An often undiscussed topic in the pentesting world: what truly sets a senior penetration tester apart from a junior or mid-level consultant? Today, you get my thoughts on this! If you are not a senior but want to climb the ladder, read on, you may learn a thing or two (or you’ll disagree, which is also fine)!

You see, there are thousands of blogs about how to get better technically at pentesting. Hell, there are entire platforms dedicated to it. But very few target the less technical side, the side that focuses on your personality, your characteristics, your unique charm! So, here we are.

Disclaimer: Views are my own, naturally, and never reflect my company or previous employers.

Introduction

First off, welcome to my new home. Do you like it? I hope so. This blog is now hosted on Hugo, rather than my old blog which ran on Ghost. It felt overkill, you know, having a database and barely using any of the features. Alas, I rebranded, how clean it is too. Indeed, I never wanted more than a place to share my thoughts and ramblings, so this should be fine for now.

So today I wanted to talk about seniority. Not getting old. But seniority as a penetration tester. This was a topic I saw raised recently by Erik Cabetas (Include Security) and it got me thinking… Why was I bestowed the senior role? Was it technical? Was it my charming personality? What about my ability to delegate? My nice smile?!


We give titles out and no doubt infer a sense of security and competence based on these, and I presume our clients do too! How much of a relief it would be to know you have a senior doing the testing over a graduate (not naming orgs here, but I very much disagree with any practice of a ‘pentest’ being performed solely by a junior without considerable oversight).

So I put my head into thinking mode and came out with the following attributes. If you lean into them, I believe you will have a far greater chance of climbing the corporate ladder and becoming a better pentester by the day. You may disagree, or you may agree, both are great! Oh, these are not in any particular order, and the absence of trait X does not mean someone is unfit, in my eyes, to hold the title. They are merely things that I think HELP someone become senior.

Project Management and Organization

First up: managing projects. Multiple projects concurrently, too. In my opinion, a senior understands the end-to-end process well enough to wear many hats effectively each day. They can often switch from talking to a client about their upcoming test, to sending a previous report, whilst also scanning and working on their current engagement.

They do this because they stay organized with checklists, scribbled to-do lists, and alarms on their phone. They can have a busy day of calls and a tight report deadline but somehow manage to produce it at 5pm, looking as good as ever, because they had already planned ahead for the deadline. Furthermore, they can often prioritize tasks well, without getting sidetracked by the one that feels the most productive and makes them look busy (action-faking I believe they call it, a play on action-taking).

Often, this efficiency allows people further up the chain (managers, directors, founders) to then focus on the strategy of the business, rather than worry about the day to day. Want to climb the ladder? Become a master of organization.


Building Relationships (Yes, Make Friends!)

A senior perhaps remembers that Joe from HurricanezAI (a fictitious startup for this post) went snowboarding last year and then notes that down to ask if he’s going again this year. They continue to remember previous clients’ tech stacks so that in the event of a nasty bug dropping, they can drop them a quick email to check they saw it and are aware it exists.

Alas, we can deduce that whilst the senior is naturally mostly focused on nailing their day to day assessments, they are also somewhat involved in maintaining and growing relationships, which is especially important for smaller consultancies who may not necessarily be performing multiple job types for their clients (i.e. they are less likely to bundle an audit, pentest, and IR contract to tie a company in).

I guess this same advice applies to generally just being a likeable individual, but try it! You have nothing to lose here.

Clear Communication

A senior is able to convey their thoughts clearly and articulately, whether internally in a team meeting or externally during a kick-off call or debrief with a client. In particular, I would expect them to be able to distill complex topics down into simple terms. You do not have to be an expert at this, but having the awareness to try and do it naturally is important. Over time, this will improve, as your repertoire of anecdotes will increase and start to flow without you having to think.

I’m sure that everyone starts with:

So DNS is like the phonebook… of the internet…

Over time you stop discussing specific ports and start talking about generic doorways into and out of the company. You start to talk about vulnerability categories and discuss overarching themes of a client’s weaknesses, rather than explicit vulnerabilities. Perhaps you’re able to explain why allowing legacy multicast protocols is an issue, without gargling LLMNR and NBT-NS acronyms! I doubt they care about the name of the protocol, yet I’m sure they do care that it led to full network compromise in 2026.

However, do bear in mind that you need to temper this to your audience: Are they technical themselves? Or are they an executive? Ahh, a senior will automatically switch to these modes when needed too.

Practice this! It does not happen overnight, and talking to your monitor for 30 minutes before a call is not crazy (promise).


Systemic and Chained Vulnerability Mindset

A senior has started to think in systems and goes beyond the initial vulnerability discovery. Let’s say you have an IDOR and can update the settings in a different tenant. Your first instinct may be to change the other tenant’s profile image, or name of their company, to show impact. You bet! Reputational damage! Powerful! And you are not wrong!

But the senior may realise that you can set up an IDP using Okta in your own tenant. OK, so what if you can update the other tenant’s settings to use your IDP? Then you may have escalated it to account takeover across tenants! But you realise you need to know a username that exists in the target tenant. Now you’re hunting for endpoints across the application that you can use to leak users across tenants, which leads to another issue - Unnecessary Data Exposure! But you need tenant IDs… Ah, you find an endpoint to leak that in the JS too!


In your report you list them as separate issues, but you discuss in the Impact section how they may be used in tandem. You justify their severity beyond the realm of theory. You can apply this to basically any vulnerability class. If you are finding surface-level issues but not trying to escalate them, you are still doing a great job - the fix probably remains the same.

But sometimes, clients need a little more to actually want to fix it. Consider what sounds better:

We can update another tenant’s settings.

Or…

We can update another tenant’s settings, which leads to us being able to take over any account on the application.

The senior evaluates and then states the problem and an explicit outcome.
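As an added example (my code, not from the original post), here is the kind of multi-tenant settings handler that carries the IDOR described above, beside a hardened version that scopes the write to the caller’s own tenant and treats the IdP change as an admin-only operation. The store layout, function names, roles and URLs are all hypothetical.

```python
"""Added example, not from the original post: a multi-tenant settings
endpoint with the IDOR described above, beside a hardened version.
Store layout, function names, roles and URLs are hypothetical."""
from copy import deepcopy

# Constructed sample store: each tenant carries its own SSO/IdP configuration.
SAMPLE_TENANTS = {
    "t-100": {"name": "Acme Ltd", "idp_metadata_url": "https://idp.acme.example/metadata"},
    "t-200": {"name": "HurricanezAI", "idp_metadata_url": "https://idp.hurricanez.example/metadata"},
}

ALLOWED_KEYS = {"name", "idp_metadata_url"}
PRIVILEGED_KEYS = {"idp_metadata_url"}   # changing the IdP re-routes every login


class Forbidden(Exception):
    pass


def fresh_store():
    """Copy of the sample data so each call starts from a known state."""
    return deepcopy(SAMPLE_TENANTS)


def update_settings_vulnerable(store, session, body):
    """Trusts the tenant_id in the request body. Any authenticated user can
    therefore rewrite another tenant's settings, including its IdP URL,
    which is the first link of the chain described in the post."""
    tenant = store[body["tenant_id"]]
    tenant.update({k: v for k, v in body.items() if k != "tenant_id"})
    return tenant


def update_settings_hardened(store, session, body):
    """Scopes the write to the caller's own tenant (taken from the session,
    never from the body), rejects unknown keys, and requires the admin role
    for an IdP change. The chain cannot start here."""
    if body.get("tenant_id", session["tenant_id"]) != session["tenant_id"]:
        raise Forbidden("tenant mismatch")
    unknown = set(body) - ALLOWED_KEYS - {"tenant_id"}
    if unknown:
        raise ValueError(f"unknown settings keys: {sorted(unknown)}")
    if PRIVILEGED_KEYS & set(body) and session["role"] != "admin":
        raise Forbidden("admin role required to change IdP configuration")
    tenant = store[session["tenant_id"]]
    tenant.update({k: body[k] for k in body if k in ALLOWED_KEYS})
    return tenant


def demo():
    """A member of t-100 tries to point t-200 at an IdP they control.
    Returns (vulnerable result, hardened result, hardened outcome)."""
    session = {"user_id": "u-1", "tenant_id": "t-100", "role": "member"}
    body = {"tenant_id": "t-200", "idp_metadata_url": "https://idp.tester.example/metadata"}

    vuln = fresh_store()
    update_settings_vulnerable(vuln, session, body)   # silently succeeds

    hard = fresh_store()
    try:
        update_settings_hardened(hard, session, body)
        outcome = "allowed"
    except Forbidden:
        outcome = "forbidden"
    return vuln["t-200"]["idp_metadata_url"], hard["t-200"]["idp_metadata_url"], outcome


if __name__ == "__main__":
    print(demo())
```

The fix for the chain is the same as the fix for the surface-level IDOR (derive the tenant from the session), which is the point made above; the admin-only rule for IdP changes is the extra control a practitioner would want once they see what the settings write can be escalated into.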

Persistence and Going DEEPER!

For me… A senior needs to be a little like a sniffer dog. They are a little obsessive over finding issues (though not unhealthily like I am). They probably don’t relax until they have a good finding on an assessment. If they are doing the same assessment as they did the year before, they should (generally) find something they missed the year before, as they’ve both improved their skills, and are hungrier for more from that particular client.

A tester who continuously adds new and unique issues to their reports is more likely to be considered senior, as they follow the theme of continuous improvement and embody how an adversary acts: relentless. Alternatively, if you continually put the same issues in your reports because you’re comfortable finding them, and rarely try new techniques or hunt for recent bugs using new methods, you’re restricting your ability to develop technically, not making the strongest case for promotion up the ranks… And ultimately doing your client a disservice!

Want to climb the ladder? Never stop improving your personal methodology. Read blogs. Don’t be scared to try new techniques!

Wider Contributions, Discussions, and Mentorship

Speaking of new techniques, a senior is raising these to their team’s attention and trying to start discussions. Yes, whilst being an exceptional pentester and a lone wolf is a valid way to spend your career, engaging as part of a wider team regularly and sharing the latest and greatest hacks is both liberating from a social perspective, and helps everyone grow technically. As a senior, your task is to help nurture, guide, and mentor those around you in your specialist field. For me, this is especially important in such digital times, when many firms no longer meet up physically; this is all the socialising you get at work! What better way to spend it than trying to understand a new topic that a colleague shared from a bug bounty report?!

Mentorship, you will also find, is a great way to start moving towards that senior title. There is equal value in being available for a new starter or junior consultant when they have process and organizational questions as well as being technically supportive. Hell, maybe you even offer emotional support and become someone they can talk to, if you’re enough of an empath.

Wanna become a senior? Start sharing quality with the rest of your team. If a channel doesn’t exist to share these, create it. Drive discussions about process improvement that benefits everyone. Stop being an observer performing the same repetitive tasks in your workflow and start enhancing your processes. Be the one to just get sh*t done!


Log, Log, Log

Probably one of the most important skills I look for when talking to non-senior consultants is the quality of their notes. A mistake I made early on in my pentesting career was finding a wicked SQL injection in a heavily, heavily tested bit of software. But I didn’t even realise I’d found it! Nothing on my end had triggered anything to suggest an injection, despite it being found as part of an Active Scan. Anyway, the client reached out as they had an alert and asked me to look into it. Haha, how my heart sunk when I realised the default log size on Burp was tiny and that it did not persist between reboots, despite having a project for the test (only repeater and proxy history saved).

Well, you bet I never had that happen again. Logger++ and regular auto exports. I never suffered from such a situation again, but also, I wouldn’t let myself.

A senior accounts for these eventualities and knows the value of logging, both in their notes and their tooling. This is especially important (in my opinion) for internal networks. I don’t want someone asking if the credential dumping alert on WKSTN-12ab0f is me and then not being able to confirm it properly. Furthermore, imagine you, as a consultant, suddenly go off sick. I come to finish your test, but your notes don’t really tell me where you got to, what you’d tested already, what looked funky or threw an interesting error.

It’s kind of like insurance; you may never need the notes, but hell, when you suddenly do need them, you need them.
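As an added example (my code, not from the original post), here is a minimal structured tester activity log of the kind that answers the “was that alert on WKSTN-12ab0f you?” question and can be auto-exported regularly as JSONL alongside your tool logs. The function names, fields and sample entries are constructed; the hostname comes from the text above.

```python
"""Added example, not from the original post: a structured activity log
for an internal engagement that can be queried by host and time window
and exported regularly. Field names and sample entries are constructed."""
import json
from datetime import datetime, timedelta, timezone


def log_action(log, host, action, tool, source_ip, when=None):
    """Append one entry. Timestamps are stored in UTC so they line up with
    the client's SIEM regardless of the tester's local time zone."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "ts": when.astimezone(timezone.utc).isoformat(),
        "host": host,
        "action": action,
        "tool": tool,
        "source_ip": source_ip,
    }
    log.append(entry)
    return entry


def actions_near(log, host, alert_time, window=timedelta(minutes=10)):
    """Entries against `host` within +/- window of the alert time, oldest
    first. Hostnames are compared case-insensitively because the SOC's
    alert and the tester's notes rarely agree on case. An empty list is
    itself an answer: it was not us."""
    hits = []
    for entry in log:
        ts = datetime.fromisoformat(entry["ts"])
        if entry["host"].lower() == host.lower() and abs(ts - alert_time) <= window:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["ts"])


def export_jsonl(log):
    """One JSON object per line, the shape most log tooling ingests directly;
    call this on a timer so a crash or reboot loses minutes, not days."""
    return "".join(json.dumps(entry, sort_keys=True) + "\n" for entry in log)


# Constructed sample log for a fictional engagement (times in UTC).
T0 = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
log_action(SAMPLE_LOG, "WKSTN-12ab0f", "credential access test (in scope, client approved)",
           "hypothetical-tool", "10.10.5.7", T0 + timedelta(minutes=3))
log_action(SAMPLE_LOG, "FS01", "SMB share enumeration",
           "hypothetical-tool", "10.10.5.7", T0 + timedelta(minutes=20))


if __name__ == "__main__":
    # The SOC asks about an alert on WKSTN-12ab0f at 14:05 UTC.
    for hit in actions_near(SAMPLE_LOG, "wkstn-12ab0f", T0 + timedelta(minutes=5)):
        print(hit["ts"], hit["action"], "from", hit["source_ip"])
    print(export_jsonl(SAMPLE_LOG), end="")
```

The source IP is recorded deliberately: on an internal test the blue team usually correlates on it, and “yes, 10.10.5.7 at 14:03 UTC was me” closes an incident far faster than “probably me, around two-ish”.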


Certifications (HOT TAKE)

Ahh Toby, seriously? You think a certification defines seniority? Haha. No. But I do think they demonstrate baseline technical ability in a specific realm, which in turn, helps you become more suited for a senior position. Also, it depends how you went through it. Did you blaze through it to get to the exam, ask some people on Discord for tips, then pass it to just get that Credly badge? Or did you take the time to learn the content, inside and out, and now you happily demonstrate that to a technical client on a debrief when they ask why you suggested X fix instead of Y?

Also, once you’re in the club, it’s very easy to cruise (IMO) and be a ‘steady eddie’ sort of pentester who stops developing. Certifications, in my opinion, can be evidence that someone is continually adding to their knowledge arsenal, and perhaps, worthy of taking a chance on.


Autonomy

This may seem obvious, but a senior should not need their hand held to perform their day to day activities in most situations. They should be able to be given a test brief in their specialist area and subsequently perform the test to the expected standards of the consultancy, every time. This includes instances where, perhaps, a new technology is in use. It is expected that they can research and subsequently create a testing methodology for said technology without needing help.

But stop Toby, they shouldn’t ask for help?! No. That is a very different thing. Autonomy is described in the Oxford dictionary as:

the ability to act and make decisions without being controlled by anyone else

That does not mean no questions. In fact, being comfortable asking questions is a trait I believe also points towards seniority. However, the senior decides on either direction X or Y as per their own prerogative. It is the ability to decide between A and B based on data and experience.

If you want to become a better and more senior consultant, look at your day to day workflows. Look at your client interactions. Identify areas where you could be more autonomous and, once you have checked it is aligned with your manager’s view of your ability, take the initiative!

Closing Thoughts

I often see yearly promotional cycles in several bigger firms, whereby, provided you aren’t making a complete mess of your role, you are lifted up a tier yearly. I don’t think this is a good way to judge seniority. Not only does it hamper those putting in extra work to upskill early (whom you’ll likely then lose to other firms), but it may also result in a barrage of potentially unqualified seniors who coasted just enough to get through each year. I’m not saying there’s anything wrong with doing the minimum - I think that’s a perfectly valid choice in employment - but I do question whether it should result in seniority being assumed. Alas, that’s another debate.

Bye, all!

If you got this far, thanks for reading! I appreciate your time - Feel free to ping me on LinkedIn if you want to discuss anything I mentioned here, or perhaps, something I missed!

I hope your reaction to the new blog was somewhat similar to the clip below:

reacting to my new home

Lots of stuff in the pipeline, lots of learning, leaning into new technologies, feeling stupid, constantly… Catch you later!