We think we know podcast

We think we know what makes a good pentester

Publisher
Pentest-Tools.com
Updated at
Tom Eston at We think we know

Who or what shapes the perception of penetration testing? How do you step away from firefighting and develop a more systematic approach in your work as a pentester? These are some of the questions we’re answering in this new episode. 


Today’s guest is Tom Eston, an experienced security professional, team manager, and a true leader in offensive security. 


With 20+ years of cybersecurity work, Tom unpacks the complexities of penetration testing, discussing the roles of vendors, practitioners, and technological advancements. 


He also shares his perspective on what makes a good pentester, the value of mentorship, and the ethical challenges in this line of work. 

We think we know what makes a good pentester

Tom Eston bio

Tom Eston

Tom is a distinguished leader in cybersecurity, known for his unique blend of technical skills and leadership acumen. With 20+ years of experience in both offensive and defensive security, he has a deep understanding of the hacker culture and what it takes to have a fulfilling career. 


He’s also a speaker at international conferences like SANS, OWASP AppSec, or Black Hat USA, playing a key role in keeping companies and employees safe worldwide.


Tom is the VP of Consulting at Bishop Fox and also the co-founder and co-host of the Shared Security Podcast, tackling various topics such as data protection, deepfakes, career growth, empathy in cybersecurity, and more.

Explore this conversation to learn:

  • How pentesting changed over the years and who’s shaping it [03:02]

  • How to avoid burnout and deal with imposter syndrome [09:13]

  • Why he seeks and values mentorship for personal and professional growth [19:44] 

  • The importance of constant learning and networking with your peers  [23:23] 

  • How compliance brings down the value of pentesting and what to do about it [30:04]

  • How cultivating range can help you in your pentesting career [37:24]

  • How to set healthy boundaries to protect your own health [41:11] 


This episode with Tom is a must-listen if you want to learn how to showcase your work and elevate your thinking and tactics.

Let’s get into it!

Resources from this episode

Tom’s personal website

Tom on LinkedIn

Tom on Twitter

The Shared Security podcast

The People Hacker book by Jenny Radcliffe

Tom’s journey from offensive security to leadership at the Phillip Wylie Show 

Ethical hackers and the legacy of the hacker manifesto for Cyber Empathy

Tib3rius

Jason Haddix 

Dave Kennedy

Listen to this conversation on:

Spotify 

Apple Podcasts

Amazon Podcasts

Google Podcasts

Episode transcript

Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries? 

And what's limiting my ability to think creatively? 

This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.

This is We think we know, a podcast from Pentest-Tools.com

Andra Zaharia: Who or what is shaping the perception about penetration testing today? 

How do you step away from firefighting and develop a more methodical approach to your work? 

These are some of the questions we're answering in this episode today on We think we know. 

We're thrilled to host Tom Eston, a true leader in offensive security. Dipping into his expansive, two-decades-long career, Tom unpacks the complexities of pentesting, discussing the role of vendors, practitioners, and technological advancements. He also shares his perspective on what makes a good pentester, the value of mentorship, and the ethical challenges in this line of work. 

Andra Zaharia: Plus, we also explore the delicate balance between developing and maintaining technical skills and leadership abilities. 

Now, this episode is a must listen if you want to learn how to better present the work you do and how to elevate your thinking and tactics. 

So let's get into it.

Andra Zaharia: Tom, so wonderful to have you on the We think we know podcast. I've been anticipating this conversation with such excitement and so much curiosity, and I cannot wait to just go straight into it. 

Tom Eston: Wow. Thank you. Thank you for having me on the podcast. It's been great. 

I think we've been trading podcast interviews back and forth here over the last month, so it is an honor to be on your podcast again. 

Andra Zaharia: Well, it is an honor for us to have you, especially because you're not just one of the most experienced people in the field, but you've also been such a vocal advocate of so many of the important topics in this space, and you also lead multiple teams of hackers, which is. That's a question unto itself. I can't wait to just get a glimpse into what it's like to actually do that.

But before we get there, I was wondering, because you have the big picture view, and you can zoom in and out on a bunch of different elements, who or what is shaping the perception about penetration testing today? Who really is behind that right now? Is it vendors? Is it practitioners? Who's influencing that perception the most today? 

[03:02] Tom Eston: That is a great question, and I would have to say it's multiple people and things that influence the pentest industry as we know it today. Vendors obviously are a big part of that. 

