So you are an aspiring professional penetration tester (pentester)? That’s great! It can be a rewarding field for one who cannot get enough of intricate technologies and making them behave unexpectedly.

After more than five years of pentesting, I moved into a management role, which led to meeting even more individuals who want to transition into pentesting. Almost every time, I was asked “what can I work on to guarantee I will get a job?” The hard truth is that nothing comes with a guarantee, as I believe there are far more candidates than available opportunities, and the competition gets stronger by the day. Obviously, this is not the kind of answer I like to give; I do not wish to discourage anyone. Instead, I prefer to focus the discussion on what can make a candidate stand out. Spoiler: there is much more to it than the technical aspect.

This post covers what makes a difference to me when I consider a candidate for a full-time position improving the security of a single large organization, along with some recommendations.

Ideal Candidate

The following are some of the most critical skill sets and mindsets I believe are essential to succeed in the role.

In-Depth Knowledge of Computer Science

Let’s get the technical part out of the way first since we cannot avoid it.

Take a web application pentest as an example. You will be given a limited timeframe to review its security controls and then present your findings to the software development team. By the end of the pentest, you are expected to know the application practically as well as the developers themselves, and you are going to tell them what they could have done better. That, in itself, is no small task and is quite difficult without knowing much about software development.

In the previous example, does this mean you must have five years of experience in development? Not necessarily, though it surely helps; everyone learns differently. I have seen pentesters whose only development experience was a three-month internship, and it was enough to lay the groundwork for becoming ridiculously strong at application security. Without a doubt, they spent a considerable amount of personal time teaching themselves more about the topic to get to where they are now. On the other hand, if I look at my own path, I do not think I could have easily transitioned into pentesting without my four years of full-stack development, as they were a critical learning experience. It all depends.

Something else to consider is that you are bound to have technology you have never heard of thrown at you in a “here, tell me everything I have done wrong” kind of way. You will then need to become an expert in that technology quickly in order to be confident about what you looked into. This is much easier when you can rely on your knowledge of the field, since you will be able to identify similarities with other technologies you already know.

Excellent Documentation

Now that you have found some shiny vulnerabilities, the most important part remains: communication. All the necessary information must be documented in a report so that the remediation team gets everything they need to proceed. Be precise, but straight to the point, to keep your audience engaged. I cannot stress this enough, as any missing or inaccurate piece of information may cause confusion and lead to incomplete remediation. Therefore, take a step back, put yourself in your audience's position, and think about what information would be useful to you as the remediator.

Proper reporting also includes a suggested criticality, which often guides how urgently remediation must happen. A common mistake is to overstate how critical a finding is. This does not help the organization and may mobilize the remediation team on a finding that belonged at the bottom of the list. I get it, you want your findings remediated, but if every new finding of yours suddenly becomes the talk of the hour, you will lose credibility with your peers. Again, take a step back, consider the entire context and act accordingly.

Focusing on Value

This one is a favorite of mine. If I hand you five days to work on a project of your choosing, will I be happy with my investment?

A large organization can get a lot of value out of such exercises, as pentesters often have good intuition about what may be broken or what could improve their team. Unfortunately, it can also lead to rabbit holes where a lot of time is spent and not much comes out of it. However, I believe it is unfair to expect impactful results every time, and I will never discredit an activity whose motivation had sound reasoning.

As an example, consider the case where a pentester decided to look for XSS. After a few days, they tell you all about the multiple XSS issues they found in a web application. Further investigation reveals that the application is only accessible internally, does not host any sensitive information, and is no longer used by anyone. In short, the impact is extremely limited. Meanwhile, the pentester has never tested publicly accessible web applications, cannot say much about the posture of the organization’s Active Directory/Entra, and has no idea how effective “Domain Admins before lunch” types of techniques would be. That would certainly make me question the investment of time.

In short, consider the big picture before working on a project. It does not mean your idea is wrong, but there may be other activities that should be prioritized first. Perhaps you could build a backlog of significant exercises with your team, and challenge each other on the priorities.

Key Resource in Special Projects

Whether it is a new large-scale project or an incident response event, the two often share a common factor: having to work without an exact course of action. What I mean is that you may be brought in to contribute as the key offensive security expert, and you will have to deal with imprecision. They also usually come with an aggressive deadline, so there is no time to mess around.

These special projects get easier over time as experience pays dividends, but even if it is your first time, you need to be up for the challenge no matter how far it takes you out of your comfort zone. Understand your client, think about what you would want from yourself if you were in their shoes, and plan accordingly. Whatever you do will be far better than freezing and second-guessing your own expertise because the situation is so different from what you are used to.

