Pentester Foundations & CTF Practice.
Senior-tester skill rubric, repo-archaeology techniques for security engineers, and the CTF tooling and infrastructure references that keep practice sharp.
Senior-tester competencies
- Reconnaissance. Can build an asset inventory of a target from public sources alone, with confidence per asset. Knows when active scanning is the right next step and when it isn't.
- Web application. Can identify, exploit, and report every class in the OWASP Top 10 from memory. Can read source code in at least Python, JS, and Java to verify a finding.
- Identity and AD. Can run BloodHound, read its output, and pick the right edge to chase. Understands Kerberos delegation well enough to weaponize and to defend.
- Network and pivoting. Can stand up a SOCKS pivot, a reverse-tunnel through HTTPS, and a multi-hop ligolo chain without referencing docs. Knows when each is the right choice.
- Cloud. Comfortable in at least AWS or Azure: IAM model, metadata-service abuse, common SaaS-trust pivot patterns.
- Detection. Knows what each technique looks like in Sysmon / Defender / CrowdStrike telemetry. Picks tools by IOC profile, not by familiarity.
- Reporting. Writes findings that survive an executive review without losing technical correctness. Reproducible steps for every claim.
Git as a recon surface
- Secret hunting in history. `trufflehog git file://. --since-commit HEAD~1000` and `gitleaks detect` walk the commit graph rather than the checkout (TruffleHog's `filesystem` mode only sees the working tree, so it misses exactly the secrets this is about). Secrets removed from HEAD often remain in history; check old branches and tags too.
- Author archaeology. `git log --format='%an %ae' | sort -u` for the contributor list; feeds OSINT for phishing recon. Commit timestamps (`%ad`) reveal working hours and time zones.
- Fork comparison for vuln triage. When upstream patches a CVE, `git log fork/main..upstream/main` lists the commits upstream has that the fork lacks; if the fix is among them, that fork hasn't pulled it. Mind the direction: `upstream/main..fork/main` shows the fork's own changes instead. `git branch -r --contains <fix-sha>` answers the same question across every fetched fork at once.
- Reflog and unreachable commits. `git reflog` and `git fsck --no-reflogs --unreachable` (or `--lost-found`) recover committed-then-orphaned secrets that the author thought they'd erased with an amend or a force-push. Plain `git fsck` treats reflog entries as roots, so without `--no-reflogs` the orphans stay hidden. A fresh clone only fetches reachable objects; this works on a checkout obtained directly (backup, disk image, the developer's machine).
- GitHub-specific. `github-search` tooling for org-wide search; commits pushed to a fork remain reachable by SHA through the parent repository's API after the fork is deleted, so don't rely on the ~90-day figure often quoted: treat anything ever pushed as recoverable.
CTF tooling worth muscle memory
- Web. Burp Suite (with extender keymaps), ffuf, sqlmap, gobuster.
- Binary. Ghidra, gdb + GEF, pwntools, ROPgadget, one_gadget.
- Crypto. sage, cryptohack solvers, RsaCtfTool.
- Forensics. volatility3, autopsy, binwalk, exiftool, foremost.
- Steg. stegsolve, zsteg, stegseek, Audacity for audio.
- Network/reverse. Wireshark with custom dissectors, scapy for crafting.
Building a private attack/defense range
- VPN topology. WireGuard hub, one /24 per team. Egress to scoring loop only.
- Vulnerable services. Rotate the seeded vuln set every 15 minutes from a curated bank of historic CVEs — keeps participants from coasting on yesterday's exploit.
- Scoring loop. Out-of-band agent on each service that performs SLA checks (availability, correctness) and flag rotation. Agent runs from a network the teams cannot reach.
- Replay capture. tcpdump on the scoring network for after-action review. Most learning happens in the replay session, not in the live game.
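One way the scoring agent can rotate and verify flags without a shared database, as an added example that is not part of the original notes. Each flag for a (round, team, service) triple is derived with an HMAC under a secret that exists only on the scoring network, so any agent can mint the flag to plant and any agent can verify a submission statelessly; a flag from an earlier round is refused, as is a team's own flag. The secret, team and service names, 15-minute round length and one-round grace window are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: stateless flag rotation and
# verification for an attack/defense scoring agent. Values are constructed.
set -eu

SCORING_SECRET=${SCORING_SECRET:-demo-scoring-secret-change-me}  # constructed; the real one lives only on the scoring agent
ROUND_SECONDS=900   # one round per 15 minutes, matching the rotation in the notes
GRACE_ROUNDS=1      # still accept the previous round's flag for one more round

# hmac_hex MSG: HMAC-SHA256 under SCORING_SECRET, truncated to 32 hex chars.
hmac_hex() { printf '%s' "$1" | openssl dgst -sha256 -hmac "$SCORING_SECRET" | awk '{print $NF}' | cut -c1-32; }

# round_of EPOCH: round counter for a unix timestamp.
round_of() { echo $(( $1 / ROUND_SECONDS )); }

# mint_flag TEAM SERVICE ROUND: the flag the agent plants on TEAM's SERVICE for ROUND.
# Team and service names must not contain '.'; the parser below splits on it.
mint_flag() { echo "FLAG{$3.$1.$2.$(hmac_hex "$3|$1|$2")}"; }

# check_flag SUBMITTER NOW_ROUND FLAG: ok | own | expired | bad
check_flag() {
  local submitter=$1 now=$2 flag=$3 body round team service mac oldifs
  case $flag in "FLAG{"*"}") ;; *) echo bad; return 0;; esac
  body=${flag#"FLAG{"}; body=${body%"}"}
  oldifs=$IFS; IFS=.; set -- $body; IFS=$oldifs
  [ "$#" -eq 4 ] || { echo bad; return 0; }
  round=$1 team=$2 service=$3 mac=$4
  case $round in ''|*[!0-9]*) echo bad; return 0;; esac
  [ "$(mint_flag "$team" "$service" "$round")" = "$flag" ] || { echo bad; return 0; }   # MAC mismatch
  [ "$round" -le "$now" ] || { echo bad; return 0; }                                    # not minted yet
  [ "$team" != "$submitter" ] || { echo own; return 0; }                               # no self-scoring
  [ $(( now - round )) -le "$GRACE_ROUNDS" ] || { echo expired; return 0; }            # replay from old round
  echo ok
}

# sla_check TEAM SERVICE CMD...: run an out-of-band availability/correctness probe;
# a non-zero exit is an SLA failure for that team and round (e.g. CMD = curl -sf http://...).
sla_check() { shift 2; if "$@" >/dev/null 2>&1; then echo up; else echo down; fi; }

now=$(round_of "$(date +%s)")
f=$(mint_flag team03 webshop "$now")
echo "planted on team03/webshop for round $now: $f"
echo "team07 submits it now:            $(check_flag team07 "$now" "$f")"
echo "team03 submits its own flag:      $(check_flag team03 "$now" "$f")"
echo "team07 submits it two rounds late: $(check_flag team07 $((now + 2)) "$f")"
echo "team07 submits a re-addressed copy: $(check_flag team07 "$now" "$(echo "$f" | sed 's/team03/team09/')")"
echo "webshop SLA probe: $(sla_check team03 webshop true)"
```

Because the flag carries its own round, team and service, the verifier needs nothing but the secret and the clock; the per-round state the notes describe shrinks to the SLA results. The ordering of the checks matters: the MAC is validated before anything else, so a forged flag is "bad" rather than leaking whether its round or owner was plausible.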
Rule of thumb: CTFs sharpen specific muscles. They do not substitute for real engagements. A senior tester does both: regular CTF practice to keep technique sharp, and real client work to keep judgment calibrated to production environments.
Related notes in this domain
- Featured Comprehensive Pentest Reference
- Featured Pentest Methodology — Canonical Reference
- Featured Advanced Penetration Testing & Red Team
- Featured Recon & Discovery
- Featured Web Server — Attack & Defense
- Featured Active Directory Pentest
- Featured Internal Pivoting & Lateral Movement
- Reference Recon Tooling — Operator Reference
- Reference Operator Toolkits — Catalog & Reference
- Reference Automation vs. Manual Testing
- Background Social Engineering & Phishing