We have definitely seen the pentest industry change over the last ten to twelve years, I'd say, where a lot of new vendors have entered the space with magical claims of fully automated penetration testing and AI and ML and all these buzzwords that are going to revolutionize the whole industry and even in some cases go as far to say, remove the human element that in my opinion makes penetration testing the real value of what a pentest is. 

Tom Eston: I think vendors have shaped it in a, I don't want to say negative way because there's a lot of positive things that vendors do with new technology and some of the things we've been seeing recently with AI and some other things that definitely benefit the pentester or the art of penetration testing. 

And then we've also seen a lot of just great innovations happening through the contributions of a lot of people in the industry. So I had mentioned this previously, I talked to Tiberius was on my podcast a while ago, and he's one of those people that loves to give back through training and a lot of free training to other pentesters on how to be a better web app pentester as something that he's an expert in. 

Tom Eston: And I have never seen, just in the last five years, more people like Tib3rius and others. Jason Haddix is another one that really showcase and try to teach others penetration testing and ways to do your job as a penetration tester better. And all of this is free or extremely affordable training. So I like to say we're kind of in the golden age of pentest training. I've never seen it like this before and that is actually a good thing. 

So there's more vendors providing training, more people, more content creation going on. I mean, just look at YouTube, there's so much material that's out there, but all of that is great. But it comes with a warning to everyone too, is that with all the good content that's out there, we have to be careful of the bad content or the things that are maybe misleading or flat out wrong. 

Tom Eston: And I've seen a lot of that as well, not as much, right?! Because I think people like myself and others in the industry try to promote the good content that's out there. 

And then we try to call out and hold accountable to people that are putting bad information or wrong information, or maybe they have different motives to put information out, like make money, right?! Click on my links, take me to your vendor site or what have you. 

So you have to be very careful out there as a pentester and really vet the training and the information that you're getting to make sure it's the right information, make sure it's good information and that it's valuable and that's been vetted. 

And I won't say approved by others in the industry, but everybody kind of knows who the core group of individuals, I'd say, that other pentesters look up to. They're doing a lot of their own mentoring, contributing back to the community. And those are usually the people that I tell others like, hey, follow these guys or this person. They're doing really good stuff for the industry. 

They're speaking at conferences and things like that. Yeah, it's really interesting space right now. 

Tom Eston: And so kind of, to answer the original question, it's really from multiple facets that we see the industry, how it's changed over the years and where it's going to go. I think we're instant for some very interesting times in the next three to five years. With all the things that I've been seeing lately. 

Andra Zaharia: Can't help but agree with you on this and thank you for sharing that. Let's say that puzzle like structure to the industry because all of these elements are so important to kind of balancing each other out. 

I mean, having these independent professionals who are creating their own educational resources counteract and balance things that may come from the vendor side that aren't as, let's say, well-intentioned or to the good of the people in the industry, but rather are more driven by commercial interests, but also having that technology come in and be used and evaluated and challenged and pushed to improve by these practitioners is also equally valuable. 

So that kind of, that power dynamic that you underlined is so, so important and helpful. And I can't help but feel really grateful for people who spend so much time, such as yourself, who spend so much time creating content and debating these topics and putting the energy in it, because that takes a lot of work. 

Andra Zaharia: It takes a lot of time spending just thinking about these things, articulating them in podcasts and conversations and articles and so on and so forth. So I was wondering, how do you balance that with having a leadership role that has so many responsibilities to having, of course, a life beyond all of these things? 

How do you manage to keep all of these things together? Because I think that many of the people who are coming into penetration testing and offensive security would like to pursue this kind of diversified path towards building their careers, but they aren't sure. How do you balance that? How do you not get overwhelmed? How do you avoid burnout? So what does that look like for you? 

[09:13] Tom Eston: That is another great question because I have dealt with burnout a few times in my career. In fact, I had one job that I was in that I became so burnout I had to leave and I had to find something else. I had to do that just for my own mental health. 

So burnout is a real thing in the industry, even just thinking outside of content creation. But sometimes it's a struggle, right? There are times that I don't want to do a podcast, or there are times I don't want to write a blog or think about what the next thing that I want to talk about, or how can I continue to contribute to the community. 

