So You Wanna Be a Pen Tester? 3 Paths To Consider (Updated)

Tips for Entering the Penetration Testing Field

By Ed Skoudis

It’s an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I’m frequently asked about how someone can land their first job in the field after they’ve acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I’ve counseled a lot of my friends and acquaintances as they’ve moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let’s zoom into three of the most promising. It’s worth noting that these three paths aren’t mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Path A: General Enterprise Security Practitioner Moving to Penetration Testing

First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today, you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours in helping out, without getting a break from your “regular” job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you’ll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly in the heart of penetration testing work.

Path B: Working for a Company or Division that Focuses on Penetration Testing

There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.

Path C: Going Out on Your Own

If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you’ve built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.

Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you’ve created. You see, to excel in pen testing, you can’t think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.

Additional SANS Penetration Testing Resources

Watch: WEBCAST – So, You Wanna Be a Pen Tester?


Available Now!
Recorded: 6/19/2108


Upcoming SANS Pen Test Webcasts:

Pen Test Cheat Sheets:

SANS Pen Test Posters:

Build your Skills (Free):

SANS Penetration Testing Webcasts (YouTube):

SANS Pen Test Training:


Upcoming SANS Special Event – 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Pen Test Hackfest Talks – Some GREAT Reads

A couple weeks ago, we held our annual SANS Pen Test Hackfest, a really wonderful event where we run 3 nights of NetWars challenges, 1 night of CyberCity missions, Coin-a-palooza (where attendees can earn SANS Pen Test Coins for classes they’ve taken before), and much more.  This year, we even went on a field trip to the National Cryptologic Museum, where we enjoyed my wife’s fresh-baked cookies, an ice cream sundae station, and an open bar.  Yes… at the museum, which was chock-full of cryptographic treasures including Enigma machines and more.  The museum trip was incredible, sharing such amazing history with over one hundred great friends.

But, the single best part of the SANS Hackfest is the great speakers who share incredibly useful tips, techniques, strategies, and utterly awesome knowledge with attendees.  The whole goal here is to help us all do more powerful, technically in-depth, and business-valuable pen testing.  Our presenters this year really knocked my socks off, and I think you’ll enjoy checking out their advice in their presentations included below.  I’m deeply grateful to each and every one of them.

Here are the slide decks from each of the presenters… they are all fantastic.  In fact, if you want to just download a big ol’ ZIP file with all the talks in it, click here.  The featured talks included:

Some of the audience favorites among this highly esteemed group of talks are:

Many thanks to our presenters for their fantastic work.

It took us 12 months to plan the 2014 Hackfest.  We’re now diving in to plan the 2015 Hackfest, and we’ve got some really amazing ideas for it to make it EVEN better.  It’ll be in the DC area in early November 2015.  I do hope you’ll consider joining us for something really special next time around.


–Ed Skoudis
SANS Fellow, Instructor, & Pen Test Curriculum Lead
Founder, Counter Hack Challenges

How Not to Fail at a Pen Test: Slides and Stream

Earlier this week, John Strand presented a fantastic webcast that was chock full of pen test tips.  This post contains the slides as well as a link to the streaming slides and webcast audio.

Here’s the description of the talk:

In this presentation, John and Ed will cover some key components that many penetration tests lack, including why it is important to get caught, why it is important to learn from real attackers, and how to gain access to organizations without sending a single exploit.

One of my favorite slides in the presentation is John’s concluding Code of Ethics.  Click on the image below to download all of John’s slides.

If you’d like to hear the full audio stream, you can access it here.  Click on the link, login to your free SANS Portal account, and you can see and hear the stream.

On a directly related note, we’ll be running an exciting SANS Pen Test Hackfest event in Washington DC November 13-20, throwing in pretty much everything we have to make for a fun and exciting event, including an evening of missions in CyberCity, 3 nights of NetWars, and chance to earn up to four SANS Pen Test challenge coins.  Click the image below for details on this nifty event.

Thank you!
–Ed Skoudis.


