The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#34 Why Top Pentesters Make More Money (Most Ignore This Skill) ft. Spencer Alessi
Kyser Clark sits down with senior penetration tester Spencer Alessi to discuss a skill that separates top-tier pentesters from the rest—client communication. While technical prowess is essential, Spencer shares how clear, proactive communication can make or break a pentest engagement, impact client trust, and even determine career growth. They also dive into the common struggle of pentesting ultra-secure environments, how to navigate “quiet” assessments, and why 99% of vulnerabilities don’t actually matter. Whether you’re an aspiring pentester or a seasoned professional, this conversation offers valuable insights into what it really takes to succeed in offensive security.
Connect with Spencer on LinkedIn: https://www.linkedin.com/in/spenceralessi/
and everywhere else @techspence
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Spencer Alessi] (0:00 - 0:33)
I asked the client, where are the skeletons in your network, in your environment? If they're honest, they'll tell you because it's just value for them, right? If, if you spend a week in a client environment bashing your head and then you have like three findings, it's like, it's great.
You know, you provided some value. In the kickoff call, I asked them, like, what are you concerned about in your environment? Like, what are the things that if a threat actor got onto it or they disrupted it or something happened to this thing, whether it's a server, a process, an application, whatever, you know, what are you most concerned about?
[Kyser Clark] (0:55 - 1:47)
Hello, welcome to the show today. I have Spencer Alessi, who has over 13 years experience in the field from help desk to system and network administration to IT consulting. Currently, he works as a senior penetration tester and is one of the hosts of the Cyber Threat Perspective, which is another podcast that I highly recommend checking out.
It's in my rotation and definitely a good podcast worth checking out if you are interested in cybersecurity podcasts, which you clearly are if you're here. For education, he has a bachelor's in computer science. For certifications, he has the CRTO, the GPEN, the PNPT, and the CISSP.
So, Spencer, thank you so much for taking your time to be here today with me. Go ahead and unpack some of your experience and introduce yourself to the audience.
[Spencer Alessi] (1:48 - 4:03)
Yeah, thanks, man. I appreciate it, Kyser. I appreciate you asking me to be on the show.
I feel a little bit of imposter syndrome because of all of the certifications and experience and knowledge you have in all those. It seems like I've been following you for a while. It just seems like every other month or something, it's like, got a new cert.
It's like OSCP or like, you know, those are like really, you know, not easy certifications by any means. So, kudos to you as well. So, yeah, I'm an IT guy, as you can see.
I wore this shirt on purpose because I want everyone to know I am a pen tester, but I'm very much a blue teamer, a sysadmin at heart. Often we'll say I'm a recovering sysadmin or a sysadmin in rehab or any of those flavors. And that's kind of how I approach the work that I do.
I'm very much offensive hearted or offensive minded in that in the work that I do with pen testing day to day. I primarily do internal pen testing. So, internal pen testing and assume breach, I'm very familiar in those worlds.
And I try to draw on a lot of that experience I got as help desk admin, as sysadmin, all those years doing that, to really draw on those lessons and those skills to provide more value to clients, especially when it comes to remediation. Because a lot of the findings that I'm looking at or identifying or discovering or talking with clients about, I have experience either implementing or fixing or doing that thing that they're trying to do. So, I try to bring out that experience and my background in those engagements.
So, yeah, I do the Cyber Threat Perspective Podcast, which you just mentioned. We're like at 122 episodes or something like that. So, we've been doing that for the last few years.
I make content as well, which you've seen for those listening and try to do some of that stuff as well. And one of the things I'm proud of is tooling. So, open source tools.
I've created a few of my own. I help out on some projects as well. Like Locksmith, which I'm a super big fan of.
And yeah, it's pretty much most of what I do.
[Kyser Clark] (4:05 - 4:34)
Yeah, you're doing a lot. And when I listen to the Cyber Threat Perspective, I can just tell you're just super passionate about helping the clients with remediation and helping them really secure their posture. What would your advice be for someone who is getting into pentesting and they clearly like the technical work?
Maybe they're not so well versed in client communication. What would you recommend to them to go above and beyond when it comes to that client communication and those recommendations?
[Spencer Alessi] (4:35 - 7:14)
Yeah. So, everything that I've learned about client communication, or I would say a lot of what I've learned about client communication, is from people I work with. So, the bosses and mentors that I've had at SecurIT360, which is where I work now.
