Cyber Security: Research development and design

Find out about the job roles that comprise the Cyber Security - Research development and design job family practice.


Penetration testing

Role summary

Penetration Testing provides Cyber Security assurance by attempting to penetrate existing defences, feeding back on vulnerabilities found (whether in a system, an application or across the entire IT estate) and co-ordinating the production of a remediation action plan.

Role levels are:

  • Penetration testing associate
  • Penetration testing lead
  • Penetration testing principal

Entry routes

Internal: Suitable for an individual from the Government Security Profession, Digital, Data and Technology Profession, or Analytics Profession

External: Suitable for an individual who has worked in penetration testing or application security

Skills required in penetration testing

  • Penetration testing. Penetration testing is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the tools and techniques that an adversary might employ. Principles of the skill include contributing to the scoping and conduct of vulnerability assessments; knowing the tools and techniques needed to enumerate an environment and assess asset configuration; identifying and testing for publicly known vulnerabilities, assessing the potential for exploitation, and conducting exploits where appropriate and within the agreed scope; reporting potential issues and mitigation options; contributing to the review and interpretation of reports; and co-ordinating and managing remediation action plan responses. This skill has broad applicability across many roles.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change according to the locally identified threats and vulnerabilities.
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.

Penetration testing associate

Typical role level expectations

  • Support the scoping, conducting and procurement of penetration tests, red team exercises, vulnerability assessments of IT assets, and other tests to assess the robustness of a system, product or technology
  • Disseminate the implications of test findings, relaying the potential business impact if vulnerabilities are exploited
  • Engage with internal and external stakeholders to provide appropriate Cyber Security assurance in accordance with policy and regulations
  • Report potential issues and mitigation options to appropriate stakeholders or governance forums
  • Contribute to the review and interpretation of reports and contribute to remediation action plan production

Skills needed for this role

  • Penetration Testing (Relevant skill level: working). At this level you:
    • Explain the principles of penetration testing, the main components of an infrastructure penetration test and the high-level processes involved, to practitioners and non-practitioners alike
    • Provide pragmatic input to assist in the development of penetration testing policies, procedures and guidelines, and understand their business context
    • Help ensure compliance of working practices by educating colleagues in basic penetration testing policies, procedures and guidelines
    • Perform basic tests or attack exercises by following documented principles and guidelines for penetration testing activities, and interpret results, with little or no supervision
    • Use preconfigured commercial and bespoke tools to conduct vulnerability assessments and basic penetration tests without supervision, and complex infrastructure penetration testing under supervision
    • Understand the potential risks of security testing in different operational environments (for example disruption to live services) and take them into account while developing plans
    • Make contributions to assessment reports that are factual and literal, rather than interpretive
    • Have solid rather than wide platform knowledge, being strong on a single platform (e.g. Windows or macOS)
    • Have achieved recognised qualifications in appropriate and relevant subjects, including Offensive Security Certified Professional, CHECK Team Member or equivalent
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: awareness). At this level you:
    • Describe specific threats and how they may manifest themselves in a local environment
    • Maintain understanding of local threat environment and can apply to inform and provide context for wider activities
    • Use local threat information in decision-making and planning
    • Demonstrate knowledge of current threats and trends affecting the landscape

Penetration testing lead

Typical role level expectations

  • Scope, conduct and procure penetration tests, red team exercises, vulnerability assessments of IT assets, and other tests to assess the robustness of a system, product or technology
  • Disseminate the implications of test findings and explain the potential business impact if vulnerabilities are exploited
  • Co-ordinate engagement with internal and external stakeholders to manage and provide appropriate Cyber Security assurance to the required standard and in accordance with policy and regulations
  • Advise on potential issues and mitigation options to appropriate stakeholders or governance forums
  • Review and interpret reports and co-ordinate and manage remediation action plan production

Skills needed for this role

  • Penetration Testing (Relevant skill level: practitioner). At this level you:
    • Lead teams undertaking complex penetration tests
    • Follow documented principles and guidelines for high-complexity penetration testing activities
    • Design and implement test programmes for mid-complexity systems, products, applications or processes, selecting suitable techniques, tools and test strategies without supervision
    • Identify vulnerabilities and determine whether they are exploitable, adapting the testing approach based on findings
    • Detect and investigate result aberrations, or absences of expected results
    • Create assessment reports, confirming technology compliance with standards and policies, recording vulnerabilities, and providing suggested remediation actions
    • Advise others on penetration testing processes and the implications of testing, and share penetration testing best practice
    • Have broader platform knowledge and conduct assessments from a multi-platform perspective
    • Have achieved recognised qualifications in appropriate and relevant subjects, to a high-functioning level, including CHECK Team Leader, CREST Certified Simulated Attack Specialist or equivalent
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk, to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keep knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and can apply to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation

Penetration testing principal

Typical role level expectations

  • Lead large-scale, cross-functional or highly complex penetration tests, red team exercises, vulnerability assessments of IT assets, and other tests to assess the robustness of a system, product or technology
  • Disseminate the implications of test findings and explain the potential business impact if vulnerabilities are exploited to senior level leadership across government
  • Lead engagement with senior internal and external stakeholders to manage and provide appropriate Cyber Security assurance to the required standard and in accordance with policy and regulations
  • Advise on complex issues and mitigation options to appropriate stakeholders or governance forums, acting as an SME across government, the public sector, and industry
  • Be the key decision maker on reports, overseeing the remediation of vulnerabilities post-penetration testing

Skills needed for this role

  • Penetration Testing (Relevant skill level: expert). At this level you:
    • Take a multi-customer approach to establishing penetration testing policies, procedures and guidelines, taking into account organisational and national level perspectives
    • Have responsibility for penetration testing services and drive organisational and business change to better comply with policies, procedures and guidelines
    • Ensure effective delivery of penetration testing assessments for organisational benefit
    • Lead organisational teams in various stages of test design, execution, and assessment, for multiple customers, potentially across multiple organisations, and that comply with policies, procedures and guidelines
    • Improve organisational penetration testing processes, achieving high standards of excellence
    • Champion the organisational recognition of value of penetration testing services, and the benefits of addressing the results
    • Authoritatively influence the organisational management regarding penetration testing concepts and activities
    • Build on, and advance, practitioner level skills for self and colleagues
    • Communicate complex issues at the appropriate level for the audience
    • Have achieved appropriate level of qualifications, including CREST Certified Simulated Attack Manager or equivalent
  • Information risk assessment and risk management (Relevant skill level: expert). At this level you:
    • Enable the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk, ensuring that risk is embedded into corporate governance processes
    • Integrate risk management processes into appropriate business activities such as system development, security architecture or procurement
    • Develop approaches to effectively report risk (including through system life cycles) to management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction to others (such as developers or other security professionals)
    • Deliver comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understand in detail how the risk assessment output dovetails into the risk management process
    • Determine and understand the security characteristics of complicated or novel systems
  • Protective security (Relevant skill level: practitioner). At this level you:
    • Develop and apply new concepts in protective security, involving the other specialisms, including the Corporate Enablers
    • Develop individuals and contribute to the development of protective security practices
    • Promote protective security as a business enabler throughout the organisation
    • Engage with the UK security community
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability

Contact

ddat@gov.scot