
Fri, 27 Jun 2014

The SensePost Academy: Wrecking Balls

There is a serious skills shortage in our industry. There are just not enough skilled hackers out there to fill all the open positions. In November of last year, I proposed a new approach for us at SensePost to address these concerns. I looked at what we could do as a company to ensure the next generation of hackers were being educated correctly (no, it's not about how you use a tool) and moulded into what we, at SensePost, perceive to be good penetration testers.


I termed this the SensePost Academy and it is a structured training programme for all new recruits looking at a life at SensePost in the Assessment team. It is a combination of basic technical + offensive attack approaches and client interaction skills that provide an excellent stepping stone for those looking at starting a career as a penetration tester. The academy runs for a period of six months, finishing with a final culminating exercise (CULEX) before the decision is made to accept the recruit into the assessment team as an unmonitored penetration tester. The SensePost Academy Review Board (SARB) oversees each recruit and is responsible for grading and testing the recruit on each phase, in addition to mentoring (or should that be tormenting?) them.


Interviews were performed. We wanted the right recruit and had to turn down a lot of people in the process, but we did find two gentlemen and, as a team, decided on our first ever recruits.


On their first day, we reminded them that they were recruits and as a result, needed a special theme tune:



This theme tune would be played whenever they were addressed and as often as possible.


Over the past six months, they've been on many training courses internally, been shown the ways of the pwnage by the assessment team, presented at conferences and also developed and broken applications. Each phase was carefully monitored by the review board to ensure they were being moulded into a form we felt was right.


Finally, the CULEX week was upon us. A client application assessment (fictitious German company) and client feedback meeting. No hand holding, just perform the test like you've been shown and don't mess up.


After making them sweat, we took a vote this morning and I'm happy to welcome both Johan and Dane to our assessments team as Junior penetration testers.


If you think you'd be a good addition to the next academy intake, we'd love to hear from you. Tweet us on @sensepost or email us at jobs@sensepost.com.