How to get a job with a pen-testing team.

It’s cold and gloomy outdoors. I’m feeling pretty faded (errr, jaded) right about now. I’m sure all you corporate hangers-on have seen the Big-whatever companies come in with their pen-testing or audit teams. Some of them call themselves pen-testing, some Tiger, some white-hat hacker, whatever. They should just state that they are inept p0sers. But, that gets me thinking (on just such a day) what it would take to get hired at one of these Big-whatever companies. So, without further ado:

Rule 1 – You can’t run Windows. Seriously, don’t even consider showing up to a Con|interview|class|etc with Windows. Even if you have to run a CD distro, or OpenBSD at runlevel 3, you must do it. You will be scoffed at and not taken seriously with a Windows machine. For bonus points, put con stickers or anti-microsoft stickers on the laptop. You get extra bonus points if you’re running a MAC. Just pull up Safari and browse over to slashdot. Yeah, you’re rolling hardcore now.

Rule 2 – You must have complete and utter disdain for any authority figure. You’re the rebel – the misunderstood creative genius. Act the part.

Rule 3 – You must be a coder of some sort (‘Hello world’ is sufficient). Ruby and Python are pretty cool right now. C is an old standard and always well respected. If you’re running one of those GUI APIs that really makes things much easier, STOP. It’s not cool. gcc or death.

Rule 4 – You’ll have to be a Goth, punk, or (less bonus points) a long-hair. You must dress and look the part. Yes, Dave Aitel showed up to Defcon wearing a shirt and tie…but, hey, he’s Dave. If you’re not Dave, you have to look like a meth junkie, sorry. There *are* bonus points for piercings and tattoos.

Rule 5 – On some elite mailing list, you must have gotten a wink (both ‘;)’ and ‘;-)’ are acceptable) from some security guru. !wink == !cool (incidentally, I just satisfied rule 3 – Go me!)

Rule 6 – You must have a ‘Niche skill’. Not only must you have the niche skill, you must talk about it a LOT. Certain skills are worth more than others, so I’ll do a quick rundown on which skills generate the most bonus points. If it’s not on this list, then it’s worth negative points and you should avoid it at all cost.

Reversing – Crank up IDA Pro, put on that “I’m so busy doing really, really important reversing that you dare not ask me any questions” look and watch those bonus points ROLL IN!

Writing exploits or shellcode – Still very cool. Try to be seen with either a .s file open (use vi editor, don’t make the mistake of using emacs or pico or, G-d forbid, a GUI editor) or gdb. In a crunch, you can have a .c file open, but don’t make it a habit. You’ll need to work on that “don’t bother me look”, lest someone ask you wtf you’re doing.

Fuzzing – Do NOT tell anyone that you use a commercial or open-source fuzzer. That’s like -500 bonus points. No, my friend, you write your own fuzzers. “Yeah, cuz like, SPIKE wasn’t doing enough pairwise-relationships between parameters so I had to like, write my own fuzzer that took advantage of like binary relations across multiple fields and stuff and like, I’d explain it to you but it’s really complicated and like …” ad infinitum.

TCP/IP Ninja – Really low on the spectrum. It used to be really cool but now, unless your name is Kaminsky, you’re not really getting much spin with this one. Maybe when people figure out that there are still bugs to be found at layers 2, 3, and 4 of the stack this will get some rejuvenation…but, until then, I don’t recommend this one.

Rule 7 – You must be the project owner of some arbitrary project… Have some pet project that you supposedly work on all hours of the night. Send out emails at all hours of the night (use cron if you have to) telling your boss that you have a great idea for some cool new reversing/fuzzing/exploiting-shellcode_generating-morphing-inline-tcp-ip-ninja-death-ray machine that you are working on. If they ever ask to see a working demo, take the coder’s moral high road (i.e. make up some reason why you are so elite that you dare not try the tool until you’ve tweaked out some bugs…or whatever).

Rule 8 – Coherent statements are not for you. That’s right, even if you have to go back and add in typos, do it. I should probably give a few examples.

Bad email – Good evening Mister Jones, I was just working on my project for that Death Ray auto-pen-testing machine and wondered if you had any feedback regarding how we would handle shellcode delivery across SCADA or process control networks. Further, as I am putting in so much time with this project, I may need to be a little late tomorrow morning.

