From SysAdmin to Pentester - Part 1 - The hard way

Posted on 2022-10-05 by Nathan Jarvie in Industry

This is the first part of a 5-part series in which I will walk through the decision-making process and the steps involved in transitioning from a system administrator to a penetration tester, along with the certifications taken and the issues and obstacles that I faced along the way.

This is my story, and I hope it helps to inspire people who are considering a mid-life career change that it is possible to do so and to take the leap.


PEN-300 Course Review

Posted on 2021-05-21 by Alexei Doudkine in Industry

It’s done! I just completed my OSEP exam and submitted the report. In true Offensive Security style, the course was challenging but very doable given enough motivation. But was it worth it? Did PEN-300, one of Offensive Security’s new replacement courses for the outdated and retired Cracking the Perimeter course, live up to the expectations? If you’re thinking about taking the course, read on as I go into the good parts and bad parts of the course.


The Volkis independence policy

Posted on 2021-02-16 by Matt Strahan in Industry

When setting up Volkis, we wanted to set up a team the way we perceive that it should be set up. With quality, skill, effectiveness, ethics, and transparency. We didn’t only look at the security industry for inspiration, though. Instead of just looking in, we looked around at other industries as well. Cyber security is barely a child, only having really been around for a few decades. Other industries have centuries if not millennia on us.

We looked over at finance and found that what their auditors do is in essence similar to what we do, but their processes and standards have a maturity that we don’t have. After all, cyber security isn’t known for being mature in processes, standards, personality…

Let’s take a look at one standard in the finance industry but practically unheard of in cyber security: the independence policy.


Three crazy ideas for reforming the penetration testing industry

Posted on 2020-10-02 by Matt Strahan in Industry

In two posts I looked at how it’s almost impossible to validate penetration testing results and where an Evilfirm penetration testing firm might cut costs and invest.

As much as we like to think we’re unique, there are other industries that have exactly the same issues as we do. In other industries there’s the situation where you can’t really verify the results because you’re after the skills of the other party. Some do it badly (I still don’t quite trust my mechanic), but others have made great strides in solving this problem.

Could we potentially use some of the ideas from other industries to do things better?


Telling whether a pentesting firm is good (and how they might get around it)

Posted on 2020-09-30 by Matt Strahan in Industry

I’ve talked about how it’s almost impossible to validate penetration testing results. Are we done then? Doomed to be left in the dark by ineffective testing?

There are other ways where you could figure out whether or not a penetration tester is good. We’ve already talked about things to look for when choosing a penetration testing company. I’d like to be a bit darker in this blog post and put my Evilfirm hat back on. Let’s say you’re a penetration testing firm. How could you present as a good penetration testing company but still deliver shoddy work for cheap?


How do you know if you've had a good pentest?

Posted on 2020-09-28 by Matt Strahan in Industry

There’s a fundamental issue with penetration testing that people don’t really talk about very much. It’s not a fun issue to talk about, because it leads to what effectively becomes corruption in the industry, which then leads to the vulnerabilities that are missed being used to cause huge damage to businesses, everyday people, and society.

The issue is simple: there’s no good way to tell whether the penetration test you have had done has found all the vulnerabilities.

This is the first of a three-part blog post where I’ll be describing why it’s just so damn hard to validate penetration testing results. In the next post I’ll talk about side channels and ways to at least ensure you’re not getting ripped off, but also how an evil firm might present a good face. Finally, in the third post I’ll be talking about three pie-in-the-sky crazy ideas for reforming the industry.

Before I go on I should make it clear that I am in no way saying penetration testing is bad. I do think that there are penetration testers and penetration testing firms that are bad, but a good penetration test is crucial for finding those security vulnerabilities you’re concerned about and keeping you safe.

As long as it’s a good penetration test.


Business partnerships in infosec

Posted on 2020-05-08 by Alexei Doudkine in Industry

Partnering with other businesses is a huge part of the Volkis business model. We spend significant effort finding, talking to, and proving our worth to potential partners. But why do we do it? It goes back to one of our core principles:

Do what you love

This motto is the reason we don’t sell product or do IT managed services for our customers. However, we don’t want to outright dismiss a customer asking us for security products, engineering, managed services, programming, business consultancy or incident response. That wouldn’t be helpful. This is where business partnerships come in. We leverage our partners who DO enjoy those other parts of security and recommend them to our customers.

The inverse is also true. Because we specialise in security services, our partners who lack the capability come to us as their trusted provider. Even in our short lifetime as a company, we’ve proven this to work.

But why is it so important? Why can’t companies just start their own pentesting teams? This is what I want to explore.