When I first started, I joined the ISO team, which is the auditing, the assessing, gap assessments, and things like that. That's the team that does that, the VCSO type work. And my boss there, Rob, was very great and has developed a very good method for communicating with clients.
And same with the whole team over there. So, I learned a lot of the client communication chops that I have now from him and from his methodology and the way they do things there. And one of the lessons was to always keep line of sight with the customer or the client.
And what that means is you never want your client to be kind of in the dark on where the project is, what the status is, if you're waiting for any documents. So, for example, a lot of times when we're doing assessments, we look at their documentation first to get a sense of that, right? We never want them to be wondering like, oh, are they waiting for something?
Do I have to do something? We never want the client to be kind of waiting or in the dark and whatnot. So, keeping line of sight with the customer is just a way to always keep them up to date on wherever the status of the project is.
So, Rob was a great mentor in kind of client communication and how to be a consultant, really. And then Brad, who's the VP of Offensive Security at SecurIT360, kind of took it up a notch in how we do pen testing. And we communicate every single day of an engagement, letting the client know like, hey, this is what to expect today.
This is what we're going to be working on. You know, here's what to look out for. And we make sure that we include any pertinent information, like the IP addresses that we're pen testing from if we're doing an external, our phone numbers, you know, all that stuff.
And we communicate that every single day. And we try to over communicate as much as possible. I think that's really the goal, so that the client knows exactly what's happening, what to expect, all of the details, especially for pen testing, as you know.
You know, if you go through a whole week and you don't hear anything from the pen tester, and then you get this report, it's like, what did they do? Like, I'm not sure. Like, you know, they're left a little bit in the dark.
So, we kind of err on the side of over communication. But I learned a lot of those lessons from the consulting practice side of things. And then from the offensive side of things, just communicating every day and trying to be as open and transparent as we can with our communication to make sure the client knows what's going on.
[Kyser Clark] (7:16 - 8:48)
Yeah, I'm the same way. Like, I've learned pretty much all that through the company that I'm with now. And, you know, we're actually, we used to have it to where like, we'd have touch points.
We'd do like Monday, Wednesday, Friday throughout the week. And now we switch it to every day. Because we're going to that over communicating.
We're actually, like, usually what we do is like, we send a start email. And then an email every single day. And that's our new standard.
Because like you said, over communication is what clients value. Because we've got a lot of feedback. And the ones that we communicate a lot with, that's the good feedback we get.
When it comes with, like, when something I'm struggling with is when you're on a pen test, especially when you're with a client who has a very secure posture. Maybe it's a repeat client. Like, for example, my last pen test I did, my company, I've only been in my company for nine months, but my company has done like seven pen tests for them for seven years in a row.
So the environment's pretty secure, right? Because it's constantly being pen tested. And I get in here for the first time, and I'm just like bashing my head against the wall because it's secure.
Like, I can't find anything. So what do you, I guess, what kind of communication would you say when you're not making any progress in a pen test? Like, sometimes I'm like, what do I tell the client?
Because I didn't do anything today because I just didn't find nothing. Like, what kind of update do you give in that situation?
[Spencer Alessi] (8:48 - 11:45)
Yeah, I have a great answer for this, I think. And I asked the client, like, where are the skeletons? Like, what are you concerned about in your network, in your environment?
And if they're honest, they'll tell you, you know, being a client for seven years plus and having that relationship, it sounds like they would be honest and transparent and tell you. Because it's just value for them, right? If you spend a week in a client environment bashing your head, and then you have like three findings, like, it's great.
You know, you provided some value. But I would ask, and this is something I do, is I, in the kickoff call, I ask them, like, what are you concerned about in your environment? Like, what are the things that if a threat actor got onto it, or they disrupted it, or something happened to this thing, whether it's a server, a process, an application, whatever, you know, what are you most concerned about?
And a lot of times, you'll have to dig into that a few times, because they'll just be like, well, we're concerned about ransomware. It's like, well, what specifically? What data?
What systems? Etc. So you kind of have to like dig into it and kind of use your like spidey senses, you know, like pentesters have spidey sense, I think, where you can like, because that's what helps us kind of navigate the network, right?
