Looking back on a successful 2025, our Offensive Security Manager Koen Riepe shares his thoughts on dealing with end-year performance reviews and which vital skills are important for ethical hackers/red teamers.
A base for important skills
You'll likely be on the receiving end of at least one, and if you have a managerial/lead position, you may also have to conduct this review with one of your peers. I've been in a position for several years now where I have to rate my teammates and tell them what they are doing great and what they can improve, through some form of official report. Every time I struggle with putting my feelings about someone's performance into words that make sense and are transparent and clear. After all, I also have been on the receiving end of unclear performance reviews multiple times, and those never felt good. I hope this article can serve as some inspiration or base for what skills are important and why, and how to discuss/include them in performance reviews.
After reading thousands of pages about team performance, being a good manager and healthy work culture by for example, Simon Sinek, Adam Grant, Brené Brown and Bradley Kirkman, I felt equipped to write something about what skills are important for ethical hackers and how we can rate them. I've learned that being transparent and clear when advising your team "be better at their job", is basically impossible if you don't actually know what skills you are evaluating. Most of my time was therefore spent figuring out, "What skills are vital for ethical hackers/red teamers?" In my experience, teams are often quick to default to rating technical experts or their ability to perform complex technical work. While this is certainly very important, it doesn't mean the technical expert capable of complex work functions well within the context of all the work that has to be performed. Almost no one works alone all the time, most of us work in teams of experts. We also have to deal with other internal teams and maybe multiple teams of our customers. Therefore, we must take many other skills into account and cannot solely rate based on technical expertise.
Skill categories
After thinking long and hard, consulting books and of course the internet, I've settled for the following 10 skill categories that I think are vital for ethical hackers/red teamers. I'm quite sure that most of these categories work for other jobs as well. However, I'm dedicating this article to why I think they are important in my business of consultancy based offensive cyber security. The 10 categories, in no specific order, are:
- Technical proficiency
- Collaborative communication
- Adaptability and improvisation
- Tactical planning and foresight
- Resilient performance
- Professional confidence
- Ethical conduct
- Operational excellence
- Emotional intelligence
- Innovative team growth
Technical proficiency
Technical proficiency is about the mastery of cybersecurity tools and technologies. This is about a deep understanding of cybersecurity principles, the ability to conduct thorough technical analysis, the capacity for conducting sustained deep focus work, and keeping skills with new trends. It is absolutely vital for any ethical hacker to have technical proficiency to do their job well. The higher this skill, the more complex work the person is able to handle, and the more likely they are to find interesting and complex vulnerabilities.
Depending on someone's specific role, increasing this skill may mean improving the breadth or the depth of the skills they already have. This skill is very likely a primary factor in deciding if someone is a junior or senior. All ethical hackers should try to prevent this skill from degrading unless they want to move into managerial positions where technical proficiency is less required. Increasing or keeping technical proficiency is often quite easy (if time permits) by getting new/additional certificates showcasing the spent effort. Showing that this skill improves is also a great way to gain trust from your team by showcasing expertise.
Collaborative communication
Collaborative communication is about effective interaction and information sharing within teams. It encompasses the persons' interpersonal communication skills, their ability to actively listen to other team members' inputs, to clearly articulate complex technical concepts and share knowledge with both technical and non-technical stakeholders. Anyone working in a team needs to be able to collaboratively communicate with other team members, or they may as well be working alone. Worse, if the person is bad at the collaborative part, they may likely negatively impact the team and increase the stress of all involved members, including their own. It is a vital skill for building trust between team members and clients alike.
From my experience, bad communication is the root cause of many many problems. Just knowing the "rules" of good communication isn't enough though, since everyone has personal preferences for how they like their communication. I strongly advise drafting a clear communication plan for the team/company wherein expectations with regards to communication and response times are described. This will help synchronize preferences and allow those with a worse natural communication skill to better understand and improve more. This plan also helps new employees onboard faster and can help avoid frustrations from those new employees that may not be aware of all unwritten communication rules that have been established over the years.
Adaptability and improvisation
Adaptability and improvisation is about handling rapidly changing circumstances and unexpected challenges. Ethical hackers need to be able to be flexible and able to quickly adjust priorities, to solve (complex) problems under pressure, to creatively adapt existing (exploit) techniques to ever changing circumstances and stay composed amidst the chaos of all the work our technical experts are involved in.
I find that this skill is often tied to the breadth of experience ethical hackers have. The more they have already experienced, the more they are able to adapt and change. Therefore, this skill often naturally develops over the years as people keep working. Sometimes, however, experts stay trapped in old procedures and lack the ability to creatively adapt to the rapidly changing circumstances of the cybersecurity field. It is very important that ethical hackers adapt quickly and learn how to improvise with limited knowledge as it is very unlikely that the exact same test in the same testing conditions will be repeated several times.
