Thank you for applying to work for PEN Consultants as a Security and Penetration Tester!

Full Interview Process

Each candidate applying to work for us must complete a 4-phase interview process before being extended a Conditional Job Offer (CJO).

  1. In this first phase, you get to talk-the-talk.
  2. After that, the 2nd phase is a phone interview with PEN Consultants where we drill into more details about the position and your background.
  3. The 3rd phase is to help us ensure you understand our company, allows you to demonstrate some basic hands-on challenges, and communicate what you found.
  4. The 4th and final phase is as close as we can get you to performing a small pentest against a web app to see if you can walk-the-walk. You’ll exploit the web app, and write-up your findings as if you were presenting them to a client.

After receiving a CJO, the candidate must pass a full-scope background check (criminal, civil, drug screening, identity verification, credit history, employment and education verification, etc.).

Phase 1 – Talk-the-Talk


  • Don’t overthink this! We’re just looking to make sure you understand some general security topics. Each question should only take you a couple of minutes – a couple of sentences (max).
  • When you are finished, please respond to our original email with a PDF of your responses.
  • Honesty and transparency are always best. If you get into this and realize it’s not the type of work you were hoping for, it isn’t in line with your career goals, etc., feel free to respond with a “Thanks for the opportunity, however, I don’t believe I’m interested at this time” email.


  1. Tools
    1. What are some common sys|net admin tools you’ve used?
    2. What are some “hacker” tools you’ve used before? Favorites? Stories? (“hacker tools” == tools that are commonly used by attackers, whether intended by the creator or not.)
  2. Networking
    1. How well do you understand networking and protocols?
    2. How are IP and TCP different?
    3. What service usually runs on ports: 22, 25, 53, 80, 443?
    4. Do you know CIDR addressing? How many IPs are in a /24?
    5. What are the three most common private, non-routable, IP ranges?
  3. Web
    1. What is OWASP? Name some of the top-10 weaknesses listed (any year)?
    2. What is: (1) XSS, (2), SQLi, (3) clickjacking?
  4. Operating Systems (OSs)
    1. What OSs are you familiar with? Favorite/most used?
    2. Windows
      1. What is a common location of OS and global application settings?
      2. What command: (1) displays the IP address(es), (2) lists the routing information, (3) displays file contents on the command line?
    3. Linux/macOS
      1. What is a common location of OS and global application settings?
      2. What command: (1) lists files in a directory, (2) changes file/folder permissions, (3) displays file contents on the command line?
  5. Encryption
    1. For web traffic, is TLS 1.3 or SSL 3.0 more secure?
    2. Are MD5 or SHA256 password hashes harder to crack?
  6. File Analysis / RE
    1. What are some tools you’d use to perform RE of a binary?
    2. What is UPX and why would one use it?
    3. Is a cryptographically secure file hash a good way to identify the majority of malicious files? How about identifying known good files? Why?
  7. Coding
    1. What programming languages have you coded in?
    2. What are the advantages and disadvantages of compiled, JIT compiled, and scripting languages?
  8. Password attacks
    1. What is a brute force attack?
    2. A dictionary attack?
    3. What is a password spray and how is it different from the above?
    4. Where are password hashes stored in Windows and Linux/macOS?
    5. What are some tools you’ve used to extract and crack password hashes?
    6. What is the difference in using (for example) JTR vs Hydra?
    7. What are rainbow tables, and what weakness are they exploiting?
  9. Wireless
    1. Is WEP or WPA more secure?
    2. What sets WPA-PSK/personal apart from WPA-enterprise?
    3. With WEP, all users’ traffic is encrypted using the same key, and, it is, therefore, easy to eavesdrop on other’s traffic. WPA-2 uses temporal keys (unique key for each client). Can one client still eavesdrop on another’s traffic? If so, how?
    4. Assuming all wireless clients have line-of-sight, is it better to have a small number of massively powerful APs, or a greater number of lower-powered APs? Why?
  10. Sysadmin
    1. What does GPO stand for, and why is it important?
    2. What does AD stand for, and why is it important?
  11. Cloud
    1. What are some of the most common cloud vulnerabilities, and how are they mitigated?
  12. Mobile
    1. What is the danger of allowing a mobile application to view/capture the screen when it is not at the forefront?
    2. What about allowing the app to access the clipboard?
    3. Is code obfuscation important or not? Explain.
  13. Social engineering
    1. Remote: What is the most common type of remote social engineering? Provide a convincing theme/pretext.
    2. Physical: If you were asked to social engineer your way into the data closet of a bank in the middle of the day to surreptitiously insert a hardware implant into their network|system, what pretext do you think could be successful?
  14. Misc / Split hairs
    1. What, in your opinion, is the difference between a vulnerability scan, penetration test, and red teaming?
    2. If you’re on an engagement and find a vulnerability, how do you decide if you need to notify the client immediately vs waiting until the testing is complete? What are the pros/cons?
    3. Should passwords be force rotated every 90-120 days? Why or why not?
    4. Scenario: You gain VPN access using the creds test/test:
      1. Do you tell the client immediately so they can mitigate?
      2. How would them mitigating it affect testing?
      3. What’s a solution that would allow the client to mitigate the risk, but not negatively impact testing?
      4. Bonus: What if the client says “no” to your proposal and you lose access? What would be your response?

© PEN Consultants, LLC 2013 -