I was contacted by the NetSPI recruiter who explained to me who NetSPI was and what they were looking for.
Each interview was a series of technical questions usually between 15-30 questions. For example what is the difference between stored and reflected XSS? If you found a website vulnerable to a XSS attack how would you go about fixing the issue?
After about 3 or 4 phone interviews with different NetSPI employees I moved to the next phase of their interview process where I had 3 hours to perform some Pen-Testing in their lab and create a PowerPoint presentation on my findings. I could only use the tools that NetSPI had on the "Tester" box they gave me access to and they had an IP range of about 20 address that I was allowed to do my Pen Testing on. After the 3hrs were up I presented my PowerPoint Presentation to a few NetSPI employees. They had Nessus, Metasploit, along with some tools I was familiar with and others I was not. There were also obviously tools that I like to use that were not available like the Zed Attack Proxy.
Then there was a series of face to face interviews some just one on one and others with two or three NetSPI employees interviewing me at once. In one of the interviews one NetSPI employee brought in his laptop and spent 90% of the hour behind the laptop screen typing away while the other NetSPI employee asked me a series of technical questions.
Besides the technical questions and the lab assessment they also had me do things like a writing test with questions like "What is a noun?" and a little report essay where it was something like you found this vulnerability during your testing write up a summary describing the vulnerability, the severity of the vulnerability, and some ways the client could go about fixing this vulnerability.
Through the NetSPI interview process I wasn't able to ever really get to know much about what my role would be or how well I would fit in at NetSPI. There was very little time if any to ask questions of the people who interviewed me. I never got to meet the whole Pen Test team I would be working with to see the different team dynamics and see what type of group they are.
Overall it was a huge time commitment probably spanning about 30-40hrs of very technical interviews and assessments. I thought the office was kind of dirty and it was strange that in a company of 30-50 people with 10-15 Pen Testers that I didn't get to meet the entire Pen Test team. After all the interviews I just walked away with the impression that maybe NetSPI has some talented people maybe they don't, but either way I didn't think they handled themselves in a professional manner.
