It doesn’t matter whether you’re a cybersecurity professional looking to level up your skills or an executive-level IT decision-maker trying to ensure that your company’s data remains secure – access to the right penetration testing tools is essential for your success.

In a vacuum, it’s easy enough to understand why this is important: pen testing simulates an attack on your computer systems to identify potential weaknesses and allow your team to shore up its defenses. It’s a hack that is focused on exposing (not exploiting) network security issues, unauthorized access points, and other potential threats. Pen testing can also be used to highlight the system’s strengths and is a vital component of a full risk assessment.

Pen test certification is important…but not all tests are created equal.

For starters, there are several different types of penetration test types. A white box penetration test, for example, requires that the company being tested provides the tester with relevant security info. A Black box test, or blind test, leaves the penetration testing team in the dark to mimic a real-world situation. A covert test takes that to the next level by not even informing the company that its system is being tested. There are also internal tests, external tests, social engineering tests, and more.

With so many varied options, there is no one true way to learn penetration testing – each test needs to be tailored to the company’s unique requirements. If you rely on outdated methods or implement the wrong type of test, the entire process is useless. Malicious threat actors are continually updating their capabilities and developing new tools and techniques for gaining unauthorized access to computer systems and wireless networks. You need to keep pace with these developments continually.

At Sprocket Security, we want to make this easier. In addition to our focus on continuous penetration testing, which provides pen test certification via an organic, ongoing process, we’ve compiled an overview of some of our favorite pen testing learning resources. Check out the list below:

Here are a few of the top resources for improving your pen testing capabilities in 2022:

Watch Tutorial Videos

Online video platforms like YouTube are a mixed bag when it comes to self-paced education. For every insightful, informative lecture or tutorial, there are tens of thousands of crowdsourced videos of pet compilations, video game streams, and pranks. The ratio for cybersecurity content isn’t quite as drastic, but it definitely tends to skew toward low-value content.

To navigate your way around this, look for channels from reputable cybersecurity experts and penetration testing tool providers. There are hundreds of popular and knowledgeable content producers - the best option for you will depend on the type of pen test certification you’re looking for and how deep you want to dive into the information.

For example, when I first started out, I watched YouTube channels like [IppSec] over and over again. (I'm not kidding!) While channels like these are necessarily representative of real-world penetration testing scenarios, I have always touted the importance of building a "testing flowchart" in your head. Knowing what to do next when hacking and building your overall methodology is so insanely pivotal to a successful penetration testing career. You can't get creative and develop new attack paths without first building your hacker spidey-sense!

card-image

IppSec on YouTube

A collection of videos helping design overall methodologies and testing flowcharts to better equip penetration testers.

icon-globe: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Analyze Penetration Testing Articles

Cybersecurity blogs are another great way to learn penetration testing, and unlike videos, quality content can be easily bookmarked and copied for future reference. Blogs can run the gamut of quality, but it’s typically pretty easy to differentiate content produced by reputable pros vs. content mills.

The bigger danger here is outdated information – penetration testing best practices can change in the blink of an eye. Ideally, you want to be referencing content that was produced within the past year. At Sprocket, we frequently post informative, up-to-date pen test tutorials to our website and many other providers do the same.

A great place to source penetration testing articles and methodologies is Twitter. If you follow the right people and avoid the fluff, you can learn a lot by browsing. To avoid this fluff, ignore "thought leader" accounts and mute certain words. A great source for cybersecurity articles I wouldn't have found without Twitter is the BadSectorLabs blog. Every week, the author curates and shares a list of new valuable research articles released in previous days.

card-image

Bad Sector Labs Blog

Weekly curated lists of research articles, cybersecurity news, techniques, tools and exploits..

icon-globe: https://blog.badsectorlabs.com

Listen to Cybersecurity Podcasts

The popularity of podcasts has been growing rapidly over the past decade, and if you think the medium is just for true crime documentaries and stand-up comedians, you haven’t been paying attention.

Fire up ‘Penetrating Testing Tools’ or ‘Learn Penetration Testing’ on your favorite podcast platform and you’ll generate dozens of informative results. This isn’t just limited to pen testing, by the way – podcasts are an outstanding way to learn all sorts of practical cybersecurity and IT skills.

Again, some may argue that podcasts such as Darknet Diaries do not showcase real-world penetration testing scenarios and instead stay very high-level. I'm afraid I have to disagree and personally believe that Darknet Diaries and similar podcasts do an excellent job of getting you acquainted with topics relevant to all aspects of cybersecurity.

card-image

Darknet Diaries

Podcast hosting true stories from the dark side of the internet about hackers, breaches, shadow government activity, hacktivism, cybercrime, and all the things that dwell on the hidden parts of the network.

icon-globe: https://darknetdiaries.com

Improve Your Skills with Courses & Bootcamps

Online skill development courses exploded in popularity during the early stages of covid, and this growth hasn’t slowed. Platforms like Udemy, Thinkific, and Teachable offer courses from a wide spectrum of subject matter experts (including pen testing specialists). The cost of these courses varies significantly, from free to thousands of dollars, but even the more expensive enrollment fees are cost-effective compared to courses at traditional colleges and universities.

Though typically thought of for software development and coding rather than cybersecurity, online boot camps are also viable when you want to learn penetration testing quickly.

Mostly free platforms like HackTheBox and TryHackMe used to be what we in the industry call "CTFy," meaning that, again, they weren't very representative of real-world penetration testing. These platforms, in recent years, have significantly improved and share free challenges often created by active penetration testers and bug bounty hunters. Spend 1000 hours doing challenges on these sites, and I'd venture to say that you are ready to enter the industry.

card-image

Hack The Box

A massive hacking playground with a dynamically growing hacking community. Take your cybersecurity skills to the next level through a captivating, gamified & hands-on training experience.

icon-globe: https://www.hackthebox.com

Pay Attention to Cybercriminals

This is a big one. An NFL quarterback might watch Tom Brady and Aaron Rodgers on his own time, but when he’s in the video room preparing for a game, his focus is typically going to be on the opposing defense rather than his superstar counterparts. The same logic applies here – if you want to implement the most effective, up-to-date pen testing processes, you need to know what’s going on with the other side.

Learning directly from hackers isn’t the greatest idea (unless you want to wind up in jail), but there are plenty of other effective ways to monitor who you are up against. In addition to government organizations like the CISA and DHS, there are many private sector think tanks and industry groups that publish up-to-date information and statistics about domestic and international cyber threats.

When studying the tactics, techniques, and procedures (TTPs) used by real-world actors, you might find that they operate very similarly to offensive security professionals. To get an idea of what the bad guys are doing, I recommend watching Twitter, CVE Trends, and AttackerKB closely.

card-image

CVE Trends

Website collating real-time information about tweeted CVEs. CVE Trends gathers crowdsourced intel about CVEs from Twitter's filtered stream API and combines it with data from NIST's NVD, Reddit, and GitHub APIs.

icon-globe: https://cvetrends.com

Learn Directly from Trusted Providers

When developing your skills or protecting your digital assets, identifying the right penetration testing tools is only the first step of the equation. To extract maximum value from the process, you also need to find the right partners.

At Sprocket Security, we work closely with clients throughout the entire continuous pen testing process to ensure that they always understand exactly what’s happening (and why). This knowledge transfer, combined with our comprehensive database of technical and strategic resources, can serve as a launchpad for your team to learn penetration testing.