
Pentester Diaries Ep3: Time Management & Pentest Organization

Welcome back to Pentester Diaries, a podcast series that aims to take off the hacker hoodie and have a real conversation about this growing profession.

In this episode, Jon Helmus talks with Matt Buzanowski, a longtime offensive security professional who has done everything from Red Teaming, mobile, physical pentesting, social engineering, and more. 

Listen in on the conversation, as Jon and Matt talk about two important concepts related to pentesting: time management and pentest organization.

Pentester Diaries is multi-formatted, with audio, video, and written versions of the episode below.

Prefer to read the episode? Below you can find a transcription of the podcast:

Jon Helmus: [00:24]

Welcome everyone to this episode of Pentester Diaries. I'm Jon Helmus and I'm here joined by our guest Matt Buzanowski. Matt, how are you sir?

Matt Buzanowski: [00:34]

I'm doing good, Jon. How are you?

Jon Helmus: [00:35]

I'm doing very well. Thank you for asking. So, Matt joins us today to talk about an interesting topic that a lot of us in the cybersecurity industry really have to one, utilize and then two, excel at because otherwise, we can become victims of our own exhaustion. What is that topic that we're going to be talking about today?

Today, we're going to be talking about time management and then for those of us in the Offsec community, we're going to be talking about pentest organization. So Matt, with that being said, before we kick off the topic, we know who you are but I would love for you to tell the listeners and everyone listening a little bit about yourself.

Matt Buzanowski: [01:14]

Sure. I have actually been a professional penetration tester for well over 10 years. I'm also a U.S. Army veteran. I've worked at numerous Fortune 100 companies that stem from multiple verticals. I worked as a consultant for a while as well where I functioned as the Internal Red Team Practice Manager. Currently, I actually went back to another Fortune 100 finance company and I am one of the members of the Internal Red Team there.

My experience as far as penetration testing is concerned, honestly, it ranges the entire gamut. I've been doing it for a while so host network pentesting, all the way through mobile, social engineering, physical security assessments, full scope blended threat assessments - I've pretty much done it all.

Outside of that, I am a father of three and a husband to a beautiful wife. I've been with Cobalt for almost four years now.

Jon Helmus: [02:22]

Four years, wow! That's quite a while.

Matt Buzanowski: [02:25]

Four wonderful years.

Jon Helmus: [02:27]

Nice. One, you said the word veteran, first of all, of course, thank you for your service, sir. From one vet to another: U.S. Navy, 2010 through 2014.

Matt Buzanowski: [02:40]

Awesome, very cool.

Jon Helmus: [02:44]

Awesome to see that there are veterans in the Core giving back and even more awesome that I get to talk to one today. And then one of the cool things that I got from that too was that you have a very vast amount of experience in different fields. Before we even start kicking off on the topic, I think it kind of goes around pentest organizational skills and things like that, is how have you managed to pivot from one type of offensive technique to another offensive field to another offensive field, if that makes sense?

Matt Buzanowski: [03:19]

Yeah, it does. I think it's a bit more difficult, honestly, for people that are coming into the industry now because they have so much to choose from in terms of target type, technologies that they're dealing with, all sorts of things. So, it's extremely overwhelming.

For me, since I came into this a while back and I know I'm dating myself, but there was not as much to choose from and the technologies weren't as complex yet so I had the ability to kind of build that skill set. First, it was network, your typical network penetration testing, host infrastructure testing. Social engineering's kind of always been there. Phone calls, emails, things like that. And then, when web and mobile really started to come into play, I had the ability to see that growth from static HTML pages and looking through that type of thing all the way to complex JavaScript applications like we deal with today.

For me, it was kind of a little bit at a time picking it up, picking it up, picking it up, until finally you look back at all that experience and wow, it's been quite a road. But I mentor a few people and they all say the same thing. Now, coming into it, it's very drinking from the firehose.

Jon Helmus: [04:46]

Yeah, 100%. As a mentor myself, I hear the same thing or I even get the question of, "Jon, where should I just even start?" because there's so much information. And even as a mentor and I think I'd love to get your input on it is that even as a mentor and telling an enthusiast looking on the outside trying to get in, most of the time I just tell them, "Hey, you got to tinker around with what you think you might like and see what catches your eye and what catches your niche, right?"

