This is an automated archive.

The original was posted on /r/cybersecurity by /u/Alarmed-Tie-2251 on 2023-08-07 18:57:43+00:00.


Edit: TL;DR - Do you have advice for a penetration tester who is only being limited to web app pentests and wants to try other modes of testing without switching jobs?

Hey all, I’m a penetration tester with two years of experience, OSCP, OSWE, and CRTO without a college degree.

I love pentesting; however, I switched jobs eight months ago and feel stuck in my current position with the company because I have been limited to only doing web app testing, even though I have conveyed a significant interest in doing internal assessments alongside other modes of testing. Because I have been doing web app pentesting and nothing else for eight months now, I no longer get the satisfaction of doing the work because it has become monotonous. I have asked management a few times now within the past six months if I may be included in other opportunities to work on internals and different modes of pentesting.

Up until now, everything has stayed the same, and I have exclusively been testing web applications. I was not told I would exclusively be testing web applications in the job description or hiring process. I was scheduled to do an internal twice previously; however, project management has canceled them and placed me on web apps instead a couple of weeks before the assessments. I have had good feedback in my quarterly reviews, finished projects early (in hopes that I could shadow others leading internals and help others inundated with their tests), I became CRTO certified, and am currently wrapping up OSEP.

Does anyone have advice on how I should convince management to give me a chance to work on other projects like internals (or anything else, I’m not that picky)? Should I earn my college degree and bounce after 2.5ish years of online school? This job is limiting my potential so far, but I prefer to avoid hopping jobs within a short time span, especially because of the great work culture at my employer aside from this complaint. Am I in the wrong here for wanting to do other modes of testing after asking for eight months with no improvement?