From helpful employees to movie-worthy nighttime operations—penetration tester Philipp Kapeller explains how easily security barriers can sometimes be breached

In the Name of Security: Insights into the World of Penetration Testing

What actually happens when someone sneaks across a company’s premises at night or gains access to sensitive areas with a smile? Philipp Kapeller, a penetration tester at CANCOM, takes on the role of a “legal hacker” in his line of work and puts corporate security through its paces. In this interview, he offers exclusive insights into his operations—full of curious situations, surprising twists, and moments that reveal just how vulnerable even well-protected systems can be. An authentic look into a job that demands people skills, technical know-how, and a healthy dose of improvisation.

2 June 2026

Reading time: 8 min.


Image: © CANCOM (edited using AI)

CANCOM Slovakia: What exactly are penetration tests?

Philipp: A penetration test—or “pentest” for short—is a controlled, authorized attack on a company to find security vulnerabilities before real attackers do. We take on the role of a hacker and try to uncover technical, organizational, or physical vulnerabilities. These can include software bugs, weak passwords, outdated systems, or easily exploitable processes. A pentest is always clearly defined: The client specifies exactly which areas may be tested. Ultimately, it’s not about exposing anyone, but about providing companies with concrete and actionable measures they can use to improve their security.

CANCOM Slovakia: Have you specialized in a particular area?

Philipp: Yes, the field is very broad. Specializations therefore make sense. My areas of focus are OSINT, web application penetration testing, social engineering, and physical security.

In social engineering, I focus on attacks that center on people. For example, we test whether sensitive information can be obtained through phone calls, emails, or in-person interactions. We observe how employees react in certain situations and whether they trust existing processes or critically question them. For example: If I show up with a forged order, an employee should verify whether it actually exists—it is precisely these kinds of observations that help us improve processes.

In the area of physical security, we attempt to gain access to buildings through break-ins: Can a locking system be picked? Is there a tilted window that can be opened? These tests show how well a company would be protected in an emergency.

CANCOM Slovakia: What exactly does a social engineering operation look like?

Philipp: That depends on whether we’re testing online or on-site.

Online, for example with phishing, emotions play a major role. I like to develop campaigns that fit the season. To kick off barbecue season, we ran a phishing campaign where we sent an email that looked as if it had come from the company’s internal marketing department. The email was an invitation to an exclusive barbecue seminar with an external event partner and limited spots. So, those interested had to register quickly. Especially when there’s a time pressure element, many people don’t look at an email properly, click on a link, and fall into the trap.

On-site social engineering is about subtly influencing people. In the past, it was common to unsettle people, put them in an uncomfortable situation, and then offer them a way out. Nowadays, many people are well-trained to recognize this scenario and no longer fall for it. Today, you’re much more successful with friendliness and humor. I strike up small talk, make people laugh, create a positive vibe, and then ask for small favors, such as unlocking a door to a room. Another simple but effective method is to find a door near an ashtray. I stand with the smokers, strike up a conversation, and—depending on the situation—pretend to be a new employee or a company electrician, and when everyone goes inside, I just go with them. This works very well.

CANCOM Slovakia: What about a break-in? How do you proceed in that case?

Philipp: Before every job, we receive clear instructions from the client—e.g., gain access to the office, take photos, steal sensitive data. The client also specifies which areas we’re allowed to enter and which are off-limits to avoid hazardous zones. To prepare for the break-in, we first scout the premises, often using Google Maps or Street View, or sometimes even fly a drone. Are there shift changes? Weak spots in the fence? During the actual break-in, we’re not allowed to damage anything. We usually operate at night, trying to enter the premises unnoticed and then unlock the building’s door. As soon as we’ve reached our goal, the “fun” is over—we have to leave and start drafting the report.

CANCOM Slovakia: Does anyone know that you’re going to commit a break-in, and have you ever been caught?

Philipp: We always receive a “Permission to Attack” from the client. Additionally, a few people within the company are in the know. If we’re caught by the police or others, they act as our point of contact. Then we can only hope that this contact person doesn’t have their cell phone in airplane mode at night, so the police can verify the authorization.

