At Triaxiom, we modeled our engineer training pipeline after pilot training in the Air Force. Why? Simply put, because we think it works and there are a lot of parallels. The Air Force wants to make absolutely sure a pilot is qualified to fly a plane before they allow them to hop into a multi-million-dollar aircraft. Similarly, we want to make sure our engineers are qualified before they perform any penetration tests. This helps us ensure we are upholding the highest quality and giving you an accurate view of your risk. Additionally, it helps us prevent problems from occurring during our tests. Ultimately, every engineer we hire goes through the training pipeline laid out below. Engineers hired with direct penetration testing experience may progress more quickly through these stages, but they must still meet the initial qualification requirements and be signed off before performing a real test.
The first time an engineer is exposed to a particular module or service, they will shadow an engineer who is qualified as an instructor in that area. This is on-the-job training in which the qualified engineer walks them through our methodology, step by step, while the trainee observes during a live test. Even if a trainee comes in with experience, this step is necessary to emphasize Triaxiom's approach and methodology. Depending on experience, a trainee may need to shadow several tests until they are comfortable enough to progress to the next step.
Once an engineer is comfortable with the process and the tools expected to be used during a test, the roles switch. The trainee performs the actions on the testing platform with heavy oversight from the instructor. The instructor monitors each step of the test to ensure it is done efficiently, effectively, and without disruption to the client environment. Depending on the trainee's proficiency, this step ranges from the instructor telling the engineer verbatim what to do at each step, with complete over-the-shoulder observation, to simply monitoring progress during each phase of the assessment and providing real-time approval or correction as needed. This step is repeated until the trainee is able to perform the test with minimal correction or guidance. Once the instructor deems that the trainee has reached a minimum proficiency, the trainee progresses to the next phase: the check ride.
During a check ride, the trainee performs the test solo from beginning to end. The instructor observes the entire test and fills out an evaluation sheet that rates the trainee's performance across each major step. The instructor does not provide hints or corrections unless absolutely necessary. The trainee is allowed to ask questions or collaborate with other engineers where necessary, just as in a real test, since we encourage all of our penetration testers to collaborate. At the end of the check ride, the instructor goes over the results with the engineer and provides feedback on what they did well, as well as areas to improve.
Once the check ride is complete, the evaluation is submitted to the principal security engineers at Triaxiom, who provide the final approval for the trainee to be qualified on that module.
Once an engineer is qualified, they are able to perform that particular assessment with only the standard technical QA process that all of our tests undergo. More specifically, they no longer require an instructor to monitor their progress throughout the test. Occasionally, qualified engineers are re-evaluated with another check ride to ensure they are adhering to Triaxiom's standards and to evaluate whether they have the mastery required to become an instructor.
Not all engineers will progress to the instructor level, nor are they required to. However, after an engineer has demonstrated mastery of a particular module, quantified through several high scores on check rides and positive client feedback, the principal engineers may make that engineer an instructor for that module. Instructors are able to train others on that assessment, and they form the advisory committee that updates the assessment's methodology and techniques over time.
Outside Engineer Training
Triaxiom realizes that internal training programs alone are insufficient in information security. As a result, all of our engineers are required to hold a minimum number of industry-recognized certifications. To help engineers meet this requirement, Triaxiom covers certification-related expenses, allows time to prepare for certifications, and regularly sends engineers to training classes. Further, Triaxiom encourages ongoing training and education through industry conference attendance and research time. Triaxiom attends one major conference as a company each year and encourages all engineers to attend as many regional conferences as they are able.