As a manager, it is extremely reassuring to know that no matter what comes, your experts will be ready to answer.

Peer Feedback & Knowledge Sharing

Everyone can improve, no matter how long they have been in the game. Did you notice a situation where a colleague could have done something differently to get a better result? Wonderful! Now make sure to have an open-minded discussion with them. Maybe there was a variable at play you were unaware of, or maybe you are right that it could have been better. What matters is that, as professionals, you are expected to have these healthy discussions, from which everyone can greatly benefit.

Similarly, be on the lookout for topics worth sharing with your colleagues. Whether it is a new technique, a workflow to be more efficient, or a primer on a technology most people are not comfortable with, these are worth sharing. You want to avoid at all costs a situation where every member of the team individually spends time researching the same subject. How about one member doing the research and presenting it to the team?

Scope & Time Estimates

Most pentests assigned to you will come with two pieces of vital information: the scope (what must be tested) and an estimate of how long the pentest is going to take. Failing to follow the former means your report may paint a much different picture than reality. Indeed, if you spent time validating the security controls of a different scope, your report might end up claiming the expected scope is clean. In the same vein, if a pentest ends up taking twice as long as initially planned, another pentest will have to be put on hold in the meantime. As mentioned in “Focusing on Value”, it does not mean the extra time you spent was a waste, but it might not have been the right moment to look into the additional parts.

Making sure you have a full understanding of the scope and doing some time checks along the way helps you deliver quality.

My Recommendations

As briefly mentioned in the introduction, no guidance comes with a guarantee that you will reach your goal. Nonetheless, here are a few pointers I believe are important to take into account.

Contribute to a Community

There are plenty of information security communities out there, in different forms. Depending on your location and preferences, some may be a better fit, but no matter which one you decide to take part in, the outcome is likely to be positive. It can benefit you both on the technical side and by making contacts who may eventually help you get an opportunity. Make sure to bring a positive attitude and to help wherever you can.

Personally, I got my first job in the field through a contact from a community I spent a lot of time with. That usually makes the interview process more straightforward, which is desirable.

Do Not Overdo Certifications

Some people have reached the point where they can spell out the entire alphabet with the acronyms of the certifications they hold. When I read a curriculum vitae, it does not make much difference to me whether someone has three or twenty certifications. Does that mean they are useless? Absolutely not, as they are a great way to show you have been working toward your goal. If you are having fun catching ‘em all, keep going, but do not count on them to be the key differentiator.

Be Good With Code and Web Apps

The idea here is that there are different areas of expertise within pentesting itself, but some are in greater demand. I think it would be a missed opportunity not to be comfortable with web application pentesting, as there is usually more demand there, hopefully including code review for better coverage. Even if you are unsure which area is going to be your favorite, it seems sensible to begin where the most opportunities are going to be.

Do Not Blindly Use Tools/AI

This one can be summarized as understanding what you are doing and why you are doing it. Some seem to be under the impression that pentesting is about building an arsenal of tools and then blindly throwing everything at your target without much consideration. While this can work out in certain scenarios, especially for low-hanging fruit, it will never be as effective as someone who understands what those tools do and why they are using them.

Recently, a friend overheard a nearby team at a capture-the-flag event celebrating a flag they had just obtained. When a participant quizzed his teammate on how they had managed to solve the challenge, the reply was that they had no idea, because they had simply let their AI agent solve it. While any means to an end within the bounds of the rules is fair play during a competition, I cannot help but think it would have been far more beneficial for this team of students to focus on the learning experience instead of automagically solving challenges. Enjoy the journey, not just the destination.

Selling Yourself: The “Why You?” Edition

There is more material than ever to learn about pentesting, and this surely results in more people looking for professional opportunities. Time needs to be spent marketing yourself to stand out from the pack. Consider the section “Ideal Candidate”. How can you show, through your actions and accomplishments, that you possess the characteristics of an ideal candidate? The popular idiom “actions speak louder than words” certainly applies here, as it gives your interlocutor confidence in your abilities. Feel free to ask your community to review your curriculum vitae and tell you what kind of impression it makes on them.

Closing Words

I have had the pleasure of meeting many accomplished pentesters, and it does not take long to feel how passionate they are. Thus, it is not surprising in any way to find them doing research or getting involved in a community after a long day of work. I believe that anyone willing to dedicate themselves this much to a discipline should get the opportunity to be an excellent asset for an organization. While I cannot provide a clear path to follow, I hope these thoughts will be helpful in forging your own way.