Michael Randall on pentesting
SecureNation
Michael Randall is a pentester who volunteers for a lot of events, such as The Diana Initiative. My article about the difference between vulnerability scans and pentests caught his attention. Although I’m a cybersecurity generalist, I have spent a lot of time researching and writing about pentesting and working behind the scenes on Capture the Flag events and helping pentesters write reports. So when I can pick a pentester’s brain, I will.
Crawley: “How did you get into pentesting?”
Randall: “My start in pentesting began with a realization that the career path existed during the dark days of Covid. I was a field technician with a lot of self-taught IT training at the time. Being stuck at home without available work in my current role, I began exploring jobs that would allow remote work using that IT expertise. I happened to stumble upon TryHackMe.com and found that I had an immediate passion for securing network environments and finding holes that could be patched. That began a journey that I am continuing today. After about 6 months of learning on THM’s platform, I decided to go back to university. I was able to achieve my Associate’s in Networking and Cybersecurity, then went on to complete my Bachelor’s in Cybersecurity and Information Assurance. By this time I had amassed quite a few certifications and began looking for opportunities to work in the industry. This led me to my current role as a support technician with the unofficial title of Junior Pentester from my supervisors. I have been able to use my time in this position to not only gain experience adjacent to pentesting, but also utilize my skills to improve the environment I am in. This has led to real-world pentesting experience by demonstrating to my supervisors my passion and knowledge. I have also spent time outside of work to gain valuable insights into the industry through volunteering at infosec conferences such as BSides, The Diana Initiative and a local group, The Red Team Association. These experiences have not only provided great pentesting experience, but have also developed amazing friendships within the infosec community.”
Crawley: “It seems like lots of laypeople don't know the difference between vulnerability scans and pentests. Is that frustrating? Do a lot of people sell vulnerability scans but call them pentests?”
Randall: “First off, I do believe that there is an industry of selling vulnerability scans as pentests. This being the case, I believe that speaks to your first question on the lack of knowledge about the difference between the two. Both salespeople and customers can lack the required understanding to make a good distinction between the two.
From a customer standpoint, securing an environment and meeting compliance requirements can be extremely challenging without a team that is dedicated and educated to meet those challenges. This can lead to the checkbox syndrome that can make vulnerability scans look like a solution for certain requirements in instances where they are not.
From a salesperson’s perspective, the potential lack of knowledge of the difference between a vuln scan and a pentest, as well as potential communication difficulties with the customer’s needs, can make selling one vs. the other difficult. These challenges, with the added weight of sales metrics, create more opportunities for the confusion to propagate.
For me it is frustrating when due diligence is not completed on either end. From the customer’s side, this can happen by not having a team educated on the needs of the company. The individuals in charge of the security and compliance requirements must have the necessary skills or be given the time to learn what is required.
For me it is more frustrating from the sales side, because I feel they should be in a position to help educate their customers if need be. If there is a communication barrier, I understand that may be difficult, but outside of that they would be the subject matter experts there to provide a quality service.”
Crawley: “Do you have anything else to add?”
Randall: “The only thing I would like to add would be to encourage anyone in a position to make these decisions to understand the importance of securing their environments. If there is any doubt on how to manage this, take the time to use all the great resources available to fill in those gaps. We are all in this together and the more we can help one another, the more secure everyone will be. It was a pleasure speaking with you and I hope everyone has an amazing year ahead, as always stay awesome, and keep learning!”
Junior pen-tester/cybersecurity analyst (2 months ago): “Thank you Kim Crawley and SecureNation for the opportunity to share. Keep up the amazing work.”