by runjake
4844 days ago
Parts of it can be fun, but much of the time is spent writing tedious (and repetitive) reports, documenting each step you took for each compromise. Dealing with unrealistically limited scopes. Often clients don't actually care about increasing their security posture -- it's usually about compliance with XYZ (PCI, etc). (Good) pentesters don't just run hog wild on a network compromising things left and right with Chemical Brothers blaring through their headphones. It's pretty methodical, and it's all documented and screenshotted for the client's benefit. You want your clients, both the technical and executive people in the org, to understand what you accomplished and how they can mitigate.