Title: Pentest: Working in team or alone?
Post by: H1t M0nk3y on September 21, 2010, 09:32:21 AM

I was wondering...
To the professional pentesters, do you work alone or in a team? On one hand, working in a team is probably better. It's impossible to "know it all" and you can have experts on different topics. You can also discuss ideas and try to help each other. You can also finish the pentest faster. But my reality is that companies that I work for are cheap, especially these days. They want a cheap pentest completed as fast as possible. The last two contracts I have got wouldn't pay the salary of two pentesters. Also, I didn't hear much of "teamwork" on this forum. So hence my question, do you work in a team and why? I am so curious... ;D

Title: Re: Pentest: Working in team or alone?
Post by: mambru on September 21, 2010, 09:45:40 AM

We have a Tiger Team with 8 members, and depending on the dimension of the engagement and the time we have to finish, we work either alone or in a small group (not more than 3). I think working in a team yields very good results, since as you say, a single person can't know everything.

Title: Re: Pentest: Working in team or alone?
Post by: MaXe on September 21, 2010, 11:08:02 AM

I worked alone (for free / fun) at a company once, but later on I had to train another employee in the basics to get started, so I worked in a team, but it wasn't really a team when the other employee was at that time just a trainee :) But it was nice to have company instead of stressing about everything myself ;) (I was under huge time pressure every time, like.. You got 2 hours to prove there's something big time wrong with their network :D )
However, back on topic. I believe a team of experienced Penetration Testers is definitely a big plus, in fact I believe they are probably able to achieve more if one is e.g. expert in Web App Sec, another in Software Exploitation, a third in Reverse Engineering, a fourth in Social Engineering etc.

Title: Re: Pentest: Working in team or alone?
Post by: ajohnson on September 21, 2010, 06:02:40 PM

I totally agree. I'm almost always alone, and I hate it. I'd much rather work with someone else. There's just a synergy that consistently produces better results; it goes beyond simply having different areas of expertise. Having someone else to brainstorm with really helps generate ideas.

Title: Re: Pentest: Working in team or alone?
Post by: Ketchup on September 21, 2010, 06:45:39 PM

I definitely wish that I was part of a team sometimes. Bouncing ideas off another person can really save time and headaches. Unfortunately, that rarely happens for me. This is why this place is so valuable to me. Even if it is after the fact, I can still learn something new.

Title: Re: Pentest: Working in team or alone?
Post by: H1t M0nk3y on September 21, 2010, 08:11:43 PM

Quote
I'm almost always alone, and I hate it.

Quote
I definitely wish that I was part of a team sometimes. Bouncing ideas off another person can really save time and headaches. Unfortunately, that rarely happens for me.

It is the same with me. I am always alone and, even worse, I am still just starting in this field!!! I really work hard to check every little thing, trying not to forget anything. But I have to figure out methodologies and tools all by myself. I would really appreciate working with a more experienced pentester. I feel I would learn 6000 times faster... But the worst thing is, did I miss anything?!? At least, every time, I feel I gave everything I could. Ahhh, it's so hard to get experience!!! :P

Title: Re: Pentest: Working in team or alone?
Post by: impelse on September 21, 2010, 10:36:06 PM

I do not know, guys. I am still learning, but why do you not partner with somebody who will help you remotely sometimes in some specific areas? It is not easy, it is like a marriage, but you can try.

Title: Re: Pentest: Working in team or alone?
Post by: ajohnson on September 22, 2010, 06:50:21 AM

Quote
I do not know, guys. I am still learning, but why do you not partner with somebody who will help you remotely sometimes in some specific areas? It is not easy, it is like a marriage, but you can try.

I'll occasionally text or email other members of my team who are back at the office or at some other location if I think they can provide some insight into what I'm dealing with. That's not the same as having multiple people dedicated to the same project/engagement though.

