Hey gentlemanscratch and welcome to EZ first of all! (Nice nickname btw).
I sort of fit in your profile, with the exception of not working for a company which outsources penetration testing, but rather I work for a software development company and conduct penetration testing on internal products before they hit the market.
Now on to the questions (answers in italics):
1) How did you get your foot in the door? (Did you specifically look for a pen testing job, did someone come to you, etc?)
After doing a Bachelor of Engineering (I.T. specialization) and in parallel studying relevant sub-fields of the Security domain I set up my LinkedIn profile in such a way that it would come up as a hit for headhunters/recruiters looking to hire in the Sec industry (I wasn't fixed on pen-testing at the time and was interested in working in basically any field of Sec - RE, Malware Analysis, AV development, Pen Testing, Red Team, Blue Team, etc.). Apart from that I also looked at what skills are required at entry level for the jobs I was interested in, focused hard on broadening my knowledge in that particular field as fast as possible and applied to those particular companies as well.
In the end I got my previous job by applying (I didn't like it much) and got my current job (which I love) by getting recruited.
2) Were there any specific qualifications your employers looked for? (Degree in some area, published papers, code, etc?)
Degree in I.T. or related. Everything else was interview-based. No requirements for certifications, papers or code although they can be useful. But because I did not have any hard proof of my knowledge I had to undergo a more rigorous technical interview (like a multiple-choice exam combined with a couple of hypothetical case studies).
3) What's the pay like?
In my country it's great. Entry level pay is somewhere in the vicinity of 4-5 times the minimum wage. With experience and time it can go as high as 15-20 times the minimum wage.
4) Do you enjoy your job?
My current job, yes, yes I do. I actually love it and come to work happy and go home happy. Of course no job is without its idiots/fucktards/autistic fuckers, but knowledge and confidence pwn in the Sec industry. Prove you got dem skillz and people tend to listen.
5) What exactly is your position and what do your specific duties entail?
Penetration Tester. Part of Red Team. Duties entail conducting full penetration testing for any application that gets produced by my company, as well as various other Red Team tasks (custom protocol reverse engineering, exploit development, reverse engineering for the purpose of testing anti-cracking hardening, etc.). The applications range is quite broad and I've had projects which involved auditing web apps, PC client apps, PC server apps and mobile apps with everything that this entails (client-side, server-side, server posture, communications, etc.).
6) Do you work for a company or do you do freelance work?
I work for a company. Never did or tried freelancing.
I hope this answers some of your questions.