Hacking Your Pen Testing / Red Teaming Career: Part 1

Lawrence Munro
Published in Munrobotic
Sep 11, 2020

Most People Don’t

Pen testers are some of the most interesting and intelligent people I've met in my life, and they come from all sorts of diverse backgrounds. I think what we all share is a sense of intrigue and a desire to bend things to our will. Despite that, I am always struck by the frustration, and in some cases bitterness, testers feel about climbing the career ladder. I find it surprising that so many smart people struggle with this element of the industry, as they seemingly have all the right skills to soar to the top. It should be noted that a lot of people don't crave success or accolades, just the satisfaction of being able to 'hack stuff' for a living. That is no more or less valid an ethos (although I'm sure many would argue it's the purer one), but being honest with yourself about your goals is an important part of your journey. If you've been unfairly overlooked for promotion, struggled to make your mark, lack the recognition you deserve, or don't know how to improve your game, this post is for you.

It isn’t about Smoke and Mirrors (Disclaimer)

The first thing I should say is that this post is based on the principle that hard work and capability development come ahead of career engineering. If you're spending more time developing your Twitter game than developing your skills, you should consider refocusing your efforts. These ideas are designed to support those who are already working hard. More specifically, I hope they will help those who need some pointers on how to develop their approach to learning, or on how to make their organisation (or the community) aware of their capability.

Personal Development

Consistent personal development is not unique to our field, but it is one of the most important elements of it. It needs to come from you and be supported by your employer and/or mentors. A lot of people get stuck in what I call the 'teacher-student mindset', especially early in their career: the misapprehension that someone else has responsibility and accountability for your learning. It's normally a hangover from the school system. There may be people with a vested interest in your personal development, but that isn't the same thing. The most important thing (in my humble opinion) for personal development is owning it and accepting that you will need to drive it throughout your career.

One of the traps I've often seen in this area (especially on social media) is the debate about certifications vs. academic qualifications vs. work experience. I don't think it's a useful discussion, because the answer is obvious. There is no 'one way' to learn. All knowledge is good, irrespective of how you acquired it; everyone is different and has a different journey, and one route is no less valid than another. Certifications do not make you proficient in and of themselves, but then neither does tenure (work experience). When taking advice from people on this topic, always consider the source, i.e. don't take sweets/candy from strangers.

Finding your Cheerleader and Mentor

It's important to identify someone who is going to be your coach / sponsor / cheerleader within your role. This is a really important step, and it often happens organically when you demonstrate the right aptitude and attitude. If you're struggling to find this person, start with some self-reflection on your general approach. Are you proactive? Do you try first, THEN ask others for pointers on specific points or topics, or do you ask blindly for answers? If you're still struggling, don't be afraid to ask a senior colleague whether they would mind spending some time with you and giving you the benefit of their experience. It's important that you don't come across as inauthentic, so don't find the company 'rockstar' in your first week and ask 'will you be my mentor?' Demonstrate the right attitude and develop rapport with people first. Often you'll find that the best technical performer is not the best mentor, so build working relationships with a broader range of people and look for those willing to give up their time and (hard-fought) knowledge. This should happen organically if you work at a good company and exhibit the right behaviours.

How to Get Your Employer to Fund Training

Having run a few different teams, I'd hope my colleagues always found me very supportive of training and development. For me, this was always hugely important, for a couple of reasons. Firstly, I genuinely believe in developing people and in the onus on an employer to make that investment. Secondly, it's a good long-term business strategy. If you're like the majority of pen testers, in that you don't have an explicit annual training budget, you will need to build a strong case for the expense. In theory, your leadership team should be doing this on your behalf, but be mindful that they may not have done so, or may have tried and not succeeded. Don't go in all guns blazing with a list of demands.

To maximise your chances of success, you need to build a really strong business case alongside your personal goals. Remember that what you want is the outcome, not a win for your ego at the cost of the result. This is often where people go wrong: they focus on their own personal development and wants rather than considering the benefits to the business. I caveat this section with the statement: "this is not my personal approach or belief, but the common response / attitude you will find in money-making organisations". The harsh reality is that you are not entitled to expensive external training (unless you were smart enough to negotiate it into your contract when you joined). Smart / good employers will offer it, but a sense of entitlement in this area will rub people up the wrong way. If you're hitting frustration or blockers here, the best thing to do is approach it as you would a hacking challenge. If you can't get a shell on a job, you wouldn't complain that it's being unfair, would you? You'd look for the solution and put your ego aside. That's the best advice I can give you for your career as a pen tester: decide whether you want validation of what you feel is your righteousness or entitlement, or the end result you actually want. This is not about compromising ethics; it's about resetting expectations and engineering the best outcome for you within the industry. Hopefully, the following dos and don'ts will help you navigate this minefield.