You find this thread to pull on, you're like, well, that's not really one that's super interesting, but you find this other one, you pull on it. So I would say, use kind of like your spidey senses, if you will, to kind of dig into that question a little bit and help the client discover for themselves, you know, what they're most concerned about. Maybe it's that they have a backup server that is not domain joined, but maybe they're concerned that like there's admins that have credentials for those servers in the share somewhere, or they're concerned about a SQL server, maybe that is domain joined, but maybe they're not sure if the admins are really securing it very well.
So you can kind of dig into that question a bit with the client and spend some time with it and ask them, you know, some leading questions or just ask them follow up questions to dig into that. And that oftentimes will kind of reveal some things, at least things to pay attention to, right? And if the client says, hey, I'm worried about my SQL server, and you show through your work or whatever you do in your evidence or your narrative or whatever, you show that like, hey, we did all these things to try and assess the SQL server, get onto it, pivot to it, whatever, they will be happy because that's what they wanted, right?
Like that's what they were concerned about. So whenever I'm in a tough network, especially a client that I have a good reputation with, I will ask them point blank, like, what are you concerned about? Because you've gotten rid of the low hanging fruit, like you've got, you're good here.
Maybe you're good on monitoring, you're good on these other things. But like, where do you want us to focus our efforts on? Because we have a limited time, right?
Attackers have as much time as they want. Generally, we just have a short time with the client. So try and ask them and dig into that and kind of get to the root of their concern of their environment is what I would say.
[Kyser Clark] (11:47 - 12:01)
Yeah, that's great advice. You know, we asked in our calls, like, you know, what are your goals for this pen test? And I think what I can do better is just ask those more questions, more follow up questions and go deeper and keep asking them.
[Spencer Alessi] (12:01 - 12:01)
Yep.
[Kyser Clark] (12:02 - 12:27)
You know, what is it? No, like, what actually is it? You know, just keep asking them more and more.
Because, you know, a lot of times you ask, like, hey, what's your goals? And it's like, oh, we just want to be secure. Or like, you know, we don't know.
We don't know. You know, and they don't. Sometimes they don't give you the best answers.
You know, sometimes they do. It depends, obviously, client by client. But I would say in my experience, like a lot of times they're just like, yeah, we just want to be secure.
We just want to be compliant, you know.
[Spencer Alessi] (12:28 - 13:39)
And you can kind of tell, like sometimes you can kind of tell in the kickoff call, they're just like in it for compliance or for, you know, for law firms. We do a lot of law firms and a lot of them have client requirements. So it's a client, a big client that pays them money that says, hey, you need to do all these security things.
And they're doing it to kind of like satisfy that requirement. Obviously, there's regulatory compliance for other industries and things like that. But you can kind of tell, you know, when you begin talking to someone, if they're kind of forward thinking or kind of thinking beyond the compliance checkbox.
You kind of ask them questions to kind of discover, you know, those goals more specifically, if they just say, well, we want to find our vulnerabilities. I'll say what vulnerabilities, right? Like, what are you concerned about?
Going back to that question just previously is like, what specifically are you concerned about? Because, you know, in many environments, they've got, even in small environments, you know, they might have 100 servers. They might have a few thousand accounts in their active directory.
It's fairly significant, right? And we can't possibly touch every single thing in a week. So getting to that root of like what they're concerned about is really important during that discovery call or kickoff call.
[Kyser Clark] (13:40 - 14:56)
Right, yeah. I'm excited to announce that memberships are now live for my YouTube channel. And if you decide to become a member, you'll get early access to videos, access to member-only polls, loyalty badges for the YouTube channel chat, and priority reply to the YouTube comments.
Of course, if you can't or don't want to become a member, that is totally fine. I will always release the same free content you've come to expect. And your support just by watching is more than enough to keep the channel going.
But for those who do join, your contribution helps invest into new tools, technologies, and people to help the channel go further. The goal is to create even more content and raise the quality of every video for everyone. Thank you for considering memberships.
And as always, thank you so much for your support. Okay, well, this has been great. But before we go deeper, we have to do the rapid-fire questions.
So are you ready for the rapid-fire round? I hope so. For those new to the show, Spencer will have 30 seconds to answer five questions.
If he answers all five questions, he will get a bonus sixth question unrelated to cybersecurity. Spencer, your time will start as soon as I get done asking the first question. Okay.
Here we go. Spencer, what is the most underrated cybersecurity tool?
[Spencer Alessi] (14:58 - 14:59)
Your brain.
