Introduction

Technical interviews can be a daunting part of the application process for a penetration testing role. This post is designed to offer guidance on how to prepare for a technical interview, including steps to take before applying and important things to remember during the interview itself. Hopefully, this post can help make the application and interview process a bit less stressful.

Before and during the application process:

Understand the company and role you’re applying for and study accordingly.

To know which skillsets to focus on training, make sure you understand the expectations for the role you’re applying for, as well as the types of work the company emphasizes. Be sure to carefully read over the job description. If there are any technical skillsets mentioned in the description that you don’t feel confident in yet, be sure to train those before you apply.

There’s a good chance that the role you’re looking at will require at least some web application testing skills.

https://portswigger.net/web-security/all-labs

Different interviewers will have different expectations for the appsec skills an applicant should have. However, broadly speaking, you should make sure you’re very comfortable using common tooling such as Burp Suite and some of its most common extensions. You’ll want a solid grasp of a wide variety of web vulnerabilities, and ideally you should have fairly deep knowledge of at least a few of those. Working through all of the PortSwigger Academy labs will help you gain exposure to these different vulnerabilities.

https://hackerone.com/hacktivity/overview

If the role you’re applying for also requires network security skills, there are some great training resources available. Perhaps one of the most widely used is Hack The Box, a platform that offers a variety of free vulnerable machines to attack and CTF challenges to complete. Hack The Box features training materials for many topics, including network pentesting.

https://www.hackthebox.com/

Another free resource is VulnHub, an archive of community-created intentionally vulnerable machines to attack. Many of the vulnerable machines available here provide network-based attack paths.

https://www.vulnhub.com/

Finally, if you’re just beginning to familiarize yourself with network pentesting, the TryHackMe platform contains challenges appropriate for beginners.

https://tryhackme.com/

In addition to web app and network security, gaining at least basic familiarity with mobile testing can be valuable. Sometimes a web app will have a concomitant mobile app that will also need to be tested. Sometimes you may need to test a completely standalone mobile app. It’s worth investing some time learning how to proxy a mobile app’s traffic and how to perform basic static analysis on a mobile app.

Appsec is a crucial skillset for many pentesters. Even if application security isn’t the area of security you enjoy the most, make sure you don’t neglect it.

Be careful about what skills you claim to have

Your application process might involve rating your technical abilities across a variety of disciplines. Even if it doesn’t, you’ll certainly want to detail your skillsets on your resume. When you do this, it’s very important to be honest about your current skills.

If you’re asked to rate your technical abilities in a specific area, like Active Directory attacks, a particular web security technique, or reverse engineering, this is not a time to fake it until you make it. If you say you’ve got a skillset, you might be asked about it during the interview. If you claim to be strong in an area and then can’t answer basic technical questions about it, there’s really no positive way to interpret that. You can avoid this discomfort by focusing on honest self-assessment. Interviewers won’t (or at least shouldn’t) expect you to know everything about a broad range of topics, but they will expect you to be honest about what you can do and what you’re not able to do — yet.

Don’t use Large Language Models (LLMs) to do your writing for you

If as part of your application process you need to provide a few written answers to questions or a cover letter, do the writing yourself. It might be tempting to use an LLM such as ChatGPT or Gemini to simply write the answers for you. Don’t. This advice doesn’t stem from some insistence on doing things the old-fashioned way; here are a couple of reasons to avoid using LLMs for these tasks:

- It’s often not hard to tell when something is written by an LLM. When it’s obvious someone has relied on an LLM to do their work for them, it’s difficult to view positively. If the purpose of requiring some written answers or a cover letter was to see what security topics a candidate is excited about, then having an LLM do the writing shows that the candidate wasn’t even excited enough to answer the question in their own words.

- If you’re asked to provide writing samples, the point is probably to determine how strong your written communication is. If it’s clear that you’re offloading this task to an LLM, then your application reviewer won’t be able to assess your communication skills and might just assume that you’re not confident in your writing. Pentesting involves a lot of written communication, so if that’s not an area where you feel strong yet, you’d be well served by working on improving your technical writing skills.

Draw attention to hands-on work that you can show

One of the best ways to make your application stand out is to include links to public work you’ve done. Do you compete in CTFs frequently? Create writeups for the challenges you’ve completed and link to those in your application. This gives application reviewers a chance to see your technical skills and your writing. Do you work on security-related development tasks? Link to your GitHub profile and call out any projects you’re especially proud of. Have you created any security videos or blog posts? Be sure to reference those. All of these show that you have actually taken the time to learn something and demonstrate it to others.

