Penetration Tester - The Security Factory
A guided progression through the major disciplines of offensive security.
The Security Factory is a Belgian penetration testing consultancy that performs professional security assessments for clients across a range of industries. The internship program is structured as a guided, phased progression, each discipline building on the skills developed in the previous one.
The program started on 23 February 2026 with onboarding and an initial exploratory session against a vulnerable web application, followed by a personal planning covering the first four weeks.
Each phase followed the same professional workflow: a preparatory research period, hands-on testing, professional-grade reporting, and, where applicable, a mock client review meeting to develop communication skills alongside technical ones.
Weeks 1 - 4 · PortSwigger training, full pentest, reporting & mock client review
The PortSwigger Web Security Academy was used as the primary training platform, structured around the OWASP Top 10. SQL injection labs were completed ahead of schedule on day two, enabling early progression into XXE, path traversal, access control, XSS, CSRF, CORS, clickjacking, and Host Header attacks.
This phase established confident, hands-on familiarity with Burp Suite, Repeater, Intruder, and Decoder, and laid the technical foundation applied throughout all subsequent phases.
A full grey-box penetration test was performed on the Broken Crystals application (tSF Marketplace), following the OWASP Web Security Testing Guide. A valid user account was provided; source code access was not granted.
Testing progressed iteratively across several days with daily syncs and mentor feedback. A total of 23 vulnerabilities were identified across six severity levels. Critical findings included:
All findings were documented in a professional Security Assessment Report using The Security Factory's internal reporting platform, covering CVSS v3.1 scoring, technical description, business impact, annotated evidence, and remediation guidance.
Multiple mentor review cycles were incorporated, including requests to expand evidence and corrections to miscategorised findings. The final report included an executive overview, overall security posture rating, and a prioritised remediation roadmap.
A mock client review meeting was held at the end of week four, with mentors acting as a client with limited technical knowledge. The presentation covered key findings, business impact, and remediation priorities.
Translating findings such as Server-Side Template Injection and privilege escalation into business-relevant language for a non-technical audience was a distinct and valuable challenge, one that proved just as demanding as the technical testing itself.
Weeks 3 - 7 · GOAD lab deployment, Active Directory pentest & review meeting
The Game of Active Directory (GOAD) lab was deployed on a server at The Security Factory. A Debian VM was provisioned on VMware ESXi with hardware virtualisation passthrough for nested virtualisation.
Ludus was selected as the orchestration platform for its Ansible-based, fully automated, repeatable deployment - ensuring future interns can rebuild the environment from scratch. After resolving a configuration loop requiring a full reinstallation and timing issues during Windows VM provisioning, all five VMs were successfully deployed and the full GOAD domain became operational. Exegol was used as the attack platform, connected via WireGuard VPN.
Testing progressed through unauthenticated enumeration, credential acquisition, and escalation to full domain compromise. Key techniques applied:
Tools: Netexec, BloodHound/SharpHound, Impacket, Mimikatz, Exegol
The mock review meeting at the end of week seven required communicating Active Directory attack chains to a non-technical audience, a greater challenge than the web application review. The presentation focused on the consequence chain: from a single compromised low-privilege user account, full domain administrator takeover was achievable through a series of logical steps. Mentors assessed the technical content as well understood and the business implications as clearly communicated.
Weeks 6 - 8 · Static & dynamic analysis on InsecureBankv2 following OWASP MASTG
The InsecureBankv2 APK was decompiled using apktool and jadx. The AndroidManifest was reviewed for exported activities, overly permissive intent filters, and declared permissions. Source code inspection identified hardcoded credentials and a developer backdoor account allowing authentication without a password.
Sensitive data storage issues were found: data stored in external storage as a cleartext HTML file, in cleartext shared preferences, and in an unencrypted SQLite database. A MobSF automated scan cross-checked coverage and surfaced the StrandHogg 2.0 vulnerability, which was then demonstrated with a custom-written malicious application on a lower-API emulator.
Dynamic testing confirmed cleartext credential transmission over HTTP, absence of SSL pinning, and no Network Security Configuration. An IDOR vulnerability in the login flow and a broken access control finding were identified via source code review.
A particularly notable finding: an exported activity could be invoked directly via ADB intent call, bypassing the login screen entirely and granting unauthenticated access to all application functionality. Root detection was bypassed at runtime using Frida after re-enabling it via apktool repackaging. Stored XSS was found in the bank statements feature, which renders HTML files to external storage.