[Kyser Clark] (15:00 - 15:08)
What was your first computer? A gateway, maybe? Do you pronounce it pseudo or su-do?
[Spencer Alessi] (15:09 - 15:09)
Pseudo.
[Kyser Clark] (15:10 - 15:44)
Do you think cybersecurity is underfunded in most organizations? 100%. Do you think privacy is dead in the digital age?
100%. That was 23 seconds. So very good time.
Congrats for unlocking the bonus question. The bonus question, you can explain as much or as little as you want. There's no pressure here.
You can even dot your question if you really want to. But we have to know, who is cooler, ninjas or pirates?
[Spencer Alessi] (15:46 - 17:03)
Ninjas or pirates? Definitely ninjas. And in part, I say that because our offensive security logo for our team, our offensive security department, our logo is like a ninja with a green headband kind of thing and green eyes or whatever.
So definitely ninjas. Pirates are just... Pirates smell.
They don't have any teeth. They're dirty. They are just like thugs of the world.
And I'm thinking of modern day pirates who raid container ships. So that's what my mind immediately goes to. But yeah, I'm looking at our logo now and it's...
Ninjas are just way cooler. Just way, way cooler. They've got cool swords and katanas or whatever ninja fantasy you're into.
And also Ninja Turtles. What's cooler than Ninja Turtles? I grew up watching Ninja Turtles, both cartoon and the originals, the movies.
So yeah, ninjas are just hands down. If you say pirates, you're just wrong.
[Kyser Clark] (17:05 - 17:35)
What a great answer. And yeah, I shouldn't think he's going to pick ninja because you said your logo. I also think it's ninjas.
You're talking all this bad stuff about pirates. And the first thing I think of when I think of pirates, I think of Assassin's Creed Black Flag. And that was one of the least favorite Assassin's Creed games that I played.
I love the Assassin's Creed series, up and up. But then they started bringing up pirates. I was like, dude, I like the assassin thing.
Not this pirate thing. You know what I mean?
[Spencer Alessi] (17:35 - 18:32)
Yeah, I think there's a lot of similarities with both for cybersecurity. Pirates are more like plunder and pillage and brute force, just like ragtag, kind of get in there, smash and grab. Pirates of the Caribbean style, maybe drunk half the time kind of thing.
Whereas ninjas are very much stealthy and evasion. And I think of bypassing defenses and silently crawling through networks. And that's what I like to do, especially during, even during pen tests or assume breach engagements, like stealth and bypassing and EDR and that kind of stuff has always been very interesting to me.
I follow kind of that community and I'm in some discords where we talk about that stuff and for tools and things. So I think it's a key part of offensive security is that aspect. So I think that naturally ninjas would be my go to for that.
Yeah, great.
[Kyser Clark] (18:33 - 19:08)
I agree 100%. So back to the rapid-fire questions, you said the most underrated cybersecurity tool was your brain. And I thought that was a really interesting response because that's not what people think of when they think of cybersecurity tools.
And I think it's a wonderful response because you got to get, to be a good pen tester or a good cybersecurity professional in general, you don't need to, you don't want to rely on tools because the tools constantly change. But the methodology is really where it's at. So can you explain why you said brain and maybe go more into that?
[Spencer Alessi] (19:08 - 23:45)
Yeah, I got a great example. So a guy on our team, Tyler Roberts, he's our external pen tester extraordinaire, like super good, super sharp, super smart, and kind of leads our external pen testing efforts. He's built a lot of the tooling, as far as our capabilities and kind of bringing open source and custom developed tooling and develop a really good process and a workflow for doing external pen tests.
He's starting to learn internal pen testing, right? And one of the things that he's getting hung up on is the tools are getting blocked, right? Like he's going through PNPT, he's like generating Metasploit shellcode and like, you know, trying to pivot with PsExec and stuff like that.
And naturally it's getting detected, right? Especially like when you talk about shellcode. At least the open source stuff.
A lot of the open source stuff is just going to get detected out of the box now, which is one of my core arguments for it's getting harder to be, you know, a red teamer kind of thing. But anyways, so he's going through the training and going through PNPT and he's like, you know, a lot of these tools are getting detected. And he's like, what's the point of like doing this if they're just going to get detected and stuff?
And it's like, well, first of all, you have to turn everything off. Like you turn EDR off, you turn antivirus off, turn everything off so nothing gets detected. And you learn the methodology, right?