Demanding MOAR From Your Vulnerability Assessments and Pen Tests – Slides and Link

A few weeks ago, I did a presentation on Demanding MOAR from Your Vulnerability Assessments & Pen Tests.  I’d like to share the slides with you now.  The presentation is full of tips, some easy and others more complex, for providing extra value in vuln assessment and pen test work.

Here’s the official description of the talk:

You pay good money for your vulnerability assessments and penetration tests, right? But are you getting real business value from these projects? Do you ever get the sense that your assessors and pen testers are just phoning it in, checking off boxes, and not really properly helping you improve your security stance? In this lively presentation, Ed Skoudis will provide hugely valuable tips for getting the maximum business value out of your vulnerability assessments and pen tests. With specific recommendations for people procuring such projects as well as for testers themselves, this webcast is chock full of insights for effective scoping, best-of-breed methodologies, potent communications, and just plain getting the most vuln assessment and pen test bang for your buck.

Here is the slide deck, which you can flip through at your own pace.

Or, if you prefer, here’s a link to the streaming audio and slides, if you’d like to hear me presenting it.  To see and hear it, click on the link at the right, sign in to your free SANS portal account, and you’ll get access to the stream.

Hope you find it fun and useful!

–Ed Skoudis.
SANS Institute Fellow
SANS Penetration Testing Curriculum Lead
Founder, Counter Hack  


Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage

Josh Wright and I presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:

  • Exploiting and automating data harvesting from iOS devices
  • Extracting stored secrets from iTunes backups
  • Effective Anti Virus evasion with Veil
  • Windows host compromise and privilege escalation, along with UAC bypass

The slides below cover all the tools and techniques for doing all that great stuff, and more.

The SANS SEC 561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to get powerful results in every one of their projects. This innovative course uses the SANS NetWars system to help hammer home lessons in a fun and interactive way to foster in-depth knowledge and capability development.

Take a look at the webcast slides by clicking on the title slide below.  Or, if you’d like to hear the sonorous voice of Mr. Josh Wright himself (along with me), click here for the full webcast:

Have fun!

–Ed Skoudis

p.s.: If you want to build your skills to get ready for SEC561, you should definitely check out my SANS SEC560 course on Network Pen Testing.  I’m really looking forward to teaching 560 in March in Baltimore, April in Orlando, and May/June online via vLive.  For the follow-on course, SEC561, SANS will offer it next in Orlando in April.  You should check ’em both out.

DerbyCon Keynote Presentation – Kinetic Pwnage

by Ed Skoudis

This morning, I had the honor of presenting at DerbyCon.  My talk focused on the ability to cause physical impact through hacking computers and networks.  I call it “Kinetic Pwnage”.  The slides are available below, and the talk touches on several themes of the recent work my team and I have focused on, including CyberCity, a miniature city with a real power grid and other computer controlled components used to build capabilities of cyber warriors.

By the way, right after the talk, lotsa people asked me how they could do CyberCity missions.  If you are interested in participating in CyberCity missions hands-on, we’ll be running our first ever CyberCity missions at a public conference event during the SANS Pen Test Hackfest Summit & Training event, in Washington DC on November 7-14.  If you take a full six-day class there, you can join us for one whole evening of CyberCity missions hands-on, plus four evenings devoted to NetWars.  Oh, and we’ll be giving away a bunch of SANS Pen Test Coins to people who do well in NetWars.  Check out that event  here.

Download the DerbyCon keynote slides by clicking on the title slide below.

–Ed Skoudis.


The Bad Guys Are Winning, So Now What? Slides

By Ed Skoudis

Below are the slides for my talk called “The Bad Guys Are Winning, So Now What?”  It’s my most requested talk ever.

In my job, I write two or three new presentations per year, and deliver each of them two or three times at various conferences before retiring the talk and moving onto another topic.  My butterfly attention span doesn’t let me stay on a particular topic for longer than that.  In the past year, I’ve written talks titled “Please Keep Your Brain Juice Off My Enigma” (Debuted at SANS in Sept 2012 and posted here), “Unleashing the Dogs of Cyber War” (Debuted at BruCON in Sept 2012), and “Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World” (Debuted at SOURCE Boston in April 2013 a week and a half ago).