Below are some of the common approaches that tend to fail, and why:

  • I haven’t had any training in ‘x’ months / years

This will likely come across to senior leadership as a moan. Think about whether you've previously requested training (if you feel you shouldn't have to, see the first paragraph of this section). If you haven't asked in 'x' years, you've probably ended up at the back of the queue behind more vocal team members. I'm not saying this is right, just that it's the common reality. The key thing is that this gripe doesn't address what you want and why; it's just an unmet expectation that your leaders may not share. Be forward looking: why should you get training now?

  • XYZ person got training…

Comparing yourself to others when negotiating on things like training, budget allocation or even salary is not a good way to go, and it will come across as immature to senior leaders. Don't focus on disparities in what you perceive as fairness; focus on what you want and why you should get it. You don't know other people's situations. This is not to say organisations shouldn't be fair and transparent; it could simply be that the other person got there first, built a good business case and didn't start the conversation with a complaint.

  • Acting entitled

This is all about expectation setting. If an organisation has promised you XYZ and then not delivered, that is unfair. There may be genuine reasons for it, but it is still a difficult pill to swallow. However, expecting that you should always get training and always be at the front of the queue is likely to annoy people and reduce your chances. Reflect on what it is you want and how you're going to get it, rather than on your perceived entitlement.

Create the Case

When building a case for training, think about the benefits to the business and put the focus of your request on those. Your line manager should help you with this, so speak to them first to lobby for support. I would suggest either a Word document outlining your case or a well laid out email. Questions you should proactively answer (in the form of clear justifications):

  • Is your role unique or high-end in a way that requires you to attain hard-to-acquire skills in order to deliver billable work?
  • Will this add a new capability to the team? If it's for a niche area such as ICS / SCADA, highlight that. New skills equal new service lines, which equals more revenue (money) for the business.
  • Does it come with a certification that is useful or valuable to the business? In the UK, certifications from CREST / Tigerscheme / Cyber Scheme give access to the Government CHECK scheme. More certified people means more options for clients, which means more sales wins / retained clients. More broadly, RfPs (how large businesses assess which providers they will use) often ask for certification counts (*rolls eyes*), such as how many OSCP/OSCE holders you have.
  • Are you suggesting the most logical, cost-effective option? Check whether the course can be done online rather than on site; perhaps if you wait a month, the SANS course being run abroad will be run locally. Demonstrate that you've considered multiple options and alternatives and that this is the best one. Factor in expected travel costs too. P&L holders (the leaders who hold the money and make decisions on spending it) like to feel they're spending optimally and getting a good deal. I find that offering three options works well, with the middle one being the one they are most likely to select, so build the request in a way that guides their decision-making.

Becoming a Manager (or Not)

One of the hardest decisions you may be confronted with in your career is whether or not to become a manager. As pen testing is a very technical discipline, there is a habit of promoting the best (or at least the most organised) testers into management positions. This is due to a lot of factors, such as poor leadership, a glass ceiling on technical positions, or few other options to retain top talent. The problem is usually compounded by a lack of training and support for new leaders, and by role models who themselves suffered a similarly janky transition to seniority.

To decide whether you want to go into leadership, consider why that is your goal. If it's because you want to be the boss, or just to get more money, you probably shouldn't start the journey. Those motivations come unstuck fast and can lead to responsibilities you don't want. If you want to learn about becoming a leader and feel your skills are better suited to it, it may be the best thing you ever did.

If you decide that you do want to become a manager, my advice is that if you see the opportunity, or you're offered it, take it. In our industry there aren't opportunities every week to lead pen testing teams, so you need to take the chance when it comes up. By the time you decide you're ready, there may not be an opportunity for you.

My next piece of advice is that as a leader, your boss becomes far more important to your ability to do your role, especially in lower / middle management. The right boss during your formative leadership experiences is key, so choose wisely and make this a big factor in your decision-making.

Another key mistake new leaders make is to think that now they're the 'boss', they've made it. You may know the job your team do and the industry in which you work, but you're back to school as a leader and it's important to treat it that way. Although it's a cliché, I would suggest reading broadly about leadership and remembering what you liked and didn't like about your bosses in the past. I'd describe my leadership style as a smattering of previous bosses, personal experience / quirks and 'stuff I've read', equally weighted. Personally, I like the concept of servant leadership and the idea that 'I work for the team' rather than 'the team work for me'. Avoid phrases like 'I'll get Dave to do that' or 'my team' that suggest some sort of ownership, power or control; it doesn't impress anyone. I've found that with managing pen testers, creating a sense of peer relationships works better than an autocratic leadership style. Your role is to set direction and ensure the well-being of your team; you want to create the best environment for them to operate within. Be their shield and their cheerleader.

Lawrence Munro

Information Security leader interested in Purple Teaming collaboration strategies, breaking silos and leading high performing teams. Former WW VP for SpiderLabs