Presentation of the Pentest Team

Written by Lena David, Julien Legras, Damien Picard - 15/09/2023 - in Pentest
Are you a potential applicant wishing to know more about Synacktiv's pentest team before actually applying? Or someone considering relying on Synacktiv to perform a security assessment and wondering whether we can handle your project? Or just someone curious and eager to know more?

In any case, this blogpost will hopefully enlighten you about key aspects of what we do and how we work.

TL;DR

In case you're in a hurry but still want key facts about Synacktiv's pentest team, we've thought about you and gathered some right here:
  • 50 people in the team
  • 4 technical team leaders
  • Offices in 5 French cities: Paris, Rennes, Lyon, Toulouse and Lille
  • Full remote (in France) possible
  • Security assessments carried out in pairs
  • Dedicated red team within the pentest team
  • 10 trainings publicly available

The team

As of mid-2023, the team consists of about 50 people. Most of them are based in our main offices in Paris, whereas the others work either in our other offices in Toulouse, Lyon, Rennes and Lille, or in full remote from various cities in France.
We have profiles with various levels of experience in the team, from last-year interns to people who have been doing pentest for 10+ years. Accordingly, the team members are between 20 and 40 years old, the average being around 30. Most of them studied computer science/engineering or cybersecurity, but others pursued unrelated degrees and crossed paths with that field later on.

The team is currently led by four people: Julien Legras, Damien Picard, Lena David and Jérémy Luyé-Tanet. Among other things, they manage the team members day-to-day, and serve as an interface between them and Synacktiv's board as well as sales team. Because we want the team to be able to discuss technical matters with their managers, all of them have themselves been pentesters for several years before they switched to a management position.

Some team members are also eager to tackle further tasks than their sole security assessments, which we are completely open to. For instance, some of them are involved in the hiring process, and some are in charge of handling specific kinds of assessments (e.g. regulatory-constrained certifications), or the assessments performed for some specific clients. This is done on a voluntary basis: some people prefer focusing only on technical tasks and do not feel like taking on new responsibilities, which is totally fine with us.

Projects and day-to-day work

The main task of the team consists of assessing the overall security level of various kinds of assets - except in the case of interns, whose work is described later on.

Depending on the needs of the client, this generally means performing intrusion tests or a security audit on these assets. Sometimes, regulatory constraints require following specific frameworks - for instance, that is the case for PASSI audits, CSPN evaluations and ANJ-related assessments.

Most of the time, the approach that will be taken for a given security assessment is discussed beforehand by the client and the member of the sales team who initially handles the project. Sometimes, a pentester is also involved in the discussion - for the most part, that happens when the topic at hand has a specificity of some kind and requires in-depth knowledge.

Some general steps are involved regardless of the considered project. To describe that process roughly, when the sales team hands off a project to the pentest team, one team leader takes charge of it: among other things, they select the auditors who will work on it, schedule it, and reach out to the client to organize a kick-off meeting, during which the auditors and the client's team will have the opportunity to discuss the upcoming security assessment. The kick-off meeting typically occurs a few weeks prior to the beginning of the tests, which leaves enough time for the client to gather the needed prerequisites.

Pentest projects are performed by a pair of auditors for the most part. In our experience, it is an effective way to support the overall growth in skills and knowledge of the team, and to encourage people to learn from one another, which in turn allows for a more homogeneous skillset in the long run.

Most of the time, the tests are performed remotely, but some projects require on-site presence, which led pentesters to travel to Tahiti, Colombia, Mexico and Austria in 2022 alone.

When the tests are over, the auditors must still write a report. This serves as an additional reason to make people work in pairs: each auditor writes a bit less, and the pair can proofread each other's work, although the report is also proofread by someone else in the team before actually being delivered to the client.

Overall, our projects can last from a few days to a few weeks - and sometimes span several months for things like red team engagements. Excluding the latter, the mean load for our projects is 16 man-days - which amounts to 8 business days, because we work in pairs. This mean load includes both the actual tests and the writing of the report.

So, even though things can vary, in a typical week, a pentester will work with another on their assigned security assessment, either on the tests, the writing of the report, or a bit of both. They will likely also attend one, maybe two kick-off meetings for upcoming assessments, as well as a weekly one-hour team meeting on Friday morning. Apart from being an occasion to discuss the news pertaining to the company as a whole or the team more specifically, this meeting also creates a weekly opportunity for all team members to provide highlights on interesting resources, knowledge or tools they may have come upon in the week, to describe their progress on R&D topics, and to share ideas as to how to overcome technical hurdles encountered by others. An additional half-hour slot on Friday mornings, for which attendance is totally optional, serves as a means for everyone in the company to give short talks, about topics either technical or not.

