So, pentester, what do you do?

[plik]

Since I'm looking at this as a career path I wanted to ask "what's an average day at work for a pentester?"

I know the answer will vary from job to job (and skill set), but I'd like to know the range of tasks out there. Do you just run standard tools against an IP? Poke holes in web apps by hand? Social your way into a building and install hardware keyloggers? Spend 80% of your time writing up reports? Is your life more "office space" than "war games"?

Obviously I'm after generals rather than NDA-breaking specifics

Thanks,
plik

[shawn]

For me alot of time is spent in the upfront work of the sale as well as the actual testing.  We have the sales staff to do it but the actual testers are always involved in the sales process from the beginning.  We do everything from the proposal, billing, testing, report writing, and presentation, our sales staff only gets the leads.  In some of the larger organisations they have staff dedicated to some of this stuff as well as dedicated people to write or help review their reports so I am assuming that if you get into a larger consulting firm you would get more face time testing.  On the other side if you ever want to go out on your own you will need the other skills as well.  I would say that I spend on an average week 30% testing, 20% selling, 25% report writing/presentation and reviewing others reports, and 25% work in lab environment testing tools and methodologies and reviewing information similar to this forum and others.  On average  I am doing 2 or 3 internal tests a month at 3 - 4 days each and 4 or 5 external tests from the office coming across the internet at there firewall and public facing DMZ.

[plik]

Cheers shawn,

I'm glad to see there's a sizable portion of testing new things in there. Too many jobs have "keeping up to day with new technology" in the job description then give you no time to do it in work (I'd be doing it anyway, but it's nice to see it recognised).

Thanks
plik