What I look for when hiring junior pentesters that the industry doesn't.

Posted by topform

The cybersecurity industry has converged on a hiring screen for junior pentesters that's loud, well-marketed, and only partially useful. OSCP. CTF wins. HackTheBox rank. Maybe a CEH for the procurement-driven shops. These are all fine signals for one thing — that the candidate has invested time and can do the technical work. They are weak signals, in my experience over a decade and a half of hiring, for whether the person will be a good consultant who clients want to keep paying for.

Here's what I actually look for now, in roughly the order I weight them. Almost none of this is on the standard rubric.

Stamina with frustration. Pentesting is hours of mostly-failing followed by a brief, punctuated success. The candidate I want has done something genuinely hard for a long time without a clear external reward — written a long technical blog series nobody read, completed a difficult build over months, debugged something nobody else cared about until it worked. CTF wins are okay for this but honestly they're too gamified — the dopamine arrives every few hours. I want to see proof the person can stay engaged when nothing is rewarding them for six weeks. That's pentest week three.

Written communication, judged on a real artefact. I ask candidates to send me a writeup of their best technical finding from the last year. Not a CV bullet. The actual writeup. I read it carefully. Is the argument structured? Do they explain why the vulnerability matters before they explain how it works? Is the remediation specific enough that the developer reading it could actually act on it without coming back to ask three questions? Most candidates fail this. The ones who pass are people who, ten engagements in, are going to be writing client-ready findings without me having to rewrite them. That's the unit economics of consulting. I cannot stress how much it matters.

Curiosity about the business, not just the bug. During interviews I describe a fictional client — a regional bank, say — and ask the candidate what they'd want to know about that bank before starting an engagement. The bad answer is "the scope, the assets, the rules of engagement." Those are table stakes. The good answer starts with questions like "what's their busiest week of the year — I don't want to test then," or "who's the actual decision-maker — the CISO or someone else?" or "what are their last three audit findings, are we expected to find those again or is the brief broader?" That's a candidate who's thinking about being useful to the client, not just being clever in front of them.

Ethical clarity under pressure. Every interview I run includes one scenario question. "You're three days into an engagement. You find a vulnerability that's clearly out of scope, but it's serious — say, exposed customer PII. The client said they don't want findings outside the agreed scope. What do you do?" There's no right answer in the abstract; what I'm listening for is whether the candidate has actually thought about it, or is improvising. The good ones articulate trade-offs, mention they'd raise it with the engagement lead, talk about disclosure obligations, and don't pretend it's simple. The bad ones either say "well, I'd just report it everywhere" (career-ending if they actually did it) or "I'd ignore it because the client said so" (also career-ending, just slower). Junior testers will face this kind of moment. I'd rather know now whether they have the muscle for it.

Willingness to be wrong in front of someone. I do a live technical exercise where I deliberately let the candidate go down a wrong path, watch them, and then ask "what made you think that was the right approach?" The candidates who can say "I assumed X, looks like X is wrong, here's what I'd try instead" are gold. The candidates who reflexively defend the wrong path are not, no matter how many CTF flags they've captured. Pentesting is, in practice, a lot of being wrong fast and updating. People who can't do that in a 45-minute interview can't do it in a 4-week engagement either.

A hint of being a real person. This is the most subjective one and the one I've come to value most. I want to see that the candidate has interests, opinions, friction with the world, that aren't all about computers. People who only do security all day, in my experience, plateau early as consultants because they cannot connect with clients who don't share that obsession. The seniors who do best at our firm are people who can talk about something other than the engagement for fifteen minutes at a client dinner. I'm now actively screening for this. It's hard to put on a rubric, but it's not subtle once you're looking.

What I've stopped weighting heavily. Certifications, in 2026, are a noisy signal. OSCP is fine; CEH is borderline negative because it correlates with people who've optimised for certificates over substance. CTF rank is fine for entry-level, but I've watched too many top-100 CTF players turn out to be middling consultants because the skills don't transfer. University name doesn't matter. Tier-1 college candidates and self-taught candidates, in our intake data, end up at roughly the same place after two years.

If you're a junior reading this and worried that none of the above is on your CV — write the technical blog series. Send your best finding to people whose work you respect and ask for feedback. Get past the pure-technical phase of your career and start practising the consulting half early. That's the gap nobody is teaching, and it's the one I'm hiring for.

Zuhair runs Wattlecorp Cybersecurity Labs. We hire two or three junior pentesters a year. The bar is honest work and honest writing.