But, of all the talks I’ve ever written, there is one that I get more requests for than ever: my talk titled “The Bad Guys Are Winning, So Now What”.  I originally wrote the talk a couple of years ago, and have updated it a dozen times since then.  Maybe it is the straight-forward title, or the topic matter, or something else, but I have been invited to deliver this specific talk dozens of times in two years.  I enjoy presenting it, so I have continued to offer it where people have asked.  I’ve delivered it for commercial customers, civilian government agencies, and several military groups.  I’d like to release the final version of the slides below.  Please do check them out here: Bad Guys Are Winning 1Q13.

The first half of the talk sets up and underscores this central thesis:

A sufficiently determined, but not necessarily well funded bad guy can break into pretty much any organization.

We talk about why that is so, discussing concepts like increasing attack surface with wireless and webification, increasing assymetries, failing to learn lessons, and more.

The second half of the talk is the “So Now What?” part.  I split things into three groups: Pen Testers / Red Teamers, Enterprise Defenders, and the Military, with specific observations and recommendations for each.  My pointed conclusions are:

  • For pen testers: You should make sure your scope is a realistic view of the attack surface, and try to almost always get in.
  • For defenders: Consider re-appropriating some of your defensive resources into finding out where you’ve already gotten owned, and eradicating that.  Otherwise, you are depending on bad guys’ being nice to you.
  • For the military: Cyber space will become increasingly militarized, as we continue to deploy systems with more vulnerabilities holding highly sensitive information and controlling critical infrastructures.

It was with this talk that I first became comfortable with thinking of myself as primarily focused on offense.  Before pulling together my ideas for it, I had tried to balance my life and skills between defense and offense.  After this talk, I realized that I had nothing to fear by embracing my offensive side.  In fact, the last line I say when delivering this presentation is “So, I guess a subtitle of this talk could be How I learned to stop worrying, and love the Hack!

–Ed Skoudis.
SANS Instructor
Founder, Counter Hack

Invasion of the Mobile Phone Snatchers – Part 1

[Editor’s Note: Last Friday, Josh Wright did an awesome webcast on how penetration testers can extract sensitive information from mobile devices during an ethical hacking project, simulating what could happen if a bad guy snags a device and uses it to gather info to attack an organization.  Josh provides some commentary as well as his slides below.  These slides are a sampling of Josh’s brand-new 575 course on Mobile Device Security and Ethical Hacking.  I have to say — the new course is completely amazing!  It gives folks the knowledge they need to help protect their organizations against the onslaught of new mobile devices popping up everywhere — iPhones, iPads, Android devices, RIM Blackberries, and Windows Phone are all covered.  The course is selling out wherever SANS offers it, usually a month or two in advance.   Course details are available here. –Ed.]

by Josh Wright

Last week I had the opportunity to deliver my webcast “Invasion of the Mobile Phone Snatchers (Part 1)”.  Inspired from the famous movie “Invasion of the Body Snatchers”, we looked at the threat of lost of stolen mobile devices, and the ability for an attacker to extract information from a recovered device.

Mobile devices store tremendous amounts of information, a lot of which is valuable to an adversary.  Stored passwords are an obvious target, but even beyond passwords there is a lot of interesting content stored with locally installed applications, web browser cache, search history from apps and even the user dictionary content containing all the keywords you type into SMS, email, web browser search and other applications.  If your smart phone is anything like mine, the user dictionary is an autobiography of where you go and what you do, representing a substantial privacy threat if lost.

I was at my optometrist yesterday, and the patient next to me pulled out his iPad and unlocked it with the passcode “0000”.  Turns out he was a US Government employee, and we had a nice chat about the very limited security he gets with such a simple PIN.  Even with a more complex PIN, an attacker can quickly leverage platform weaknesses in Apple iOS and BlackBerry to bypass the authentication without trigger device wipe policies from failed login attempts.

