Ethical hacking, penetration testing, red teaming, offensive security. Those words evoke an image of someone with a black hoodie up, coding whilst a wall of binary scrolls slowly behind. The binary is usually green for good measure.
So, over the last few years this has become the de facto 'cool' job. The idea of using malicious techniques, developing exploits and being a professional menace appeals to the dark side of a lot of people. You get to be the bad guy, get paid and not go to prison? That sounds to me like a win-win-win.
Sorry to burst any bubbles, but if you go into the industry with that mentality, you're unlikely to be pleasantly surprised. Over my years in the talent industry, the ask for many testers has shifted. Back years ago, the conversation was "Matt, find me the most technical person you can" and now it's "They need to be technical, but also able to be in front of a customer". What does that mean exactly?
This is written from my experience placing numerous testers and working with companies for many years. I am not a penetration tester, well, unless we count getting Root on Legacy.
It's a business facing role
Penetration testing is a business facing role. A company pays for you to test and validate their security measures within a tightly confined scope (usually, more on that later). Stakeholders at the business are your customers and their expected output is not a custom coded C2 framework or you gloating that you got Domain Admin. The output is a report.
The company are paying you to test and point out problems you find and then offer the remediation actions that you would recommend to plug that gap. Now yes, I understand many companies offer tools and staff to help consultants put these together; however, your ability to write in a way that a non-technical audience, who may have no idea what SQL injection is, can understand will be critical to your success.
Oh, that's right, it's unlikely that whoever reads that report will be a security professional, or at least one of the people reading it won't be. If they don't understand it, what do you think that says to them? I'll leave that one with you.
You will meet resistance
One of my long-term connections once regaled me with the tale of how whilst doing a penetration test, he asked for his IP to be whitelisted for the test. The network manager, who we shall call Dave, responded with "Aren't you meant to be a hacker?".
Whilst incredibly insightful, it misses the fundamental point. You are there to help this person to secure the environment by deploying Offensive techniques, however the sad truth is that no one likes their homework being marked. People will be naturally a bit wary of someone coming to check if they are doing things the right way.
The best antidote to this? Win hearts and minds where possible. If you find a vulnerability, the worst thing to do is gloat, be smug, feel superior. Address it with the relevant person and take a professional and helpful tone.
People like Dave may be beyond help, but this point leads me on to my next.
You will need to speak to people.
Sorry, can't help this one. It's a huge part of the job.
If you're going to succeed in penetration testing, being able to sit with a customer and explain why what you've done is important beyond "got root" is super important. Would a CFO care about how advanced your malware development skills are? Probably not. Will they care how much it's going to cost them if said malware took a hammer to their estate? Most definitely. Know your audience and tailor your communications effectively. Honestly, this will turbocharge your career and give you a lot of extra value added.
If your only wish to speak to people is to social engineer them, you're going to be disappointed.
Soft skills matter, okay?
I cannot bang this drum loudly enough. It's been a theme through this article. The way you interact with people can really affect your career. The days of penetration testers being sat in silence away from people to do 'hacky-stuff' are long gone.
But how do you develop those skills? There isn't really a TryHackMe room or a HTB lab for it. The answer is way simpler than you think, and I can give you an example. Bear with me.
My girlfriend has a massive family, some of whom are young children. While sat on their sofa a few months back, one of the kids sidled over and asked me what I do. I got thinking, how do I explain "I help organisations grow their Offensive Security capability, using current recruitment best practice, technical knowledge and leading tools" to a five-year-old?
I went with "Companies use me to find the pretend bad guys, to help protect them from the real bad guys."
Do you see? Practice explaining things to people who have zero idea what it is you do. Whether that's a friend, partner, parent. Try and explain something technical to them in a way they can understand. For people in the sector, terms like XSS, Burp Suite, Gobuster and John the Ripper all make sense, but to someone outside? Absolute gibberish. Try and explain something as if the person was five. Honestly it's a skill you can develop.
Still keen?
Penetration testing is cool. It just is. If I was to ditch the talent industry it would be where I headed. However, it's not the "Mr Robot" existence some people think it is. Your work is an expense to a company and you will constantly be looking to deliver an output to them.
If you begin to develop the people and consulting skills that sit alongside being a technical whizz, then you can expect to see quicker success across all aspects of the job.