Have you ever wanted to use your cybersecurity know-how and skills to help organizations improve their information security and stamp out vulnerabilities? If so, the role of penetration tester is for you.
For those looking to obtain their first penetration tester role within an organization, do you know how to get to this role in the shortest amount of time possible? This article will detail the two different paths one can take to the role of penetration tester — the degree path and the certification path. We will conclude with a solid recommendation for which path you should take.
A little about the role
Penetration testing is a type of ethical hacking that tries to break into or find exploitable vulnerabilities in an organization’s network, computers and systems.
Penetration testers, or pentesters, run predetermined penetration tests or tests they designed themselves and then fill out assessments explaining the test’s findings. Those findings are communicated/presented to the organization. You can think of it as a sort of tune-up to the organization’s information security by filling in weaknesses in security and then periodically retesting to continually improve.
Some career path authorities hold that the role of pentester is not an entry-level role, but this assertion is inaccurate. According to a career path survey of current pentesters, it was found that nearly 10% of pentesters identify as being entry-level. This is a significant enough percentage to establish that while fewer pentesters may be entry-level than other cybersecurity disciplines, those with the right knowledge and skills can, in fact, reach this role right out of the proverbial gate.
The first path many think of for a cybersecurity role is the degree path. Think of it as the traditional route to a role: after all, isn’t getting a job the whole point of earning a degree?
Hiring organizations tend to request one degree more than in another in many cases and pentesting is no exception. Of hiring organizations seeking pentesters, below is a distribution of just how in demand the different degrees are.
- Sub-bachelor’s (associate degree) — 6%
- Bachelors — 72%
- Graduate (master’s) — 22%
After you have decided which type of degree to choose, you need to choose a major. The thing with pentesting is that there is not one major that fits this role. Instead, you should apply a major from a related discipline to this role. Some recurring majors that hiring organizations see on a regular basis are:
- Computer science
- Information technology
- Information security
- Information systems
Even more so than other cybersecurity roles, pentesting is possibly the most degree-agnostic of all of them. With that said, there is a stronger path for pentesting candidates to prove their prowess with the knowledge and skills for the pentesting role.
The other path aspiring pentesters can take is the certification path. This road takes you past the doors of many certifications that can single-handedly verify your knowledge and skills to hiring organizations, but some are indeed better than others. Below is a list of the top certifications for entry-level pentesters.
Certified Ethical Hacker (CEH)
Hosted by EC-Council, the Certified Ethical Hacker (CEH) certification is possibly the most respected ethical hacking skills certification around today, covering key entry-level pentester knowledge. CEH will verify that the certification holder has the ability to slip into the mindset of a hacker in terms of how they would view the organization’s information security environment in order to further improvement.
In terms of material, CEH represents a comprehensive universe of ethical hacking. It ranges from network and communication technologies and their respective security threats and attack vectors all the way to tools, analysis and ethics. Organizations tend to view candidates with this certification as being solidly suited for the role, making this certification essential for entry-level pentesters.
Released by the well-known certification organization CompTIA, this solid pentesting certification is a logical first certification to earn towards this role. This certification verifies a wide range of pentesting knowledge and skills and is composed of the following domains of knowledge:
- Planning scoping
- Information gathering and vulnerability identification
- Attacks and exploits
- Penetration testing tools
- Reporting and communication
This knowledge base is required of all pentesters, making this certification a good solid foundation to build a pentester career on. Certification candidates will need to pass a hands-on, 85-question exam to earn this certification.
Certified Mobile and Web Application Penetration Tester (CMWAPT)
Hosted by the Information Assurance Certification Review Board (IACRB), this certification is particularly valuable in a couple of ways.
First, mobile and web applications are typical points of vulnerability or security weaknesses, so a pentester will need a substantial amount of pentesting knowledge on this subtopic.
Second, not many certifications focus specifically on mobile and web applications aside from being just a fraction of material covered. This certification will give its holder a leg up on other job applicants that do not have the honed knowledge and skills this cert conveys. The domains of knowledge this certification covers are:
- Mobile and web application pentesting processes and methodology
- Web app attacks
- Web app vulnerabilities
- Android app attacks
- Android app components
- IoS app attacks
- IoS app components
- Secure coding principles
The role of pentester is valuable for organizations that want to improve their information security by using hacking skills against it. You could compare it to sparring, where the sparrer improves over time by constant practice and working on their own weaknesses.
Getting to the role of entry-level pentester is not the most common, but definitely doable. In terms of which path to take, the certification path wins big here. Certifications are far more on point in terms of verifying the knowledge and skills of pentesting than degrees are, as degrees normally only cover this material tangentially. If you are looking to obtain an entry-level pentesting role, aim for as many certifications as you can, and you will soon be a prime candidate for this great role in cybersecurity.