We think we know podcast

We think we know how to explain the value of a penetration test

Publisher
Pentest-Tools.com

Hey there! Welcome to We think we know, the podcast in which we flip the script on what you thought you knew about penetration testing.

Navigating a maze of tight deadlines and limited scopes while your expertise sometimes gets squeezed into a compliance checkbox can take a toll. Offensive security work is not about ticking off tasks. Many of us have a deep need for constant growth – and some overdue recognition.

And then there's the “dance” with clients – a delicate balance between their skepticism and the need for crystal-clear communication. The goal? To transform these interactions from apparently routine checks into insightful partnerships that don’t end when the engagement does.

The brilliant Alethe Denis joins us in this first episode to unravel the intricacies of security testing. As a seasoned offensive security pro who's breaking barriers and shattering myths, her insider stories are packed with tips on how to:

  • navigate security quandaries

  • build trust in pentest engagements

  • and break into the industry.

So, come along with us on We think we know, as we unpack the layers and narratives shaping offensive security work.

We think we know how to explain the value of a penetration test - Ep. 1

Alethe Denis bio

Alethe Denis is an experienced penetration tester and a senior security consultant for the red team at Bishop Fox. She holds the Certified Ethical Hacker (CEH) certification and has multiple awards and publications in social engineering and cybersecurity.

She started her career as a co-founder and CFO of two IT companies, where she gained experience in customer relationship management and market intelligence. She then pursued her passion for hacking and joined the cyber security industry after winning the prestigious DEF CON social engineering CTF competition in 2019 and a DEF CON Black Badge.

Join the conversation with Alethe to learn:

  • Why penetration testing is a unique, collaborative experience specific to each business (03:30)

  • Why a pentest sits between vulnerability scanning and a comprehensive red team assessment (07:55)

  • What automation cannot replace - and where it’s actually useful (16:40)

  • Why effective communication is the crucial factor in successful engagements (24:26)

  • How to build authentic trust and develop a collaborative relationship with your clients (39:20)

  • Why skills like communication and teamwork are key to getting into and succeeding as a penetration tester (48:00)

Resources from this episode:

Listen to this episode on:

Spotify

Apple Podcasts

Amazon Podcasts

Google Podcasts

Episode transcript

Andra Zaharia: Alethe, such a pleasure to welcome you to the We think we know podcast. Being one of the first guests here, it's really just an occasion to celebrate the fact that so many people, such as yourself, are investing their time and energy into sharing your experience and your knowledge and just your energy and time with all of us. So thank you for that.

Alethe Denis: Yeah, absolutely. Thank you so much for having me. It's a pleasure.

[03:00] Andra Zaharia: You have such a rich background, such incredible stories that you've told on a bunch of other podcasts that I've avidly listened to and very much enjoyed. But today I'm hoping to start off on a different track and one of the first things that I wanted to ask you is why do some people think penetration testing is a commodity?

[03:28] Alethe Denis: I think that currently most testing is driven by a compliance framework of some type. So most people who are purchasing pentesting are driven more by the compliance framework that requires it than they genuinely want to purchase the testing for the purposes of revealing any gaps or vulnerabilities within their systems, people, and processes. So it becomes a commodity because it satisfies a requirement. And the hope from those types of buyers is that it will check a box on a compliance check sheet and that they'll be able to move on with their lives. Unfortunately, pentesting really doesn't fall into that type of bucket in my opinion. I think it's less of a commodity and more of a service and that that service should be customized to the target client environment and that that should be a collaborative experience for both the testing firm, which is typically external to the company being tested to give that unbiased approach and the external no knowledge benefits of having a pentest conducted by an outside resource. I find that if you're doing internal testing, there are some things that you know as an internal employee that you can't unknow when you're doing testing. So if you hire an external vendor to perform that testing, which is most often the requirement, even from a compliance perspective, you get that unbiased opinion. But you also have an opportunity to learn and grow as a security team and collaborating with your pentesters and the firm that's providing those services to be more cooperative in the scope of the engagement will allow you to reveal vulnerabilities and gaps in security at many levels in the organization rather than just being fixated on the no knowledge external pentest view. So it can't really be a commodity if you're not purchasing something that is a standardized product. And for pentesting, it is unique every time. Every client organization is different.