Like you learn what technique you need for the given scenario and what other techniques you might be able to use. So if you're talking about lateral movement, you can use WMI, you can use, you know, like SMB, you can use various tools for that. PsExec, you can use PS Remoting, you can use Metasploit, you can use C2 frameworks that have it built in.
There's all these different ways to do a lot of different things. And it's important because when you get in a secure environment, like you were talking about, one method might be blocked, right? Like you might try to RDP to a server, right?
And then you might get a Duo prompt for MFA, right? Like maybe you stole an admin account or you cracked a hash, you got the password and you want to pivot to a server, right? Maybe for some reason you choose RDP, but RDP is blocked by MFA, right?
Now what? If you only know one method or one technique to move laterally, you're going to kind of be lost or kind of be confused if you don't know those other methods like PS Remoting and WMI and all those other methods for lateral movement. So it's important to learn the methodologies and use like your critical thinking and apply tools that are best suited for the job.
So you do need your brain, you do need to understand the environment, what you're working with, you need to understand the techniques that are possible or that you have available to you. And then you have to combine that with the tools, right? You have to find the right tool for the job, the right tool for the purpose.
So that's why I think the brain kind of is your most important tool because it all starts there, right? It all starts from methodology. It all starts from, you know, what is the goal of this?
What value am I trying to provide to the client? And a lot of times when I'm stuck on an engagement or if, for example, I don't get domain admin on a pen test or something like that or on an assume breach, I have to reflect back and say, what is the value? What am I trying to accomplish here?
It's not just to gain elevated privileges and pivot across the environment, right? It's to provide value to the client in whatever that scenario is or situation or engagement is. So the brain is just a proxy for methodology.
It's your process. It's your workflow. It's the value that you're trying to provide.
And that's a constant thing that has to be played in our heads when we're pen testing because a lot of times, you know, this stuff is really fun, you know, and we enjoy poking at it. It's fun to do these things and use these tools. And it's super fun.
At the end of the day, we have to remember what we're here for and remember that there's a process that goes along with it. And if not, like you just get lost in the weeds, you get so encompassed or kind of obsessed with the tools, you kind of lose track of those goals and kind of of your process. And you kind of just are like grasping at straws trying to like find something that works as opposed to like really thinking through the problem and trying to figure it out and figure out what's the best tool or use case or what's the best thing that I can do at this given point in the scenario or in the engagement rather.
[Kyser Clark] (23:47 - 24:11)
A great response. Wow, that's really great insights. And yeah, I couldn't agree more.
And hopefully people listen and understand. It's like, yeah, the tools are going to change. But the brain, like you said, you got to think about what the goal is and that's to provide value to an organization, whether that's a client or it's your organization.
Yep.
[Spencer Alessi] (24:12 - 25:32)
And sometimes for red teamers, like sometimes that is staying undetected for as long as possible and achieving some objective, right? Or capturing some flag, if you will, that the client has set for the engagement. And in many cases, it's even more important to have a methodical approach, right?
Because WMI, lateral movement with WMI might get detected, right? RDP, maybe not. So you have to be methodical in thinking.
Less so with pen testing. I think pen testing can be much more smash and grab from that perspective, from like an evasion perspective. But many clients now, and I'm sure you can agree with this or maybe you've heard this, is many clients still want to know if something goes bump in their network, are they going to hear it?
Even on a pen test, even when we say like, hey, we're emulating the techniques that threat actors use, maybe not necessarily in the same order or through the same effectiveness that they might, but we're still using the same techniques, many of the same tools. It's just a little bit more abrupt or more shortened of a timeframe. So there's going to be more alerts and things like that.
But even in those cases, it's still important to have a good methodology and a good process, a good workflow to follow and plug stuff in as needed.
[Kyser Clark] (25:34 - 25:51)
Right. So one of your favorite sayings is 99% of vulnerabilities don't matter. And I had to bring it up.
And as a pen tester, what is your methodology when it comes to your pen test report? Are you putting the 99% of vulnerabilities that don't matter on a report or do you leave them off?
[Spencer Alessi] (25:52 - 30:08)
Yeah, that's a great question. I think it's a very contentious topic sometimes because at a meta, at a high level, of course, everything matters to some extent. When I say 99%, I mean, I'm talking from the context of an internal pen tester on an internal network, focusing on the gooey insides of a network.
