Day in the Life: Penetration Tester
A realistic account of what penetration testing engagements actually look like, from scoping and reconnaissance through exploitation and reporting. Covers the common misconception that the job is primarily hacking, the engagement types, deliverable expectations, and how pentest work maps to the VSD domain.
Overview
Penetration testing is the practice of authorized, simulated attacks against systems, networks, and applications to identify exploitable vulnerabilities before real attackers find them. A penetration tester operates with explicit permission from the organization being tested, attempting to compromise targets using the same techniques that actual threat actors use.
The popular image of a penetration tester, drawn from movies and television, is a lone expert typing furiously in a dark room until systems yield. The reality is less dramatic and considerably more methodical. Professional penetration testing is a structured consulting engagement with defined scope, explicit rules of engagement, careful documentation at every step, and a written deliverable that is the actual product the client pays for.
The work is genuinely interesting and technically challenging. It is also predominantly research and writing. The ratio that experienced practitioners commonly cite is roughly 70% reconnaissance and documentation, 20% testing, and 10% exploitation. The exploitation phase, which is what most people imagine when they think of penetration testing, is the smallest portion of the work.
Within the Planetary Defense Model, penetration testing is a primary execution method for the VSD (Vulnerability and Surface Defense) domain's CSR (Continuous Surface Reduction) methodology. A penetration test provides empirical evidence about what attack surface actually exists and whether it is exploitable, which is the foundation of evidence-based surface reduction.
Role Description
Penetration testers conduct authorized security assessments across multiple engagement types. The specific work varies considerably by engagement type, but the overall structure is consistent across professional engagements.
Network penetration tests assess the external or internal network infrastructure: discovering live hosts, identifying open services, testing for known vulnerabilities in those services, attempting credential attacks, and attempting to escalate access from initial foothold to privileged position on the network.
Web application penetration tests focus on specific applications: probing for injection vulnerabilities, authentication weaknesses, authorization flaws, business logic errors, and the full range of OWASP Top 10 vulnerability classes. Web application testing is the most common engagement type by volume.
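As an added illustration of the injection class mentioned above (example code written for this article, not code from the original page or from any client engagement): a login query built by string concatenation beside its parameterized form, with the single-quote probe a tester sends first and two textbook payloads. The `users` table, credentials and function names are constructed for the demo, and sqlite3 stands in for whatever database the real target uses.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The bug: user input is spliced into the SQL text, so quotes, comments
    and operators inside the input are parsed as query syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """The fix: bound parameters travel as data and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def quote_probe_errors(login, conn) -> bool:
    """First manual probe from the Burp Repeater tab: a lone single quote.
    A database error on ' (but not on '') is the classic injection signal."""
    try:
        login(conn, "'", "")
    except sqlite3.Error:
        return True
    return False


def run_payloads(login, conn) -> dict:
    """Two textbook payloads against a given login implementation."""
    return {
        "legit": login(conn, "alice", "correct horse"),
        # Comment payload: closes the string and comments out the password check.
        "comment": login(conn, "alice' --", "wrong"),
        # Tautology payload: AND binds tighter than OR, so the trailing OR makes
        # the whole WHERE clause true and the first row comes back.
        "tautology": login(conn, "nobody", "' OR '1'='1"),
    }


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login errors on quote probe:", quote_probe_errors(login_vulnerable, db))
    print("vulnerable:", run_payloads(login_vulnerable, db))
    print("parameterized:", run_payloads(login_parameterized, db))
```

Against the vulnerable function both payloads return alice's admin row; against the parameterized one they return nothing and the quote probe produces no error. The same probe-then-payload sequence, with the evidence captured as request/response pairs, is what goes into the finding write-up.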
Social engineering engagements test the human element: phishing simulations, vishing (voice phishing), and in some cases physical access attempts. These engagements are legally and operationally sensitive and require especially careful scoping and authorization documentation.
Physical penetration tests attempt to bypass physical security controls: bypassing badge access systems, tailgating into secure areas, accessing unattended workstations. Physical testing is specialized work that carries more risk and requires highly specific expertise and authorizations.
Red team engagements are the most comprehensive form: multi-week or multi-month adversary simulations where the red team attempts to achieve specific objectives (exfiltrate a defined dataset, reach a specific system, maintain persistence for a defined period) while evading the organization's defensive capabilities. Red team engagements test the SOC's detection and response capability as much as they test controls.
The unifying thread across all engagement types is that the tester is providing an adversarial perspective: finding what is actually exploitable, not just what a scanner reports as potentially vulnerable.
Required Skills and Knowledge
Networking fundamentals are non-negotiable: TCP/IP protocol stack, routing and switching concepts, common application protocols (HTTP, DNS, SMB, LDAP, Kerberos), and how traffic flows through typical enterprise network architectures. A penetration tester who cannot interpret a network diagram or read a packet capture is not functional.
Linux and Windows administration at an intermediate level are both required. Most penetration testing tooling runs on Linux (Kali Linux is the standard distribution). Windows administration knowledge is essential because most enterprise targets are Windows environments: understanding Active Directory structure, Group Policy, user privilege models, and Windows authentication protocols is prerequisite for network penetration testing work.
Web application testing using Burp Suite is the central skill for web application engagements. Burp Suite's proxy allows interception and modification of every HTTP request and response, enabling manual testing that automated scanners cannot replicate. Understanding HTTP protocol mechanics (headers, cookies, request methods, response codes), session management, and the OWASP Top 10 vulnerability mechanisms is required.
Password attacks are a component of almost every network penetration test: cracking captured hashes offline with hashcat and John the Ripper, credential stuffing and password spraying, and understanding how common authentication systems store and transmit credentials (which hash algorithm, whether it is salted, and whether the wire protocol exposes something crackable).
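An added example (written for this article, not code from the original page, hashcat or John) of the mechanics behind offline cracking: a small rule-based dictionary attack against unsalted SHA-1 hashes, then the same attack against per-user salted hashes. The wordlist, the mutation rules, the salts and the captured hashes are all constructed here; a real engagement uses leaked-password wordlists and hashcat's rule files, but the cost structure is the same.

```python
from __future__ import annotations

import hashlib
from typing import Iterator

# Constructed mini wordlist; real attacks use multi-million-entry leak lists.
WORDLIST = ["password", "summer", "welcome", "letmein", "company"]


def mutations(word: str) -> Iterator[str]:
    """A handful of hashcat-style rules: as-is, capitalize, append a year,
    append '!', simple leet substitution. Ten candidates per word."""
    yield word
    yield word.capitalize()
    for year in ("2023", "2024", "2025"):
        yield word + year
        yield word.capitalize() + year
    yield word.capitalize() + "!"
    yield word.replace("a", "@").replace("e", "3")


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def crack_unsalted(targets: set[str]) -> tuple[dict[str, str], int]:
    """Unsalted hashes: each candidate is hashed once and compared against
    every captured hash at the same time, so cost is independent of user count."""
    found, attempts = {}, 0
    for word in WORDLIST:
        for candidate in mutations(word):
            attempts += 1
            digest = sha1_hex(candidate)
            if digest in targets:
                found[digest] = candidate
    return found, attempts


def crack_salted(records: list[tuple[str, str]]) -> tuple[dict[str, str], int]:
    """Salted hashes: the salt differs per user, so every candidate must be
    rehashed for every record. The wordlist still wins; it costs N times more."""
    found, attempts = {}, 0
    for salt, digest in records:
        for word in WORDLIST:
            for candidate in mutations(word):
                attempts += 1
                if sha1_hex(salt + candidate) == digest:
                    found[digest] = candidate
    return found, attempts


# Constructed "captured" material: two weak passwords and one strong one.
CAPTURED_UNSALTED = {
    sha1_hex("Summer2024"),
    sha1_hex("welcome"),
    sha1_hex("N0t-in-any-wordlist-7q"),
}
CAPTURED_SALTED = [
    ("a1", sha1_hex("a1" + "Summer2024")),
    ("b2", sha1_hex("b2" + "welcome")),
    ("c3", sha1_hex("c3" + "N0t-in-any-wordlist-7q")),
]


if __name__ == "__main__":
    found, n = crack_unsalted(CAPTURED_UNSALTED)
    print(f"unsalted: {len(found)} of 3 recovered in {n} hash computations")
    found, n = crack_salted(CAPTURED_SALTED)
    print(f"salted:   {len(found)} of 3 recovered in {n} hash computations")
```

Both runs recover the same two passwords; salting only multiplies the work by the number of users. What actually changes the economics is a deliberately slow, memory-hard password hash (bcrypt, scrypt, Argon2), which turns each of those attempts from nanoseconds into milliseconds.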
Privilege escalation on both Linux and Windows is a core skill for post-exploitation. After gaining initial access to a system, the tester typically needs to escalate to administrator or root privileges to achieve test objectives. This requires knowledge of common misconfiguration patterns, outdated software vulnerabilities, and OS-specific escalation paths.
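An added example (written for this article, not code from the original page or from any enumeration tool) of one Linux misconfiguration check run after a foothold: world-writable directories on the search path, where a cron job or script that calls a bare command name can be hijacked, and setuid binaries that are not part of the expected base set. The demo directory tree, the allowlist of expected setuid names and the `backup_agent` binary are constructed here; on a real host the audit runs against the actual `PATH` entries and the usual binary directories.

```python
import os
import stat
import tempfile

# Constructed, deliberately incomplete allowlist of setuid binaries expected
# on a stock system. Anything not on it gets checked against GTFOBins first.
EXPECTED_SUID = {"sudo", "su", "passwd", "mount", "umount", "ping",
                 "chsh", "chfn", "newgrp", "gpasswd", "pkexec"}


def audit_dirs(directories):
    """Return a list of (kind, path) findings for the given directories."""
    findings = []
    for d in directories:
        try:
            st = os.stat(d)
        except OSError:
            continue  # missing PATH entries are common and harmless
        if not stat.S_ISDIR(st.st_mode):
            continue
        # World-writable without the sticky bit: anyone can drop a binary here.
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append(("world-writable dir", d))
        for name in os.listdir(d):
            path = os.path.join(d, name)
            try:
                fst = os.stat(path)
            except OSError:
                continue
            if (stat.S_ISREG(fst.st_mode) and fst.st_mode & stat.S_ISUID
                    and name not in EXPECTED_SUID):
                findings.append(("unexpected setuid", path))
    return findings


def build_demo_tree():
    """Create a throwaway tree with one loose directory and one custom setuid
    file. Returns (root, suid_bit_set) because some filesystems refuse to
    record the setuid bit for unprivileged owners."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    bin_dir = os.path.join(root, "bin")
    os.mkdir(bin_dir)
    os.chmod(bin_dir, 0o755)
    loose = os.path.join(root, "tools")
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # the misconfiguration under test
    for name in ("passwd", "backup_agent"):  # one expected, one not
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o4755)
    suid_ok = bool(os.stat(os.path.join(bin_dir, "backup_agent")).st_mode & stat.S_ISUID)
    return root, suid_ok


def audit_demo():
    """Run the audit over the demo tree as if it were the PATH."""
    root, suid_ok = build_demo_tree()
    entries = [os.path.join(root, p) for p in ("bin", "tools", "missing")]
    return root, suid_ok, audit_dirs(entries)


if __name__ == "__main__":
    _, _, results = audit_demo()
    for kind, path in results:
        print(f"{kind:20} {path}")
```

The expected output is one world-writable finding for `tools` and one unexpected setuid finding for `backup_agent`; `passwd` is skipped because it is on the allowlist. In the field the allowlist is the distribution's known setuid set, and a hit is only the start: the next step is working out what the binary does with elevated privileges.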
Active Directory attacks have become a dominant skill requirement because most enterprise environments are built on AD. Kerberoasting (requesting service tickets for accounts that have an SPN and cracking the encrypted ticket portion offline), AS-REP roasting (requesting AS-REP messages for accounts with Kerberos pre-authentication disabled and cracking them offline), Pass the Hash, Pass the Ticket, and BloodHound (which ingests SharpHound collection data and graphs attack paths to Domain Admin) are all standard techniques. The Active Directory set added to the OSCP exam reflects how central AD has become.
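An added example (not part of the original article and not BloodHound's own code) of what BloodHound does with collected data: a breadth-first search over a small, constructed set of AD relationships to find the shortest path from a low-privilege user to the Domain Admins group. The principal names, edge types, the `CORP.LOCAL` domain and the Kerberoastable-account set are made up for the demo; SharpHound collection and the Neo4j queries are replaced by an in-memory edge list.

```python
from collections import deque

# Constructed relationships in the style of SharpHound edges: (source, relation, target).
EDGES = [
    ("JSMITH@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("JSMITH@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP", "WS02.CORP.LOCAL"),
    ("GUEST@CORP.LOCAL", "MemberOf", "DOMAIN GUESTS@CORP.LOCAL"),
]
# Constructed: accounts with an SPN set are Kerberoastable, so a hop that
# lands on one can be taken offline instead of needing a live session.
KERBEROASTABLE = {"SVC_BACKUP@CORP.LOCAL"}
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Adjacency list: node -> [(relation, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


GRAPH = build_graph(EDGES)


def shortest_path(graph, start, target):
    """BFS from start; returns the hop list [(src, rel, dst), ...] or None."""
    if start == target:
        return []
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == target:
                hops, cur = [], nxt
                while prev[cur] is not None:
                    parent, relation = prev[cur]
                    hops.append((parent, relation, cur))
                    cur = parent
                return list(reversed(hops))
            queue.append(nxt)
    return None


def explain(path):
    """Render a path the way it would appear in a report appendix."""
    lines = []
    for src, rel, dst in path:
        note = "  (Kerberoastable: SPN set)" if dst in KERBEROASTABLE else ""
        lines.append(f"{src} -[{rel}]-> {dst}{note}")
    return lines


def principals_reaching(graph, target):
    """Every node with outgoing edges from which target is reachable:
    the blast radius of a single compromised account."""
    return sorted(n for n in graph if shortest_path(graph, n, target) is not None)


if __name__ == "__main__":
    route = shortest_path(GRAPH, "JSMITH@CORP.LOCAL", DOMAIN_ADMINS)
    print("\n".join(explain(route)))
    print("principals with a path to Domain Admins:", principals_reaching(GRAPH, DOMAIN_ADMINS))
```

The route found here (helpdesk group, local admin on a workstation, a service account session on it, GenericAll over an admin group, group membership into Domain Admins) is the archetypal five-hop path BloodHound surfaces. `principals_reaching` is the defensive reading of the same graph: which accounts need to be cut off from that route.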
Report writing is a critical professional skill. The penetration test report is the deliverable: without it, the engagement has produced no lasting value. A professional penetration test report includes an executive summary (non-technical description of overall risk and most significant findings), technical findings (each vulnerability with evidence, risk rating, business impact, and specific remediation recommendations), and appendices with technical details. Reports for significant engagements are commonly 20 to 100 or more pages.
Career Path
Entry into penetration testing typically requires two to four years of foundational IT or security experience. The technical bar is genuine: testers who cannot enumerate a network, find and verify a web application vulnerability, and escalate privileges on a compromised system are not functional in the role.
Home lab practice is essentially mandatory for serious candidates: building virtual environments to practice network and web application testing, completing HackTheBox or TryHackMe machines, and eventually pursuing certification programs that include hands-on lab components. The IppSec YouTube channel, which provides detailed walkthroughs of retired HackTheBox machines, is widely regarded as one of the best free learning resources in the field.
Entry-level penetration testing positions (often titled Junior Penetration Tester or Associate Security Consultant) are available at consulting firms and some internal red team programs. Many practitioners enter consulting at the analyst or associate level and progress based on technical skill demonstrated in the field.
Mid-level and senior penetration testers typically specialize: web application testing, network testing, red team operations, cloud penetration testing, or mobile application testing. Senior testers lead engagements, manage client relationships, and contribute to proposal and methodology development.
Principal consultant, technical director, or red team lead roles represent senior individual contributor or management tracks. Some experienced practitioners move into adversary simulation leadership, CISO advisory roles, or build independent boutique consulting practices.
Certifications and Education
OSCP (Offensive Security Certified Professional): The most respected practical offensive security credential in the industry. The OSCP exam allows 23 hours and 45 minutes of hands-on exploitation against a set of systems in an isolated lab environment, followed by 24 hours to write a detailed penetration test report. The credential cannot be passed by memorizing knowledge: it requires demonstrating actual exploitation capability. Employers widely recognize OSCP as evidence that the holder can actually do the work. The current PEN-200 course and its exam (which now awards the OSCP+ designation) include a significant Active Directory component.
eJPT (eLearnSecurity Junior Penetration Tester, now offered by INE): An appropriate entry-level certification for practitioners who are not yet ready for OSCP. It establishes basic penetration testing methodology and tool proficiency.
PNPT (Practical Network Penetration Tester): Offered by TCM Security, the PNPT is a practical certification with a 5-day exam that has gained significant industry recognition as a more affordable alternative to OSCP. TCM Security's Practical Ethical Hacking (PEH) course is widely recommended as preparation.
CEH (Certified Ethical Hacker): EC-Council's certification is recognized in government and some enterprise contexts, particularly for compliance-driven hiring requirements. It is knowledge-based rather than practical and is not well-regarded among technical practitioners as evidence of hands-on capability, but it satisfies certain contractual requirements.
GPEN (GIAC Penetration Tester) and GWAPT (GIAC Web Application Penetration Tester): GIAC's penetration testing credentials are well-regarded in the industry. GWAPT specifically covers web application testing methodology at a solid technical level.
Education: Computer science, information systems, or cybersecurity degrees are common but not required. The penetration testing field is more credential-by-demonstration-oriented than most security disciplines: actual capability, demonstrated through certifications with practical components and a portfolio of engagements, carries more weight than academic credentials.
CDA Perspective
Penetration testing is the primary empirical validation method for VSD CSR (Continuous Surface Reduction). Security controls, hardening configurations, and vulnerability management programs all make claims about attack surface reduction. Penetration testing tests those claims against adversarial reality.
The CSR methodology emphasizes continuous reduction, not periodic assessment. A single annual penetration test is insufficient for environments that change continuously. Mature security programs incorporate penetration testing at multiple cadences: annual scope-comprehensive tests, quarterly assessments of high-risk areas, and continuous automated scanning that feeds the periodic manual validation cycle.
CDA operatives who conduct penetration testing as part of mission execution are not just performing a compliance activity. They are generating empirical attack surface data that feeds back into the VSD domain's continuous reduction cycle. Each finding is a data point: this surface was exposed, this control failed, this path to impact existed. That data shapes remediation priorities, detection rule development, and architecture decisions.
The OSCP-level technical standard is CDA's expectation for operatives conducting VSD CSR offensive security assessments. The OSCP credential demonstrates not just knowledge of technique but the ability to apply technique methodically against real systems under time pressure and produce a professional report documenting the work. That combination of technical capability and professional documentation is exactly what effective penetration testing requires.
Key Takeaways
- Penetration testing is authorized, simulated attack to identify exploitable vulnerabilities. The work is approximately 70% reconnaissance and documentation, 20% testing, and 10% exploitation.
- Engagement types include network penetration tests, web application tests, social engineering, physical tests, and red team adversary simulations. Each has distinct scope, authorization requirements, and technical demands.
- The penetration test report is the actual deliverable. An engagement without a clear, actionable written report documenting findings, evidence, risk ratings, and remediation recommendations has produced no lasting value for the client.
- Core technical skills include networking fundamentals, Linux and Windows administration, Burp Suite web application testing, password attacks, privilege escalation on both platforms, and Active Directory attack techniques.
- OSCP is the industry-recognized standard practical credential. It cannot be passed without demonstrating actual exploitation capability in a hands-on exam environment. TCM Security's PNPT is a well-regarded practical alternative at lower cost.
- Entry requires two to four years of foundational experience. Home lab practice, HackTheBox completion, and certification programs with hands-on components are the standard preparation path.
- In the PDM framework, penetration testing provides the empirical attack surface data that VSD CSR uses to drive continuous reduction. Each finding demonstrates real exploitable surface, making remediation prioritization evidence-based rather than theoretical.
Related Articles
Day in the Life: SOC Analyst
A realistic hour-by-hour account of what SOC analyst work actually looks like across a full shift, from handoff review to alert triage, investigation, escalation, and shift reporting. Includes the career progression path and an honest assessment of the demands and burnout realities of the role.
CISSP Preparation Guide
A comprehensive guide for the Certified Information Systems Security Professional credential, covering the CAT exam format, all eight CBK domains, experience requirements, the management mindset the exam rewards, study resources, and how CISSP aligns with the Planetary Defense Model.
Written by Evan Morgan