I’m Not A Pentester (And You Might Not Want To Be One Either)
Hi all! So, this is going to be a different type of post. I’ve tried to stay a little off the radar personally with my blogs and Twitter account for a lot of reasons. It’s not hard to find out who I am. I have links to my Twitter account and this blog on my LinkedIn (I know, it’s a gross place), but I don’t flash it around.
I don’t know if I’ve ever said this before on my blog (I definitely have on Twitter), but I’m not a pentester. Even though security is extremely interesting to me, it’s not my day job. I worked as a pentester for a very short time before leaving the position. Why did I leave? I’ll get into that later.
I haven’t been doing security stuff for very long. I think the first time I git cloned something was back in 2018. I didn’t get my OSCP until 2020 and I failed twice. I work as a Linux admin and I have for the majority of my time in IT. Prior to working in IT I was in the US Armed Services (not doing IT). So all of this was, and still is, very new to me.
I’m not a good programmer or even that great with Linux. I still have to man page most of my job. I’m constantly saying why doesn’t this work “chmod web.txt 777”. Oh yeah, the file path comes after the permissions.
Why am I talking about this? Well, because even though I don’t work in security full time, I still get to play around with malware dev, attack paths and other cool stuff. I just don’t get paid for it. The thing is, I’m also not accountable for it.
Five years ago, when I started all of this, I really wanted to work in security. Like, really wanted to work in it. Be careful what you wish for. I am not a pentester and here is what I wish somebody would have told me before I tried to be one.
The Job Market
Oh my God, there are 3 million cybersecurity jobs out there that haven’t been filled! We’ve all heard it.
Take a look at where these stats are coming from. A lot of times, it is coming from an organization that does what? Offers cyber security training! Weird huh?
We’ve also heard the debate on what an entry level job in cyber is.
“They want 5 years experience and an OSCP for an entry level position!”
Here’s the truth. There are ways that you can get an entry level position in pentesting. Like a true entry level position. But you have to have some experience. Entry level doesn’t mean no experience. It means some experience. And that’s not on HackTheBox or TryHackMe. Web devs, sys admins or .Net programmers have an excellent chance of getting scooped into an internal team. This would be a lateral movement with a company that the candidate is already established in.
Don’t have your OSCP or whatever cert is the hotness right now? Want to get into pentesting? You probably need a CS degree and you’ll have to pivot into a paid gig off an internship.
The days of getting your OSCP and instantly having an interview at EY are long, long gone.
Get in good with a team and transition over to security. The team is going to know your strengths and weaknesses so they wont’ be annoyed or feel duped that they hired somebody who can’t code the new PoolParty POC in Nim.
Also, most people in security have egos and feel the need to inject their technical dominance onto everybody online. It will be different talking in person to a mid level operator that can talk to a hiring manager on your behalf.
Since we’re on the subject of the job market. It’s 2024. Have you seen the layoffs? But how are people starving for talented cyber people when every tech firm is laying people off?
The job market is HOT for cyber people, but cyber people that have 10 years experience as a web app pentester, client facing consulting experience, CVEs and have given talks at conferences. They won’t have a problem finding a home.
The market is not hot for people that turn off Real Time Protection to run their MSF payload.
The market is also hot for web app people. Why? Because if you’re worth a shit at web apps you’re doing bug bounty and making 4–5 times what a consulting firm is willing to offer.
Full disclosure I was offered 120k to be a web app person. I didn’t take it. I make way more as a sys admin.
I’m not aware of the global job market, this is just what I’ve seen in the US. It could be different in other countries. I talk to a lot of people in the EU so they seem to have some openings. But who knows. I do know that pentesters in the UK make far less than they do in the US.
On a side note, have you noticed how many “training” sites there are now? It’s almost like people are making more money teaching hacking than actually doing it. Everytime I turn around I see a new EDR evasion, Malware Dev, REAL HACKER training course popping up. Strange huh?
