TL;DR: I have shifted more to the blue team side of things as I have progressed in my career. Not out of a lack of love of pentesting, but more so because I am always curious about what I don’t know, and hopping over the fence was an easy way to learn. This has been a great opportunity personally and professionally, and I encourage fellow pentesters to give it consideration.
Ever since I first discovered hacking in high school, I had wanted to be a pentester.
No other career path or title fit me spiritually. I would go on to get a degree in Computer Forensics, sure, but only because they didn’t have a PhD program in Hacking. I spent nights and weekends doing CTFs, practicing buffer overflows, attending cons, and generally living in the infosec space. When I finally did land my first freelance pentest job, and later got hired on as a full-time pentest consultant, it felt like I had everything I wanted.
But around the four-year mark at Surescripts (c. 2023), roughly six years into my pentesting career, I started to get a bit bored with things. Software at a company like that does not tend to change drastically from one year to the next, so testing the same app lineup year over year became tedious. New apps would be added to our list, and that provided some excitement, but they largely worked on the same data and processes as other apps, so it wasn’t like it was a whole new toy.
So I asked my boss if I could help with the SDLC side of things, advising and mentoring the developers on security matters. He did one better, and handed over the reins to our Security Champions program. I would lead semi-monthly meetings in which the security-minded devs meet and I cover topics ranging from the OWASP Top 10 to secure handling of in-memory data. Leading this program and the resulting goodwill between the Security and Development departments is one of the proudest achievements of my career.
And for a while that kept things fresh and interesting. From there I was invited to monthly meetings with some of the dev managers and architects to do vulnerability code review, improve our SAST program (and later migration), advise and mentor on security best practices, develop guidelines and procedures, and more. Even though it was a different set of mental muscles than pentesting, I found the work rewarding and it taught me a lot about the other side of the fence.
While continuing that work, an opportunity arose to peek over into the Incident Response team. We were in search of a new Director, and my Manager (who was the Acting Director) was out for a week, so for five days I held the distinguished but unofficial title of “Acting Acting Director of Vulnerability and Threat Management”. During that time, I reached out to the various teams under my purview to see if they needed help with anything: blockers I could work to remove, technical assistance they needed, escalations up the chain.
The Incident Response team ended up being my main focus for that week and for the months to follow. There was a need to clean up the response playbooks, address some bugs in need of squashing in our SOAR platform, implement process improvements, and provide mentorship generally. Given my background in security and automation, I fit the bill nicely. I may do a deeper dive into the process at some point, because I feel there is some value there, but essentially I:
- standardized the human-readable playbooks based on a template and example playbook I wrote
- fixed the high-priority bugs in our SOAR platform, cutting down on manual work and improving their response time
- formalized a Jira workflow to help track and remediate the bugs and feature requests from the team
- provided technical mentorship on everything from attack indicators to Linux basics to networking concepts
This process took me away from my pentesting responsibilities somewhat. My boss encouraged this, as the other pentester on my team had by this point been there long enough to handle it on their own for the most part. I could devote more time and expertise to a team that really needed it, and this paid off in the long run. It didn’t hurt that the work was new and interesting as well.
And that’s roughly where I am today. I am still officially on the pentest team, but I spend much of my time more on the blue team side of things. I am overseeing the migration to Google SecOps, which is both an exciting challenge and a shiny new toy. I’ve left behind a trail of closed Jira tickets, with more to come in the backlog. I’m working on formalizing an every-other-week informal training session called a “Lunch and Learn”, something I took with me from my Nagios days and which was hugely successful.
In closing, I’ve always liked the Purple Team concept: devs and pentesters working together to secure code; IR and red teamers working together to test and improve alerts; builders and breakers working toward a shared goal. And while I have a solid track record on the red side of things, I’m genuinely enjoying applying that to the blue. The interplay between these two sides of the same coin is one I am excited to see play out and evolve.
My heart will always be firmly rooted among buffer overflows and SQL injections, but the change of pace has been a welcome one and the knowledge and skills gained are valuable. I encourage any pentesters who are reading this to take a peek, even if only briefly, over the fence.