Good email – hey. so, im rewrking the shellcode delivrey mechanism for teh scada and pc networks and if you had anyhthing to add before I commit thes to CVS then can you shoot me an email. I might be in late tomorrow depeending on how son I get thes bugs worked out.

That’s about it. Good luck, I’m sure I’ll be seeing you soon.


  • sunshine

    It will take me time to recover, damn, that was good! :)

    Two issues:
    1. SUIT? Dave’s name is now erased from my memory. I commit him to /dev/null until he takes that back.

    2. No Perl?

    3. What’s wrong with pico?!
    :o )

  • Anthony

    I laughed so hard, I *almost* cracked a rib. Excellent — though the truth is not too far off either…

  • aviram

    Great post, D!

    Here’s a couple more for your list:

    - Insist that your scanner is homemade (you did change the default nessus report format, right?)
    - Keep talking about your secret 0-dayz stash that you can’t talk about

  • Utena

    perl? Pico? Perl is so 4 years ago. And Pico is WAY too easy to use. If you can’t spout off how to navigate, search, erase lines, and correct typos in vi without using the arrow keys, you have no cred.

  • David Ulevitch

    “TCP/IP Ninja – Really low on the spectrum. It used to be really cool but now, unless your name is Kaminsky, you’re not really getting much spin with this one.”


  • dmitryc

    Heh. Aviram is right. Our uber-mensch (and frauleins) must have the ability to run selective sed commands (cat report.txt | sed 's/Nessus/Dmitry/g'). And, yes, I forgot about the infamous 0-day stash (how did I forget *THAT*?) :-)

  • Tom Ferris

    hahah damn that’s awesome. I haven’t had a good laugh like that in a long time.

    One thing you forgot to add is, make sure you dye your hair either blue or green. I hear that really does the trick.

  • damn!

    I can count almost all these steps as.. me!

  • dmitryc

    Oh SNAP! I just satisfied Rule 5 (see above, por favor) :-) I had also forgotten the ‘Complete disdain for the stack-based buffer overflow’ (otherwise known as the “I only bother writing heap overflows”) rule.

  • Vadim

    on the scale 1-10 it’s 11! :)

  • Arik

    Great! Me like.

    I think that there’s rule #0 that says that if you’ve been in jail for successfully hacking something you can ignore the rest of the rules, go everywhere with a suit and tie and not even carry a laptop with you ‘because of the parole conditions’ and still come up on top.

    – Arik

  • sunshine

    Erm, if you were in jail you are not that good of a hacker, are you now?

  • goretsky

    Err… isn’t one supposed to have a criminal record as part of their dark, illustrious past? As long as they don’t mention it was for parking tickets.

  • nocturnal

    Didn’t you forget the “hacker group”? I consider it common knowledge that all good hackers need a group of prepubescent, undereducated wannabe hackers worshiping your every step on this world because you know some programming language and how to use a disassembler. The main function of the hacker group is of course to boost your ever expanding ego because, and I think most of you agree with me, there is nothing like associating with idiots to make yourself look and feel smarter. :)

  • aviram

    Nocturnal, I believe you’re right. I’ll even add that if you can’t find yourself a bunch of groupies, just refer to yourself as “we” instead of “I” and claim you’re a part of a secret group of people.

  • StudMuffin

    Our CISO, who is definitely a suit, recommended this site. You guys are sooooo over.

  • itrelated

    Nice blog here! Keep up the good work!

  • Enno Lenze

    I did that 8 hours a day, 5 days a week and got a lot of money for it. Everyone in the company was proud to have such a cool “expert” in an office :)

  • ivan

    last but not least:
    - wear politically incorrect t-shirts with appropriate taglines or some cryptic hex numbers and/or ASM excerpts at all times:
    “I your warez”
    “My other computer is yours”
    “The internet is full, go away!”
    “Will hax0r for pr0n”
    “LeetCon 0x07CE: One byte to pwn’em all”
    Even old 2600 tshirts are stylish these days, but beware of the “Free Kevin!” ones, these are generally frowned upon and will yield negative points.

    Which brings me to the second missing rule:
    - you MUST refer to known infosec. “experts/gurus” on a first-name basis. Not only that but you also SHOULD demonstrate how you prove them wrong on a regular basis during your frequent peer-to-peer conversation at your favourite bar/strip club.
    “So Marcus and Bruce said that it was impossible to break out of the process’ address space and into the firewall’s containment module but I figured it all out after one night of coding. It all ended up with free beer for the entire crew at Wendy’s Sluthouse that Wednesday”
    “Yeah Kevin is kewl but he can’t hold his liquor”…you get the point

    If they ask you who are you talking about, just stare at them for 5-10 secs. and change the topic.

