Why technical pentesters need consulting skills

Technical skill is still essential, but offensive security teams also need testers who can explain risk, handle client pressure and produce defensible work.

By Simon Chapman


Technical skill is still the foundation of penetration testing.

A tester needs to understand systems, exploit paths, evidence, controls and risk. That has not changed. What has changed is the amount of pressure around the work.

Clients want faster delivery. Sales teams want clearer scopes. Delivery managers want fewer escalations. Senior testers are often pulled into every awkward conversation because less experienced testers are not yet confident enough to explain their own findings.

That is where consulting skill matters.

Consulting skill is not polish. It is not presentation theatre. In a penetration testing team, it is the ability to understand the client’s environment, explain the evidence clearly, defend a finding under pressure and know when a technical issue does or does not matter commercially.

Technical accuracy is only part of the job

A technically accurate finding can still fail in practice.

It may be too vague for the client to fix. It may overstate the risk. It may miss the business context. It may create unnecessary argument during QA or debrief. It may force a senior tester to rewrite the finding before the report can be issued.

This is where many teams lose time.

The issue is rarely that the tester is careless. More often, they have not been taught how to connect technical evidence to client decision-making.

A good consultant can explain:

  • what was found
  • how it was proven
  • what the realistic risk is
  • what assumptions were made
  • what the client should do next

That sounds simple. In delivery, it is often the difference between a clean report and a difficult escalation.

This is also why technical training does not fix every pentest team problem. Technical development matters, but it does not automatically create judgement, clarity or client confidence.

Client pressure exposes weak reasoning

Most penetration testers eventually face pressure from a client.

A client may ask for a severity to be lowered because the finding is inconvenient. Another may ask for a severity to be raised because an internal policy says the issue is important. Someone may challenge whether the issue is exploitable at all.

The tester needs to respond without becoming defensive, vague or overly accommodating.

That requires more than technical knowledge. It requires judgement.

A tester needs to know which parts of the finding are evidence-based, which parts depend on context, and which parts are professional judgement. They also need to explain that calmly.

This is particularly important when handling severity disputes. A severity discussion should not become a negotiation. It should be a structured review of evidence, exploitability, impact, assumptions and client context.

This is a teachable skill, but it is often left to experience alone. That means junior testers learn by watching seniors, copying report comments and surviving awkward calls.

That is slow, inconsistent and expensive.

AI makes this more important, not less

AI tooling can help testers move faster.

It can support note-taking, payload generation, research, report drafting and review. Used carefully, it can improve delivery. Used badly, it can produce confident but weak output.

That creates a new problem for offensive security teams.

If a tester cannot judge whether an AI-assisted finding is accurate, relevant and defensible, the team has not improved. It has just moved the quality problem closer to the client.

This is one of the reasons AI changes the junior pentester role. It may reduce some mechanical work, but it increases the need for juniors to understand evidence, assumptions and client risk.

As AI becomes more common in testing workflows, teams will need stronger human judgement. Testers will need to understand what they are looking at, not just produce more content.

The important skills will include:

  • validating evidence
  • spotting weak assumptions
  • explaining uncertainty
  • prioritising findings
  • handling client challenge
  • knowing when not to overclaim

These are consulting skills as much as technical skills.

Senior testers should not be the permanent safety net

In many teams, senior testers quietly absorb the consulting gap.

They rewrite findings. They join client calls. They calm down escalations. They explain severity decisions. They fix vague recommendations. They mentor juniors informally while still carrying their own delivery workload.

This works for a while, but it does not scale.

The team becomes dependent on a small number of experienced people. Reports slow down. QA becomes a bottleneck. Senior people get frustrated because they are always correcting the same issues.

The same pattern also affects margin. Poor client communication can erode pentest margin through rework, delayed reports, client clarification, severity disputes and unplanned senior involvement.

A better approach is to develop consulting behaviour deliberately.

That means giving testers a clear standard for what good looks like, then coaching them against it. Not just “write better reports”, but specific behaviours:

  • explain risk in plain language
  • separate evidence from assumption
  • ask better scoping questions
  • handle challenge without folding
  • understand what the client actually needs to decide

What this means for offensive security leaders

Technical development remains essential, but it is not enough on its own.

If a penetration testing business wants to scale, protect report quality and reduce dependency on a few senior people, it needs to develop consultants rather than just testers.

That does not mean turning technical people into salespeople. It means helping them communicate clearly, reason under pressure and produce work that clients can trust.

For most teams, that is now one of the main constraints on growth.


Conversec helps offensive security teams improve consulting maturity, leadership capacity, and delivery clarity.