Are you ready to discover your college program?
Penetration testers protect digital assets by finding weaknesses in existing computer systems or networks. Sometimes called ethical hackers or pen testers, these professionals work in teams to stop malicious hackers from accessing valuable data. Typical duties include conducting penetration testing and developing methods to improve penetration testing.
Payscale reports that penetration testers made an average annual salary of $87,440 as of September 2021.
These professionals also analyze penetration testing results and make recommendations for eliminating security weaknesses. A penetration tester typically needs relevant experience and a bachelor's degree in computer science, cybersecurity, or a related field. Payscale reports that penetration testers made an average annual salary of $87,440 as of September 2021.
This page covers the daily life of a penetration tester. We describe penetration testing and typical job duties, helping you decide if this career path is right for you.
What Is a Penetration Tester?
Penetration testers focus on a specialized area of cybersecurity, often working within IT teams to prevent data breaches. These professionals apply advanced cybersecurity expertise to find vulnerabilities in their organizations' existing computer systems by simulating attacks.
Penetration testers focus on a narrower area of cybersecurity than other security professionals. Typical penetration tester job duties include planning and carrying out penetration tests, writing reports, and making security recommendations.
Most employers require candidates to possess relevant professional experience and bachelor's degrees in computer science or cybersecurity. Professional certifications, like the certified information systems security professional, can increase career opportunities. Penetration testers may start their careers in entry-level IT positions related to network security before obtaining the experience to land more advanced cybersecurity roles.
What a Penetration Tester Does
As organizations increasingly store large amounts of sensitive and valuable data online, the frequency of cyberattacks grows. Penetration testers evaluate the effectiveness of organizations' cybersecurity policies and protocols by conducting vulnerability assessments.
Pen testers use advanced IT security skills to detect places where malicious hackers could successfully launch attacks and break into computer networks, systems, or other assets. These professionals find ways to prevent cyberattacks before they happen.
The typical day of a penetration tester varies but may include planning and launching penetration tests, writing reports and giving presentations after a penetration test, and making recommendations for security improvements. The penetration tester work environment is typically a standard office, but many work remotely.
Penetration tests can take place externally or internally. Pen testers gain access to computer systems using physical, wireless, web application, and network services. They also use social engineering techniques, tricking people into sharing passwords and granting access to sensitive information. Each type of penetration test involves different tools and knowledge of the field.
Over time, penetration testers can move from junior to senior roles. Senior penetration testers typically spend more time planning simulations and making recommendations for security improvements. Below, we describe key duties for these professionals.
Main Job Duties of Penetration Testers
- Planning Penetration Tests: Penetration testers plan and develop tests to find potential security problems. They use existing methods and sometimes make their own tools to launch tests. Creating a penetration test plan requires strong project management and time management skills.
- Enacting Penetration Tests: Penetration tests simulate malicious cyberattacks from outside individuals or organizations to detect internal vulnerabilities. This allows organizations to improve their security, stopping data breaches and other cyberattacks before they happen. Penetration testers use the same types of tools and methods as hackers to protect company data.
- Making Security Recommendations: Penetration testers can improve security by analyzing what went wrong in their simulations. They can make recommendations to address security weaknesses and suggest security education for employees. They may work with computer engineers or other cybersecurity team members to mitigate identified weaknesses.
- Writing Reports/Giving Presentations: After launching a test, penetration testers write reports to present their findings to management. Reports typically include recommendations about how to improve security for the future. Pen testers also sometimes give oral presentations describing the results of their tests.
- Track New Cybersecurity Developments: Penetration testers should follow professional publications or complete certifications to remain informed about emerging security threats and malware. It also helps to research general information technology and security trends.
Unusual Job Duties for Penetration Testers
- Investigate Cyberattacks: Penetration testers usually do not respond to or investigate security breaches, but they can in some positions. This work may involve collecting digital evidence, finding a motive, and locating suspects. Pen testers can also help patch holes and address vulnerabilities.
- Develop Cybersecurity Best Practices: Pen testers may develop cybersecurity best practices for their organizations. Their work includes finding vulnerabilities in existing systems, leading penetration testers to excel in providing computer security solutions.
- Upgrade Computer Systems: Penetration testers at smaller organizations may need to help with general computer system maintenance, including installing RAM, upgrading cloud storage, and adding or connecting hard drives. Upgrading computer systems can save money and improve security.
