I would like to draw a simple analogy between professional soldiers and professional penetration testers. I find a lot in common between them and I believe that this exercise may help some members of the audience to clarify their understandings regarding our industry.

We will drill into several categories where both professions will be compared to each other:

Skills

Both, professional soldiers and penetration testers, have professional set of skills which were build over years of experience. Although the soldier/pentester can be a specialist in several areas of combat, s/he is extremely capable in a few areas of interest. That could be foreign weaponry, tactics, vehicles, etc when it comes to soldiers or information gathering, infrastructure testing, application testing, etc when it comes to penetration testers.

Nobody is good at everything. This is why both professions are based around the idea of working in teams.

Weapons

Professional soldiers use professional tools. They can probably wipe out a small army with a knife, ala Chuck Norris and Steven Seagal, but that is besides the point. Professional soldiers can afford the toys. This is what makes them professionals and this is what differentiates them from the rest.

If you are a professional penetration tester, you should stick to the same principle. Very few of us can afford to have a range of the best penetration testing tools which usually cost too much money. We say that if you are a good hacker then you can hack with just telnet but that is besides the point. If you want to be treated as professional you have to project an image of professionalism.

You have to learn that no tool will make you redundant. The nuke did not make soldiers redundant. However, you have to equip yourself with the best tools if you want to play the game and having Nessus and Backtrack wont cut it.

Professionalism

If you screw up then it is very hard to pick yourself up. This applies mostly to professional soldiers. I guess they have more at stake than us. However, penetration testers should not feel like an exception to this principle. This is a rudimentary ideal which all of us should follow.

If you want to become a professional penetration tester then learn how to build and encourage professionalism in you and your clients. This means that you have to pay attention to all details but most of all strive to provide a quality service.