Penetration Tester Skills Assessment & Rubric

What this assesses (and what it intentionally avoids)

This assessment measures penetration tester skills as they show up in real engagements: decision-making, methodology, technical depth, and professional communication. It is designed to be job-relevant, time-boxable, and structured.

Intentionally avoided:

• “How to hack X” instructions, operational exploit steps, or production-impact techniques.
• Any guidance that enables wrongdoing.

The competency model: role-based skill matrix

Use this matrix as a taxonomy (what to assess) and a rubric anchor (what “proficient” looks like). It separates core skills from specialty depth and makes senior expectations explicit.

Proficiency levels (observable behaviors)

Level 1 — Foundation (Entry / Intern scope):‍

Explains concepts accurately; can follow safe procedures in a lab.

Produces basic notes and can reproduce steps with guidance.

Recognizes common vulnerability classes and can validate low-risk findings.

Level 2 — Practitioner (Junior Pen Tester scope):

Independently executes a scoped workflow in a lab.

Prioritizes enumeration based on evidence and constraints.

Writes clear technical findings with reproducible evidence and practical remediation.

Level 3 — Consultant (Mid-level scope):‍

Adapts methodology to novel environments; balances depth with timeboxing.

Produces client-ready deliverables: executive summary, risk narrative, and retest results.

Coaches stakeholders on remediation feasibility and verification.

Level 4 — Lead / Red Team (Senior scope):‍

Designs engagements, leads scoping/ROE, and manages risk to production.

Conducts attack-path analysis and designs objective-driven testing.

Improves team practices: playbooks, reporting standards, and ethical governance.

Skill domains with “proof artifacts”

Below are evidence artifacts (what a strong candidate can show or produce) without requiring unsafe activity.

‍

Assessment methodology (how to use this page)

This package supports two use cases:

A) Self-assessment (individual)

• Answer the scenarios below.
• Score yourself using the rubric.
• Identify your weakest domains and follow the roadmap by tier.

B) Hiring assessment (team)

• Use the same scenarios as a structured evaluation.
• Collect independent scores from interviewers and average them.
• Require a lab-only environment and focus on reasoning + reporting quality.

Design principles (why this is useful):

• Job-relevant coverage:

• Structured scoring: anchored behaviors support more consistent reviewer calibration.
• Work-sample realism: candidates produce artifacts you’d expect on the job.

Important: Use assessment results as one input for structured interviews and calibration. Do not use this content as the sole basis for employment decisions; humans make the final call.

Sample assessment: 10 scenario questions (challenging, job-realistic)

Use these as a 45–75 minute assessment. For hiring, pick 6–8 to fit a 60-minute screen.

1) Scope & ROE clarification (professional judgment)

Context: You are contracted to test “the customer portal” for AcmeCo. The statement of work says “external web application penetration test,” but the portal uses SSO and third-party payment processing.

Prompt: List the top 8 clarifying questions you would ask before testing begins. Include at least: authentication/SSO, third parties, rate limits, data handling, and safety constraints.

2) Recon to enumeration decision (methodology)

Context: You have a single public IP, one domain, and a 5-day test window. You can run safe scanning.

Prompt: Outline your first 90 minutes of activity: what you collect, what you defer, and what “stop conditions” look like (e.g., signs of production fragility).

3) Nmap output interpretation (internal/network literacy)

Context:You receive the following abbreviated scan summary from a lab segment:

• 10.0.2.10: 22/ssh, 80/http, 443/https
• 10.0.2.15: 445/smb, 3389/rdp
• 10.0.2.20: 53/dns, 88/kerberos, 389/ldap
• 10.0.2.25: 1433/mssql

Prompt: Prioritize what you would validate next and why. What are the top 5 risks suggested by this layout, assuming weak hardening?

4) Web access control scenario (OWASP thinking)

Context: In the portal, a user can view invoices at /invoice?id=18421. You notice invoice IDs are sequential.

Prompt: Describe a safe validation approach for an IDOR/access control issue, including what evidence you would capture and how you would avoid unauthorized data exposure.

5) Authentication/session handling (risk articulation)

Context: You observe session tokens are long random strings, but the app does not invalidate sessions on logout and allows sessions to persist for 30 days.

Prompt: How would you explain this risk to (a) a product manager and (b) an engineer? Provide remediation guidance and retest criteria.

6) Vulnerability scanner results triage (signal vs noise)

Context: A scanner flags 40 findings including missing headers, old jQuery, and “potential SQL injection” on three parameters.

Prompt: Describe your triage method. Which items do you validate manually first, and what evidence qualifies as “confirmed” vs “informational”?

7) AD attack-path reasoning (no exploit steps)

Context: In a lab, you are given read-only directory data showing:

• A service account is a local admin on multiple servers.
• Several users have passwords that never expire.
• A helpdesk group can reset passwords for a privileged group.

Prompt: Explain the most likely attack paths and which single control improvement would reduce risk fastest. Justify your choice.

8) Cloud misconfiguration scenario (shared responsibility)

Context: A storage bucket is publicly readable and contains application logs with email addresses and password reset tokens.

Prompt: Write a short finding summary (6–10 sentences) including impact, exposure, evidence expectations, remediation, and logging/IR considerations.

9) Reporting quality test (executive summary)

Context: You found three issues: (1) IDOR exposing invoices, (2) weak session invalidation, (3) verbose error messages.

Prompt: Draft a 5–7 sentence executive summary that a CIO would understand, including prioritization and a recommendation.

10) Ethics & safety checkpoint (professionalism)

Context: Mid-test, you discover a path that appears to allow downloading a full customer export, but you are not sure if downloading it violates ROE.

Prompt: What do you do next? Provide the steps you’d take to confirm risk while minimizing harm and staying authorized.

Scoring system (transparent, role-mapped)

This rubric is built for structured calibration. Score each scenario 0–4 and sum for a total out of 40.

Per-question scoring anchors (0–4)

• 0 — Unsafe/incorrect: proposes unauthorized actions, misunderstands core concepts, or gives tool-only answers with no reasoning.
• 1 — Partial: recognizes the topic but misses key constraints, lacks evidence standards, or provides vague remediation.
• 2 — Competent: sound approach, basic prioritization, reasonable evidence and remediation; some gaps in clarity or risk framing.
• 3 — Strong: structured methodology, correct prioritization, clear evidence plan, balanced risk framing, and role-appropriate communication.
• 4 — Excellent: anticipates edge cases, articulates tradeoffs, embeds ROE/legal safety, and writes client-ready language.

Domain weighting (optional, for hiring)

If you want closer job alignment, apply weights:

• Fundamentals + Methodology: 30%
• Web or Internal/AD (choose based on role): 30%
• Reporting/communication: 25%
• Ethics/legal safety: 15%

This helps teams balance technical depth with communication and safety signals.

Score bands (out of 40)

Use these bands as discussion prompts and development planning guidance, not as automatic hiring outcomes:

• 0–14 — Foundation focus: prioritize fundamentals + methodology.
• 15–24 — Entry scope: can contribute with guidance; tighten reporting and prioritization.
• 25–32 — Practitioner scope: can run discrete workstreams with limited oversight; deepen specialization.
• 33–37 — Consultant scope: strong end-to-end execution and client-facing reporting.
• 38–40 — Advanced indicator: follow up with deeper work samples (scoping, full report review, stakeholder simulation).

Minimum bars (recommended):- Any role: Ethics/ROE questions must average ≥ 2/4.- Client-facing consultant: Reporting questions must average ≥ 3/4.

Interpretation: what your score suggests about strengths and gaps

If you scored 0–14 (Foundation focus)

What it often suggests: you may know tools, but need more consistent reasoning about protocols, evidence, and safe validation.

Focus next:- TCP/IP + DNS + HTTP fundamentals (be able to explain, not just run commands)- Linux navigation and scripting basics- “Methodology muscle memory”: scoping, enumeration, validation, documentation

Career guidance: Consider roles that build operational context (internships, IT support, junior security analyst) while building lab-based evidence.

If you scored 15–24 (Entry scope)

What it often suggests: you can follow a workflow and identify common issues, but consistency and reporting maturity are uneven.

Focus next:- Evidence quality: reproducible steps, screenshots/requests, exact affected scope- Risk articulation: separate technical severity from business impact- Timeboxing and prioritization: show why you chose next steps

If you scored 25–32 (Practitioner scope)

What it often suggests: you can execute meaningful testing without constant direction.

Focus next:

• Specialize: Web, Internal/AD, or Cloud.
• Retesting discipline: define “fixed means verified” criteria.
• Stakeholder communication: deliver clear narratives under time pressure.

If you scored 33–37 (Consultant scope)

What it often suggests: you can produce deliverables that engineers can fix and leaders can act on.

Focus next:- Engagement leadership: scoping calls, ROE negotiation, expectation management- Repeatable quality: templates, checklists, consistent severity rationale- Broader coverage: AD + cloud + modern auth flows

If you scored 38–40 (Advanced indicator)

What it often suggests: you demonstrate strong judgment, safety, and communication maturity.

Follow up with:

• A full work sample: executive summary + findings from a provided case pack.
• A stakeholder simulation: explain tradeoffs to engineering and leadership.

Professional development roadmap (30/60/90 days by tier)

Choose the plan that matches your score band.

