By: Cybrary Staff
August 18, 2022
A Deep Dive into the Penetration Tester Cybersecurity Role
Do you want to be a penetration tester but don't know where to begin? Or maybe you're not sure what a penetration tester actually does. Penetration testing, also known as ethical hacking, is the authorized process of finding and exploiting security flaws in an organization's internal systems and external-facing applications so that the real impact of those flaws can be demonstrated and fixed.
During our monthly role dive webinar series, we examine a specific role on a security team and explore what it takes to be successful and thrive in that role. This month, we spoke with Phillip Wylie, a penetration tester, instructor, keynote speaker, and published author, about what it's like to be a pentester.
How Phillip Started His Career in Cybersecurity
Phillip started his IT and cybersecurity career back in 1997 as a system administrator. He was doing AutoCAD drafting for a living and thought what the system administrators were doing looked like a lot more fun! So, he taught himself computers and took a Novell network operating system course to get started.
He worked as a system administrator for about six and a half years and has kept exploring the field and his interests ever since. After studying for and passing the CISSP exam and attending various security conferences, Phil moved onto a network security team. That shift let him work on application security and vulnerability scanning, and he also managed some of the third-party web application pen tests the team had performed. That is where his interest in pen testing began.
This led him to take various ethical hacking classes, become a certified ethical hacker, and land his first penetration tester job at Verizon. The rest, as they say, is history!
What advice do you have for those who want to enter the cybersecurity field and become a pentester?
Phillip: "To be successful, find one of those areas that you really like, because if you’re passionate about something, you’re going to work harder to learn it.
Make sure it’s something you want to do, and go to some conferences and watch virtual talks online to look at the different areas.
If pen testing is what you want to do, then you need to start learning the basics. If you’re already working in IT, you could probably start training, but you need to have the networking basics and some web app basics, and understand how web applications work as well as the different operating systems. You have to understand the technology before you can defend it or break into it."
What technical skills do you need to become a pentester? Does a pentester need to know any coding languages?
Phillip: "You don’t need it starting out, but to progress in your career, it’s a good thing to know. However, don’t let it hold you back. Don’t let too many of the prerequisites stop you from learning.
Python is a good language to learn, and you can learn it along the way. At least something simple like Python or Golang is a good language for pen testers, and understanding how to code will help you reverse engineer stuff. So if you find an Android APK file, you can reverse engineer it and maybe find some credentials or information on how to connect to a database or some important information like that."
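As an added example of the APK credential hunt Phillip describes (this is editor-supplied code, not Phillip's or Cybrary's), the script below treats an APK as what it is, a zip archive, walks every entry, and runs a few secret-shaped regexes over the raw bytes: JDBC connection strings, `password=` assignments, and AWS access key IDs. The sample APK is constructed in memory with fabricated contents (the `AKIAIOSFODNN7EXAMPLE` key is AWS's published placeholder), so it runs offline. In a real engagement you would decompile with apktool or jadx first; a byte scan like this is only a first pass and will miss strings that are obfuscated or assembled at runtime.

```python
import io
import re
import zipfile

# Illustrative patterns for the kinds of secrets that turn up in shipped APKs:
# database connection strings, hard-coded passwords, and cloud API keys.
# Bytes regexes are used so binary entries such as classes.dex can be scanned too.
SECRET_PATTERNS = {
    "jdbc_url": re.compile(rb"jdbc:[a-z]+://[^\s\"'<]+"),
    "password_assignment": re.compile(rb"(?i)pass(?:word)?\s*[=:]\s*[\"']?([^\s\"'<]{4,})"),
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
}


def scan_apk(apk_bytes: bytes):
    """Return (entry name, pattern name, matched text) for every hit in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info.filename)
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(data):
                    findings.append((info.filename, name, match.group(0).decode("latin-1")))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: same zip layout, fabricated contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        z.writestr(
            "res/values/strings.xml",
            '<resources><string name="db_url">jdbc:mysql://db.example.internal:3306/app</string></resources>',
        )
        z.writestr("assets/config.properties", "db.user=app\ndb.password=Summer2022!\n")
        # Fake DEX header plus a literal: real string tables are binary, but a
        # plain ASCII key still shows up in a byte scan.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16 + b"AKIAIOSFODNN7EXAMPLE" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind}: {value}")
```

Against the constructed archive the scan reports three findings: the JDBC URL in `strings.xml`, the password in `config.properties`, and the access key ID inside `classes.dex`. Point `scan_apk` at the bytes of a real APK to use it as-is; extending `SECRET_PATTERNS` is the usual next step.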
What skills do people need in order to upskill? What are some things you see that pentesters need to keep learning?
Phillip: "You always need to keep ahead and keep up with the technology, because the tough thing about being a security professional, whether you’re a pentester or a defender, is that technology is rapidly evolving.
One skill that is good to know now is cloud. If you’re getting started, a lot of our applications and infrastructure are cloud-based or hybrid, so learning cloud is definitely a good skill.
Even if you’re not going to be a web app pentester, knowing web app pen testing is helpful because sometimes the only way to get a foothold in an environment may be through a web application.
When you’re just starting, if you know a little bit of everything, it’s going to help you."
What tips would you give to those looking to get a pen testing role and what should they include on their resumes?
Phillip: "One of the things that I would do is make sure that you’re including everything in the education section that you’re doing. Mention any CTFs that you’re working on. If you’re in college and you’ve done CCDC, mention that in there.
Overall, let people know what you’re working on! Some people only put skills that they have work experience with, but you can also list skills that you’ve gained through education.
If someone sees that you’re putting in all of this time to learn, it’s going to help your chances."
What are some of the pros and cons of a pen tester career?
Phillip: "Some of the cons are the hours that you have to keep. A lot of companies want pen testing done after hours because they’re worried about disruption to production, so that’s one of the downsides.
If you don’t like report writing, you may not like writing pen testing reports.
But as far as the pros go, if you like puzzles, if you like to be challenged, if you like to tear things apart and figure out how it works, it’s probably a role for you. If you like a good challenge, it’s a good place to be."
Did you take the traditional schooling route to study pen testing or did you learn via online platforms?
Phillip: "I’ve used various online platforms. Cybrary is actually one of the platforms I’ve used; I used it for my pen testing classes at Dallas College. But I’ve also used Offensive Security, eLearnSecurity, and SANS, and then just followed different people online. Seeing what other researchers and pen testers are doing out there, following them, and looking at their work is pretty helpful. There’s also a lot of great content on YouTube!"
Where do I go from here?
Prepare for your next cybersecurity job with our guided, job-specific experience. Develop the knowledge and skills needed to begin or advance your career with our Become a Penetration Tester career path.
Or, better yet, stay up to date on the latest role dive webinars by visiting https://www.cybrary.it/business/events/.