Consulting Versus Internal - A Penetration Tester’s View

Welcome to 2025, which marks a little over five years of my professional career in cyber security. I was inspired one day during a shower thought to reflect on the last five years of experience, as I've moved jobs a bit in the early part of my career. Ever wonder which you would prefer for offensive cyber work: consulting or internal? I plan on discussing these two and my anecdotal experiences in both.

Disclaimer: I'll talk about the two from my own anecdotal experiences; this is particular to my roles and experiences and not fully representative of what is best for you or your group.

Consulting

I put consulting first as it's what I am more confident in, having spent ~4 years doing it. Doing offensive cyber work in the consulting world can range from kicked-back, feet-up vulnerability scans all the way to continuous, complex red team engagements. Consulting can be very dependent on the client and the type of work that was sold.

Doing penetration testing consulting, you will get to see so many different infrastructures and networks. Sure, you will see the common managed M365 on externals and LLMNR traffic on internals, but on each network I'm confident you will come across a new service or technology you haven't seen before. This keeps you on your toes, and there is often a cool perk that comes with it. This will always keep you wet behind the ears and give plenty of opportunity to share what you learn with other practitioners in the industry. A good example of this is a Cisco phone service I ran across that got me initial credentials during an internal - https://trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems

Another great perk of this is the offerings that your consultancy provides. For example, when I was working at Deloitte, we only offered X amount of work, and often it was more monotonous web work. When I moved to Optiv, the offerings really got fun to do. A client would want a wireless, external, and targeted internal where we could share the findings between all three to enhance the attack scenario. A good example is an on-site wireless and internal I did in the DMV area, which was almost a pseudo on-site insider threat. I was able to breach the internal network using a Wi-Fi vulnerability and escalate my basic user permissions into local host admin rights on most of their machines before being interrogated by the IT folks in the room next to me. Fun stuff, and this leads to a bigger point. Consulting is FUN and keeps you young; the domain admin rush on internal networks of F500 companies has and always will keep you addicted to this niche field.

Another impact point here is who the client is and what type of work was sold to them. In my experience, one of the biggest problems I saw was a lack of communication and expectation-setting between sales teams and the folks doing the work (like myself). A lot of the time there was an expectation gap between what the client thought they were getting vs. what we could actually do under the Statement of Work (SoW).

The last big con for me was reporting. Writing a report for clients was always a PITA, and I didn't have ChatGPT like the young bucks now working there. Writing summaries and root cause analysis graphs were some of the tasks I dreaded most. While not many people like doing it, it's one of the most important parts, and it's the skill set with more gaps than the technical chops. A great old director of mine, Ryan D, always said "Clients are giving us 5-30k for a few PDFs, make them good", which is very true. All of the fancy technical things we do have to be clear and transparent to the client.

Pros

  • Lots of clients and different networks
  • Opportunity for Travel
  • Types of Offerings
  • Opportunity to share work outside of company with the industry

Cons

  • Report Writing
  • Consulting life - Client is always right and changes their mind a lot
  • Utilization requirements and relying on sales/gigs

Internal

As I am writing this, I am 1 year and five months into my tenure at Amazon Web Services as an Offensive Security Engineer. I moved out of consulting for a few different reasons, but there are three things I love the most. The first is the room for impact. When I do engagements now, I can identify findings and recommendations that affect more than the service I am touching. It's really scalable: you find an issue with an AWS service and can root cause and address it in many more places, which is very rewarding.

I also love that there is less report writing. Don't get me wrong, Amazon is heavy on document-driven business, but I don't find myself writing executive summaries unless asked to for leadership emails. Writing is a key skill at Amazon; they pride themselves on it, and there are classes and quarterly meetings about it. I just have to do less BS writing.

Lastly, the room to grow my engineering skills. Penetration testing in the consulting life is a lot of keyboard jockey work: using tools and techniques from existing researchers and running them in client networks. Internally, I can identify a use for a tool or code that might help others, take the time to develop it, and share it with engineers on our sister teams. This is cool; I'm working on a super cool Burp Suite extension at the time of this writing but won't be able to share it. That's a con that comes with internal: sharing tools or TTPs from work isn't encouraged like it is at consulting firms.

A con would be the bureaucracy of working at a F100 company: role guidelines, slower management guck, politics, promotion timelines, etc. Amazon prides itself on being agile, but all of this still exists, like at every F100 company I assume.

Another con is not having the dopamine rush I had in consulting. I can count on two hands the number of remote code executions (RCE) I've gotten at AWS, as the security bar is normally much higher than a random company's external perimeter with 100s of hosts running multiple pieces of software. When I do find these they are much more rewarding, as they are far scarcer, but I really do miss the Domain Admin Rush on day 1 of a test.

Pros

  • Time for development/trainings
  • Impact/Scale

Cons

  • More bureaucracy
  • Less fun / dopamine work

Overview

You'll notice how I didn't mention job security in either one; that is because it's very dependent. For example, a consultant could be fired due to low utilization, but they don't have control over what the sales team is able to sell. For an internal employee like myself at AWS, the AMZN stock price could go down 20 percent and the executive team could decide to do layoffs. In the great words of Pat McAfee, situations are very situational; I won't give one a higher rating than the other.

I hope some of these insights guide you in the right direction, or at least share some of my experiences with you. Reach out to me if you ever need any advice on what is right for you; I love giving my solicited advice lol.