So you have a hard time finding a pen testing job

Usually, I post in German. This is the second exception to the rule, so maybe the rule has changed. Who knows?

Look, I don’t know you. I can’t tell you how to land that sweet pen testing job, or what to learn in order to land one. Everyone is different, everyone has their own experiences, and frankly: pen testing is not for everyone. So I’m in no position to tell you what your best course of action is.

What I can tell you, however, is this: there are factors that have nothing to do with you, and they will, at least in part, determine whether you will be able to get a pen testing job. Please note that I’m speculating about many aspects of this article, so my conclusions might be totally wrong, but I hope that you find the thought process interesting.

A hacker pentesting a system, as seen by an AI

For the sake of brevity I’m not distinguishing between red teaming and pen testing here. Infosec job descriptions vary greatly: one company might want a full adversary simulation, while another is looking for someone who can just monitor the attack surface. Both job offers might call this “pen testing” or “red teaming”. The job offer lingo is unclear, hence I’m settling on “pen testing” for this article.

Let’s start with the obvious:

There are not that many jobs.

I don’t have reliable numbers for you, but the blue to red job ratio is commonly estimated at around 15:1. That makes sense: most organizations need to secure their own systems, but few have an internal red team.

Even worse for outside applicants: pen testing positions are often treated as an internal career path. Let’s say you’re working in a SOC, doing blue team work and supporting internal stakeholders. Offering you a promotion into pen testing is a way to keep you at the organization. This also means that such a pen testing position is never advertised, so people outside the company can never apply for it.

It’s the economy right now!

That is a factor, no doubt. There are layoffs, and security teams are no exception. This makes it especially hard for new people to enter the field, since newly unemployed, experienced pen testers apply for the same open positions. This oversupply of qualified candidates allows employers to set the bar pretty high: think 5+ years of experience combined with OSCP/OSEP/CISSP/… certifications.

But even if the economy recovers: that does not mean that there will be more pen testing positions. In fact, I think that pen testing positions will be even rarer in the future.

But we need pen tests for compliance!

An increasing number of information security management systems (ISMS), cyber insurance policies and laws require regular pen tests. So there should be more pen testing positions, right?

Well, on one hand, the push for more regulation will strengthen the security posture of affected organizations. In addition, insurance companies are canceling cybersecurity policies because the risks have become unmanageable for them. So there is a case for investing in security, including pen testing engagements.

But on the other hand, regulations like the European NIS2 directive require organizations to assess the effectiveness of their security measures without specifying what such an assessment, or a pen testing engagement, actually looks like.

A hacker doing compliance, as seen by an AI

In recent years, pen testing and security assessments (as in: scanning and evaluating the results) have been converging. Many companies sell you a Nessus or Purple Knight scan for 5k EUR and call it a pen test. This is sufficient to fulfill the requirements of most regulatory frameworks, and organizations happily accept it.

In short: the increased demand for security assessments leads to more automation, not to more pen testing jobs. I find this problematic: the value of a pen test is a set of fresh eyes, an outsider’s perspective on your security controls, including the business logic and chained weaknesses that no signature-based check knows about. An automated vulnerability scan cannot deliver the same results.

Security assessment changes…

Pen testing roles have always changed, and information security priorities have always changed as well. Remember the uptime competitions from 15 years ago? Administrators were pushing back reboots[1], resulting in machines that had not had a kernel update for three years or more.

Back then, uptime was prioritized over patching, and that led to security incidents. So priorities changed, and we introduced pen testing as a way to verify that patches were actually applied. This also led to improvements in software development (for example, preventing SQL injection) and configuration (for example, disabling SMBv1 in Windows networks). Overall, security improved.

Today, we are taking automation even further by running security assessment tools (think Purple Knight) on a regular schedule. Assessment tools make it easy to understand the attack surface against industry best practices. They will not catch every vulnerability or logic flaw in an application, but they are cheap to run. And regular automated assessments show which machines need patching, which in the end reduces the attack surface.

At the end of the day, the blue team needs to patch, or developers need to implement bug fixes, to improve the security posture of an organization. Pen testing skills are useful and help identify security problems before attackers do. Ultimately, a pen test is just one step in this process. And if cheaper or easier tools are available, organizations will use them instead of employing pen testing staff.

So pen tests are useless now?

No! Not at all. As I wrote above: the point of a pen test is to get a fresh set of eyes and an objective evaluation of the attack surface. But the demand for “classic” pen tests is changing, and pen testing companies are changing as well. They now offer things like continuous pen testing as well as AppSec or DevSecOps consulting. Parts of a “traditional” pen test are now done regularly in-house by the blue team, such as running vulnerability scanners against the internal networks.

I think this is a challenge for people who want to go into pen testing. The roles are shifting, and you’ll increasingly see combinations of red and blue team scopes of work in one job role. Or pen testers get embedded into development teams, making sure that new products are designed with security in mind.

But why am I trying to get pen testing knowledge then?

Knowledge is never useless! I would argue that it is still very beneficial to your career. You should, however, keep in mind that the job role of a pen tester is changing. Employers will expect you to understand the bigger picture. For example, the PJPT exam requires you to write a report that details your findings in a way that supports the blue team’s effort to fix them. Similarly, doing bug bounties will be beneficial for a position in DevSecOps.

A hacker wearing a hoodie, as seen by an AI

Don’t be set on a pen testing job because you think it is cool. Be flexible, and find a way to use your pen testing knowledge for the greater good. And, let’s not forget: pen testing knowledge grants you the privilege to wear hoodies whenever you feel like it. That remains a perk, even if your pen tester role is no longer called “pen tester”.


  [1] And gaining bragging rights because of it.

Support

There is no advertising here, because I value my independence. I don’t write these texts to get rich, but I do like coffee. So if this text is worth a little something to you: here is the link to my coffee fund, many thanks!
