Moving from Pentesting to AppSec
I’m a pentester with ~3–4 YOE looking to transition into AppSec. Currently I work at a consultancy focused on penetration testing, so I’m already comfortable finding vulnerabilities, reviewing code, and thinking from an attacker’s perspective.
My background includes:
- Basic programming skills (mainly Python, some Go)
- Small pentesting-related tools/projects on GitHub
- Good knowledge of AWS
- Experience with SAST/DAST tools
- Familiarity with Kubernetes, CI/CD concepts, SCA, etc.
Where I feel I’m lacking is hands-on enterprise-level experience securing CI/CD pipelines, which seems to be a common requirement for many AppSec roles.
What would you recommend to gain practical, demonstrable experience in this area and improve my chances of landing an AppSec position?
For example:
- Any good personal projects/labs?
- Open-source contributions?
- Certifications or learning paths worth pursuing?
- Ways to simulate “real-world” CI/CD security work?
Would appreciate advice from people who made a similar transition or who currently work in AppSec.