Reality of The Job: Pentesting isn't Hacking, it's Consulting

I've decided to pivot what Comfortably Dumb is "for" whilst I've been away working on other projects.

There are plenty of fantastic articles out there breaking down what fancy new hack has been invented in a university lab somewhere. There are also plenty of wonderful technical write-ups on almost every possible vulnerability and common misconfiguration.

But that's not what I want to write about, and there's more than enough of them at this point.

I'm going to focus mainly on the cybersecurity/information security industry and tips for making a career. Less on the technical skills, Comfortably Dumb will be featuring more on soft skills and clearing up misconceptions that hold back new and inexperienced professionals.

Perception and Reality: Pentesting

I've worked in IT for a fair while now, and have been pentesting commercially for some time now also, In that time, I've noticed that there is a profound disconnect in the way that penetration testing/ethical hacking as a profession is portrayed in the media and the actual reality of the job. I also believe that this disconnect between perception and reality is one of the reasons why retention in the field is so difficult. People see behind the curtain and often are surprised by what they see.

Let me explain what I mean. Unsplash is the royalty-free photography service that I use for 90% of the images on this site - look at the first two pictures that come up when I type in the words "ethical hacker":

The third one was a cup of coffee next to a laptop. That one was accurate as hell.

But the stock imagery used to portray those who ply their trade in security vulnerabilities just doesn't match the reality of the work. Penetration testers (a term that I use interchangeably with "ethical hacker") aren't these shadowy hoodie-toting Mr. Robot wannabes - despite the portrayal on article after article, and on television features. They are 99% of the time closer to an auditor than they are a Mr.Robot style hacker. Their job is to audit a specific technology or network and consult based on the results - not as sexy when you put it that way, huh?

This mismatch then bleeds into the perception that prospective entrants into the industry have about the job and what it entails. Sold a false perception by job adverts that promise a career spent breaking into banks from the comfort of a Starbucks (or from home) and by adverts for training providers, I routinely get asked questions like:

"I've got no experience, but you guys make like £45k off the bat, right?"

"I'm not really interested in the business side of things, I just want to break stuff for a living!"

"I want to do this for a year or two, and then get into red teaming."

All of these are real questions I've been asked by various people.

Anybody who's actually done the job for more than about 45 seconds will be knowingly smiling and thinking "Oh, poor deluded summer child...." - this is the exact disconnect that I'm talking about. Those same professionals now knowingly smiling are doing do because they had the same realization - that the portrayal of the job is total bollocks, compared to what the job is.

This is a real problem in my opinion - people get drawn into the industry and pour hundreds of hours and pounds into training, chasing after the idea of a job that either doesn't exist or certainly isn't attainable straight off the bat.

Time for a little Mythbusting...

(had to give a shoutout to one of my favourite childhood TV shows - photo credit to Amazon Video)

So we've established that there's a bit of a gap between the way the job of penetration testing is portrayed and sold, and what the job is actually like. Let's go through some of the main misconceptions that I've encountered so far:

#1 - The money is INSANE. You'll be making £65k straight off the bat!

Thought we should start with the reason I suspect many people are clamouring to get into this field, despite their protestations to the contrary - the money.

Plenty of providers selling "Become a Cyber Security Expert" courses are hawking them based off the potential earnings, purporting that graduates of their training programs will be raking in £50-80k in their first year. Despite most of these numbers being total bollocks, there is a stubborn remaining perception that you will somehow enter this field earning a salary that is double or triple the UK median graduate wage (£25k as of 2020, according to GraduateJobs.com)

Apologies to burst anyone's bubble here, but that will absolutely not be happening. It might have been so a few years ago when the industry was so cripplingly short on personnel, that qualified personnel could ask for ridiculous money because there just wasn't anyone else around.

The economics of the entry-level penetration testing labour market have unfortunately changed since then. Penetration testing has been by far the most popular choice of first cybersecurity job for some time now and a rash of new entrants to the pentesting labour market has had the effect of depressing the equilibrium market wage for entry-level penetration testers significantly.

You're likely wondering "what the f**k is he talking about? Equilibrium was that movie with Christian Bale in it a few years back, right?" Correct, it was a bloody awesome film too!

But let's take a look visually at what I mean:

(Credit to www.economicshelp.org for the diagram)

This kind of graph is used a lot by economists to summarise how different moving parts in a given market (in this case, selling labour doing penetration tests for a wage) affect the market wage.

On the upward-pointing y-axis, you have wages.

They start from zero near the intersection and go as high as you want to measure. The higher you go on the upward line, the higher the wage.

On the horizontal x-axis, you have the quantity of labour.

Again, it starts from zero near the intersection and goes as high as you want to measure. The further you go on the horizontal line, the more people there are willing to do that job.