Tom Eston: And I think all content creators struggle with that at times. But what keeps me motivated to keep doing it is really the comments and the impact that I feel that my contributions are making on somebody's career. So I'm really big on mentoring, mentorship in general. I have several mentors myself that I've had throughout my career. I continuously also seek mentors for whatever is next in my career and I encourage others to do the same. 

So that to me is probably one of the greatest things that I've been fortunate to have is really good mentors that have led me along the way. And when I'm kind of feeling that burnout or I'm feeling like I'm not really sure what I want to talk about, or if impostor syndrome hits, which that's a real thing, too. A lot of people and these content creators that you see out there, they're like, wow, look how successful they are. 

Tom Eston: Look at all the things they're doing. A lot of them struggle, just like everybody with imposter syndrome, we don't feel we're good enough, all of those things. And mentors really kind of help guide you through that and you work through that together, because even some of my mentors have told me I struggle with that as well. So that's motivating to me. 

I think it's important that everybody takes time to self-reflect and to journal or exercise or go outside for a walk. 

And I think a lot of times we get too caught up in the day-to-day or we're thinking about what am I going to talk about? Who am I going to interview? Or maybe what am I doing in my job and my role that could help in the content creation that I'm doing, and we worry about all these things. 

So it's taking that time to self-reflect on you as a human, as a person. 

How am I getting better? And that's something that over probably the last couple of years, I've done more of that self-reflection of my career and kind of the things that I'm doing, but none of that would be possible doing it by myself and doing it alone, I have to have those guides, and those guides for me are my mentors. 

Andra Zaharia: That is such a powerful thing to share and thank you for sharing so honestly and so openly. I appreciate you for doing this so consistently because I feel like it normalizes this type of conversation and seeking help and not braving it out all by yourself. 

And like Willa said in a previous episode, we do not develop or grow in a vacuum. We need teams. We can't master it all. We can understand it all. And we're not supposed to. We're supposed to work with others who either help us with this level of self-awareness, who either help guide us and getting clarity when we feel stuck, and who just help us figure out what we want to do next and what's the next thing that we want to learn or how to do less in general, which feels like such counterintuitive advice in a space where there's always so much to do and always so much to learn.

Andra Zaharia: And one of the key things that this brings up for me is that, for instance, in the past few years, where penetration testing has grown so much and has developed so much, we've seen this avalanche of critical CVEs permeating every layer of technology and just putting everyone in firefight mode, which seems to be the norm. 

So how do you help your colleagues, the people in the teams that you lead, step away from that reactive way of working and switch to a more methodical approach, a more cool-headed approach because I feel like that's one of the things that comes from this level of self-reflection and spending time thinking about these things and allowing yourself to have that space. So how do you actually guide them on this particular path? 

[14:13] Tom Eston: Yeah, there's a thing in life called temperance, right?! Is thinking about how you react to situations and not overreact, right?! And a lot of that comes down to critical thinking skills and managing your emotions in high-stress situations, in which everybody handles stress and new information very differently. 

Some want to just jump right into that firefighting mode, like when a new vulnerability comes out, right?! For a pentester, it might be, ooh, look at this new, shiny vulnerability. And I need the exploit. And I'm going to start getting shells on all these boxes because of this new shiny thing. 

And I'll always say, okay, that's great, this sounds really cool, but let's think about for a minute what is the true impact of this and think about how the vulnerability works. 

Employ more of those critical thinking skills before you just jump to something and thinking, it's the next best thing that I need to focus on because oftentimes you'll find out, okay, this isn't really that great. 

And I've just wasted all this time working on this tool or this exploit to take advantage of this vulnerability. So for me, it's about telling everyone first, acknowledging what they're feeling is very important, but then to also give them maybe a different perspective to think about before they just jump all in on it and to make them think, right?! Like I mentioned, some of the mentors I've had have always kind of challenged me to not just assume the obvious and to ask questions and to be curious. 

Tom Eston: And for me, as a hacker and a pentester, that's one of the most valuable things that you can have, is to be curious and you have to ask questions. We always say nothing is 100% secure. We all know that. And so you have to ask questions of why is it not secure? How was it designed? What potential errors could have someone made in the design of this technology? 

Tom Eston: And I try to challenge my team to really think critically and to ask those questions because I think curiosity is the one thing that we can't automate. AI is not going to replace that anytime soon, knock on wood, right?! But I really want to drive that curiosity from my teams. 

