Penetration testers work in "engagements" — contracts where a client pays you to try to break into their systems. Here's what a typical day looks like mid-engagement at a financial services company:
08:30 — SCOPE REVIEW
Review the rules of engagement document. This defines exactly what you're allowed to test — which IP ranges, which applications, and what's strictly off limits. Staying in scope is critical: going outside it without permission is illegal.
09:00 — RECONNAISSANCE
Use open-source intelligence (OSINT) tools to map the company's external attack surface. Find subdomains, exposed services, employee names, email formats, and any other publicly available information that a real attacker would use.
10:30 — VULNERABILITY SCANNING
Run automated scans using tools like Nmap and Nessus to identify open ports, services, and known vulnerabilities across the target systems. Build a picture of potential entry points.
12:00 — EXPLOITATION ATTEMPT
Attempt to exploit a misconfigured web application found this morning. Using Burp Suite to intercept and manipulate web traffic, you find an SQL injection vulnerability and document the proof of concept — how far in you can get and what data you can access.
14:00 — PRIVILEGE ESCALATION
Having gained a foothold on one system, attempt to escalate privileges to administrator or domain admin level. This demonstrates to the client how far a real attacker could go once inside.
16:00 — DOCUMENTATION
Write up every finding in detail — what the vulnerability is, how you found it, what the risk is, and how to fix it. Clear writing is as important as technical skill. Clients need to understand and act on your report.
17:30 — TEAM DEBRIEF
Quick call with the red team lead to share findings and coordinate the next day's approach. Large engagements are often team efforts with different testers covering different areas.
The reality: Some engagements are exciting — complex systems, clever vulnerabilities, satisfying moments when a technique works. Others are methodical and documentation-heavy. The report is often harder work than the actual hacking. Both matter equally to the client.
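The 08:30 scope review can be turned into a check that runs before any tool is pointed at a target. The following is an added example, not part of the original page: the `ROE` layout, the function names, and the addresses and domains (documentation ranges) are all constructed for illustration.

```python
import ipaddress

# Constructed rules-of-engagement data (documentation ranges, not a real client).
ROE = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.16/28"],
    "excluded_networks": ["203.0.113.128/29"],  # e.g. hosts the client marked off limits
    "in_scope_domains": ["app.example.com", "*.test.example.com"],
    "excluded_domains": ["pay.test.example.com"],
}

def _host_matches(host, pattern):
    """Exact match, or '*.' wildcard matching any subdomain of the suffix."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def check_target(target, roe=ROE):
    """Return (allowed, reason). Anything not explicitly in scope is denied."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        net = None  # not an IP or CIDR: treat as a hostname
    if net is not None:
        # Exclusions win: a range is rejected if any part of it touches one.
        for ex in map(ipaddress.ip_network, roe["excluded_networks"]):
            if net.version == ex.version and net.overlaps(ex):
                return False, f"overlaps excluded range {ex}"
        for ok in map(ipaddress.ip_network, roe["in_scope_networks"]):
            if net.version == ok.version and net.subnet_of(ok):
                return True, f"inside {ok}"
        return False, "not in any in-scope range"
    for pat in roe["excluded_domains"]:
        if _host_matches(target, pat):
            return False, f"excluded domain {pat}"
    for pat in roe["in_scope_domains"]:
        if _host_matches(target, pat):
            return True, f"matches {pat}"
    return False, "not in any in-scope domain"

def filter_targets(targets, roe=ROE):
    """Split a target list into allowed targets and rejected ones with reasons."""
    allowed, rejected = [], {}
    for t in (t.strip() for t in targets):
        ok, reason = check_target(t, roe)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = reason
    return allowed, rejected
```

Hostnames are matched by name only, so an in-scope name that resolves to an address outside the listed ranges still needs its resolved IP checked the same way.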