
So, hey everyone. I'm Doctor X, as was introduced, senior security researcher at Cyber Adapt, and I am responsible for keeping everybody on track and presenting our speakers. So here we have two awesome speakers: we have Qasim Ijaz, who works for Blue Bastion, and we have Andrew Clinton, who works for Aveanna Healthcare. They're going to make their introduction and they're going to talk about spilling the beans, so enjoy.

Thank you, thank you. It's weird being in the South and talking about beans; y'all probably know better how to spill beans than we do. So I'm Qasim, as mentioned. I work at Blue Bastion Security; I'm the director of offensive security there. And we've got Andrew.

I'm Andrew Clinton. I'm a director of cyber security at Aveanna Healthcare. We're a large healthcare provider based out of Atlanta, Georgia.

This talk really is a combination of text messages. Of course it's presented more in a PowerPoint now, because hey, we are professionals after all. But Andrew and I were, for many years now, just complaining to each other about how terrible the pen test was and how terrible the scope was, or how we fired a consulting firm, or something like that: what did this company do, what did this company do well, what did they do poorly. The original incarnation of this talk was intended as "I don't need slides, I just need 45 minutes and a podium." I'm not complaining, just give me a La-Z-Boy and let me lay in there and complain for a while.

So the talk is really about the ways we've found some consulting firms do good work and the ways we found them not do great work. We'll talk about the perspective of a consulting firm, then the perspective of a client, but also the perspective of a candidate. So why don't we start with that. Client-wise, it's going to be: how do you evaluate a consulting firm, how do you engage with your security partners and get the most value out of those engagements, what to keep an eye out for. There are good security consulting firms and there are not-so-good security consulting firms, and there are challenges with navigating those relationships, and we'll talk through a little bit of that. Then we'll jump into working as the consultant or the consulting firm: how do you engage with the client, how do you push for transparency and really build that relationship. And then, as Q mentioned, at the very end we've got a section on being a potential employee of a consulting firm: if you're looking for a job, what can you keep an eye out for to try to avoid toxic workplaces, or places you don't want to wind up, because we did wind up in a few places that you shouldn't wind up. Real-world stories.

I think, before we step into the actual details, a little disclaimer. A lot of this stuff, all of this stuff, comes from real-world experiences that Qasim and I have had, either together or at firms we've worked at, all at points in time. We're not naming and shaming in this session, although we'd kind of love to. Well, we're shaming, but we're not naming. Shaming but not naming, yeah. It's all real stuff that we experienced, but it's all point in time, so any firms that we encountered the problems with may no longer be in that situation; they may have changed, they may have updated. But it's still a good story to tell. So not naming, but talking about frustrations and challenges and how to approach them.

All right, so for our first perspective here, as the clients: one of the most important things that you want to talk with your consulting firm about is your goals. This is a critical item to communicate, especially in those initial discussions where you're talking to sales, you're talking to engineering, you're trying to arrange for a pen test or some sort of an audit. Any initial sales
discussions, scoping discussions: you want to make sure that your goals are brought to the table and that the company you're talking to has the ability to help you achieve those goals. Sometimes there's a breakdown there. A lot of the time the sales representatives will be happy to sell you whatever you're asking for, but can they actually do it, and do they actually have the staff to achieve what you want to do? Are you looking for a comprehensive mobile pen test for an application that needs three weeks' worth of work? Do they have the skills on staff to do it? Do they have the availability? You want to have those conversations, be upfront with that stuff, make sure you get clear answers, and make sure that it's a two-way conversation and that it winds up in the documentation. As you're talking through "hey, these are my goals, this is what I want to achieve with this engagement, we're paying you X amount of money for services rendered," make sure that those details of your goals wind up in the contract, the quote, or the statement of work, somewhere in writing, so that they're actually followed through on. I've seen several situations where we had a really good conversation with sales or sales engineering, maybe we even got one of the testers on the phone, and everything sounds perfect: they're going to be testing everything to the spec that we are requesting in this specific scenario. And then the paperwork comes through super generic and high level, and when the actual testing comes down the pipe a month later, we get the wrong tester and we get bad results, and it's not what we asked for, not what we expected. So goals are really important. You want to be upfront about them and make sure they're understood, received, discussed, and then represented in the paperwork; otherwise you might run into some risk.

