Early-Career Security Engineer: Anvil Offers a Foundation for Growth

The spring before landing the job at Anvil in July 2020, I was completing a Master's Degree in Cybersecurity at the University of Maryland. I had worked as a security intern at another firm in Summer 2019, so the job at Anvil was my first fulltime job. I recently was thinking about how I had wrapped up my first year of work at Anvil and thought I would share my experience.

Since I was somewhat new to the nature of security assessment work, I started by shadowing other engineers on various projects. This gave me the opportunity to observe and understand the work passively, then gradually engage more until I was able to tackle projects on my own.

The work here typically involves engaging on a client project to conduct security assessments on a client’s product or environment, preparing a detailed report on security weaknesses (“findings”) along with recommendations on how to fix them, and presenting this report to the client for discussion. Depending on the scope of the project, a project can typically last from a week up to a month or longer. My current area of interest is web application security, so I have mostly been working in that domain. Every project presents a different challenge and provides an opportunity to learn new skills - both technical and non-technical. The option to shadow other engineers working on projects in other domains such as IoT, embedded systems, etc., keeps things interesting.

In the last year at Anvil, I have gained a lot of technical as well as non-technical skills that have helped me transition from a student to a security professional. Before starting the work, I used to play online CTFs on platforms such as hackthebox, vulnhub, etc., and I assumed penetration testing would be similar. While CTF experience is very helpful for learning, I found that approach to be rather different than a real-world security engagement. In a CTF challenge, you know that there is a vulnerability and your only goal is to exploit it. When working on a client project, you have to focus on many more things than just finding the flag, and have to examine every issue, even if it is perceived at first as minor, to understand/evaluate the impact.  There may or may not be a vulnerability and, even if one is present, you might not get the chance to exploit it due to the time-bound nature of the work which requires you to focus on other parts of the scope. Additionally, you also need technical writing skills to create meaningful reports and communication skills to effectively discuss findings with clients and help them resolve the issues.

Anvil offers plenty of time and opportunities to learn new things. I have currently been working through the OSWE (Advanced Web Attacks and Exploitation - WEB-300) and some cloud security courses. Apart from that, numerous internal programs such as H3 (Hacking Happy Hour) dive into new interesting topics and provide opportunities to learn from experienced peers and generate ideas for new research.

Overall, the work culture at Anvil is professional yet relaxed. In addition to being industry veterans, the coworkers are very helpful, kind and supportive. The opportunities to hang out IRL with these cool folks have been limited so far due to the pandemic, but I have had some in-person contact. Fun occasions include crabbing trips, playing soccer, and watching/discussing soccer games. With the office located next to Seattle's famous Pike Place Market, we explore new restaurants and bars for lunch and happy hours. Outside of work, there will be only a few workplaces where you can play Call of Duty with the CEO (Chris Elbring)  

I have come to realize how unique Anvil is in providing opportunities to be mentored and work collaboratively. I can also conduct independent research and work with the CTO on responsible disclosure where applicable and publication, and Anvil promotes staff research through its social channels, so I can receive industry recognition. Overall, this fun yet professional environment has been pivotal in my career and has helped me create a strong foundation to build my career upon in the cybersecurity industry.