Penetration testers, also known as pen testers, help organizations identify and resolve security vulnerabilities affecting their digital assets and computer networks.
Some professionals hold in-house positions with permanent employers, functioning as part of internal cybersecurity or information technology (IT) teams. Other pen testers work for specialized firms that provide services to clients.
Industries that deal with sensitive, personal, classified, or proprietary information tend to hire penetration testers. Employers increasingly prefer applicants with a bachelor's or master's degree in computer science, IT, cybersecurity, or a related specialization.
However, some employers may care more about the candidate's knowledge and experience than their formal educational backgrounds.
The cybersecurity profession tends to attract people with advanced technical and problem-solving skills.
The Bureau of Labor Statistics (BLS) includes penetration testing in the job duties information security analysts perform. The agency projects a 35% increase in demand for information security analysts from 2021 and 2031. The BLS also reports a median annual salary of $102,600 in 2021.
What Does a Penetration Tester Do?
Some penetration testing jobs carry other titles, such as "ethical hacker" or "assurance validator." These positions have similar duties to a penetration tester: to seek, identify, and attempt to breach existing weaknesses in digital systems and computing networks.
These systems and networks include websites, data storage systems, and other IT assets.
Many people confuse penetration testing with vulnerability testing. These two cybersecurity specializations have distinct differences.
Vulnerability testers look for flaws and weaknesses during a security program's design and setup phases. Penetration testers specifically seek out flaws and weaknesses in active systems.
Penetration testing teams simulate cyberattacks and other security breaches designed to access sensitive, private, or proprietary information. They utilize existing hacking tools and strategies and devise their own.
During a simulated attack, pen testers document their actions to generate detailed reports indicating how they managed to bypass established security protocols.
Penetration testing teams help their employers avoid the public relations fallout and loss of consumer confidence that accompany actual hacks and cyberattacks. They also help businesses and organizations improve their digital security measures.
Key Soft Skills for Penetration Testers
A Desire to Learn: Hackers and cybercriminals constantly change their strategies and tactics as technology evolves. Penetration testing professionals need to stay updated on the latest developments on both fronts. A Teamwork Orientation: Penetration testers often work in teams; junior members perform duties with lower levels of responsibility and report to senior members. Strong Verbal Communication:Team members must share their findings in clear language that people without advanced technical knowledge or skills can understand. Report Writing: Strong writing skills serve penetration testing professionals well because their duties include producing reports for management and executive teams.
Key Hard Skills for Penetration Testers
Deep Knowledge of Exploits and Vulnerabilities: Most employers prefer candidates whose knowledge of vulnerabilities and exploits goes beyond automated approaches. Scripting and/or Coding: Testers with good working knowledge of scripting and/or coding can save time on individual assessments. Complete Command of Operating Systems: Penetration testers need advanced knowledge of the operating systems they attempt to breach while conducting their assessments. Strong Working Knowledge of Networking and Network Protocols: By definition, understanding how hackers and cybercriminals operate requires penetration testers to understand networking and network protocols like TCP/IP, UDP, ARP, DNS, and DHCP.
A Day in the Life of a Penetration Tester
Pen testers spend most of their timeconducting assessments and running tests. These duties may target internal or external assets. Pen testers can work both on site and remotely.
During the morning, the tester or testing team decides on a strategy for the project at hand, and sets up the required tools. In some cases, this involves rounding up what professionals call "open-source intelligence" or OSINT, which real-life hackers draw on when trying to bypass security measures and initiate attacks.
In the afternoon, teams carry out the tests they spent the morning designing. Other duties include performing simulations to assess other aspects of internal risk.
For instance, penetration testing teams may target select employees with phishing scams or other false breaches to see how those responses affect established security protocols.