Yeah, and one thing I'd also add to that: you defined the goals, you had the conversation, make sure it ends up on the SOW, the statement of work. Because sales built that statement of work; sales had that conversation with the client. Me as a tester, I am maybe two or three layers further from sales, so I might not even hear about what conversations happened. The first thing I'm going to do as a tester is look at the SOW, the statement of work. If it does not talk about those goals, at least at a high level, I don't know about them. So if it is not on the paper, you may not be as well covered as you might think, just because you had a conversation with sales. Who knows if sales even took notes? Sales love to sell. "Yeah, yeah, no, we can do that, we can do that, sure, we got you, sure, two thousand dollars please."

So as we're talking about the goals and how to make sure the goals are on the paper, the flexibility to meet the goals is also a very important piece. Are they going to have the skill set you want? Andrew mentioned earlier getting a mobile app pen test: "oh yeah, we got mobile app testers, not a problem," and then on the side they go to the hiring manager: "hey, can you hire a mobile app pen tester before the test starts?" All
right, can you subcontract another company to do the pen test for us? Because hey, we're going to make the sale at the same time. And there's nothing wrong with that: when you're starting out as a consulting firm you may not have enough people to do all the tests that you're going to end up selling. You want to sell more so your company gets bigger and you get more clients. At the same time, if you do not have a mobile app pen test skill set in the company right now, how do you know the person you're hiring is actually a good mobile app pen tester? Well, you already sold five pen tests on that topic. So a lot of times, as a client, you want to ask those direct questions. I've even had some clients ask me to get my tester on the line, and they've interviewed them. Nothing wrong with that. You want to spend fifty thousand dollars, a hundred thousand dollars on a pen test; there's nothing wrong with saying "hey, consulting firm, can I talk to your tester, can I evaluate their skill set?" You would do that if you're hiring a person; why not do that with the company?

Will the report reflect reality? We'll talk about reports later, but when you are talking about those goals it's important to have that conversation with the consulting firm and say, is the report going to be related to my goals? I want a pen test because I want to comply with HIPAA, but the report is written for PCI. Would that even make sense? So clarify that beforehand, and make sure the report isn't going to be something straight out of a template, so that you're not looking at it going: will my CFO like paying for this, will my data governance officer like this, will my HIPAA assessor look at the report and go "this was written for a healthcare company?" I'm a healthcare company, but your report talks all about credit card data. We don't have any credit card data, so no findings. "No findings, awesome, you guys are looking good." The finding is you did not have credit card data.

And this is where the buckets come in, and I'll let Andrew talk about the buckets.

So I want to talk about the bucket story, but I'm going to shoehorn in one other thing real quick. I'm currently working in an internal role as a director of cyber security for a large healthcare organization, but I've worked for three different consulting firms over the course of my career, and on at least 10 or 15 occasions, especially with the smaller firms, sales has sold something and then the director calls me up and says "hey, we sold this thing, we don't know how to do it, figure it out. What do we need? We've got a mobile test in a week. What do you need to accomplish that in an effective way, and do we have what we need to conduct a pen test?" I'm going to keep going, but I think it happens a lot more often than you would expect, and the trouble there is it's not always transparent to the client. The client doesn't always know: hey, company X said they'd be happy to give us a mobile test; in reality they don't have the skills to do it, and they're going to try to find the skills in the three weeks leading up to the start
date. And are those going to be good skills, are they going to be comprehensive, are they going to outsource it? What does that look like? It gets messier. It's not saying it's going to guarantee a bad result, but the risk goes up, and you as the client don't have visibility on that at all.