Alethe Denis: They have a different combination of vendors, services, applications that they use, people, processes, policies, all of those things come together to create something unique. So every client has to be approached from that perspective. And so if you've hired a firm that is worth their salt, so to speak, they're going to look at that organization, identify what services are being used, and adapt their strategies based on how they progress through the primary layers of pentesting. However, I don't think that there is any one set process or like a process document that you could follow to create an effective pentest.

Andra Zaharia: And there's a lot to unpack in your answer. And thank you for giving us this overview and for highlighting the uniqueness of every engagement. Because I feel like it holds up such an important mirror to all the systems that we've created, but especially to the humans who have created them simply because a company is as unique as the people who build it, as the people who choose its technology. And that's a layer that I feel a part of the industry is trying to codify into repeatable processes mentioned like a spec sheet. But you can't really do that. There are limits to that.

Andra Zaharia: So I first wanted to unpack from your answer the baggage that the term penetration testing carries. How do you think that baggage kind of formed? Do you remember an inflection point that led to kind of the fall from grace of this term at times?

[07:55] Alethe Denis: Well, I went into this in quite a bit of detail during the presentation that I gave for the keynote at Security Fest earlier this year. So I won't go into immense detail. But essentially I think that there is a misconception from buyers, from our clients as to what a pentest is. And I feel that pentests sit in the middle between vulnerability scanning and a comprehensive red team assessment. And so a pentest is typically something that is going to hit every door and test and see if they're all locked and it's going to be very noisy and deploy every tool available to the tester to try to break through that series of doors. However, with vulnerability scanning, there's no requirement to actually walk through the door. That's something that can be automated, it's more process-driven. And essentially they're just looking from an external perspective as to what could be exploited, what could be vulnerable, based on a series of questions that essentially that tool goes out and asks from the environment that they're testing. Then you have red team assessments, which are trophy- and goal-driven. So the team that's performing a red team assessment can use any avenue to reach one final goal destination. There's one door that needs to be opened and one item behind that door that needs to be retrieved. And the team can take whatever is the shortest, most efficient route to that goal, but they will not go in and test all of the available options.

Alethe Denis: Their job is just to achieve the goal and then report back to the client. So we have a lot of marketing terms and things that have started to be used more readily in general marketing of pentests that confuse a lot of buyers, especially those who are non-technical, because they think all three of these things are the same thing, or they confuse a pentest with a Red Team. And that's where I see a lot of disconnect with the expectations of the client versus the products and services that they purchased from the offensive testing company. So to that end, I think pentesting has kind of received a bad rap because people don't fully understand what's involved. And so we're not setting the right expectations in our marketing, sales, and then prequalification of the client environment for that service. It's wonderful that clients want to spend money on a red team, for example. But if they're in a client organization that has a very low maturity level in their security program and they're not ready for that red team, then typically they come in expecting a pentest, and then we have that misalignment of expectations, and then there's a sour taste in everyone's mouths.

Alethe Denis: And I think the same could go for the selling of vulnerability scanning and the expectation of a pentest because we're not setting the right expectations there with what the service actually provides, what the output is, what does the report look like, what am I going to gain from this experience and what are the available options? To me, from the standpoint of adapting to a roadblock and moving past it? We don't typically want to put our consultants in a position where the client doesn't understand the service that they've purchased. And there's a lot of room for that to happen, especially at all the different layers of the sales process. And I think that that's where this requirement through compliance, coupled with the lack of full understanding of what the service does, what the consultants are actually doing, and what the output from this experience is, because I bought a pentest, we got a pentest, we did our annual thing like check the box, move on. And then you don't have any remediation efforts or the talents available in the client organization to go and remediate all the things that are found and it just kind of gets shoved under the mat until next year. So there are several different ways that the idea of pentesting has gained this sour, bitter kind of perception, especially from those who are essentially strong-armed into being tested every year. They're already sour about it. It's not something that they want to do. And then you have this sour kind of perspective because we have to go buy our annual testing and then you have the misalignment of what the client thinks they bought versus what they're actually getting. And I've seen that repeated throughout several different organizations that I've worked with or at over the years. And I think that we need to get better at communicating expectations to clients. What does this service include? What is the output? What are the expectations remediation-wise from the consulting firm? 
And how do we effectively improve client security programs through this testing rather than just saying, here's your report, check your box, see you again next year, and then we come back and everything is just as broken the following year?

