How to Become a Penetration Tester [WITH INTERVIEWS]
This article is about the Penetration Tester career path and how to become a penetration tester. If you’re looking for information on the best resources to learn penetration testing, go to our penetration testing resources article here. If instead you need more information about penetration testing certifications, you can see our comparison reviews on PenTest+ and Certified Ethical Hacker.
What is a Penetration Tester?
A penetration tester is responsible for legally probing into a network to view potential vulnerabilities in their systems. Your job is to simulate real-life cyber-attacks. The U.S. Bureau of Labor Statistics states that penetration testers “ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure”. Like most jobs, the responsibilities will vary depending on the size and type of company that contracted you and the scope of the test. For example, a penetration tester might be working with a website that handles credit card information. The penetration tester would have a different approach to it compared to a website that just wants to make sure their online forums aren’t vulnerable to SQL attacks.
Job Outlook for Penetration Testers
The employment outlook for a penetration tester is much more than average, with the U.S. Bureau of Labor Statistics citing an expected growth of 28%, as compared to the 7% average for the U.S. economy overall (source).
With a growing need for jobs in the cybersecurity field, unemployment is very uncommon for penetration testers. There are still many openings that need to be filled with qualified penetration testers.
The strong job outlook for penetration testers is due to several factors, including a(n):
- Increase in data throughput
- Increase of online marketplaces
- Increase in companies required to have a penetration test
- Everchanging defense against cyber threats
- Increased concern about security
Primary job responsibilities for penetration tester, usually fall into these categories:
- Performing penetration tests. As a penetration tester, you must perform penetration tests.
- Provide remediation suggestions for potential vulnerabilities. This may include what systems or applications need to be patched, how to update certain firewalls rules, and much more. This could also include alternative fixes to these problems in case the best fix is too expensive/impractical.
- Document your findings. This can include what vulnerabilities you found, the impact that they could carry, the exact steps you took to exploit the vulnerability, and remediation tactics.
Here are a few examples of job responsibilities for a penetration tester, as listed directly in postings:
- Clearly communicate potential threats, vulnerabilities and control techniques
- Understand customer needs, risk tolerance, and business environments relating to information security
- Ability to manually examine the system and network configurations, system logs, and devices
- Develop and document new tactics, techniques, and procedures
- Develop scripts, tools, or methodologies to enhance red team processes
- Develop comprehensive findings and accurate reports and presentations for both technical and executive audiences
- Perform reconnaissance and discovery of systems available using scanning tools
Typical Job Requirements of a Penetration Tester
Job requirements for penetration testers will vary based on the position, responsibilities, and level, but will generally require the following:
Most penetration tester positions will require you to have at least a bachelor’s degree in computer sciences, information systems, or a related field. Some higher-level jobs will prefer that you acquire a master’s degree in the fields above. Most positions will also let you substitute this for substantial experience as a penetration tester.
Many penetration tester positions would like you to have prior experience in a related position. Experience requirements can generally range from 2 to 5 years depending on the position itself. Some jobs will also allow you to substitute degree requirements for additional experience in the field in addition to experience already required. Jobs may require experience in:
Industry certifications are sometimes required or preferred depending on the level of work you are doing. Some examples of certifications you may need for a penetration tester position are:
- OSCP (Offensive Security Certified Professional)
- CEH (Certified Ethical Hacker)
- CompTIA Pentest+
- CISSP (Certified Information Systems Security Professional)
- GPEN (GIAC Penetration Tester)
Technical skills for a penetration tester include either direct experience or familiarity of penetration technologies and knowledge, including but not limited to:
- Knowledge of C/ C++/ Python
- Experienced with SQL
- Networking and web-related protocol knowledge
- Active Directory
- Firewall configuration and rule maintenance
- Shell scripting
- Modifying exploit tools
- Reverse engineering malware
Non-technical skills often include:
- Excellent organizational and problem-solving skills
- Ability to work in an unsupervised environment
- Ability to communicate effectively, in English, using all standard forms of business communication
- Excellent people, verbal and written communication skills
- Ability to work well within a team
- Detail-oriented with good time and analytical skills
- Ability to manage production sensitive situations
- Ability to manage multiple projects and tasks
- Presentational skills
A vast majority of the work that you will do as a penetration tester will be indoors in an office environment. Most of the time you will not have to do much heavy lifting because your job mainly involves breaking into people networks in an ethical manner.
Typical Dress Code
As with most other professional jobs in the field, you should follow a business casual dress code. Some penetration tester positions will require you to wear more formal attire such as a tie while others are more lenient and will allow you to wear more casual clothing. Most penetration tester positions will not require you to dress in a suit unless there is a special occasion.
The average salary of a penetration tester in the United States is $80,000, according to payscale.com
There are positions in the cybersecurity field that have similar responsibilities and requirements but have different titles. This depends on the company and its choice of title. The most important factor to look at is the job’s list of responsibilities. For a penetration tester, these similar titles will include similar requirements just with a bit a variation. Some titles you can expect to see that are like a penetration tester are:
- Computer Security Analyst
- Cyber Security Engineer
- Cyber Security Consultant
- Malware Analyst
- Vulnerability Researcher
An Interview with a Penetration Tester
Ron W. is a penetration tester with three years of experience in the field.
Question: What is your primary job responsibility as a penetration tester?
My primary job responsibility is to test systems for vulnerabilities and communicate to my customer where their systems may be at risk.
Question: How would you describe the typical day of a penetration tester?
Much of my time is writing up something, such as a report or proposal. I also try to spend some time each day learning something, which is easier said than done.
Question: What do you enjoy the most about your job?
I really enjoy the process of trying to exploit systems. I always liked to tinker with technology that way.
Question: What do you dislike the most about your job?
It’s really difficult to stay up to date with everything that’s out there. I enjoy learning, but it can get tiring sometimes.
Question: How do you stay up to date with changes in technology?
My employer has paid for several trainings for me, and I also take online classes. But for the most part, I learn a good bit by doing. I love being hands on with the technology.
Question: Would you recommend becoming a penetration tester to someone just starting their career?
Sure, if you have a passion for it. If you have a clean background and are willing to invest the time to learn, it can be a great career field for you.
Question: What advice would you give to someone starting their career as a penetration tester?
Learn as much as you can. Learn to write well and communicate well.
Question: What do you believe the future holds for penetration testers?
I think the future is very bright for us. More employers are facing requirements or regulations that require some sort of vulnerability assessment. I think it will continue to be in demand for a long time.
Question: Are certifications valuable for penetration testers? If so, which ones?
Sure. CEH is pretty popular, and any certification that verifies your knowledge of networks and Linux are good. A lot of people also have the OSCP certification.
Question: Can penetration testers earn salaries of $100,000 or more per year?
Of course. If you’re good at what you do you can command a pretty good salary, which is one thing I certainly like about the field.
Question: What are some of the skills that you list on your resume?
Linux, Python, Splunk, Nessus and so on.