Day in the life of a penetration tester (APS 4/5)

Find out what it’s like to work as a penetration tester (APS 4/5) in the Australian Public Service (APS).

We spoke to a number of penetration testers working in the APS to help us understand what their day involves.

Penetration testers in government play a vital role in safeguarding information systems against cyber attacks. Their primary responsibility is to simulate cyber attacks on government systems. Penetration testers identify vulnerabilities. They also work out how to prevent malicious actors from using those vulnerabilities. This approach helps protect critical government infrastructure and data, while helping to maintain public trust in government services.

The day begins with a review of messages. We check the calendar to plan out the day’s activities, prioritising tasks based on urgency, and upcoming deadlines. We attend a daily briefing with the wider penetration testing team to discuss upcoming penetration tests, current blockers and upcoming access requirements. This meeting helps the team stay aligned and ensures that everyone is aware of their responsibilities for the day. During the meeting, I take notes on any new tasks or priorities assigned during the briefing.

My first task of the day is to retest several vulnerabilities that were identified on a previous engagement. An internal project team has recently applied patches and configuration changes to address these vulnerabilities. I am asked to confirm whether the issues have been fully resolved. I review the original findings and begin a targeted retesting process. I use both automated scanning tools and manual techniques to verify the effectiveness of the mitigations. Retesting is a critical part of our workflow. It ensures that our recommendations lead to measurable improvements in public-sector systems.

After lunch, I rejoin the ongoing penetration test. I focus on identifying cross-site scripting (XSS) vulnerabilities. This is a very common and dangerous vulnerability class in web applications. I methodically assess various input fields, parameters and headers to detect anomalies that could indicate an underlying security vulnerability. These checks are crucial to ensure our systems remain secure and cannot be abused to steal data.

Throughout the process, I maintain detailed documentation. I record the components tested, any vulnerabilities discovered and potential areas for further investigation.

In the afternoon, I’m assigned a technical task by one of the senior penetration testers. I'm required to assist with an upcoming penetration test, by checking SSL/TLS ciphers across a range of target hosts. These ciphers are special keys used to encrypt information to keep it safe and secure. My testing helps assess the strength of these and identify any weak or deprecated ciphers that could pose a security risk.

I begin by prototyping a script to perform these cipher checks, focusing on script performance and stability while ensuring it is modular enough for reuse in future engagements. Once the initial version is complete, I validate its output against test infrastructure. I share it with the senior penetration testers for feedback and potential integration into our internal toolkit.

Before logging off for the day, I spend the last hour reviewing the latest exploits. I catch up on recent webinars or use our training subscriptions to stay updated with the latest offensive security trends and best practices. Staying up to date not only supports my professional growth but also allows me to apply new skills and knowledge directly to better protect Australian government systems.

Learn more about the skills, and how to upskill to be a penetration tester (APS 4/5) on APS Career Pathfinder.