Interview Questions for a Pen Tester
Completing practical skills assessments and other challenges is only half the hurdle to jump over in a Penetration Tester interview, as then come the questions.
In terms of the types of questions you may be asked, expect them to get fairly technical and specific about the various elements involved in penetration testing. They may start with the obvious ones, such as what the advantages are to penetration testing and what it is exactly; this gives the interviewer a good understanding of how you relate to your chosen profession, your knowledge and whether you’re able to align that with the needs of the business.
What are the different kinds of penetration testing?
Here they want to know that you are familiar with the various methods of pen testing. Blind testing, external testing, internal testing, targeted testing and double-blind testing should all be in your professional vocabulary. Your interviewer may be sneaky and throw out a term like Phishing or DNS servers and expect you to relate that back to the particular method of pen testing they’re referring to, so the more prepared you are the better.
How to scan a network?
They may ask you about the tools you would use to run reconnaissance of (scan) a network. Your answer should take into consideration the ports you’d scan to make the process more efficient and the commands you would run. If you’ve previously run nmap or a similar scanning tool then this shouldn’t be too tricky to answer, if you haven’t then get experimenting!
Stages of pen testing?
Your interviewer may quiz you on a particular portion of a penetration test, prepare thoroughly so that you’re confident to answer a question about any stage of the test. Know the process inside and out, from the planning and recon stage to running scans, gaining access, maintaining access and the analysis and configuration stage.
How would you begin?
There may be questions about scanning and enumerating so make sure you’ve done your research prior to interview so that when they ask how you’d begin a penetration test, you know how to answer. This will show them how you operate in the space.
The mechanics of a buffer overflow attack?
A popular entry-point into learning exploitation, knowing how this type of attack works will show your employer that you know your stuff because you have mastered the basics.
Tell us about your interests/hobbies?
Working in pen testing is more than what you present on paper, your employer wants to know how you spend your free time. For example, if you dedicate your personal time to coding projects and playing about with penetration testing scripts then clearly you are passionate about a pen testing career.
Do you have a blog?
This is how you demonstrate your passion, credibility and flair for technical writing. You may find an earlier opportune moment to bring up your blog or involvement in a Github or other projects but this is definitely something that will peak your interviewer’s interest. Report writing is an important part of working in penetration testing as you relay your findings and recommendations to people involved with the business but outside the cyber security space in a way they can relate to and understand.
There will be plenty of other questions, specifically around the individual company you’re interviewing with and around your knowledge and expertise in pen testing. Do your research into both, be confident in your ability and smile.