So, I bit the bullet. Here I am, with my selected articles, in the form of a newsletter. While this will be a weekly newsletter, all of my articles are available on my website. Subscribers on my website will get my articles immediately, as I publish them.
I am a top-down guy. I made a lot of mistakes. I learnt from them, and my website and this newsletter are a reflection of that.
I hope you like it. Not my mistakes, but the learnings.
The first edition is about things that no course on pen testing will teach. Well, maybe some (like reporting), but not all of them.
I was fortunate to work with extremely talented penetration testers. Here's what I learnt.
Penetration testing will be affected a lot by AI in the coming years. Run-of-the-mill testing will eventually be done by AI. I am sure it is learning from all those test cases, payloads, and reports that are available publicly.
The articles in this newsletter emphasise that a successful penetration testing career requires more than just technical prowess. It requires a business-minded approach, strong communication skills, and a willingness to contribute to the broader goals of the organisation.
Penetration testing is not just about technical skills. While technical expertise is crucial, it's only one piece of the puzzle. Businesses view penetration testers as part of a larger ecosystem, requiring them to contribute to non-technical aspects like marketing, sales, and project management. Supporting business functions beyond penetration testing is crucial for career growth. By understanding and contributing to other business functions, penetration testers can become more well-rounded professionals, improve their career prospects, and gain a better understanding of the industry as a whole.
Penetration testers are valuable assets but need to be profitable. Businesses operate on a profit-loss model. Just like jumbo jets are expensive when grounded, penetration testers need to be actively engaged in projects to justify their cost. This means contributing to activities beyond just penetration testing, such as mentoring, writing articles, or developing tools.
Understanding the bigger picture is essential. A successful penetration tester needs to understand the business context of their work, including client expectations, regulatory requirements, and the impact of their findings. This includes recognising that not all customers prioritise achieving domain admin status, and some may prioritise risk assessment over vulnerability identification.
Moving from 'vulnerability' to 'risk'. Clients are ultimately concerned with the risks associated with vulnerabilities, not just the vulnerabilities themselves. Penetration testers who can effectively assess and communicate risk provide more value to clients and are more likely to secure repeat business. This involves understanding and contributing to all stages of a security assessment project, from marketing and sales to reporting and project closure. This holistic approach leads to a more nuanced and effective service delivery.
So that's all for this week. See you next week with some more articles. Please consider subscribing to this newsletter. Being a member of my website will get you these articles as soon as I publish them.