Being/Becoming a Penetration Tester

We get a lot of people asking for guidance on becoming a penetration tester and what it takes to be one. We got our CEO, Peter Bassill, who has spoken a lot at conferences on this, to put down his top 5 tips for aspiring penetration testers. While we don’t guarantee this will get you a job, it may help you stand out from the crowd.

Peter’s Top 5 Tips to Becoming a Penetration Tester

1. DO NOT BE A RECRUITER’S DRONE

What I mean is, listen to your recruiter (if you are using one) but remember that penetration testing is a technical art form. The chances are the person reading your CV is a penetration tester, so appeal to the same technical creativeness. There is no point in writing a CV that is beautifully formatted in the standard Word fonts at 10 or 11pt, fully justified with no graphics, unless you want to be pen testing at PwC, Accenture, Deloitte or KPMG.

This brings me nicely to point 2.

2. KNOW YOUR AUDIENCE

Knowing your audience is essential to success in becoming a penetration tester. I treat everyone as family and we all have quirks. So Hedgehog is a great place for those of us who like the fringe. Tattoos are not a problem. Facial piercings are fine in the office. (OK, you might need to remove them if you are onsite with a client.) Listen to metal? Fine. The point is, our firm’s culture is the polar opposite of many. There is nothing wrong with having different versions of your CV and letters too. Remember to always drill into the audience. Check out their website’s About Us page, stalk key people’s LinkedIn. Know your audience.

3. GOT A HANDLE? BE OPEN ABOUT IT

Made our interview shortlist? OK, great, you are very close to finally becoming a penetration tester. So we will raise an internal job for our testing team to run an OSINT gathering session on you. What I am saying is, don’t hide your handle. It is fine. We will discover it anyway. Pretty much everyone in pen testing has a handle.

4. ACE THE SHORTLIST

It was at B-Sides Manchester a few years ago I said that when you apply for a penetration testing role, you should include examples of your work. You know how many applicants I have had that have done that so far? Zero. I have heard from three other pen testing firms though, and every candidate that included an example report as their CV and “covering letter” got an interview and was overall successful in securing the job. Penetration testing is a technical art form. I have said that many times. Do excellent artists have a CV? No, they have a portfolio of work. Why don’t pen testers? I would rather a one-page covering CV listing your skills and qualifications and then a couple of example reports from, say, Hack The Box or OffSec’s labs, than a 3-page CV and a boring covering letter.

5. BE YOU

Don’t hide the you. It is your journey to becoming a penetration tester that will set you apart. The real you is the best you. If your everyday wear is a bomber jacket and jeans with a battered laptop bag and bullet belt then great. Read point 2 again. Turn up at Hedgehog for an interview, we probably would not notice. Turn up at PwC, you will probably get turned away. Point is, penetration testers are an odd bunch. Pretty much every pen tester I know lives within a fringe society model. So, research where you are interviewing and get a feel for their culture. And be the best you.