Being a penetration tester is an exciting and lucrative career, but is it the right one for you? You may be reading this article because you:

  • Are interested in becoming a penetration tester
  • Are currently freelancing and are considering taking on a corporate role
  • Are working at a company which is considering setting up an in-house pentesting team
  • Have recently qualified as a Certified Ethical Hacker (CEH)

Image for Warning by JuralMin. Licensed under CC BY 2.0

Below, we will answer some common questions aspiring penetration testers and ethical hackers ask about working for an in-house team and provide links to related resources. At the end, you will be able to make an informed decision about whether a job on an in-house team is a viable career option to suit your lifestyle, interests, financial needs, skills, and experience.

The Job: Roles and Responsibilities of Pentesters on In-House Teams

Cybersecurity Job Roles and Pentesting Specialization

Entry-level ethical hackers will usually start their careers in a role such as junior systems administrator, network administrator or IT support. With further experience and professional qualifications, you could move into a junior penetration-testing role. As a penetration tester, you will have many opportunities to specialize in a particular niche, whether in an entry-level or management position. Common areas of specialization (and these may overlap) include:

  • Servers and network endpoints
  • Windows, Linux or Mac operating systems
  • Web-based products and applications
  • Mobile applications and wireless devices
  • Software code vulnerabilities
  • Improper software configuration management implementation
  • SCADA (Supervisory Control And Data Acquisition) control systems
  • IoT (Internet of Things)
  • Social engineering tactics
  • Security frameworks and standards

A senior penetration tester may choose to work with or open a security consultancy, become a freelance ethical hacker or climb the ladder in-house to a managerial position.

Teamwork: How Are Pentesting Teams Organized in a Company?

An in-house team may be broken down into silos with different foci. Within these silos, members will have different responsibilities depending on their grade, e.g. entry-level or senior management. This depends on the requirements of an organization. Smaller businesses may have just one team with members playing multiple roles:

  • Red Team: The members of this team are the primary attackers. Their job is to mimic an attacker, find system vulnerabilities and break through system security. This team is responsible for planning and reconnaissance, scanning, attempting access, maintaining access, maintaining access and results analysis. In the real world, Red Teams are often third-party consultants called in en masse to ethically hack large infrastructures like power grids and nuclear facilities and advise on security measures.
  • Blue Team: Members of this team are the heroes who attempt to defend the system from attack. One of their primary goals is to ensure that any breach by the Red Team is quickly identified and an appropriate response made to thwart damage or theft.  
  • Purple Team: As Ravi Das explains, this team is the “bridge” between the Red Team and the Blue Team. It “adopts the security controls and tactics from the Blue Team, as well as the security weaknesses and vulnerabilities which are discovered by the Red Team [ … ] to implement a policy of continuous and constant security improvements for the corporation.” An important role for members of the Purple Team is to understand security compliance regulations and standards and communicate these to the Red Team. The Red Team then need to test whether systems remain compliant when under attack or breached.

What Will Your New Job Title Be?

There are numerous job titles for in-house pentesters, depending on what they do: Network Security Analyst, Information Security Analyst, Computer Forensics Analyst, Cyber Security Analyst, Security Architect, Vulnerability Tester, Ethical Hacker, Information Security Manager, Security Consultant, Intrusion Detection Analyst, Chief Threat Officer or Homeland Security Specialist, among others.

Payscale and Indeed are good places to look for jobs and research penetration tester salaries.

The Daily Grind: A Day in the Life of an In-House Pentester

What Would the Average Workday of a Penetration Tester Look Like?

A penetration tester’s responsibilities will vary according to their role and experience, but below are some typical duties for an in-house pentester:

  • Understand the types of attacks a system may be victim to, including common phishing attacks
  • Plan penetration tests and strategies
  • Select off-the-shelf or create suitable testing tools, e.g. automated testing tools and network scanning tools
  • Perform a variety of penetration tests on applications, networks, software code, mobile endpoints, social engineering vulnerabilities and so on
  • Test hardware and physical devices like servers and network devices
  • Devise and document pentesting methodologies and strategies
  • Review and distinguish between physical security loopholes and social engineering vulnerabilities
  • Gather data intelligence and results
  • Analyze outcomes and communicate them to the organization’s stakeholders
  • Make recommendations for security improvements and enhancements of existing assets
  • Keep up to date with ethical hacking (and black-hat hacking) news, insights and methodologies

In addition, pentesters provide a support role, particularly if and when an organization is breached. Pentesters may have to work shifts or be on call after hours to ensure 24/7 security at an organization.

What Do Real-World Pentesters Spend Most of Their Time Doing?

Pentesting is not all glamorous cloak-and-dagger shenanigans and the fun of full exploitation.

In “The Difference Between a Vulnerability Assessment and a Penetration Test,” Daniel Miessler notes that penetration testers can illustrate vulnerability without full exploitation of a system. “A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could.”

