Self-evaluation questionnaire
This self-evaluation questionnaire should help you identify your strengths and weaknesses. We will not use the results for salary, job classification, bonuses, reference letters etc.
- If you find a question ambiguous or unclear, please mark it, so we can improve it.
- This questionnaire might imply things that might be expected from you.
- "I didn't know you expect this from me.", "I didn't know I'm allowed to do this."
- Let us discuss this!
- If you think you can improve in some points, but you are missing guidance or documentation, please let us know.
- We suggest that one of the founders keeps your filled-out questionnaire and returns it to you when we fill out the questionnaire the next time.
- This is optional; you can discard it or keep it yourself.
- We keep it for the future "you". We will not evaluate it, apply any scores, etc.
- We will discard or return it if you leave the company.
After filling out the questionnaire
- Select one questionnaire-section (e.g., "Report Writing", etc.) in which you want to improve: ________________________________________________________
- How can we as a company or as a team support you with this? ________________________________________________________
- Present your results to one of your colleagues (by selecting one or by drawing lots).
- Seek honest feedback.
- Optional: Share your thoughts with the team.
Technical Competence
Web Pentesting
◯ 🌱 ◯ 🌿 ◯ 🌳 - I know at least the OWASP Top 10 and can identify simple vulnerabilities
◯ 🌱 ◯ 🌿 ◯ 🌳 - I conduct web pentests independently and analyze complex vulnerabilities
◯ 🌱 ◯ 🌿 ◯ 🌳 - I develop new testing methods
◯ 🌱 ◯ 🌿 ◯ 🌳 - I share my knowledge and train my colleagues in web pentesting
Active Directory / Internal Infrastructures
◯ 🌱 ◯ 🌿 ◯ 🌳 - I understand basic AD attack concepts
◯ 🌱 ◯ 🌿 ◯ 🌳 - I know basic concepts of Entra ID and hybrid identity environments
◯ 🌱 ◯ 🌿 ◯ 🌳 - I conduct AD pentests independently and analyze complex attacks
◯ 🌱 ◯ 🌿 ◯ 🌳 - I have in-depth AD and Entra ID knowledge and develop concepts and defense strategies for customers
◯ 🌱 ◯ 🌿 ◯ 🌳 - I share knowledge and train colleagues in AD/Entra ID pentesting
Tools & Automation
◯ 🌱 ◯ 🌿 ◯ 🌳 - I use standard tools confidently
◯ 🌱 ◯ 🌿 ◯ 🌳 - I automate recurring test steps with self-developed scripts/procedures (including Burp features)
◯ 🌱 ◯ 🌿 ◯ 🌳 - I develop my own testing approaches beyond automated scanners or existing tools
Report Writing
◯ 🌱 ◯ 🌿 ◯ 🌳 - I document simple and recurring findings in the report (e.g., session not invalidated after logout)
◯ 🌱 ◯ 🌿 ◯ 🌳 - I document complex findings independently, with clear and well-structured descriptions
◯ 🌱 ◯ 🌿 ◯ 🌳 - I write different report sections for different target audiences (developers, admins, management)
◯ 🌱 ◯ 🌿 ◯ 🌳 - I deliver solid presentations for technical audiences
◯ 🌱 ◯ 🌿 ◯ 🌳 - I deliver solid presentations for management audiences
◯ 🌱 ◯ 🌿 ◯ 🌳 - I describe findings technically correctly and reproducibly
◯ 🌱 ◯ 🌿 ◯ 🌳 - I formulate findings in a way that customers can understand
◯ 🌱 ◯ 🌿 ◯ 🌳 - I can explain risks in business-oriented terms
◯ 🌱 ◯ 🌿 ◯ 🌳 - My remediation recommendations are concrete and reasonably actionable