Andra Zaharia: Those nuances, I feel, are something that industry, let's say insiders, or even in this niche, honestly, that's penetration testing. There's a certain amount of knowledge, but the bias of knowledge is that you form, let's say, distorted expectations as to what the client should know.

[14:20] Andra Zaharia: And honestly speaking, we may sometimes tend to forget as an industry that information security is still a new thing. It's not only new as a discipline, but it's also extremely complex, extremely intricate, very technically dense. So it's unfair sometimes to get frustrated with clients, even technical people who don't understand all of these nuances and these differences. So while I know that many technical specialists, many ethical hackers, love the tinkering aspect of it, the challenge, the curiosity, all of the good stuff that they enjoy, perhaps they enjoy the communication part less, the expectations less. But to be able to do that work that you enjoy, that they enjoy, that aspect is essential because otherwise, this disconnect will continue to kind of breed frustration for absolutely all of the people involved, honestly.

Andra Zaharia: So this is one of the reasons why we actually wanted to talk about the craft aspect of penetration testing because it brings out all of these nuances and all of these unresolved problems that keep popping up again and again and making just life harder for everyone involved. So when we talk about it, I feel there's a tendency to leap over these problems and go straight into let's automate everything, right? Which, you know, and all of the people who have done the work know that is an absurd claim to be able to let's just automate the whole thing. And I wanted to ask, from your perspective of the person who has done it, who has worked with these incredible teams, who have brought their skills together, how does it feel when you see these claims, perhaps in the industry or just in articles, in trendy thought leadership pieces and so on? What's that like?

[16:40] Alethe Denis: It's tough for me to say that every pentest has gone exactly the same way ever. So how do you automate something that is completely unique each time you have unique challenges, obstacles, communication milestones. And I think the closest thing that we'll ever be able to automate fully is, of course, vulnerability scanning. But still, it takes a human to read that vulnerability report and then translate that for a client organization and give them ideas as far as how they could potentially remediate these things. Are there one or two low lift items that we know wouldn't impact the budget significantly, that they could do to mitigate the majority of these types of vulnerabilities? I don't think we're ever going to get to that level where we don't need a consultant in the middle of that process. So I think there are a lot of opportunities for us to automate the more repetitive tasks, things like doing reconnaissance. A lot of those things have been somewhat automated using tools. But at the end of the day, you can't really task a tool to go out and do a full analysis of the target company and give you the intelligence that a real attacker would have to look at social media and examine pictures and just knowing how business works and the processes and practices that could result in compromise through the human experience. You can't expect a computer to have that perspective and it's something that even emerging talent won't have. It's something that develops over time. As you gain experience as a consultant, you start to see those patterns develop. So no, I don't think that we could ever fully automate any of these processes and deliver quality testing.

Alethe Denis: That's the caveat. I mean, you could, but it'll not be a great high-quality report and you're also going to have that gap between here's your report. Well now what? What do I do with it? And so having that ability to lean on folks who have the experience, who've done years of testing, who recognize the patterns and can identify ways that companies can start to close those gaps, starting with the most cost-efficient, lightest lift. Some organizations are still using very basic passwords for things like corporate wireless networks. Those are things that take time and it is a burden on the IT and security teams to make those changes because it affects so much. But those are recommendations that ultimately are achievable, whereas taking all the computers off the internet is not. And I could see an automated tool recommending something like that, like AI, automated tool, machine learning, whatever you want to call it, would just go easy fix. These are all vulnerable to the Internet. Remove the internet. So there are subtle nuances that I don't feel that we'll be able to educate any system on. But there are also those unique experiences that we have as consultants performing tests that allow us to make recommendations that are meaningful to our clients and allow them to make changes within their organizations that reduce their attack surface pretty quickly.  But also take into consideration the fact that they may only have one or two resources on their security and IT team combined, or lack of budget and funding. When I was working with critical infrastructure, the fact that they would be required to have pentests on an annual basis was something that scared the heck out of them because they knew they didn't have the budget for it. Because they're dependent on city, county, and state funding for those items. So it's something that I feel more automated vulnerability scanning could help to hit the baseline for those organizations. 
It's not ideal, but at least it's something. Whereas more comprehensive pentesting and then ultimately red teaming for the most mature organizations, will never be fully automated and result in any quality outcome.

