Recently, I have struggled a lot with my motivation to do pentests at work or any security-related activity outside of work. Even though I have been able to achieve good results in many of my pentests, I have not enjoyed it as much as before. Now, looking back, I think that was mainly because of two reasons. Firstly, I was putting too much pressure on myself. Secondly, my planning of work was missing some structure. I know most folks are struggling with the same, as that leads to stuff like impostor syndrome or burnout, which are common in the InfoSec industry.

In this post, I would like to share with you my method of helping myself with the second problem. Why the second, not the first? Many methods for letting go have been described in the past, so you would probably find some good resources, but the Internet is missing the answers to the second problem. So, this post aims to give a framework for planning your tasks in time as a pentester. This blog post won’t be about checklists or test cases, but rather about how to use various productivity methods like Pomodoro, To-do lists, Getting Things Done, and Eisenhower’s Matrix, without describing them. If you are not familiar with those methods, then I would recommend familiarizing yourself with them. However, those are only methods; one must also have a framework to apply them correctly. Now, I will give you my framework for managing tasks in time.

Everyone’s situation is different, so to set the stage I first need to describe how my normal working day is structured and what kind of assignments I get. This will help you understand how I plan my tasks in time to execute the pentests efficiently.

As with every corporate position, we all have meetings - those seem to break your productivity. Usually, I have around 1-4 meetings (30 minutes) a day, mostly in the afternoon hours. Then there is the type of work one is doing. In my case, this is security assessment work - code review/security testing, which can vary in size, but the general rule is 1-2 week assessments. In the ideal situation, you only have one assignment at a time, but there are other things involved, like retests or other operational responsibilities, which can break your flow.

So, as one can see, I have the luck that my responsibilities are mostly Important and Not Urgent (from Eisenhower’s Matrix). This is an advantage compared to, for example, Incident Response (I used to work there), where everything you do is always Urgent (Important or Not). That also brings different obstacles in managing the tasks on time. When working in Incident Response, the severity of the incident dictates what you do and when. When doing a pentest, you are the king of the castle when it comes to managing your tasks in time. That is why it is crucial to have a framework for doing so, using the methods I have mentioned before.

I try to use all of the mentioned methods to make this work for me. You should try all of them yourself and create whatever works for you. This is what my framework looks like:

  • Each morning I take a look at my calendar to see what timeslots I have between the meetings for productive work.

  • I write down those timeslots. At this time, I also plan the breaks, etc. So at the end of this stage, I should be left with only the timeslots for productive work.

  • Then, I have a general To-do list prepared with the things to do for the week. This To-do list is not static and can change at any time.

  • Now, I try to assign a task to each available timeslot, with the condition that the task should be completed within that timeslot.

If the task is too big to be completed within the timeslot, I try to break it down into smaller tasks that can be completed in this timeslot. Each timeslot should also have a buffer to extend the task without compromising the break, but not too big a one: 10-20 minutes (Parkinson’s Law).

Let’s check it on an example:

  • I start my work at 9 am, and I am supposed to finish at 5:30 pm.
  • I can see in my calendar that there are three 30-minute meetings: the first at 10:30 am, the second at 4 pm, and the third at 4:30 pm.
  • Now we plan to do at least two 15-minute breaks, at 12:30 pm and 2:30 pm.
  • That gives us the following timeslots for productive working - 09:00 - 10:30, 11:00 - 12:30, 01:00 - 02:30, 03:00 - 04:00, 05:00 - 05:30.
  • Now we take a look at our to-do list and see that there are the following items: 1. Do the pentest of a new application, 2. Retest findings a, b, c, 3. Prepare slides for the presentation.
  • Each of those To-do list items must be broken down into small tasks that can be completed in a timeslot. The biggest task is the pentest, as the other tasks can probably fit in the timeslots. For this example, let’s focus on breaking down this task.
    • Let’s say that you are starting your pentest. The first thing you would do is check that the correct access has been granted to the app, get the source code, configure Burp, and set up your screen with all the tooling. You can spare one timeslot for that.
    • The second thing can be to familiarize yourself generally with the app/API or whatever. You can spare the second big timeslot for that. You kind of have a feeling now where this is going.
    • Once you have everything planned, you try to follow your plan as best as you can. You will not succeed every time, but at least you are going in the correct direction…

A few pieces of advice from me: Do not spend too much time breaking down the tasks to the smallest possible size - that should be intuitive and done in seconds - it is better to assign two sessions to one task than to break it down, if that feels right to you. If you fail to complete any of your tasks, it can go to the next day or the next timeslot - you can always rearrange your plans quickly. I believe you can use the same framework for any activity that is Important and Not Urgent - like learning new stuff or some long-term projects. If you find this post useful, feel free to send me a message on LinkedIn or Twitter.