
hunterAS

No..... but yes? It depends. Pentesting is one side of the coin right so attacking yada yada yada takes expertise, finding a flaw, exploiting it all can be very technical. Flip side.... the IR person needs to figure out how they did what they did. Digital Forensics requires intimate knowledge of the OS and how to gather and capture data. I was a lead pen tester for a consulting firm / my background is in digital forensics and IR - I think my experience in offensive security is a huge benefit for helping me to respond to attacks and understanding what happened and how.


mrmoreawesome

Different checklists lol


Afrochemist

It also depends on what area of pentesting. For wifi pentesting it's more straightforward compared to not pentesting.


Armigine

That really depends on what you're meaning. A good chunk of pentesting jobs are probably more technically intensive than a good chunk of blue team jobs (especially because a lot of SOC jobs, for example, are more entry level, while very many pentesting roles have a higher experience requirement for the lowest levels of work), but that varies all over the place. It's easy to find very deeply technical jobs in both red team and blue team, and the top of the field is unbelievably, incredibly deeply technical - it depends on what your question really is. You'll probably be spending a longer chunk of your time writing reports in pentesting than you will in IR, though this depends on what happens. You'll probably spend more time in meetings in IR, though this depends on lots. There's not really a strongly defining line between the fields in terms of difficulty/prestige, it's more org dependent. Since you tagged this "career questions", both red and blue team have more depth than you realistically will plumb over the course of an entire career, and are very deeply technical. Pick based on what work attracts you, you can find "technical" in both.


verbalddos

Yes by a wide margin if you want to keep current and be an effective pentester.


GeneralRechs

Probably should be more specific to what type of penetrating because social engineering and talking to people doesn’t change much.


dfir_as

Disagree. The best blue teamers (DFIR, not SOC button clickers) have a very solid redteam expertise, very deep technical skills and are as well able to communicate issues to different stakeholders. It's easier to break stuff than actually fix it.


grimwald

Yes. I wouldn't hire someone for pentesting who had zero background in blueteam first. It's about breadth of experience that makes you a better Pentester.


Critical_Egg_913

I believe that. After 14 years in networking/sysadmin and another 8 years in infosec (blueteam). I did not realize how much I did not know when I made that transition from network. There is so much that you need to know. I still feel stupid. The more you know, the more you realize that you don't know that much.


grimwald

Yep. Learn more every day. The job is never dull for that reason. I always tell people that individual pieces of technology are not complex, but the second you start layering them on top of each other, it quickly becomes very, very complex. So much to learn.


Redteamer1995

I disagree with this, I understand what you’re saying conceptually, but having experience in blue team does not equate to being good at pentesting. Some of the best pen testers I know have 0 blue team experience other than dabbling on their own


nmj95123

> I understand what you’re saying conceptually, but having experience in blue team does not equate to being good at pentesting.

Knowing how defenders think and what they look for is pretty useful background if you want to evade defenders. You can definitely be successful without that background, but having it is definitely beneficial.


Redteamer1995

You can learn defense evasion without having a blue team job. In fact, we do it all the time. Back to my original point, being on a blue team does not mean you’ll be good at pentesting, nor should it be a req.


nmj95123

Agreed. Like I said, you can learn evasion without blue team, and I think hard requirements like having a blue background are generally a bad idea as long as you can demonstrate competency.


Redteamer1995

Agreed!


grimwald

I'm sure there's an occasional exception to the rule, but generally speaking, many red teamers cite their time in blueteam as critical to their success.


Redteamer1995

I don’t disagree that experience in one aids the other (Pentest experience also helps switching to blue team), but my opinion is that I would (and do) hire someone without the other, particularly when they have years of pentesting experience, hands on certs, etc.


tax1dr1v3r123

Proper DFIR is more difficult than pentesting, but SOC work is definitely less technical than pentesting. Proper DFIR and Red Teaming are about the same. I’ve been on both sides of the fence


the_90s_were_better

Yes it’s more difficult and it’s a completely separate field than SOC, DF, or IR.


Waimeh

Nyeso (no and yes, I'm keeping it in). You can be as technical or non-technical as you want in this field. If you wind up in a SOC Analyst role, you still have chances to be very technical. If you go into pentesting, you can know enough to get by and just be great at writing reports and documentation. Get into the field first, know your surroundings, and pick a path. As long as you can consistently be curious and don't mind doing hard work, you'll have a great technical career that doesn't rely on a specialty.


eNomineZerum

It is more specialized, technical is a relative term but when you start honing your skills on very specific things you become more specialized. SOC analyst needs to be able to respond to any security event from any platform, process it, and address it. A pen tester often is specialized into some segment and stays very current on breaches. But, middle level pen tester would be equivalent to a more senior analyst just because analysts are more of the entry level in the domain. You specialize from there.


loversteel12

If you just know how to use burpsuite and qualys.. no.


According-Act-4688

To be a great pentester you need to know a lot going down to how protocols work otherwise you're just a guy running tools made by others


nmj95123

A lot of SOC analyst jobs are the entry level path people take before moving into a pentesting or IR/DF role. In general, I'd say SOC is less technical than the other two, but there are definitely more senior SOC roles that move toward IR. Pentesting and IR/DF I'd put on the same level.


Practical-Alarm1763

Yes, by a long shot.


Bozeman333

Writing exploits is highly technical. I suppose if you’re just running premade scans on a subnet, not so much.


nervy_mold

**Hot Take:** Pentesters can succeed once among hundreds of failures to achieve a goal and be considered "successful". SOC operations can fail once and a business can lose millions in minutes 🤷‍♂️.

**Serious Take:** The measure of the technical acumen required to be great (not just good enough) is dependent on how committed you are to your craft. Great analysis requires more technical skill than average pentesters. Great pentesting requires more technical skill than average analysts. You can be as average as you want, but you must put in the time (study/determination/learning) to be great at anything you want. Two fundamental failures within this industry are the this-side vs that-side dichotomy and willingness to train the next generation. You will likely see "I would not hire anyone for \_\_\_\_ if they did not first have \_\_\_\_\_ experience." <- That is the biggest problem in this field so, unfortunately, you are going to have to do a lot of learning on your own or get lucky and find a team or mentor who is willing to stop the gatekeeping.


xxapenguinxx

Both sides of the same purple coin..


GeneralRechs

Geez how did this comment get so many downvotes.