Tips for an Information Security Analyst/Pentester career - Episode 102 - No DA, No Party? No, No Problem!

Today I interacted with a post on LinkedIn that made me think of an important difference between AD pentesting in real world compared with practice environments.   

In practice environments, such as CTFs, GOAD, Vulnhub, Hack The Box. etc., once you gained DA (Domain Administrator) you're done, you own that network. 

Not so much in real world, where the goal is rather to gain access to sensitive and confidential information.

This goal doesn't necessarily imply you need to get DA. If you can along the way that's good but it's not the end goal, as standard credentials might be enough for that. DA without proof of impact is totally useless to the client.

This is a very important concept, but often overlooked.

As a result of that, beginner/junior pentesters might stick with the wrong idea DA is the ultimate goal and get hurt by that, both emotionally and in terms of the quality of their work, so I feel the need to talk about it.

However, at this point in my career I'm too busy and exhausted to write a long post and don't want to copy/paste it from AI, so it's much easier for me to turn my camera on and voice my thoughts.

Please check the embedded video for the whole conversation.