Ahead of the Breach - Kieran Smith, Lead Pentest Engineer, N-able
Join Keiran Smith, Lead Pentest Engineer at N-able, as he shares his journey from teenage hacker to security leader, discussing the intersection of development and security testing, and providing insights for aspiring pentesters.
Every week, Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.
We recently spoke with Keiran Smith, Lead Pentest Engineer, N-able. Here are the top takeaways from the interview.
#1: Accept Failure as Part of the Process
“I get the tools I need, but I don't have the unlimited budget to go and do things whenever I want. So I'm going to fail.
“As a developer or DevOps or architect, you have an end goal. I don't, so I might look like I'm doing nothing. And some people will go, ‘What was the point of you doing that? Because you didn't find anything.’ But if I didn't do it and some did get found, people would be like, ‘Why did you not find that?’
“So you have to be fine with failure. You have to be fine. There are people a lot smarter than you. I might be a lead pentester working for a pretty decent company, but I'm not Mr. Reboot, who's a well known hacker.”
Actionable Takeaway: Understanding that not every test will yield vulnerabilities helps maintain realistic expectations and professional perspective. Success in penetration testing isn't just about finding bugs — it's about thoroughly validating security controls within given constraints and timeframes.
#2: Enhance Security Testing with Development Experience
“So if I find a blind SQL injection, it's there because engineers don't actually know what a plain SQL injection is. They'll just think that's an error or it's not even an error, it's just a white page.
“But that's what's blind about it. But if you can show an engineer, like with a Python script or something, or even a unit test, that this is how this SQL Injection exists, you make them a better developer, you give them a confidence boost so they can find that in the future, and then they can start building a regression suite around your pentest maintenance.”
Actionable Takeaway: Building a strong development foundation helps security professionals better understand system architectures, write custom tools, and identify vulnerabilities more effectively.
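One way to show an engineer the finding described above, as an added example that is not from the interview or from N-able: a small SQLite-backed lookup written two ways (string concatenation beside a parameterised query) with a unit test that turns the pentest finding into a regression check. The table, the function names and the probe string are constructed for this example.

```python
import sqlite3
import unittest


def build_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users (username, active) VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("carol", 0)])
    return conn


def is_active_vulnerable(conn, username):
    """Vulnerable form: user input is pasted into the SQL text.
    The caller only sees True/False, which is what makes the injection 'blind'."""
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}' AND active = 1"
    return conn.execute(sql).fetchone()[0] > 0


def is_active_fixed(conn, username):
    """Fixed form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND active = 1"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


# A boolean probe: a name that matches nobody, followed by a clause that is always true.
# With string concatenation it flips the answer from False to True; with a bound
# parameter it is just an unusual username that matches no row.
BOOLEAN_PROBE = "nobody' OR '1'='1"


def regression_check(check):
    """Run one implementation against a known user, an unknown user and the probe."""
    conn = build_db()
    return {
        "known_user": check(conn, "alice"),
        "unknown_user": check(conn, "nobody"),
        "probe": check(conn, BOOLEAN_PROBE),
    }


class SqliRegression(unittest.TestCase):
    """The unit test a dev team can keep after the engagement."""

    def test_probe_does_not_change_the_answer(self):
        results = regression_check(is_active_fixed)
        self.assertEqual(results["probe"], results["unknown_user"])


if __name__ == "__main__":
    unittest.main()
```

Running the same regression_check against is_active_vulnerable makes the defect visible to the engineer: the probe returns True there and False for the fixed version.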
#3: Automate and Streamline Your Workflow
“When I'm pentesting, I'll take notes in Obsidian, mainly because it's free, you pay a $50 commercial license, and you can use it whenever you want. All my notes are Markdown based, I have a whole bunch of plugins. Best plugin I've got uploads any image I paste to an S3 bucket — and there's an encrypted S3 bucket, don't worry — which allows me to take those Markdown notes, run them through a Python script and generate a report.
“Our report template is written in LaTeX, I can use Pandoc to take that Markdown, run it through a LaTeX template and just spit out a report at the end, which allows me to have essentially a full CI/CD pipeline for reports. I commit my Markdown notes to GitHub. My Jenkins job can take it, run it, and inspire a report at the end.”
Actionable Takeaway: Create efficient workflows by automating repetitive tasks and documentation processes. Build systems that scale with your testing needs, from note-taking to report generation, allowing you to focus more time on actual security testing and less on administrative tasks.
Listen to full episodes out now
For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.
We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!