The two diagonal lines represent the supply of labour in the given market (entry-level penetration testing) and the demand for labour in that market.

Supply is marked S and demand is marked D.

You can see that the supply line points upwards - the higher the wage, the more people are available that are willing to do the job.

You can also see that the demand line points downwards - the higher the wage, the lower the number of people are demanded. Makes sense, right?

People want as much as money as they can, and companies want to pay out as little as they have to to get their labour.

Where those two lines cross over is what's known as market equilibrium - and is what most people are referring to when they refer to the "going market rate" for something. Notice that when you add more people in (increasing the supply, and moving the supply line right from S1 to S2), that the point where the S and D lines cross is lower? This indicates that the market has reached an equilibrium at a lower point - the market rate is lower now.

This is what I was referring to earlier when I said that the rush of new people coming in wanting to do the job has had the effect of depressing that intersection point, lowering the average market rate.

Graduates, armed forces leavers, bored ex-system administrators - everyone wants a piece. So why would an employer pay you £50k straight off the bat when they can hire someone equally as inexperienced as you that requires experience and training for £30k? The answer is, they won't anymore.

Entry-level penetration testing jobs (as well as being rarer than rocking horse shite) have dropped from their highs of £40-45k a few years back down to a more sensible market rate of around £27-30k for those without previous experience. Your mileage may vary based on previous IT experience, security clearance held and negotiating skill.

#2 - Who cares about the business stuff? I got into this job to break shit, not write reports!

Ah...this is my favourite one by far.

This is the most fundamental misunderstanding that I encounter over and over. Penetration testers, even those with a year or so under their belt always treat the client calls, the scoping and the reporting as necessary evils. Something that "comes with the territory, sadly".

If you're reading this, wanting desperately to become a penetration tester or ethical hacker, I implore you to get this next statement through your head and burned into the back of your eyelids:

When you are hired to be a penetration tester, you are not hired to be a hacker, you are hired to be a security consultant. Your job is not to demonstrate the extent of your skill and "own" the customer's network on every test, padding your own ego.

Your job is to provide a solid, replicable standard of security auditing of customer systems and present it to them in a way that helps them to make sense of what you find.

Without it, congratulations on producing the world's most expensive coaster - because it's as good as useless if you can't consult and report properly.

Your soft skills - dealing with non-technical stakeholders like salespeople and managers, translating what you find into understandable English with a minimum of technical jargon and convincing clients why they should care about what you found - are easily as important as your hard technical skills. As much energy and time need putting into their development as your mad l33t h4x0r skills. Otherwise, you're of very little use to a consultancy or a customer.

At the end of the day, your job as a penetration tester is not to pad your ego by thoroughly owning the customer as aggressively as possible.

It's to enlighten the customer to security vulnerabilities they previously might not have been aware of, in a format that the customer's IT team can make actionable changes from, and in a manner that senior management can understand and recognize the situation at hand.

Clarity in communication (spoken and written) are critical skills to excel at this job. Your job isn't to break shit, it's to provide insight in clear English.

Conclusions

Your first year of penetration testing will very likely consist of a lot of web application penetration testing and infrastructure assessments. All necessary to keep the proverbial sword sharp, and keeps the lights of any reputable consultancy on.

But yes, after the first 20 tests it does get dull. Really dull, sometimes. Especially when you've been scoped for 5 days to test a site with 4 pages on it and nothing to play around with. You'll quickly start to go "ugggggggggghhhh" when someone mentions that you're on another one the week after, and another one the week after that.

Sometimes, if it is a busy period or you're just unlucky. this situation can extend for months at a time. Testers routinely end up on their sixth or seventh very similar job on the trot thinking "is this what the actual job is?".

That's the reality of it. 90% of the job is this bread-and-butter work that keeps the lights on and keeps you busy. Take pride in it, and absolutely kill it on every single one. Write every report like it's for the Nobel Prize committee. Eventually, when the odd interesting or off-the-beaten-track job comes in - you'll be top of the list to get it as a consistently good and reliable security consultant.

With concerted hard work and constant expansion of your skillset - and consistent networking with peers and recruiters - you will inevitably achieve the salaries that attracted you in the first place. You will also be able to start picking your shots and angling for more interesting work as you progress. But it won't happen straight off the bat, it won't happen overnight, and it will take the kind of hard work and singular focus that most aren't willing to put in.

It's way more repetitive and dull than the adverts make it look, but that doesn't make the work any less important. Do it well, do it with pride and continue giving a f**k and you will succeed.

If that still sounds like the kind of work that you want to get into, at least now your eyes are open and you're doing it for the right reasons.

Best of luck, and happy hunting!