Hands-On Pen Testing Experience: Its Importance and How to Get It

by James Stanger | Mar 04, 2019

Test your pen test skills with the Immersive Labs challenge.

Even before we released CompTIA PenTest+, I had a strong feeling that not all was well in the pen testing world. You see, there have been so many environmental changes:

  • Morphing Endpoints: First with mobile devices, and now with the internet of things (IoT), the endpoint has changed radically in a short period of time.
  • Dissolved Perimeters: The terms ingress and egress mean radically different things today, now that we’ve seen true cloud adoption over the past three years.
  • Suspect Hardware and Software: We’re seeing an absolute flood of software and IoT devices that, frankly, aren’t ready for prime time. This has led to an unprecedented spike in the size of our collective attack surface.

With these changes, even the very term penetration test, which implies an inside and outside, appears outdated.

In addition to these environmental changes, we’re also seeing some organizational challenges:

  • Lack of Skill: I’ve talked with many people who have bought pen testing services only to find that the skills of the people conducting the service are not much greater than those of a script kiddie. Even pen testers who know their stuff may not be able to differentiate between a pen test and a glorified hacking attempt.
  • The Checkbox Mentality: Some organizations still labor under the idea that a pen test is something you do to fulfill a quarterly obligation. If you don’t follow up on the pen test, you’ve got problems.
  • The Whack-a-Mole Mentality: I was discussing pen testing with a savvy group of IT pros recently and heard detailed stories about how some executives want to use pen testers alone to find and eliminate hacks. This approach doesn’t work very well: it leads to a selective view of security, to put it nicely, in which only the findings of the last test get attention.
  • Unclear Terminology: Some cybersecurity pros use the terms red team and pen testing team interchangeably, but others differentiate between the two. Those that differentiate say that the red team pursues the kill chain across an entire company while a pen tester attacks a specific vulnerability on a specific server or platform. If we can’t define our terms, then how can we move forward at all?
  • Seeking Automation: For almost 20 years, I’ve heard about how automation can replace a pen test. One IT pro even told me how he had to explain that the free Amazon Web Services (AWS) vulnerability scanner wasn’t the same as a pen test. While it’s important to respect an executive’s urge to save money and automate repetitive tasks, vulnerability management just isn’t the same thing as a pen test.
  • The Gandalf Mentality: In response to my comment in a presentation that “we’re not Gandalfs,” an IT pro said to me, “Actually, we are wizards – we’re the ones that have the knowledge.” He’s got a good point. But, do you really need the pen testing prince of darkness to show up every time? I’ve received a decided “no” from almost every hiring manager and pen tester I’ve asked.

As you can see, there are a few problems in how organizations are responding to today’s environmental and business challenges. But, all is not lost. Even the checkbox, Gandalf and whack-a-mole folks agree that successful pen testers need hands-on experience. And, more companies are realizing that you have to take the information that pen testers generate and then have teams analyze that data.

Why Pen Testers Need Hands-On Experience

But, that experience message keeps resonating in my mind. Most courses get people to a certain peak of knowledge. Any good course does more than teach acronyms. It can teach best practices, as well as offer lab-based learning. That’s terrific and useful. But, hiring managers are looking for what I call a second peak of knowledge. It’s a peak that students often find elusive.

This second peak is attainable only if a specific set of conditions is met.

  1. First, you need an authoritative resource and mentor to teach that information.
  2. Second, you need immersive experience.
  3. Third, you need validation of that experience so you can start thinking more deeply about your knowledge base.

Only then will students be able to think independently and engage in the kinds of troubleshooting and problem solving that we look for in a pen tester. I’d call this my twin peaks analogy, but I don’t want David Lynch to sue me.

How to Get Hands-On Pen Testing Experience

How do you get to that second peak? One option is by participating in mini bootcamps, train-the-trainer courses, pen testing contests and other hands-on activities.

Together with a company called Immersive Labs, CompTIA put together a challenging and fun hands-on pen test. It should take folks just a few hours to complete, and we’re starting it right away. Complete the challenge by March 25, and you’ll be entered to win a prize pack including a CompTIA PenTest+ certification and courseware bundle.

Learn more and register on the Immersive Labs website.

9 Comments

  • Sudeep Banerjee

    Tuesday, March 5, 2019

    I am a Security portfolio manager in IBM.

  • Subrata Sarker

    Wednesday, March 6, 2019

    I am working as an IT Security Specialist.

  • Lamar Holmes

    Friday, March 8, 2019

    I am interested

  • John

    Friday, March 8, 2019

    Although I am not done with my certifications, I have started looking at the entry-level IT openings in a variety of industries. The jobs may be called "entry-level" but the hiring drones require at least 2 years of experience.

  • Santha

    Saturday, March 9, 2019

    I am nobody important 🤷🏼‍♀️😂

  • Ryan Rester

    Saturday, March 9, 2019

    I haven’t run a good CTF since the early 2000s. Things have changed so much but I’ve been trying to update my skillset. I was SO close on the PenTest+ beta... but it showed me I need something like interactive learning to bring me back to current. I’m looking forward to trying my hand at this and hope I’ll learn some updated skills. Thanks for the excellent article and the chance at something with which I might better myself. It will be an honor just to participate.

  • Shaikh Qadir

    Saturday, March 9, 2019

    I am a Risk and Compliance Specialist.

  • Clayton Lorenz

    Saturday, March 9, 2019

    I’m one of the ones having issues finding work and the “experience” that employers are looking for. A lot of them around me want someone with 5+ yrs experience, some with an active security clearance and others with a bachelor’s degree plus 5+ yrs experience. I have some experience, I hold some CompTIA certs, but none of that appeals to employers. Hell, some even laugh at the name CompTIA anymore and look for more specialized certs: CCNA Security, CEH, CISSP and so forth.

  • AbdulRasheed

    Sunday, March 10, 2019

    Wow, James, this is interesting. You hit the nail on the head: pen test experience is hard to get even with the certification under your arm. This is a good opportunity that should not be allowed to pass.
