Cyber Security.
17.12.25
Penetration testing and application security often get oversimplified. People think it's all about breaking in, grabbing data, writing a report, and walking away. But the truth is, there’s far more going on behind the scenes.
At The Missing Link, our security consultants combine ethical hacking, secure development practices, and hands-on technical skills to test, probe, and help improve real security. We simulate real attacks, find weaknesses before attackers do, and work closely with infrastructure and development teams to strengthen what matters.
This article is part of our ‘A Day in the Life’ series, where we go behind the scenes in each department at The Missing Link to explore how different teams work, collaborate, and deliver impact.
Chief Technical Security Officer Sam Marshall leads the security consulting team. Reporting to him are specialists in offensive security, application security, and secure development. The team structure is intentionally flat, so everyone contributes and learns, from red teaming to secure code reviews.
They don’t operate in a vacuum. Consultants work with project managers, blue team analysts, and even sales now and then. Everyone plays a role in getting the job done. The culture? Low ego, high standards. This is a team that takes the work seriously, but not themselves.
Every day’s different, but the rhythm is familiar. Mornings start with quick check-ins, a scan through briefs and scopes, and syncing with the project coordinator. Then it’s all about prepping the testing environment, spinning up VMs, reviewing configs, and making sure everything’s good to go.
Once the admin is out of the way, it’s game time.

Let’s debunk a classic myth. For many, The Matrix is the definition of hacking: lines of green code falling down the screen, numbers flying past your eyes, and somehow, just like that, you’re in. System hacked. Report written. Client happy.
But in reality? There’s no magic. No cinematic montage. Just a highly structured, methodical process grounded in real technical skill. Every test follows a clear methodology. Every vulnerability has to be proven. Every report tells a story backed by evidence. It’s not showbiz. It’s show and tell, and the stakes are real.
Take the Offensive Security Certified Professional (OSCP) exam as an example. It’s 24 hours of mental gymnastics. Consultants are tasked with compromising multiple machines using real-world techniques like enumeration, exploitation, and lateral movement, all while being monitored and timed.
“You might spend 12 hours stuck, just mapping out the environment. Then, after a break, it suddenly clicks. That moment feels incredible, but it only comes after hours of frustration.”
— John Kim, Application Security Consultant
That mindset carries into every engagement. Success takes patience, curiosity, and a lot of trying, failing, and trying again.
Some tests wrap in a day. Others stretch out over weeks. Most app assessments run across five business days. Red or purple team jobs? They can run for months. The pace changes, but the process holds. Break things legally, find the gaps, and help fix them.
And yes, there are challenges. Early morning test windows, unclear scopes, and tight deadlines are all part of it. So is juggling hands-on testing with documentation, reporting, and client communication. It’s not always smooth, but the team knows how to navigate the chaos.

App sec is a different beast. While some consultants focus on networks or infrastructure, this crew goes deep into the software itself: web apps, APIs, mobile platforms, and even thick clients.
Some tests are black-box. Others involve full access to the codebase. Either way, the goal is the same: spot weaknesses before attackers do.
The work blends technical skill with developer empathy. Consultants don’t just find the flaws; they explain what’s happening, why it matters, and how to fix it properly. It’s testing, yes. But it’s also teaching and translating.
The toolkit changes depending on the target. Web testing might use Burp Suite, Postman, or SQLMap. Internal jobs might involve Responder, BloodHound, or CrackMapExec. Mobile testing? Think Objection, Frida, or adb. Physical testing? Sometimes you need a lockpick set, and always a “get out of jail free” card.
But let’s be clear: tools don’t make the consultant.
“Anyone can download a tool. The challenge is knowing how and when to use it, and thinking critically about what the results really mean.”
The real value is in the mindset. Knowing how to chain weaknesses together. Knowing what to look for in the noise. Being able to explain complex issues in plain English.
That’s what sets great consultants apart.
Every test starts with a simple question: how secure is this environment, really?
Consultants look at exposure points. They map out how an attacker might move through a system. They test whether controls like multi-factor authentication, segmentation, or endpoint security actually hold up.
They also assess alignment with frameworks like ASD Essential Eight, ISO 27001, or SOC 2, and provide practical, prioritised feedback that developers and infrastructure teams can act on.
The outcome isn’t just a report. It’s a clear roadmap to reduce risk and improve security posture across the business.
A win could be finding a critical vulnerability. Or proving that layered security worked exactly as it should. Or delivering a report that a developer actually wants to read. Sometimes, success is learning something new that improves the next test.
Sometimes, success means publishing a new Common Vulnerabilities and Exposures (CVE) entry, something The Missing Link’s consultants have proudly achieved. View our security advisories.
Whether you're planning a security assessment or looking to improve your application security, we can help you find the gaps before someone else does. Speak with our team today.
Author
As a Content Marketing Specialist at The Missing Link, I turn technical insights into engaging stories that help businesses navigate the world of IT, cybersecurity, and automation. With a strong background in content strategy and digital marketing, I specialise in making complex topics accessible, relevant, and valuable to our audience. My passion for storytelling is driven by a belief that great content connects, educates, and inspires. When I’m not crafting compelling narratives, I’m exploring new cultures, diving into literature, or seeking out the next great culinary experience.