How to run a shit Pentester interview

Are you a security company, and trying to hire new staff? Want to do it poorly? Try out the following tips and tricks, broken into before, during, and after!

Job advertisement:

• Use vague, hip terms such as “ninja”, “code monkey”, and throw as many stereotypes as you can in
• Bonus points if this does not accurately reflect the culture of your organisation
• never list salary, expectatations
• No spellchecking. It’s for nerds anyway, and you want at least 10 typographic errors to show that your megacorporation is human
• The title is everything - Ensure it’s suitably vague, and could easily be spotted in retrospect as a policy orientated job, rather than a technical one

Try the following canned statements for your advertisement:

• “Looking for an exciting role?” - This shows not only that you are hiring (tick!), but the role is exciting.
• Ask for experience in a specific tool, such as “Kali Linux” or Metasploit
• If possible, ask for experience in tooling which is licensed - you only want experienced Cobalt Strike users here!

Qualfiications to look for:

• Bachelors degree, minimum for an entry level job
• 20 years in kubernetes
• Anything returned by “qualifications for penetration testers”

If you have any applicants, ensure to ignore their emails for a few weeks. Set expectations properly early!

During the interview:

• Always read from the script. Do not, under any circumstances, deviate from the script.
• Ask open ended questions to your interviwee, then stare blankly when they answer. Ensure to use lots of silence so they feel extra uncomfortable.
• Stay on your phone the entire time - make sure your candidate gets a taste of your management style. In consulting, this is called setting expectations :)
• On the topic of consulting, ask specific questions around when the candidate has had a project fail catastrophically. Do not, under any circumstances, acknowledge their growth since.
• Have a panel of 3 people, ensure to have at least one member walk out during the interview, only to walk back in and ask the same question twice.
• Ask questions about random boxes in the Offensive Security Certified Professional (OSCP) exam. People never forget such details ever!
• never engage in hypotheticals, or allow the question to be rephrased. Bonus points for reading verbatim, including grammar issues.

For the unimaginative, 100% billed out consultants out there that need some easy copy-paste questions for the important script, try out the following:

• What is your favorite tool?
• When phishing, what is your favorite template to use?
  • Put extra emphasis on template, and do not allow context specific answers!

It is awful to write out such obvious sarcasm - however if you’re running a hiring process like this, you’re making it way harder than required, and likely pruning out good candidates that can smell nonsense from miles away. This post came mostly out of my notes on previous, real interviews at large organisation(s), which I’m fairly glad I didn’t end up at!

On a more serious note, do the complete opposite - anyone who passes with the above is probably incredibly resilient, or is going to make your workspace a lot shittier, and you’re a dick for doing that to someone.