Computer Systems and Software Engineering
Digital and IT services
Large business (250+ employees)
A day in the life of a Penetration Tester in the United Kingdom
Over 15 years in infosec, currently a hacker; in the past been an infosec policy consultant and ran my own business.
What I do
I'm an embedded penetration tester for BT. I attempt to break the security of products and devices that BT uses and sells.
Skills I use and how I developed them
Hacking, reverse engineering, *nix systems administration, C, Python, assembler (inc MIPS and ARM), hardware attacks, cryptography.
Most skills were developed through own research via the Internet.
What I like most
I like having the time to develop a deep understanding of how an embedded device was put together, in order to break it.
What I like least
What surprised me most
It's a relaxed atmosphere that supports the development of new skills.
My career goals when I graduated
I really just wanted to write computer games but my industrial placements indicated that there was fun to be had in systems integration in the defence sector.
My career history
Sponsored by Siemens Plessey Systems (2 summer placements).
Employed by Siemens Plessey Systems as a software engineer. Business unit was sold to British Aerospace which later became BAE SYSTEMS. Progressed to systems engineer and designer running a prototyping team. (3 years).
Employed by VEGA Group as an information security consultant. I spent two years working within the Defence Procurement Agency advising on security policy and then qualified as a penetration tester (CHECK Team Leader). (3 years).
Started and ran my own consultancy, supplying infosec policy and penetration testing services to the defence sector. (6 years).
In tandem, started and ran the leading street hypnosis training company, Head Hacking, with my friend Anthony Jacquin.
Sold my consultancy and joined BT as a penetration tester. I specialise in embedded device hacking.
What has helped my career to progress
Dedication to completing tasks and attention to detail are the two things that provided the opportunities for progression. Knowing what I wanted and actively seeking it out provided the momentum for progression.
Courses taken since graduation
Coursera Stanford Uni Cryptography 1.
Coursera Maryland Uni Cryptography.
Coursera Maryland Uni Hardware Security.
Cryptography (often in the form of TLS) is appearing everywhere and there are many ways of getting it wrong, while still making it look right. These courses teach strong principles that are useful in multiple levels of crypto analyses.
How my studies have helped my career
Hacking is relatively unique within the IT industry as it is dependent on a mindset rather than a set of skills or qualifications. As such, this career requires continual learning and study, but not in the form of formal courses or reading recommended books.
Sometimes it is simply to keep abreast of developments, but often it is because we have to learn how something new works in a relatively short period of time, in order to find ways to break it. We refer to this as 'becoming an expert in an afternoon.'
It's fun because it is challenging.
What surprised me about my career so far
'Business' is just a more complex system with fewer controlled variables.
Where I hope to be in 5 years
I'd happily still be breaking things for BT. Maybe I would move into management again. Ideally I'll be building cool art installations, directing films or writing for famous magicians and hypnotists, but I guess I'll just continue with that in my own time.
My advice to students considering work
Work out what you'd ideally like to do and do that, even if it isn't in this field. It's far more important to enjoy your work than it is to get paid well or be respected by your peers.
Life is about having fun and work is such a huge part of that, that it has to be fun for it all to work.
My advice about working in my industry
If you want to be a professional hacker then either a) you're already an amateur hacker and you know your way around gdb and NOP-sleds; b) you've just got interested in security and you're not afraid of learning assembly and giving up your social life in favour of research; or c) you're probably not going to make it, sorry.
Security and hacking qualifications are worth less than hours in a darkened room reading the right bits of the Internet and trying things out.
You don't have to grow up to exist in the grown-up world. You don't even need to grow up to get a reasonably-well paid job that offers progression and development. You just need to be dedicated and competent. Happy people always get promoted first.
I'll happily mentor students wanting to get into information security, particularly hacking. I'll also answer questions on anything to do with work.
For those interested, I present at Cyber Security Challenge occasionally and I presented at Securi-Tay at Abertay Uni in Feb 2015.
If you like the look of Kevin’s profile, the next steps are down to you! You can send Kevin a message to find out more about their career journey. If you feel you would benefit from more in-depth conversations, ask Kevin to be your mentor.