Penetration Testers (also called White Hat Hackers or Pen Testers) are paid to test for the security weaknesses and vulnerabilities present in software, systems, networks, and web applications. They often use the same tools and techniques as their black-hat counterparts; the idea is to understand how an attacker might compromise a system.
At heart, a pen tester is a hacker, but the main difference is that they are contracted, paid, and given a defined scope for the engagement. They are also expected to report, ethically, every vulnerability and security concern they find, so that the target organization can fix them and improve its security posture.
If you love looking under the hood to understand exactly how something works, if your curiosity leads you to prod and poke at something until you know it intimately, and if you love a good puzzle, then penetration testing might be for you.
Pen testing is not all hacking; there are plenty of meetings, reports, and discussions of findings with clients, which you will either love or hate.
In a typical engagement you might be hired to test a range of IP addresses, and you will be expected to document every technique, method, and finding as you go in order to produce a comprehensive penetration testing report.
No two engagements are likely to be the same, and you will be tested constantly, needing lateral thinking and creative ideas to overcome obstacles. You will have plenty of opportunities to test your technical knowledge to the limit.
Becoming a Penetration Tester: Roles and Responsibilities
During an engagement, you can expect to carry out all stages of a penetration test, including:
- Planning and Reconnaissance
- Gaining Access
- Maintaining Access
- Analysis and Reporting
Not all penetration tests will result in system access or a broken application; it may be enough to prove that exploitation is possible and that the system carries risks that an attacker could take advantage of.
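The scope of the engagement mentioned above is enforced before the first packet is sent, not after. The following is an added example (not code from the original page) of a scope check a tester would run over a target list before scanning: every target must fall inside an agreed range and outside every excluded range. The CIDR ranges and target list are constructed for illustration; on a real engagement they come from the signed rules of engagement.

```python
"""Engagement scope check: refuse to touch anything outside the agreed ranges.

Added illustrative example; the ranges below are constructed, not from any real client.
"""
import ipaddress

# Constructed sample scope. 192.0.2.0/24 is a documentation-only range (RFC 5737).
IN_SCOPE = ["10.10.0.0/16", "192.0.2.0/24"]
# Constructed exclusions: e.g. a production database segment and the client's gateway.
EXCLUDED = ["10.10.5.0/24", "192.0.2.1"]


def build_scope(in_scope, excluded):
    """Parse CIDR/host strings into network objects once, up front."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in in_scope]
    denied = [ipaddress.ip_network(n, strict=False) for n in excluded]
    return allowed, denied


def in_scope(target, allowed, denied):
    """Return True only if target is inside an allowed range and outside every excluded range.

    Anything that is not a literal IP address is rejected: hostnames must be resolved
    first and the resulting addresses re-checked, otherwise a DNS change could silently
    move a target out of scope between the kickoff and the scan.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    if any(addr in d for d in denied):
        return False  # exclusions win over allowances
    return any(addr in a for a in allowed)


def filter_targets(targets, in_scope_ranges, excluded_ranges):
    """Split a raw target list into (ok, rejected) so the rejected ones can be documented."""
    allowed, denied = build_scope(in_scope_ranges, excluded_ranges)
    ok, rejected = [], []
    for t in targets:
        (ok if in_scope(t, allowed, denied) else rejected).append(t)
    return ok, rejected


if __name__ == "__main__":
    # Constructed target list mixing in-scope, excluded, out-of-scope and malformed entries.
    sample = ["10.10.1.5", "10.10.5.9", "192.0.2.1", "192.0.2.7", "203.0.113.4", "db-01"]
    ok, rejected = filter_targets(sample, IN_SCOPE, EXCLUDED)
    print("scan:", ok)
    print("do not touch:", rejected)
```

The rejected list is kept rather than silently dropped, because the report should record what was deliberately not tested and why; that is as much a finding as any exploited host.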
“More than ever before, people understand the software security challenge, and penetration testing deserves credit for helping spread the word. But knowing a security problem exists is not the same as knowing how to fix it. In other words, penetration testing is good for finding the problem but does not help in finding the solution – and that is why it must take a long hard look at itself and then make a change.”
The tasks performed by a penetration tester can vary, and specializations within the field are possible:
- Penetration testing engagements against web applications, computer systems, and networks
- Test and create penetration testing scripts, tools, and methodologies
- Review and appraise the physical security protecting access to sensitive systems
- Identify techniques that attackers may use to abuse weaknesses present within application logic flows
- Carry out social engineering campaigns to assess the effectiveness of cyber education within an organization
- Perform risk assessments taking into consideration probability (likelihood of an event occurring) and loss (impact of the event taking place)
- Continuously research the latest security findings and their potential impact on present and future clients
- Advise clients on methods and the best course of action to resolve outstanding security risks
- Review client remediation efforts for effectiveness and their ability to remove the security exposures previously identified
- Improve existing methods, documentation, and best practices to increase the penetration testing team's effectiveness and efficiency
- Meet with stakeholders at all levels, from technical staff through to C-level executives, to discuss penetration test findings
- Provide feedback and verification as an organization fixes security issues
PENETRATION TESTER CAREERS
Penetration Tester Career Paths
Pen testers come to the field from all angles. Some take up hacking at university; others use their CS degree to focus on cybersecurity. Regardless of your path, employers are unlikely to hire you straight out of school. You can always consider gaining experience in IT jobs such as:
- Security Administrator
- Network Administrator
- System Administrator
- Network Engineer
After you have proven your worth as a Penetration Tester, you may find better pay as a:
- Senior Penetration Tester
- Security Consultant
- Security Architect
Penetration Tester Vs. Vulnerability Assessor
There is a lot of confusion about the difference between Penetration Testers and Vulnerability Assessors. We like Daniel Miessler's explanation:
“Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.”
“Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them.”
In simple terms, Vulnerability Assessors are list-oriented and Pen Testers are goal-oriented.
Penetration Testers are also known as:
- Ethical Hacker
- Assurance Validator
PENETRATION TESTER SALARIES
According to Payscale, the median salary for a Penetration Tester is $81,356 (2019 figures). Overall, you can expect total pay of $49,252 to $134,946. This includes base annual salary, bonuses, profit sharing, tips, commissions, overtime pay, and other forms of cash earnings, as applicable.
PENETRATION TESTER JOB REQUIREMENTS
Job descriptions for Penetration Testers can vary widely. For example, candidates for Red Team openings may need a BS or higher in cybersecurity, 2-5 years of experience, and OSCP certification. Applicants for Junior Penetration Tester jobs may only need 1-3 years of experience in information security, solid technical skills, and a GPEN, OSCP, eJPT, or eCPPT certification. Take a minute to browse the job openings in your chosen arena (e.g. finance) to see whether you need to buff up your résumé.
We also recommend that you hone your practical skills any way you can. Liaise with other pen testers at hacking conferences, research potential certifications, look into MOOCs and training courses, set up a pen testing lab, learn from other pen testers, and read, then read some more.
A number of Pen Testers don’t hold a specialized degree. Since ethical hacking is more about skills than course credits, a bachelor’s or master’s degree in cybersecurity could be unnecessary if you have appropriate job experience. Having said that, we’ve noticed that intermediate-level job descriptions are increasingly demanding that candidates hold a BS or MS in IT, computer science, or cybersecurity. Talk to your mentors about your options.
NOTE: SANS offers a Graduate Certificate in Penetration Testing & Ethical Hacking for working professionals.
Overall, employers appear to be looking for 1-4 years of security-related experience with practice in penetration testing and vulnerability assessments. The range for Senior Penetration Testers is more variable. It may be as low as 3 years and as high as 7-10 years of experience.
Pen testers conduct security audits, develop code, automate processes, reverse engineer binaries, and more. So try to learn as much as you can about operating systems, software, communications, and network protocols.
Here are technical skills we have seen employers favoring:
- Windows, UNIX, and Linux operating systems
- C, C++, C#, Java, assembly (ASM), PHP, Perl
- Network services and security testing tools (e.g. Nessus, Nmap, Burp Suite)
- Computer hardware and software systems
- Web-based applications
- Security and compliance frameworks (e.g. ISO 27001/27002, NIST, HIPAA, SOX)
- Security tools and products (Fortify, AppScan, etc.)
- Vulnerability analysis and reverse engineering
- Metasploit Framework
- Forensics tools
- Cryptography principles
Writing your résumé? Start with the standard list of soft skills: creativity, problem-solving, and analytical thinking. Show proof of your high ethical standards. Demonstrate your "out-of-the-box" approach. Note your scrupulous attention to detail.
Written and oral communication skills are two other big ones. In addition to the amount of paperwork (writing reports and assessments), you might be surprised at how often you will have to talk to people. Part of your day will involve explaining your methods to technical and non-technical audiences. You could also be coordinating social engineering initiatives.
Certifications For Penetration Testers
There is no master list of preferred certifications for pen testing. Although it is popular within the IT industry, CEH is fairly loosely regarded. We recommend you ask colleagues about the pluses and minuses of accreditations like CPT/CEPT, GPEN, and, especially, OSCP.
- CEH: Certified Ethical Hacker
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional
- CISSP: Certified Information Systems Security Professional
- GCIH: GIAC Certified Incident Handler
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- CCFE: Certified Computer Forensics Examiner
- CREA: Certified Reverse Engineering Analyst