How to Become a Penetration Tester

After our recent hiring drive, we got a lot of questions from people wanting to know how they can improve their chances of breaking into cyber as a penetration tester.

How to Become a Penetration Tester

When it comes to applicants for entry-level penetration testers, we’re concentrating on three key aspects.

#0 - Play our Challenge

This one's specific to us but if you solve our CTF it demonstrates points #1 and #2 to some degree and separates you from the crowd.

Yes our CTF works, no it's not broken.

#1 - Demonstratable Eagerness to Learn

Claiming you're eager to learn isn't enough; you need to show it.

Talk is cheap, but actions are priceless.

Now more than ever, there's an abundance of both free and paid cybersecurity learning resources available - the options are endless. You don't have to wait until you've secured the job to start learning.

Given the vast amount of training material available, we particularly value practical learning experiences. Some examples could include:

  • A substantial Hack The Box (HTB) portfolio
  • Personal cybersecurity projects or cybersecurity research
  • Engagement and success in CTF competitions
  • Hands-on certifications like the BSCP, HTB CPTS, or even an attempt at the OSCP (acknowledging that the OSCP is expensive)

#2 - Strong IT Fundamentals

This leads us to the second crucial quality we seek in candidates: strong IT fundamentals.

We firmly believe that to effectively break something, one must, at least to some extent, understand how it works.

Yup, that’s about right…
by u/Missing_Space_Cadet in Kalilinux

This still cracks me up!

An IT or computer science bachelors degree is one way to brush up on these fundamentals.

Over and over we see candidates from who might not have the experience of writing a SQL query before attempting to exploit SQL injection vulnerabilities.

There are, however, alternative routes to acquiring these fundamental skills beyond a degree. Some ideas:

  • Developing a small web application can offer insights into data structures and Model-View-Controller (MVC) architectures
  • Setting up a homelab to experiment with complex networking and Type 0 Hypervisors can help you understand enterprise IT environments
  • Contributing to an open-source project can be a great way to learn about software development practices

Most importantly with these activities, whenever you encounter something unexpected or something you don't fully understand, take the time to research and grasp the underlying reasons/concepts and over time these activities can help you bridge those gaps in knowledge.

Closing

We hope this article has helped illustrate what we're seeking in candidates and inspires you to embark on your journey with more confidence.

If you're interested in future opportunities with us follows us on LinkedIn as we always post when we're hiring there.


Project Black is a CREST accredited Australian penetration testing firm.