As we value the opportunity for the team to work on scopes as diversified as possible, we are always eager to tackle varied client projects. Of course, a substantial part of the projects are scoped to usual targets such as websites, Internet-facing services or internal networks, but we also encounter less common targets on a regular basis. Here are a few examples of somewhat uncommon targets we've encountered:

  • an automaton for analyzing blood samples
  • a facial recognition solution
  • a badge reading system
  • a demonstrator for a fiber optics-based plane infotainment network

This diversity in projects benefits all team members, as opposed to only those with a certain level of seniority/experience: everyone can work on every kind of assessment. Of course, this does not mean that people are assigned to projects at random: a team member without much practical experience on a given topic is always paired with someone who can work autonomously on that topic. This also implies that on some occasions, a project is carried out by a pair consisting of one pentester and one member of another team, e.g. a reverser. This is something we encourage whenever relevant, as it allows both people in the pair to diversify their skills.

Within the pentest team, we have no subteams specializing in specific kinds of targets or assessments, with the notable exception of red team engagements. More specifically, to make the handling and conducting of the latter more effective, a few members of the pentest team take care of the ongoing red teams at a given time. This makes it possible for them to spread their work on a given scope over an extended time period, while monitoring different targets at all times, which allows for more realistic engagements. For example, if they are spotted by a blue team at some point, this leaves them some time to lie low and attempt something else later on. In the meantime, they can focus on a different target, or work on more internal-focused topics, for instance by enhancing the existing tooling or methodology. Practically, this red team subteam consists of one permanent member from the pentest team, and several rolling members who spend a few months within it before coming back to the pentest team and leaving their seat to someone else.

Apart from working on security assessments, sometimes team members also spend time looking into other security-relevant topics, either by researching a topic they choose or skilling up by attending an existing training or studying its content autonomously.

R&D

Synacktiv offers the possibility for the members of all technical teams to spend some time researching security-related topics, and the pentest team is no exception. Anyone in the team can come up with a subject they wish to dig into, or can choose a topic from a list curated by the team members who oversee the whole R&D process. R&D topics can have many origins: for instance, sometimes, someone encounters a technology, piece of software or hardware during a security assessment that focuses on something else, has no time to analyze it extensively during the tests, but deems it worth further scrutiny. Other times, someone notices that having additional tooling to assist in performing certain operations, or more thorough documentation on a given topic, would be helpful.

In any case, once a team member has decided on a topic to tackle, they can ask for some time to actually do so. They will generally be granted a few days, and more afterward if need be. It is possible for a team member to work alone on their chosen topic; it can also be the occasion to team up with people of either the pentest team or of a different team.

One rule about R&D is that it should end up being useful to someone else afterward, and therefore should lead to some kind of output. Depending on the subject, the output may be kept internal, and take the form of internal tooling, updates or enhancements of Synacktiv's internal knowledge base or trainings, an internal talk for the team, or the development of payloads that may then be used during projects such as red team engagements.
Other times, the output of the R&D is shared with the outside world, in which case it can be tooling published on Synacktiv's GitHub, a blogpost or security advisory issued on Synacktiv's website, or a talk at a conference.

Here are some rough figures about our publications in 2022:

  • 8 blogposts
  • 9 security advisories
  • 6 talks in conferences

The current figures for 2023 tend to indicate an increase in publications, as at the beginning of September, those made by members of the team amount to:

  • more than 10 blogposts
  • more than 25 security advisories
  • more than 10 talks in conferences

Overall, the time spent on R&D topics within the team varies greatly from one pentester to the other: some people in the team almost never ask for such time, whereas others end up with about 25% of their time dedicated to such topics.

Internships

As mentioned previously, interns within the pentest team focus on tasks that are different from those carried out by the rest of the team.

More specifically, our interns work on a predefined topic for their whole internship. These topics are published yearly in early fall, and are intended to be of actual use to the team. As such, many of them result from someone in the team realizing that further tooling to do something, or an enhancement of an existing tool, would be beneficial and help make the team more efficient. For instance, in 2022-2023, internship offers covered improvements on our post-exploitation tooling for Windows systems, on our configuration analysis solution, and on our Wi-Fi attack automation platform.

Other internships may consist of studying software components commonly encountered during intrusion tests - e.g. Active Directory, or web frameworks. For that kind of subject, the aim is generally to analyze mechanisms that could be of use during security assessments and for which little or no documentation is publicly available, and to create (or enrich) a structured knowledge base and methodology so that it can be used by the team afterward. Publishing one or several related articles on Synacktiv's website is also strongly encouraged in that case.