- Assist Computer Users: Some penetration testers provide one-on-one assistance or group workshops to provide training in new cybersecurity procedures and products. Pen testers are more likely to provide tech help and customer service in smaller organizations. Large companies usually have dedicated computer support professionals.
- Mount Incident Responses: Although pen testers usually do not participate in incident response, some may help respond to cyberattacks and security threats as part of incident response teams. The first 48 hours after an attack are crucial, so incident response ideally happens in this period.
Top Online Programs
Explore programs of your interests with the high-quality standards and flexibility you need to take your career to the next level.
A Typical Day of a Penetration Tester
Penetration tester duties vary depending on employer, industry, location, plus experience levels and education. Below, we outline what to expect during a typical day of a penetration tester.
Jeff Barron, Director of Professional Services — Offensive Security
What previous cyber-related experience did you have, if any, and what prompted your journey to become a penetration tester?
I worked as a security engineer who wrote detections for IDS systems, analyzed and responded to alerts, as well as developed code to scrape data from places on the darknet. Prior to working in cyber, I worked as an indie game developer. I’ve had a lifelong interest in how systems work and how to make things behave in unexpected ways.
If you specialize in a particular subject or work in a particular industry, what prompted this choice and/or how did it evolve?
I specialize in offensive security. I love all aspects of cybersecurity, but I’ve got a knack for the offensive side of things. I don’t know if it was a choice. It was just what I was attracted to and good at. A good offensive security program not only delivers high-quality results to clients, it also feeds intelligence and guidance to defensive security for detections and response. I feel like I can bring more value on this side of cybersecurity while helping the whole of it. It helps that it’s a lot of fun.
For whom do you think this career is a good fit? Why?
Anyone who loves solving puzzles. If you’re a fan of figuring out really tough video games, then this is for you. Do you like technology and solving puzzles? Then this is for you. There is a wonderful feeling when you solve a problem in this career. It’s ineffable.
What educational path did you take to become a penetration tester? Did you pursue additional education at any point? What was your educational experience like?
You can have almost any educational background in this field. You have to have a solid understanding of operating systems, networking, and programming. The great thing is you can be completely self guided in your studies. There are resources today where you can legally hack things in bug bounty programs, break stuff in your own VM lab, or break things in other people’s labs like Hackthebox and TryHackMe. I took my own path, as do a lot of folks who find themselves in this job. I think that is changing. My own experience was 95% self taught. But I did use college to help fortify subjects and fill in the blanks. A standardized education helps you speak the language when you get into the job market. You’re always going to be learning in this job. This isn’t something where you can study a set amount of years, get a piece of paper, and be done.
What certifications or tests did you need to pass, if any, to enter the field and/or progress in your career?
There are a ton of certifications. It’s easy for people to get overwhelmed by them and focus on them a little too much. I’d recommend CompTIA and eLearnSecurity certifications to start out with.
What's a typical day like for you?
Today I’m working on the internal phase of a penetration test. We use an assumed breach method when conducting this phase. That means we have a device on the client’s network that we attack them from. Sometimes we sneak this device in, but most times, we mail it to them.
The goal of the internal test is to emulate a threat actor once they are inside the network. So today, I will be a threat actor. I’ll check their computers for vulnerabilities. When I find them, I’ll exploit them and begin spreading across the network. Four or five machines have already been compromised but none of them are joined to the domain. I’ll have to find another way in, so I’m going to return to those hosts and pillage them for passwords and any other sensitive data they might contain. While I’m doing that, I’ll also be taking notes and screenshots and adding them to my report.
I’m not always a threat actor. Some days I'm researching vulnerabilities and how to fix them. Other days I’m writing detections for our security operations center so that they can better detect the bad guys and my team.
What's your favorite part of being a penetration tester?
My favorite part is bypassing the security controls and popping shells on compromised machines. Beating the challenges, hacking the things. It also feels great to be able to look a client in the eye and know that they are better protected than they were before.
You can have almost any educational background in this field.
The most challenging part?
I find the most challenging part to be translating technical speak to easily actionable and understandable business language. It may be the hardest part of the job, at least for me.
What advice do you have for individuals considering becoming a penetration tester?
Do it! It’s as fun as it sounds. Even with the reporting. Even with the responsibility. It is a fantastic job. Learn Linux, live in it. Get comfortable with a scripting language like Python. It will make your job a lot easier and efficient.
What do you wish you'd known before becoming a penetration tester?