Matt Buzanowski: [05:20]

Yeah, that's right. I think that people that are trying to come into the industry, they focus too much on what the big need is. Like, I need to learn web apps or I need to learn mobile because there's a vast need for it right now and that need will continually grow. But is it something that you really love to do? Are you passionate about it? Because I'm sure we'll talk about this later. Burnout is going to occur very quick or a lot quicker in something that you're truly not passionate about and you feel forced into it just because you wanted to get a seat at the pentester table.

Jon Helmus: [06:02]

100%. We'll definitely loop back around because all of these things have to do with everything we're talking about today. With that being said, I think even from what we just mentioned a big thing is that you have a vast amount of resources and you have to kind of compartmentalize what you think is going to be important. And then let's say we can give different compartments for different priorities and you have to prioritize what's most important to you first, second, and third. A lot of that plays within time management and then even time management within pentesting or training to be a pentester. With that being said, why is time management so important when it comes to pentesting or even just trying to become a pentester?

Matt Buzanowski: [06:53]

I think overall, time management will ensure that you're going to increase your productivity and efficiency. You're not going to miss as many deadlines, hopefully none. When done correctly, it's really going to enable you to almost take on more projects but not have it feel like more work without the risk of overworking yourself. And also, honestly, it's going to lower anxiety and stress and decreases any type of procrastination that might occur. That's what I found at least. And honestly, I think one of the big things that not a lot of people associate with time management is the fact that you get some of your personal time back for you, if that makes sense. In other words, it's time to spend with your family or your friends or going out doing something that you love and then kind of getting away from the screen for a little while. Because continually being plugged in while it might be fun for a while typically leads to bad things.

Jon Helmus: [08:07]

Do you think that the struggle is real in the sense of not making it such an exclusive hobby for yourself that it's the only hobby that you have so it keeps you in front of the screen?

Matt Buzanowski: [08:20]

Yeah, it happened to me multiple times when I was going through doing a lot of the initial certification courses that I was really interested in. I burned out a few times because you put so much pressure on yourself to succeed and then you start looking at what other people are doing and you start kind of aligning that with what you should be doing, your expectations for yourself which is one of the worst things you can do in my opinion. But it happens all the time. Go on Twitter for five minutes.

I think having a hobby or having multiple hobbies outside of information security, for me, at least is key and it helped me to kind of take a step back, relax and then approach whatever problem initially burned me out from a different angle.

Jon Helmus: [09:17]

Yeah, you got to kind of like when you hit burnout, or you finally hit that mismanagement point that kind of makes you start to stumble rather than walking or running. Like you said, it's best to take a step back, get some hindsight and insight on what you're doing and correct yourself and also be humble with yourself and understanding too that like, "Hey, this didn't work out," and understand that, "Hey, it might happen again just because of the way how things flow," but recognize it if it does start to come back up.

Matt Buzanowski: [09:46]

Yeah, unfortunately, one of the things this industry does very well is put a lot of pressure on people to succeed and to be better than their peers in some respects. People get too focused on that and really that's going to lead to burnout very quickly.

Jon Helmus: [10:06]

Yeah, and there's so many topics around what causes burnout and just kind of circling around with that is it's from the expectations that we put on ourselves. I was reading an article not too long ago where it even talked about the glamorizing of extensive hours for cyber professionals.

Matt Buzanowski: [10:24]

Oh yeah. I've worked at a couple employers a while back where it was a badge of honor to put in well over 60-hour work weeks or sometimes more and really at that point, there's no quality of life outside of what your job is. I think for me, once I realized that was happening, it was too little too late at that point. I was already kind of on that downward spiral of losing my passion for information security and it took me a while to find it again and figure out what I was doing and what went wrong.

Jon Helmus: [11:05]

Absolutely. That burnout point where it's hard to recover from and there's so many research articles around, so many talks, I feel like - especially over the pandemic and all of the Zoom conferences between Defcon, Grayhat and Black Hat and things like that. There's always a couple burnout talks that talk about how to manage and avoid burnout, especially during the COVID era because we're just already in front of a screen all day.