Penetration Tester Main Responsibilities
Plan and Design Penetration Tests: Penetration testers must develop experiments and simulations that evaluate the effectiveness of specific, existing security measures. Carry Out Tests and Other Simulations: After planning and designing assessments, penetration testing teams carry out investigations and document their outcomes. Creating Reports and Recommendations: Penetration testing teams convey findings into reports to present to their supervisors and other key organizational decision-makers. Depending on the intended audience, these reports may use either lay or technical language. Advise Management on Security Improvements: Senior members of penetration testing teams often work directly with company management, communicating the level of risk posed by specific vulnerabilities and offering advice on how to address them. Work With Other Employees to Improve Organizational Cybersecurity: Penetration testing professionals cooperate with other cybersecurity and IT personnel to educate employees on steps to boost the organization's cybersecurity levels.
Learn More About a Typical Day for a Penetration Tester
Salary and Career Outlook for Penetration Testers
The BLS predicts explosive growth in the cybersecurity field. The projected employment growth for security analysts is 35% from 2021-2031, which far outpaces the average rate for all other occupations.
The BLS projects around 19,500 annual job openings for information security analysts, a field which includes penetration testers.
As of December 2022, Payscale reported a typical base salary of nearly $90,000 per year for pen testers. At the low end (bottom 10%), pen testers earn about $70,000 per year. At the high end (top 10%), they make up to $125,000 per year. Pay rates in major metro areas and leading tech hubs tend to be on the higher end of the scale.
As in many career paths, experience and education influence earning potential. With additional experience and skills,penetration testerscan make more money.
Annual Average Salary
$90,000
Source: Payscale
See How Location Affects Salary for Penetration Testers
History of Penetration Testers
In the 1960s, computer systems became capable of exchanging data across communication networks. Security experts quickly realized these data exchanges were vulnerable to external attacks.
The increasing role of computers in government and business made it necessary to create effective safeguards.
In 1967, more than 15,000 computing experts and public and private sector officials met at the Joint Computer Conference. They discussed the issue of network penetration, a concept that would become known as penetration testing.
Early efforts bythe RAND Corporation helped create a systematic approach to penetration testing. Advanced computer security systems like the Multiplexed Information and Computing Service (Multics) then emerged. Multics functioned as the industry's gold standard until about 2000.
Since that time, penetration testing has become increasingly complex and specialized. Today, pen testers draw on various advanced tools to identify and close off system vulnerabilities. Penetration testing has also become a big business, with 2021 estimates placing the value of the global cybersecurity industry at $217.9 billion.
Similar Specializations and Career Paths
Cybersecurity offers many career paths beyond penetration testing. Senior roles with high levels of responsibility often require multiple years of experience and advanced degrees.
Other positions are open to job-seekers with the same educational backgrounds as penetration testers. These include information security analysts, security software developers, and network security architects.
Candidates can pursue security-related career paths after earning a computer science degree with a cybersecurity specialization. However, general computer science, computer engineering, and information technology degrees may also qualify job-seekers for entry-level roles.
As their careers advance, professionals may choose to supplement their existing education with higher degrees. Others elect to pursue industry-standard certifications offered by organizations such as CompTIA, EC-Council, and GIAC.
Additional certifications can help cybersecurity professionals advance into roles with high pay and strong growth potential.
For instance, the BLS projects that demand for information security analysts will grow by 35% between 2021-2031. The median annual pay for information security analysts exceeded $100,000since May 2020.
| Description | Required Education | Required Experience | Median Annual Salary (2021) | |
|---|---|---|---|---|
Information Security Analyst | Security analysts plan and implement strategies to protect their employer's computers and networks from intrusions and attacks. | Bachelor's degree or higher in computer science, computer programming, information technology, or cybersecurity Some companies prefer candidates with specialized MBAs in information systems | Multiple years in a related position, such as database security or systems administration | $102,600 |
Security Software Developer | These professionals specialize in developing software-based tools for enhancing organizational computer and network security. | Bachelor's degree or higher in computer science, software development, information technology, computer engineering, or mathematics | Previous experience in quality assurance (QA) testing or a related position may be an asset | $109,020 |
Security Architect | Computer network architects design, implement, and monitor the security features used in communication network infrastructure. | Bachelor's degree or higher in computer science, computer engineering, or a specialized information systems discipline | 5-10 years in IT roles such as systems analysis or database administration | $120,520 |
Source: BLS
Explore more jobs in cybersecurity
How to Become a Pen Tester
The typical journey to becoming a penetration testerbegins in high school or college. During this time, people often discover and explore their interest in computer science and IT, building technical skills and knowledge of operating systems, scripting, coding, and programming.