Keep in mind that you should only share work that you feel is high quality, though. If you have lots of technical blog posts or writeups for CTF challenges, but they’re filled with grammatical errors and poor explanations of technical topics, an application reviewer probably won’t be impressed. Similarly, if you link to your GitHub profile but all your content is composed of hello world programs or barely-modified forks of other repos, you’re probably not going to stand out as much as you’d hope. Your work doesn’t need to contain earth-shattering technical breakthroughs, but you should make sure that you’ve carefully reviewed it for errors and are proud of the end result.

During the interview:

Be prepared to gracefully navigate questions when you don’t know the answer.

As mentioned earlier, no reasonable interviewer should expect you to answer every single technical question flawlessly. They may just keep asking technical questions of escalating difficulty until you’re not able to answer one, so that they can get an idea of your current depth of knowledge. When you do arrive at a question you can’t answer, there are a couple of things you should definitely not do:

- Don’t make up an answer. The chances of this working out are exceedingly low.

- Don’t give an intentionally vague answer in the hopes of not being outright wrong. When an interviewee does this, it’s usually really obvious that they don’t know what they’re talking about and are trying to mask this fact. Don’t forget that part of an interview is to see how you respond to questions and convey information, and in an interview for a pentester role, the interviewer might be trying to determine whether you can meet with clients and help answer their questions. If you interviewed a candidate who gave confusing, vague answers to questions, would you feel confident about putting them in front of a client?

Here are some things you should do:

- When you don’t know something, try to talk through what you do know and explain your thought process. Ideally, don’t just stop at “I don’t know”. Instead, try to reason about the question using anything you do know about the topic, and make it clear this is what you’re doing. An answer like “I don’t know how XYZ vulnerability is commonly exploited, but I do have some ideas that might work. This is just me coming up with some possible attack ideas that I’d have to try hands-on, but maybe I could…” is a whole lot more compelling than a flat “I don’t know.” It gives the interviewer a chance to see your ability to reason through something or brainstorm. Obviously, if you really don’t know anything about a topic at all, then it’s better to just say so than to make blind guesses, but when you can, expanding on an answer to show the knowledge you do have can be valuable.

- Expand on answers when you can. If you’re given a reasonably open-ended question, the interviewer probably wants to hear your thought process to get a feel for how you approach problems. For example, this might be a chance to explain some clever ways that you know a particular bug class can be exploited, or to explain your workflow for source code review. If you’ve personally encountered a bug or tech stack the interviewer is asking about, then talk about that.

Focus on clear explanations without rambling

When you’re asked a technical question, first focus on answering the specific question as clearly as you can, without jumping to other topics or delaying with details that aren’t relevant to the question. Recall that a technical interview is a chance for you to showcase your ability to explain technical topics, since this is something you may need to do for clients. If your answer to a technical question is so long and convoluted that it’s difficult to follow, your interviewers may not be confident that you can clearly answer a client’s questions about technical findings. As mentioned earlier, you can certainly expand on your answer and showcase additional related knowledge you have, but be sure you do this after you’ve thoroughly addressed the original question.

Try to frame the interview as a conversation about something you enjoy

One way to help manage nerves during an interview is to try to reframe the interview as a chance to chat about technical things that you (presumably) enjoy. If your interviewers are good, they shouldn’t try to make you feel like you’re being grilled and they’re just waiting to pounce on any flaws in your answers. Their main goal should just be to learn what your current skill level is and how well you can communicate your knowledge. With that in mind, try to remember that you’re just getting a chance to talk shop with some other people who are probably excited about the same security topics you are.

Conclusion

When initially applying for a pentest position, be sure you’ve built up a strong technical skillset, especially in the application security discipline. Be honest about your current skillset and try to demonstrate any hands-on work you’ve done if possible, since this can help set you apart from other candidates. During the interview, focus on reacting gracefully when you can’t answer a technical question, providing clear explanations, and thinking of the interview as a chance to talk about a topic you’re passionate about. The job application and interview process can be stressful, but hopefully this blog post has provided some guidance to make the process a little bit easier.

Written by: Josiah Pierce