[21:55] Andra Zaharia: Absolutely true across the line. Also, I wanted to unpack just a little bit one of the things that you said is this deep understanding of context and honestly just a human connection, that human trust that you need to get people to go beyond their resources and do something because they understand how important it is or what a big difference it can make. What has changed around how you incentivize people to do these things, to carry out the remediation steps, to make some progress? How has it changed for you now compared to when you first started working in the space and working on engagements?

Alethe Denis: When I first started working in the space, I was performing very passive security assessments. They were all based on self-attestation by the client as to the processes, procedures, and things that they were doing or understood that their teams were doing. But there was no real testing in those types of assessments.

Alethe Denis: They were purely discussion-based. And then the output would be a report with some recommendations. Things like you should explore MFA providers and then evaluate which option would be best for the organization. 

And we'd issue this report and then come back a year later and do the same assessment and learn that maybe they had figured out that they have MFA available but they hadn't made it a requirement. And it just seemed like things were moving very slowly and due to lack of budget resourcing and several other factors, the majority of these organizations were in the same state as they had been the last time we talked to them. So that was quite deeply frustrating. I also found that I didn't feel like I was being effective in this industry delivering those types of assessments. It felt very much like security theater in that they had an assessment done, they got their rubber stamp and then everybody moved on with their lives. 

[24:26] Alethe Denis: So, joining Bishop Fox, I was very excited to have the ability to test organizations with more mature security programs and also with the budget and resources to take action. As a result, it was quite humbling because I got brought to my knees a few times when the client organization was just so strong that it was very difficult for me to overcome the security controls and measures that they'd taken to protect themselves. I wasn't used to that coming out of critical infrastructure and public entities that just have much less mature security postures.

The thing that I find I use social engineering the most is communication with the client, regardless of what the actual service is that we're providing, and probably most often with the incident response and red team tabletop exercises. Because I can come in there and I can be a big jerk, and I can make a really tough scenario with a bunch of injects that bring them to their knees and just thoroughly embarrass the entire team. Or I can take their incident response plan. I can make a scenario that allows them to validate that plan at every level against the injects that I provide them, and then I can coach them through that plan if they fail to make it to the next step on their own while maintaining this relationship and this sentiment overall of collaboration with them to improve the plan and to train the people.

Because let's be honest, a lot of the time, most of the people who are participating in the tabletop, they've never seen the plan before. And so this is a training opportunity just as much as it is an opportunity to test whether or not that plan is efficient and effective against a cybersecurity-style incident.

During that, I'm balancing testing this plan and delivering these injects against turning my client into my enemy. Because I want them to see the value in the exercise and collaborate with their team and add their feedback and insight and be vulnerable and tell me how they think they messed up when they created this plan so that we can identify those things and put them into the recommendations for improvement and help them close some of these gaps. 

But it is all very human, the delivery side of pentesting. And if you take the approach that I just want to pwn stuff and go home and celebrate, then I don't feel that you give yourself the ability to deliver something that is meaningful to your client. And also after receiving this report, you don't give the client the ability to resolve these issues without really giving them the tools and the trust in you to take your advice and your feedback.

Andra Zaharia: Definitely. And not just the fact that you're talking about all of these levels involved in the entire process of getting a client from the first step, from the first contact to meaningful change in their organization. That takes a lot.

[28:18] Andra Zaharia: It takes a lot of skill, it takes a lot of technical skill, it takes a lot of knowledge of psychology and behavior, which is something you excel at. And this is where I think that social engineering skills and experience are so valuable. Just like you mentioned, you probably use them more with your clients than against your clients, right? This is one of those patterns that I assume you've seen over and over again. And I was wondering if you have memories of specific moments where your customers realize their blind spots and realize that they thought they knew their infrastructure, they thought they knew everything that's going on in their companies, and then suddenly realize there's this big door that no one had opened to look behind, and it was just sitting there. What are some reactions that they had and what are some practical tactics that perhaps younger ethical hackers could learn from and could learn to just look into them?

[29:40] Alethe Denis: Sure. I think the most notable client reactions, the first few that come to mind, the first one was a medical organization that on an assessment call, they realized that a practice that they had felt was being followed by the team, which was not sending patient information outside of these applications, was not being followed. And so they had people who were making home care visits, who were being text messaged pictures and medical information about patients and it was completely outside of any HIPAA regulation, let alone just good security practice for them to be doing those things because they were using personal mobile phone devices to do that. And when the executive and management team learned this based on the testimony of someone who was in that line of work within the organization, in that job function, their eyeballs almost jumped out of their heads. And so I think that it's vital that management and executives are paying attention to the day-to-day processes and that they are knowledgeable of how data is moving through their organization and that they don't rely on the policy that dictates how it should be handled, to understand how it actually is being handled and that team members are aware of what the policy is and that they are empowered to bring challenges to their managers and say, hey, I know the policy is this, I'm not supposed to send it this way. We got no choice but to send it this way. Is there something else we can do here to follow the right procedure and try to have those conversations rather than just figuring out a workaround and then that becomes the process?

