Schellman's Associate Penetration Tester Position: What to Expect
When you’re applying for a new job, you have your reasons—whether it’s to find a new challenge or to escape a toxic workplace, you want to trust that somewhere else will be better for you and your career. But when you’re sending off applications, it’s hard to know what you might be getting yourself into—most times, you won’t know until you’ve signed your new employment contract and are in a new set of weeds.
That uncertainty of not knowing whether you’re picking the right place can be uncomfortable, and the cybersecurity industry is no exception.
Maybe you've been in IT for decades, or maybe you're a security enthusiast who is ready to make your hobby a profession. For security professionals who either want to up their game or those considering a career move into penetration testing, you might be interested in Schellman’s Associate Penetration Tester position.
Even still, you may have lingering questions about what you’re really getting into, as well as what you can expect regarding the benefits and/or the real day-to-day experience.
At Schellman, we try to be as transparent as possible—we want to provide a fuller picture than most of what it’s like to work here. That’s exactly what we’ll do in this article—we’re going to go over what an Associate Penetration Tester at Schellman is and does, as well as what you can expect and what’s expected of you.
These details will either save you time in applying or help solidify your decision to apply—that’s a win-win, so read on for more.
What’s an Associate Penetration Tester at Schellman?
- Someone passionate about cybersecurity
- Someone who stays up to date with the latest attacks, tools, and security practices
- Someone of sound moral and ethical character
- Someone who can:
  - Perform real penetration testing with manual and automated tools alongside a Senior Penetration Tester
  - Write technical reports
  - Be vocal and speak up when they have questions or suggestions
  - Learn new processes and techniques
  - Be trained to lead projects
Given all this, it’s important to know this position isn’t an internship or a temp position, nor should it be your first job in the IT industry.
Associate Penetration Tester Requirements
In fact, one of the first steps to becoming an Associate Penetration Tester at Schellman is to complete our custom-developed CTF to ensure you meet a baseline level of proficiency. Details of the CTF include:
- You’ll have 1 month to begin the 24-hour exam.
- It covers network, web application, and mobile pen testing.
- To pass, you’ll be required to score at least 85 points.
- If you fall short, you’re welcome to reapply after 6 months.
Even if you don’t pass the first time, our CTF benefits you in that, going forward, you’ll know the types of challenges the team faces and the requirements of a demonstrable level of expertise. But to begin your interview process with us, you do need to meet that point threshold, which will demonstrate that you’re familiar with the types of issues we come across daily.
As an Associate Penetration Tester, your main goal will be to learn as much as you can, including the facets of penetration testing, with the end goal of performing assessments on your own. But you won’t just be thrown into the fire—we provide a wealth of resources that become available to you starting on day one:
- Buddy Program: You’ll be assigned a Senior Penetration Tester who will be your direct line for all of your technical and Schellman-related questions.
- Pen Test Baselines and Documentation: We keep an extensive internal documentation site detailing our daily procedures and methods, including documented unambiguous methodologies for each category of penetration test we perform—that takes a lot of the guesswork out of testing.
- Finding Library: We also have a finding library that contains several years of templated findings you can leverage for your report writing.
- An Available & Knowledgeable Team: If you’re lost, ask your team members with years of experience in the security field—we are available throughout our work day.
All this helps simplify your first steps here, and these resources will remain available as you move through Schellman’s goal-oriented training path designed to improve your skillset while performing real work.
What’s a Typical Day as a Schellman Associate Penetration Tester?
Once you are comfortable with our team, processes, and expectations, you’ll be assigned to a project alongside a Senior Penetration Tester. So, what will that look like? Here are three key facets of the job.
1. Penetration Testing
Of course, this is the first and primary responsibility.
Every 2 to 6 weeks, you’ll be given a project to work on—the duration will depend on the project scope. You’ll usually be working on different clients project-to-project, and that may mean performing different penetration testing services:
- External Penetration Testing: Attempting to exploit vulnerabilities from an unauthenticated external perspective.
- Web Application Penetration Testing: Attempting to exploit vulnerabilities inside of a web application or API from an authenticated and unauthenticated perspective.
- Phishing Exercises: Designing and submitting a crafted campaign to lure targets into submitting credentials.
- Internal Penetration Testing: Attempting to exploit vulnerabilities on an internal corporate network, starting from a compromised machine or an assumed breach scenario.
- Mobile Penetration Testing: Attempting to exploit vulnerabilities inside of iOS/Android applications.
- Client-Side Application Testing: Attempting to exploit vulnerabilities inside desktop applications.
More often than not, these different tests and projects will serve our compliance services. Many compliance frameworks, including FedRAMP and PCI DSS, require some form of a penetration test.
2. Report Writing
While the testing itself is the crux of the work, you’ll also need to report the results using our custom penetration test report writing software to create a consistent report for every engagement.
Reports are provided to our clients after project completion, but don’t worry: we have templates for you to use.
3. Client Contact
That won’t be the only time you interact with the client—be prepared to communicate with them via e-mail and video calls regarding testing progress, including high-risk findings.
Those status updates are weekly and you should expect to answer technical questions on these live calls, although the project manager will be there to back you up. You also may be asked for separate troubleshooting calls to diagnose testing impediments.
Pay and Benefits for a Schellman Associate Penetration Tester
Speaking of benefits, Schellman offers a highly competitive compensation package that factors in performance, years of professional experience, and years with the company.
Here are some of our other unique benefits, aside from compensation:
- Minimal Travel: Our penetration testing positions are largely remote.
- Technology Reimbursement: A monthly reimbursement to assist in covering Internet, mobile phone, and other expenses.
- Paid Time Off: In addition to Federal Holidays and standard PTO, there are weeks the entire firm shuts down, as well as time off provided specifically for doing volunteer work.
- Retirement: 10% 401(k) match (opt-in w/ 5-year vesting period)
- Professional Training: We highly encourage professional development. For most certifications, we’ll pay for it and give you some time for training and the exam. Conferences are also encouraged.
- Practice Development: Dedicated time each quarter is provided so team members can take training, work on research, develop tools, and advance their knowledge.
There’s also our annual long weekend for our corporate retreat—that time is spent celebrating together at a chosen destination.
Interested in Joining the Team?
That may sound pretty good to those interested in penetration testing and cybersecurity. Though there is an expertise threshold you’ll need to meet before you can come aboard, you now have the information to help you make the right employment decision for yourself.
If you’re already interested in joining the team, check out our careers page for current opportunities. But if you’re still on the fence and want to learn more about Schellman, here is some more content that’ll shed light on the work experience and culture here, including specific penetration tester perspective:
About JOSH TOMKIEL
Josh Tomkiel is a Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.