In this series, we’re excited to introduce Mohika Gupta, a key member of our Penetration Testing team at Equilibrium.
Mohika’s journey into Cyber Security began in Incident Response, where she developed a keen interest in identifying vulnerabilities. Now, as a qualified Pen Tester with experience in web application and internal testing, she brings a proactive approach to helping clients stay secure. With a focus on continuous learning, Mohika is dedicated to fortifying defences and sharing her expertise within our collaborative team.
Her mission? To help you uncover and address vulnerabilities for a stronger, safer business.
What’s your professional background, and what inspired you to pursue a career in penetration testing?
I joined KPMG’s cyber graduate scheme with the goal of moving swiftly into the Incident Response team. I found their work on cyber incidents fascinating. Helping clients recover from attacks like ransomware especially interested me.
Since incident response and penetration testing are two sides of the same coin, whilst working in the incident response team I would work on upskilling in penetration testing in my own time. When the opportunity arose I made the move from incident response to penetration testing. I started out performing web application tests and code reviews before moving onto internal testing and purple teaming, before moving to Equilibrium to polish my skills working on a different set of clients!
The most relevant qualifications I have completed are the CREST Practitioner Security Analyst and CREST Registered Penetration Tester (CRT). I am working towards completing the CREST Certified Infrastructure Tester (CCT-Inf), which will also allow me to become a CHECK Team Leader.
The most useful training I have done has been through TryHackMe and HackTheBox. I find the written content to be of high quality, and the practical labs allow me to cement my learning.
What does a typical day look like for you as a penetration tester?
Surprisingly a typical day doesn’t just consist of testing!
There are often scoping calls with clients to ensure both parties understand what is expected of testing, daily updates to the clients, and then of course, testing.
When testing, I’ll start off by exploring the environment I’m testing to help me quickly identify which areas are more likely to be vulnerable, or which areas are most critical to operation – and therefore a good target. I spend most of my days testing and troubleshooting exploits, and where possible I take the time to upskill so that I can keep up to date on new vulnerabilities and exploits.
What programming languages and tools do you use most frequently in your work?
I most commonly use Python, JavaScript and C/C++, although as a tester you need to know the basics of a range of programming languages, as you never know what might have been used to build the environment you’re testing in.
It can be overwhelming to keep up to date, but I’ve found that following security researchers and companies on Twitter allows me to keep up-to-date on the latest threats most easily.
Can you share a memorable experience or an interesting bug you’ve found during your testing?
I was working on an internal and external penetration test for a client who dealt with very sensitive information. They had no breakout protections in place for their externally exposed VDI, so, using some of the techniques listed here, it was possible to gain access to their internal network, browse file shares, launch a command prompt and escalate privileges to local administrator. Then a combination of weak passwords and ADCS vulnerabilities allowed me to gain full domain compromise. This was one of my very first internal tests, so I was very surprised that it was possible to gain domain admin so easily!
What do you enjoy most about working with your current team?
Everyone genuinely enjoys what they do and we all have different things we are trying to upskill on, so it’s a great environment for knowledge sharing.
How do you see the role of penetration testing evolving in the next few years?
There is already a big push for companies to move infrastructure to the cloud, and I think that will be reflected in an increased demand for penetration testing of cloud hosted infrastructure.
Advancements in AI may lead to more sophisticated vulnerability scanners. This would allow pen testers to focus on complex exploits during engagements, like chaining multiple, seemingly unrelated, lower-severity vulnerabilities. Increased AI use by clients could also raise demand for testing services. For example, there may be more testing for data loss in chatbots using techniques like prompt injection.
What advice would you give to someone interested in becoming a penetration tester?
Try not to get overwhelmed by how much there is to learn; once you start testing, things will start to make more sense and your knowledge will naturally expand as you hit new challenges.
It’s impossible to know everything, so learn some of the basics, then go and do some practical testing, e.g. on a CTF platform such as HackTheBox or on available training environments such as WebGoat and the DVWA. As you get stuck and work your way through the challenges, you’ll naturally start learning more.
Can you share a tip or trick you’ve learned that has been invaluable in your testing?
Know your tools well. This is essential for troubleshooting when an exploit you thought would work…doesn’t.
Additionally, the tools we use often have so much built-in functionality, so taking the time to understand how to make the best use of all the features of your tools can really help save time during an engagement, letting you focus more of your energy on finding more interesting vulnerabilities.
Outside of work, what are your hobbies or interests?
Outside of work I enjoy trying different afternoon teas, learning how to crochet and volunteering.
How do you balance the demands of your job with your personal life?
Thankfully I really enjoy what I do, so I try and treat more demanding times as another challenge to overcome. That said, I’ve learnt to enjoy the quieter times when they come to avoid burnout.
Need a Cyber Security partner who genuinely understands the stakes?
Our Penetration Testing team, including dedicated experts like Mohika, is here to help you tackle your toughest security challenges. Whether it’s uncovering hidden vulnerabilities or staying ahead of the latest threats, we go beyond the basics to provide the depth of insight your organisation deserves.
Reach out at 0121 663 0055 or email us at enquiries@equilibrium-security.co.uk to learn how we can support your Cyber Security journey. Discover what makes our team stand out—take a look at our 5-star Google Reviews and experience Cyber Security delivered with genuine commitment.
Ready to achieve your security goals? We’re at your service.