Another example that was kind of like this one was kind of interesting because it was also a medical industry type of organization. They had a phishing and security awareness training platform that they were using. It's not the one you're thinking of, but they were using this to do training and testing. And they were absolutely certain that all of their employees, their entire employee population, would just be stellar against any phone phishing activities based on the fact that their click rates for email phishing were extremely low. And so they'd done so many tests and they'd done so much training, everybody was super competent when it came to identifying email phish. So the next logical step was for them to explore phone phishing and they were certain that their team would just not be vulnerable to this style of attack at all. And so they wanted us to test three different functions within the business: human resources, IT, and executives and executive support team members, people like executive assistants and people that support the executive team.

Alethe Denis: And we had gained phone numbers for the IT help desk, like the internal help desk number. And we had gained the HR help desk number, which was an internal number, but it was available publicly on the Internet. And we then sourced the direct phone numbers for a number of executives.

And those numbers may be answered by their assistants, but they were their direct desk phone numbers. So we tested first human resources and I developed a pretext around employment verification. I was going to try to elicit employee PII, and this HR person just shut me down so hard.

They followed the process perfectly. They were like, we don't do those over the phone.

You need to send an email. And email phishing was not in scope, so I couldn't do that.

So I was like, well okay, what's the right email address? And I took down all the notes of proper procedure and I was posing as a property management person from the local area. And then I called back 4 hours later and I said, I sent the email, did you not get it?

And I had her on the phone and she's like, well send me the email now while we're on the phone. And I was like, oh man, she's good. Wow. And then eventually I kind of sweet-talked her into looking the employee up. And then for IT, I developed a pretext where I was going to pose as an internal employee and have them go to a website that could potentially be malicious, but I had no intention of delivering anything malicious or even trying to capture credentials.

It was just, would they go to this potentially malicious site? And every single person I talked to went to it. And if they had been reporting internally, effectively they would have caught that over all the repetitions of the same pretext.

And then with the folks that were working on the executive team and to support them, I just wanted to find out about procedures to come on site, where the security is, how I check in, what the expectations are. Is your IT team on site if I need help setting up my projector because I'm doing a presentation, that kind of stuff. And they just gave me everything, including COVID procedures and where the desks were for security so I could avoid them, names of buildings on the campus, and I was posing as a cafeteria employee for the vendor that provided cafeteria services.

So they gave me the names of the cafes and what buildings they were in and all these really great details. So I reached out to the client and I was like, I've done between five and ten calls in each department. I know that we had scoped up to 30 per department, but I think I've got a great sampling of data, enough for me to create the report.

Can I stop now? And this is always the point where I reference, it feels like I'm clubbing baby seals and I don't want to keep going because it doesn't give any additional benefit to the reporting, and it just starts to feel bad.

So they responded and they're like, well, is it safe to assume that no one fell for your ruse?

And I was like, I think we need to schedule a call. So there are very different types of factors in play when it comes to social engineering. When you have the time to process and contemplate your response before you have to make it, as with an email phish, it's much easier to avoid that emotional manipulation.

However, when you're on the phone with someone, especially if they're calling a number that's supposed to be internal, there's that level of trust that can have employees negate the process.

For example, the IT help desk should have verified I was an employee, made me prove it, then opened a ticket, then we can talk, kind of a thing. So that was an eye opener for them.

And then, I think the final one, and it just slipped away from me, this moment of realization.

I can't recall. Oh, yes. Now I remember.

So there was a client who we were performing an assessment for. This is not a Bishop Fox. None of these instances were at Bishop Fox, actually, but we were performing an assessment for a client. They were on the phone with us, and we were asking them, how would you respond to someone gaining access to a Microsoft account? What steps would you take if you feel one of your user accounts has been compromised?

And one of the individuals on the IT team was like, well, you're just describing what exactly happened to us yesterday. And we were like, go on. And they said, well, we had an individual whose account was compromised.

