6 Problems Penetration Testers Face (and How Schellman is Solving Them)

There’s a Latin proverb that says, “if the wind will not serve, take to the oars.” If you’ve ever hunted for a (new) job, you likely can relate. Of course, every workplace has its idiosyncrasies, but you need to find the “wind” that serves you best.

That goes for experienced penetration testers as well. As with everything else, there are different problems people in our field face in doing this work. If you’re nodding your head, maybe you already have “taken the oars” and are looking for another opportunity. But it’d likely help to know that your new employer has a plan to tackle these issues for your sake—or, as in Schellman’s case, that they already are.

Our penetration test practice may be thriving with diverse projects, but that doesn’t mean our team members don’t face similar difficulties as everyone else in the field. If you’re currently in the pen test field and are exploring making a change, we wanted to share some insight into how Schellman is actively working to remedy these workplace difficulties for the benefit of our team.

For any experienced penetration testers, this is why you should consider Schellman.

6 Problems in Penetration Testing

Problem #1: Burnout

We couldn’t start anywhere but here, since this is probably the largest problem pen test professionals are facing right now. Burnout is a versatile issue that’s usually caused by one or more of the following:

  • Poor workload distribution
  • Unclear expectations
  • Uninteresting work
  • Underscoped projects

What’s Different at Schellman?

Schellman is aware of this problem at a greater, firm-wide level, and is working to address it for all, but let’s look at how the pen test team specifically helps the team fight these causal factors of burnout:

How Schellman’s Pen Test Team Addresses Burnout

Poor Workload Distribution

We have a large team of experienced testers, so if you don’t think you’ll be meeting a certain deadline, there’s almost always someone available to provide aid and guidance (assuming you let management know early on).

Unclear Expectations

We keep documented unambiguous baselines for each pen test type, along with a set process for engagements so you won’t be caught off-guard by what you should and shouldn’t do on a project.

Uninteresting Work

Schellman works with clients from a vast array of industries—one project to another will vary widely in scope, methodology, and goals. You can expect to be placed on a different project every 2 to 6 weeks.

Underscoped Projects

We perform hundreds of penetration tests each year and are committed to quality and accuracy. To help with that, projects are scoped by Schellman penetration testers, not by a sales team that doesn’t have to face the repercussions of an underscoped project.

Problem #2: Job Misrepresentation

While burnout takes the cake as the most widespread issue in our industry, there’s another which isn’t talked about as much—misrepresentation.

While searching for potential positions, you may see job postings advertised as “penetration testing,” but when you dig deeper into the job description, you discover it isn’t 100% hands-on penetration testing. For example, some positions may even go as far as to require “Blue Team” duties, such as threat hunting or even incident response, but in actuality, you’re only performing automated vulnerability scans.

What’s Different at Schellman?

Point blank we will have a project for you to use your pen test knowledge every day. We perform real penetration tests. We believe that manual testing is an absolute requirement for an adequate assessment. No blue team duties are required – the closest would be writing remediation recommendations or securing our own pen test infrastructure. Finally, we work with assorted clients on various fronts, so there will be plenty of varied challenges to tackle while on our team.

Problem #3: Siloed Testing

We also see a common theme that pen test teams around the country are siloed, meaning testers are only responsible for one specific product or service, which may not be your cup of tea.

What’s Different at Schellman?

Schellman addresses this one by default. We have a large number of clients spanning multiple industries, so it’s incredibly unlikely you’re going to be testing the same scenario over and over.

Moreover, since a large number of our pen tests are for compliance initiatives, many of our pen tests vary in terms of what’s performed, so you’ll get a great variety of experience that’s not included in most job descriptions. Here are the most common tests we perform:

Problem #4: Imposter Syndrome

Everyone runs into this one at some point—feeling like you have zero knowledge in an area compared to your peers. We recognize this and understand how this feeling may occur, and for our pen testers that have had this concern, we provide plenty of mentoring and training opportunities. Additionally, we combat this potential worry by clearly articulating achievable individual goals and objectives.

What’s Different at Schellman?

To help you feel more comfortable, Schellman does a few things:

  • Specializations: If you have a specific domain of pen testing that you’re more passionate about or comfortable with, you can pick that as your main specialization (though to avoid silos, it won’t be your only work).
  • Research and Training Time: All penetration testers on the team are given time each quarter to perform practice development, research, and/or training to advance their knowledge.
  • Collaboration: Most importantly, you’re able to ask any question to our team, which is a very tight-knit group with various levels of experience and diverse expertise. It’s not very often we come across something we haven’t seen before, but if you do, our team will be very interested in what you found!

Problem #5: In-Office Requirements

When the COVID-19 pandemic hit back in 2020, many (if not most) organizations pivoted to remote work, but now that things are returning to normal, a lot of places are asking their employees to return to the office.

That may or may not be your preference – but read on.

What’s Different at Schellman?

In fact, Schellman was largely a work-from-home employer before the COVID-19 lockdowns, so if you do come aboard, you can expect to work from your own home, although we do have offices in several cities.

Traveling to an office or a client site is infrequent and when it does occur, it’s planned well in advance. Other than the occasional client requirement, moments where you would need to appear in person include our yearly corporate retreat, an annual team get-together, onboarding, and other optional training. There are no other on-site requirements for our pen test team.

Problem #6: Poor Compensation and Benefits

All the previous problems roll some way or another into this one—given the cutting-edge work being done in the pen test industry and the time we all spend acquiring more skills and expanding our knowledge bases, we want to be paid accordingly for such expertise.

What’s Different at Schellman?

At Schellman, you won’t have to worry about that. The firm provides top-of-the-line compensation, along with quarterly bonuses for all team members. You can also earn more via bonuses given for exemplary performance and marketing participation, as well as client and recruiting referrals.

The top-tier benefits package further compliments this competitive compensation too and features some truly unheard-of perks not yet mentioned in this article:

  • Up to 10% of your salary is 100% matched for your 401(k) (opt-in w/ vesting period).
  • From day one, if you want to go for an approved certification, we’ll pay for it and provide you some time to train and take the exam. Conferences are also encouraged.
  • Up to $150 per month towards your Internet and mobile phone bills. 

This list is just the start of what we offer now, and our benefits are always expanding, so check here for our latest information. 

Interested in Joining Our Team?

If you’re someone who has or wants to “take up the oar” and find a new opportunity, Schellman may or may not be the right next move for your penetration testing career. But at least now you know that this firm is aware of the biggest issues people doing this kind of work face, along with what our leadership is doing to help.

Knowing all that, you may be ready to join the team, and if so, you can view our opportunities and apply now. But, if you’d like to continue learning more about us before you pull that trigger, feel free to also check out our Glassdoor page which features reviews from current and former team members and includes both pros and cons.

About the Author

Josh Tomkiel

Josh Tomkiel is a Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.

More Content by Josh Tomkiel
Previous Article
The Importance of Learning (and How Schellman Can Help)
The Importance of Learning (and How Schellman Can Help)

Schellman is dedicated to learning, and now we are expanding to help educate others--whether they work here...

Next Article
Working for Schellman: An Early Review from an Auditor
Working for Schellman: An Early Review from an Auditor

Trying to decide which accounting firm is right for you? Our Will Sparks weighed his options & chose Schell...