Full Report
There is a serious skills shortage in our industry. There are just not enough skilled hackers out there to fill all the open positions. In November of last year, I proposed a new approach for us at SensePost to address these concerns. I looked at what we could do as a company to ensure the next generation of hackers were being educated correctly (no, it's not about how you use a tool) and moulded into what we, at SensePost, perceive to be good penetration testers.
Analysis Summary
# Best Practices: Developing Skilled Penetration Testers Through Structured Training
## Overview
These practices derive from an internal corporate strategy (the 'SensePost Academy') aimed at addressing the industry-wide shortage of skilled offensive security professionals. The focus is on structured, multi-phase training that integrates **foundational technical skills** with **offensive attack methodologies** and essential **client interaction competencies** to mold effective penetration testers.
## Key Recommendations
### Immediate Actions
1. **Establish a Formal Recruitment Filter:** Implement rigorous interviews and selection processes so that recruits are chosen for aptitude (problem solving, curiosity, the ability to reason about how systems work) rather than for prior familiarity with particular tools.
2. **Define Core Competency Standards:** Clearly document the specific technical skills, attack methodologies, and professional interaction standards ('what we perceive to be good penetration testers') that every recruit must demonstrate before graduating.
### Short-term Improvements (1-3 months)
1. **Deploy Structured Training Modules:** Initiate a dedicated, structured training program (e.g., a 6-month academy model) for all new offensive security hires, combining formal coursework with hands-on guidance.
2. **Mandate Internal Training Rotations:** Integrate new recruits into sessions led by senior assessment team members to expose them directly to proven "ways of the pwnage" (advanced techniques and methodologies).
3. **Implement Continuous Performance Monitoring:** Establish a dedicated oversight body (e.g., a Review Board) responsible for grading, testing, and mentoring recruits through every phase of the training.
### Long-term Strategy (3+ months)
1. **Incorporate External Presentation Experience:** Require recruits to prepare and present security topics (e.g., at internal or external conferences) to develop communication skills and solidify their technical understanding.
2. **Develop and Attack Custom Applications:** Assign recruits the task of developing and subsequently breaking custom applications internally to test their ability to apply comprehensive offensive testing techniques beyond standard tool usage.
3. **Culminate Training with a Capstone Exercise (CULEX):** Institute a final, realistic end-to-end simulation (e.g., a fictitious client assessment followed by a client feedback meeting) that the recruit must complete independently, without assistance from senior staff.
4. **Implement a Formal Graduation/Certification Process:** Require a final Review Board vote and assessment decision after the CULEX to formally transition successful recruits into Junior Penetration Tester roles that no longer operate under Review Board supervision.
## Implementation Guidance
### For Small Organizations
- **Focus Heavily on Mentorship:** Where a dedicated review board is not feasible, pair each recruit with a single senior tester who acts as their primary mentor and grader for the duration of the 6-month academy period.
- **Leverage Free/Low-Cost Modules:** Prioritize training on foundational concepts (e.g., networking, operating system internals, core exploitation logic) over expensive, proprietary tool-specific courses.
### For Medium Organizations
- **Create a Dedicated Review Board:** Formalize a small cross-functional group (SARB equivalent) responsible for training oversight and standardization, ensuring mentorship scales with intake.
- **Mandate Client Simulation Training:** Begin mandatory role-playing sessions focusing on client communication, scoping, and reporting from the second month onward.
### For Large Enterprises
- **Standardize Tool-Agnostic Training:** Ensure the core curriculum emphasizes *understanding* of vulnerability classes and exploitation theory rather than proficiency in specific commercial tools, so that skills do not become obsolete when a tool does.
- **Develop Internal Knowledge Repository:** Require senior testers to document key findings and methodologies developed during their work to feed directly into the ongoing academy curriculum.
## Configuration Examples
*(Note: The source article focuses on pedagogical structure rather than specific technical configuration details. The following maps the structure to generalized security best practice implementation.)*
| Training Component | Desired Outcome / Configuration Goal |
| :--- | :--- |
| **Technical Training** | Mastery of core OS internals and network protocols (TCP/IP stack proficiency). |
| **Attack Training** | Ability to chain multiple low-severity findings into a critical path exploitation scenario. |
| **Client Interaction** | Successful completion of a "client feedback meeting" simulation assessed on professionalism and clarity. |
| **CULEX Environment** | The final assessment target is an isolated environment owned by the organization, so that no live client or production system is exposed to the exercise. |
## Compliance Alignment
While the primary goal is workforce development, successful adherence to this structured methodology supports the following governance objectives:
- **ISO/IEC 27001:2013 Annex A.7 (Human Resource Security, in particular A.7.2.2 awareness, education and training; control 6.3 in the 2022 revision):** Verifies personnel competence before staff are granted access to sensitive client systems.
- **NIST SP 800-53 (AT family, notably AT-3 Role-Based Training):** Provides a structured framework for specialized technical training beyond baseline security awareness.
- **NIST Cybersecurity Framework (Identify function, ID.RA Risk Assessment; Protect function, PR.AT Awareness and Training):** Strengthens the organization's capacity to identify risk by deliberately building competent assessors.
## Common Pitfalls to Avoid
1. **Focusing Only on Tool Mastery:** Avoid allowing training to devolve into simple command repetition. If recruits cannot explain *why* a tool works or devise an alternative attack path, training is insufficient.
2. **Lack of Independent Assessment:** Do not substitute senior staff oversight for genuine, unassisted testing during the CULEX phase. Hand-holding invalidates the purpose of the final evaluation.
3. **Ignoring Soft Skills:** Failing to integrate client interaction and professional presentation training will result in technically competent but ineffective penetration testers.
4. **Inconsistent Mentorship:** Allowing the oversight and grading process (SARB) to become inconsistent or subjective undermines the integrity of the final certification (Junior Tester status); graders should score against the documented competency standards, not personal impressions.
## Resources
- **Internal Documentation:** Comprehensive curriculum map defining competencies for each phase of the 6-month academy.
- **Methodology Documentation:** Internal standards defining "good penetration testing" practices (Attack Approach documentation).
- **Program Oversight Body:** Established SensePost Academy Review Board (SARB) structure for governance and grading.