◯ 🌱 ◯ 🌿 ◯ 🌳 - I process peer review feedback purposefully and learn from it
◯ 🌱 ◯ 🌿 ◯ 🌳 - I start writing the report early, so I can finish the project in time
Engagement & Process
◯ 🌱 ◯ 🌿 ◯ 🌳 - I understand the scope, boundaries, and approach of a pentest
◯ 🌱 ◯ 🌿 ◯ 🌳 - I follow the pentesting operation rules
◯ 🌱 ◯ 🌿 ◯ 🌳 - I conduct kickoffs and prepare pentests
◯ 🌱 ◯ 🌿 ◯ 🌳 - I communicate critical findings promptly via the agreed channels
◯ 🌱 ◯ 🌿 ◯ 🌳 - I schedule mid-test check-ins early
◯ 🌱 ◯ 🌿 ◯ 🌳 - I conduct mid-test check-ins
◯ 🌱 ◯ 🌿 ◯ 🌳 - I own the entire engagement flow, including retest and remediation documentation
◯ 🌱 ◯ 🌿 ◯ 🌳 - I prepare findings during the test, so a later retest is possible without rebuilding the attack chain
◯ 🌱 ◯ 🌿 ◯ 🌳 - I document findings precisely enough that a retest can be performed (including by another person)
Social Competence
Self-Responsibility
◯ 🌱 ◯ 🌿 ◯ 🌳 - I complete tasks according to instructions
◯ 🌱 ◯ 🌿 ◯ 🌳 - I identify blockers early and report them when needed
◯ 🌱 ◯ 🌿 ◯ 🌳 - I seek feedback proactively
◯ 🌱 ◯ 🌿 ◯ 🌳 - I meet deadlines
◯ 🌱 ◯ 🌿 ◯ 🌳 - I plan projects independently, structure and prioritize tasks
◯ 🌱 ◯ 🌿 ◯ 🌳 - I own projects end-to-end: prioritize, make decisions, organize execution
◯ 🌱 ◯ 🌿 ◯ 🌳 - I identify and report weaknesses in our team and internal processes
◯ 🌱 ◯ 🌿 ◯ 🌳 - I suggest improvements to our team and internal processes
Communication
◯ 🌱 ◯ 🌿 ◯ 🌳 - I communicate clearly and give constructive feedback
◯ 🌱 ◯ 🌿 ◯ 🌳 - I explain technical topics in an understandable way
◯ 🌱 ◯ 🌿 ◯ 🌳 - I conduct myself confidently in customer meetings
◯ 🌱 ◯ 🌿 ◯ 🌳 - I can argue findings convincingly
◯ 🌱 ◯ 🌿 ◯ 🌳 - I ask follow-up questions when something is unclear
Teamwork
◯ 🌱 ◯ 🌿 ◯ 🌳 - I share knowledge actively within the team
◯ 🌱 ◯ 🌿 ◯ 🌳 - I work actively with colleagues on projects
◯ 🌱 ◯ 🌿 ◯ 🌳 - I give constructive feedback
◯ 🌱 ◯ 🌿 ◯ 🌳 - I accept feedback
◯ 🌱 ◯ 🌿 ◯ 🌳 - I work in a solution-oriented way on projects, in the customer's interest
◯ 🌱 ◯ 🌿 ◯ 🌳 - I lead project teams and/or provide mentoring
◯ 🌱 ◯ 🌿 ◯ 🌳 - My colleagues enjoy working on projects with me
Documentation
◯ 🌱 ◯ 🌿 ◯ 🌳 - I fix minor errors in the handbook immediately
◯ 🌱 ◯ 🌿 ◯ 🌳 - I add topics to existing handbook pages
◯ 🌱 ◯ 🌿 ◯ 🌳 - I create new handbook pages on new topics
Customer Orientation
◯ 🌱 ◯ 🌿 ◯ 🌳 - I have a basic understanding of customer requirements
◯ 🌱 ◯ 🌿 ◯ 🌳 - I advise customers actively and adapt my communication to the target audience
◯ 🌱 ◯ 🌿 ◯ 🌳 - I build long-term customer relationships and provide strategic advice
Ethics & Confidentiality
◯ 🌱 ◯ 🌿 ◯ 🌳 - I treat customer data and findings confidentially and in accordance with agreements
◯ 🌱 ◯ 🌿 ◯ 🌳 - I strictly adhere to scope boundaries and test only with explicit approval
...one last thing
Is there anything you cannot implement due to external factors, which should be improved?
This could be something like missing documentation, gatekeeping superiors, hindering culture, missing budget, bad processes, etc.
What would you like to improve? ________________________________________________________
Please approach us, so we can improve.