Over a year ago I had a job offer from Foundstone. At the time I declined. There were several reasons for that. One of the larger ones was that the position was in NYC. I think NY is a wonderful city, but I just didn’t feel up to the move. Further, I felt a bit of reservation about Foundstone’s approach. Essentially, most of their pen test type work is very fast and formalized. I was interested in pursuing other approaches. So, I spent a year at a company that offered me that opportunity. When I had pen test work it was great. I could execute the tests mostly like I wanted. I could meet the customer’s need and do research type work too. Unfortunately the PT work didn’t come often enough.
I had considered several very well known shops in the DC area. Many of them follow a mentality very similar to mine. The problem is that they separate development from services — a pen tester generally won’t write code or exploits. To me, I just can’t fathom this. I’ve worked in this type of environment and it just seems to me that the service people become too dependent on the developers and the tools… At the same time the developers get too far away from being hands-on with the network.
All things considered, I’ve accepted a job with Foundstone (in the DC area). I think their unique mix of business, research, teaching, and writing should offer me the chance to grow in the ways that I want.