Today, there is a global shortage of experienced and talented pen testing security experts. The number of skilled and qualified IT security professionals in the field is insufficient to meet the demand of organizations that seek their services to improve the security of their IT systems; accordingly, pen testers currently have no problem finding companies ready to hire them. In fact, many employers are in search of talented technologists who will work closely with red teaming groups in activities devised to identify and evaluate potential vulnerabilities in their information systems and networks.
Through penetration testing, security experts collaborate with customers to check the target organization’s defenses to see that they are operating as intended and also suggest any changes to the security setup as necessary. With the system owner’s permission to take full control of computers on the network, “white hat hackers” will be able to check for holes that could be exploited and discover potential security weaknesses for which the organization should establish safeguards that will protect devices and critical data before they become compromised and used illegally.
A pen test is then a critical component for detecting and responding to InfoSec risks. So, thinking about a job in penetration testing? Well, learning about this line of work and understanding the field’s unique requirements will help IT Security-oriented personnel determine whether a career in this field is in their future.
What Does It Take to Be a Pen Tester?
“As cyber threats continue to grow so does the need for competent Ethical Hacking and Penetration Testing professionals,” suggests InfoSec Institute. Penetration testing is important as it allows organizations to test their resistance to real-world attacks in a controlled environment. Pentesters don’t simply audit the systems to identify issues that can lead to breaches and intrusions but apply techniques similar to those employed by malicious hackers in order to test the infrastructure’s resilience, the real-life effectiveness of the defense measures, the efficacy of the security policies and the ability of staff to recognize social engineering attempts. Organizations resort to both external and internal penetration testing, be it through white box, black box or gray box access methods (see: “The Types of Penetration Testing”), to identify potential security problems so that they can fix or avoid them altogether. After using real-world attack techniques, any number of penetration testing tools, social engineering techniques, and unorthodox methods, pen testers perform a threat assessment and formulate analytic responses to relay findings to infrastructure and development security teams.
A career in penetration testing, then, can be exciting, rewarding and challenging! Also, professionals with good security testing skills currently have great earning potential (see Average Penetration Tester Salary 2016). Now can be a great time to start a career in penetration testing.
In deciding to be a pen tester, one must first understand what becoming one involves. Here are some of the fundamentals of what it takes to succeed in this profession:
- Solid theoretical knowledge. Penetration testing skills can be perfected only after becoming fully versed in the technologies that need to be evaluated and in core solutions
- Acquisition of professional qualifications (e.g., CPT, CEH, OSCP) to demonstrate different levels of competence derived from experience; various certification objectives include penetration-testing methodologies and the use of techniques specific to conducting a pen test. Nowadays, many training and certification options are available that will ultimately lead to a career in penetration testing
- Recertification and continued learning (e.g., training courses, workshops, conferences) to keep skills up to date in relation to penetration testing
Soft skills are also very important. Technical abilities are just part of the make-up of a pentester. Creativity and the ability to think “outside the box” are essential components in always devising newer ways to defeat security countermeasures, just as they are essential components in the make-up of malicious hackers. A pen tester must have the mindset of a hacker, possess analytical skills for testing cyber control defenses in a network, and be able to identify issues and perform system assessments of any potential vulnerability long before the systems are actually under attack.
Pen Testing, Making it a Career: The Training and Certification Options Available
Penetration testing is a methodical profession; practitioners must be prepared to be problem solvers and analytical thinkers. It can be one of the most uniquely exciting career paths an IT Security SME might undertake; the same can be said about an Ethical Hacking Career. Though very closely related and often used interchangeably, it’s important not to confuse the terms “Ethical Hacking” and “Penetration Testing,” as they have different objectives, focuses, and outcomes. (See Ethical Hacking vs. Penetration Testing.) Ethical hacking covers a wider range of techniques to penetrate systems (that can include pen testing). Pen testing is a more focused approach and includes cyber security assessments of specific systems.
So, how do professionals become pen testers? Pentesters can come from different walks of life. A common profile is that of professionals who have attended tech-centric schools or have InfoSec backgrounds through training and who have become acquainted with network security hardening principles and investigative methods for conducting comprehensive threat analysis and risk identification for remediation of identified issues. Professionals with this type of background might be suitable for this profession after acquiring practical familiarity with computer hacking methodologies and techniques.
Pentesters are often already IT professionals (network engineers, software developers, etc.) looking to specialize in a field. However, some testers might simply be students hacking for a hobby or actual malicious hackers changing hats.
Whatever their background, good pen testers have a good mix of theoretical knowledge and hands-on skills. Nowadays, there are a number of training opportunities that offer just the right mix of hands-on, practical skills-developing and formal knowledge in the subject, with universities offering cyber-security degrees with modules in professional ethical hacking and penetration testing. For example, National University offers an Ethical Hacking & Pen Testing specialization, while the SANS Technology Institute’s Penetration Testing & Ethical Hacking Certificate Program is another program with a cohesive and progressive set of learning outcomes.
The InfoSec Institute: Information Security Training also offers professional instruction; in fact, learners can find on its site several of the courses they want or need for a career in penetration testing. For example, taking the 10 Day Penetration Testing Boot Camp or skillsets (Penetration Testing and/or Ethical Hacking Basics) can help beginners understand whether that field is for them. Also, those who have no experience with ethical hacking and penetration testing have the option to check out InfoSec Institute’s Intense School’s Penetration Testing Online for their training to see if it suits their needs. InfoSec Institute, in addition, offers vendor-specific certification programs including EC-Council, IACRB, and GIAC, just to name a few.