Tools: MobSF, apktool, jadx, Frida, Burp Suite, ADB
Weeks 9 onwards · Real-world assessments alongside professional consultants
Client testing began with shadow engagements, where findings were submitted independently while a senior consultant remained responsible for the overall deliverable, and progressed to independent contributions across a range of assessment types:
Findings across these engagements ranged from information disclosure and input validation issues to session management failures and an incorrectly handled API edge case that returned more data than intended.
Working on live client engagements introduced a qualitatively different mindset from training targets. One application featured notably strong input validation and filtering that constrained the attack surface significantly, requiring more methodical exploration and a higher tolerance for unproductive test runs.
Client engagement reports are not included in this portfolio due to non-disclosure obligations. Their structure and format are equivalent to the mock reports attached as evidence below.
Three side assignments arising from operational needs at The Security Factory.
TraceHunt is a CTF platform under development with a stealth scoring mechanic, participant traffic is monitored and alerts reduce the score, modelling adversary simulation conditions. All traffic was routed through SSH SOCKS5 proxy tunnels across three rotating redirectors with randomised delays to avoid detection.
Four challenges were attempted across weeks five and six, covering web enumeration, SNMP credential extraction, C2 beacon interaction, and credential stuffing from a breach dataset.
A web-based internal tool to search client email addresses and domains against a large collection of breach credential data. Built with a Flask backend, Redis message broker, RQ for background job processing, and ripgrep as the search engine for performance on large plaintext files.
Results were delivered asynchronously to Slack via webhook. The tool was handed over as a functional internal utility for use during client engagements.
USB drop devices emulate a keyboard on insertion and execute a keystroke payload, effectiveness depends on balancing execution speed against character dropping. An existing payload showed inconsistent results across hardware configurations.
Systematic testing across varying inter-keystroke delay values yielded an optimised configuration achieving approximately 9 out of 10 successful executions, completing before an unknowing user could react, with zero dropped characters.
A personal reflection on the internship.
This internship was the thing I'd been working toward for three years. I came in knowing I wanted to do offensive security, but there's a big gap between studying it and actually doing it professionally, and this is where that gap started to close. The standards are higher, the feedback is more direct, and the results matter in a way that school assignments simply don't.
The most surprising growth wasn't technical. The mock review meetings, especially the infrastructure one, were harder than I expected. Explaining an ACL abuse chain to someone who doesn't know what Active Directory is, in a way that makes them understand why it matters to their business, is genuinely difficult. You have to understand something well enough to strip away all the technical language and still convey the real-world consequence. I wasn't good at this at first. By the end, I was.
I also grew in how I handle being stuck. There were days spent entirely on one problem, JWT vulnerabilities, LSASS dumping, NTLM relay attacks, without meaningful progress. Security work doesn't always have a clear answer or a deadline that forces you to move on. You develop a sense for when to keep digging, when to change approach, and when to ask for help. Getting that balance right took time, but it's one of the most transferable things I'm taking away.
Transitioning to real client work was its own adjustment. The first day of testing a well-secured application and finding almost nothing was deflating. Over time I learned to reframe it: no findings on a hardened target is a meaningful result, it means the application is doing something right. That shift in perspective changed how I approach every engagement.
I came in wanting to confirm that offensive security is what I want to do professionally. I'm leaving completely certain that it is, and as of the 1st of July 2026, I'll be doing it full-time at The Security Factory.
Supporting documents for my internship.
Internship project plan outlining scope, objectives, planning, and deliverables, reviewed by the internship supervisor.
An overview of everything realized during the internship — covering all testing phases, tasks completed, and deliverables produced.
Personal reflection on the internship — what was accomplished, what was learned, and how it shaped me professionally.
My own documentation produced during the internship.
Full penetration test report for a web application engagement, covering identified vulnerabilities, exploitation steps, risk ratings, and remediation advice.
Full penetration test report for an infrastructure engagement, network and host-level findings, privilege escalation paths, and remediation recommendations.
Full penetration test report for a mobile application engagement, covering client-side and backend vulnerabilities found during the assessment.
Step-by-step write-up of setting up the Game of Active Directory (GOAD) lab on The Security Factory's server.
Write-up of the Tracehunt CTF-style challenges completed during the internship.