Re: Starting a Pen-Testing Career

"erewhon" <sminkypinky@xxxxxxxxxxx> writes:

2) What is an average day of work like for you?

As someone on the end of reading security audit reports, can you:

1 - write high-level management reports, with scare stories to generate more

2 - can you write down all the issues their own tech team tell you are
issues, and present this as your own work?

3 - can you state the bleeding obvious in an important-looking document -
'you need to patch your systems, have firewalls & IDS, do more monitoring,
QA your software, run up-to-date AV, limit admin accts, enforce password
policy, limit physical access, review security logs....'. (Since every firm
is always just one step behind in some area, you will always find an 'in').
If they are fully up-to-date and compliant, can you scare them with 0-day
exploits and more consultancy costs.

4 - can you steer someone else's cleverly written vulnerability scanner, and
produce reams of pdf reports which justifies your pointless exercise and
substantial contract fee


Sounds like you have contracted someone doing vulnerability scanning
vs actual ethical hacking.

But it's funny cus the market does have a lot of such crap out there.

Best Regards,
Todd H.