Matt Buzanowski: [11:38]

Yeah, it's unfortunate but it's good that they're addressing it. It helps when people put together resources or topics or open forum discussions surrounding that topic, the topic of burnout.

Jon Helmus: [11:53]

Yeah, absolutely. It's like group therapy, man.

Matt Buzanowski: [11:56]

It is.

Jon Helmus: [11:58]

We're talking about time management and then we're also talking about pentest organization. To kind of pivot away from time management and more talking about organizing yourself during a pentest or as a pentester, just to go verbatim off the question is, what does pentest organization mean or what does it include?

Matt Buzanowski: [12:24]

If we're talking specifically about penetration testing, one of the biggest things for me is finding and implementing a repeatable methodology that's going to drive complete coverage on whatever tasks you're facing, whatever targets you're looking at. And the reason I say that is because sometimes if you don't have a repeatable methodology, you're just going to do what I call poke testing. It's like you're kind of drawn - especially on target-rich environments. You're going to start looking at pieces of the application or pieces of the network infrastructure that draw you in and you're going to go down that rabbit hole and before you know it, half the engagement's going to be over.

Well, at least with a repeatable methodology, off top of my head, a great one for web applications would be the OWASP testing guide. They're constantly updating that. I use it to kind of guide some of my testing from a very high level and to ensure that I'm hitting all the correct test cases. Using something like that is going to ensure that you can audit your time and identify areas that you may be able to automate without losing the value or the productivity that occurs during your testing. Does that make sense?

Jon Helmus: [13:49]

Yeah, it's an information flow and it's a map.

Matt Buzanowski: [13:52]

That's right. So, as long as you're not losing the quality of output, you should definitely look at automating where you can verify repeatable tasks. So, having that methodology, that repeatable methodology, it's going to ensure more efficient workflow. Aside from that, I live by my calendar and I'm a Trello user. I've been using Trello for a very long time as a Kanban board, and we can get into a little bit of that later if you want. But there are certain reasons that I use Trello or just use a Kanban board in general. Mentally, it helps to have columns such as "Completed Tasks" so that you're almost mentally rewarding yourself as you're moving things across the board to finally complete an invoice or whatever you want to call it, depending on what projects you're working on. That's another thing that I use or that I implement to help me during my organization and penetration tests.

And then you have the task that I think everybody kind of goes through is going to review the scope, interacting with the customers to ensure that any issues are cleared up before you start the test. And then diving into the methodology, completing the test and allowing yourself for enough lead time to deliver whatever final deliverable or report you owe the customer.

Jon Helmus: [15:24]

Yeah, the center compass that I'm getting from this and even just time management is that they intersect with each other very heavily and the big thing is that if you have a map and you follow through with that map and you don't let procrastination take over, you're going to see a lot more efficiency when you're pentesting. And then also, with your general time management skills rather than during a pentest or just in general, you're going to see a lot of that, your time giving back as opposed to where you talked about with pentesting. If you don't use a map then you're going to essentially find yourself in a rabbit hole and then halfway down you're going to be like, "Oh wait, half the engagement's done and I haven't even done anything."

Matt Buzanowski: [16:12]

Yeah, it's something that I see newer people falling into, that type of mindset, unfortunately. It took me a while to figure it out, too, just to ensure that you're producing a solid penetration test for whatever client you're working with. They might have requirements for the tests that you're not even aware of unless you talk to them first. For example, I just worked with a client with Cobalt that said that they were extremely interested in authorization and authentication issues only. They didn't care about anything else. And I assured them that I was going to put special focus on those areas but then I also relayed that, "Well, while you are really interested in those areas, we still have to ensure coverage. We have to ensure that I'm not walking away from this test and somebody hits a cross-site scripting issue that I missed." And they understood after I talked to them for a while. They completely understood my point of view and I ensured that the focus was put where they wanted it within the time that was allotted. But constant communication with your customer and your client is going to drive a lot of how you're managing the time for specific tasks through your test as well if you're working with a client. I mean it's different for different environments. But if we're talking about from a consultant point of view, then it's very important.