I think we had mentioned some of that in a previous podcast about the hacker manifesto and how that has kind of shaped the hacker ethos if you will. And I want to make sure I'm still bringing that into the teams that I lead and manage because I think that's so important.  We can't let that go out of our hacker culture. 

Tom Eston: No matter what role you're in as a pentester, an internal team, you're working for a big corporation or you're a consultant, I think we all have to share in that, and a lot of that is just from a leadership perspective. We need to encourage that type of thinking, and I think it provides a lot of resilience in somebody's career if you can have more of that mindset. 

Andra Zaharia: What an excellent point. And I can't help but notice that all of these elements that you're putting together make penetration testing a profoundly human type of discipline, which is not what, it's definitely not in the top ten things people think about when they think of penetration testing. Definitely not. They think about the skills, the technicalities of it, the operations, anything else. 

But again, the profoundly human aspect of it, which ties into everything from decision-making to how you just interact with a system and how you question its security and just its inner working. 

And when it comes to that profoundly human element of it, these experiences that people have with technology, these formative experiences they have when they're trying to develop this craft and understand it and build teams and just try to have a bigger impact.

Andra Zaharia: This leads me back to an episode, the episode that you did with Philip Willey, where you said that your interest in offensive security actually was born through the experience of hiring a pentester and working with them for the first time. 

So I was wondering, looking back to that perspective, do you take anything from that that you want to offer, like your clients, whether they're internal or whether they're like consultancy clients? What was that kind of reflection moment like for you? 

[19:44] Tom Eston: Yeah, it really takes me back to when I first was hiring pentesters and interviewing and really thinking about what makes a good pentester, like, who do I want on my team? 

And I think in that conversation, for me, it was about some of the mistakes that I made back then during the hiring process. And I think as leaders, we all have to accept that we will make bad hires. That's just inevitability. We are human, right?! We make mistakes. 

But I also have hired people that I didn't think they would be successful, I'll just put it that way. 

thinking that they were a bad hire, and they ended up being amazing hires. After I was able to let go of maybe some biases that I had or some things that maybe they said early on that just kind of questioned maybe their abilities or things like that. 


And I gave people a chance to succeed, and that's been a big thing for me. I felt that I've had to pay that forward in my career, too, because I've had people who have given me a chance. Early on, before I was even in security, I was hired into jobs that I was not qualified for. 

I was, frankly, underqualified, I would say. And I've seen that reflected in some of the hires that I've made, where I wanted to give them a chance, too. Could that come back and bite you as a leader? Of course, it can. But that is also life, right? 

Tom Eston: We have to take risks. We have to take chances, and I think we have to take chances on people, especially if we see talent in them. The other thing I'll say, too, is you can't just let them try and be successful. It is your job as a leader or manager that's running a pentest team as an example to really mentor and guide them in the right directions. You don't necessarily have to tell them what to do and you shouldn't, right?! We should be advising them and coaching them and not micromanaging them. But if we're guiding them and then helping them through their careers to become better, I think that's the best thing that you can do as a leader in this space. 

Andra Zaharia: You're definitely shaping this space and this community through all of this effort that is not exactly visible.

So what leaders like you do, and I want to say leaders, not managers, because I remember that one slide from your presentation, that you manage things, you lead people, which resonated with me so much. 

Andra Zaharia: You as leaders have such an important role in shaping this space and offering practical examples of what it's like to behave in the workplace, how you behave on a team, how you stick to a quality standard that you set together and that you honor by respecting and helping each other with work and just expanding your entire perspective through what you do, through how you do it, and especially why you do it because that is fundamental. 

And that being in that role, being in that leadership role comes with, again, so much responsibility. It comes with having to balance all of these expectations, external expectations, but also kind of, let's say specific, discipline-specific expectations. 

So I was wondering, how do you balance kind of maintaining your range and your know-how as an offensive security professional, with cultivating your leadership skills? Because obviously these are two disciplines with immense depth, and just keeping these together in your life takes such tremendous effort. So how do you even do that? 

[23:23] Tom Eston: Yeah, that's a good question. I guess I'd have to say I learn by doing, essentially. I was told long ago that the best way to learn anything is to actually teach it and become a teacher. I've done that, I think, through my whole career. I found an interesting niche or an interesting thing to focus on, and I quickly became very knowledgeable in that. Maybe not an expert. I hate using the term expert because is anybody truly an expert? I think we're always lifelong learners

Tom Eston: And to me, the way I've stayed up to date on the industry and things going on, for me, a lot of that's been content creation, whether that's talks and podcasts or blogs or what have you. For me, I will jump into a subject or learn about something by actually writing about it or speaking about it, or talking to others about it. The value of networking in this industry is just enormous. There are so many people out there who know so many different things, and it's really so easy to reach out, especially through social media or Twitter or any of these outlets, to connect with people that you want to learn from. 

