How to Become a Penetration Tester: A Career Guide
Cyber security jobs remain in high demand among businesses of all sizes. With a continued skill shortage in the sector, professionals with the right experience and certifications may find great opportunities to find rewarding roles.
One key part of any cyber security strategy is ensuring that defences are robust enough to withstand any hacking attempts. In order to discover any weaknesses, the use of penetration testing is essential, and this offers great opportunities for cyber security professionals with the right skill and qualifications.
What is a penetration tester?
The job of a penetration tester - or pen tester for short - is to take on the role of a malicious hacker and try to break into a business' systems. This will help organisations identify any weaknesses within their networks that may not be obvious to internal cyber security teams or software developers.
What does a penetration tester do?
In essence, penetration testing simulates a cyber attack on a business' network looking for any exploitable vulnerabilities that a hacker may use. They then report on any weaknesses so that cyber security teams can address the issues.
The role has some overlap with the job of ethical hacker, but there are a few key differences. A pen tester will usually have a more limited remit than an ethical hacker. Typically, they will be employed to test the capabilities of a specific system - such as a web application firewall or a wireless network - and have a regular schedule, with a pen test of a certain application being conducted on a quarterly basis, for example.
What are the typical job duties for a penetration tester?
Once you have agreed the brief with an organisation, which will set out the scope of the task and what systems you'll be focusing on, the day-to-day work of conducting a penetration test can be split into a few key areas. These include:
- Planning attacks and conducting reconnaissance
- Scanning systems for entry points
- Staging attacks such as cross-site scripting, SQL injection and backdoors to gain access
- Conducting analysis of system vulnerabilities
Once the testing is complete, professionals will need to write detailed, clear reports on their findings, outlining weaknesses and making recommendations. As such, strong verbal and written communication skills are another essential requirement if you want to be a penetration tester.
Where can you work as a penetration tester?
Penetration testing has traditionally been an office-based role, while professionals in this area can expect to travel frequently in order to meet with clients, plan activities and deliver reports.
However, there are many opportunities for those who wish to be fully or partly remote in this area. In principle, all professionals need to undertake penetration testing services is a computer and an internet connection. In an environment where flexibility is increasingly being offered by employers in response to the changing expectations of workers, there are more remote working options than ever.
How to become a penetration tester
If you're searching for a penetration testing job, there are a few skills and experiences employers will expect. In many cases, pen testing can be an option for someone looking to enter the cyber security sector, though some experience in other fields of IT is often required first. However, there are also many opportunities for pen testers to advance their careers and climb the ladder.
Do I need a degree to become a penetration tester?
A Bachelor's level degree in a relevant field is a great first step if you're looking for penetration tester jobs, and will often be the minimum level of education recruiters will be looking for. Subjects that are likely to be especially useful include:
- Computer science
- Computing and information systems
- Cyber security
- Forensic computing
- Network management
- Computer systems engineering
Some senior penetration tester roles may even require a Master's degree in an area such as cyber security, which can provide a much more detailed education and teach you everything you need to know about how to become a penetration tester.
However, academic qualifications may not always be essential. If you can demonstrate proven skills and work experience in relevant fields, recruiters often view this as advantageous.
Job roles within the IT sector that can lead to a career in penetration testing include:
- Software development and coding
- Security tester
- Security analyst
- Network engineer or administrator
- Security administrator
What are the key hard skills for penetration testers?
To be successful at application penetration testing, there are a range of essential skills you'll need to have on your CV. These include 'soft' skills such as communication, problem solving and attention to detail.
However, while these can be learned through experience, there are also a few sector-specific 'hard' skills you'll need to demonstrate in order to conduct manual penetration testing. These include:
- Coding and scripting, especially in languages such as Python, Powershell and Golang
- Familiarity with common information security and penetration testing tools
- Understanding of various operating systems
- Knowledge of network security protocols
Are there any certifications related to penetration testing?
Industry qualifications and certifications can be another great way to get into a cyber security career as a pen tester. These can give you all the specific information security and network security skills you need to successfully conduct a pen test and make you more attractive to potential employers.
There are a wide range of options available, from entry-level courses and intensive cyber security bootcamp options to Master's level programs aimed at more experienced professionals, so it's essential you choose qualifications that match your level of experience.
An especially useful qualification may be the EC-Council's Certified Ethical Hacker. This is one of the most widely-recognised standards and offers a foundation in everything you'll need for pen testing or ethical hacking.
Other good options if you want to find penetration tester jobs include:
- Offensive Security Certified Professional
- CompTIA PenTest+
- EC-Council Licensed Penetration Tester
- Infosec Institute Certified Penetration Tester
Why pursue a career in penetration testing?
A career in penetration testing offers interesting, stimulating day-to-day work, as well as the potential for good future earnings and opportunities to move into other cyber security roles as you gain experience.
Are penetration testers in demand?
The cyber security sector as a whole continues to face a significant skills shortage, and pen testing is no exception. According to figures from the US Bureau of Labor Statistics, openings for these professions are expected to increase by 31 per cent between 2019 and 2029, much faster than the average for all occupations.
How much do penetration testers make?
Salaries for penetration testers can vary significantly depending on experience, but for those new to the role, earnings of between £20,000 and £30,000 are to be expected. For the sector overall, the average salary for an experienced professional is around £50,000, while senior personnel and those in the most in-demand sectors may be able to earn upwards of £80,000 a year.
What is a typical career path for penetration testers?
Future career paths for penetration testers can be varied. Some people remain in the field, going on to more senior roles or becoming team leaders. The experience gained can also set you up well for positions such as ethical hacking, information security managers or executive roles.
No penetration test is the same as the previous one, so if you're always up for a new challenge, enjoy solving problems and like keeping up with the latest innovations in the tech sector, a career in penetration testing could be right for you.