Jon Helmus: [17:46]

Absolutely. There's all these models and tools. There's so much information out there to help us and guide us, so why not use them? I mean, as pentesters, we're already really focused on a very low-level kind of skill set so if we have ways to automate some of the more non-technical tasks such as just creating a model to guide us during the pentest, we can focus more on the technical portion which is essentially going to provide the better impact for the organizations that we're working with.

Matt Buzanowski: [18:20]

Yeah, and it's more fun. I mean everybody wants to dive into the technical details and the tests and everything and have fun and find that really niche bug that's sitting somewhere in there. That's all cool. The ability to allow yourself more time for those tasks is developing boilerplate language for your findings that don't contain client-specific data, things like that. That type of stuff is going to make your reporting more efficient, better as far as content goes because you will have had the time to tailor those findings and that language to where you can then massage it and ensure that the clients get the correct information to help during mitigation. That's another thing that I've done, same with reporting, templating and everything. I'm pretty sure a lot of other people do it as well. But again, it allows you more time to focus on the things that you would rather and decreases the overhead of more administrative tasks.

Jon Helmus: [19:31]

Absolutely. I think this is a good point to segue into the next topic which is more around just general time management and burnout. Feeding based off of what we were just now talking about is, this is kind of a two-part question and then we can have a follow-up from that. One is, how do you personally manage your time? You're someone who has a very big day job and then you also do some moonlighting as a pentester here at Cobalt, plus you have a family. You're doing a lot of different things. How do you manage your time as a professional and individual and then also throughout your pentesting day? And then to follow up with that too, how do you avoid burnout or stress during the day through the week, the month, whatever it is that you have to do to get things done?

Matt Buzanowski: [20:29]

Sure. It's a constantly evolving process, figuring out what's important, your priorities, what tasks are coming up next week. To start with that, really, auditing your time for me was a huge deal. Starting with an audit of your daily tasks, seeing really where your time is spent during the day is going to tell you a lot about what's important, what's not and what can be cut out. What bad habits need to go so that you can create a more efficient schedule during the day?

Aside from that, once you kind of have that audit completed, like I mentioned before, automating repetitive tasks is huge. It's a huge deal and it's going to free up a lot of time for you to concentrate on things that you deem more important. So, I do a lot of automation as well. I mean it doesn't even have to be just technical automation. It can be automation of creation of calendar events or something for things that I know occur every other week. So, live by the calendar like I said before, but usually I like to ensure that there's some redundancy with the alerts that I'm receiving, and this probably has to do with me coming from the military. But you never want to be late for anything, always 15 minutes early.

Using Trello to map out all my tasks was a huge thing. And then before the beginning of each week, typically on Sunday night, I will evaluate everything I have going on for that week, readjust priorities as needed and then that way I can ensure that my upcoming week is custom tailored to include all of the priorities and the tasks that I want to complete that need to be completed and the time that they need to be completed in.

Jon Helmus: [22:34]

Absolutely. I love that you say live by your calendar and I think a lot of people say that and sometimes it can be a struggle to try to do it just with the automation of your tasks. I've heard some folks say, "Live by your calendar but also don't become a victim of your calendar."

Matt Buzanowski: [22:57]

That's right. This actually brings up a great point. Useless meetings - get rid of them.

Jon Helmus: [23:08]

In a perfect world.

Matt Buzanowski: [23:10]

Oh, I know, I get it, but I'm just saying people having meetings about meetings, you've heard all the jokes about enterprises and it really happens, too. It's unfortunate. But getting rid of as many of those types of - I hate to use the word useless but it really is.

Jon Helmus: [23:27]

Redundant.

Matt Buzanowski: [23:28]

That's a better word, redundant meetings. Getting rid of those, again, it's just going to free you up to do what you need to do and you're not going to become the victim of your calendar. Your calendar is not going to rule your life as much as your calendar can become an asset in ensuring that your stuff is getting completed on time and that you're not late for anything.

Jon Helmus: [23:52]

With all that, we kind of set up the stage of you get your methodology in place for your technical and your non-technical things. You have your calendar in place. You have all of these tools in place to help your success. However, the human mind is a funny thing and can interpret things differently and can also make us feel things differently. With all of that, what happens when you start to feel stress overload? You start to realize you're going to hit burnout. How do you avoid that? And then two, on the flip side of it, this is something that I really wanted to ask because a lot of people don't ask it is, what do you do if you do hit burnout? How do you recover from that? How do you evaluate it and assess it?