I was always kind of shocked to think of my idols in the industry were unapproachable in a lot of ways, like, oh, my gosh, these rock stars, they would never talk to me like I'm nobody. 

And you would be surprised how many people would talk to you or you walk up to them at a conference or you're at an event. And my whole mindset was changed when people that I looked up to, I just had amazing conversations with, and they were so open to me, and we developed these relationships. 

Tom Eston: And I just encourage everybody, if there's somebody that you look up to in the industry, send them a message or walk up to them at a conference, and you'd be really surprised, first of all, how friendly and how nice and how they want to help you. 

Tom Eston: That's really cool. But also how you've now developed a connection with somebody that could potentially help you in your career. Like I said, could be your next mentor. You just never know. So for me, it's just been constantly talking to people, networking, learning about what's going on in the industry, how I can get involved. And like I mentioned, that teaching aspect. I really encourage people to, if you've never written a blog, start a blog. 

If you have something to say or you have an opinion about something, put it out there. It's tough to do that. It is really hard. 

Tom Eston: And the thing I'd say about that, too, is that unfortunately, there are trolls. There are people that will criticize you, maybe not make you feel so good, right? Especially on social media, we know how toxic it can be at times. But those are the things I encourage people. You got to power through it, right? Never feed the trolls, ignore your haters, and you just got to keep going because there's more people out there that will value the content that you're putting out there than the people that are not.

Andra Zaharia: This perspective is not just so optimistic, but it's truly inspiring. As much as this word has been devoid of meaning, and I'm sorry about that, it's not the word's fault, but it is very inspiring what you're saying, especially because there are two aspects to this. 

One, it reminded me of how important it is to cultivate our bias for positivity to outweigh the bias for negativity that we have. Ippsec actually mentioned this in a previous episode, and I thought that was such a good point that he made. 

And cultivating this ability of just showing up in the community and seeing, watching good things happen, it just puts you in this virtuous cycle where you get motivation to do more and more of it, just like you've done with the Shared Security podcast for what has it been, 14, 15? 

Tom Eston: Going on 15 years now, yeah. 

Andra Zaharia: Wow. Like, happy anniversary. 

Tom Eston: Oh, thank you. 

Andra Zaharia: Absolutely insane to have developed not just that body of work, but all of the community and the relationships and the experiences that come with it, and especially all of that personal growth that has been made so much richer and so much more powerful of an element in your life as compared to if the Shared Security podcast wouldn't have existed. 

So I really appreciate you sharing this with us, especially because I think that many people maybe kind of compare penetration testing to an art form, but they don't fully embrace that aspect because they get stuck on the like. Yeah, but I don't master the technology enough. And just like you said, there are no experts. 

Just like you can say that artists are experts in their specific field, but that doesn't mean they'll stop practicing and enjoying the process and trusting the process and where it might take them. And that place might be just very different from what they expect, but still definitely worth pursuing. 

Andra Zaharia: So that craft art aspect of penetration testing is something that we're talking about in these conversations because it gets played down in a commercial context. It gets played down because it's so much easier to focus on the money to be made, KPIs to be fulfilled, hich is not to say that those things don't happen when we focus on the craft aspect of it as well, but it diminishes the work that penetration testers do, which is so, so unfair.

And I was wondering, because you have, again, this really comprehensive perspective on this type of work, when do you feel like this conversation started to change? What was it like when penetration testing was a lot more, let's say, obscure, a lot less visible than just general conversations or even the industry as a whole? What element from that particular, let's say, period and time, can we bring forward and emphasize today to show how much this work counts and to show how important it is to do it as a craft and not as a commodity? 

[30:04] Tom Eston: Yeah, I think a lot of that had changed around compliance. So security compliance regulations, PCI, and all these things kind of changed the landscape quite a bit because I saw pentesting become more of a check box exercise than something to actually help secure your environment. And we still see this today, right?! 

There's still going to be compliance-based pentesting, and this is still where you'll get into that discussion and that argument about is it a vulnerability scan or is it a pentest? And that mindset still hasn't changed much at all. 

