Injects
CPTC injects involve interactions that could occur during an engagement.
For example:
- Tell the company what pentesting standard you are using
- Respond to an email asking about relevant compliance standards
- Explain to the client how to make passwords better
- Weigh in on whether the client should incorporate MFA
- Make a social engineering phone call (This happened!)
- Make a phishing site for harvesting credentials
- Create a network diagram
It is also possible to have injects that involve physical attacks, such as lockpicking.
When doing an inject, make sure to remain in character and be professional.
You should be responding just as an actual pentesting firm would.
- If you are asked to disclose info about other clients/competitors or are asked to do something immoral (I'm unaware if these have ever been actual injects), you should decline and explain why.
- If you do not know the answer to something, do not pretend that you do; instead, try your best to answer properly.
- In the same vein, take accountability for something if you made a mistake.