Matt Buzanowski: [24:42]

Sure. So, we touched on this a little bit earlier but ensuring that you - so first of all, how do you avoid burnout? I'll just start there because I'm going to go down a rabbit hole with the other thing. But I'm going to come off sounding like a parent because I am. Eat well, your diet plays a lot into it. Again, this is something that I learned the hard way when I was working a lot, a lot more than I am now and everything. Just the lack of eating, constantly plugged in, played a huge part. I found out later on into that kind of burnout that occurred. Eating right, lots of exercise. I run marathons. I have become huge into running lately. But honestly, it improved my attitude a ton. It doesn't even have to be running. Any type of walking, cardiovascular activity, anything that's going to get you away from the screen, hopefully either outdoors or at the gym or on the treadmill or whatever. And then that way you have the ability to clear your mind while reaping some of the benefits that come from getting exercise.

Adequate sleep is another one. We touched on this earlier but getting the right amount of sleep is a huge deal because that in itself is a big contributor to burnout. And again, I mean if you're overworked, you're tired, I can guarantee your attitude is not going to be the best. If you're anything like me, your attitude will not be the best if you don't get enough sleep. And you know it's crazy because it's not only going to affect you but it's going to affect the morale of people around you. You don't want that to happen especially if you have to work with people every day. You're on an internal team or even as a consultant. You're on a team of some sort. You're interacting with clients. Having that type of morale kind of erosion that occurs from those things isn't necessarily a good thing. So, lots of sleep.

For me, going outside, appreciating the outdoors, just stuff like that, being with friends, family, and just relaxing and having fun once in a while because at the end of the day - I mean penetration testing is great. I love it. It's my life. But you have to unplug once in a while.

Jon Helmus: [27:30]

Absolutely. I recently got an article published by Security Info Watch and one of the bullet points I had mentioned there was - and this was talking about things to expect when coming on to a new job but it even falls in line with this - "Don't underappreciate the power of a walk."

Just being able to get - because you physically remove yourself from the building, whether that's one you're in or your house, and you're literally distancing yourself from the computer, you know I do that. Sometimes I don't even take my phone, especially now that we work from home. I'll just tell my spouse, "Hey, I'm going to go for a walk. I'm going to leave my phone here." I always recommend that to anyone if they're able to do that, just leave technology behind and go for a walk. I think even Bill Gates kind of created the epitome of the power of a walk because he talked about all his great ideas that came from reading hundreds of books and then just taking a walk and then letting ideas digest.

Matt Buzanowski: [28:43]

Another thing that I didn't mention was the idea of mindfulness. I've become really big into meditating as well. For me, it works. I like it a lot. I know some of my friends think it's silly but for me I absolutely love it. Once usually during the day around lunchtime. Set time for myself, relax, escape for a little bit and then get ready for the second part of the day.

Jon Helmus: [29:08]

Absolutely. I'm not sure if we touched on it. Did we touch on what to do if you do hit burnout?

Matt Buzanowski: [29:15]

From my experience, like we said before, kind of unplugging, getting away and then coming back to that problem from a different angle as far as rekindling the passion, just realize it's not going to happen all at once and that can be extremely frustrating. I know it was for me. But allowing yourself the ability to kind of heal, come back, maybe get involved in something else that isn't in the same area of information security but some other niche part of information security, reverse engineering, something else that you've been wanting to get into for a while but maybe haven't had the ability. I've also found out that getting into something like that starts to rekindle the passion a bit quicker because you're learning and at the end of the day, if you're anything like me and I know a bunch of the other community, the continuous learning in this job field was one of the major attractions for all of us.

Jon Helmus: [30:19]

Absolutely. Yeah, I like how you said kind of go back to what interested you in pentesting. Like you said, it's that continuous learning mindset. To go back to your fundamentals, go back to your initial interest and just find a different topic.

Matt Buzanowski: [30:34]

Yeah, absolutely.

Jon Helmus: [30:37]

I love that. With that being said, you had mentioned some tools that you use - maybe for our listeners, you could give out a list of a few tools that even if you already mentioned them or if you haven't mentioned them, what are some of the things in your tool bag that you use to organize yourself?

