Red Teaming
mrb3n, Nov 17, 2022
Learning how to become a penetration tester can be confusing.
You probably already know that a penetration tester (or pentester) is a cybersecurity professional who executes targeted, authorized attacks on IT infrastructure, applications, or forms of physical security to determine vulnerabilities.
But does that mean you need a cybersecurity degree or certification to get started? (Spoiler alert: you don’t.) And how do you know whether or not penetration testing is the right cybersecurity career for you?
If there’s one thing I’ve noticed after working with various IT/cybersec professionals, it’s that penetration testing isn’t for everyone. It takes a specific type of individual with certain character traits. (And no, using leetspeak isn’t one of them!)
In this guide, I’ll break down the practical steps for becoming a successful penetration tester. And based on my experience of hiring junior cybersecurity professionals, I’ll also share how you can carve out unique advantages that get you noticed by recruiters and set you apart from other candidates.
Suggested read: How to become a cloud security engineer. If you're looking for beginner-friendly, non-technical roles in cyber, bookmark our guide on career paths in cybersecurity.
A penetration tester's ultimate goal is to help uncover and recommend fixes for hidden flaws in digital or physical networks before “bad guys” or malicious attackers can exploit them. To serve this end goal, the daily tasks and activities a penetration tester will engage in include using technical/penetration testing tools to probe for security vulnerabilities, documenting processes and activities, and writing penetration testing reports about discovered insights for senior colleagues and clients.
More specific examples of a penetration tester’s daily activities include:
Conducting overall vulnerability assessments.
Scanning networks with a tool like Nmap.
Conducting an analysis of network structure and protocols with a tool like Wireshark.
Processing and reviewing large amounts of data or scouring file shares to look for passwords (I’ve spent entire days looking through file shares for login details).
Enumerating and attacking Active Directory environments and web applications.
Hunting for a foothold in a network, performing local privilege escalation, lateral movement, pivoting, and post-exploitation.
Communicating with clients and assisting senior managers and account holders with security debriefs and answering client questions; this could include sales calls or project kick-offs.
As a penetration tester or ethical hacker, you’ll spend plenty of time documenting your actions, liaising with customers, and reporting your activities and findings to internal and external stakeholders. In other words, executing commands in a terminal is only part (75 percent) of the job.
So to become a penetration tester, technical offensive security skills alone are not enough. You should also have (or consider building) good professional communication and soft skills. This means writing professional emails, being punctual, and delivering projects on time.
Some places that I worked for had a 24-hour client-response policy; if a client asked you a question, you were expected to respond within 24 hours. On live engagements, one organization’s policy even stated that we were to respond immediately or ASAP to clients.
Everything you need to become a pentester
Master complex concepts with free guided cybersecurity courses on the HTB Academy. (Student discounts are available.)
Prove that you have job-ready cybersecurity skills by taking the CPTS penetration testing certification (you’ll have example reports and pentests to share in interview assignments).
Show your investment in your skills development and earn CPE credits by solving Machines, Challenges, Endgames, and real-world cybersecurity labs.
A note on the ethics and legality of penetration testing:
I have “a friend of a friend” who found a major flaw in a big (Fortune 500) company. He, with good intentions, reported it to the organization and was consequently arrested and sent to prison. Why?
Because he committed a crime by pentesting the organization’s network without their explicit consent.
Penetration testers can land in legal trouble when they fail to operate within the scope of work outlined by a client, or when they hack a network without a contract or permission in place. This is illegal (and demonstrates the importance of logging your actions) and, as shown by the extreme example above, can result in serious legal consequences.
Err on the side of caution and test only when you have authorization. An example of this is being hired to conduct a test on a site with multiple domains. If your scope of work or contract states that you should only test one domain, you need to adhere to that stipulation.
Penetration testing is not an ideal career choice for everyone.
Before you invest time into learning the “dark art” and embarking on the journey to become a penetration tester, you need to know if it’s the right cybersecurity career for you.
Of course, there are no hard and fast rules to validate your suitability for the role. There are, however, common characteristics among penetration testers that I consider necessary to not only flourish in this field, but also genuinely enjoy the day-to-day work and environment. These qualities are:
Passion for problem-solving
Do you like a good challenge?
