The Broader Application of Pentesting Skills

Entering or advancing in an information security career requires an investment in training and certification. Whether you’re new to infosec or interested in transitioning from another industry, a few certifications are frequently recommended. We’re proud that one of those is our Offensive Security Certified Professional certification, or OSCP. 

The OSCP is based on penetration testing skills – but why take the foundational course, Penetration Testing with Kali Linux (PWK/PEN-200), if you don’t plan to become a penetration tester?

The skills and mindset learned in PWK are applicable beyond penetration testing. Let’s look at the big picture, explore the different areas covered in the course, and see how a few key skills can apply to other roles in IT and information security. 

Learning vulnerabilities and exploitations

Successfully defending systems, networks, and applications requires not only an understanding of the tools an attacker could use, but how they use them. One of the big benefits of taking a course like PWK/PEN-200 is learning how attackers approach a challenge, how they evaluate it for vulnerabilities, and how they exploit those vulnerabilities. 

This in turn helps information security professionals think more broadly about how they respond. Even if you don’t want to become a penetration tester, a range of other cybersecurity roles can benefit from a deeper understanding of attacks and vulnerabilities, including:

• Forensics investigators and analysts
• Information systems security managers
• Security control assessors
• Cybersecurity policy and strategy planners
• Incident responders
• Web developers
• Leadership / CISOs

Lacking an understanding of how an attacker views a target makes it harder to see how and where it needs to be defended, or how to repair damage after an attack. A course like PEN-200 can remedy that lack.

Knowing and understanding attack stages

Imagine responding to an incident that compromised your network – you need to identify the situation and react to the incident in an effective manner. Every moment and action you make is critical to remediate the incident that is impacting your network. That is why it is important to understand how an attacker can compromise a system or a network.

Knowing the attack stages that an attacker conducts means you have a better chance of catching a malicious action in progress or investigating the breach after the fact. An experienced attacker will stage their attacks in the following process:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives

Without having a solid foundation in these concepts, you could miss important information that could lead to re-infection or increase the time it takes to respond to the incident.

In other cases, it can also help you implement effective security controls to mitigate further impact to your network based on which link in your chain is the weakest.

Applying information security principles to organizational needs

It falls to a variety of roles to ensure data confidentiality, integrity, availability, authentication, and non-repudiation. Gaps can come at various points: during software development, while using in-house or third party systems and platforms, while interacting with colleagues and clients, or in the setup and use of networks or devices.

That means the IT team can’t be the only people in an organization with an understanding of security risks to data. Learning how data can be targeted and stolen supports the work done by: 

• Systems security analyst
• Enterprise architect
• Software developer
• Security assessor
• Systems requirements planner

Taking a penetration testing course can teach people in these roles how data can be stolen – and with that knowledge, how to better protect it.

The right mindset

“Try Harder” has become synonymous with Offensive Security. While it has been used in a variety of contexts, at its heart, Trying Harder is about being persistent, creative, and perceptive. When taking technical training courses, students and trainers often focus on the hard skills, sometimes even walking through a checklist to make sure a certain skill has been learned.

Hands-on infosec training and certification like that offered by Offensive Security help develop those Try Harder soft skills that are often overlooked. 

Get training

Offensive Security has offered information security training since 2008. Our Penetration Testing with Kali Linux course trains the foundational skills for career pentesters, and also offers benefits to other security roles. Learn more about it, or check out these resources:

• My OSCP Guide: A Philosophical Approach
• PWK 2020 Update: Should You Upgrade?
• A Path to Success in the PWK Labs