
tl;dr: Taking the online courses for Cloud Security is the best bang for your buck IMO.

As a Security Engineer that works on network/devops stuff at a modern SaaS company, I think 90% of what I do is Cloud DevOps with a focus on Security. That could mean: making frameworks to make security easier, or advising other teams on how to secure their pieces of infra, or identifying insecure configs and pushing to get those fixed. The other 10% is understanding security risks and what designs/implementations of the infra are good/bad. Pen-testing might help with the latter skill, but at ~10% it's a surprisingly small factor.

I would like to echo the points made by other posts, that there are a lot of different fields of security. Pentesting is one field, Application security is another, there's also compliance, red-team, IT-security, threat hunting, etc. The list goes on, and there are a lot of different skills you could build, certifications you could get, and areas to specialize in (or distract you from your specialization).

It does sound as if you enjoy the InfraSec/SecDevOps parts of the problem. So learning more about AWS/GCP Security in detail is probably the best way to improve your skill set in the area.