Title: Re: Pentest: Working in team or alone?
Post by: H0nd0CSI on September 23, 2010, 09:50:25 AM

It’s been my dilemma for a long long time :) In a perfect world ye right ???
I typically only take on Pen Tests that are larger, so I can incorporate a small team to get the best results. I am no expert in every area like Cisco, DB, Coding etc, so I plan the assessment based on doing what I can knowingly do very well and then bring in specific experts in the other areas where my skills are lacking expert levels. It's tough when companies dictate what resources you have available. So we just learn to be creative and think outside the box :)

Title: Re: Pentest: Working in team or alone?
Post by: T_Bone on September 27, 2010, 02:06:47 AM

This is a topic I am also very interested in. I currently work alone and I am a junior level Pen tester! It frustrates me a lot because I want to learn from others and understand where I may miss things and maybe even show my seniors a thing or two. I asked a similar question in the thread below. I believe it does depend on the company though, as I have a few friends here in the UK who have informed me that there must be at least 2 people working on one assignment.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6069.0/

Title: Re: Pentest: Working in team or alone?
Post by: H1t M0nk3y on September 27, 2010, 08:27:23 AM

Quote
I currently work alone and I am a junior level Pen tester! It frustrates me a lot because I want to learn from others and understand where I may miss things

Very good comment, which brings this question: I am, too, a junior pentester. I work in a small city where it is very difficult to find other pentesters. Can I work as a pentester without having a more senior guy watching over my shoulder? I try very hard to do the best job possible, but knowledge is power. I can certainly find the "low hanging fruits" and even the medium ones, but where I can maybe find one or two high ones, I am not sure at all if I had missed a few...

Title: Re: Pentest: Working in team or alone?
Post by: T_Bone on September 27, 2010, 04:07:12 PM

@H1tM0nk3y - I hear ya!
I too perform tests and 9 out of 10 times I will find XSS, XSRF, Logic Flaws, Access control issues, but have certainly realised that blind SQLi is not my strong point and am almost sure I have missed it on some tests... Format string vulnerabilities are not so easy for me either.... I have been doing this for almost 6 months so am new to it but really really have a hunger to know that I have covered all areas.... Apparently my work is being checked by my more senior team members but what does "checked" mean? If they are not performing a thorough test, surely they will only pick up the low hanging fruit also??

Title: Re: Pentest: Working in team or alone?
Post by: H1t M0nk3y on September 27, 2010, 06:14:46 PM

T_Bone, we are in the same boat...
And I see another one coming: being asked to be an incident handler at the last minute... Where I work, no one can do this job. Yes, I see this coming big time... In this case, I will only accept to do it while a more competent company takes over (like, within an hour or so!). I could definitively stop an attack, but I will certainly screw up forensic evidence and so on. Like being junior in the pentest world (but at least not in IT!), every security problem comes to me since I am the only one where I work who "can" handle these things. I guess I have to see it as if I don't do it, no one will. But that being said, I am not a complete ignorant either! ;)

Title: Re: Pentest: Working in team or alone?
Post by: facsimil3 on October 20, 2010, 11:50:41 AM

In my personal opinion, it's always better to have a team, since working with other guys can be less stressful and besides can help you find out the things that you are missing.
You can't be a guru in everything. Besides, you have somebody to talk to and discuss other ways of performing the tests. ;D

Title: Re: Pentest: Working in team or alone?
Post by: T_Bone on October 21, 2010, 06:02:33 AM

@ facsimil3
This is exactly how I see it! :)

Title: Re: Pentest: Working in team or alone?
Post by: H1t M0nk3y on October 21, 2010, 08:05:00 AM

I think we all agree on that!
The problem is that more often than not, this is a luxury we can't afford...

Title: Re: Pentest: Working in team or alone?
Post by: ckirsch on October 29, 2010, 09:49:31 AM

Did you guys see that Metasploit Pro now offers team collaboration for pentests? You can all see the activities of all other members and create a report covering all team activities at the end:
http://www.rapid7.com/products/metasploit/features/team-collaboration.jsp

Here's the trial version download: http://www.rapid7.com/downloads/metasploit-pro.jsp