My first month working as a junior penetration tester

22nd February 2024

Entering the world of cyber security as a junior penetration tester has been an eye-opening experience for me. In my first month, I’ve encountered challenges, questioned the effectiveness of current certifications, and established valuable connections within my new team.

This blog post serves as a reflection on my first month working in the cyber security industry as a junior penetration tester, highlighting what I’ve enjoyed, where I see room for improvement in certifications, and how team collaboration has played a pivotal role in my journey so far.

About me

Hi, I’m Tom! My background is solely in finance, and I had a brief stint as part-time IT support for an SME about eight years ago whilst still doing my finance duties. Prior to this, I didn’t even own or use a computer at home. Having to learn on the job as a part-time IT support admin was something I really enjoyed. It was very fulfilling when I was able to fix a complex issue on a user’s machine, and really opened my eyes to a new interest and passion for technology.

During the upheaval of the Covid-19 pandemic, a close friend embarked on the CompTIA trifecta certifications (A+, Network+, Security+). Intrigued, I decided to delve into the syllabus alongside him, even though I hadn’t intended to pursue the exams at this stage. This significantly bolstered my understanding of IT fundamentals and networking, and further fuelled my desire to chase a career in IT.

My journey took an exciting turn when I explored TryHackMe (THM) during the Advent of Cyber (AoC) 2021 event, specially designed for newcomers like me. The event served as a gateway to an ongoing addiction to THM, where I immersed myself in various learning paths and participated in captivating Capture The Flag (CTF) challenges.

As my interest in penetration testing grew, I stumbled upon the eLearnSecurity Junior Penetration Tester (eJPT) certification, an accessible entry-level qualification, complete with complimentary training at the time. Achieving success in the eJPT propelled me further, leading me to undertake TCM Academy’s Practical Network Penetration Tester (PNPT) certification. I should mention that during this time I was actively learning Python using Harvard’s edX CS50p, another free online resource, and further pushed myself to study technology in all directions. I was hooked and determined to find myself a place in the cyber security industry.

Interviewing for junior penetration tester jobs

When I first embarked on the journey to become a penetration tester, I encountered numerous challenges, including the struggle to receive callbacks despite holding industry-recognised certifications. In the UK, particularly in my area, the scarcity of junior roles compounded the difficulty. Many required prior experience, making it daunting for newcomers to break into the field without sufficient training opportunities.

Despite encountering scepticism and hearing discouraging remarks about the challenges of securing a junior penetration tester role due to fierce competition, stringent requirements, and my lack of IT background, I remained undeterred and started working harder than ever to land my dream role.

My journey underscores the importance of persistence and resilience in navigating the complexities of the cyber job market. It serves as a testament to aspiring penetration testers everywhere that with dedication and grit, and a little bit of luck for the right people to take a chance on you, breaking into the penetration testing field is achievable.

Before joining Sentrium, I secured an interview for a security consultant role, albeit not a junior position. Despite feeling confident about how the interview went, my lack of experience led to a disappointing but predictable outcome. Nevertheless, I reached out to the company for feedback, and they provided valuable insights. While acknowledging my potential, they cited my limited experience as the primary reason for not selecting me this time. However, they expressed willingness to consider me for a junior position in the future. Their encouragement fuelled my determination to continue my job search, affirming that I was indeed moving in the right direction.

I then saw a job posting by Sentrium on Indeed that I thought was perfect for me. I immediately applied and wrote a cover letter to accompany my CV. Shortly after, I received an email from Adam, inviting me to interview at Sentrium. Adam clearly laid out the whole interview process: a first-stage online meeting consisting of a technical quiz followed by a coding challenge, and the second, a face-to-face interview comprising a short written skills assessment and a CTF-style challenge.

While the interview process sounded daunting, it turned out to be a lot of fun. The interview environments were relaxed and friendly, and I never felt stressed or under pressure despite the complexity of the challenges. This was only the second technical interview in my career, and it left me feeling not only accomplished but also grateful for the supportive atmosphere at Sentrium.

Starting as a junior penetration tester at Sentrium

My first month at Sentrium has been both a rewarding and an eye-opening experience. The team has been incredibly welcoming, readily addressing my numerous questions and providing resources to deepen my understanding and learning. Despite the predominantly remote nature of the job, I’ve been pleasantly surprised by the sense of connection. We maintain an engaging chat group where we discuss both work-related matters and occasionally argue about which biscuits go best with a cup of tea. There are also company-arranged get-togethers where the team comes together for both work and social enjoyment.

Adam and Tim have also been nothing but supportive, giving me guidance when needed and fully communicating what is expected of me. They have helped guide me in a direction that I wasn’t previously going. From day one they mentioned things that they knew I probably hadn’t covered in my self-studies. Security headers and TLS issues, for starters: not once had these been mentioned on THM or through eJPT or PNPT. Knowing how important certain security headers are for the security of a website, it is a little surprising that no training platform I have used mentions them in any great detail. That’s not to criticise these courses unfairly; they are exceptionally good resources for anyone studying to become a penetration tester.

Since joining Sentrium, my main goal has been to get to a standard where I can work on client engagements, but I have been given time to continue my training and I haven’t been rushed into testing. After numerous conversations with the team, I feel like an investment, and not just a number on some HR documents. They want to help me improve in every way: my writing skills, my testing methodology, and my coding.