Tom Eston: In fact, it may have gotten a little bit worse considering that we now have a lot of newer automation-type technologies, a lot more vendors in this space that are providing automation or pentest automation, as we kind of see some vendors say. 

And it has kind of lost a little bit of its luster of being an art form and something that is of high value. And in a lot of cases, it's become, this is just something you have to do or something a company or organization has to do to meet audit or federal requirements or things like that. And while that is still important, right?! 

We have to still consider the real value of a pentest and what a really good pentester will bring to a company, or a real good pentest I would say brings to an organization. 

Tom Eston: And for me, and I think a lot of others, that really comes down to the attacker mindset. I think that is the thing that makes a pentest different, is those critical thinking skills that a pentester brings to the testing that they're doing. So they're not relying on automation. In some cases, they need automation. 

We have to automate the boring stuff, as I like to say, but we don't replace the human mind with the tools and techniques that we're doing on a pentest. That automation is really to supplement the brain of a pentester because we do need to script and we need to automate and use tools to our advantage, but we can't over rely on those tools to do our job for us.

So I often have this discussion with other pentesters about the use of AI and what we're seeing, how that is going to change and shape the industry. And I'm all for AI. I'm all for the technology. 

I think it's amazing. But I also think it should be used in moderation and only used in certain situations to assist the pentester. We can't rely on that. And frankly, I don't know if we ever could. 

Tom Eston: We still have to have a human involved to oversee the work of that automation and that tooling because a lot of the tooling is going to evolve with AI. It's just inevitable, right? We just can't stop these things. As much as people say, oh my gosh, this is going to change the industry, we're all going to lose our jobs. 

And I don't think that's the case. I think we have to think of it much broader than that and look to see how it can help us. But also be careful so it doesn't replace what we are really good at, which is that attacker mindset thinking like an attacker and actually how to break the technology. 

Tom Eston: I don't know if a computer or an AI could actually get to that point to actually replace our human mind. 

Andra Zaharia: Again, I'm a huge supporter of this nuanced conversation around AI and automation, simply because I feel like, again, we're a bit biased into thinking into black and white terms in this industry, simply because our vocabulary and ethos is borrowed from the military. 

So that shows. It shows, and we definitely need a lot more nuance and conversations in the work that we do and so on and so forth. But also one of the core things that this actually brings up for me is the fact that these conversations happen a lot in closed groups. 

So we do have some of them in public, but most of them happen in closed groups. And there's just so much change happening throughout the industry that we don't see. And just making this change visible for other people coming into the space, which might not necessarily be just like young hackers, but also people with a more mature background, a different background. 

Andra Zaharia: And offering these conversations in public, I think, is such a valuable tool, because one thing that I truly believe AI cannot replace is the ethics part of it. A tool without, like you said, without oversight. It might slip into unethical behavior because it can't regulate itself like a human does. It can make those difficult decisions and some key points of the process like a human does. 


And those are super complex. It's a very complex decision-making process that takes into account so many things that are entirely tied to the human experience because we know what it feels like to do something bad, whereas robot, to oversimplify it, doesn't have that experience. 


So it's a lot more tied into so many other disciplines that go into penetration testing, which are not just the technical aspects, but a lot of psychology and philosophy, many, many other concepts. It's such a multidisciplinary space and type of work, which is what makes it absolutely fascinating to me. And I was wondering, this multidisciplinarity do you think that this is something that could use a bit more, let's say focus? 

Andra Zaharia: Because we see a lot of young people coming in, focusing on the technical skills, which makes perfect sense. But at which point do you start developing other pulling from other disciplines to feed into your way of doing things like your methodology, your way of thinking about the pentest engagements that you do? 

Tom Eston: Yeah, I think people that have either just started as pentesters or have been doing it for a while, I think I always encourage broadening their horizons outside of just one particular interest or area of expertise. 

So we've talked for a long time, I think, how it's important for individuals to figure out what they're really good at, what they like. Do you like web applications? Do you like network pentesting, social engineering, all the different categories of skills that are required for different types of pentesting. 

[37:24] Tom Eston: But I always encourage people to step out of their shell a little bit and do something or take an interest in something else that might be somewhat related to. Let's just say you're really good at network pentesting. Try working on more mobile applications or web applications just to see how you like it. 


