If you’re studying cybersecurity and wondering what comes next, job titles alone won’t tell you much. Offensive consultant, security auditor, pentester. They sound technical but stay vague.
To dive deep into the reality of offensive consultancy, I interviewed Souad, an offensive cybersecurity consultant at Dataprotect, to understand what the work actually requires.
Background & career path
Cybersecurity jobs are flexible, from those who join with a uni degree, those who started hacking at 5, and career-shifters in their late 40s.
Our guest Souad got into offensive security during her final-year internship. A mobile penetration test was enough to introduce her to the practical side of security, vulnerabilities, real-world scenarios, and rewarding challenges.
Her cybersecurity consultancy career gave her the combination of compliance and technical exploitation, and drove her right to her speciality, PCI DSS, working mainly with banks.
PCI DSS stands for the Payment Card Industry Data Security Standard. The global information security standard designed to ensure that all companies dealing with credit card information maintain a secure environment.
Day-to-Day workflow
Offensive consultancy is the wrapper role that perfectly combines the strategic advisory elements and pure offensive skills.
Every new engagement is a new journey to experiment and grow. And surely, the first hours of an engagement are always crucial to ease the process and build a good foundation for the mission.
The very first step is to clearly understand and validate the scope of work.
For both penetration testing and audits, I make sure all assets, IPs, and applications are well defined to avoid any problems. Then, I review the available documentation, such as network diagrams and data flows.
A typical Monday starts with emails and catching up on updates from projects and clients.
My daily responsibilities vary depending on the mission, but they generally include conducting PCI DSS assessments or performing external or internal penetration tests.
Practically, a penetration test starts with reconnaissance and initial scanning to map the attack surface and identify potential entry points. In contrast, an audit begins with a kickoff meeting between the client and the audit team, followed by a structured review of policies, procedures, and supporting evidence.
Let’s break down the difference!
Penetration testing
Pentesting is about simulating cyberattacks to identify vulnerabilities before malicious actors do. The main goal is to implement offensive skills and assess the real security posture of an environment.
External tests focus on publicly exposed assets such as IPs and web applications, while internal tests simulate an attacker who already has access to the internal network. And each has similar procedures, with different flavors.
I asked Souad which type she finds more challenging, and her answer reflects the deep realities of each side.
She explains that both types are challenging, but for different reasons.
- External penetration testing: It requires a high level of concentration and analysis. The attack surface is exposed to the internet and often limited, so the process is deeper and more precise to identify exploitable vulnerabilities.
- Internal penetration testing: The challenge lies in the size of the scope. Larger environment, a lot to cover, and a deadline closing in. The game becomes about balancing full coverage of the infrastructure while still going deep where needed.
PCI DSS audits
On the other hand, PCI DSS audit is more about compliance and control validation. The objective is to assess whether the organization has implemented the required security controls and processes in line with the standard.
In other words, it is fundamentally an evidence-gathering and validation exercise. Desk work, reviewing documentation, conducting interviews for hours, and verifying evidence (access controls, multi-factor authentication, system logs, and even physical security).
Consultancy hat, how to deal with clients
Being a consultant is mastering not only the technical skills but also the art of communicating what you did. In cybersecurity, this includes a detailed report with the results, a clear presentation, a list of vulnerabilities impact and recommended remediation actions.
The communication skills are at the core of it, where you have to go out of your hacker hoodie and clearly explain to stakeholders and professionals your findings and next recommended steps.
It also includes continuous availability after the engagement and willingness to further clarify or guide the client during remediation. While implementing improvements remains the client’s responsibility, Souad describes that a re-test can be offered to verify whether the vulnerabilities have been properly addressed.
The challenges of a cybersecurity consultant
The process sounds exciting, but also loaded. To help break down the real challenges, I asked Souad specifically about what she finds challenging:
For me, I think that one of the biggest challenges is the depth of technical knowledge required. You need a strong understanding of networking, systems, and even development concepts.
She further mentioned the importance of communication and soft skills. It’s the core last layer that translates your technical skills into real, impactful interactions.
The job as a whole can be overwhelming at first, but it becomes manageable with time and practice. It requires a level of flexibility; different environments and clients, managing expectations, and sometimes working under tight deadlines.
In a Nutshell,
I expected the technical depth. I didn’t expect how much of Souad’s day is about translating findings to others.
And honestly, this part is what brings cybersecurity to life, outside the terminal, and far from your pentest friends who get you. Instead, a room of people from different backgrounds, and you defending the things you love, in simpler and clearer terms.
If you’re here to discover careers and get a cybersecurity job, you have your answer! Stay close to the blog for more discussions with experts.