Re: Starting a Pen-Testing Career

2) What is an average day of work like for you?

As someone on the end of reading security audit reports, can you:

1 - write high-level management reports, with scare stories to generate more
work?

2 - can you write down all the issues their own tech team tell you are
issues, and present this as your own work?

3 - can you state the bleeding obvious in an important-looking document -
'you need to patch your systems, have firewalls & IDS, do more monitoring,
QA your software, run up-to-date AV, limit admin accts, enforce password
policy, limit physical access, review security logs....'. (Since every firm
is always just one step behind in some area, you will always find an 'in').
If they are fully up-to-date and compliant, can you scare them with 0-day
exploits and more consultancy costs?

4 - can you steer someone else's cleverly written vulnerability scanner, and
produce reams of pdf reports which justify your pointless exercise and
substantial contract fee?

If so, go work for a big audit firm and keep reselling the above and keep
creaming the profits, whilst knowing in your heart you've never written a
line of exploit code or had an original idea on security yourself.

erewhon
alt.hacker
