Penetration tester: Is it the career for you?
If you hear of cybercriminals hacking into a system and your first thought is to wonder which vulnerability they exploited, a career as a penetration tester might be the perfect fit. If you're also naturally curious and seeking a high-paying job within the growing field of cybersecurity, a penetration testing job checks all those boxes and more.
As hackers ramp up their attacks on organizations around the globe, penetration testers are in high demand, and they get paid well as a result. The 2021 national average salary in the U.S. for pentesters is $86,241 per year, according to Payscale, with some making more than $130,000.
Dr. Wesley McGrew is director of cyber operations for HORNE Cyber, an author of numerous pentesting tools used by other professionals, a digital forensics trainer, university adjunct professor and frequent presenter at DEF CON and Black Hat USA. He says as a pentester, "you see interesting new things every day, and it's an intellectually rewarding" career.
FREE role-guided training plans
What is penetration testing?
Cybercriminals usually start by searching for vulnerabilities to breach an organization. Their probing tactics vary widely and can target an IT system, web application and others.
Penetration testers are sometimes known as ethical hackers because in their work to identify and close off vulnerabilities before a hacker can find and exploit them, they sometimes perform the very same actions a hacker would use in their attempts to break in.
Penetration testing often starts with covering off on the low-hanging fruit, as the saying goes. Pentesters first search for publicly known vulnerabilities in the interest of addressing any potential entry points. "You can identify publicly known vulnerabilities easily," McGrew says. "Most of the known vulnerability information has documentation on how to test for something specific."
It's finding new vulnerabilities that offer the most significant challenge and reward. In recent years, as networks grow increasingly complicated with the addition of internet-connected devices such as cameras, printers, HVAC accessories and much more, finding new vulnerabilities has become part science, part art. It's also a race to find them before the hackers do.
What does a penetration tester do?
Whether working for a business or a pentesting consultancy, most penetration testers sit within a larger security team and spend their day using a mix of automated testing tools and manual processes, analyzing vulnerabilities or conducting reverse engineering. To learn more about the individual tasks they typically perform, read how to become a penetration tester.
Other professionals choose to work as freelancers, usually after gaining experience working for an organization as part of a team. To understand how to succeed in this type of role, read what is it like being a freelance penetration tester?
Often, vulnerabilities happen when those developing a system don't fully understand how the code is transformed into what the user sees and interacts with on the front end, says McGrew. For pentesters, it's therefore essential to have a lower level of abstraction than the person writing the code.
"The lower and lower you go in the technology stack and the more you understand it in a detailed way, the better," McGrew explains. "I encourage people to learn and to pick up some reverse engineering know-how so they understand vulnerabilities better."
Sometimes, the very nature of penetration testing can seem adversarial in an organization — but it shouldn't be that way, says McGrew. The goal of finding vulnerabilities is to remediate them, and "our goal is to empower clients to get the resources they need to make positive change. We'd rather not be a 'got you.'" Instead, the job of penetration testing is to fortify the security of an organization to stop data breaches before they happen.
How to become a penetration tester
To become a penetration tester, you need a broad knowledge of IT systems and networks and familiarity with cybersecurity principles, threat types and attack vectors.
Gaining this knowledge doesn't mean you have to have a degree, but computer science study is one way to get there. So are certifications that demonstrate your mastery of the subject.
A few to consider include:
- Certified Ethical Hacker (CEH) is valuable for understanding how to perform security assessments.
- PenTest+ is a newer certification from CompTIA that will test your skills around the pentesting process.
- Infosec Institute provides Certified Penetration Tester (CPT) and Certified Expert Penetration Tester (CEPT) certifications, as well as more targeted certifications, such as Cloud Penetration Testing, Mobile and Web Application Pentesting and Red Team Operations.
- Offensive Security Certified Professional (OSCP) is also a popular hands-on penetration testing certification.
While book study is helpful, so is gaining hands-on experience. You can find this through working as a systems administrator. You can also gain valuable insight into a home lab and participate in online capture the flags on virtual machines.
According to McGrew, writing code in multiple languages will also serve penetration testers well, particularly when searching for new vulnerabilities. At his firm, they look for "somebody who can write code in multiple languages, somebody who can demonstrate knowledge in reverse engineering and who can do both application security testing and vulnerability analysis on networks."
To learn more about what it takes to be a penetration tester, watch the Cyber Work Podcast, how to become a penetration tester, with Dr. Wesley McGrew.
What should you learn next?
Sources
Average Penetration Tester Salary, Payscale
Get unlimited and self-paced training for you or teams in your organization with Infosec Skills.
- 190+ role-guided learning paths
- 100s of hands-on labs & cyber ranges
- Custom certification practice exams
In this Series
- Penetration tester: Is it the career for you?
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity