A day in the life of a penetration and vulnerability tester

In a field as varied as cybersecurity, job overlap abounds. But certain roles have specific responsibilities that set them apart. 

The title “vulnerability and penetration tester” may be a long one, but we break it down with the help of Pluralsight’s own Cyber Threat Analyst, Ammon Rhodes. Let’s take a look at how this role differs from other cybersecurity positions and what skills you need to enter the fray.

Note: Throughout this blog post series, we refer to certain cybersecurity skill sets as "roles." We’ve done this to ensure we cover all security roles and align with the functions of the Cybersecurity Framework and  NICE Framework. Each organization may define these roles and responsibilities differently, and there can be many variations of specific title names. 

A vulnerability and penetration tester simulates cyber attacks and exploits cybersecurity weaknesses to find vulnerabilities before bad actors can take advantage of them. They share their reports and analyses with the team to fix issues and strengthen cyber defenses.

The short answer is yes. Here’s the long answer:

In penetration testing, or pen testing, a group of people (referred to as a red team) use ethical hacking methods and pretend to be bad actors. They simulate real-world cyber attacks against an organization’s system in order to find security weaknesses and vulnerabilities.

An internal team might perform penetration testing, but in most cases, a third party takes the lead. “Because I’m in it day in and day out, I can see some of the gaps more easily,” Ammon explains. “It's kind of an unfair advantage. You want more of a true result.”

While it may sound like a hacking free-for-all, that isn’t the case. “There’s a lot of red tape,” says Ammon. “It's a very structured event. You're not going to go in there and start breaking things.”

During vulnerability testing, or vulnerability scanning, an internal team looks at an organization’s web application and/or hardware, like a server stack or cloud environment. They complete scans and analyses to identify vulnerabilities, then provide reports and recommendations to fix any issues.

Like incident responders and SOC analysts, vulnerability and penetration testers never experience the exact same day twice. But they do perform certain activities on a regular basis:

Vulnerability scanning involves setting up a scanner to look at an organization’s internal network, servers, and web applications. A penetration tester may even use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to examine an application and find vulnerabilities. The SAST method involves scanning an application’s code to find weaknesses, while the DAST method involves scanning the application itself to identify vulnerabilities.

Threat intelligence means staying on top of trends to defend against the latest attacks. Penetration testers try to determine who the attacker is, what kind of attack they performed, and why they targeted a certain user or used a particular tool.

“We have automated tools that will go and scan things, but it may not be a true vulnerability,” Ammon says. “So sometimes I need to go in there and play hacker. I try to confirm that exploit by actually doing it in a controlled environment.”

For the most part, though, vulnerability and penetration testers spend their time setting up scans and analyzing them. “I'm doing a lot of poking around, kicking over rocks, trying to figure out where the holes are and what we can do to fix them,” says Ammon.

Curious about vulnerability and penetration testers? Check out our learning path to grow the skills you need to excel. 

If you want to become a successful vulnerability and penetration tester, what do you need to do?

Let’s start off with hard skills. “I got my undergrad and graduate degrees in information systems,” says Ammon. “It's a great path that may not be for everybody.” 

If you don’t hold a relevant degree, don’t worry! You can earn cybersecurity certifications that give you the necessary skill set and showcase your value to employers. The Certified Information Systems Security Professional (CISSP) certification proves that you have a solid cybersecurity foundation and hands-on experience. If you’re interested in a certification specific to penetration testing, check out the Offensive Security Certified Professional (OSCP) certification course to prove your ethical hacking skills. 

Ammon also recommends the Protective Technology with Pi-Hole course, which teaches you how to use a Raspberry Pi to block ads. “It’s a cool one for beginners because it teaches you some of the fundamentals about how computers talk to each other. You’ll learn about cookies and DNS (Domain Name System) security. It’s a fun little lab, and you can set it up in your home.”

Soft skills are just as important in cybersecurity roles, though. Vulnerability and penetration testers can face multiple threats at the same time. That’s why you need to know how to manage competing priorities and resolve the most dangerous threats first. 

Ammon stresses the importance of tying cyber threats back to business outcomes. “We might be spending millions and millions of dollars to protect something that doesn't need to be protected. Or we're not spending a lot of time, money, or effort on something that we really should be.”

Penetration testers need to follow strict protocols when attempting to hack a system. This makes documentation a valuable skill.  

“If you're a third-party penetration tester and you're trying to hack somebody else's stuff, document your process or your findings,” advises Ammon. “If you're not documenting what you're doing, you can get in big trouble if you don't have explicit permission to do something. It’s a good way to cover your own back.”

This is especially true for organizations that store sensitive data like medical records and credit card information. If anything goes wrong, you can point to your documentation, describe your approach, and explain how it aligns to company or regulatory policies.

As a penetration tester, you’ll need to deliver bad news. Ammon likens it to asking someone to clean their room. “You air all the dirty laundry. You see all the mess. You have to explain why good security is important, but you have to do it in a nice way. You want them to help you clean the room, not yell at you and walk away. Be friendly. Be willing to admit that you don't know everything, and that'll go a long way.”

Jumping into a new field or role can be daunting. Besides certification and prep courses, where do you start?

If you’re just starting out in cybersecurity, get any experience that you can. Working at a help desk, for example, can deepen your networking knowledge and help you grow soft skills along the way. 

“I got a job doing frontline phone support for people with broken websites,” says Ammon. “I'd help them fix their servers, their code, or whatever they needed to help with. And then I went from that to helping people within the company. You start getting exposure to computer terms or technologies, and you just build from there.”

If you want to gain hacking-focused experience, try your hand at KringleCon. “It's a yearly hackathon where even beginners can jump in and learn a lot,” says Ammon.

When in doubt, think like a hacker and work your way backwards. Start with the job you’d love to have and explore the tools people use in that role. Then, find tutorials and courses that will teach you how to use those tools. If you don’t have a specific job in mind, figure out the skill you want to learn and uncover what you need to get there.

If you want more insight into a hacker’s mind, Ammon recommends the podcast Darknet Diaries. “They talk about ridiculous stories of people who have been hacked or what people have found or done.”

When your computer isn’t working, you probably turn it off and turn it back on to see if that fixes the issue. We all know to do this, because we’ve all run into this sort of problem. It works the same way for vulnerability and penetration testers. 

A mistake as simple as a typo or incorrect capitalization can derail a piece of code. But if you’ve made a mistake, chances are someone else has made the same mistake before, even industry veterans. 

“You learn that everybody else is human and making the exact same mistakes,” says Ammon. “I didn't get into security at first because I was kind of afraid. I didn't want to be the dumb guy who didn't know how to stop some twelve-year-old hacker who’s way smarter than me. But don’t be afraid of it, because anybody can learn it.”