Find out what it’s like to work as a senior penetration tester (APS 6) in the Australian Public Service (APS).
We spoke to a number of senior penetration testers working in the APS to help us understand what their day involves.
What does a senior penetration tester do?
Senior penetration testers in government serve as both technical experts and strategic contributors to the department’s penetration testing program. Their primary responsibility involves guiding and contributing to technical security assessments. They serve as subject matter experts in advanced attack techniques and proactively refine testing methodologies and toolsets to enhance the team’s capabilities.
The day typically begins with a review of messages. I check my calendar to organise and prioritise tasks based on urgency and upcoming deadlines. This sets the stage for participation in the daily team stand-up, where the penetration testing team aligns on current engagements, progress updates and any emerging priorities.
Making an impact
After the stand-up, I host a debrief session with key internal stakeholders to present the findings from a recently completed penetration test. The session begins with a high-level overview of the engagement’s scope, objectives and methodology. It ensures all participants have a shared understanding of the context. I then walk through the findings section.
We discuss identified vulnerabilities and focus on how they were discovered. We discuss their impact on the department and practical recommendations that could be implemented. Throughout the session, I encourage questions and discussion, clarify technical details and address concerns.
Hands-on testing
After lunch, I transition to an ongoing penetration test of a web application that commenced earlier this week. Earlier this week, I conducted a comprehensive review of the engagement scope. Initially, I researched the web application and performed automated vulnerability scanning to map the target infrastructure and identify areas that might be vulnerable to attack.
Today, my focus shifts to manual exploitation. I actively probe for vulnerabilities using targeted techniques. This includes simulating real-world attack scenarios such as attempting to gain access to data stored within the system that I don’t have access to. Throughout the process, I thoroughly document each action taken and record any successful attacks. I also record the systems or data accessed, ensuring a clear and thorough audit trail.
Guiding remediation for stronger systems
In the afternoon, I document the vulnerabilities identified during the engagement. This includes providing detailed descriptions of the affected components, the exploitation techniques used and the potential impact of each issue. I also include advice on how to prevent future issues. I base these on industry best practices to help the project team make the necessary changes.
Once I’ve completed my vulnerability write-ups, I perform a final review to ensure clarity and accuracy. I then share the documentation with our lead penetration testers, who are responsible for compiling the full penetration test report and providing final feedback.
Interested in becoming a senior penetration tester?
Learn more about the skills and how to upskill to be a senior penetration tester (APS 6) on APS Career Pathfinder.
