A day in the life of our penetration testers

Written by Emma Dockerill, Marketing Executive

23/09/2021

A Q&A session with our pen testers

Our team of penetration testers arguably have the most interesting and exciting roles within the business, or perhaps, in the world. From robbing banks to breaking and entering, pen testing isn’t your typical desk job. So we’ve asked them to share some of their most interesting stories to really give you career envy!

Let’s see what we can find out about a day in the life of a pen tester:

What are some of the more interesting projects you have worked on?

Gillian

Penetration testing is about thinking on your feet. When I arrived at a site test that wasn’t intended to be a red team exercise, I was presented with an easy way in, so I took the opportunity to highlight this weakness! Before you knew it, I was standing in the office of my contact and connected to their internet. It was fun to see their confused and disappointed look as I greeted them into their own office.

Jordan

It’s quite a thrill to find a really critical weakness. I once performed an external infrastructure assessment and found a login screen to a service I had not seen before. I was able to extract the password and log in to find the main administration panel - which controlled the physical machinery for all of the client’s factories. It even had a big red off switch!

Kieran

I love chaining simple vulnerabilities together to achieve a significant impact. I was once on a job for a bank in Europe where we managed to chain a number of simple problems together to transfer funds out of a targeted account. We were literally able to rob a bank! Things like that really make you love your job.

Karolis

I’ve worked on a ‘vishing’ job where we called and convinced the head of HR to open a malicious CV as part of a job application. We researched what vacancies they had and tailored our script accordingly to convince her to open the bogus CV attachment. Easy win for us!


What’s your best/worst security story?

Jason

After discovering outrageous issues during a penetration test, the company had to make drastic changes to avoid potential dissolution. This included letting someone go who could have caused severe financial, legal and reputational consequences for the business. Security really is that critical to the success of a business, so ensure you and your staff understand the risks before it’s too late.

Gillian

My favourite story is when I found a very critical system that the IT department didn’t even know existed. I walked across the whole site to find it, and it turned out to be a very outdated server plugged in, in the corner of an old printer room. It was a system that could have easily taken down the whole network.

Kieran

During an internal infrastructure test we found evidence that the customer had actually already been compromised. Although alarmed at first, the customer went on to invest far more heavily in their internal security and monitoring moving forward, so it worked out for the better!


If you could fix a security bug overnight across the world, what would it be?

Gillian

It would be user awareness. We are moving at a very quick pace towards more secure systems, and while there will always be new bugs and exploits, the easiest way into a company is through its employees.

Jordan

It’s a tough one, but one that takes minimum effort yet delivers maximum effect would be to stop people using default credentials. It is so easy to bypass default credentials that you may as well not even be using a password.

Karolis

To continue from what Jordan has said, I would say the enforcement of complex passwords. Businesses often employ security best practices but don’t make users secure their accounts properly. Vast security efforts can be completely sidestepped by an attacker if they compromise an account with a weak password.


What’s your favourite pen test type and why?

Jason

I like to work on a blend of everything really as it gives me the opportunity to constantly learn new technologies and exploitation tactics.

James

I find web apps the most enjoyable. Firstly, because web apps are so ubiquitous now that they are found in all sorts of applications. Secondly, because this is my largest skillset so I get to try many more avenues of investigation during testing.

Karolis

Web apps are also my favourite. I enjoy identifying attack vectors and they give a better opportunity to chain insignificant vulnerabilities together to achieve one bigger impact!

Kieran

I personally enjoy infrastructure-type testing. It’s far more tangible than web app testing, and untangling permissions can be like working on a puzzle.


What’s the most rewarding/challenging part of your job?

James

It really makes my job rewarding when a customer takes a retest and there is evidence that they have taken on board the remediation advice offered in the original test, and their environment is noticeably more secure. It means it was a job well done.

Jordan

One of the most challenging aspects is the amount of new and complex technologies we are exposed to, which we must research in depth in order to understand the mechanics of how they work and how they could be exploited by malicious actors. Learning new things is rewarding though, and keeps every day in my job exciting.

Kieran

The most rewarding aspect of the role is working with customers who are pro-active about their security. It’s great when a customer ‘gets it’ and they’re excited about interesting vulnerabilities that we’ve discovered.


Can you describe being a pen tester at Bulletproof in 3 words?

James

Great team effort.

Jordan

Super talented team.

Karolis

Every day is different.

Kieran

The team rocks.

How can you become a penetration tester?

If you have an interest in technology and want to bring positive changes to businesses and their security, then penetration testing could be the career for you. A Bachelor’s degree in Computer Science or similar is a typical entry point, and there are now even Ethical Hacking courses you can undertake. You can also elevate yourself with diplomas and certifications such as CREST or Tigerscheme, as well as hands-on experience working with apps and networks.

Penetration testing is a fun and rewarding job. Our team is made up of people of all levels and skillsets, from graduates to senior pen testers and team leaders. Each of them brings their own flair to the team and enables us to deliver varied and thorough tests for our customers. In a role that can be both challenging and rewarding, the team are driven by their mission to help businesses stay secure. With new technologies and attack methods arising, penetration testing provides a constant learning opportunity, but the team are always ready to deliver.


Our experts are the ones to trust when it comes to your cyber security

  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