A lot of the vulnerabilities, like SSL findings, right? Like you don't have certificates on your servers or something, or SSH, or sorry, old SSL algorithms themselves, right? Or encryption algorithms themselves.
That's kind of what I mean. And I think what's important to kind of focus on or articulate to clients are the things that threat actors are going to abuse. So vulnerabilities that threat actors are going to abuse or are going to target or focus on or identify, right?
There are many cases where I will put a finding, like a 99% finding on a pen test because I think it's important. But in most cases, I'm focused on things that Nessus isn't going to discover or Qualys or whatever your vulnerability scanners are not going to discover. So a lot of it is active directory based, identity based.
A lot of it are lateral movement based findings or where there is the potential for a lateral movement, right? So when you have nested security groups. So a good example is like help desks as members of the domain administrators group, right?
I will traditionally write that up on a pen test because I know that help desk in most cases do not need to be administering the domain nor do they usually have the role or the experience to be administering the domain. So findings like that, unless you're running like Nessus's identity, I think they have like an identity module, maybe, but traditional vulnerability scanners previously would not identify things like that or they wouldn't identify insecure delegations on security groups or containers or OUs in active directory. Maybe there's a misconfigured delegation that allows domain users to add themselves to, you know, the print operators group in the domain or something weird like that.
Those things are really good to call out because those things are things you would not find unless you know what to look for and you know where to look. And that's really what I focus on on an internal pen test because a lot of the other stuff is commoditized. You can just run a vulnerability scanner.
You can find a lot of stuff, but I like to find the things that I know and I've identified over the years of being things that you won't find unless you know what to look for and where to look because those things are hidden. Those things are not easy to find. Like I said, if you're not experienced enough to know them or have seen them before and many times they will just sit there dormant for forever virtually, whether a threat actor finds them or not until something bad happens or they have an incident or something.
So that's what I like to focus on in terms of the 1% is things that based on experience, research, past history, past engagements are things that are hard to find that you wouldn't find if you weren't looking for and you didn't know where to look. Because like I said, a lot of that other stuff is more or less commoditized in the sense that your vulnerability management program should identify all those other things, right? You should find that you have out of date Windows servers and you should find that you have old SSL running on your web servers and things like that.
You should be able to find those relatively easily. We want to provide value and showcase that, hey, there's a vulnerability. It can be exploited in this way or it allows us to get access to this thing and pivot over here.
We want to articulate the risk of those findings, not just that there is risk of that finding. Does that make sense?
[Kyser Clark] (30:10 - 31:18)
Yeah, that makes sense. And we've been talking about this in my company and how about what goes on our report? Because we don't want to just repeat what Nessus is saying, but sometimes you get into a client environment and there's Nessus reports a lot of pages and pages of Nessus findings.
And it's like, well, if you try to verify all those and you're just wasting your time because you're not giving the value that you should be giving them. And it's definitely a struggle when you run into that situation because like you said, the client should know what's out of date already and they should know that they don't have the updated TLS and that their server clocks are in those Nessus findings that don't matter. Like, you know what I mean?
And yeah, it's definitely a debate there. Like, yeah, do you put those on the report? Do you not put them on the report?
But I think it's safe to assume it's like, yeah, we shouldn't focus on that. Maybe we do put on the report, but maybe not spend a lot of time on it. And that's where we're at with it.
[Spencer Alessi] (31:19 - 33:10)
It varies from engagement to engagement, firm to firm, right? Some firms will have like an appendix, like here's all the vulnerabilities we found and like here's the most important ones or the exploitable ones. And there are many options for that.
And it's, you know, I'm thinking the difference between like internal and external, even for us is very different from a finding perspective because we might find something that the client didn't know that they had. And even if it has like an old SSL or an out of date certificate or expired certificate, we want, we of course want them to know about it in the chance that they didn't know about it already. So external, I think it's more important to have as much all encompassing report as possible.
Whereas internal, I think it's a little bit different. I think you are afforded a little bit of luxury in terms of the findings that you identify or the findings that you call out and kind of identify or drop in your findings and within your evidence because you are, like you said, there's so many hosts, right? If you did a vulnerability scan and you included all of that in your pen test report, it would be a thousand pages, right?
Especially in large environments. And of course you can provide an appendix or things like that. But what we found is a lot of clients are already doing vulnerability management.
