
Penetration testing (and security assessments in general) has evolved a lot in the last decade or so. At the same time, the underlying expectations of the customers and businesses that hire the tester have changed as well. This has a lot of impact on a penetration tester's career.
What is this about?
This is about the other side of the fence: the non-pen-testing activities in a pen-testing company, why they are required, and where you (the pen-tester) fit in. I hope it helps you understand the big picture (if there is such a picture) better.
To be fair, I don't think I am the only one with these thoughts. Experienced pen-testers may already have seen all of this. However, I also think that a lot of other pen-testers and wannabe testers won't know about these things.
And, you need to know.
So, here they are.
The business will expect you to support it in non-pen-testing activities.
There will be customers who wouldn’t want you to become domain admin.
Reporting and soft skills are under-rated [in penetration tests].
You can pivot to these areas [from pen-testing].
I write at the intersection of pentest, auditing, risk management and career advice. I add context to the infosec risk. I help answer the question 'where is the risk?'