Typically, pentesters spend their days:

  1. Methodically and painstakingly running pentests
  2. Documenting testing results
  3. Communicating suggested security improvements to stakeholders

Alexander Drabek is a pentester at 2-Sec. “Much of the day is working through a range of processes, methodically performing careful analytical tests and reporting in minute detail on results.” However, there are always opportunities for growth and learning: “When we have time, we conduct in-depth analysis of recent vulnerabilities, new technology and general research into a variety of topics to actively expand our knowledge and ensure that our clients are protected as much as it is possible.”

Adrien de Beaupré, in an interview with Sector, says a lot of the work is mundane and methodical. “Pentesters typically work in teams, each with their own specialized area of operation, and they walk through the process in minute, heavily-documented detail, only deviating from the methodology where required for creativity, and documenting the change in plan.”

John Treen, interviewed by Learning People, says, “Day to day, I will usually be working in a team creating simulations. So for example, we send out phishing simulations where we select a sample of employees and send a phishing email to see how people respond. From this, we can monitor for clicks and see if people are downloading malware and picking up infections. We can then make suggestions on how to improve security measures.”

What Are Some of the Difficulties Found in Dealing with Non-IT Specialists in a Company?

Organizations require a mixed bag of skills from pentesters, and not only technical ones. A pentester must be able to communicate effectively with non-IT specialists as well as team colleagues and managers. There can be a disconnect between penetration testing teams and non-IT staff in an organization when:

  • Non-IT people do not understand the underlying technologies in the system
  • Technical individuals find it difficult to explain results in layman’s terms and describe system functionality without jargon
  • IT specialists do not understand the high-level requirements of non-technical business specialists
  • Non-IT specialists do not understand what penetration testers need to do their job or what they spend their time on, e.g. require expensive testing software and spend seemingly inordinate amounts of time attacking a system only to find it impenetrable

Communicating Cyber Attack Risks to Non-IT Professionals: How Are These Difficulties Overcome?

To overcome this disconnect, additional skills for a pentester include:

  • Ability to analyze and break down pentesting results and identify how they affect business processes
  • Business report writing skills to create and communicate security solutions and improvements to non-IT specialists, and explain in layman’s terms the impact on the system if recommended solutions are not implemented
  • Awareness of end-user needs and rights (e.g. data privacy) and understanding that data breaches are not just important in terms of system security failure or fines for non-compliance, but have real-world implications for end users, including financial losses and identity theft

What Skills Does an Entry-Level Pentester need?

According to Infosec Institute’s Keatron Evans, vital skills for an entry-level penetration tester include:

  • Mastery of an operating system
  • Good knowledge of internet and network protocols
  • Knowledge of basic scripting
  • Understanding of how firewalls work
  • Knowledge of one or more coding languages
  • Understanding of databases
  • Experience from practice and experimentation

In an interview with Concise Courses, several penetration testers shared their different journeys:

  • Practicing hacking as a hobby followed by online courses to get certified and prove competence before applying to an in-house security team
  • Reading, taking online courses and creating a pentesting environment for self-learning in spare time
  • Formal computer science training followed by work in an IT Security role (e.g. as a Systems Administrator) for an organization, and then a horizontal move into a specialized pentesting role

Skills Advancement and New Penetration Tests Methods

How does an in-house team afford opportunities for a pen-tester to learn and apply new methods outside typical specialized skill sets?

An in-house team can offer its security teams the time and support to investigate new pentesting trends, tools and methods, e.g.:

  • Addressing risks pentests do not find: From coding vulnerabilities to social engineering tactics illegal hackers use, ethical hackers should take time out to learn what their testing may be missing
  • Using new cyberstalking tools: Jorge González Milla, writing for PenTest magazine, suggests that new search engines for cyberspace can assist pentesters in finding cybercriminals
  • Researching modern data security paradigms: Steven Russo, writing for PenTest magazine, predicts that MicroEncrypted Digital Vault capabilities will change the way organizations encrypt data because the data that is most sensitive is also the same data that must remain accessible to those authorized to access it

Mobile Device Penetration Testing

Getting Started for Aspiring In-House Penetration Testers

Concise Courses interviewed various professionals in the field of cybersecurity. What they overwhelmingly agreed was that a successful penetration tester must:

  • Have a passion for cybersecurity and hacking
  • Learn independently as much as they can by reading and chatting online with other hackers; researching hacking techniques, tools, and methodologies; and consistently practicing their skills, even outside work hours

InfoSec Institute has a wealth of resources to help you research in-house pentesting as a career:

 

Sources

6 Common Phishing Attacks and How to Protect Against Them, Tripwire

The Difference Between a Vulnerability Assessment and a Penetration Test, Daniel Miessler