A college degree or recognized training certification certainly helps you acquire the knowledge, skills, and abilities required to work as a pentester, but a great hacker is a tenacious problem solver: one with the grit to dig deep into the root of a problem and creatively think outside the box.
While you can cultivate (and to an extent, exhibit) this problem-solving mindset through cybersecurity or penetration testing certifications, it’s important to honestly self-assess your passion and attitude toward solving unique technical problems.
Out-of-the-box creativity
To defend against an attacker, you need to think and act like one. This requires the ability to respect, but also think beyond routine practices like firewall reviews and scanning for known vulnerabilities. It means you should be able to approach a web application with no credentials and understand how to begin profiling it to plan your attacks, or approach an Active Directory environment and have the know-how to hunt for an initial foothold.
Cultivating this persistent creativity that’s critical to cybersecurity is why our CEO created Hack The Box:
As a former ethical hacker, I have learned new techniques from hands-on experience as well as taking part in, and winning, hacking competitions. I know that to be successful, you need to think outside of the box and develop a mindset rather than just a list of qualifications. But I also realized that there was a lack of training for these unique skills, so I created Hack The Box.
Haris Pylarinos, CEO, Hack The Box
Unquenchable curiosity and a love of learning
Okay, that’s two qualities, but in my defense, a love of learning and a curious nature go hand-in-hand. Almost all of the pentesters I know have both qualities in droves and for good reason: the world of cybersecurity moves fast.
New hardware, applications, concepts, and vulnerabilities constantly surface. And that’s the undeniable beauty of penetration testing or cybersecurity as a career path:
There’s always a scintillating subject to sink your teeth into and learn about.
After graduating with a dual bachelor's in Business Administration and Spanish, I worked for a small (20-employee) language translation company. When the designated IT manager was let go, I agreed to pick up his responsibilities, started studying IT, and basically became a one-man hybrid helpdesk/sysadmin team.
This helped me progress deeper into the world of cybersecurity and into other roles. I eventually performed and led technical security audits and penetration testing at PwC before moving on to a smaller firm where I focused on different types of penetration testing.
My journey into cybersecurity isn’t unique. Plenty of people have become penetration testers later on in their lives without educational or career backgrounds in cybersecurity:
Jeremy Chisamore was hit by layoffs and events outside his control and still carved out a career in cybersecurity, going from struggling poker player to Senior Penetration Tester at Oracle.
Chuck Woolson, a former United States Marine (who was interviewed by IppSec), changed careers in his 50s and became a Red Team Operator with little prior experience.
Josiah Beverton started off studying physics, but his passion for cybersecurity led him to become a professional penetration tester with experience in Blue and Red Team roles.
These success stories show that you don’t need a formal background in cybersecurity to succeed as a penetration tester. You need the right skills, mindset, and commitment to mastering the fundamentals.
As with entering any new field, the technical skills required for penetration testing will vary depending on the specific discipline you choose, current marketplace trends (driven by the threat landscape), and the position you’re aiming for. Someone looking to become a cybersecurity analyst, for example, will specialize in different skills in comparison to a penetration tester—one role is offensive security, and the other is defensive.
If you’re starting from scratch and you have zero technical knowledge whatsoever, set goals to learn:
Linux. Use our Linux commands cheat sheet to get started.
Windows.
Bash scripting.
A scripting language (I highly recommend Python because it is highly versatile, relatively easy to learn, and can be used for a wide variety of penetration testing activities, e.g. writing or customizing exploits and tools).
If you’re a mere mortal, like me, you won’t internalize all this new information overnight. So give yourself enough time to develop a firm grasp of the fundamentals. How long should you spend learning the fundamentals of pentesting before getting certifications and applying for jobs?
It really depends on the time you have available to study. But as general “best practice” advice, I would say spend at least six to eight months on the fundamentals: perhaps two months for each skill (Networking, Linux, Windows, and Python) to build a strong foundation. This realistic approach, combined with guided cybersecurity courses and practical cybersecurity exercises, means you’ll hit the ground running and enjoy your transition into the world of cybersecurity.
(A scan of the open ports on a network, executed on a live practice target via our Academy's in-browser tool, Pwnbox.)
