After 8 weeks as a professional penetration tester, I finally achieved my first finding - a high severity vulnerability that led to an escalated incident. While I have found a few vulnerabilities in the past via responsible disclosure programs before getting a penetration testing job, it feels incredibly validating to succeed in a professional context!

I want to discuss my thought process, so I can teach other people what works and for personal reference in the future. I will be omitting any specifics about the finding for obvious reasons.

Towards the end of my work day, my mind felt incredibly fuzzy. I was unable to focus on anything mundane, so I decided to spend the last 30 minutes reviewing log outputs from an automated vulnerability scanning tool. Instead of focusing on finding a vulnerability, I simply enjoyed the process of looking at everything out of place that the tool had found. Of course, the vast majority of these logs were false positives.

One of the things I found looked very interesting. Here’s the thing - I would never have found it if I was hellbent on finding a vulnerability! As I said, I was just highly intrigued by the output of the scanner. So intrigued that it bordered on obsession. I forgot about the flow of time, and looked further than anyone else without my passion would have done.

I went home that night, turning over what I had found in my brain. The next morning, I got in early. I confirmed that the impact was indeed high, then thoroughly wrote up my report and escalated the finding.

The process was absolutely thrilling… I get such a rush of adrenaline when finding vulnerabilities.

My best penetration testing mindset is to enter a state of deep, obsessive intrigue with learning about the behaviour of a tech stack I am reviewing. My WORST mindset is to focus too much on getting cool findings.

What a great success! I am very proud, and I look forward to finding far more vulnerabilities in the future with this mindset.