They accidentally put their credentials into a credential phishing page and within a few minutes, we had a report of the issue, and we had changed the employee's password. And my teammate said, Is that it? That's all you did was just change the password?

And they're like, yes, totally good. All fine. And he goes, well, did you cancel any open sessions after you reset the password? And they were like, no, I don't think so.

And he's like, I think you should probably do that and then change the password again because you may have somebody, like, persisting in your environment as we speak.

And so this really shook them.

[39:17] Alethe Denis: But the most interesting part about this response is that they were more embarrassed than they were concerned about the threat. So their response was that they all started, we could tell, chatting in a different channel about what to do.

But my teammate was like, if you'd like some guidance, his specialty is incident response.

If you'd like some guidance on how to work through this, if you want us to take a look at it, if you want us to double check that they're, in fact out, like, can we help you further?


We're working off of hours. If you want to use them for this really quick, we're happy to help.

And they were just like, no, I think we're good, let's just move on. And I think that that was the most shocking response.

And that's why I stress that when you're performing an assessment like that, you really have to build that trust between your team and the other team so that they don't feel like it's an audit type of a scenario and it's more of a collaborative service where we're working together for a positive outcome.

[40:27] Andra Zaharia: And one of the key things that runs as a red line through all of your stories is that these are all opportunities to kind of lend elements from your culture and your way of talking people through these issues, of coaching them, to someone else who may not have them.

Because culture dictates these types of reactions, the types of patients that customers have in their environment. And maybe they haven't had a chance to feel vulnerable in a workplace setting to someone. Maybe they just don't know how to do it. They don't have the words, they don't have the approach.

And seeing you do it, seeing someone else that you work with do these things, talk to them like this. I think that's such a great way to learn how to model your own communication towards teams and employees and team leaders and everyone that's truly involved in making all of these millions of tiny pieces work together in a way that's truly beneficial for everyone.

[41:41] Alethe Denis: Yeah, absolutely. I think it's all in the delivery. I actually started my consulting journey in the staffing industry. So I worked for a multibillion dollar global staffing company on their global market intelligence team as a consultant. And some of the types of projects that they'd come to us for were why are we retaining full time employees but we can't keep contractors? Or why are we able to retain talent at this location but not at this location?

And so some of the things I would do are just go on job review and company review websites and then give them the feedback that's there that they could see on the internet, but it's all in the delivery. And being able to go to clients and say not only here's your problem, but here's a solution that you can try I think is critical.

And so I try to do the same thing in my communication to my management, even internally.

I try never to go to them with just like a gripe. I'm like, okay, so this is what I'm seeing, this is what I think is creating difficulty here.

This is a problem with how this cycle happens and this is how I think we can fix it, or this is my idea. And offering to help with that makes a huge difference. And so if we can approach our clients in the same way with pentests, you're saying, these are the things that I've identified, like gaps in your processes or just technical vulnerabilities in your systems, and here's how you can overcome it.

And coupling those things together rather than just delivering a finding and being like you're on your own, that's much more beneficial, in my opinion. And it helps to create that trust and build that relationship. And that's how you get repeat business. A lot of our current clients are constant customers because they appreciate not only the level of expertise but the professionalism related to how we construct and deliver reports and then the comprehensive report readouts and remediation that we offer with certain projects.

Andra Zaharia: Do you find that people coming into penetration testing nowadays, especially younger people, or people who are just choosing to refocus their professional paths towards this, are coming into this with wrong expectations, with expectations of a very, let's say, thrilling adventure with nonstop dopamine hits one after the other as you find things, and then you get to give talks at conferences and people cheer for you on Twitter?

Alethe Denis: Well, X, or whatever we're calling it.

[44:38] Andra Zaharia: Now, and everything else. Is there a kind of this, let's say, pop culture phenomenon that's altering perceptions as to what this work really entails and where the value truly lies?

[44:55] Alethe Denis: Absolutely. I would say I get paid to write reports and I do all the hacking for free hours. The actual hacking part is probably 25% of the time that I spend working. If we're being honest, it's probably less.

But the report writing and the communication and the administrative stuff and the real adulting, that's the bulk of being an excellent consultant. And the ability to communicate findings, and do so in a way that doesn't create an adversarial relationship with the client while still acting like an adversary, is something that's kind of tricky for some folks.