"It doesn't fit into our bucket." This was a real situation that happened about a year ago. I wanted an internal network pen test. We had some very specific goals, and we didn't want a general "drop into the network, run Responder, then try to pivot through AD." We had some specific areas we wanted to target with a specific set of engineering skills, and I even had a buddy of mine working at a large pen test firm who I knew had the skills to do it, and he was excited about the idea. So I got on the phone with him and one of his sales guys and we started talking through it. It was a long phone call talking about the engineering, really exciting; we were on the same page, my goals were lining up with what he could do, and everything was perfect from an engineering discussion standpoint. What this should have boiled down to was: hey, let me pay for 80 hours' worth of this guy's time, we'll get the job done, and then we'll write whatever report. But we ran into a problem, because of the size of the consultancy and the rigid way they do sales: there were certain types of services, certain buckets of services, that they offer, and what I was asking for didn't fit into any of those. So we got through this fantastic engineering discussion, really excited: hey, we're going to give EDR a run for its money, we're going to do some evasion stuff, we're going to really hit some areas hard on the network that don't normally get touched, it's going to be really interesting. And the sales guy's like, "yeah, it's not on my list here." And I hate to say it, but that's where that conversation died. We tried to have follow-up discussions, but the quoting process, the statement of work, just fell apart because of the rigid, structured way they do sales. It didn't fit into what they normally sold, even though on the back end it would have just been hours: hey, give me 80 hours of this guy's time, it's 225, 250 an hour, let's go through, and write me a report at the end. Not that complicated.

All right, responsiveness and project management. Exciting. Okay, so, love-hate relationship with project managers. I love it, I love it a lot, but
you love to hate it, I hate to love it. Yes, okay. Is it Friday and my PM's asking for updates, or is it Monday and I'm telling the team what to do?

Communication and project management. There's a recurring theme throughout this whole presentation about transparency and communication between client and consultant, and that's a huge deal. You want to talk to each other, have an understanding, be open and honest and transparent. In those initial stages when working with an outside consulting firm, you want to make sure that they're timely and respectful of your time. Do they have the resources available, do they have the time on their schedule to do what you're asking, or are they just having to take your phone calls and potentially line up the sale? Are they well organized? Do they miss meetings? Do they ignore emails? Do they not get back to you for weeks? Not naming any names. Is there a dedicated project manager on their side? It's something that I've run into quite a lot, and it surprises me. Most consultants and firms will have dedicated project managers, and they serve a critical role: they let the testers do the testing, the directors do other things, and management do other things, and the project managers coordinate the meetings, coordinate the conversation, and make sure things happen on schedule and get done. But if you call the consultancy firm and everything sounds good but there's no project manager, that's kind of a red flag. Who's keeping track? Who's making sure that we're hitting those milestones and moving the project forward? And again, are they respectful of your time? Do they miss meetings? Do they show up late? How do they communicate to you? If a firm is disrespectful or unorganized, it could mean that they're overall overwhelmed with other work and they're not capable of taking on the project that you're asking for, or maybe they don't have a project management team, or they have a bad project management team. Any of those, they're not necessarily deal breakers, but they're red flags; it could increase the risk. Any time I sign a statement of work and I don't see a project manager on the other side, I'm thinking to myself, the report's going to be late. [Laughter]

There's also time zones. When it comes to project management, you've got to understand the start and stop time: when did the test start, when does it end. But time zone is very important. There's nothing wrong with hiring overseas testers; there's a lot of really good talent in the US and outside the US. But if your tester is going to be testing during the time all of you are sleeping and they have a question, which sometimes is important enough that they cannot test without an answer to it, you lost a whole day of testing, really a whole night of testing. If they ran a scan, for example, or they were testing something and something went down, and the specific application they were testing has gone down, well, something pretty bad has happened. I would write that down as a finding, in my opinion, but at the same time I can't test anymore. I've got to wait for your team to wake up the next morning, and then I'll test the night after that. So discuss the time zones, understand when the testing is going to happen, and make sure resources are available on both sides for that.

It's critical for a number of reasons. We'll talk about price transparency a little bit further on, but on the back end, 99% of the time it boils down to engineering hours. So if your tester is testing overnight and they run into a problem: they're going to test for an eight-hour block, and at 2 A.M., two hours into their testing, they run into a problem that stops them dead in the water, and then your team can't respond to their emails for another six hours. Is that six hours lost? How does that company handle it? Is there an escalation chain to try to resolve it? Is there other stuff that can be done to give them work to do, to keep working? Because six hours could be a lot of money, and if you have multiple testers working on a single project it just multiplies. Yeah, I mean, the average rate is like 200, 250 an hour right now in the consulting firms. That's a lot of money
there for sure.