Tactical planning and foresight
Tactical planning and foresight are about effective day-to-day planning and anticipation of challenges. While it is important that ethical hackers are able to be flexible and adaptable, not everything should be done on the fly. Even though the ethical hacker may be able to deliver a satisfying solution, the on-the-fly improvisation can cause immense stress for the client, project managers or sales because they do not know what and when to expect it.
For this skill, ethical hackers need to be able to plan and organize work, be good at estimating time requirements, identify (potential) roadblocks, and manage their workload. This skill is also very important to function well in the team they are working in as ethical hackers. If they cannot identify roadblocks or correctly manage their own workload, they will cause problems for clients, project management, or maybe themselves. This often leads to additional time that has to be put into causing additional stress that may bleed into personal time. Ethical hackers should feel empowered to push back if too much work is being put on their plate. By bettering this skill, issues can be raised before they occur, saving everyone from extra stress and time.
Resilient performance
Resilient performance is about maintaining effectiveness under pressure and adversity. It may seem like this skill is basically adaptability and improvisation again, but I'll argue that there is a very big difference. Surely, having adaptability and improvisation skills will help with resilient performance. However, it is not the same thing to be able to adapt when plans change with room for mistakes, and to perform under pressure and keep high performance when adversity strikes. All too often I've seen colleagues with a high level of adaptability and improvisation crumble when things got really rough. For example, team members could get sick leaving you to perform alone (for an extended time).
With a high resilient performance skill, you can maintain your same effectiveness under pressure; you can effectively manage your own stress levels, maintain composure when adversity strikes and take initiative in uncertain and high-stakes operations. Knowing or thinking of what to do and actually doing it are two separate things, and I think both deserve their own category. I'm also sure we all know some "rockstar" employees that are always just getting work done, no matter the circumstances, even though they don't stand in the spotlight much. Though it may seem that this is a very individualistic skill, it is important for the whole team to have this skill as high as possible because it builds trust. We automatically start trusting our team members that keep forging when things get hairy, and more trust is built when we can do it together for extended periods.
Professional confidence
Professional confidence is about self-assurance in technical abilities and decision-making. Based on my experience, the cybersecurity field is filled with excellent people suffering from imposter syndrome. There always seems to be some other experts that know more than us and that brings us down. Somehow, we do not see how well we are performing ourselves and that gets in our way, it could even impact the team we are working in. Low professional confidence can really break a team, specifically if senior employees are vocal about their low confidence. Often, these senior employees do not even realize the impact they have with the vocalization of their lower professional confidence. They often benefit when this is pointed out to them. On the contrary, too much professional confidence in a team can lead to overconfidence and bad decision making. Having the right level of professional confidence can therefore be quite hard to measure.
Professional confidence for an ethical hacker means, confidence in one's own technical abilities, how decisive they are in making security judgements, how resilient someone handles pushback on their decisions and their assertiveness in presenting problems, solutions and recommendations coming from (personal) experience. It is important to keep in mind that as ethical hackers we work in an expert and complex field. We are constantly understanding and explaining these complex environments and working with them every day. Because of the sheer breadth and depth of work in this field, we'll never know it all. But if we, as the people that work in it, day in day out, cannot confidently say how we can improve, who will? I think we all should be humble about what we really know, but it is important that we try to find confidence in ourselves and the teams we work in. The more confident we get, and the better we can express that confidence to our colleagues and clients, the more motivated we become.
Ethical conduct
Ethical conduct is about maintaining high ethical standards in security operations. It should really go without saying that ethical hackers should follow the highest standards of ethical conduct. We are constantly exposed to critical or very personal information; we may work with applications or systems that could greatly impact the lives of other people around the globe. This potential impact can cause immense stress, and immense stress is a primary catalyst for "ethical fading". Once ethical fading settles into a company or a team, its culture is likely to suffer. Bad culture leads to bad results and bad results over time lead to closure of a company.
Ethical hackers that score high on this skill have a high level of integrity and accountability; they know how to make the right calls in moral gray areas and can be trusted to handle sensitive information, be it the client's or internal. All too often it is easy to take shortcuts because "no one will notice". Too often ethical hackers will be pressured by sales/management to help sell assessments that customers do not require and are ineffective. Ethical hackers that can act with integrity, even with all the pressure, build trust with colleagues and clients very quickly. That trust will increase team performance and will lead to better outcomes than any sketchy pressured sale ever will.
Operational excellence
Operational excellence is about delivering consistent results and reliably executing assessments. Scoring high on operational excellence is what separates average work from high quality work. It is what puts someone in the "rockstar" or "superstar" category. This skill is about reliably executing assigned tasks, meeting deadlines and commitments, documenting processes and findings, following established (security) procedures and all with high quality. Scoring high on operational excellence will quickly build trust will colleagues and will show both internally and externally how you "go the extra mile".
I'm confident that any ethical hacker that focuses on the operational excellence will also see a boost in their professional confidence. If you know what you are doing, you are doing very well, it is much easier to be confident about it. Scoring high in this area will likely make colleagues want to work with you. Because they know they can trust, you will not give them some poor-quality reports that they'll have to fix later. Because they know that you are always trying to do the best you can do. This is fundamental for team performance and trust within the team. If bad work from a team member ever reaches your desk, it should always be because they don't have enough technical proficiency to do their job yet, and never because they didn't try their best.
