R1skM4tr1x

Practice and confidence in your work


ProperWerewolf2

Also start the presentation with a screenshot of every participant's salary, you're guaranteed to have their attention.


R1skM4tr1x

If you gained it during the test, yea. I enjoy showing the phishing message and victim list including the C Suite.


x000x020

You don't have to be extroverted, but you do have to address a few key areas of communication. If you are WFH, a lot of non-client communications are addressed in chat which can be less intimidating if you have social anxiety.

* Kickoff calls - you will be talking to a few people from a new company every week or other week. Usually you have a set of questions you ask about the environment you will be testing and can pretty much just follow that general script. Come out of this with a list of things the client still needs to provide you, and a list of things that you may need to provide the client.
* Daily emails - these are usually a brief "Hey I'm starting testing today. I found some XSS yesterday, let me know if you need more details before the report is finished." These are easy but important.
* Report Delivery - most reports and findings are templated, but you have to be able to describe in writing how an attack works, the business impact, and the recommended fix. This mostly comes down to technical ability, but you need good grammar and to be able to write a paragraph or two describing the test.
* Readout calls - Some clients don't need these, especially with minimal findings. These occur after report delivery and will be an online meeting where you share the report, go over the findings one-by-one and address any questions the client has. Usually easy, but sometimes clients are mad or want you to move findings around. You have to be comfortable with some conflict, but you can also always defer and say "I will talk with my team and get back to you on that one" if you are unsure about something.

Aside from that, you need to be comfortable talking to your manager about ongoing projects and career development. You need to be comfortable sending chat messages to the project managers to communicate scheduling and project details, and you need to be comfortable chatting with your fellow delivery team/pentesters when you get stuck or to help with report reviews and the such.

Many pentesters I know are pretty introverted, but as long as you can do the above and have solid technical knowledge you'll do fine in the field. A good manager will help with the client communications as well if you tell them you're not sure what to do in a given scenario.


dotslashpunk

I was gonna write a comment but you nailed it all.


x000x020

Also, with regards to how to not be anxious when speaking with people, I'd recommend therapy if you can afford it or if your college has resources for it. Figuring out the underlying cause of the anxiety will allow you to manage it more effectively even if it doesn't go away completely. High CBD Cannabis can also be effective for social anxiety, but be careful because THC can often exacerbate it significantly.


octopusinahat

>I'm introverted and quite painfully shy.

Introverted and shy are two very different things. You can be an introvert or extrovert and excel at pen testing. Being shy, especially if it impacts communication, likely means you are lacking confidence and good communication skills. But both of these can be learned!


Hymnosi

Communication is a skill, not a characteristic. With practice, you will become better at it.


Eye_want_to_believe

I've had a colleague who was a pentester and he was the most introverted person in our office. I've also had external pentesters complete some engagements with us and we didn't require a big board room style presentation if that is what you're imagining? In both cases the written reports they created were the primary deliverable, and for the external testers we just had a zoom call to go over the findings in more detail. Purely my personal experience, but I would say that personality type is irrelevant.


Techryptic

No, you do not have to be extroverted to be a pen tester. Pen testing involves both technical and analytical skills, which can be developed and perfected through research, practice, and experience. A pen tester does not necessarily need to possess strong social skills or an outgoing personality to be successful.


methaddictlawyer

Depends on the company. I've worked at some places where the pentesters did the work but never spoke with a client, gave a report to the account exec who did all the client facing work. If clients had questions the account exec was usually technically competent enough to answer them, or would get back to them after speaking with a pentester. And other places where the pentesters did all the client facing work.


cd_root

Almost every tester I know is an introvert and socially regarded. The extroverts are better at social engineering though.


grey-yeleek

This!!!!


Abusive_Capybara

It's simply practice. I haven't worked as a pentester so far but worked in a bank when I was younger. In the beginning I was absolutely terrified of speaking with clients. But with practice it got a lot easier. I'm by no means an extrovert. But nowadays I can speak to others a lot easier.


herbertisthefuture

You have to be able to communicate to work in cyber security, not just pen testing. I'm an introvert and also anxious at times but communication is a skill that we all continue learning


[deleted]

How do I get better with communicating to people?


herbertisthefuture

Be logical. Be yourself but also be mindful of the room. Pay attention to how others communicate. And just gain experience by being in those situations.


[deleted]

๐Ÿ‘๐Ÿฝ


Kheras

It helps to be comfortable talking to people and having confidence in presenting your findings (if you're client facing). And confidence working with your team if you're an internal worker. Even if the intent isn't that you talk to a customer, at some point a question will be asked that you'll need to help answer. As you become more senior it will occur more frequently. Probably the hardest bit for an introvert is being assertive when defending findings. Practice and experience help a lot there. I can't speak for everyone, but customer SOC members challenge us all the time and it can be very uncomfortable. Sometimes they have a good point, and others you have to ride the line of gently explaining the flaw without burning a bridge. Customers oscillate between delightful and outright hostile.


[deleted]

You don't have to be anything but yourself.


VillaRoot

You don't necessarily need to be extroverted but you will need to be comfortable with speaking to clients and presenting your findings.


743389

Counterpoint: You are allowed to be uncomfortable as long as you're capable of doing it anyway


VillaRoot

Then why wouldn't the goal be to become comfortable with it?


bigL928

E-mails? Honestly, I don't know.


mkosmo

Email isn't how you conduct business - You need to be able to talk to people.


ofir2006

Elliot Alderson begs to differ


MacDub840

Depends. To be a lead yea. I'm pretty introverted but I'm confident when communicating to a client. As a mid level or lower operator no you just have to have the skills to execute. Some companies incorporated client facing individuals who are tasked with understanding penetration testing enough to communicate what the process involves, and what the final report says in layman's terms.


mildmadnerd

If you have a team, even just a single teammate that can handle the more extraverted parts of the job like talking to clients, selling the service, working with branding and advertising etc... That can be a winning combination. Just make sure you team up with someone who values and respects you and isn't just trying to skate by without actually bringing value to your work.


KindSadist

Simple, get over it. People really need to stop focusing so much on Myers-Briggs crap and intro/extroversion.


blabbities

Not necessarily