Positioning can be everything in life. Whether you are trying to apply the appropriate amount of torque to a nut when changing a tire or trying to establish the optimum amount of control over a jiu-jitsu opponent, this statement holds true. The same applies to a career in cybersecurity: you want to position yourself for success. When establishing position as a late-career penetration tester, there is a particular approach that will be most useful to you.
This article will detail the two different paths to reaching the late career for a penetration tester — the degree path and the certification — and will conclude with a solid recommendation for which approach you should take toward path selection.
What is penetration testing?
For those first encountering penetration testing through this article, penetration testing is a type of ethical hacking that tries to break into, or find exploits in, an organization’s network, computers, and systems. Penetration testers, or pentesters, run predetermined penetration tests or tests they designed themselves, and then fill out assessments explaining the test’s findings which are communicated/presented to the organization. You can think of it as a sort of tune-up to the organization’s information security by filling in weaknesses in security and then periodically retesting to continually improve.
Late career is the pinnacle of one’s career path and getting to this point will put you in an elite group of pentesters. In fact, the late-career field is composed of only 3.9% of all pentesters in the workforce, based on a survey of active pentesters.
Aiming for the late career of a pen testing role positions you well for earning an advanced degree. However, before you reach the graduate level, you will have to first earn your bachelor’s degree. Many hiring organizations will require at least a bachelor’s degree to earn a role as their late-career pentester, so much so that current mid-career pentesters should consider earning their bachelor’s degree if they have not already. Keep in mind that organizations sometimes sponsor education, so make sure you take advantage of that.
While there is yet to be a pentester undergraduate degree, pentesters bone up their education base with an adjacent discipline. Hiring organizations frequently see the following undergraduate majors applying for pentester positions:
- Information security
- Information technology
- Computer science
- Computer engineering
With the bachelor’s degree out of the way, competitive pentesters do not rest on their educational laurels. Rather, they continue their education by obtaining a graduate degree. This degree, normally a master’s, will also have to be in in of the adjacent majors listed above, as there is currently a lack of master’s degrees in penetration testing offered by graduate degree-issuing institutions. This may change over time as the field of pentesters and knowledge base grows.
The other path an aspiring late-career pentester can take is earning certifications. This is a great way to demonstrate to hiring organizations that you have the verified pentesting knowledge base and skill set required to competently and masterfully serve in this role. The following are the top certifications for the late-career pentester.
Licensed Penetration Tester Master (LPT)
Hosted by EC-Council, LPT is an expert-level certification which verifies to hiring organizations that you have the advanced penetration skills required of a late-career pentester. EC-Council has stated that the proposed intent of this certification is to “differentiate the experts from the novices” of pentesting — and this is exactly what you will want in order to reach in the late career.
The LPT certification exam is comprised of three six-hour-long sections. It is interesting in that it presents a simulated multi-layered network where candidates will have to make multiple decisions as they work through the network to attempt to exfiltrate data.
Certified Expert Penetration Tester (CEPT)
CEPT is offered by the Information Assurance Certification Review Board (IACRB. This certification is another verification of the advanced, expert-level pentesting skills that are necessary to reach this peak of the proverbial career path mountain.
You have worked hard and invested time, blood, sweat and tears in your career, so make sure you have enough certifications to back up this bold statement to hiring organizations. In fact, IACRB has forwarded a lengthy definition of what it means to be an expert penetration tester here.
The CEPT certification exam covers an extensive amount of material — nine domains of knowledge to be exact:
- Penetration testing methodologies
- Network attacks
- Network recon
- Windows shellcode
- Linux and Unix shellcode
- Reverse engineering
- Memory corruption/buffer overflow vulnerabilities
- Exploit creation — Windows architecture
- Exploit creation — Linux and Unix architecture web application vulnerabilities
As I promised earlier, there is one approach that is better than any other, and that is to earn an advanced degree and multiple certifications. Part of being at the late career level is that you have had the time to earn at least one degree (bachelor’s) and at least a couple of certifications. The certifications above only relate to advanced, expert-level pentesters and you will want to earn some more foundational level certifications previously.
While pentesting is far less of a jack-of-all-trades role than others in the cybersecurity family, it still requires an expert, well-defined and verifiable mastery of pentesting knowledge and skills. So buckle down, earn that last certification and go after your dream pentesting job. After all, this is what the career path is all about.
- How to Become a Penetration Tester, Cyber Security Education
- The Career Path to Becoming a Great Penetration Tester, EC-Council Blog
- Certified Expert Penetration Tester (CEPT), IACRB