How to break into penetration testing, according to the experts

Just like a successful penetration test, there are numerous ways of getting into the profession.

Francis Scialabba

· 5 min read

It seems like every aspect of cybersecurity and IT is about protecting yourself from threats, but sometimes the best defense is a good offense. A career in penetration testing—the art of simulating adversarial cyber and social engineering attacks on a target to see just how tight their security really is—might be for you.

While it might be tough to make a name for yourself, just like a computer network, there are many different ways to break into (get it?) the field. IT Brew spoke with four experts on their advice for anyone looking to pivot their career towards ethical subterfuge.

Thomas Richards, principal software security consultant at Synopsys’s Software Integrity Group

Richards told IT Brew his “first and honestly, worst pen test ever” was for a former employer planning to switch from Windows-based to mobile-based software to run their business, which he found had several protocol-level issues. He subsequently got certified in offensive security and has since published over a dozen vulnerabilities, at least half of which were critical severity.

Richards advises prospective penetration testers to apply their existing knowledge of networks and systems towards hands-on experimentation.

“Underneath, we all need the same foundation of knowledge of networks and how they work, and have experience building and managing and maintaining them,” Richards said. “That knowledge then allows us to really home in on, ‘Okay, well, this is probably a bad design, there’s a vulnerability here,’ or even, ‘From experience, I know no one ever flips this switch.’”

“There are so many trainings available, and labs, and capture-the-flag events, and conferences, where you can go and just start networking with people,” he added. “These are all the things I look for when I get a résumé for someone coming up.”

Alethe Denis, senior security consultant at Bishop Fox

A specialist in social engineering, Denis told IT Brew that winning a DEF CON Black Badge in social engineering wasn’t enough to land a job as a junior penetration tester because her résumé lacked technical skills. She said many penetration testers find their way in by building experience in related fields, like SOC analysis and incident response. For Denis, that alternative route was compliance and governance.

“Winning a competition, or gaining a certification doesn’t adequately represent skill in the context of job-hunting,” Denis said. “So, just because you’ve got a Black Badge doesn’t mean anything to an employer. And just because you worked for a specific organization in the past doesn’t mean much if your skills don’t back it up.”

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

“But just because you have your Security+ and your CEH [Certified Ethical Hacker], doesn’t necessarily mean that you have the skills to do the job,” she added. “So, there’s always going to be that learning curve, and that gap of doubt that you'll have to close with a prospective employer. Demonstrate to them that you have willingness to learn, that you acknowledge where your gaps are, and where you need to continue learning.”

Heath Adams, CEO of TCM Security

Adams left a career in accounting to work at a help desk, where he pursued certifications and eventually became a network engineer. Once he found out about jobs in ethical hacking, Adams said, “I became obsessed, and I’m still obsessed.”

Adams said that penetration testing sounds like an incredibly fun job that rewards curiosity and a desire to learn—and often is—but isn’t all break-ins and hacking.

“When it comes to debriefing your findings, you might be sitting in a room with a CEO,” Adams said. “You have to be able to transcribe that from, ‘Here’s what I found, here’s why it’s bad,’ in a non-technical and technical perspective.”

“If you’re not prepared for a life of consultancy, that could be a rude awakening,” Adams added.

Josh Jacobson, head of security advisory at HackerOne

Jacobson began his career as an IT audit and penetration testing consultant after getting a certification in forensics. That role, he says, was a gateway to others, like web app penetration testing at a major airline and his current role liaising between hackers, clients, and customer service at bug bounty platform HackerOne.

Programming skills will help anyone trying to break into the field, Jacobson told IT Brew, and the secret sauce is a proven track record of finding real-world vulnerabilities.

“Your life is going to be a lot easier if you get proficient at coding,” he said. “Just knowing how to build things makes it a lot easier to break things.”

“Anything that you’re allowed to share disclosures on, that can go a really long way to be able to kind of toot your own horn and say, ‘Hey, look, I’ve done this for real-world customers,’” Jacobson said, adding a history of finding any bug worth payment or disclosure “can carry a lot of weight.”—TM

Do you work in IT or have information about your IT department you want to share? Email tom[email protected]. Want to go encrypted? Ask Tom for his Signal.
