Pentester career: how to start and train properly

Before anything else, a pentester is a cybersecurity professional who carries out targeted attacks on a company’s IT infrastructure or any computer system. These attacks are authorized — that is, companies request these services to check for vulnerabilities in their infrastructure, with an ethical purpose and without actually compromising the company. 

This may mean that a certification or a degree related to cybersecurity is necessary to work in this field. However, some professionals in this area do not have formal training to work as pentesters. 

What does a pentester do? 

Their main goal is to help identify vulnerabilities and recommend solutions to these flaws, both in the digital and physical network, to prevent them from being discovered and exploited by a real hacker.

Therefore, a pentester must handle many technical tools such as Nmap, Wireshark, or penetration testing tools that help find these vulnerabilities. They also document the processes and activities carried out to later prepare a report of the entire audit for colleagues and clients. 

These are some of their functions: 

• Performing vulnerability assessments
• Network scanning with tools like Nmap
• Analyzing network structure and protocols with tools like Wireshark
• Searching for the most common vulnerabilities in IT systems, such as those listed in OWASP TOP 10
• Reviewing large amounts of company-related data, looking for passwords and user credentials
• Performing privilege escalation, lateral movements, pivoting, and post-exploitation

Typical characteristics of a pentester

Now that we know what a pentester does, it’s also important to know whether pentesting is the right type of work for you. This is not a strict rule, but the typical qualities are: 

Problem-solving skills

A good pentester is someone with great tenacity to solve problems, who wants to get to the root of the issue and think creatively. 

Creativity

To be able to defend against an attacker, you have to act like one. This requires thinking beyond simply scanning for common vulnerabilities. 

Curiosity

In cybersecurity, you never stop learning new technologies, vulnerabilities, and concepts. It’s a very rewarding career, but also a demanding one.

Within pentesting, there are several disciplines, as you can specialize in web pentesting or in network pentesting. 

In general, the basic technical skills are:

• Knowledge of networks
• Knowledge of Linux
• Knowledge of Windows and Powershell
• Bash scripting
• Another scripting language — Python is recommended since it’s very versatile

These concepts can take many months to study. Moreover, there are many cybersecurity courses that provide a much more focused learning path and allow you to enjoy this type of career more fully. 

What should a web pentester know? 

Now, if we focus on a web pentester, they should have knowledge of several web technologies: 

• HTML, CSS, and JavaScript: the pillars of website construction, HTML, CSS, and JavaScript are fundamental to understanding the basic operation of web applications.
• Server-side programming languages: knowing languages such as PHP, Python, Ruby, Node.js, and Java — commonly used on the server side of web applications — is vital to understanding underlying logic and detecting vulnerabilities.
• Web frameworks and libraries: pentesters should be familiar with popular frameworks such as Django, Flask, Ruby on Rails, Express.js, React, Angular, and Vue.js, as these can be vulnerable.
• Communication protocols and technologies: working with protocols such as HTTP, HTTPS, REST, and SOAP, and related technologies such as JSON and XML.
• Databases: knowing query languages such as SQL and NoSQL, and popular database management systems like MySQL, PostgreSQL, MongoDB, and Oracle can be useful for identifying SQL injection vulnerabilities.
• Web content management: becoming familiar with web content management systems like WordPress, Drupal, and Joomla.
• Front-end technologies: understanding front-end technologies such as jQuery, Bootstrap, ReactJS, and AngularJS can help uncover client-side application vulnerabilities.
• Web services and APIs: working with web services and APIs, including RESTful, SOAP, and GraphQL.

Pentesting is a career of constant learning; therefore, it’s essential that you enjoy it, as cybersecurity is always changing and evolving, and it’s necessary to keep up with that progress.