Tom Eston: And even if you didn't particularly like it, you can look back and say, well, I gained some skills at least doing this, or I learned how to use this tool, this technique. This really helped me because some of the best pentesters I've worked with are the ones that are most well rounded, where they have the most different types of experiences that they've had, not just in their career, but their life as well. 

So I think I've mentioned this to you before. Had a nurse that moved into cybersecurity and became a pentester. Probably one of the best pentesters I've worked with because this person had that bedside manner where they could talk to customers. 

So while they were great, technically, the real value I saw in this person was the way that they could explain technical findings to nontechnical executives or CEOs or people on the board of directors. That is huge value as a pentester. And so I always look know, and, you know, what are the things that maybe you did in a previous life that could apply to your job now? 

Tom Eston: I know at Bishop Fox we have a lot of pentesters that work with us and consultants that were in the military. That background alone is extremely valuable. There's a lot of self-discipline that goes into that. There's camaraderie. There are endless advantages. 

Someone from the military coming into a consulting role and vice versa. 

I mean, I have someone on my team that was a fine arts dealer and is now a director and she's absolutely amazing because she brings a different perspective. So I just encourage people to be as diverse as you can with your skillset. It doesn't always have to be about the next pentesting thing or the next type of expertise in pentesting that I have to focus on. 

But it's sometimes the things you do outside of cybersecurity that really make you a great pentester.

Andra Zaharia: What do you do outside of cybersecurity and outside of security? Podcasts. Do you nurture any type of hobbies? Because Willa talked about this and I really appreciate it for sharing the importance of this and the importance of us stepping away from our laptops, which we don't do nearly enough, and of just interacting in even offline type of activities. Gardening comes to mind or woodworking. Or like Dave Kennedy does, like hitting the gym really hard and focusing on health. He is fitness golf-like. Yes, totally overshooting in terms of objectives over there. 

Where do you get your energy from outside of these great relationships and great experiences that are tied to our work and our personal projects? But we do need to diversify our energy sources as well. 

[40:54] Tom Eston: Yeah, I have a lot of interests outside of cybersecurity and hopefully I've done a better job of balancing that. I'm very big on when the workday is done, I don't go back to my desk. I have a separate phone for work, a separate phone for personal use.

I really learned over the years I have to keep those two things separate. Same thing with podcasting and content creation, right? Like, if I'm done for the day, I'm done for the day. I really have to detach myself. So some of the things I do, I'm a big outdoors person. So I love to run, I love to work out, I love to kayak when it's not 10ft of snow outside. I love being outdoors, backpacking, hiking, that kind of thing really recharges me quite a bit. I'm also a video game nerd. Especially retro video games. Started getting back into electronics and electronics repair more recently. So fixing broken PS2s. 

Tom Eston: But still, those are things that reset my mind. But I can still use them for either it's self-reflection or enjoying the outside, or if I'm messing around with electronics, it's about using my critical thinking skills, thinking about how can I fix this? How do I not break it again as I've done with some things, but those are the things that I kind of do. 

Working out is also kind of a stress relief as well. I get a lot of energy after working out in the morning. I may not be the next Dave Kennedy, but I'm really trying to just take better care of myself, and I encourage other people to do the same. Just go for a walk. 

You don't have to be lifting weights every day or what have you. But those are the things for me in the last couple of years that have kind of changed my whole mindset about how I live my life so I don't get overwhelmed with my job and my career, because like I mentioned to you before, I've been burnout before several times. 

Tom Eston: I think it's a natural thing for a lot of people. Eventually you're all going to have burnout. It's just inevitable. It just depends on how you handle the situation and how you prepare yourself to get yourself through that. 

And that's why you have to have others, right?! Don't be afraid to ask for help. Find a mentor. Find others in your field or even outside of your field. They could be through friends and family or somebody else that you know, it doesn't always have to be somebody in our industry that's helping you, because, in fact, somebody outside of our industry could give you a completely different perspective on something. So I encourage people to do that as well. Don't always rely on the people that we work with every day. There's a whole world out there for people to connect with. 

Andra Zaharia: And that might be one of the reasons why people are so fascinated with OSINT because OSINT actually gets you to talk to other people. And social engineering in itself, I mean, Jenny Radcliffe's book comes to mind. Just reading The People Hacker was such a fascinating experience simply because so many things happen when we just go outside and talk to people, even related to cybersecurity or general, like our work, but just having that experience and just simply interacting with people in situations where we might not run into simply because, again, we're sitting behind the screen. 