So, a very important piece of information: if there's one thing you walk away with from here, ask for a sample deliverable, ask for a sample report from the consulting firm. If you don't know what the report is going to look like, you're not going to like whatever you receive after spending fifty thousand dollars, because it will either not be something that fits your organizational culture, or it is maybe great quality but they wrote it from a different perspective. I had a pen test where I was testing 35 applications. When you're doing that, it's very important to know if you want all 35 in one report or 35 separate reports, and at the same time understanding what the client was looking for is important. So ask for a sample report. If the company doesn't have it, because some firms don't have it, ask them to go and redact a client's report and send it to you. I don't want to spend fifty thousand dollars on something that I have not seen. If they don't have a sample report, that might be another red flag.

So as we're talking about reporting, it's very important that when you look at the report, it speaks to you about your environment. If you, for example, are a heavily Linux environment and the report is all about Windows: did they just not touch the Linux environment? Did they not have the skill set for it? If I am a healthcare company and there's no discussion of ePHI in there, they gained domain admin, they gained access to databases, but they did not even attempt to gain access to ePHI, do they even know what business I'm in? I was working for a healthcare provider and they wrote a critical finding: "we saw your critical information for doctors online." Okay, what information is it? "Oh, we saw the NPI numbers." Do you know what NPI stands for? "No." National Provider Identifier. It's public information. You are telling me that you found public information, and that's critical? And nothing wrong with you thinking that: you saw some random numbers in front of a name, that looks kind of serious, but Google and see what that actually means.

Another finding they wrote was "sensitive services exposed to the internet." The sensitive service? Port 22, SSH. All right. Very sensitive. Yeah. And also a lot of findings stating that we had really outdated SSH servers, not realizing it was a Red Hat with backported patches and headers. So yeah, they never tried to log in; there was no attempt at trying to go to the next step. You give me a report and you said you guessed a password. That doesn't mean anything to me. What did you do with that password? Did you even find that we have MFA, so that you couldn't use that password? Did you even try to log in to email? Did you even try to log into maybe a payroll system? What you do with that information is what's going to be important. Show me impact in that report; don't just give me a finding. A self-signed certificate on the internal network is not going to matter as much as a self-signed certificate on the external network. And I still see reports with "oh, you're using TLS 1.1, it's a high-risk issue." Well, show me the impact; don't just hand me a finding name. So as you're looking at the sample deliverable, look for those things, and I'll end with that and then hand it over to you.

A vulnerability scan is not a pen test. Give me a Nessus report with your logo on it: this is not a fantastic report. I could run a Nessus scan myself for 2,500; I paid 50,000 for a Nessus scan? So be very mindful of these things, because there is a lot of that still happening nowadays. We've been making jokes about Nessus as a fantastic tool for many years now, and that stuff is still happening. If you find a consultancy firm that sells you a full-fledged pen test for two thousand dollars, you're probably getting a Nessus scan. [Laughter]

So this is kind of
a hard segue, but we're moving on to the consultant section. And, you know, I drink and I know things, because I'm a consultant.

I actually have a new story about the reporting piece. Oh, I'm going back. Yeah, so this is actually a nice story. Is that about us? No, no, no, it's not you, it's someone else. And it's not catastrophic, but it goes to show, and it was a failure on my part. We had a purple team operation conducted in conjunction with an external third party, and the purple team op itself was fantastic, huge value there at the tactical level. Teams were working together well, we got a lot of great results out of it, a lot of great takeaways, and it gave us ideas and pushed us further. But the report that we got: so it was a purple team op, and the report that we got was very much structured like a pen test report. It kind of outlined technical risk, it highlighted the attacks that were performed, but the attacks that were performed were conducted in a purple team context, so it's not necessarily that we're vulnerable to the attacks; that's what was used to exercise the detection and response systems. However, if you glanced at the report, it looks like a pen test report and it looks like we're vulnerable to all these things. Like a legal team glancing at those reports is going to be like, "did you guys fix all these attacks that we're vulnerable to?" No, no, no, that's not what that was. But the structure of the report was such that it gave that perspective, and it led to confusion, and we had to fix the report on the back end. That was a situation where I should have asked for a sample report; we should have talked it over ahead of time and resolved that, so we weren't trying to fix it afterwards, and that way the report communicated what we were trying to achieve and what we actually achieved in the exercise, rather than looking like a pen test report with a whole bunch of unfixed vulnerabilities that weren't really vulnerabilities.