Matt Buzanowski: [31:00]

Whenever I get a new Cobalt project, I'll kind of walk through my methodology real quick or whatever my first, second, third steps that I do. When I get a new project, I put that project and the time span of that project right onto my calendar and this could be any calendar. I work on a Macbook. I just use the native calendar application and then that syncs up with a couple of my different Gmail accounts. I ensure that it's on there with a reminder and then I ensure that if I'm the lead on the project the report date, that SLA, is covered as well with the reminders so that I'm consistently delivering the report a day before it's actually due at the least. So, that's the number one thing I do.

The second thing, I mentioned Trello. I have Trello and I can go through it, but I wanted to go through some of the columns real quick that I put in here. You've probably heard of the same type of setup with any Kanban, but I have a planned column that goes into that hopper basically, that queue. And that queue is exactly what it sounds like. It's the test that I have coming up, so I know what the start date is going to be. Trello also allows you to designate a start and an end date so you have the ability for those visual cues which I like a lot. I'm not trying to sell Trello or anything here. I promise I have no stake in Trello. But from planned, it'll then go into progress, then into reporting, if you're a lead, and then into delivery. Like I was talking about before, having some sort of completed or delivered column mentally helps you kind of celebrate small achievements. I know it might not sound like a big deal, but it always feels very good to move it into the complete or the delivered column because we know that one's complete, everything's been delivered, all requirements have been met and you can go to the next one in the queue. And before you know it, honestly, five, ten, whatever tests will start peeling through and you look at your completed column - "Did I just finish all those? Wow!" Three months later or whatever, four months later, I've already finished all those. These are great.

So, I use that as well and honestly, I don't really use an extensive toolset. I make use of whatever is native to my iPhone as well. Just anything that's going to signal you that there's something that needs to be delivered or there's something that's coming up. That's it. I try not to take it to too much of a granular point as far as project tracking just because me, as a single person doing these projects, I don't need to get too granular because then that creates more overhead and we're trying to strip the overhead away and trying to get down to what we love to do, not necessarily too much of an administrative task.

Jon Helmus: [34:20]

Absolutely. Don't underestimate the power of a Kanban board and don't underestimate the power of those little wins. Even I do the same thing. I use a different - I don't use Trello but I use a different app that does the same thing essentially and just tracks your progress. And even if you're like, "Okay, needed to recon today," and then you check that off and then you see it, it's like an achievement for the day. Even that little win is just like the right kick in your motivation.

Matt Buzanowski: [34:47]

Now, you brought up a really good point. So, for daily tasks, I accidentally left this out but the reminders application for Apple, for macOS, I use that every single day. What I'll do is I'll divide whatever tasks I have on my calendar so that again like you were talking about I can check them all. I really think that's it honestly. I set Slack reminders a lot. I use a lot of the great tools that are available in the Cobalt Slack to my advantage but nothing too granular because it'll just create more work.

Jon Helmus: [35:26]

Well, there's always the SSS model, "Keep it short, simple, and sweet."

Matt Buzanowski: [35:30]

That's right.

Jon Helmus: [35:30]

Don't over complicate things.

Matt Buzanowski: [35:33]

You can't, seriously, because then like you were talking about before, the calendar becomes in charge of you instead of the other way around.

Jon Helmus: [35:42]

That is for sure and I think sometimes we all know that's happened. We all know to avoid that but I think, humbly speaking, we'll practice it but it still can be an issue.

Matt Buzanowski: [35:56]

Yeah, definitely.

Jon Helmus: [35:59]

Awesome. With that being said, before we start closing up here, you had mentioned how you organize yourself when you're a lead on a Cobalt project or even in your day job. How do you organize your team? Do you use essentially the same skill sets, the same methods, or is there anything that deviates?

Matt Buzanowski: [36:20]

They are different and that's due to the fact that Cobalt has different requirements for their leads. Things that have to occur during the project are different from my internal team where things that occur during those projects or during those engagements are a little bit different just because of the nature that we're dealing with not external customers but our internal co-workers when we're performing tests or offering services.

