Vitali Brunovski — mentor in Security Testing and SDET

If you want to go deeper after this article, also read a concrete example of security testing with Playwright and the AppSec learning path for QA and engineers.


1. The 2026 testing market: why standard automation is no longer enough for Senior and Lead

If you are reading this as an SDET or QA Automation engineer, you already know the basic market truth: being able to write tests is not a differentiator. It is the entry ticket.

In 2026, companies buy not “how many scenarios show up in Allure”, but risk reduction and faster delivery without incidents. The most expensive defect class is rarely “the button did not click”—it is broken trust boundaries: access to other people’s data, business-rule bypass, unsafe dependencies, weak authentication, clever injections in APIs.

For a concrete, code-level view (not abstract theory), start with GraphQL Security Testing with Playwright.

QA Automation has scaled horizontally: Page Object templates, report generators, and “best practices” are common knowledge. Competition at middle level is high, and employers increasingly expect automation engineers to understand not only how to click, but where the system lies about trust. Security incidents cost more than most functional regressions: investigations, customer communication, sometimes legal exposure, and mandatory access refactors.

The career mechanism is simple: if your contribution is measured as “UI coverage”, you compete with tens of thousands of similar CVs. If your contribution is measured as prevented vulnerability classes enforced with tests and pipelines, you enter a narrower market with higher compensation. That is not “AppSec fashion”—it is how modern products are built: microservices, API-first, complex boundaries between tenants and roles.

For Senior SDET / Lead SDET, teams expect not only stable UI and contract API tests. They expect someone who:

  • understands the product threat model and can turn it into testable scenarios;
  • can catch security regressions as routinely as functional regressions;
  • talks to engineering in the language of risk and evidence, not only “my test is red”.

That is why Security Testing for QA became one of the strongest levers for compensation: it is a scarce skill that hits P&L (incidents, downtime, compliance, reputation).

If you are shopping for SDET training or SDET courses in 2026, an honest filter is simple: does the program give you security test automation in your stack and artifacts that survive interviews (repo, CI, reports, reproducible PoCs)?

If you are coming from QA and want a map of the territory, this helps: Cybersecurity and OSINT roadmap (with emphasis on which artifacts to collect).

Interviews increasingly ask not “how do you wait for an element”, but “how do you prove a user cannot read another user’s entities”, “how do you catch authorization regressions”, “how do you separate a negative security case from a flake”. Without ready answers and real examples, you stay in the “good automator” bucket—not the “Lead candidate” bucket. Security Testing for QA is the layer that turns automation from a team service into an engineering loop for managing risk.

2. Security-Aware SDET: when test code hunts vulnerabilities, not only status codes

Security-Aware SDET is not “SDET + a certificate”. It is a role where you design tests to reflect access policy and data invariants, not only expected JSON.

Shift Left Security, in SDET terms, looks grounded:

  1. You pin down “who can do what” (roles, tenants, object ownership).
  2. You encode that as an automated security contract.
  3. You run it in CI so a failure means “we almost shipped a vulnerability”, not “random flake”.

The mindset shift: a successful HTTP 200 can be a security failure. Your test must be able to prove it—otherwise you remain in “functional automation” where competition is high and leverage is low.

A Security-Aware SDET does not replace an AppSec engineer and is not required to “break prod” every Friday. The job is to ensure typical access mistakes and trust-contract bugs do not land in main without drama. That is the practical meaning of Shift Left: not threat lectures, but checks that repeat on every PR and read like normal failing tests to developers.

A maturity signal is when tests describe policy: “role X must not see field Y”, “tenant A must not cross into tenant B’s data”, “a guest must not invoke an admin endpoint even with another user’s valid token”. That is security language, still in the SDET shape—code, assertions, reports, traces.

3. Five applied security areas SDETs should automate right now

This is not an abstract “security list”—these are zones where security test automation usually pays back fastest.

3.1. BOLA / IDOR on APIs

The most common real-world bug class: the user is authenticated, but the object is not theirs. For SDETs this is an ideal automation target: two contexts, an object table, negative expectations, stable fixtures.