That's you. All right, so stepping into the consultant perspective, or the consultancy perspective, I think one of the best things you can do is tailor the work to the clients. It kind of calls back to that initial talk about goals: engage with the client, talk about their environment, talk about what they want to do, talk about what they want to achieve, talk about how testing should be performed, where the focus should be,
where the risks are. We already talked about reporting and tailoring reporting accordingly, but I think transparency about how the work is being done, open communication and respectful communication, "hey, this is how we're going to step through our process and help you achieve your goals and deliver that final high-value report," is critical. There are a lot of companies that will go through the initial stages, sign off on the work, and then quietly do the tests in the background, and the tester is never actually on the phone with the blue team or the internal representatives. Sometimes that's okay: sometimes as a client it's a fairly isolated test, if it's a web app where we just need to do our annual pen test, or a mobile app, where we don't necessarily need to chat about it during the process. Sometimes working in a box is okay. But if you're doing an internal pen test in a large network, and scope is only so much but the network's massive and you're trying to find out how best to use your time, talk to the client. Have those discussions about what the client wants to test, what the areas of focus are, and what they're concerned about, and work through it. Adjust your communication level to what the client prefers. Some clients want start and stop emails every day, or an end-of-the-week wrap-up email saying "hey, we tested all week long, we found these high-value findings, you'll get more details in the report." Some clients don't want to talk to the consultants at all, and that's okay too, but have those discussions ahead of time so you can get out in front of that and make sure that you're fitting what the client expected.

So we already touched on quite a bit of this. One thing I do want to mention here, and it goes into the transparency slide: if you want a pen test to be done and a report to be delivered on December 31st, you may want to tell us and schedule that before December 25th. I had a client, a really big name in the industry, wanting a pen test. They were going live with the product on January 1st, but they came to us at the end of December, like a week or two left. We still got the pen test done, okay, money money money. But we had critical findings where you could see patient data without providing credentials on the public internet. They still went live January 1st. So, as a consultant, it's important for us to speak to the client about their goals and their method and their capabilities. At the same time, speak to your own capabilities about timing. If you want a good pen test, go to the consulting firm and have them do it in Q1 or Q2. Q4 is a really busy time and the worst time to do a pen test: we're competing against PTO versus getting billable hours, and then you end up with some places, we were in one place where they're paying us extra as testers to work like robots. So just be careful with that.

Price transparency. All right, price. This was a huge pet peeve of mine. I'll
try to run through it quickly, so I'm going to try not to complain too much. There's a huge amount of companies out there that will happily hand you a quote: "this is one pen test, fifty thousand dollars please," and there's no additional details, no detailed statement of work, just "yeah, we'll do that pen test and this is how much it's going to cost." But as we kind of talked about a little bit already, on the back end the price is almost always determined by the number of hours worked. So one thing that I've seen inside the consulting firms is sometimes the consulting firm will undercut their competition and slash engineering hours to fit that, without making it transparent to the customer. So pen testing firm one quotes at 50,000; pen testing firm two says "oh, they quoted fifty thousand, we'll do it for thirty thousand," and without transparency the client may not be aware that you're getting the same deal on an hour-by-hour basis; you're just not seeing those hours disappear. At 250 an hour, one engineer for 40 hours a week is ten thousand dollars. If consulting firm A quotes 10,000 and consulting firm B quotes five thousand, consulting firm B may present the same statement of work, but really they're only putting 20 hours into that test instead of 40. Yeah, I mean, put the number of hours, put the cost on the SOW, let's be transparent. I don't think there's any good reason to hide that breakdown, so price transparency is critical to me. If I have to reverse engineer your quote, your statement of work, to find out where my money's going, I'm going to be annoyed at the outset. But yeah, that can be a little bit of a red flag, but it's fairly common to kind of disguise it.