I haven’t been caught myself, but some of my colleagues have. Once, a resident noticed suspicious activity and called the police. At that moment, it’s clear: the break-in has failed, even if the person isn’t affiliated with the company. Most of the time, the client subsequently grants us permission again for another break-in attempt.

CANCOM Slovakia: Were there any surprising or bizarre situations during your tests?

Philipp: Yes, some situations have stuck in my memory very vividly.

Once we were on a job at a company where we’d already been caught on our first social engineering attempt. On the second try—at a different location—the person we approached this time suddenly displayed the same skeptical behavior as the employee from the first attempt. When she said she needed to check something quickly, I looked at my colleague and said, “I think we’re about to get caught again.” We were practically ready to admit defeat. But then she came back beaming, triumphantly holding up a key and saying, “I found it!” No trace of suspicion left. She willingly opened the exact area we wanted to access.

Another audit went just as curiously. We were standing in front of a locked door that we intended to bypass using social engineering when someone in the adjacent room addressed us and asked where we needed to go. What we didn’t know: He was one of the few insiders who knew about our mission—though he didn’t know our names or what we looked like. I explained that we needed to check the network printer. He didn’t hesitate for a second and unlocked the door for us. Inside, we reached our destination without any trouble. On the way back, the nearby server room caught our eye—also locked. My colleague looked at me: “Do you think we can ask him again?” We just gave it a try, and sure enough: The employee came with us immediately, unlocked the door, and said in all seriousness: “It has to stay locked at all times so that no unauthorized people can get in.” We had to really pull ourselves together not to burst out laughing. I replied dryly: “Oh, that’s good that you’re so careful about that.” No sooner had he left than we were standing in a server room where a real attacker could have caused massive damage.

CANCOM Slovakia: And during a break-in? What’s the weirdest thing that’s ever happened to you there?

Philipp: There was one experience that was almost like something out of a movie: a nighttime operation on a dark industrial site where numerous night-shift employees were on the move. According to regulations, we should have been wearing protective gear like helmets and vests. We weren’t wearing any of that. That should have been noticeable, and someone should have stopped us and asked who we were. Instead, we marched past an office with our backpacks full of burglary tools and greeted five employees who were taking a coffee break. We didn’t even get a passing glance. Behind the building, we finally found a slightly recessed door that we wanted to break into. I pulled out my continuously adjustable flashlight, turned it on very dimly at first, and kept increasing the brightness until the entire backyard was brightly lit. It was as if day had suddenly broken. No one reacted. No window opened, no shout, no question. We were able to continue undisturbed and eventually break in successfully.

CANCOM Slovakia: With all the assignments, moments of surprise, and sometimes bizarre situations—what is it that personally fascinates you most about penetration testing?

Philipp: All these experiences—the moments of surprise, the bizarre situations, and the assignments where you never quite know what’s happening behind the next door—make my job incredibly exciting. No two days are alike. Sometimes I sit in front of systems for hours, looking for a way to exploit a vulnerability. Other times, I’m out in the middle of the night on an industrial site, sneaking across rooftops or chatting with complete strangers to gain access to restricted areas.

What all these experiences have in common is the moment when it becomes clear just how well security mechanisms really work—or don’t. Sometimes it’s frustrating, sometimes absurdly funny, and often just plain fascinating. But in the end, it’s always about delivering real value to companies: We uncover where attackers would have an easy time of it and make sure that’s exactly what doesn’t happen.

For me, this blend of technology and real-world action is what makes penetration testing so fascinating. And it’s also why I can wholeheartedly recommend this profession to anyone who is curious, tenacious, and eager to learn—because it’s guaranteed never to be boring.

CANCOM Slovakia: Thank you so much for these incredibly fascinating insights. A second part of the interview will follow soon, in which Philipp explains how to become a pentester, what typical vulnerabilities exist in companies, and what the future of pentesting will look like. Stay tuned!