Check out my presentation content (downloadable here) for more information on how an attacker can leverage a stolen device to extract information, bypassing authentication requirements on the platform.  I also make some recommendations for organizations on how to mitigate these attacks through device management systems and organizational policy and procedures, an essential task for any organization deploying mobile devices.


[Josh will be teaching his SANS Security 575 course at SANS FIRE in Washington DC in July to a sold-out room.  The next course offering is in Virginia Beach in late August, and then at SANS Network Security in Las Vegas starting September 17.  You really should check it out!

Also, this webcast is the first in a trilogy Josh is offering to help folks test and secure there mobile environments.  The second webcast in the trilogy will be June 29 (covering mobile device malware), and the third (explicitly addressing the topic of mobile device penetration testing) will be on July 19.  I’m really looking forward to these new webcasts, where Josh will build on the ideas of this session with additional tools and tips.  Please mark your calendars and register now!  –Ed.]



Presentation: PowerShell for Pen Testers

[Editor’s Note: Tim “My Shell Makes Your Shell Cry Like a Little Baby” Medin did a presentation at SANS Orlando called “PowerShell for Pen Testers”.  It’s really good.  It starts out with an overview of PowerShell for the uninitiated, and then quickly jumps to some really effective use cases of PowerShell for penetration testers and ethical hackers.  Wanna know how to do a port scan, ping sweep, and file transfer, using only PowerShell with no extra installs?  Tim covers it.  He also provides tips for post-exploitation on Windows boxes, and goes further by addressing PowerCLI for VMware as well as some tricks for Exchange servers.  He’s even sprinkled in some tips and techniques that are useful in incident handling and digital forensics.  Well played, Jake! –Ed.]

By Tim Medin

Download the presentation here.

By the way, if you are interested in penetration testing, as well as all things Tim Medin, you’ll definitely want to know that Tim will be teaching the SANS 560 Network Penetration Testing and Ethical Hacking course in Dallas, Texas from June 18th to 23rd.  It’s going to be a rollicking good time, and will include extra hands-on exercises through a series of cool bootcamp sessions.  Get more details here.



SANS Keynote Preso: Put Your Game Face On

By Ed Skoudis

Last night, I presented a new talk at a keynote session for the SANS Cyber Defense Initiative conference.  My goodness, was I excited, as the topic is something that has been very near and dear to my heart for the past 15 years.  The talk was all about how info sec professionals can use challenges to develop their skills and careers, including Capture the Flag games, as well as a whole bunch of other challenge types.  We touched on topics such as gamification, challenge designs, and a sampling of some really great free challenges available to everyone on the Internet.  Here is a slide from the talk discussing some of the stuff we’re thinking about and working on at Counter Hack Challenges:

Here is the overall description of the talk:

Put Your Game Face On: Using InfoSec Challenges to Build Your Skills and Career
– Ed Skoudis, SANS Institute Fellow
There are a multitude of info sec challenges available today, letting info sec pros evaluate and build their skills in a fun and exciting way.
Going beyond traditional lecture and exercise-based learning, some challenges are fantastic, while other sadly stink up the place. Some focus on tried-and-true formats such as Capture the Flag hacking competitions, while others push the envelope in structure, topic, and style, providing fertile environments for forensics experts, auditors, and secure software developers. What makes for a good challenge? What are some of the best ones freely available today? How can info sec pros use challenges to better their skills and improve their careers? In this lively presentation, Ed Skoudis, no stranger to playing or writing info sec challenges, will address these topics and more in a fun, interactive session. Whether you are interested in being a challenge participant who gets real value, or want to start authoring your own challenges, you won’t want to miss this session!

Feel free to download my slides here (Put Your Game Face On), and please make sure to check out the last 5 slides or so, where I provide an inventory of available free Capture the Flag and other info sec challenges available on the Internet.

Last night was the debut of the talk.  I’ll be presenting updated versions of it again at SANS New Orleans Jan 19-24 and SANS Orlando March 25-30.  W00t!