It’s worth stressing that learning the Linux operating system and the fundamentals of networking is pivotal; they’re two of the most essential skills to possess as a penetration tester because you’ll repeatedly rely on them in real-world scenarios.
If you’re an experienced IT professional or you’re a developer who wants to upskill in cybersecurity, you have a different journey. You’ll still need to master the fundamentals that a beginner is required to learn, but you have the advantage of existing skills and expertise.
Experience as a sysadmin or network technician, for example, builds a great foundation for becoming a penetration tester because you’ll be familiar with Active Directory environments and common account misconfigurations and exploits. Web developers, on the other hand, will have a strong knowledge of secure coding and web applications, so a web app pentesting role is certainly within reach.
Map your existing skills and experiences to the skills required for penetration testing. Then, dissect your knowledge gaps and look for opportunities to move closer to cybersecurity or penetration testing roles.
After building a strong foundation of theoretical knowledge and practical cybersecurity skills, pursue a certification that proves your competence in offensive cybersecurity.
Technically, a certification isn’t a strict requirement for becoming a penetration tester. But when you start reaching out to recruiters and applying to junior penetration testing roles, it’ll tip the odds in your favor by proving your competence and getting your resume past automated screening systems that look for certain requirements, such as a specific certification.
Prioritize skills development when deciding which cybersecurity certification to take. As Robert Theisen, a former cybersecurity professor (and HTB content creator), states in his post on choosing a cybersecurity or penetration testing certification, the value of a certification or degree is based on the practical skills that you gain from it. You should also consider:
Whether or not the certification prepares you for real-world engagements and penetration tests.
The price of the certification, how long you’ll have access to training content, and renewal costs.
How well-recognized the certification provider’s brand is amongst recruiters and security professionals.
There are many cybersecurity certifications one can take:
Certified Ethical Hacker (CEH)
CompTIA PenTest+
GIAC Penetration Tester (GPEN)
GIAC Web Application Penetration Tester (GWAPT)
Offensive Security Certified Professional (OSCP)
Certified Penetration Testing Specialist (CPTS)
Call me biased, but I’d recommend Hack The Box’s CPTS certification because it:
Focuses on turning you into a complete job-ready penetration tester. To pass the exam, you’ll receive a letter of engagement (just like you would from a real client) and will have to submit a penetration testing report based on your assessment of real-world Active Directory networks hosted on HTB’s infrastructure. This will be reviewed by an examiner (who will also offer personalized feedback on your performance).
Emphasizes both practical skills and fundamental knowledge. Combined with the penetration testing job path on the HTB Academy, you’ll have exploited more than 250 realistic targets and attacked 9 different corporate-level networks (ranging from a shipping freight company to a robotics tech company). This is in stark contrast to other certifications that are CTF-style (somewhat unrealistic) in nature and are primarily based on repeating established common vulnerabilities and exposures (CVEs), and as a result fail to cultivate the persistence and creativity required for real-world hacking.
Offers great value for money. For less than $500/year, you get lifetime access to content that’s continually updated based on the ever-changing cybersecurity landscape (MITRE ATT&CK and NIST aligned), and a certification that prepares you for the real world of pentesting and sets you apart from other candidates.
The ultimate pentesting certification
Accelerate your cybersecurity career with the HTB CPTS: The cost-effective, hands-on penetration testing certification that’s valued by employers, prepares you for real-world environments, and gets you job-ready.
If you chose your certification wisely, you’ll have some practical experience in enumerating, navigating, and identifying vulnerabilities in real-world environments by the time you reach this stage. Again, these skills are vital to becoming a penetration tester, and they’re now easier than ever to acquire.
(When I started learning how to hack, there were no affordable hosted lab environments. There were free resources available where you had to download a vulnerable machine and hack it, such as the Vulnhub platform that released machines and walkthroughs periodically for a number of years. While these were useful to get started, they did not simulate a corporate network. It was difficult to get experience in a realistic environment unless you could build a small Active Directory network yourself to experiment with.)
So if you don’t have access already, use penetration testing labs to simulate practice in real-world corporate environments. Acquiring lab experience is effective for learning and for interviews because it elevates your confidence in your practical skills. You’ll have the ability to speak authoritatively about things you’ve actually done.