Emotional intelligence
Emotional intelligence is about understanding and managing emotions in team settings. Not just your own emotions, but also the emotions of your colleagues and clients. We live in a world where most people have learned to hide their emotions, increasing the difficulty of correctly understanding someone. Furthermore, we also work behind screens and exchange large pieces of information via text that is mostly devoid of emotion. Asking about emotions and learning to deal with them will allow anyone to perform better in a team context. Being in tune with your own emotions and showing vulnerability about them will make communication with you easier and build trust with your team.
Therefore, this skill is about the capacity to show empathy towards team members, self-awareness about your own emotions, being able to regulate and deal with emotions, and doing that in team dynamics. It is important to note that pretending to have this skill can very easily destroy trust instead of building it. No one likes to feel that someone is faking to care about you. When you show your empathy, make sure it is genuine! Like technical proficiency, emotional intelligence can also be trained. There might not be a shiny certificate to add to a CV, but there are plenty of books that can help those less skilled in emotional intelligence learn to understand better. This holds true even if you are less of a neurotypical person that doesn't really experience emotions as much. Understanding what others go through can still enable genuine care even if you don't "feel" the same thing.
Innovative team growth
Innovative team growth is about proactively driving team improvement through creative initiatives. The old business saying of "standing still is the same as going backwards" feels mostly true for cybersecurity. Technology is still advancing at an incredibly rapid pace; new vulnerabilities are discovered every day and advances in detection/prevention engines invalidate old attacks. If teams want to continue to be relevant, it is important that innovation is encouraged, and an innovative team growth mindset is a skill that members are scored on.
This skill involves identifying or implementing opportunities for team process improvements, sharing knowledge within the team, mentoring less experienced team members, and researching/developing new attacks and strategies. It is important to realize that team improvements have many forms. Very often I see this take the shape of new technological implementations or technical development. This can feel alienated for those that are less versed in programming. However, another way of supporting the team growth could be improving sales/reporting text. It could be thinking of new advanced phishing scenarios. It may be analyzing how much time is wasted because the wrong expert is planned on wrong tasks.
Rating the skills
Now that we know what skills we deem important, we need to figure out how to rate them if we are going to provide any meaningful feedback. After thinking some more, I settled for the system that I was already unconsciously doing in my brain, namely rate skills from 1 to 10. An advantage of rating the skills simply numerical from 1-10, is that you can take a look at the averages in the skills I defined earlier. This allows you to quickly identify areas of improvement for the entire team.
Rating from 1-10 of course still makes the system based on feeling and not just on observable data. It does force me to be able to explain the number I'm assigning every team member for every skill. It also allows me to compare my feelings about different team members to the numerical data I'm writing down and forces me to rely less on personal preferences that I may have for people that I "like" more. I'm rating without regards for the position of the team member, senior or junior, it doesn't matter. We'll be adding weights to the scoring to represent how important skills are for different roles.
To score, we also need to know what the numbers represent. In my model, a score of 5 represents what I would expect to see as a minimum for a team member, to be satisfied with their level of skill. Anything below a five is something that needs to grow, or the team member will likely start causing issues in the long run because of their poor skill. This means that scores between 1-4 serve generally as, incredibly poor to just below expectations. It allows me to differentiate team members that may be lacking in a skill, but some are better than others.
A score of 10 represents me not knowing how to advise my team member to further improve the skill. That doesn't mean they have no room for growth; it simply means that I won't be able to coach them on that skill and have no notes. I want to stress that even if your skill is lower than one of your team members, it doesn't mean you cannot give them any advice on how to increase their skills. These skills factor in many things, and even if you cannot execute something yourself, you may still be able to give good pointers for others to improve. The 6-9 is reserved for differentiating between the skill levels of distinct team members.
Weighing skills
I also decided to add weighing to the skills to better represent the importance of certain skills for different roles in the team. The exact weights should be tailored to meet the specific responsibilities for every role in a team. For ethical hackers' technical proficiency is a vital skill to be able to do their job. However, for a junior employee it is likely not the most valuable skill. I would argue that adaptability and improvisation are more important for a junior as they will likely have to learn to adapt often and improve a lot of the time because of their limited knowledge. Also, for team leads and project management I value collaborative communication more than technical proficiency, for example. The more roles you have in the team, the longer it will take to tweak the weights. I do believe it is possible to plot basically every role in the 10 skill categories that I've described in the article, since they apply to basically any job if you change some details.
Closing
I hope the skills I describe here can help shape how you rate and provide feedback to your team members. I also hope that this article can grant some insight into what other skills are vital for ethical hackers and valuable team members. I encourage everyone to look through the skills described here and rate yourself as well. Try to keep track of your progress and see where you improve.
This article has prior been shared by Koen on LinkedIn. You can read the original article here.