Those experiences just amplify the type of work that we do, and I think they also solidify why we do it. They help us kind of sometimes reconnect with our motivation behind all of this really intense, labor-intensive work, not just mentally, but also emotionally as well, because that definitely takes a lot. 

Andra Zaharia: And thank you for sharing all of those examples that highlight how important it is that you can still thrive and build a remarkable career and a remarkable contribution to the industry while also having all of these things that you enjoy. In your life, it doesn't have to be an either or situation. 

You actually need one for the other. And that's something that, honestly, I feel like we can't emphasize or repeat frequently enough. We just need a lot more of that. Case in point, I don't know how we've come, like, almost to the end of our conversation. How does time fly when we have these kinds of just conversations around the things that we love?

Andra Zaharia: But I just wanted to ask, what's something that you're particularly passionate about these days? What's something that you're spending time on that gives you all of that reward for all your curiosity and kind of hard work? 

[46:12] Tom Eston: Wow. There's definitely a few things, but if I had to pick one, I'd say just the podcast that I continue to work on and grow, and seeing that evolve over the years has been really amazing. The friendships I've made, the connections I've made through that, the people I've interviewed, it just gives me so much happiness, really. 

And I don't look at it as like, this is something that I have to do. It's really just kind of the labor of love, as we all say, and wish I could do it full time, but I just don't think that right now in my career, that's something that I want to jump right into. 

I've always felt that it's been something that I'm known for, that I kind of do this on the side if you will. But I've also seen how content creation and the podcast have really helped my own career. It's amazing to think, too, like, I've done all these, I've hosted these live streams at Bishop Fox, at DEFCON, at RSA, and a lot of this transfers over into know your job. 

Tom Eston: And what I mean, I wasn't necessarily like, that's not in my job description, is to host a live stream at DEFCON. But because I do the podcast and I love talking to people and interviewing, it was just a natural thing to do, and I love doing that, too. So I guess the thing I encourage people to do is even if you have these hobbies and interests, some of that could cross over into your career or your job. 

I always tell people, if you're an outdoorsy person like myself, I mean, at work, there are other outdoorsy people, too, and you should connect with them and you should see, hey, could we get together and could know, go hiking together or go running, or there are people with those same interests. And what's important about that is that creates a cohesive culture within an organization, right?! 

Tom Eston: And to me, that's one of the great things I love about working at Bishop Fox, is just the culture, right?! The way that we share our interests with each other and how we can learn from each other from that, too. So it's not always about, like, let's be the best consulting team in the world, right?! But it's about coming together and working together. And I think a lot of our interests, even outside of work, can transfer into that workplace environment, too. 

Andra Zaharia: Wow. And it's teams like that, like yours, that actually make work, not just like a commercial thing, but something that actually introduces positive change in a space and that makes a meaningful difference for customers lives and for the people that depend on them. 

And then just all kind of, it overflows, the good overflows into the wider community, and it also lifts up the entire industry. So I love these kind of stories. I love that you these things and why it's worth going the extra mile sometimes, just to say on the hiking analogy and the running. 

Tom Eston: Yes, I love it. 

Andra Zaharia: It's totally worth going that extra mile and doing things that initially feel uncomfortable but then actually evolve into something that gives us so much reward and so many opportunities. 

Thank you for going the extra mile today to sharing all of these elements of your experience and all of these insights and just bringing up the essence of what makes this type of work so fascinating and rewarding. I'm so grateful that we have you in this community to learn from and to just follow along and kind of get so much inspiration from. Thank you so much, Tom. This has been such a pleasure. 

Tom Eston: Well, thank you, Andra. It's been an absolute pleasure as well, being on your podcast. And thank you for all that you do for the community as well. So we all appreciate your insight and the things that you do as well. 

Andra Zaharia: I'm so very grateful for this. Thank you so much.


[50:34] Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time. 


Thanks for wandering through this maze with us as we tackle the nitty gritty flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you. 


This has been the We think we know podcast by Pentest-Tools.com and before I sign off, keep this in mind. 


There's always a backdoor, or at the very least, a sneaky side entrance. 


See you next time.

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account

Footer

© 2013-2024 Pentest-Tools.com

Pentest-Tools.com has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn!

Pentest-Tools.com has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge

Pentest-Tools.com recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo

Pentest-Tools.com is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.