
How to get a job in a pen test team

We’re hiring pen testers at work at the moment, and it’s an interesting experience. I’ve interviewed more pen testers than I can shake a smelly stick at, and I can honestly say that pen testers are a unique breed of people. So you can imagine my urgent need to change underwear after reading this post on the securiteam blog. It’s funny because it’s true. I especially like this comment, as it’s particularly relevant to the non-techie pen tester.

Take the other site of it:

- you wear nicely pressed shirts, and can fire up Newt, besides that, you’re the master in copy-pasting the outputs into MS Word.
- you have a goatee
- if a network doesn’t have dhcp, you have problems configuring it
- you get scared when a subnet’s octet doesn’t contain 0 or 255,
- you start a blog and critic everything and everybody, yet provide nothing useful
- you gather vulnerabilities – and rate the about:alert… XSS vuln in IE a high risk
- you think “tls” is some type of “mou” or “roi”
- you love the sound of “mitigating risk factors”
- you aim for all certifications that end in “P”, as long as they are not technical
- every bug can be exploited “by sending a malicious specially crafted packet, it is possible to potentially compromise the entire network”.
- you dont know how to program
- you get upset, because the weird looking nerds don’t consider HTML as a programming language
- what you mean, there’s another linux besides fedora?
- you are techie enough, your motorola phone runs linux.

For all the great stuff that a really techie pen tester does (making obstructive project managers break down in tears, getting servers to implode by thought control and getting ‘mad w00t’ on boxes by looking at them funny), the non-techie guy is the one you can actually sit in front of a client, comfortable in the knowledge that he won’t start barking, whistling DTMF or just bitching at the client. The funny thing is, I’ve known people who think they’re in one category but firmly belong in the other, and it’s just as funny to watch.

If you come for an interview and get me as an interviewer, expect to be rated according to the above…


Posted in Links, Security.

3 Responses


  1. James says

    Assuming you’ve finished interviewing – what questions did you ask your candidates? Did you ask them to demo anything? IMHO, non-techie people are often better client facing, and are often useful as an on-site contact when conducting assessments (as long as they have a basic understanding), but then you get into the world of how much you pay them: are they less, more or the same in terms of revenue as your techies that dream shellcode? What sort of makeup does your pen test team have – half and half, or is it more like a pen test team and an external technical sales guy?

    Interesting to see it from an HR point of view.

  2. James says

    Assuming you’ve finished hiring – what questions did you ask your interviewees? Did you get them to demo anything? It’s interesting to hear from the HR side of things – what’s your take on the techie tester versus the ‘technical sales’ kind of pen tester? Often it’s good to have a non-uber-geek on your customer’s site to act as a contact while doing external audits – what sort of ratio does your company have of these?

    It’s an interesting industry with some very different extremes, isn’t it?

Continuing the Discussion

  1. SnakeOil Labs » Thoughts from the Interview Room linked to this post on February 17, 2006

    [...] I had an interesting comment from James in an earlier post about penetration testing teams. There were a lot of questions in there so I thought I’d write a response as a new post. We’re still hiring by the way, so if you’re looking to join a fledgling security consultancy on the sharp edge of the ‘verse, you could do worse than get in touch (yes I know that it’s the blog for snakeoillabs page but it’ll get to me). [...]