I have shadowed multiple web application penetration tests and external infrastructure pentests already in my short time at Sentrium. Each time the team have given me guidance on best practices and tricks of the trade to help. I make sure to take plenty of notes, recognising that certain details may slip my memory, yet I am confident that this will become more manageable with time.

Sitting on an assessment is completely different to a CTF, which I did expect, but it will take a little getting used to. On platforms like THM or HackTheBox, the primary focus typically centres around obtaining a shell on the target system, often overshadowing other considerations or functionalities of the web application. However, testing a real web application requires a different approach, as we must ensure comprehensive examination of all functionalities.

If I could go back six months and advise myself, I would emphasise the importance of dedicating more time to studying web applications, particularly through resources like PortSwigger. Before joining Sentrium, I recognised that my proficiency in web application testing needed improvement. However, I underestimated its significance, believing that excelling in easy and medium HTB machines was sufficient. Looking back, I realise this mindset was somewhat naive. In today’s world, strong skills in web application testing are indispensable, and I now understand the critical need to prioritise and enhance them. I’m particularly grateful to Sentrium for providing me with the opportunity to refine my web testing methodology, but I cannot stress enough how important this aspect is for anybody studying to become a penetration tester.

Penetration testing certifications and training

I have completed both the eJPT and PNPT certifications, yet my experiences with these certifications have led me to question potential areas that might have been overlooked. When I took the eJPT on October 21st, 2022, it was version 1, but since then, they have updated to version 2, which I haven’t encountered yet. Hence, any points raised here refer to the older version and may be outdated at the time of writing.

Without THM, my journey in cybersecurity would never have begun. Not only does THM offer CTFs to test your skills, but it also provides excellent learning paths that guide you from being a novice to understanding the core principles and fundamentals necessary for success in this industry. The only aspect I wish THM focused on more is web application testing; however, for this, you can utilise another free resource in PortSwigger’s Academy.

PortSwigger’s Academy stands out as a premier resource for web application testing, offering comprehensive content entirely free of charge. Since joining Sentrium, I’ve dedicated the majority of my first few weeks to this platform, and I’ve observed a significant improvement in my methodology and bug detection abilities. For anyone considering entering the industry as a junior penetration tester, I highly recommend PortSwigger’s Academy as the go-to resource for web applications. Looking back, I wish I had explored it more extensively in the past.

The eJPT certification served as an excellent entry point for me, providing valuable hands-on experience with essential tools like Metasploit, Nmap, Nessus, and Hashcat, all of which have been instrumental in my journey so far. Reflecting on my experience, I believe that their web module wasn’t optimal at the time. While it covered essential skills necessary for a web application tester, I felt it lacked the depth required for a junior-level penetration tester. However, it’s worth noting that eLearnSecurity updated their eJPT certification in 2023, significantly expanding the course content from 46 hours to 144 hours.

PNPT focuses on Active Directory and network testing while also providing insights into the life of a penetration tester. It covers essential aspects required to excel in this field, including Linux fundamentals, networking, report writing, client debriefs, OSINT, and more. Notably, PNPT is updated regularly, and purchasing the exam grants lifetime access to their ‘Practical Ethical Hacking’ course. Based on my limited experience, I highly recommend PNPT for those considering certifications, as it closely mirrors real-world penetration testing scenarios.

The PNPT certification has been instrumental in shaping not only my technical skills but also my understanding of the ethical and legal dimensions of penetration testing. Sections like ‘A Day in the Life of a Penetration Tester’ and ‘Legal Documents and Report Writing’ have proven to be invaluable in my journey searching for a role. It’s a testament to the depth and relevance of the certification that aspects I initially overlooked are essential to becoming a security consultant.

One significant issue I’ve noticed with many training platforms and certifications is the dominance of major vulnerabilities in the assessments. While this serves to gauge someone’s passing merit, it may not adequately simulate real-world scenarios. I would love to see a certification that includes multiple applications or networks to test, where only one contains major vulnerabilities, while others involve smaller misconfigurations or are secure. Such an approach would better equip candidates for a career as security consultants and mimic real-life engagements more effectively, as not every application will be vulnerable to SQL injection.

Looking forward and final thoughts

Looking forward to my next few months as a junior penetration tester, I know there’s still a long journey ahead of me. I feel incredibly privileged to be in this position at Sentrium. Here, I’m afforded the time to learn and grow while being compensated for something I would primarily be doing in my spare time. Moreover, I have the opportunity to collaborate with colleagues who are experienced consultants with diverse backgrounds, generously sharing their wisdom and expertise with me on a daily basis. Their guidance will undoubtedly aid me tremendously on my journey toward becoming a successful consultant.

My focus for the next few weeks is being able to find and understand common web application vulnerabilities and misconfigurations thoroughly. I aim to answer three fundamental questions about each vulnerability:

  1. What is the vulnerability?
  2. What can you use the vulnerability to do?
  3. How do you remediate the vulnerability?

I believe that if I can answer these three simple questions for most common vulnerabilities, I will be better equipped as a consultant to test client applications and communicate these findings to a client professionally.
