Key role: Penetration tester
If you're looking for a new career in cyber security, penetration testing is currently in high demand. Hackers are always looking for new ways to gain access to businesses' systems, and therefore, firms need to know their defences are robust enough to keep criminals out.
As a result, individuals who can simulate the tactics of these attackers are hugely valued by employers. But what does this role involve, and what do you need for a successful penetration tester career?
What is a penetration tester?
A penetration tester's role is to help businesses identify weaknesses in their network security by attacking them from the outside, using the same techniques and tactics as a real hacker.
It is sometimes equated to ethical hacking, but it is a much more specific role. Their activities will be fully approved by the business and they will be seeking out vulnerabilities in a specific system to test out a firm's defences.
Penetration testing is also not to be confused with vulnerability testing. Vulnerability testing is performed as part of the design process, assessing where any weaknesses may lie across a system, and is usually heavily automated.
Penetration testing is much more targeted, primarily requires a human factor, and takes place on live systems, once the development team thinks they are secure. A penetration tester will be given a specific task, such as gaining access to a customer database, and will be free to try and complete it however they see fit.
What are the duties of a penetration tester?
The main day-to-day work of a penetration tester will be attempting to hack into their target systems using whatever methods they can think of to simulate real attacks. However, this is only one part of their overall responsibilities.
Penetration testers also conduct physical security assessments of systems, servers and networks. They may work on-site or remotely when attempting to gain access to systems.
Strong documentation is also a key part of a penetration tester's job. They must be able to keep a complete record of their activities, what worked, and explaining what the impact of their actions would be if they were real.
Creating final reports that offer conclusions including recommendations for improvements is vital. These will need to be tailored to multiple intended audiences, with those written for board members needing to be less technical than those for the use of the security team, for example.
What skills do you need for a penetration tester career?
To be successful as a penetration tester, you'll need a mix of technical knowledge and soft skills. Some of the essential hard skills you'll require include:
- Detailed knowledge of exploits and vulnerabilities
- Strong coding abilities
- Advanced understanding of operating systems
- Working knowledge of key networking protocols.
For softer skills, a desire to learn and a deep curiosity are hugely valuable for penetration testers. Penetration testers will find themselves working on a wide variety of systems, especially if they work on a consultancy basis, so those who enjoy new challenges will find this a rewarding career path.
Effective communication skills - both verbal and written - are a must to ensure that any recommendations you provide are understood and followed up on. The ability to collaborate well is also not to be overlooked, as penetration testers will often work in teams.
When it comes to qualifications, a degree in a field such as computer science, cyber security, network management or system engineering will be highly sought-after. In addition to this, you can study for several industry certifications that showcase your skills in this area. These include:
- CREST Registered Penetration Tester (CRT)
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH) Certification
What job roles are there for penetration testers?
Many businesses employ penetration testers in-house. This is especially true for larger enterprises and those that deal with highly regulated or sensitive data, where there is a constant need to evaluate their systems and stay ahead of the hackers.
Others work on a freelance or consultancy basis, which can allow them more flexibility in where and how they work - though these positions will usually require you to have already gained experience in the area.
For in-house roles, salaries for penetration testers can vary widely based on skills and experience, with entry-level professionals starting at £20-30,000, whereas the most in-demand consultants can command salaries of around £80,000. Freelancers can usually expect to charge around £400 to £500 a day for their services.
If you're looking for a career in this area, check out what penetration tester jobs are available today to find the role that's right for you.