For Cobalt though, I typically start the engagement with some sort of introductory post to let everybody know that I'm available, I'm there just in case anybody has any questions. That includes the testers and obviously the client as well. After that, I typically go to review the scope and if I have any questions at all, I engage in discussions with the client right away.

Make sure to address any tester questions right away and I bring that up because the past few engagements, I've had the pleasure of working with a couple of new people, people that are newer to the Cobalt platform and they had a lot of questions about how things work and things like that. I make sure to address those right away because then, there's no impact to the test timeline later on and it's good that they have the questions. I'm not saying it's not by all means. I mean they're new to the platform and honestly, I like when they ask questions because it gives me the ability to kind of ensure that they get the direction they need right away without too much delay which again helps the client.

After I've addressed any questions that the testers have, during the engagement, I tend to keep an open dialogue with the clients as much as possible. I know that Cobalt is huge on making sure that there's a good bit of constant communication with the client. I think it's very, very important and I agree.

One of the things I loved about being a consultant, believe it or not, was actually working with the clients. I really do. I enjoy working with people just as much as I do with testing. I try to ensure that we're meeting all the marks, meeting all their requirements during the tests. And then after that, I typically send out obvious test updates during the test and then I will have a reminder usually saying the end of the test is coming up. That signifies that I need to go back around and make sure no one else has any issues, there are no tests remaining, the coverage tracker has been filled out completely, and all the typical Cobalt requirements for a lead, and then just doing a quick recap with the team and the client to ensure that everyone is good to go, everything's satisfied. Let them know we're moving into the reporting stage and when they can expect that report.

After that, at that point, I already have a lot of the boilerplate language done for the report and I'm filling in technical details at that point, things that are specific to that test. That's it, honestly. And then I send out my final update, letting them know that I have delivered the draft report into the internal QA process and they should hear something soon.

Jon Helmus: [40:09]

Yeah. Sticking to those fundamentals, man, it's all about how you're managing your time and how you place everything in front of you to make sure that it works for you and then in this case it's going to hopefully work for everyone.

Matt Buzanowski: [40:23]

That's right, yeah. It's discipline. That's really what it comes down to is having the discipline to follow your own framework.

Jon Helmus: [40:31]

100%. We always hear it, too. If you want to get something done, you have to put in the work.

Matt Buzanowski: [40:38]

It is true. But I mean after you do it a good bit of times, a lot of rotations, it becomes like clockwork.

Jon Helmus: [40:47]

Absolutely. All right, Matt, well thanks again, man, for being on the show today. We're coming here to the end to close out. But before we close out, I'd love for you to just give a quick recap for all the listeners that are listening in on the show: what are the three big takeaways from what we just talked about?

Matt Buzanowski: [41:10]

I think that the first big takeaway is probably making sure you're auditing your time because that's the perfect place to start. Audit your time, make sure you're developing a plan to get rid of things that aren't necessary. The next thing would be finding pieces of your day or finding tasks that continually repeat, repetitive tasks that you can do some sort of automation or something to ensure that you're not consistently manually doing a repetitive task over and over.

And honestly, I think the final point is take care of yourself, just make sure that you are getting enough view time that you're getting outside, that you're unplugging once in a while because at the end of the day, that's going to drive your passion even more for penetration testing.

Jon Helmus: [42:04]

Absolutely, man. Yeah, time auditing, I think those are three essential things that I think we all talk about but they get overlooked and I really like the ending though like sympathize with yourself, take care of yourself and I always tell that to everyone, too. Understand that you might need to take a break from whatever it is that you're doing and that's okay. You have to do it because you have to take care of you because at the end of the day, whoever you're working with or whatever you're doing whether it's in your personal life or your job or whatever, needs the best you and the only way for them to get the best you is for you to take care of you.

Matt Buzanowski: [42:44]

Absolutely.

Jon Helmus: [42:46]

So awesome. Thanks again, Matt, for being on the show today. For everyone listening, again, we had Matt Buzanowski. He's one of the leads here at Cobalt Core. We'll make sure that if anybody wants to check out Matt and what he does, we'll make sure to put anything in the show notes that are relevant to that. So thanks again, Matt, for being on the show and we'll see everyone next time.

Matt Buzanowski: [43:08]

Thanks a lot, Jon, appreciate it.