OWASP API Security Top 10 calls this Broken Object Level Authorization. In practice it is boring and scary at once: change one ID in the URL—and the system returns someone else’s order, document, medical record, financial operation. The automated test must answer: can a legitimate user do an illegitimate action within the credentials they were given? That is why BOLA is the first candidate for security automation: it structures well, scales across endpoints, and produces measurable value.

3.2. Injections and “second layer” validation

Injections are not only SQL. APIs surface non-obvious surfaces: sorting, filters, search, reporting, templates. SDETs should build input sets and assert not only 4xx/5xx, but leak semantics (error distinguishability, side effects, extra fields).

Avoid turning this into “run sqlmap against staging”; embed it in your test-design style: parametrization, boundary values, control that responses do not expose internal error shapes to an attacker. Security Testing for QA overlaps with API quality here—the same defect can be UX/logic and a stepping stone for exploitation.

3.3. Authentication, sessions, tokens

Token refresh, session boundaries, context hopping between services, wrong audience/scope, aging refresh flows. Playwright helps because you can combine browser context and the request API in one style.

SDETs win when they validate invariants, not “login works”: you cannot swap the subject, you cannot reuse someone else’s refresh in your session, you cannot stay authorized after logout on another client if the product promises that. These flows often regress during identity-layer refactors—perfect for automated control.

3.4. Dependencies and supply chain

In 2026, SDETs should understand that CI is also an attack surface: lockfiles, SBOM-style thinking, version policy, vulnerability scanning, caches. You do not have to be a full-cycle security engineer, but not breaking pipeline security hygiene is part of maturity.

At Lead level, teams expect discipline: where secrets live, who can trigger deploys, what lands in artifacts, whether tokens leak into test logs. That is not DevSecOps buzzwords—it is daily hygiene without which pretty automation becomes an incident source.

3.5. Business-logic abuse in APIs

Sometimes the vulnerability is not a CVE but a combination of legal calls: races, double charges, limit bypass, splitting operations. SDETs win by modeling flows and building provable abuse scenarios.

Static scanners struggle: you need scenario, state, and call order. That is why companies look for people who can think like a tester and like an in-product adversary—without mythology and without breaking the law, on agreed test environments and rules.

4. Practice (Playwright): a test that hunts BOLA, not “200 OK”

Below is a teaching skeleton: user A tries to read user B’s profile. We expect 403/401/404 (policy-dependent), but not 200 with someone else’s fields.

TypeScript + Playwright: BOLA check on a REST API (foreign userId)
import { test, expect } from '@playwright/test';

type Profile = { id: string; email?: string };

async function getProfile(request: import('@playwright/test').APIRequestContext, userId: string) {
  return request.get(`/api/v1/users/${userId}/profile`);
}

test('BOLA: user A must not read user B profile', async ({ playwright }) => {
  const userA = await playwright.request.newContext({
    baseURL: process.env.API_BASE_URL,
    extraHTTPHeaders: { Authorization: `Bearer ${process.env.TOKEN_USER_A}` },
  });

  const victimId = process.env.USER_B_ID;
  if (!victimId) test.skip();

  const res = await getProfile(userA, victimId);
  expect(res.status(), 'BOLA: cross-user profile read should be denied').not.toBe(200);

  if (res.status() === 200) {
    const body = (await res.json()) as Profile;
    expect.soft(body.id, 'If 200 happens, at least it must not be victim id').not.toBe(victimId);
  }

  await userA.dispose();
});

What matters methodologically: the test does not celebrate 200—it checks response meaning against ownership. In a real repository you add stable fixtures, tenant markers, negative cases for partial leaks, and CI artifacts.

Typical first extensions: a role×resource matrix, careful checks around ID enumeration on test data, validation that access errors do not reveal existence if the product requires that, and header snapshots so you do not miss accidental Cache-Control on sensitive responses.

When the test fails, value is in bringing not abstract “we are insecure”, but a reproducible scenario: which user, which object, which request, actual status and body. That shortens fix time and increases engineering trust in QA—and accelerates the career of an SDET who communicates that way.

5. Mentorship: the fastest path to ship Security Testing in daily work

Articles and vulnerability lists do not raise salary by themselves. What raises salary is what you ship at work: real bugs caught, risk classes closed, checks embedded in CI, artifacts you can defend in review.