So one more thing in the consultant perspective, and this really dives into the next topic, which is going to be the candidate perspective: training and culture. As consulting firms, one of the things that we often fail at is the training perspective. I've seen some firms require things like you have to have OSCP to be a consultant. I teach OSCP in the after hours, and I can tell you now it doesn't create good consultants; it doesn't create good pen testers. But cross-training among your organization is great. Creating a culture of positivity: we've got a lot of negativity in this industry. We are all elites, we all feel like we know
the best we all have opinions on things but when you do not have a culture of collaboration you have a culture of competition among your own employees and that just creates a terrible work environment right so as we talk about that we jump into the interview red flags it's we're running a little short time we'll run through this really quick um so there's a couple more stories here but I think I think really the the high level takeaways here is if you're a candidate if you're looking to get a job with a consulting firm keep an eye on the documentation keep an eye on what they're offering you you know look at look at ndas non-compete agreements as
you're walking in the door you know those are pretty standard non-compete Agreements are fairly standard ndas are extremely standard because you're dealing with sensitive information from a bunch of different clients but keep an eye on the time frame you know it a five-year NDA you know is a little unreasonable a three-year NDA might make sense in some contexts but generally like 12 months 12 months after leaving the company is is my experience pretty standard um non-competes are pretty vicious too especially in certain contexts sometimes companies will put unenforceable non-compete agreements in the documentation that you sign you're pressured in signing it and you know it's got like I said unenforceable from a legal standpoint but it's meant to
scare you it's meant to so I've seen non-compete agreements that say that you can you cannot go work for another consulting firm for five years it's like yeah and that's that's not really it's state by state that's not really something that can be enforced yeah but the employee doesn't always know that and so you feel like you're stuck in this job and you can't go take those skills elsewhere when you discover that as a highly toxic workplace and you want to leave um if you're in the interview process and they're disrespecting your time or if you're unable to meet with your future team or your future manager those are huge red flags you know keep an eye
out for those an interview should always be a two-way street it should always be mutually respectful and a good productive conversation if it's if it's six interviews of them grilling you on technical skills and you never get to actually meet the people you ground will be working with or working for uh maybe go find something else there's a whole lot of openings in the field um grilling the interviewee is is a serious problem or uh being elitist if you walk into an interview in the uh in the interviewer is is elitist like no no just don't put up with that go uh go hunt some more somewhere else yeah and you know what turn it around ask the
hiring manager when was the last time they took PTO, right? I ask them when was the last time they went for a training. Why are you hiring right now? Did you have layoffs recently? It's a two-way interview, why not? Okay, so as you are going through the interview process, assess the employer. Also think about the reputation; check Glassdoor. Glassdoor is a great place for you to see sort of Yelp reviews for employers. What kind of technology do they use? I was working at a place where I was using a Dell Inspiron for my pen testing. I would do pen testing in the daytime and I would take it to my hotel room in the evening and it would be cracking passwords while I'm sleeping, running in the background cracking passwords. The hotel didn't have a heat bill because my laptop was heating the room up, but it was terrible. And then I would use the same laptop to run Nessus scans as I'm writing the report for the previous client. So think about that: what kind of technology are they using internally? How often are they double or triple booked on an engagement? That's a big red flag. And what is the billable goal? The billable goal is the goal for you, how many hours you spend on a client engagement; if it's 100%, well, when do I go to the bathroom? All right, so think about and ask those questions directly, because they're going to have a big role in your work there. Most consulting firms should have a very specific billable goal that they're targeting for any consultant working for them, and 80% is generally a good number; it's probably the highest I would go for. 60 to 80, yeah. You start going north of 80 and you're stressing out and, you know, overworking people; you're pushing them into 50-, 60-hour weeks, because when you take PTO you're not billable. Yeah. So in conclusion, you know, beans have been spilled. It's kind of hard to see in there; I love that picture. Yeah, but always look for transparency, both client and consultant, okay, and the candidate: look for transparency in there. I think that's it. Five minutes for questions, and we've got some stickers and business cards in here if you want any. But, questions?
No, no. And so the question was asking about the project manager from the consultancy firm during those initial conversations. I would say so long as a project manager is present, that's a good sign. It's when you're going through those sales and early engineering discussions and building out the scope of work, if there's no project manager present, then you maybe want to ask about it. But depending on your circumstance you might want to ask for a specific PM. Yeah, I have some more questions there, but I think the biggest red flag for me is when we start having those discussions and the project manager is just non-existent. Yeah, that always tells me they don't have project managers, or they've got a very limited project management team, and there could be some disorganization. There is no industry in the world that has more ADHD than pen testers, all right? You expect others to manage our time; not going to happen, okay? If it was up to me I would never stop pen testing, which means I would never end up writing a report, which... nobody loves writing a report, okay? So the project manager plays a very important role in that: making sure things are on time, making sure that we are delivering on time, making sure that the goals of the test are met. So it's definitely a dedicated project manager, not necessarily a project manager specific to that client; maybe they're taking on 10 clients, but their job is to make sure that goals are met and timelines are met. Yeah.