I would say those who are transitioning into information security/cybersecurity from another industry, even if it's just information technology somewhere else in the space, but totally if it's from somewhere like marketing or other types of consulting, like, consulting is consulting. It's just a different item that you're selling. But overall consulting is pretty much the same across all industries.

Those people have a better opportunity to transition smoothly into the space because they have those soft and transferable skills like writing and communicating in PowerPoint slides. And I mean, let's be honest, most of this is PowerPoint and Excel and a lot of different organizations that do consulting in the pentesting space. But yes, there are two different extremes that I see with the people who approach me who are trying to get into this space. One is the people who are genuinely driven by the desire to learn and break things and get paid for it.

And then there are the people who just really want to pwn people and do a touchdown dance and go home. And those folks are the ones that I feel are slightly misguided. And they're going to have a lot tougher time remaining an employee of any organization for a long period.

Because ultimately, those individuals who don't have the client's best interest at heart and aren't good team players because they just want to do the pwning and have somebody else deal with the adulting, those are the people that are going to struggle to become part of a team. And they're more likely to become dissatisfied and move on on their own or be the result of an involuntary termination when either there's a reorg or business priorities change, et cetera.

[48:00] Alethe Denis: So I would say if you want to get into pentesting, the most important thing is that you are an excellent communicator, that you write very well, because the bulk of your job is going to be writing, whether it's an email, status update, report, whatever, and the technology piece.

Even if you aren't the most exceptional pentester, demonstrating that you're learning and that you're growing, and that you're taking the initiative to be proactive in that learning, whether that is through certifications or participating in CTFs on the hobby side of security, all of those things give a good picture of you as a person. And your commitment to the industry and your desire to work in this space will probably be realized a lot more quickly if you can demonstrate those things rather than just write them down.

So looking to highlight those outside-of-work experiences as well as your transferable skills or degrees and certifications helps to bypass HR, but also learning outside of those and just keeping track of, like, I took this course, I attended this talk, I went to this conference, I participated in a CTF. Those types of things all add up, and they give a good picture of your level of commitment.

[49:32] Andra Zaharia: What's something you're learning right now?

[49:36] Alethe Denis: Right now, let's see, I've actually gone back kind of to the drawing board to start over and then grow beyond my current level with wireless and learning how to create malicious implants that leverage wireless. So I just recently had the opportunity to do a physical pentest that focused very much on social engineering. So there's the human aspect of bypassing the people, and there's the physical aspect of bypassing all of the locks and doors and cameras and all the things, badge readers. But there's also that technical aspect of configuring the devices that you're going to implant, hopefully, on the network and making sure that those things can communicate with wireless networks and things like that. So that's where I'm focused right now, is getting very adept at setting those up and then more confident in my payload development and execution to make sure that we're bypassing things like EDR.

Andra Zaharia: Thanks so much for sharing all of this and for going into so much detail, especially on the example side, especially in all of these nuances that all kind of center around. Just like you said, adulting just grows up with your profession and sometimes even letting your profession develop you. Well, not just sometimes, but most times. Spending so much on work, it's such a huge part of our makeup as humans and again, highlights just the unique human abilities that are involved in this space. I feel this is still one of the key things that we need to keep talking about because technology can be fascinating, it can be trendy, it can be inviting, but at the end of the day, it's still just a component in a much bigger system that's a human system. At the end of the day, absolutely. I really appreciate you coming on and sharing all of these stories with us.

I've really enjoyed your talks and everything that you've shared in the podcast and how candid you've been about your development. And I just wanted to kind of give my public appreciation for how you're inspiring and guiding others through your examples, through your vulnerability and openness, and by just investing so much time and energy into giving talks and being there for the people who truly want to learn, just like you mentioned. So thanks so much, Alethe.

This has been just a really great conversation full of teachable examples that we can't wait to share.

Alethe Denis: Thank you. No, I appreciate that so much because I'm sure that you could listen to some of my older podcast recordings and talks and go, wait a second. That is not exactly what she said the last time she spoke. And it's true because I reserve this right to change my mind as I learn more. And so even my perspective on things like social engineering has changed dramatically, even in the last one to two years. So just having that openness to allow yourself to be vulnerable and admit that you probably had a wrong opinion and adapting and overcoming that and continuing to grow, I think is the one message that I would want to share with everyone.

So thank you again for allowing me to come on today and sharing all this with you.

Andra Zaharia: My pleasure!
