I’ve been answering questions about penetration tester jobs for over 20 years now. During that time I have been a penetration tester, and a Director of a penetration testing company. These days I head up the penetration testing team at a well-known Manchester-based cyber security company. I’ve interviewed, rejected, hired (and on occasion, fired) penetration testers and have mentored and guided many others.
I suppose that gives me some insight into what the job requires. Or at least, what I’ve always needed from a penetration tester working on my team.
Much has been written about qualifications and experience, and that’s fine. Although a focus on academic qualifications alone really does miss the point. There are many attributes a penetration tester requires in order to be effective, and many of these are actually personal characteristics rather than paper qualifications.
As I write this, I think of the most talented testers I’ve had (and have) the good fortune to work with, and their backgrounds really are eclectic.
At this point I imagine you want me to talk about all of the qualities needed to get the job. Unfortunately for you Dear Reader, thinking and acting like everyone expects you to is not a quality that successful penetration testers exhibit. Instead I’ll recall (anonymously) some occasions where it was clear to me that the individual really would not be happy in the role.
The ‘tell me exactly what I need to do’ candidate
During this interview, the candidate repeatedly wanted to know a very specific list of the things he needed to tick off to get a penetration testing job. I tried to explain that it really doesn’t work like that, and life just doesn’t consist of a check-list, with a guaranteed outcome. We agreed to disagree. Next candidate please.
The ‘show me the money’ candidate
Let’s be honest, the pay for many penetration testing jobs is decent. Demand is high, and supply is low. This does tend to attract people who like money more than perhaps they should. There’s nothing wrong with chasing money, but if you’re trying to get into the industry, at least pretend to actually be interested in the detail of the job. If nothing else, penetration testing jobs are detail jobs.
The ‘I can bring you loads of new clients’ candidate
How or why would you do that? Isn’t that a sales and marketing job? Never going to happen. Next please.
The ‘never mind the quality, check out my certs’ candidate
Cyber Security Certifications. A whole other blog post in that old chestnut. This is often the candidate who has just got their current employer to pay for a bunch of expensive certs, and is now actively marketing themselves on the back of it. Sometimes it works, and sometimes it’s a red flag to a prospective employer.
The ‘nobody understands how great I am’ candidate
Confidence is a great thing, but I remember one candidate who took every opportunity to let us know that this role, which we’re obviously going to offer him, is only the next step in a what will be a stellar career. In actual fact, he thought we were lucky to have the chance to employ him before he’s snapped up by Nasa, Boston Dynamics or Tesla. I imagine he was on the phone to them shortly after our interview concluded.
Qualities that matter
So I guess you can work out (reverse engineer maybe?) from the above what the qualities of a successful candidate are.
- Genuine enthusiasm, coupled with demonstrable engagement with the subject. Blogging, Github projects, online cyber security training environments, personal side projects, specialist group or society memberships. These are big green flag items. Unless the role specifically requires particular certs, this is more important than anything else.
- A modest ego. Everybody has one, but playing well with others is a vital attribute.
- Willingness to learn or cross-train to new things, and being able to show some new things you’ve learned recently.
- The ability to ask questions. Penetration testing is a process involving the identification and solution of numerous small puzzles. An inquisitive mind is essential.
Housekeeping basics
There are other important things too. I’d class these as housekeeping issues. Boring but important.
- Showing up on time, prepared for the interview. We’re all doing camera interviews these days and the dress-code norms of the pre-Covid world have gone away. But basic prep and timekeeping is still important.
- Proof-reading your CV/Resume. You can’t claim to have great attention to detail when your CV has grammar or formatting errors.
- Show interest in things outside of Cyber Security.
- Be aware of your social media footprint. Employers check this stuff these days so it is worth checking your privacy settings.
Myths
You have to be super-smart to be a penetration tester
Debatable. It is true to say that I’ve worked with some people who are indeed super-smart and are amazing testers. But I would also add that I’m not super-smart and I’ve managed to have a decent career in the field without a problem.
The fact is that some penetration tester jobs need super-smart people. But if you’re lucky enough to be exceptional, then you don’t need my advice and you’ll probably do well in whatever area you choose. It doesn’t mean there isn’t room for us non-genius people too. Hopefully in this blog I’ve made it clear that there are some personal attributes that will serve you well if you genuinely want to get into the field.
We can’t all be Lionel Messi, Grace Hopper or John Coltrane.
Certifications are the route to success
Not in my experience. Although the Cyber Security industry is littered with them, I would humbly suggest that many of them are little more than tick-box certs. If you’re considering investing in a course & exam programme, I would suggest you confirm that:
- The course is based on practical skill development, i.e. not simply a set of canned CTF exercises or multiple choice questions.
- The examination is practical and includes a mandatory report-writing component where you are required to clearly identify your findings and recommendations.
- The course material is up-to-date. Technical architecture changes quickly and the state-of-the-art now will be irrelevant in a few years’ time.
- People have actually heard of it. There’s a lot of money-making cert companies out there, and they’re not all highly regarded.
You need a degree to even apply for penetration testing jobs
Some companies may indeed specify this, but this is changing rapidly. The demand for cyber skills has made many companies realise that they need to be more creative and open-minded in recruiting. This is a welcome change, and not before time. Many of the brightest and most talented people I’ve ever worked with have unrelated or no academic backgrounds. Do not let a lack of academic experience put you off.
I don’t need a degree? I’m quitting my course right now
That’s up to you of course, but consider your actions carefully.
Penetration testing is mostly about retained knowledge
Absolutely not true. Penetration testing jobs are quite skill-based. Sure, you need to know stuff, but you also need to develop skills through practice. This is why I value practical experience and attitude very highly.
The Cyber Security Industry is basically all about penetration testing
Massively untrue. The industry continues to evolve and new markets, products, services and roles are opening up all the time. I’m talking about penetration testing jobs in this post, but the industry and indeed the emerging profession is much larger. I should write another post on that topic.
So there you go. The field is open, and there is opportunity even if it feels inaccessible at first. With perseverance and a little luck, you’ll get there.