
Ha yes, the famous cyber security experts that don't know what an HTTP request is but will run a nessus scan, charge 10k and tell you you are secure...


Quite a lot of years ago, when I was much younger (and incredibly naive about "consultants") and doing onsite support, I was tasked with helping out some security consultants as they ran some sort of pentest, in case they needed some assistance with the client computer they were assigned.

We chatted, and despite their being clearly disinterested in their work and talking to me (instead going on and on about which bar they were heading to), I learned they were literally doing this. They were running nessus with a default ruleset and turning that in as the flaws. That was it.

I felt incredibly disappointed, sorta kinda angry, and learned a huge lesson that day.


There is a large market for useless security work from companies that need to demonstrate that some kind of security activity has taken place but don't particularly care about security as an "end".

In these situations everyone is just "going through the motions", the PM who hired them, the pentesters, the devs who dutifully put pointless findings in the backlog, compliance people tracking stuff in their register...

The only thing worse is not having a process at all.


I've worked in various consulting roles, and one thing that's always been true is the "rank and file" don't like you and think they know better, can do better, and already know or have thought of everything you do. They miss that you're hired by leadership, for other reasons (see my other post in the thread). I'd actually be worried (and it's happened) when the line employees like you as an external consultant and think you're adding value. It means you're engaging at the wrong level and probably not getting at the root of what you're there to address.


I got a call from one of them recently. It went like this.

Him: Hello Sean, have you got 5 mins? I’m from X and we are the world’s first company to offer penetration testing as a service…

Me: If I can just stop you there, penetration testing already is a service.

Him: … err … no well the thing is we offer the ability to…

Me: Instead of running the pen test for the company you have a web dashboard which allows the company to run it for itself?

Him: … err … yes.

Me: I can see how that’s convenient for you. Well if you were running it for me that would in fact be a service, yes?

Him: … err … <long pause> … yes

Me: So your “Penetration testing as a service” is in fact less of a service than all the other penetration testing companies are offering.

Him: … err … perhaps you’re not our target customer.

Me: No


Hey, whatever gets me insurance, IDGAF if it's true.


This has me laughing so hard. So true.
