Note: this will be updated in the future to make it a bit better; it’s just a draft to get something out there.

A fair number of people have been asking me what I do day to day as a security consultant, so I thought I would write this post so I can redirect everyone here.

The title of “security consultant” doesn’t say much; a more accurate title would be penetration tester. However, the “consultant” part does come into play. The day-to-day of a penetration tester/security consultant depends on where you work:

  • a consultancy/firm
  • an internal team.

I’m at a consultancy, so I get a variety of different types of jobs/clients (I’ll make a consultancy vs internal team post at some point), such as:

  • internals (internal network tests: starting as a low-privileged user on the internal network and escalating to higher privileges)
  • externals (external tests: starting from the internet-facing perimeter and trying to get a foothold on the internal network)
  • web application assessments (self explanatory)
  • compiled application testing (also self explanatory: thick clients, mobile apps and other binaries)
  • OSINT gathering (open source intelligence, aka stalking the company for juicy deets using only publicly available information)
  • smart contract auditing (similar to code review, but targeted at smart contracts)
  • and many more.

The week generally begins with checking emails and your schedule. Once you know what jobs you have for the week, you can plan it out. For the sake of this post we’re going to assume a simple 5-day external job. The split is 3 days for testing and 2 days for reporting. Most externals I’ve done have been 10 days with the same proportions, but for simplicity let’s stick with 5.

Given that you know it’s an external, you’ll need to check that you have:

  • VPN access (if required)
  • a list of what is/isn’t in scope (usually covered in the Statement of Work), including the IP ranges and domains you are allowed to touch
  • if there’s a subdomain takeover phase, a list of subdomains the client wants you to focus on (or, for some clients, a DNS zone transfer of the domains in scope)

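The scope check above is worth automating rather than eyeballing, because the thing that gets consultants into trouble is testing a host that turns out to belong to a third party. The script below is an added example, not from the original post: it takes in-scope entries as they might appear in a Statement of Work appendix (bare hostnames, wildcard domains, single IPs, CIDR ranges) and sorts a candidate subdomain list into hosts you can test, hosts you must not, and hosts where the name and the address disagree and you need to go back to the client. All hostnames and addresses are constructed (RFC 5737 documentation ranges), and the candidate list is pre-resolved so it runs offline; in practice you would resolve each name yourself and keep the answers as evidence.

```python
"""Scope sanity check before starting an external engagement.

Added example, not the original post's code. Every name, address and range
here is made up for illustration; the in-scope list mimics an SoW appendix.
"""
import ipaddress

# Constructed scope as it might appear in a Statement of Work (hypothetical).
IN_SCOPE = [
    "*.example.com",        # any subdomain of example.com, and example.com itself
    "portal.example.net",   # one specific host only
    "203.0.113.0/24",       # documentation range standing in for a client /24
    "198.51.100.7",         # single address
]

# Constructed candidate list with pre-resolved addresses so the check runs
# offline. In practice resolve each name and record the answers.
CANDIDATES = {
    "www.example.com": "203.0.113.10",
    "dev.api.example.com": "203.0.113.22",
    "portal.example.net": "198.51.100.7",
    "mail.example.net": "198.51.100.8",     # name and address both outside scope
    "old.example.org": "203.0.113.250",     # name outside scope, address inside
    "cdn.example.com": "192.0.2.15",        # name inside scope, address outside (CDN?)
}


def _split_scope(entries):
    """Sort SoW entries into exact names, wildcard suffixes and IP networks."""
    names, wildcards, nets = set(), set(), []
    for raw in entries:
        entry = raw.strip().lower()
        if entry.startswith("*."):
            wildcards.add(entry[2:])
            continue
        try:
            # A bare IP becomes a /32 (or /128) network; strict=False tolerates host bits.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry)
    return names, wildcards, nets


def name_in_scope(host, names, wildcards):
    """True if the hostname is listed exactly or covered by a wildcard entry."""
    host = host.strip().lower().rstrip(".")
    if host in names:
        return True
    # *.example.com covers example.com itself and anything ending in .example.com,
    # but not notexample.com.
    return any(host == w or host.endswith("." + w) for w in wildcards)


def ip_in_scope(ip, nets):
    """True if the resolved address falls inside any in-scope network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_scope(candidates, scope):
    """Return a verdict per host: in-scope, out-of-scope, or ask-client.

    ask-client is the interesting case: the name is in scope but resolves
    somewhere the SoW does not cover (shared hosting, a CDN, a SaaS vendor),
    or an in-scope address is fronted by a name nobody listed. Either way you
    pick up the phone before sending traffic.
    """
    names, wildcards, nets = _split_scope(scope)
    verdicts = {}
    for host, ip in candidates.items():
        by_name = name_in_scope(host, names, wildcards)
        by_ip = ip_in_scope(ip, nets)
        if by_name and by_ip:
            verdicts[host] = "in-scope"
        elif by_name or by_ip:
            verdicts[host] = "ask-client"
        else:
            verdicts[host] = "out-of-scope"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(check_scope(CANDIDATES, IN_SCOPE).items()):
        print(f"{verdict:13} {host}")
```

The three-way verdict is the point: a plain in/out answer hides exactly the cases where the "consultant" part of the job kicks in, and a written answer from the client on those hosts is what protects you if a third party complains later.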
Now say that you don’t have one or more of these pieces of information, or some other tidbit. That’s where the “consultant” part of the role comes in: you actually have to be able to pick up the phone or write an email to the client and ask for what you are missing. It also plays a part pre-job, when you’re scoping the piece of work out, as well as post-job, when you’re presenting the report/findings to the client’s executives. In other similar roles, these consultative responsibilities may be handed off to other parts of the business (e.g. scoping to sales/pre-sales). Personally I enjoy the consultative aspect of the role, as I get to interact with clients rather than sit in a back office just hacking away and not interacting. But some prefer that, and power to them.

From there you’ll carry on with your job (to go into this any further would be another post), and deliver a report at the end of the engagement.

From the list of job types above, this might seem quite overwhelming, as you’d be thinking to yourself “How is one supposed to be good at all this?”. Well, the answer is: you don’t, but you also sorta kinda do. What I mean by this is that you’ll generally start out doing web application tests/externals/internals, as these assessments are the bread and butter of most security firms. From there, as you progress, you’ll find that you have an affinity for, or just enjoy, a certain aspect of security more than others, and you’ll start to specialise in that stream; this is the “you don’t” part. You’ll most likely get jobs that align with your speciality (if your firm is good), however from time to time you’ll get things outside your comfort zone. This is where you “also sorta kinda do”.

On the whole, it’s a rewarding career path where you’re constantly learning, and from which you can pivot into various other security paths.