DEV Community

rudy_candy


What people get wrong about penetration testing

Before I became a vulnerability assessor I had the job slightly wrong in my head. If you only know security from films and TV, you probably do too. So here's the reality, including the parts that caught me off guard once I was actually doing it.

The reality is shockingly boring

The picture most people have is someone hammering a keyboard while text streams down the screen and they elegantly break into a system. That's not it.

Most of the work is taking nearly identical requests, changing one small thing, and comparing how the response differs. Change a parameter, send it, look at the result. Change it again, send, look. Over and over. You intercept a request in a tool like Burp Suite, edit it by hand, and check whether the behavior shifts. One change per request, so that when the response does differ you know exactly which change caused it. There's no glamour anywhere in it.
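The loop described above, as an added example that is not part of the original post: send a baseline request, send it again to learn which parts of the reply change on their own (request ids, timestamps), then vary exactly one parameter per request and report what differed. The target here is a constructed stand-in function, not a real endpoint, and the `profile` responses it returns are invented for the illustration; the `send` callable would be replaced with whatever actually issues the request (a `requests` call, a Burp extension, a proxy replay).

```python
import difflib
import itertools
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# --- Constructed stand-in target (not a real service) -----------------------
_req_counter = itertools.count(1000)
_KNOWN_USERS = {"1": "alice", "2": "bob", "3": "carol"}


def fake_endpoint(params: dict) -> Response:
    """Simulated /profile lookup, built only for this example. Every reply
    carries a fresh request id (noise the assessor has to ignore) and the
    body's shape depends on whether the requested id exists."""
    header = f"X-Request-Id: {next(_req_counter)}\n"
    uid = params.get("id", "")
    if not uid.isdigit():
        return Response(400, header + "error: id must be numeric\n")
    name = _KNOWN_USERS.get(uid)
    if name is None:
        return Response(200, header + "profile: unavailable\n")
    return Response(200, header + f"profile: {name}\nrole: member\n")


# --- The differential check ------------------------------------------------
# Patterns for content that legitimately changes between identical requests.
# Extend this list until two baseline requests compare clean.
VOLATILE = [re.compile(r"X-Request-Id: \d+")]


def normalize(body: str) -> str:
    for pat in VOLATILE:
        body = pat.sub("<volatile>", body)
    return body


def compare(baseline: Response, variant: Response) -> dict:
    """Status pair, normalised length delta, and the body lines that changed."""
    a = normalize(baseline.body)
    b = normalize(variant.body)
    changed = [
        line
        for line in difflib.unified_diff(a.splitlines(), b.splitlines(), lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]
    return {
        "status": (baseline.status, variant.status),
        "length_delta": len(b) - len(a),
        "changed_lines": changed,
    }


def probe(send, base_params: dict, name: str, values) -> dict:
    """Send the baseline twice to confirm the noise is stripped, then change
    one parameter at a time and compare each reply with the first baseline."""
    base = send(base_params)
    repeat = send(base_params)
    if compare(base, repeat)["changed_lines"]:
        raise RuntimeError("baseline is not stable; extend VOLATILE before comparing")
    results = {}
    for value in values:
        params = dict(base_params, **{name: value})
        results[value] = compare(base, send(params))
    return results


if __name__ == "__main__":
    # Vary only the id; "1" is the baseline, the rest are the probes.
    for value, result in probe(fake_endpoint, {"id": "1"}, "id", ["2", "99", "abc"]).items():
        print(value, result)
```

The double baseline is the part that saves time in practice: if two identical requests already differ, every "interesting" difference you see afterwards is suspect until the volatile parts are normalised out.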

I'll be honest, at first it felt like a letdown. But noticing those tiny differences turned out to be its own kind of fun, and I got pulled in. These days I think whether you can find that boring work interesting is the real test of fit for the job.

I didn't expect writing to be the hard part

This one I genuinely didn't see coming. Finding a vulnerability isn't the end of the job.

You have to explain where it is, what the problem is, how to reproduce it, and how dangerous it is, in words the other person can act on. That's the report. It doesn't matter how clever the bug is: if the developer reading it can't reproduce it, you get back "is this actually a vulnerability?" The job needs the hands-on skill and the ability to put it into writing. For someone who assumed it was a purely technical job, that was the biggest surprise.

You learn you can't say "it's safe"

Here's the one whose weight I only felt after starting. When an assessment turns up no vulnerabilities, you still can't say "this system is safe."

What you can say is that within the agreed time, scope, and methods, you didn't find anything. The chance you missed something is always there. "No issues within what we checked" and "definitely safe" are completely different statements. The quiet, honest part of holding that line mattered more on the job than any dramatic find.

It's still a good job

I've spent this whole piece on what surprised me, but I'm not trying to put you off. After stacking up enough of the boring checks, you hit a moment where something feels slightly off, you pull on that thread, and a real problem is sitting at the end of it. That feeling is hard to get anywhere else. Not glamorous, but genuinely interesting.

If you're drawn to this work, ask yourself less about the glamour and more about whether you could enjoy the careful, repetitive checking. Get that part right and it's a job you can do for a long time.


How I got into this work with no background, and the certs and career steps along the way, is something I've written up at length elsewhere. If this was useful, follow along.
