to take away, it’s this: If you really want to be a hacker, start stacking.

Remember, there’s no “chosen one” in infosec. No ordained hacker class. No final boss who hands you a badge and says “you’re in.” There’s just you, your curiosity, and your willingness to get after it.

So:

• Show up.

• Hacker Mode.

• Get better.

• Repeat.

That’s what it really means to be a hacker. Start Stacking.