what’s a pen tester

“So what’s a pen tester?”

That’s a question I’ve got used to answering a lot over the last year, while writing Zero Days, and I’m guessing it’s a question that’s going to come up a fair bit more over the next few weeks and months as I do events and interviews about the book.

That’s because Jack, my main character in Zero Days, is a professional pen tester, and her job becomes a really central part of the plot, and key to the spur-of-the-moment decision she makes, a decision which sets the events of the book in motion.

I’d already written one book where the main character’s job was an important part of the narrative – Hal, the heroine of The Death of Mrs Westaway, is a tarot reader and the skills she’s honed while doing readings for her clients are part of the reason why she’s able to convince a family of strangers that she’s a long-lost relative. I loved researching tarot readings and figuring out how her experiences would inform Hal’s character – and when I stumbled over a very different but equally fascinating job – pen testing – I knew it would make a truly intriguing background to a novel. I just had to figure out which one.

But back to the original question, what is pen testing? Well, first up, it’s got nothing to do with pens. It’s actually short for “penetration testing”, which is equally unhelpful in terms of explaining what a penetration tester actually does.

In short, a penetration tester is a paid attacker – someone companies hire to test their security in an adversarial way. That could be their physical security – attempting to break into their buildings or gain access to unauthorised areas. It could be their digital security – trying to access secure databases or hack websites. Often, it’s a combination of both, although pen testers frequently specialise in one or the other. But it’s a mistake to think that pen testers are only dealing with buildings and software – often the chink in the armour of a secure database is the same as the chink in the armour of a secure building: the people who are supposed to help keep it secure.

Because although breaking into a building might be as simple as breaking a window, you can bar a window – what you can’t do is bar the doors to the people who work there. They need access to do their job – so if you can persuade someone that you’re supposed to be there, or convince a genuine employee to open a door, it can be much easier to walk right in. Likewise, hacking a secure database might involve finding a flaw in the software, but it might equally involve tricking an authorised employee into giving up their password or credentials.

I first stumbled across the idea of pen testers when I was researching One by One, a book that’s centred on a tech company developing a social media app. I didn’t need a pen tester for that book, but the more I found out about their jobs, the more I knew one would make a great main character for a thriller. Pen testers, after all, are real-life bad-asses, doing borderline illegal stuff for the best possible reason: to help keep the rest of us safe. But they’re also – and this was really important to me – real people, with real limitations. They’re not James Bond or Jason Bourne. They don’t zipwire down lift shafts, or have superhuman endurance, and they can’t actually do anything illegal or unethical, or act beyond the remit given to them by the companies they’re investigating. All this means they have to tread a pretty fine line between trying to act like a real hacker while not doing anything harmful or unethical, and it sometimes means they find themselves in temporary hot water – a situation Jack encounters at the beginning of the book, when she’s mistakenly arrested by the police while pen-testing a company out of hours.

Researching Zero Days gave me a huge respect for pen testers and hackers, and a healthy appreciation of the risks we all take every day when trusting companies with our data.