What does a penetration tester do?

The Pentester is a certified ethical hacker, who performs penetration tests. These are authorized simulated cyberattacks on a computer system to assess an organization's security. Pentesters identify and resolve vulnerabilities that may affect digital assets and computer networks.

Learn more about the role from our exclusive 9-question interview with our Pentest Team Lead. 

Due to the nature and specifics of the profession, we won't disclose personal information about our colleague, whom we will refer to as Joe (or Jane) Doe.

Find below a brief overview of Joe (or Jane) Doe's many years of experience within cybersecurity: 

  • In 2011, Joe (or Jane) Doe started working as a freelance software developer.
  • In 2012, Joe (or Jane) Doe signed up for a couple of hacker forums, where they started to study the basics of ethical hacking and cybersecurity. 
  • In 2013, Joe (or Jane) Doe took a sabbatical, but returned re-energized and fully devoted to growing within the cybersecurity world. 
  • Joe (or Jane) Doe started their AMATAS journey in 2019.

Why did you choose to work at AMATAS? Describe the first steps you took within your AMATAS career. 

I joined AMATAS in 2019. The story goes that I was just about to leave for the United States, in search of better career opportunities, when a friend told me about AMATAS. They described it as: "a Bulgarian cybersecurity company that offers a range of innovative services in the field of cybersecurity and that it was also trying to set industry standards." 

Back in 2019, there weren't any Bulgarian cybersecurity companies that could provide a full range of services and solutions and, at the same time, prioritize professionalism and quality of work.

Thus began my Pentester career. I am responsible for security and risk assessment tests of servers, websites, and mobile applications. These controlled, simulated cyberattacks are performed by the so-called "White Hackers" or Pentesters. The position and the overall AMATAS service are the most popular ones on the market. Due to this, our team grew rapidly in a very short time span.

What are the main tasks and responsibilities performed by Pentesters?

Pentesters provide security assessments and aim to detect problems and malfunctions that can lead to data breaches and risk the reputation of the company or business assets. 

We provide recommendations, register and report identified vulnerabilities, and advise how to eliminate them. As Pentester Team Lead, I supervise and train the team, and fully assist them in fulfilling their professional duties and responsibilities.

If I have to describe the Pentester career in a single word, that would be "challenge".

What kind of madness is it to daily "break" something (that has already been built by someone else) to make a system work against how it was intended to - all to discover its kryptonite (or weakness/-es)?!

What kind of projects do you work on? Also, which colleagues (or departments) do you communicate most often with?

We conduct tests in almost all industries and prevent real-time threats that could lead to production crises due to the collapse of one of the integrated solutions or one of the systems.

Fintech projects have the largest scale and are the most challenging for Pentesters. This is also one of the most vulnerable industries as its organizations don't have the resources physically and the assets belong to someone else (e.g. banks or institutions that manage money). We also work on projects related to crypto wallets, healthcare, production and manufacturing, and many more.  

All social and economic spheres are exposed to cyber risks - taking this into account, we protect virtually everything.

Describe your typical work day.

I have had those work days that have spanned 21 hours. But those are one-time exceptions. The Pentester role is very responsible and requires a solid investment of both time and effort. The key to being successful at it consists of organization, time management, and professionalism. These three skills help you work normally - without any stress - and also provide you with the necessary time for every other emergency that is typical for the Pentester. Within the role, our days, and sometimes even our nights, pass behind the computer screen, but it's all a matter of balance.

What technical and soft skill set is required for this profession?

Pentesters require a full range of skill sets. Other professions perform one main activity, take for example programmers, who have to program; system administrators mainly administer; architects usually just deal with design. As ethical hackers, we need to know everything, because the nature of our work requires a unique combination of knowledge and skills.

Consequently, the soft skills that are a necessity for all Pentesters are:

  • persistence
  • curiosity - striving to gain new knowledge at a fast pace
  • adaptability - applying your experience from one field to another
  • learning quickly and efficiently

How do you keep your knowledge and qualifications relevant?

With perseverance, hard work, continuous accumulation of knowledge, and skills improvement. Also, by maintaining a solid network of contacts; keeping up appearances; and having good, professional relationships in the cybersecurity environment. Last but not least, every day I'm "reminded" by my work at AMATAS of what I need to know and continue to study.

What are the opportunities for growth and development in the field?

The cybersecurity road can lead you to a variety of roles - from technical manager to senior manager.

What are the biggest myths about the Pentester profession?

  1. Unlike the rest of the roles in the field, Pentesters have to combine the knowledge and skills of all cybersecurity professionals.
  2. Unrealistic salary expectations - often there is a huge gap between the expected vs the actual reality.
  3. The moment you start thinking of yourself (or your organization) as "untouchable". For most people, the hackers' profession is a riddle, wrapped in a mystery, inside an enigma. They think it's not a process that occurs, as it doesn't materialize in space. This results in an ever-rising number of hacker attacks. People all together tend to neglect the absolutely real danger of them falling victim to the so-called Black Hat or "Bad Hacker".
  4. That the word "hacker" (and the way it's used in day-to-day conversations and slang) has only a negative connotation. This is not the case - there are good and bad hackers.  

What are your hobbies? What do you like to do after work? 

I love fast cars, playing chess, working out, and cooking. Most recently, I won a baking competition, which was a company-wide charity initiative organized by Ocean Investments* to support nursing homes.

Ralitsa Kosturska in AMATAS