The gap between “I took a course” and “I implemented” is in details: how to shape test data, how not to break staging, how to write assertions that do not noise, how to explain a bug so it gets prioritized, how to stay inside company policy while testing. Individual format accelerates translating knowledge into working habit.

Individual SDET training with a mentor saves time because you do not wander generic labs—you:

  • move tasks onto your stack (REST/GraphQL, Playwright, GitHub Actions/GitLab CI);
  • learn to prove risk in a way developers and leads accept;
  • build a portfolio from real reports and tests, not “certificate for the checkbox”;
  • practice finding real bugs: from hypothesis to minimal reproduction to a test that prevents regression.

The format is not abstract lectures—it is review of your cases with a mentor who sits on the boundary of automation and Application Security. That matters for engineers who need outcomes in KPIs, not “another bookmarked course”.

If you need a cybersecurity mentor and practical Security Testing inside automation, the natural next step is a conversation about your current level and goals. In parallel, see SDET courses (2026) and Application Security Engineer—but this article’s focus is “security as a hard skill” for SDETs.

6. FAQ: 10 questions about moving from plain QA to Security Testing

6.1. Do I have to become a pentester?

No. SDET-level work is security in the product and CI context, not CTF for its own sake. You do not need every red-team skill; you need to systematically test trust boundaries in the application you already test, and automate those checks next to functional tests.

6.2. Where do I start if I only wrote UI for years?

Start with REST APIs and ownership: BOLA/IDOR, negative scenarios, stable tokens and roles. UI remains useful for some flows (cookies, redirects, OAuth), but the center of gravity for security is usually APIs and access policy. Reuse scenario structuring as contract checks and negative matrices.

6.3. Do I need OWASP Top 10 memorized?

No. You need to map risk classes to your endpoints and automate the checks. Top 10 is a useful dictionary; what moves interviews is linking a concrete risk to a concrete test suite and a “we no longer break this silently” metric.

6.4. Playwright or a plain REST client?

Playwright is convenient because it combines browser + request and fits CI. The tool is secondary—the threat model is primary. If the team standardized another HTTP client, that is not a blocker: BOLA and negative-testing principles transfer one-to-one.

6.5. How do I avoid drowning in flaky security tests?

Data isolation, deterministic users and tenants, explicit expectations, no magic sleeps. Separately: do not mix security checks with dependence on external rate limits without mocks; do not shoot production; agree on test accounts and data cleanup policy up front.

6.6. What affects salary more: test speed or security depth?

For Senior/Lead, risk impact matters more. Fast tests that never catch vulnerabilities are valued less. The ideal is fast and meaningful; if you must choose, depth often moves compensation more, but long-term winners optimize both.

6.7. Do I need DevSecOps as an SDET?

You need a minimum: secrets, pipeline permissions, artifact policy, dependency vulnerabilities—otherwise you automate in a sandbox that does not resemble prod. You do not have to become a Kubernetes expert, but understanding how tests get access to environments and secrets is part of a Lead profile.

6.8. What counts as “proof” in an interview?

A PR with tests, a short threat-model RFC, a CI report, a found risk and how you closed it. A strong story: “we caught BOLA before release” with numbers—how many endpoints the matrix covers, how fixtures work, how you reduced false positives.

6.9. How long does the mindset shift take?

Usually four to eight weeks to a tangible first suite if you have practice and feedback. Without practice, theory stretches for months because security does not stick as lists; it sticks through repeatable hunting patterns and postmortems of real failing tests.

6.10. Why is mentorship often faster than a course?

Because you do not spend weeks on someone else’s toy project: you move work onto your real service and get review of your artifacts. A course gives a frame; mentorship adapts the frame to your constraints—stack, process, CI maturity, company security policy.

A strong next step from here is the DevSecOps transition guide plus why many QA engineers hit a ceiling before adding stronger automation skills.

Similar articles

Get a free roadmap review in Telegram

Send your stack, role, target level (Senior/Lead), and what you already automate. We’ll map Security Testing into your daily work and CI.

Join the Telegram channel