    Also avoid using MUST, SHOULD, SHALL (all uppercase) in emails or any written document, it is RFCish and too formal & old-school. It WILL have an adverse effect on your well-polished neo-anarchist image

    oops I blew my cover…argh!

  • ivan

    one addendum, one missing rule.
    Addendum to rule #4.
    Wear “politically incorrect” tshirts with net-jargon every day (you don’t know when you may be summoned to an urgent sales pitch meeting). T-shirts can include smart-ass witticisms, hacker conference memorabilia, cryptic hex numbers and/or portions of ASM or C code. Examples:
    “I you warez”, “The Internet is full, go away!”, “My other computer is yours”, “31337-CON 0x7CE: One byte to pwn’em all”, “Will hax0r for pr0n”, etc…. you get the general idea. Old 2600 tshirts are ok but beware of the “Free Kevin!” ones, these are frowned upon these days and will earn you negative points.
    The missing rule:
    -You MUST refer to well-known security personalities in your regular conversation. You MUST do so on a first-name basis. You SHOULD hint at the fact that you prove them wrong on a regular basis when you talk about the new “hot/secret/leet security techniques” with them at your favorite bar/strip club. Examples:

    “Yeah Bruce and Ron said it was infeasible but the code I wrote did it overnight”, “Not exploitable?… Marcus lost many beers over that at Wu’s Slutdrome last week”, “Yeah but Matt had the source code, I had to reverse engineer the whole mother…”

    If anybody asks you who is {Bruce|Ron|Marcus|Matt} just stare at him for 5 seconds and change topic.

    Finally, do not use all uppercase MUST, SHOULD, SHALL in emails or any online document you write. It is RFCish, out-of-style old school and will damage your carefully polished neo-anarchist image

    oops I think I broke this one…ahh well

  • David

    Take the other side of it:

    - you wear nicely pressed shirts, and can fire up Newt, besides that, you’re the master in copy-pasting the outputs into MS Word.
    - you have a goatee
    - if a network doesn’t have dhcp, you have problems configuring it
    - you get scared when a subnet’s octet doesn’t contain 0 or 255,
    - you start a blog and criticize everything and everybody, yet provide nothing useful
    - you gather vulnerabilities – and rate the about:alert… XSS vuln in IE a high risk
    - you think “tls” is some type of “mou” or “roi”
    - you love the sound of “mitigating risk factors”
    - you aim for all certifications that end in “P”, as long as they are not technical
    - every bug can be exploited “by sending a malicious specially crafted packet, it is possible to potentially compromise the entire network”.
    - you don’t know how to program
    - you get upset, because the weird looking nerds don’t consider HTML as a programming language
    - what you mean, there’s another linux besides fedora?
    - you are techie enough, your motorola phone runs linux.

  • hamid

    Yet more rules:

    #Use as many switches as possible, while using console applications.
    Nmap -T3 -sS -sV -O -r -v -F -P0 -o tmp -D,, -…

    #“Sorry, NDA does not permit me to leak more …”

    #grep the planet! yeah, use grep wherever possible. of course if you know the rule about NOT using windows. “FIND /N the planet” makes not much sense …

    nice blog btw :)

  • Nuno Treez

    Rule 69 – There are no women allowed in pen-test teams. That’s because there is no manual entry for woman.

  • Missy

    No women pen testers?!! Slightly unfair – yeah it’s a males world, but who says I am a lady?!!! Make way for us fem@les :>

  • RichardSW

    I think women make great penetration testers, but their specialty is in the social engineering aspect. An innocent-looking blonde with a nice smile can get her way through 3 layers of hardcore physical security, get someone in the datacenter to log her on with admin rights, and walk away with a new DVD containing their entire DB in 15 minutes or less.

  • jake

    true so true… most men are suckers for social engineering of beautiful blondes… especially if they play dumb but act interested in what I say… “ha I remember will bill said we wouldn’t need more than 640k”

  • cindy

    I’m going to get to work on my fuzzers/fuzies/whatever right now! thanks!

  • cindy

    Oh forget it – too hard. I’ll just buy one.

    “What does this button do?”

  • security war

    I am trying to be a good pentester

    and i will

    I am learning until i reach for all i want