Combine that with a certification that shows your theoretical knowledge, practical skills, and reporting/communication skills, and you have an advantage over most candidates competing for any entry-level offensive cybersecurity job.
You can find cybersecurity jobs on general sites like LinkedIn or Indeed. But if you’re looking for an extra edge, Hack The Box’s cybersecurity job program is tailor-made to meet the needs of cybersecurity professionals who are looking for jobs, and recruiters who are searching for candidates with practical skills.
Once you reach the Pro Hacker rank, we’ll (with your permission) share your public profile with recruiters. This will connect you to jobs and recruiters who value your practical experience. It’s a great way to accelerate your job search and “show” your skills before you “tell” recruiters about them.
If you’re a current HTB member, all you need to do is enable the “Available for Hire” option under the Careers section. Although not mandatory, I’d recommend enabling it because you’ll receive up-to-date opportunities from some of the best companies worldwide. (Companies like Synack, PwC, and ExpressVPN use HTB to hire talent.)
Recommended resource: Cybersecurity job interview prep: A guide to hacking interviews
What will a cybersecurity recruiter find when they Google your name?
Googling candidates was a common practice when I used to hire penetration testers. Candidates with an online presence, even a small one, stood out to me as a hiring manager because their efforts:
Provided evidence that they were continuously learning
Showed the desire to improve and passion for the field
These qualities are extremely valuable in any cybersecurity candidate.
Now, do you need to become the next IppSec or NetworkChuck? Of course not. But if you want to stand out in a competitive marketplace, these three practical ideas will help:
Get involved in events and activities
Play capture the flag hacking events (CTFs) and Hack The Box labs to show that you’re committed to continuously upskilling and are up to speed on the latest and greatest in cybersecurity. You don’t have to play every single CTF or HTB machine, but do enough to prove your investment in continuous cybersecurity training.
Create content
Create content about the lessons you’ve learned or projects you’ve completed and post them on Medium or your own blog. This could be video content, write-ups, blogs, tutorials, etc. A portfolio of content is a fantastic asset for landing your first penetration testing job. If you’re more advanced, you could create a GitHub account with some scripts, labs, and video content.
Show off your reporting skills
Learn how to do reporting before you actually have to report anything. Juniors with solid reporting skills are a rare sight. That’s why submitting a sample report during an interview will certainly help you stand out from the pack.
If you’re enrolled in the CPTS certification, you can use the sample report from the exam process as part of your portfolio.
(Summary page of the penetration testing rules of engagement template in our CPTS certification. Even if students hack everything successfully, they'll still need to professionally fill in the rest of this report template to pass the exam.)
Acting on these bonus ideas isn’t strictly necessary to become a penetration tester, but I highly recommend them. I’ve interviewed many cybersecurity professionals whose skills didn’t match the abilities claimed in their CVs and applications. By doing any of the above, you’ll demonstrate practical skills, a deep desire to learn, and dedication to the craft; you’d be a hard candidate to turn away!
According to sites like Glassdoor and PayScale, an entry-level penetration tester with approximately one year of experience can expect to earn a salary between $60,000-$70,000. Once you become more experienced (5-10 years in the field), this can go up to $100,000 and beyond, depending on where you live. From what I’ve observed, the best ways to level up your income and career are to:
Invest in learning new skills
Choose a specialty within penetration testing
Improve your soft skills (i.e. reporting, writing)
Improve your people and management skills
You now know enough to become a penetration tester. Spending more time learning about getting started won't do you any favors. It's time to put in the work and take your first step!
Author bio: Ben Rollin (mrb3n), Head of Training Development, Hack The Box
Ben Rollin has over 13 years of information security consulting experience focusing on technical IT audits, risk assessments, web application security assessments, and network penetration testing against large enterprise environments. He has a strong interest in Active Directory security and focuses time on research in this area as well as remaining current with the latest tactics, techniques, and procedures (TTPs). Ben has a bachelor's degree in Business Administration, as well as several industry certifications including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Offensive Security Certified Expert (OSCE), and Offensive Security Certified Professional (OSCP). Feel free to connect with him on LinkedIn.