There is hardly any discipline in IT security as dynamic and demanding as penetration testing. We spoke with Erlend Depine, Head of Pentesting at BearingPoint in Graz. With over 26 years of experience, he offers fascinating insights into his career, the evolving challenges of pentesting, and why regular security assessments are essential for companies today.


Who is Erlend Depine?

Erlend Depine has been with BearingPoint for over 26 years and currently serves as Head of Pentesting at the Graz office. He is responsible for coordinating the pentesting team and managing ongoing projects. His tasks include defining scopes together with clients, preparing cost estimates, finalizing reports, and presenting the results. Erlend also acts as the primary technical contact for clients — particularly when it comes to translating complex technical findings into language that management can act on. As such, he serves as a central sparring partner for clients throughout the entire project lifecycle.

The path to becoming a pentester

According to Erlend, there is no single or classic career path to becoming a pentester. Early in his career, he worked on the defensive side of IT security — focusing on topics such as voice over IP, digital signatures, system architectures, firewalls, and network segmentation. His transition to offensive security came through a project within BearingPoint, where he was tasked with conducting technical due diligence on internally developed software products. This exciting challenge laid the foundation for the creation of the Pentesting+ service and the formation of his own dedicated team.

What makes a good pentester?

"Experience, enthusiasm, and practical skills," Erlend summarizes. "It’s not enough to simply know the tools and use them. You need to understand them in depth, know when to use which tool, and be able to play the full 'keyboard' of available techniques."

Pentesters should also be capable of adapting existing tools or developing their own exploits when needed. Erlend highlights the importance of platforms like Hack The Box and CTF (Capture The Flag) competitions for sharpening hands-on skills. Certifications such as the Offensive Security Certified Professional (OSCP) further complete the profile of a skilled and reliable pentester.


The appeal of pentesting

"The variety and dynamic nature of the tasks is what makes pentesting so appealing to me," explains Erlend. Every scenario is unique and demands an agile, creative mindset. He finds phishing campaigns particularly fascinating — an area where both technical precision and inventive problem-solving are essential.

Why are pentests so important?

Pentests are a fundamental component of any robust cybersecurity strategy. They verify the effectiveness of existing measures and uncover areas that require improvement. In light of regulatory frameworks such as NIS2 and DORA, as well as increasing expectations from cyber insurance providers, regular penetration testing has become essential — and in many cases, mandatory. "The more innovation, the more urgent a new pentest becomes," Erlend emphasizes. Especially after major changes — such as the rollout of new application versions, significant modifications to Active Directory, or the introduction of new systems like a CRM platform — companies should assess their IT infrastructure through a targeted penetration test to detect potential vulnerabilities.

Can internal IT teams carry out pentests?

No, at least not exclusively. An external pentester brings an unbiased view and often finds vulnerabilities that internal teams overlook - whether due to operational blindness, routine assumptions or because certain scenarios have not been considered.


The process of a pentest

Erlend outlines the typical phases of a penetration test — from preparation and scoping to execution, reporting, and debriefing. Most importantly, critical vulnerabilities are reported immediately, while less urgent issues are explained in detail in the final report.

Challenges and highlights

Some of his most memorable cases include attacks on booking systems, quality assurance portals or even gaining access to internal networks via manipulated phone jacks. These examples highlight a core truth in pentesting: security vulnerabilities are not always obvious — and identifying them often requires a high level of creativity, unconventional thinking,

Dealing with ethical and legal issues

"We always act on the basis of clearly defined agreements (LOA) and are aware of our ethical responsibility," explains Erlend. Reports are stored in double encrypted form and are permanently deleted after delivery — to ensure that even BearingPoint cannot become a target through retained sensitive data.

The role of artificial intelligence

Artificial intelligence is playing an increasingly important role in pentesting. While AI-powered tools are already being used for incident detection and log analysis, Erlend’s team is also experimenting with AI-generated exploits and phishing campaigns to simulate real-world attack scenarios more effectively. "The real challenge," Erlend notes, "will be the balancing act — both attackers and defenders will be using AI."

Conclusion: it's all in the mix

With decades of experience, Erlend Depine offers valuable insights into the world of pentesting. One thing becomes clear: IT security is not a one-time effort — it’s a continuous process that thrives on a mix of expertise, creativity, and passion.