They're already scanning and we don't wanna just give them a report that says the same things. We wanna try to provide value above and beyond what they have got before or what they're getting currently. Even if it's us doing vulnerability management for them, which we do, we still want our pen test to be distinct in that we're trying to gain access to systems or exploit vulnerabilities or whatever the engagement calls for.
We try and showcase that we're doing that and providing value in that specific thing.
[Kyser Clark] (33:11 - 33:36)
Yeah, and you just made a light bulb go off in my head. Maybe in a kickoff call, just like, hey, are you guys doing vulnerability scanning? And if they say, yeah, then it's okay.
Well, we can not put those on the report or we can not really spend a lot of time on it. But if they say, yeah, we're not doing vulnerability scanning, then maybe they're not even ready for a pen test at that point. But yeah, that's something we should be talking about in a kickoff call.
So we make sure we get it right.
[Spencer Alessi] (33:36 - 35:07)
Yeah, it absolutely comes down to client communication, as does 99% of anything in this world related to it. It's always client communication. And having good expectations up front and making sure you understand what the client is hoping to get.
I think that's the biggest one that maybe gets missed out. And something that took me a while to learn because I came from internal IT. So I was very focused on the stakeholders of IT being like the IT team, leadership, and then the customers of the companies that we provided a service for.
It's very different from being internal IT to being a consultant because now you have a unique set of stakeholders that you might be talking to the IT director, but he probably reports to the CEO or the CO or something like that. So even he has stakeholders that he has to satisfy and regulators and external customers with client requirements and things like that. So it's important to understand their goals and communicate.
And I think a lot of things get solved just by communicating with the client and figuring out what it is they want. What are they hoping for?
What are their expectations? And making sure that if expectations do change, or if somehow they get lost, or you provide something that they didn't expect, that you kind of figure out the problem and kind of communicate with the client. But it's all communication, right?
It's so much.
[Kyser Clark] (35:08 - 35:31)
Yeah. Yeah. It's really important.
And sometimes I'm a routine kind of person but you can fall in a trap if you treat every client the same way. Because you want to give them a tailored experience. That's why they're coming to you for a pen test.
You got to give them... Every pen test is going to be different. You can't treat them all the same and every report is going to be different.
Yeah. And it's hard.
[Spencer Alessi] (35:31 - 36:20)
Like you said, it's easy. It's hard to do that, but it's easy to fall in that trap because like you said, we're very much process driven and methodology driven. So we're going to try and do the same thing every time.
We just have to tweak it a little bit to provide that little ounce of digging a little bit deeper. I think just asking another follow-up question is like one of the ways you do that, right? You just ask another follow-up question or ask them to explain a little bit or like, tell me what you mean.
Or can you provide a little bit more context? Just something to keep the client talking. And the more they talk...
And you probably experienced this too. The more they talk, they're like, oh, wait, actually there's this thing. And like, oh, actually, yeah.
And then they just solve it for you because they're like remembering like, oh yeah, that thing over there. So that is very real too. That happens all the time.
[Kyser Clark] (36:23 - 36:56)
All right, this is a question that I've also been wondering for myself. So when it comes to one's penetration testing career, what metrics matter? Like for example, if I want to ask my employer for a promotion or if I'm trying to apply for another job and this applies to anybody that's in pen testing, what metrics matter?
How much revenue you drive to the company? Does it... How many vulnerabilities you find?
Is it client satisfaction? All of the above. Like what resume bullets are the ones that matter when it comes to growing in one's career?
[Spencer Alessi] (36:58 - 40:06)
I think the easy answer, which is extremely difficult to quantify, is how good of a human being you are to your team and to your coworkers, to your clients and the value that you provide, which are obviously interlinked. I think it's extremely difficult to quantify if you don't have feedback from customers, if you don't get sentiment from your customers or from your team, from your coworkers, from leadership, things like that. And I think value can be created in a number of different ways.
But in everything that you do, if you try to over deliver and just be a good teammate, be a good person, be kind and respectful and empathetic of other people, I think you will do just fine. Many times the technical stuff, the technical acumen is very easy to obtain. There's tons of learning and knowledge and platforms and all sorts of stuff you can do to get the technical knowledge.
