Letter to My Younger Self – Pen Testing

Originally published on LinkedIn · April 2016.

Dear younger Jim — here is what I would tell you about penetration testing before you learned it the hard way.

What Pen Testing Is Actually For

Pen testing is fundamentally about changing the client’s beliefs. If you find a critical vulnerability and walk away without changing what that organization believes about their security posture — without actually moving them — your ROI is slim. Trophy hunting is not the goal. The goal is perspective change followed by action.

The Four Non-Negotiable Rules

  1. Define scope and goals clearly. Before a single test is run. In writing. Breaking this rule removes any real satisfaction from the work — and exposes everyone to legal and ethical risk.
  2. Obtain proper authorization. Full stop. No exceptions. Ever.
  3. Deliver practical solutions, not just findings. A finding without a recommended fix is a complaint, not a professional deliverable.
  4. Ensure the right stakeholders are informed. The people who need to know, need to know. Not everyone — but the right ones.

Rule #0, above all of these: absolute integrity and transparency with appropriate stakeholders at all times. This is the foundation before rule #1 even applies.
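Rule #1 is only as good as the mechanism that enforces it. One way to make the written scope a hard gate rather than a document nobody reopens is to feed it to every tool before the tool touches a target. The following is an added example, not code from the original article or from any tool it mentions; the scope-file format (client, window, include, exclude lines), the client name and the addresses are constructed for illustration, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not live networks.

```python
"""Engagement scope gate: refuse any target the written rules of engagement do
not explicitly include, and refuse everything outside the authorised window.
Added example; the scope-file format is an assumption, not any standard."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample rules of engagement for a hypothetical client.
SCOPE_TEXT = """
client: Example Corp
window: 2016-04-04T00:00:00Z 2016-04-08T23:59:59Z
include: 203.0.113.0/24
include: www.example.com
include: *.staging.example.com
exclude: 203.0.113.7                    # production database host, hands off
exclude: payroll.staging.example.com
"""


@dataclass
class Scope:
    client: str = ""
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    nets: list = field(default_factory=list)      # included networks / single IPs
    hosts: set = field(default_factory=set)       # included exact hostnames
    suffixes: list = field(default_factory=list)  # included wildcard suffixes (".x.y")
    ex_nets: list = field(default_factory=list)   # excluded networks / single IPs
    ex_hosts: set = field(default_factory=set)    # excluded exact hostnames


def _norm(host: str) -> str:
    return host.strip().lower().rstrip(".")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_scope(text: str) -> Scope:
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "client":
            scope.client = value
        elif key == "window":
            start, end = value.split()
            scope.start, scope.end = _parse_ts(start), _parse_ts(end)
        elif key in ("include", "exclude"):
            nets = scope.nets if key == "include" else scope.ex_nets
            try:
                nets.append(ipaddress.ip_network(value, strict=False))
                continue
            except ValueError:
                pass                              # not an IP/CIDR: a hostname pattern
            if value.startswith("*."):
                if key == "exclude":
                    raise ValueError("wildcard exclusions are not supported")
                scope.suffixes.append(_norm(value[1:]))   # keep the leading dot
            elif key == "include":
                scope.hosts.add(_norm(value))
            else:
                scope.ex_hosts.add(_norm(value))
        else:
            raise ValueError(f"unknown scope directive: {key}")
    if scope.start is None or not (scope.nets or scope.hosts or scope.suffixes):
        raise ValueError("scope must define a window and at least one include")
    return scope


def in_scope(scope: Scope, target: str, now: datetime) -> tuple:
    """Return (allowed, reason). Exclusions beat inclusions; anything the
    written scope does not explicitly include is refused."""
    if not (scope.start <= now <= scope.end):
        return False, "outside the authorised testing window"
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in n for n in scope.ex_nets):
            return False, f"{ip} is explicitly excluded"
        if any(ip in n for n in scope.nets):
            return True, f"{ip} is within an included network"
        return False, f"{ip} is not in any included network"
    host = _norm(target)
    if host in scope.ex_hosts:
        return False, f"{host} is explicitly excluded"
    if host in scope.hosts:
        return True, f"{host} is explicitly included"
    for suffix in scope.suffixes:
        if host.endswith(suffix):                 # "*.a.b" matches only subdomains of a.b
            return True, f"{host} matches wildcard *{suffix}"
    return False, f"{host} is not in the written scope"


if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    now = _parse_ts("2016-04-05T10:00:00Z")
    for t in ["203.0.113.20", "203.0.113.7", "198.51.100.1", "WWW.example.com.",
              "api.staging.example.com", "payroll.staging.example.com",
              "staging.example.com"]:
        ok, why = in_scope(scope, t, now)
        print(f"{'ALLOW' if ok else 'REFUSE':6} {t:30} {why}")
```

Two design choices matter here: an explicit exclusion always wins, even when the address sits inside an included CIDR, and the default answer is refusal, so a target missing from the written scope is never tested on the assumption that someone meant to include it. The gate checks only what it is given; a tool that resolves hostnames must also pass the resolved addresses through `in_scope`, since a hostname on the list can point at an address that is not.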

Pen Testing Is Not a Vulnerability Scan

A cron job can run a vulnerability scan. The difference between a scan and a pen test is skill, process, judgment, and the ability to operate within a defined timeframe to actually exploit and prove the vulnerability — not theorize about it. “We could have gotten in” is not a finding. Proof of exploitation is a finding.

Scope: Technical, Physical, and Human

Real pen testing encompasses all three vectors. Technical systems. Physical access controls. And the human element — social engineering, pretexting, tailgating. If you only test one, you have an incomplete picture and your client has a false sense of security in the other two domains.

On Learning and Integrity

Budget constraints are not an excuse for ignorance. Invest in your own training. Learn continuously. And never — not once — use illegal tactics. The moment you cross that line, you are no longer a security professional. You are a criminal. The integrity of the profession depends on every practitioner holding that line.

