Our dedicated, talented pool of pen testers is the beating heart of our cyber services team. But what’s behind these individuals’ ability to deliver for clients, to maximise protection and minimise risk? CCL’s Technical Director Seamus O’Reilly offers a personal view on what it takes to become a successful penetration tester.
At a recent training event, I was asked a simple yet profound question: “How do you become a successful penetration tester?”
This question sparked a lively discussion. Many shared their journeys into cyber security, while others expressed frustration at the misconception that penetration testing is not an entry-level job. We debated the barriers, including gatekeepers and the ‘nonsense’of job listings requiring five years of experience for an ‘entry-level’ role. The requirement to hold a CISSP for a junior penetration Tester role or the requirement to hold a slew of professional certifications marked as MUST-HAVE.
What was clear was that I would not escape this question without addressing the reality.
To illustrate my point, I drew a horizontal line on the board. "This," I said, "is the waterline. Everything above this line is visible to everyone." I then drew a small triangle above the line, labelling it ‘Success’. This represents the visible achievements—passing professional exams, landing a coveted job, getting promotions, and being invited to speak at conferences.
Next, I drew a much larger, inverted triangle below the waterline. "This," I explained, "is what no one sees. The foundation of hard work and effort that supports the success above." Inside this larger triangle, I wrote the following words:
· Hard Work
· Persistence
· Late Nights
· Rejections
· Sacrifices
· Discipline
· Criticism
· Doubts
· Failure
· Risks
Hard Work
No one sees the late nights spent bent over a computer or laptop, meticulously reviewing code and hunting for vulnerabilities, honing skills and learning tools of the craft. But people see success. And every moment of hard work, every skill honed, is a step towards personal growth and a testament to your dedication.
Persistence
‘Success’ is a result at a point in time. You don't see how many times a person had to keep trying. You don't know the willpower needed to keep going when labs fail. Persistence is a quality; without it, many of the successes we are familiar with would not exist.
Late Nights
You did not witness the long dark nights when it was me and my computer, alone, trying to solve a problem,forgoing sleep to work on something. People see 10% of the success; they don’t see the 90% of what made this.
Success for me is going above and beyond what others are doing, and those late nights are where the magic happens. When I crack something, when the puzzles fit—those late nights have always been my superpower. And every time you push through, every time you refuse to give up, you're building your own superpower of perseverance.
Rejection
This is a fact of life.Rejection is going to happen. But you never hear about the rejections. You don’t know how many of my papers have been refused at conferences, how many interviews I’ve sat through, or the draining letters of rejection.
Rejection has been my greatest teacher. It has shown me where I needed to grow and pushed me to develop a thicker skin. It’s important to remember that everyone faces rejection, but what sets successful people apart is their ability to persevere through it.Embrace rejection as part of the journey and let it fuel your determination to succeed. The key to rejection is persistence.
Sacrifices
The elephant in the room—no one wants to tell you this but to be a successful penetration tester, you must decide early on what you're willing to sacrifice. Whether it’s time with friends or family, something will suffer. Success depends on how much you are willing to sacrifice. It’s a balancing act, requiring hard decisions to get that initial success. And when you achieve it, remember—it’s not over. You need to keep your skills up to date, maintain keyboard time, and stay proficient.
Discipline
Discipline is the cornerstone of success in penetration testing. It drives us to develop good habits and stick to them, even when we don't feel like it. Discipline means committing to a study schedule, practising regularly, and staying focused on our goals. It’s what keeps us up-to-date with the latest threats, tools, and techniques in the ever-evolving field of cyber security. Without discipline, it’s easy to lose motivation and fall behind. It’s about making the hard choices.
Talent might get you started,but discipline keeps you going and ultimately leads to lasting success.
Criticism
Criticism, both external and internal, is part of the journey. Constructive feedback fuels growth. It’s essential to take the positive and discard the negative. Don’t allow others to fill you with their doubts and small thinking.
Constructive criticism provides us with insights into our weaknesses and areas for improvement. It’s a tool for growth and development, allowing us to refine our skills and approaches.Embrace and seek it out; some feedback may stem from others' doubts, jealousy,or limited thinking. Developing a thick skin is essential, as well as not letting negative or baseless criticism affect your confidence and drive.
Take the positive, discard the negative, and never let others limit your potential.
Doubts
Welcome to a field of work that will quickly humble the cleverest of people. I have seen capable people buckle under pressure, doubting themselves. Don’t feed doubt. It’s okay to take breaks. Burnout and self-doubt are serious issues. Know your worth and take a break if needed.
You have my permission to take a break and regroup.
Failure
If you’ve never failed, you've never tried something for yourself. Failure is the best learning opportunity. People never see our failures. I always share this with students:
I am not a good test taker; I have nerves and sleepless nights in the exam build-up. I recently took an exam that I was sure I would pass, and my colleagues were sure I would pass; it is considered a simple exam. I failed it. Doubt and imposter syndrome hit hard.
Enter my second superpower. I have been failing exams for years 😊 but I never give up. I am relentless when I want something. I was able to regroup and assess my weaknesses objectively on the exam. I committed the time and effort to the skills and areas I needed to improve on, and I went back to retake the exam, this time passing it very comfortably.
Failure only happens when you don’t get back up.
Risks
Risk scares many people, but we have to take calculated risks. In pen testing, being risk-averse can spell disaster. The difference between an excellent report and an okay report can be the tester's risk appetite. Will they play it safe or push harder?
Don’t play it safe, calculate,push hard, and don’t settle for ordinary.
If you're aspiring to become a penetration tester, remember: Success isn't a destination—it’s a journey that requires dedication every day. Embrace the lifestyle. The visible success is just a fraction of the story. Staying on top means continually learning old and new skills, keeping up with the latest threats, and maintaining the motivation to push forward. The hard work above the waterline is just as crucial as the effort to get there.
We currently have several roles on our penetration testing team. If you share our passion for honesty and integrity and the determination to be the best and secure some of the UK's most secure facilities, we would like to hear from you.
Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.
Get in touch