选择你当前的职位
选择角色和级别——我们会展示成长路径、技能和差距分析。
发展路径
Junior
0-2 years
职责: Выполнение задач под руководством старших коллег. Изучение кодовой базы, стандартов и процессов команды. Написание кода по спецификациям, исправление простых багов, написание тестов.
关键技能:
Middle
2-5 years
职责: Самостоятельная разработка фич от декомпозиции до деплоя. Участие в code review. Оптимизация производительности. Менторинг junior-разработчиков. Участие в архитектурных обсуждениях.
关键技能:
Senior
5-8 years
职责: Проектирование архитектуры компонентов и сервисов. Решение сложных технических проблем. Ведение технического долга. Code review как gatekeeper качества. Менторинг middle-разработчиков. Выбор технологий для новых задач.
关键技能:
Lead / Staff
7-12 years
职责: Техническое лидерство команды или направления. Проектирование системной архитектуры. Координация с другими командами. Формирование стандартов и best practices. Участие в найме. Планирование технического roadmap.
关键技能:
Principal
10+ years
职责: Техническая стратегия на уровне компании или домена. Кросс-организационное влияние. Решение системных проблем бизнеса через технологии. Менторинг lead-инженеров. Публичное представление компании.
关键技能:
差距分析:待发展的技能
要达到下一级别,你需要发展:
Conducts security testing of JWT/OAuth2 implementations: exploits JWT algorithm vulnerabilities, tests OAuth2 flows for CSRF and code interception, and identifies token leakage through side channels. Uses specialized tools (jwt_tool, OWASP ZAP) for automated authentication testing. Creates proof-of-concept exploits for identified vulnerabilities.
Applies OWASP Testing Guide methodology for web application penetration testing. Conducts security assessments identifying OWASP Top 10 vulnerabilities with manual exploitation techniques. Uses specialized tools (Burp Suite Professional, sqlmap, custom scripts) for deep vulnerability validation and proof-of-concept development.
Tests RBAC and ABAC implementations for privilege escalation and authorization bypass. Conducts penetration testing of access control mechanisms across application layers. Uses specialized tools to enumerate roles, permissions, and detect misconfigurations.
Uses DAST tools alongside manual penetration testing to discover runtime vulnerabilities. Validates SAST findings through exploitation to confirm real attack vectors. Integrates dynamic scanning into penetration testing workflows to maximize coverage of web application attack surfaces.
Performs security assessments of Kubernetes clusters identifying misconfigurations in RBAC, network policies, and pod security. Uses tools like kube-hunter and kubeaudit to discover vulnerabilities. Tests container escape scenarios and lateral movement paths within cluster environments.
Performs cloud penetration testing across AWS, Azure, and GCP environments. Conducts security reviews targeting IAM misconfigurations and exposed services. Uses cloud-specific exploitation tools and techniques to identify privilege escalation paths and data exfiltration vectors.
Independently applies threat modeling to identify attack surfaces before penetration testing engagements. Maps MITRE ATT&CK techniques to system components. Understands trade-offs between different attack paths and prioritizes testing efforts. Creates threat-informed test plans covering network, application, and social engineering vectors.
Uses digital forensics fundamentals to document exploitation evidence during penetration tests. Captures system artifacts, file hashes, and timeline data to support findings. Analyzes disk images and memory snapshots to identify indicators of compromise and validate attack paths.
Applies secure coding knowledge in penetration testing — reviews source code to identify exploitation vectors, maps code weaknesses to MITRE ATT&CK techniques, and develops proof-of-concept exploits from code analysis. Uses SAST tools alongside manual code review to prioritize penetration testing targets.
Supports incident response by providing offensive security expertise during active incidents. Validates attack vectors and helps determine scope of compromise. Documents exploitation paths for post-incident analysis and contributes to lessons-learned reviews with remediation recommendations.
Independently performs network penetration testing: conducts host discovery, service enumeration, and vulnerability scanning across subnets. Exploits misconfigured firewalls, weak VPN setups, and unpatched network services. Writes clear findings on network segmentation gaps and proposes remediation for IDS/IPS evasion techniques discovered during engagements.
Uses dependency scanning results from Snyk, Grype, or OWASP Dependency-Check to identify attack vectors during penetration tests. Maps known CVEs in third-party libraries to practical exploit scenarios. Understands the difference between reachable and unreachable vulnerable code paths when prioritizing findings. Validates whether dependency vulnerabilities are exploitable in the application's specific deployment context.
Discovers and validates vulnerabilities through penetration testing and exploitation. Assesses vulnerability severity using CVSS scoring and real-world exploitability analysis. Uses vulnerability management platforms to track findings and verify remediation effectiveness across tested systems.