Consulting
So, you want to be a pentester? Think you’re going to sit down at your Kali box and start psexec-ing to DA? Okay. Have you ever done a kickoff meeting? Have you ever been dragged into a sales call? Have you ever been expected to bring in clients?
Welcome to the consulting world. The majority of pentesting jobs you’ll find are in the consulting world. The dirty, grimy world of consulting is a hell hole that pentesters find themselves in with no foreseeable way out.
At some firms, the security comes secondary to the money. How much is the client paying? That determines the level of effort. I believe turn and burn was a phrase I heard.
I was actually told once “they aren’t paying that much money so just do whatever.” Sounds legit right?
A lot of times you’ll come away from an engagement with the client having paid 20k to be told to turn off LLMNR.
This is the world where a client pays 15k for a wireless pentest and the operator runs Wifite, doesn’t get a handshake and walks away. Sounds great, right?
Are all consulting firms like this? No, certainly not. There are some really good ones out there that actually take the time to work with their clients and secure their networks over months, even years.
Know what you’re getting into if you’re interviewing at a consulting firm. Ask them about billable hours, how many operators are on each engagement, what the reporting requirements are, etc. Also ask them about research, training and development time. How do they treat this?
Obviously, if you’re not on a client engagement you’re not just sitting around watching Netflix, but what are you doing? Are you editing other people’s reports, developing internal TTPs? Or do you go from one client to another with no downtime?
What happens when you get stuck on an engagement? You know something is exploitable, but you can’t figure it out? This happened to me a lot, but the firm didn’t want to bill another operator against the client so nobody would even take a look at my attack. The client suffered.
Internal teams are always better. There is usually not as much reporting and if there is a report, it can be tackled by the entire team. Or if the team is high speed enough, a staff technical writer!
Junior pentesters need to understand how they look to consulting firms. In the world of business, if you’re not bringing money into the company, you’re costing the company money. Pentesters don’t bring in money, sales people do.
Pentesters are the company’s product. They sell the pentester to a client for a specified amount of time. If you go over that time, you don’t cost the client more money, you cost the company more money.
As a pentester, you’re interchangeable with somebody that has just as much skill, but comes at a lower price. And in this job market, there are a lot of highly skilled operators desperate to make their mortgage after Rapid7 gave them the boot. Think they won’t take a job for 90k so they don’t get their house repossessed? Yeah, okay.
Unfortunately, because of the rise of offensive security training, there are more “hackers” out there than ever. Junior or even mid level pentesters will find it extremely hard to find a gig right now and probably for the foreseeable future. My prediction is that it will only get harder and we’ll see people with cyber certs trying to make their way into other IT fields like cloud, system administration, or web app dev.
The Salary
Think you’re going to make 150k? Think again. Senior level pentesters will make really good money. When I was a pentester, I made 120k. It was 5k less than I was making as a sys admin at the time, but I took the job because I wanted to be in security.
Yes, you read that right. I took a pay cut to get into security.
If you get an offer it will be between 85 and 120k. That is the truth. Might sound decent, but you can make more money as an Azure admin. When I transitioned from security back to sys admin I made 40k more. I didn’t have to deal with reports, clients, or billable hours.
I have told this to several security people through DMs and have had a few say they were seriously thinking of getting out of security because they were working more than 40 hours a week and not making very much money.
When I was working as a pentester, I did 60–65 hour weeks. I felt as if it were silently expected as did other people on the team. This is the reality. You will not work a 9–5. Security will be your life. When you’re not on an engagement you will be expected to go through the new hot course to level up.
You will be expected to get the latest OffSec cert, develop novel AMSI bypasses, whatever. And this is all after-hours. Ever notice how many US based security people Tweet after midnight? Ever notice how many US based security people tend to be working on a Saturday afternoon?
The Skills
Can you program in C, C#, python, perl, ruby, nim and rust? Can you script in bash, perl, Powershell, and VBscript? Yeah, me neither. For a lot of pentesting firms, you will need to know programming. They will even give you a programming challenge (maybe 2).
