Submitted by cyberjerry42 t3_10nnsg4 in IAmA
Security_Chief_Odo t1_j69vdzp wrote
Do you have much experience creating exploits or finding CVEs, or mostly just using Metasploit and other scanning tools?
What do you enjoy most about being in offensive security?
cyberjerry42 OP t1_j69wfgk wrote
I have to start by stating that I do not work for a security company, I work as a pentester for a tech company.
The company which I'm working at is very active on preemptively detecting CVEs (with tools like Snyk, for example) in our dependencies, so Metasploit doesn't really fit the kind of pentests we typically do. Most of our products are either built in-house or heavily scanned before being deployed. I do however use tools that are a little more focused on certain aspects to do my reconnaissance or to catch reverse shells when it comes to it, like Burpsuite, Pwncat, Feroxbuster, etc.
In terms of finding CVEs, since I only do research on our own product, I don't really "find CVEs" which will get indexed into the CVE databases. I will typically find flaws that will get patched before reaching production or that will quickly get hot-fixed.
I have to say what I enjoy the most is the cliche "I'm in" feeling. It's usually very hard to find serious vulnerabilities in a well-designed product, but once in a while you'll find a very unique or odd way of making something do something it's not supposed to, and it's an insanely satisfying feeling :) I am also a staunch believer that what I'm doing is "for the greater good".
Security_Chief_Odo t1_j69zrxs wrote
Ahh okay, so you mainly are focused on your own products and web-based vulnerabilities.
cyberjerry42 OP t1_j6a0mb2 wrote
Exactly! Mainly web-based stuff, breaking our internal services (APIs) and a lot of cloud infra pentesting (AWS & GCP mainly).
cyberjerry42 OP t1_j69wyrp wrote
Oh, and I do create exploits, but typically they are very specific to the use case and wouldn't be very useful in the wild. I do however work on some internal projects that should be made open-source at some point, but they are typically more recon-centric.