Can You Train A Great Penetration Tester?

As far back as I can remember, the industry has struggled to figure out the best way to train a penetration tester. Along similar lines, they’ve questioned whether the “hacking mindset” can be taught, or whether it’s a talent you’re born with. All new pen testers wrestle with this question early in their careers, but rarely has a definitive answer been offered.

As a penetration tester for the past decade, and as a manager of pen testers for half as long, I’ve observed and studied many testers. In the course of training, leading, and evaluating pen testers, I’ve come to a conclusion of my own:

Penetration testers can be trained -- to a point.

It is possible to teach someone the fundamentals of security, the attack methodology, and the testing techniques. That’s enough knowledge to make a novice -- an individual with basic proficiency in performing penetration testing. Adding experience to the mix may result in marginal skill improvements, but simply knowing a few techniques and trying them repeatedly will get you only so far.

The leap to a more advanced level of skill requires study. More often than not, this means self-study. In order to be better, a pen tester must understand the ins and outs of the system that he is targeting. Focused and continuous learning is essential in being effective as a pen tester. And that’s where passion comes into play because only those willing to dedicate their time (their free time, in many cases) to learning more will get to be stronger testers.

Sadly, that’s when your passion, learning, and, most important, your training will hit a wall.

Achieving expert pen-test skills requires a lot more than just passion and learning. And it can’t be trained. There are certain qualities that great pen testers exhibit, which combine into what many refer to as the “hacker mindset.” The hacker mindset can’t be taught; instead, it must be developed and refined over the years. Two key talents comprise the “hacker mindset." First is the ability to synthesize disparate data to create actionable information. Second is the knack for identifying and pursuing the most effective attack paths against a target. Some will bring these talents to the table, and some must develop them over time, but most testers will never possess them.

At the head of the class are the testers who I consider the masters. They’re very few and far between, and while they possess the same qualities as the experts, they have one secret that sets them apart from everyone else. We’ll reveal and explore that quality in subsequent articles. But it’s because of this one quality that they are now and probably will always be simply better than everyone else.

So pen testing can be taught to a degree, but the hacking mindset must be developed. Passion and learning play key roles in all stages, but certain qualities exist that make the experts and masters better than the rest. In following articles, we’ll explore these characteristics in more detail to truly understand the differences between the novice, advanced, expert, and master penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu