technical rating of penetration testing team

Posted by deaguero at 2020-02-27

Disclaimer: This article was first published by tide security team in freebuf, Please indicate the source for reprint.


At the beginning of the establishment of a penetration test team, there may be fewer personnel, or even one person may be a team. At this time, it's only necessary to be busy with projects, emergency response, and plan writing. No one can assess the performance alone. The salary of the leader is generally determined according to the height of your hairline.

But with more and more people, everyone is good at different directions and fields, so it is difficult to set a salary for everyone at this time. Some people also say that as long as the technology is good, the salary of the technical post will certainly be high, and the technical ability of the technical post will be assessed well, but the salary is not only a technical dimension, but also involves enthusiasm, fullness, contribution, etc., and the estimation of the evaluation of the technical ability is not considered carefully. For example, you can say that in a penetration test project, the holes dug by a are more prominent But it's a bit far fetched for you to judge a's ability better than others.

Based on these considerations, our team has developed a set of technical rating system for penetration testing team for your reference.

Because we are all from the technical background, without any salary and human related experience, and the rating system is only from the technical point of view, so there must be some unreasonable places. Don't laugh at them~~

Rating principle

The principles of our rating system are as follows:

01 principle of transparency

This is the design core of the whole technology rating system. As a small-scale start-up penetration testing team (more than 10 people, and the level is relatively water, so this mechanism may not be applicable to large-scale teams or laboratories), we need a transparent and automatic mechanism to ensure that the sensitive issue of technology rating (directly linked to salary) is as fair as possible.

02. Guiding technology as king

After all, it's still a start-up team, and everyone is in the primary stage of growth, so a good technology atmosphere can also guide you to study deeper and go further, try to avoid some people settle down to do projects after working for several years, the technology is more general and the growth is slower, but when the salary is adjusted, some capable new people will be suppressed by seniority. And a good rating standard can better guide everyone to a higher level of technology.

03 try to ensure that all items can be quantified

We have discussed whether the clause can be quantified in the design of each assessment index to ensure that the content is not very vague or broad, and try to make everyone match the assessment item according to their own work when applying for the level.

04 combination of multiple assessment

We will not only use this set of technical rating to finally rank team members, but also combine individual performance appraisal (mainly involving project quantity, project quality, report quality, work fullness, work enthusiasm, etc.) to determine whether the member can be promoted. Performance assessment is the assessment content of monthly performance pay, and it will also have a certain impact on members' monthly income, but it is not the focus of our discussion today.

Scope of application

01 small start-up team

The team is in a period of rapid growth, the ability and level of its members change greatly, and it is common for new employees to catch up with and surpass old employees. At this time, a set of better technical rating standards is needed to measure and assess the corresponding technical improvement.

02. The rating system can be recognized by all levels

Each level has 10 different evaluation rules. These 10 rules must be one-sided to measure a person's overall level, so we try to select some representative and universal technical points, which are recognized by both leaders and employees: as long as the individual's ability can reach this level, it means that they can be rated accordingly.

03 can be used for recruitment

The 10 requirements for each level have been carefully selected and recognized by everyone, so these information can also be used to design recruitment information or to interview interviewers of different technical levels.

Rating method

At present, we require members to meet 7 or more of the 10 assessment rules under each level when applying for the corresponding technical level.

In addition, it is also allowed to apply the provisions about level. For example, when a member is preparing to apply for level T3 at T2, he may not have some T3 requirements, but he has some T4 requirements, so he can also use one or more T4 requirements to make up for the deficiency of T3 application.

Grading rules

We have differentiated the penetration test technical capability into seven levels. Because our team name is tide, we use t to identify each level. In addition, some of our "capability descriptions" refer to Alibaba P-Level descriptions~~

T1 (Assistant Engineer)

Original intention of level design: new intern, web security beginner

Age requirement: 0-1 year

Salary level: 6k-8k





Capability description:

1) Relevant professional education background or working experience;

2) The knowledge of the company's standard requirements, policies, processes, etc. is in the stage of learning and growth;

3) Can assist to complete penetration test project.

Capability requirements:

1. Be familiar with web security, mobile security and other network security related knowledge, and understand network security laws and regulations and industry standards;

2. Familiar with mainstream security products and tools at home and abroad, such as Nessus, nmap, awvs, burp, appscan, etc;

3. Be able to complete the formulation of penetration test plan and document preparation;

4. Be able to test item by item according to test cases;

5. Have strong learning ability and research spirit;

6. Familiar with common security vulnerabilities and hidden dangers of various operating systems and databases, and familiar with OWASP TOP10;

7. Be familiar with all kinds of network security equipment and systems, such as firewall, VPN, IPS, WAF, firewall, webpage tamper proof system, etc;

8. Have a certain programming foundation, understand or be familiar with C / C + + / Perl / Python / PHP / go / Java and other development languages;

9. Good communication and language skills;

10. Own your own blog, GitHub, security circle, etc;

T2 (Junior Engineer)

Original intention of level design: able to complete the project independently, with certain vulnerability excavation ability and emergency response ability

Age requirement: 0-1 year

Salary level: 8k-10k





Capability description:

1) Relevant professional education background or working experience;

2) In the professional field, I have a good understanding of the tasks and outputs of my post, and can independently complete the routine penetration test projects, and can cooperate to complete complex tasks;

3) It has a certain ability of loophole excavation and emergency response.

Capability requirements:

1. Be familiar with the mainstream web security technology, master the principle and preventive measures of web security regular vulnerabilities, including SQL injection, XSS, xxE, rce and other security risks;

2. Be able to conduct in-depth test on test cases one by one, understand and test all loopholes in the test memo;

3. Be familiar with at least one programming language, such as C / C + + / Perl / Python / PHP / go / Java, etc., and be able to write or rewrite POC for script and vulnerability verification;

4. Be familiar with Linux and UNIX mainstream operating systems and databases (SQL, mysql, Oracle, etc.) and have penetration testing ability;

5. Be able to build the target skillfully and repeat the loopholes, and have more than 3 articles to summarize and output;

6. Submit vulnerabilities on major security vulnerability platforms and enterprise SRC platforms;

7. Experience in dealing with security emergencies such as Trojans, viruses, intrusions and network attacks;

8. Analyze the principle and utilization skills of high-risk vulnerabilities, and write relevant technical summary documents;

9. Have the implementation and delivery capabilities of Web / app (Android) penetration test, data privacy test, security assessment, security reinforcement, emergency response, security escort, etc;

10. Have some research experience on the web topics in CTF competitions, and understanding encryption and decryption is preferred.

T3 (intermediate Engineer)

Original intention of level design: good at security field

Age requirement: 1 year or more

Salary level: 10k-14k





Capability description:

1) In the professional field, basic knowledge of the standard requirements, policies, processes and other necessary knowledge of the company's position, good understanding of the task and output of the position, able to independently complete complex tasks, and able to find and solve problems;

2) In small and medium-sized projects can act as a project manager;

3) Have a certain understanding of reverse, have their own good security field.

Capability requirements:

1. Proficient in one of Perl / Python / PHP / go / Java, able to quickly and independently complete POC development, such as crawler and cracking class scripts;

2. Have a certain understanding of the bypass of various protective measures such as WAF;

3. Publish more than 5 articles of concern on well-known security media;

4. Have a certain ability of source audit (PHP / ASP / JSP / Python), have found common vulnerabilities or published articles;

5. Be familiar with assembly and SmalI code, have certain reverse ability, and be able to analyze viruses, Trojans, apps, etc;

6. Have certain ability of internal network penetration and domain penetration, and have successful cases;

7. Be familiar with windows and Linux platform penetration test, backdoor analysis and reinforcement; be familiar with various attack technologies, and be able to conduct intrusion analysis and forensics for various attack types;

8. Have CTF competition experience, network attack and defense competition experience, be familiar with CTF skills and get a certain score;

9. Have independently mined common vulnerabilities, with cnvd original certificate or CVE certificate;

10. Have some research and achievements in industrial control, Internet of things, cloud security, artificial intelligence, big data security and other fields.

T4 (Senior Engineer)

Original intention of level design: focus on reverse technology and guide internal and external contributions

Age requirement: 2 years and above

Salary level: 14k-20k





Capability description:

1) In the professional field, have a certain forward-looking understanding, which has an impact on the company's technology or management in this regard;

2) They have their own opinions on solving complex problems, especially on problem identification and priority allocation, and are good at seeking resources to solve problems;

3) Some research has been done in the aspects of Intranet penetration, security development, reverse analysis, etc

Capability requirements:

1. Proficient in more than one scripting language, able to independently complete the development of small and medium-sized security platforms or customized development of docking business security needs;

2. Have a deep research on WAF bypass, be able to write WAF rules and bypass a variety of protective equipment;

3. One of the certificates of nsatp, CCNP, RHCE, CISSP, CISA, etc;

4. Have strong ability of internal network penetration and domain penetration, and have more than 3 successful cases of medium-sized internal network;

5. Be familiar with J2EE or PHP development architecture and mainstream web framework; have Java / PHP development experience or code security audit ability (white box test) and output results;

6. more than 5 articles and 1 articles are published in the column or official account every year.

7. Be familiar with X86 / x64 assembly language, C / C + + language, IDA, WinDbg, OllyDbg, immunology debugger and other analysis tools, static analysis, dynamic debugging and code tracking methods, and have strong reverse analysis ability;

8. Participate in domestic CTF competition of higher level, take more scores to assist the team to get better ranking, familiar with general encryption algorithm, reverse or PWN is preferred;

9. There are more than 3 high-risk vulnerabilities submitted independently, such as mending the day or SRC, etc., with SRC accumulating more than 10000 reward;

10. Have more than 3 original cnvd certificates or CVE certificates.

T5 (safety researcher)

Original intention of level design: specialize in a certain field, with in-depth research

Age requirement: 3 years and above

Salary level: 20k-35k





Capability description:

1) In a professional field, I have a better understanding of the relevant resources and levels of the company and the industry;

2) Start to participate in the formulation of relevant strategies of the Department and influence the judgment of the Department Management in a certain field;

3) Is a well-known person in the professional field.

Capability requirements:

1. Be familiar with reverse knowledge, have multi platform reverse experience (IOS / Android / windows), research on simulator detection and confrontation, and be able to conduct in-depth analysis on viruses and Trojans;

2. Familiar with browser, office, adobe, flash and other software internal working principles and the corresponding software vulnerability analysis and utilization technology;

3. Have deep research experience on PWN and reverse in CTF; be familiar with common encryption and decryption algorithms of symmetric and asymmetric cryptosystems; be familiar with traffic analysis, data steganography, forensics and other technologies;

4. Ranked in the top three of famous SRC, such as Ali, ant financial, Tencent, 360, Baidu, etc;

5. every year, more than 10 articles are published in columns or official account, and 3 papers and periodicals are accumulated.

6. Be able to master one or more of the following technologies: PHP / Python / shell / JavaScript / Ajax for system development, at least proficient in one database application, such as mysql, redis, mongodb, etc;

7. Research and track the cutting-edge attack and defense techniques in the industry, be able to independently handle common information security events and hot event tracking, and respond to the latest security vulnerabilities and security events;

8. Have in-depth research and output on Intranet penetration, apt attack and defense, black ash production analysis, etc., and have the ability of anti fraud / anti Crawler / business risk control / threat information analysis;

9. Have a deep research on the security technology of operating system (win / MAC / win), mobile terminal, industrial control, Internet of things and other aspects, and output the results;

10. Master the mainstream framework of a language, such as TP5 of PHP, flash and Django of Yii or python, and master the security vulnerabilities and utilization of the framework.

T6 (safety specialist)

Original intention of level design: technical experts to guide the technical trend within the team

Age requirement: 5 years and above

Salary level: 35k-60k






Capability description:

1) He is a senior expert in a certain field of the company;

2) Influence the planning and future trend of a professional direction of the company;

3) Impact on business decisions;

4) Mission driven.

Capability requirements:

1. Excavate the common vulnerabilities of browser, office, adobe reader, flash and other client software and network protocol; be familiar with the relevant security mechanisms of the operating system, and master the basic methods to bypass the vulnerability mitigation measures;

2. Having published e-books or physical books in a certain field with certain influence;

3. Familiar with common algorithms and data structures, proficient in one or more of C / C + + / Java / go / Python / shell / perl language, capable of vulnerability scanner, web crawler architecture design and product development; capable of independently completing automatic security scanning or defense framework;

4. Have published in-depth technical paper or independently explored the high-risk vulnerabilities of well-known open source applications / large manufacturers;

5. Familiar with the principles and behaviors of Trojans and rootkits, and do in-depth technical analysis and reverse;

6. Participated in the speeches of geekpwn, xcon and other large-scale safety meetings;

7. Be proficient in the basic principles and security deployment of information security products such as firewall, intrusion prevention, virus protection, vulnerability scanning, audit system, identity authentication, etc., and provide solutions according to customer needs;

8. Conduct incident investigation / trace the attacker's experience, IOC's large-scale processing experience, apt attack and defense capabilities, the ability to find threats from traffic, logs, events and other data, and threat intelligence analysis capabilities;

9. Be proficient in the principles, test methods and solutions of various common vulnerabilities, have the ability to analyze and research security vulnerabilities, and have rich experience in attack penetration, and fuzzy test ability;

10. Have the experience of winning large CTF competitions (Defcon, xctf, etc.) or top domestic competitions.

T7 (chief safety officer)

Original intention of level design: famous experts in the industry, basic omnipotent

Age requirement: 8 years and above

Salary level: 60k-1000000k






Capability description:

1) Well known in the industry, familiar with domestic / international related fields;

2) Make important contributions to the development of the company or have a considerable success record in the industry;

3) The research or work has a considerable impact on the company;

4) Mission driven; faith-based; loyalty to the organization and the cause.

Capability requirements:

1. Participate in the development of information security standards of national, local or industry related departments;

2. Leading the security construction of large and medium-sized networks and Internet applications;

3. Research and utilization of frontier security attack and defense technology, be familiar with the security attack and defense trends of the industry, and master the latest security attack and defense technology at home and abroad;

4. Have a deep research on big data, artificial intelligence, Internet of things, industrial control security, blockchain and other emerging technologies, and be familiar with the latest attack methods, penetration technologies and defense technologies in the industry;

5. Have rich experience in emergency response and incident investigation, and be able to use technology for incident investigation / retroactive attack;

6. Rich experience in the construction of security system, planning and design of security architecture, and implementation of development life cycle security specifications;

7. Familiar with the general information security risk management process and framework, have a deeper understanding of international and domestic information security standards such as ISO27001, level protection standards, etc., and have rich experience in standard integration, system implementation and promotion;

8. Have some attainments in code virtualization, anti debugging, anti hook, etc., and have strong abilities in reverse analysis, attack and defense, shelling, and anti confusion;

9. Have a deep understanding of the loopholes of various operating systems and application systems, and have experience in the implementation of security services such as security reinforcement, penetration testing, emergency response, etc;

10. Own its own R & D patents and intellectual property rights; have published books with high evaluation in relevant fields.

Two questions

Q1: is open salary standard not afraid of other companies to dig people

After all, for most start-ups, there are plenty of richer and more local companies in the market. For most small companies, there is no way to bring in talent by money alone. So we think that through a good team atmosphere, working environment, with a suitable and competitive salary level, is a better way to win talents. Besides, I didn't disclose my salary, which was purely made up...

Q2: determine whether a person is not suitable based on 10 requirements

Definitely not. As mentioned above, these 10 lines are only a horizontal standard line, a guiding direction, and represent the ability to reach the corresponding technical level, including but not limited to these items. Accordingly, we will not only know these lines when you reach the corresponding level. In addition, we also have performance appraisal, which will evaluate more dimensions than technology.

Electronic download

Technical Rating electronic version of tide security team: link: extraction code: eo4g

Tide security team was formally established in January 2019. It is a security team under the banner of new information, aiming at the research of Internet attack and defense technology. At present, it has gathered more than ten professional security attack and defense technology researchers, focusing on network attack and defense, web security, mobile terminals, security development, IOT / Internet of things / industrial control security and other directions.

For more Tide security teams, please pay attention to the official website of the team: or official account No.