Before I became a vulnerability assessor, I had the job slightly wrong in my head. If you only know security from films and TV, you probably do too. So here's the reality, including the parts that caught me off guard once I was actually doing the work.
The reality is shockingly boring
The picture most people have is someone hammering a keyboard while text streams down the screen and they elegantly break into a system. That's not it.
Most of the work is taking nearly identical requests, changing one small thing, and comparing how the response differs. Change a parameter, send it, look at the result. Change it again, send, look. Over and over. You intercept a request in a tool like Burp Suite, edit it by hand, and check whether the behavior shifts, one change at a time. There's no glamour anywhere in it.
I'll be honest, at first it felt like a letdown. But noticing those tiny differences turned out to be its own kind of fun, and I got pulled in. These days I think whether you can find that boring work interesting is the real test of fit for the job.