TLDR-It’s not all pen-testing!
My 2 cents on a day in a pentester's life from the vantage point of someone who does it (sometimes) but observes it (a lot). TLDR - it is not all pentesting!
Originally published on Quora (https://www.quora.com/How-is-the-day-of-Penetration-tester-will-be) by your truly, as an answer to a question.
Planning / Coordinating / Scheduling for a test
Arguably, one of the most important activity (sometimes, more important than the actual activity, i.e., pentest).
It involves one or more of the following activities:-
1. Understanding the scope (or getting it clarified with customer);
2. Guesstimating the time required to complete the test (and to provide the report);
3. Checking your calendar (and that of your team) to identify the potential dates for the test;
4. Preparing documentation about the pentest (scope, out-of-scope, constraints, assumptions, possible dates, deliverables, etc.), and
5. Communicating the dates to your customer.
Performing a test
This is where the rubber meets the road.
It may involve any type of test, viz.
- Network pentest
- Web application pentest
- Mobile application pentest
- IoT pentest
- Cloud pentest
- Compliance Test, etc.
Most importantly, this activity also involves using a note taking tool to capture all the evidences (screenshots, PoC videos, etc.). In some cases, collaboration tools like faraday, attackforge, dradis pro, etc. are utilized to ensure that all data related to the pentest are captured.
Preparing a report
Probably most boring, but one with the highest imapct (to customer). it usually involves
- adding all the evidences related to the pentest in one of the company-approved report formats / templates.
- adding more details (e.g., executive summary, updating impact statements, severity ratings, etc.)
- internal reviews, updates (if any)
Discussions with customer post report submission
This may happen more frequently than you can imagine and can be stressful if you are not prepared in advance!
The days of automated scans-to-metasploit-takeovers are over. Due to increasing awareness on security and the glamour associated with pentesting, customers have gained knowledge on different aspects of pentest. In many cases, you will find another pentester on the customer side, validating your findings!
In those conditions, you are likely to be asked questions on each finding. Expect to be challenged.
CTF / Bug Bounty / Reading
Although you may not get time for this, it may still happen during leaner stretches of time. It may also happen during pentesting as well. These activities are all part of continued learning that a penetration tester has to go through during his tenure as one.