Is programming really necessary for pentesting? Kind of depends. You should understand the basics of programming, especially WinAPIs in C# and C. Will you be expected to analyze an exploit and rewrite it if necessary? Yes, you will be. No matter what the exploit is coded in.
Pentesters are expected to be experts in everything from .Net programming to Cisco switch configurations to Java deserialization. What BitLocker bypasses do you know? Have you ever set up a rogue AP? Do you know how to set DMARC and SPF for phishing?
Here’s something. Have you ever set up infrastructure to do war-dialing? This was an actual task I was given. If you don’t know what that is, look it up. It’s something they did in the 80s and I was asked to do it in 2021.
These are just the technical skills. When you get to the soft skills there are also a plethora of things that will be expected of you. How about holding your tongue when trying to explain to a CISO that your implant being detected and causing a deconfliction is an expected behavior?
When it comes to skills, you will be expected to either know it by heart, or be able to learn it in about 30 minutes. Quick! What’s the syntax to running secretsdump.py?
The Engagements
Here’s something that nobody would tell you when you’re getting into security. All that cool shit you learned in your OffSec labs or even did on your own, you probably won’t be able to actually do it.
Say good-bye to Powershell based attacks. They weren’t allowed when I was a pentester. Why? Because it “might” get detected. That whole training that I did based on PowerSploit? Had to find a different way.
Here’s another thing, got a dope implant? Think you’re going to drop EXEs on a target? Think again. I wasn’t allowed to drop anything to disk when I was a pentester. Why? Because I “might” forget about them and also because they “might” get detected.
How about that BYVOD AV killer? Haha. Okay. You really think your manager is going to let you kill AV on a client target? Not going to happen. I changed a registry key to turn on RDP for lateral movement to a SQL server once and everybody had a meltdown.
Obviously there are tactics that real APTs could use that would be destructive to a client’s environment so the line between adversary emulation and adversary action moves back and forth depending on your TTPs.
In some instances it would be acceptable to change a parameter of a scheduled task to get remote code execution. In other cases, you could really break something.
For instance, some firms will do simulated ransomware attacks to a segmented client network. But if you’re pentesting a prod environment, you do want to be careful of what you change.
What I’m saying is you’re not going to be able to go full auto on client networks. Many people getting into pentesting don’t understand this and think what they did on their CRTO exam will cut the mustard. Your firm will be restrictive, way more restrictive than you might think.
The Reality Of EDR
Another thing that people don’t consider is the reality of EDR. EDR, SIEM, whatever you want to call it, is getting much more prevalent in client networks.
Behavior based detections will take over within the next 10 years due to AI. Getting past these defenses is only going to get harder. Will there always be a way? Sure, but whether the industry wants to admit it or not, a lot of companies will start dumping yearly or quarterly pentests after operators stop finding ways to get in.
Imagine paying a firm 40k for a red team engagement just to get told that the operators couldn’t jump off their initial entry box (which the client provided). CISOs are executives. They want to see value. And a 40 thousand dollar Nessus scan doesn’t offer a whole lot. In fact, being told that the operator couldn’t jump off the box is even more reason to dump the pentests.
This goes back to the recent layoffs in the industry. Think I’m wrong? That’s fine. Maybe I am. Just my 2 cents.
I Get It
Look, I get it. We all want to get paid to pwn. The problem is that the business of hacking is much different than OffSec Proving Grounds or HackTheBox Certified Whatever networks.
If hacking is your dream, go for it! Just be ready for what it’s going to take. I’m not trying to be discouraging to junior or even mid pentesters. But if I had known what it was going to be like in the real world of hacking, I probably would have just stayed a sys admin and gone for my RedHat Certified Engineer cert (a work in progress for the last 5 years!).
If you’re interested in web apps, bug bounty is getting extremely competitive, but you’re still your own boss and many people specialize in 2–3 attacks (XSS, Injection, ect).
And with that, I leave you to it! Go drop an EXE to disk on a client network for me!