Other educational sites exist and offer similar education opportunities, but as the range of learning programs widens, the best advice is always to consider options only from reputable vendors with specific training courses or methodologies that can meet the learner’s needs and requirements for certification. It is especially important to make sure the program also offers a valuable hands-on component to practice skills and apply concepts; to be fit for this occupation, one will need to master the latest advanced-level methodologies, tools, and manual techniques used by ethical hackers in this line of work, which is something that can happen only through hands-on practice. In fact, though education is an asset, demonstrated experience with a deep level of technical knowledge and know-how on the use of existing tools to hack into a system might be more important to an employer than formal degrees.
So, beyond traditional training, many options are available for refining skills and knowledge, including role mastery and professional development, that contribute to learning opportunities for job fulfillment. What if you are unsure about where to begin? A good start is to try Penetration Testing skill sets; this tool assesses knowledge of possible topics that you can run into during your course of study. A look at the Hacker Tract that is geared towards those interested in Hacking and Pen Testing topics could also be beneficial. Instructor-led training (ILT) as well as self-paced, mentored computer-based training (CBT) options are offered for students who cannot attend classes on-site.
The Roadmap to Pentesting
A roadmap is designed to help people determine what career path and training, be it penetration testing or ethical hacking, is right for their specific job needs or career goals. A GIAC Roadmap, for example, is an effective tool that shows what the knowledge progression of a pen tester could be. Needed training and certifications at various stages of the pentester’s career are listed and can guide a professional in choosing the best and most meaningful options to grow in the field. The roadmap shows how to progress from beginner status, by acquiring the fundamentals of information security, to intermediate, with certifications in security administration and forensics. At the advanced level, a pentester will need to prove knowledge of legal issues in data security, forensic analysis, secure software programming, reverse engineering malware and more to progress to the expert level. Certifications like GIAC can help build a career in the field and cover the basic knowledge of different security mechanisms specific to the trade. Available certifications include:
- GIAC Penetration Tester (GPEN)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
InfoSec Institute also has a comprehensive training path to follow, such as the one for CEH that progresses from beginner skills up to advanced ethical hacking and reverse engineering malware skills. For certifications, the InfoSec Institute is an IACRB-approved training provider with course-related certs, including:
- CPT – Certified Penetration Tester
- CEPT – Certified Expert Penetration Tester
What’s more, the Institute offers training services for the following EC-Council certifications:
- CEH – Certified Ethical Hacker (see: Roadmap to CEH Certification)
- CHFI – Certified Computer Hacking Forensic Investigator
- ECSA – EC-Council Certified Security Analyst
- LPT – Licensed Penetration Tester
Both the CEH and CPT courses (now available in online format) cover in-depth hacking techniques to be learned from lectures and hands-on lab exercises.
Pen testers are capable of drawing on all hacking techniques to find system flaws in a targeted environment, with the aim of helping to improve or strengthen the infrastructure’s security defenses as well as mitigate any risks. Why businesses need pen testers is obvious; the rise of InfoSec concerns pushes organizations of any size and industry to increase efforts in security testing to improve their network defenses. In addition to the work of internal, traditional security professionals or external consultants, modern organizations are learning to rely more and more on the work of pentesters who are able to apply hacking techniques and creatively bring “real world” attacks to the network to discover faults and expose vulnerabilities before they are exploited by malicious hackers. A simple pen test, whether specifically designed to test the entire IT substructure or just individual systems, can effectively determine the weaknesses in the infrastructure (hardware) and applications (software) and also assess the readiness and resilience of the workforce along with the efficacy of the security policies (if any) already in place within an organization.
As mentioned by Help Net Security, “Pen testing should be undertaken after deployment of new infrastructure and applications as well as after major changes to infrastructure and applications (e.g. changes to firewall rules, updating of firmware, patches, and upgrades to software).” Such a vital service can only be entrusted to a capable professional who can show their employer a proven track record of continuing education and training. Maintaining that record is essential for pen testers to have the up-to-date skills and knowledge needed to practice in a real job environment while developing their careers and becoming more employable.
Clark, D. (2014, March 3). Skills in demand: Pen testers. Retrieved from http://www.scmagazine.com/skills-in-demand-pen-testers/article/334590/
Cyber Degrees. (n.d.). Become a Penetration Tester. Retrieved from http://www.cyberdegrees.org/jobs/penetration-tester/
Das, C. (2013, December 16). Why Businesses Need Ethical Hackers? Retrieved from
Help Net Security. (2013, September 9). How important is penetration testing? Retrieved from
Monnappa, A. (2015, July 1). How to become a qualified Ethical Hacker? Retrieved from
Skamser, C. (2015, December 17). InfoSec Institute is Worth a Look in 2016 for Your Enterprise Security Centric Technology Training Requirements. Retrieved from http://ediscoverytimes.com/infosec-institute-is-worth-a-look-in-2016-for-your-enterprise-security-centric-technology-training-requirements/
The Ethical Hacker Network. (2011, May 25). Course Review: CPT by InfoSec Institute. Retrieved from https://www.ethicalhacker.net/features/root/course-review-cpt-by-infosec-institute
Verma, E. (2015, April 8). Roadmap to CEH Certification. Retrieved from http://www.simplilearn.com/why-you-should-not-use-smartphone-fingerprint-readers-article