Plan A: 0–14 (Foundation reset)

Next 30 days:

• Master: subnetting basics, DNS flow, HTTP request/response anatomy, cookies/sessions.
• Daily Linux reps: files, permissions, processes, networking commands.
• Write one script: parse logs or scan output into a table.

Next 60 days:

• Build a mini methodology: recon → enumerate → validate → document (on intentionally vulnerable labs).
• Practice evidence capture: screenshots, request/response, exact reproduction notes.

Next 90 days:

• Produce 2 sanitized findings using a consistent template.
• Get peer feedback on clarity and severity rationale.

Plan B: 15–24 (Junior development)

Next 30 days:

• Reporting upgrade: rewrite two findings until they’re readable by engineers.
• Learn risk language: impact, likelihood, exposure, compensating controls.

Next 60 days:

• Pick a track (Web or Internal/AD) and deepen core patterns.
• Practice “triage discipline”: scanner output → validation plan → confirmed vs informational.

Next 90 days:- Build a portfolio: 1 executive summary + 4 findings (sanitized) + a retest note.

Plan C: 25–32 (Practitioner development)

Next 30 days:

• Timeboxed case practice: 90-minute scenarios where you must prioritize and justify.
• Communication reps: explain one issue in 60 seconds (exec) and 3 minutes (engineer).

Next 60 days:- Specialization depth:  - Web: access control + auth/session + API testing patterns  - Internal/AD: identity misconfig reasoning, segmentation and credential hygiene narratives  - Cloud: IAM misconfig patterns and detection-aware write-ups

Next 90 days:- Simulate a full engagement deliverable: scope assumptions → findings → executive summary → retest plan.

Plan D: 33+ (Consultant/lead development)

Next 30 days:- Standardize quality: templates/checklists for findings, severity rationale, evidence, remediation, retest.

Next 60 days:- Lead-level skills: scoping call script, ROE negotiation checklist, deconfliction playbook.

Next 90 days:- Mentorship and calibration: run a mock assessment with juniors; align scoring across reviewers.

Benchmarks, standards, and terminology (for credibility and alignment)

Hiring managers routinely look for signals that your penetration tester skills align to recognized standards—without requiring you to name-drop them.

Methodology alignment (how you work):

• PTES-style phases:

Risk and vulnerability language:

• CVE/CVSS

Selection best practices (for hiring teams):- Structured rubrics and work samples can improve consistency versus unstructured interviews.- Keep assessments time-bounded and transparent.

Curated resources (skills improvement by domain)

These are intentionally “means to mastery,” not a shopping list.

Fundamentals

• Books:
• TCP/IP Illustrated (Vol. 1) for protocol truth
• The Linux Command Line (Shotts) for CLI fluency
• Practice: build a home lab; document network flows and HTTP sessions.

Web application security

• Tools to learn deeply: Burp Suite (repeater, intruder basics, proxy history discipline)
• Body of knowledge: OWASP Top 10 + WSTG categories (auth, access control, injection, SSRF, API)

Internal/AD

• Concepts: identity, groups, delegation, Kerberos basics, attack-path thinking
• Tools (conceptual competence): BloodHound-style graph reasoning, packet analysis with Wireshark

Cloud baseline

• Concepts: IAM, least privilege, key management basics, logging and incident response considerations

Reporting and communication

• Build a personal template:
• Title, summary, affected assets, severity rationale, evidence, reproduction outline, remediation, references, retest criteria.
• Practice writing two versions of every finding: executive and engineering.

Optional add-on: minimum viable checklists (quick screens)

Minimum viable junior penetration tester skills

• Explains HTTP, cookies, DNS, and basic authentication flows
• Runs safe enumeration and interprets results logically
• Writes one clear finding with evidence + remediation + retest criteria
• Understands authorization and stops when ROE is unclear

Minimum viable consultant skills

• Produces a client-ready executive summary
• Prioritizes findings by impact/exposure
• Provides feasible remediation guidance and verification steps
• Communicates tradeoffs and timeboxes effectively

How to use this as a 60-minute hiring screen (lab-safe)

1) 10 min: ROE/scoping questions (Scenario #1 + #10)2) 20 min: enumeration and prioritization (Scenario #2 + #3 + #6)3) 20 min: web or AD depth (choose #4/#5/#7/#8)4) 10 min: executive summary writing (#9)

Decision guidance: Use the outputs to structure follow-up questions on judgment, safety, and reporting clarity. Combine results with additional signals (portfolio/work sample, references, and role-specific interviews) and apply the same criteria consistently across candidates.

If you want to operationalize this internally, convert the scenarios into a shared scorecard, require two independent raters, and review a short writing sample. Used together, those artifacts can support more consistent evaluation and clearer interview conversations.