Students proceed into computer science, computer engineering, IT, or cybersecurity degree programs.
Entry-level penetration tester requirements include both education and experience. A bachelor's degree increasingly serves as the minimum necessary level of schooling.
Candidates then build penetration tester skills by working in entry-level IT positions, including system or network security and administration roles. Professionals can also pursue industry certifications. After 1-4 years of employment, emerging professionals may possess the knowledge and experience to land penetration testing jobs.
- Associate in Cybersecurity Programs
- An associate degree in cybersecurity offers a quick route to entry-level careers. Explore top programs here.
- Bachelor’s in Cybersecurity Programs
- A bachelor's degree is the most common entry-level education requirement for pen testers. Find your match with this resource.
- Master’s in Cybersecurity Programs
- Develop advanced cybersecurity and penetration testing skills by upgrading to a master's degree. This page lists leading opportunities.
- Bootcamp Programs in Cybersecurity
- People of all experience levels can build and sharpen penetration testing skills in bootcamp programs.
- Online Certificate Programs in Cybersecurity
- Certificate programs offer a compact path to valuable credentials. This page explains nondegree programs in cybersecurity.
- Certifications for Cybersecurity Professionals
- Established tech professionals often supplement their education by earning recognized certifications. This page explores certifications specific to cybersecurity.
Resources for Penetration Testers
Information Systems Security Association International: This collaborative professional network unites cybersecurity professionals worldwide through training programs, workshops, and career services. ISSA also maintains a fellows program for ambitious professionals. (ISC)2: This leading nonprofit cybersecurity organization features a membership base of more than 150,000 professionals. It offers respected certifications, exam preparation resources, career services, and many other perks. Comp-TIA: Another respected global leader in cybersecurity, the Comp-TIA organization offers specialized training programs, continuing education, and certifications. Members also gain access to an exclusive career center. ISACA:This enterprise-oriented organization offers benefits including members-only career fairs and job boards, international conferences, and more than 200 local chapters that host training workshops and events. ISACA offers student, recent graduate, and professional membership levels.
Learn More About Penetration Testing Careers
How to Become a Penetration Tester
To become a penetration tester, you will need specialized education and targeted skills. This guide explains the journey in detail.
Learn More
Salary and Career Outlook for Penetration Testers
Penetration testers enjoy strong job prospects and earning potential in an increasingly high-tech world filled with cyberthreats.
Learn More
Day in the Life of a Penetration Tester
What does a penetration tester do, exactly? This page breaks down a typical day on the job for a pen tester.
Learn More
Penetration Tester Certifications
Specialized cybersecurity certifications help pen testers advance in their careers. This page explores certification programs and exams from top providers.
Learn More
Frequently Asked Questions About Pen Testers
-
How long does it take to become a penetration tester?
Job-seekers often transition into penetration testing after earning a four-year bachelor's degree and obtaining 1-4 years of IT experience.
-
Is there a penetration testing degree I should get?
For some employers, knowledge and skills may take higher priority than formal education. However, many pen testers enter the field after completing a bachelor's or master's degree in computer science, IT, or cybersecurity.
-
How much does a penetration tester make?
Payscale reports an average penetration tester salary of $90,000 as of December 2022. Actual salary figures may vary, depending on industry, location, and experience.
-
What do I need to learn penetration testing and get a job?
Degrees and industry-standard ethical hacking and penetration testing certifications can help applicants land jobs. Typically, pen tester job requirements include advanced knowledge of the techniques and tools hackers use to breach protected information networks along with experience.
-
What does a penetration tester do?
Pen testers design and plan simulations and security assessments designed to probe existing cybersecurity measures for potential weaknesses. They also document their findings in reports and present them to their clients and employers.
Page last reviewed on Nov 18, 2022