It's much harder to be... To think about other people in any given situation, like to go into a pen test and to really want to ransack their environment, but also know that if you don't provide value or the client doesn't even perceive that there was value, even if you objectively say like, hey, we found all these vulnerabilities, found these critical things, if they don't feel like they got value, the engagement to me is a loss. So the number one most important thing, I think in that situation or that question is just to find ways to provide as much value as you can.
And like I said, be kind, be a good teammate, be respectful, be responsive and all those kind of like soft skill things, work on those and be really good at that and try to provide value. And that's been my goal. That's what I try to do with content and try to make sure the stuff that I post, I think about like what's in it for the person that I'm posting or what value do they get from this post and things like that, the podcast.
That's very much how we see the engagements is if we do this engagement for the client, what value do they get? What do they achieve from this? So when it comes to career and asking for promotions, if you provide value and you think you did, you've done an amazing job the last year, you think you've gone above and beyond and you think you've been a great teammate and things like that, I would encourage people to ask for the promotion, ask for the raise, ask for whatever it is you're asking for because you'll be able to rest your head knowing like I did the best I can, I'm doing the best I can and I'm trying to provide as much value as I can.
And the worst that somebody says is no but most likely it's gonna be like, hey, we can do this or what about this or we can do this now and we'll work on a plan for this later kind of thing. But that's what I would say.
[Kyser Clark] (40:08 - 40:18)
Great advice. And unfortunately, we're running out of time so I have to ask you the final question. Do you have any additional cybersecurity hot takes or hidden wisdom you would like to share?
[Spencer Alessi] (40:20 - 42:59)
I think I've got lots of hot takes, many of which I don't share online because of the value thing. Me just tweeting something just to start an argument is not super fun. I don't really enjoy that.
I do enjoy discussing topics that are debated when it comes to vulnerabilities and like which ones matter or like CVSS ratings or when it comes to like EDR bypassing or like this or that. I think there's value in the nuanced discussion of that to help people understand the topic more but I don't like just like blasting stuff out just to like cause controversy and stuff like that. But I would say my advice is to...
If you're into internal pen testing, let's say specifically, have a lab. Like that would be one tangible piece of advice I would say is have a lab or use some lab platform, whether it's on the cloud or on an old computer or something or your computer, spin up VMs, you know, roll out an Active Directory domain controller in a domain and set up a forest and set up a forest trust and set up ADCS, set up WSUS, Exchange even if you want to go through that process. Think like a system administrator, try to like administer your environment, your lab and set it up.
I think that will really help you when it comes time to talk remediations or just, you know, just findings in general. I think that's the best thing you can do as an internal pen tester is play with the technologies that you're pen testing against. So you can have some of that experience, particularly if you don't come from a sysadmin IT background.
I think that's very, very helpful because a lot of the findings you're going to identify are going to be things that a sysadmin is going to already know about. They just might not know about the attack vector for it or how to abuse it kind of thing. They're going to know how to administer it and kind of modify it or make changes to it.
And I think that's helpful to understand because when you're in those meetings with clients, they're going to ask like, well, where do I go to change that setting? Or where do I, you know, where do I go to, you know, fix this thing? They might have a rough idea of like how to administer that thing.
But having that additional context, I think helps. So if you're an internal pen tester doing anything with Windows, Active Directory, internal networks, assume breach. I think it's having a lab and being able to play around in a lab, an isolated sandbox environment is super pivotal.
It's been super critical for me and my learning and continues to be. So that would be my advice.
[Kyser Clark] (43:00 - 43:13)
Great advice. Thank you so much for sharing that. Spencer, thank you so much for being here today and providing incredible value to both me and the audience.
Where can the audience get ahold of you if they want to connect with you?
[Spencer Alessi] (43:14 - 43:45)
Yeah, I appreciate it, Kyser. It's been super fun. I appreciate you asking me to come on.
It's been awesome. So I appreciate that. If you are listening and you want to check me out, you can find me on LinkedIn at Spencer Alessi somewhere down there.
I'm pointing to the text. I'm @techspence on X or Twitter. And I'm pretty much like techspence on those platforms.
So LinkedIn and X are kind of two popular platforms that I post on a lot. So you can find me there. Yeah, that's it.
[Kyser Clark] (43:47 - 43:59)
Great. And audience, the best place for me is KyserClark.com and on LinkedIn. Audience, thank you so much for tuning in.
And hopefully I'll see you in the next episode. Until then, this is Kyser signing off.