That anyone can do it. That anyone who spends time studying this and practicing this can become an expert in it. Hollywood and folks with more ego than brain have really given this job an undeserved “rockstar” status. It may seem or feel unattainable, but it isn’t. It’s very much a learned thing.
Director of Professional Services - Offensive Security
Jeff works as the Director of Professional Services — Offensive Security for Critical Path Security. Before that, he has worked as a penetration tester, security engineer, and software developer. Jeff has been interviewed as an expert on 11Alive NBC News. He enjoys drum and bass music, anime, and ASCII art.
Work Environments for Penetration Testers
Penetration tester work environments vary by position, employer, industry, and location. Typical employing industries include computer systems design and related services, finance and insurance, and management. Other industries that hire penetration testers include information and administration and support services.
Major companies that employ penetration testers include Amazon and IBM. Pen testers can also apply at firms that specialize in cybersecurity or penetration testing, like FireEye, RSI Security, CrowdStrike, and McAfee.
Although penetration testers' main tasks usually remain the same regardless of the work environment, the job setting can affect their scope of duties. At smaller organizations, pen testers may handle more general computer maintenance and support in addition to their specialized work.
The top-paying states for security professions are California, New York, New Jersey, and Washington, D.C.
Location can affect the number of available jobs, along with average salaries and types of employers hiring pen testers. The Bureau of Labor Statistics reports that the top-employing states for information security analysts (which encompasses penetration testers) include Virginia, Texas, California, and Florida. The top-paying states for security professions are California, New York, New Jersey, and Washington, D.C.
Consider cost of living and quality of life when researching average salaries. Information security analysts make an average annual wage of $125,990 in California as of May 2020, but the state also ranks second in the country for the highest cost of living.
Think about how relocating for a job in penetration testing may affect other aspects of your life, like proximity to family and friends, housing affordability, and the presence of desirable amenities.
Should You Become a Penetration Tester?
The growing penetration testing field offers many lucrative opportunities. Becoming a penetration tester takes hard work, time, and money. Most employers require at least a bachelor's degree in a tech field, like computer science or cybersecurity.
Prospective penetration testers include information technology professionals and college students pursuing computer science or cybersecurity degrees. An individual already working in a computer-related field can often land a job by earning a professional certification in penetration testing. Future pen testers may currently work in other fields.
Preparing for Life as a Penetration Tester
Preparing for the life of a penetration tester usually requires earning a bachelor's degree in a field like cybersecurity or computer science. Most employers also require relevant experience and may prefer applicants with professional certifications in the field. Candidates can also gain advanced penetration tester knowledge in cybersecurity bootcamps.
Companies rely on penetration testers to find potential security vulnerabilities and avoid cyberattacks. Knowing that you are responsible for preventing the loss of valuable or sensitive data can be stressful, especially amid breaches. Becoming a penetration tester requires candidates to stay calm under pressure, develop advanced technical expertise, and continually research emerging security threats.
Learn More About Penetration Testers
What Is a Penetration Tester?
This page describes typical penetration tester job duties and work environments, along with major employers and industries.
How to Become a Penetration Tester
We describe the typical education and experience requirements to become a penetration tester.
Penetration Tester Certifications
We explain the potential benefits of earning penetration tester certifications on this page. This guide also includes a list of relevant certifications to consider.
Questions About a Pen Tester's Day to Day
Is the life of a penetration tester stressful?
The life of a penetration tester can be stressful, depending on the position and employer. In some cases, failing to identify a vulnerability can lead to massive financial or data losses for companies.
How is job satisfaction for penetration testers?
Penetration tester job satisfaction varies by position, employer, industry, and location. These professionals can find satisfaction knowing that they identified potential weaknesses to stop cyberattacks before they happen.
What does a penetration tester do on a daily basis?
Penetration testers plan, carry out, and evaluate penetration tests. They also write reports and make recommendations. Pen testers may work alone or with IT teams to evaluate the effectiveness of organizations' computer security.
What skills do you need to be a penetration tester?
Penetration testers need coding, hacking, problem-solving, and communication skills. They must possess an advanced understanding of computer security issues, how breaches happen, and the wide-reaching impacts of cyberattacks.
Featured Image: Thomas Barwick / DigitalVision / Getty Images
View hand-picked degree programs
Tell us what you’d like to specialize in, and discover which schools offer a degree program that can help you make an impact on the world.