Transitioning into a Penetration Testing Role

Having completed my first year as a penetration tester, I feel fortunate to say that this has been the most rewarding and engaging work I’ve had the pleasure to do. Simply put, this was and continues to be my dream job, and yet, the transition from full-stack web application developer to penetration tester was daunting. The path I took saw me make a number of mistakes and miss some opportunities, but my hope is that those of you who are just starting this process can use my experience and apply the lessons I learned along the way.

Setting Expectations

First and foremost, it is essential to truly understand the role that you are entering. The reality is that days of penetration testing may go by with little to show for it--more often than not, the clients engaging your services are well refined, mature organizations with top-notch security professionals that have dedicated their careers to preventing the likes of you from gaining a foothold in their networks and systems. But for those of us with a passion for security, a high severity finding makes all that wait worth it. With that being said, as slow as some individual days may be, it is also important to appreciate the grander, more accelerated pace of this field. New tools and methods of exploitation are released daily on Twitter and GitHub, and so a penetration tester must also simultaneously be a researcher, as your long-term efficacy in the industry has a strong correlation to your continued learning efforts.

Starting from Ground Zero

Now that a general picture has been painted, the actual first step in this journey is to develop a hacker mentality and to put it into practice against a real system. Luckily, a wide variety of free and paid resources exist to help you achieve this—definitely consider Hack The Box, which is an immeasurable resource that hosts hundreds of intentionally vulnerable machines designed to educate newcomers and improve pen testing skills. Many additional step-by-step walkthroughs or technical write-ups for these challenges can also be found online.

For beginners, I highly recommend choosing five “retired” machines which have accompanying YouTube videos made by IppSec. Fire up your Kali machine, connect to the VPN, and complete the challenge using the same steps you see in the walkthrough. In doing so, you will begin to establish a penetration testing methodology and understand the cadence of security testing. However, do not make the mistake of using these resources as a crutch. Once you feel comfortable, attempt the remaining retired boxes without assistance, and only reference the walkthrough if you feel you have exhausted all other options without progress, as having the answers provided to you is a costly habit that will only slow you over time. For myself, I felt ready to move on to a greater challenge after two months and completing 25 boxes with limited assistance—it was then that I attempted to achieve Offensive Security Certified Professional (OSCP) certification.

The Proving Grounds

In the highly contentious debate over which security certifications are most desirable, I can offer two pieces of insight. First, I can tell you that I gained a greater understanding of pen testing after one month in the OSCP labs than during the majority of my postgraduate research focused on cybersecurity, largely due to the hands-on and self-study nature of the certification process that created an unparalleled, immersive learning experience. Second, the knowledge required to pass the OSCP exam absolutely prepares you for an entry-level pen testing position in itself. Yes, you will find yourself enumerating plenty of Windows XP machines and using exploits written back in the stone age of computing, but the mentality you adopt is by no means antiquated. Technology evolves, but the underlying issues from which vulnerabilities arise have stood the test of time, and as such, I highly recommend completing the OSCP prior to applying for a penetration testing role. Whether you pass the exam on your first attempt or after one of the many thereafter, the pursuit is a worthy investment towards becoming a pentester.

Landing the Job

But even with battle-tested pen testing skills and a certification in hand, the most challenging aspect of your transition may be finding the right employment opportunity. With a wealth of job-seeking advice already out there, I can only add that it helps to search for these roles with a hacker’s mentality—evaluate potential employers and learn about the services they offer, as well as the types of clients who engage them. Use your new OSINT skills to research what tools are needed for particular jobs and take the time to familiarize yourself. Not only that, but attempt to discover the ways your non-security background can be used to benefit potential new employers.

Personally, I found that my passion for developing internal security tools, developed during my time in software development, proved a boon to our team, and it’s been no surprise that each of our other team members also brought with them a diverse skill set that has contributed to the growth of our practice. Diverse skill sets are both necessary and desirable in this line of work, so do what you can to recalibrate everything about your old and new experience to set yourself apart. In the end, all of the effort is likely to prove worth it, as it paves the way to the interesting and rewarding work that is penetration testing.

About the Author

Nathan Rague

Nathan Rague is an Associate Penetration Tester with Schellman & Company. Prior to joining Schellman in July 2018, Nathan worked as a Senior Full Stack Developer, specializing in front and back-end web application development. As an Associate Penetration Tester with Schellman, Nathan is focused primarily on delivering thorough and comprehensive penetration testing services for organizations across various industries.