This is actually quite similar to the origin of certain R&D topics; the main difference is that the latter are intended to be handled in a few days or weeks, whereas an internship subject should keep the intern busy for 5 to 6 months.

Because Synacktiv's aim is to hire interns as security experts when their internship is over, we also want them to be able to grasp as accurately as possible what a security assessment practically consists of. This is why throughout their internship, they are given the opportunity to take part in a few intrusion tests, along with seasoned team members who will be able to provide them with relevant advice, both technically and methodology-wise. Whenever possible, we have them contribute to assessments on which what they are otherwise working on can be used: for instance, a security assessment comprising Wi-Fi tests if they are tasked with improving our platform for Wi-Fi attack automation, or a whitebox intrusion test on a website relying on a common web framework if their subject involves producing documentation about that framework's internals.

Just like the rest of the team, interns participate in the weekly meeting, during which they can describe the progress they have made on their assigned topic, and the issues they encounter or envision for the near future. They are also welcome to share their thoughts about the topics brought up by others, and more generally to contribute to the meeting just like everyone else.

Trainings

Because we want all the team to feel as comfortable as possible with the various technical topics that can be encountered during security assessments, it is possible for everyone to attend trainings or study our internal training material autonomously.

More specifically, Synacktiv offers trainings intended for an external audience, pertaining to topics such as Active Directory or cloud environments pentesting. When a team member is interested in learning more about the topic covered by a training, it is possible for them to ask to attend a session otherwise intended for people external to the company. We also plan internal sessions of some of our trainings at least once a year to ensure everyone ends up being able to attend them.

In case a team member needs to learn more about a topic covered by a training but no session is planned in a suitable timeframe, it is also possible to access and study the training's material autonomously. If there is a hands-on part to the training that is expected to be carried out on a lab, they can also ask for such a lab to be deployed for them so that they can practice on it. This ensures they can get both the theoretical knowledge and practical skills the training is intended to bring.

Additionally, when someone needs to learn more about a subject that is not tackled in one of Synacktiv's trainings, they can ask to attend an external training matching that subject.

Working remotely

As mentioned above, several people in the team work completely remotely. It is possible for experienced profiles to start directly in remote (apart from the first week, which is dedicated to onboarding and therefore spent in Paris). This is decided on a case-by-case basis, depending on factors such as the prior experience in pentest of the new hire.

Apart from these full remote cases, it is also possible for everyone to work from home from time to time or on a more consistent basis. We have no thresholds such as a minimum or maximum number of days of presence per week, and prefer to let everyone decide for themselves what works best for them.

Practically, when someone wishes to work remotely on some day, they just have to notify the team leaders and the HR team via email, for matters of traceability.

Whom are we looking for?

Basically, people with strong technical skills and a will to keep learning and progressing on the ever-evolving subject of pentesting and IT security more generally. You do not need to have dozens of years of professional experience to apply: we hire recent graduates on a regular basis, and most of our last-year interns come back as pentesters once they have finished their studies. Besides, we value not only academic experience, but also involvement on personal projects, participation in CTFs or in challenge platforms such as root-me.org or HackTheBox, and more generally any concrete experience or achievement related to IT security.

At the moment, the whole team is francophone. French is the language we use for most of our resources - e.g. processes, methodologies, and documentation - as well as our day-to-day internal communication; therefore, you will need to be fluent in French in order to join in. Because communication with our clients also occurs in English on a regular basis, you will also have to be fluent in English.

Our recruitment process is arguably challenging, but still doable; the idea is not for applicants to get everything right, but rather to show that they hold a reasonable level of technical skills and general knowledge security-wise.

Something noteworthy is that there are open positions for permanent contracts year-round; there is no such thing as a job-opening season for such positions. This means that if you want to apply, you do not have to wait for a job opening, and you can simply send an email and your CV to apply+pentest@synacktiv.com whenever suits you best. Our hiring process is described here (in French).

Things are somewhat different for internships: we publish offers yearly, generally in September or October. There is no firm deadline for applying, but colleges and the like generally implement constraints as to the duration and timeframe of internships, which makes it so that most of our interns start off roughly between February and April and finish in the late summer. Of course, if your academic planning differs from that, feel free to apply for an open internship position whenever suits you.

We are also open to applications for apprenticeships, with some restrictions regarding the duration of the time periods spent in the company. More specifically, given the nature of our work, we reckon that apprentices should spend at least a few weeks at a time working with us between two periods at school.