Fancy a career in what one practitioner described as the ‘best job in the world’? Read on to find out how…
Since you’re reading The Daily Swig, you’re probably already aware that a pen tester isn’t somebody that reviews writing implements.
In fact, of course, a pen – or penetration – tester fulfils a specialist role that involves simulating cyber-attacks on computer systems, networks, and infrastructure in order to identify and report vulnerabilities.
“As a pen tester, you are responsible for identifying potential vulnerabilities in systems and reporting them, so they can be addressed,” Inti De Ceukelaire, head of hackers at bug bounty and pen testing firm Intigriti, tells The Daily Swig.
“Some will say that ethical hackers are a synonym for pen testers, but in my experience ethical hackers will focus less on reporting and more on identification of actual present cybersecurity issues, whereas pen testers may also give advice on theoretical future weaknesses in systems.”
What does a pen tester do?
The penetration testing process involves working with clients to establish their requirements and creating tests accordingly, using both manual techniques and automated tools. Testing for security weaknesses may be carried out on-site or remotely.
Every step is documented, with reports and recommendations presented to the client, and at the end of the process any changes are validated. Recommendations may also be made about security issues that could potentially arise in the future based on current configurations and architecture.
Pen testers can work in-house, for national and multinational companies, or within large public sector organizations, monitoring applications, network devices, and cloud infrastructures. Alternatively, they can work for a security firm, where they typically work on a variety of client contracts, or on a freelance basis.
How popular is pen testing as a career choice?
Demand for penetration testers is growing strongly. According to the US Bureau of Labor Statistics (BLS), growth is set to hit 35% for information security analysts, which includes penetration testers, between 2021 and 2031. This is much faster than the average for all occupations across the US.
Fuelling this growth are ever-stricter legal requirements around the world, forcing an increasing number of companies to prove that their products are being tested for security vulnerabilities.
“Despite more schools and universities offering ethical hacker trajectories, there is still a shortage of cybersecurity professionals, including pen testers,” says De Ceukelaire.
“Overall, I would estimate that pen testing as a career choice has become more popular over the years, but that the demand for pen testers is growing even quicker, especially in certain niche areas such as application, IoT, scada, or blockchain pen testing.”
How to become a pen tester
In terms of formal qualifications, most pen testers will have a degree in some sort of IT or cybersecurity discipline.
Penetration testers often start out in network administration, network engineering, or web-based application programming before undergoing specialized training in ethical hacking.
There are a number of certification schemes available from the likes of the Infosec Institute, the International Council of E-Commerce Consultants, Global Information Assurance Certification, CompTIA, Offensive Security, and (ISC)². Many of these can be achieved through self-study at home.
“Any entry-level job in the security field helps, or some certifications might also help to land a career in the area, like for example the OSCP certification,” Dave Miller, who leads the offensive security testing team at security firm Cyllective, tells The Daily Swig.
“An IT engineering background is also beneficial, like a sysadmin, software engineer, or similar.”
De Ceukelaire recommends brushing up on non-technical skills too.
“In larger consultancy companies with well-known logos, being able to write proper and self-explanatory reports is sometimes more important than deep-diving into technical vulnerabilities. Documenting and reporting is an underestimated skill you will need if you want to work for a big consultancy company,” he says.
“If you want to work for a consultancy gig, you may want to also get a course in technical business writing, reporting, and analysis.”
As for independent pen testers, he says: “A bit of sales knowledge and accounting is also needed if you want to attract new clients.”
It is also important to have good time management skills, to be able to work as part of a team, and to have a certain amount of business knowledge in order to understand and communicate the implications of any vulnerabilities found.
Alternative routes into pen testing
The ability to actually do the job is what matters, and it is possible to become a penetration tester without much in the way of academic qualifications.
Capture the flag (CTF) competitions, where teams or individuals hack deliberately vulnerable systems to ‘capture’ a file or code, will hone skills and make hackers some useful contacts. Examples include Hack the Box, Hack.me, Hack This Site, and WebGoat.
Meanwhile, bug bounty programs aren’t just for full-time freelancers, and can offer big payouts to anybody finding and reporting security flaws in companies’ code.
There are lists of available bounties on sites like Bugcrowd and HackerOne, while Intigriti connects independent pen testers to potential clients for its penetration-testing-as-a-service, ‘Hybrid Testing’.
“Like many roles in cybersecurity, becoming a professional pen tester is about having the right mindset and skills – [for example] logical thinking, problem solving, [and] creative approaches,” Jon France, CISO of training and certification non-profit (ISC)², tells The Daily Swig.
Meanwhile, Ed Williams, EMEA director of SpiderLabs at Trustwave, recommends a bit of profile-raising: “Start a blog, understand how things work, break things, write code to automate tasks, publish the code on GitHub to show passion,” he says.
Many penetration testers find work by approaching companies directly on spec, which can be a particularly effective strategy with smaller organizations.
Types of employment
Large organizations may have a team of full-time pen testers, with projects exclusively focused on the company’s own systems.
Smaller companies – and sometimes the larger ones, too – tend to turn to security firms, where salaried pen testers will work on a variety of projects, often more than one at a time.
“It’s good to spend my everyday work in a great team and with the possibility to exchange and learn from other team members. I also enjoy the flexibility and trust which my employer, Cyllective, enables me with,” says Miller. “And the stable income of course.”
A third option is to become a freelancer, many of whom will have their own trademark skillsets and methodologies and will already have developed a good reputation.
“It can be fun freelancing, as you get a broad range of engagements and get to work in a variety of vertical sectors,” says France.
How much money are pen testers paid?
In the US, according to Payscale, pen tester salaries start at around $58,000, with an average annual paycheck of $88,500. Bonuses or profit share schemes could add another $20,000 or so.
Starting salaries for pen testers are around £30,000 ($36,000) in the UK, with an average base salary being around £56,000 ($67,000), according to Indeed.
Freelance rates vary wildly depending on the expertise of the pen tester and the complexity of the job, but tend to be a few hundred pounds or dollars per day.
The job can eventually lead to more senior and lucrative roles, such as chief information security officer (CISO).
What are the best parts of the job?
Offensive security testing involves a lot of problem-solving and, for freelancers, can offer a great deal of flexibility.
“For me, pen testing is a hobby and lifestyle rather than a job. Analyzing and breaking new software in every assignment is very diversified,” says Miller. “And nothing beats the adrenaline rush of getting a shell on a system.”
Says Ed Williams, EMEA director of SpiderLabs at Trustwave: “I think being a pen tester is the best job in the world, you are actively encouraged to break into things and help organizations get better at their security – what’s not to like about it?
“If I think about my own career, I’ve been fortunate enough to travel the world through pen testing, and also been to some highly sensitive parts of the world.”
What are the challenges and frustrations felt by pen testers?
Sometimes a pen test is simply a tick-box exercise, which can be frustrating, and can even mean that the company has little genuine interest in actually seeing vulnerabilities identified and dealt with.
“Businesses often still need to see the need for proper security testing,” says Miller. “We have many requests from firms that just want a penetration test for a compliance check because a customer or regulatory instance asked them to do so.”
Meanwhile, says Williams, it can be a very high-pressure role, with all the stress that that entails.
“Cyber is constantly changing and keeping up with that can be difficult and time-consuming,” he says. “Quite often, I see people burn out by just doing too much for too long and they eventually leave pen testing, which is sad for the profession and industry.”
Stay tuned for part two of our feature on how to become a pentester.