Are there any projects that make you stand out more? You want to take that one? Sure. The question is, are there any projects that make you stand out more as a candidate? One of those is right now, right here: you're at a conference, right? It's a little more difficult to show your work in pen testing than it may be in development, okay? You don't have a portfolio that you can show, but doing things like Hack The Box, TryHackMe, and most importantly being at a conference, especially a small conference like BSides, is an amazing place for hiring. There are probably a lot of hiring managers in here right now, a lot of candidates in here right now. And also one thing I would recommend for everybody wanting to get into pen testing: figure out a way to present at a conference. Everybody has something to share. We all do. We may feel like we don't, but we all have something to share, or at least do what we are doing: stand up and just complain, right? "These are all the terrible firms I tried to get hired by." Yeah, but definitely find a way to present, do CTFs, and most of all make connections to people. I'd say, as a hiring manager, one of the things that I love to hear most from a prospective candidate is a passion project, something technical, either from a previous job or something outside, something you're excited about that's technical and something that you can just ramble on and on about, because I'll let you go and just listen. Yeah, because the passion is really important. You know, technical skills, details, can be learned along the way; they can be trained. But that drive is huge. Well, one last question. Yeah, go ahead.
So the question is, what are your thoughts about clients requesting NDAs for the testers for that project?

Oh, I'm not allowed to talk about that. So the question is the testers signing an NDA individually for the client. So as a hiring manager, as a manager inside a consulting firm, I would push back against that, right? I'm not having my tester sign an NDA to you, for two reasons. One, I don't know if that tester is going to do the test for you; things can change. Maybe they need PTO right at the last minute, maybe they end up in a hospital, okay? So that's going to be a nightmare in terms of scheduling, because now we have to find another tester to sign an NDA. Second, I'm going to lose people if I ask them to sign NDAs with a client individually, because now they're individually responsible, so the legal backing of the company gets into muddy water there. I mean, I sometimes have clients ask me to do a background check for a tester for them, and that's a pain. Yeah, an NDA is going to be an even bigger pain. Yeah, yeah. I think the request for individual background checks and the request for individual NDAs fall into a similar bucket, and in my experience I've seen testers refuse, because from a legal standpoint, the relationship between the two companies, there's an overarching NDA that should cover everything, and most clients, 90% of clients, are happy with that. I think some clients do get specific, they get picky, they want to run individual background checks and individual NDAs, but that gets messy real quick. All right, I'm with Q; I would push back against that, but it does happen, and sometimes you're a consultancy firm and you've got a multi-million dollar client that's throwing their weight around and you have to play ball. It's a rough situation, but like I said, I'm opposed to it, but sometimes it's just the reality of working with really big companies. All right, thanks everybody. We've got stickers; take the stickers, we need to get rid of stickers. Yeah, I'm going to get rid of the stickers.