Becoming a Penetration Tester: The Ins and Outs With an In-market Pentester of 12 Years
Dive into our interview with Ben, a TryHackMe Content Engineer with 12 years of experience in Penetration Testing. Learn the ins and outs of the industry and how to break into it.
The TryHackMe team is comprised of over 40 experts in cyber security with decades of experience in the industry. Today we’re chatting with our very own Ben, a TryHackMe Content Engineer who has been hands-on with the creation of our brand new Red Team Pathway, and training labs such as Lateral Movement and Pivoting, Windows Local Persistence, Windows Privilege Escalation, and Bypassing UAC. (Yes, he’s a legend!) Ben has 12 years of penetration testing experience, so we’ve fired a whole bunch of questions at him about his experience in the industry. Let’s get into it!
How did you first get into penetration testing, and why did it appeal to you?
My first job in pentesting was pretty much a coincidence. I graduated with a BSc in Telecommunications and was oriented towards working in networking positions, but after reading about working in cyber security I just went for it - it ended up being a natural fit, and I’m so glad I did.
The main driver behind the decision was the idea of hackers being able to breach systems seemingly by magic (at least as presented by movies like Hackers). While there isn't magic actually happening in hacking, I enjoy the constant challenges you are put through as a Pentester, where you have to quickly learn and adapt to the environment you are working in and be creative about the ways you gain access to systems throughout the network. No matter how long you have been working, there's something new to be learnt in Pentesting every day.
What sort of roles and responsibilities have you had as a pentester over the past 12 years?
My first job was as a Cyber Security Analyst, being in charge of scanning the server infrastructure of an ISP for vulnerabilities and making sure the people in IT correctly patched them. I had to provide technical support in finding and applying the best solution to each vulnerability and was in charge of investigating security incidents for clients.
This provided an excellent understanding of the different technologies in a typical network setup and allowed me to migrate to pentesting in the same enterprise with a clear understanding of servers and network communication devices. As a pentester, my job was mostly focused on proactively finding vulnerabilities for either the ISP or specific clients requesting the service themselves. This included vulnerabilities in the network infrastructure, as well as in web applications.
After that, I co-founded a couple of start-ups dedicated to cyber security. In both of them, I led the technical team during security assessments, including pentests and red team assessments. Here I had the opportunity to work primarily for financial institutions and analyse several banking applications, perform advanced phishing campaign simulations, and perform some physical intrusion tests.
Share some of your pentesting stories with us! Has anything unexpected come up over your time in the role?
For a specific financial institution, we were checking the mobile banking application and couldn't find anything critical after days. After almost giving up on it, we tried transferring a negative amount of money, which resulted in us being able to do reverse transfers from any account back to ours!
Is continuous learning important in a career as a penetration tester?
It is essential. What you learned a couple of years ago will probably not be enough today. As technology evolves, so do the attack vectors you can use to subvert it. While some fundamentals will always serve as a foundation for any pentester, keeping up with the latest exploits, alongside recent threats and techniques, is also a must.
Platforms like TryHackMe provide an easy way to experiment with new techniques and exploits in a quick and controlled way without having to implement your own lab from scratch. In that way, you can experiment first-hand with new techniques in a couple of clicks. It also serves as a great knowledge base where you can go back if you need a refresher on specific subjects. The challenges provide a nice way to keep your creativity active, forcing you to think out of the box to get the flags.
Check out the Junior Penetration Tester, Offensive Pentesting, and new, advanced Red Teaming training to upskill.
How does your real-world experience come into play when you create TryHackMe training rooms?
Real-world experience allows me to understand what is relevant to a real pentester in the field, making the training great for those who are just entering or upskilling in the industry. It also enables me to build more meaningful rooms by providing some background context as to where you'd expect to use a particular technique, or what conditions would need to be met in a real environment for an attack vector to be applicable. By providing labs that resemble real life, the rooms also become much more interesting for the final users.
What would you say to other people who are considering a career as a penetration tester?
There are so many subjects to learn within pentesting and red teaming, so it may seem overwhelming when you start. TryHackMe has pathways that are a natural progression into red teaming and a guide to what you need to know, but also don’t be afraid to build your own path! Feel free to choose the training you find interesting and learn as much as you can about those topics. Even those who have years in the field still learn something new daily.
To kickstart your red teaming journey, check out the TryHackMe offensive security pathways:
- Junior Penetration Tester - Learn fundamental, practical skills to kickstart your red team learning journey.
- Offensive Pentesting - Take the next step up and acquire the skills needed to achieve certification status. Learn about industry-utilised penetration testing tools and attain techniques to become a successful Penetration Tester.
- Red Teaming - Level up with more advanced topics and understand how to execute adversary attack emulations as a Red Team Operator.
TryHackMe is running a red teamer month throughout September 2022. Take part in our Red Team training to win tickets you can exchange for over $21,000 (£18,000) worth of prizes!
Thank you so much Ben for your insight! You can follow Ben’s journey here on LinkedIn.