What Does a Penetration Tester Do?
What is a Penetration Tester?
A Penetration Tester (a.k.a. Pen Tester or Ethical Hacker) probes for and exploits security vulnerabilities in web-based applications, networks and systems. Simply put, you get paid to legally hack. In this fascinating job, you get to use a series of penetration tools – some predetermined, some that you design yourself – to simulate real-life cyber attacks. Your ultimate aim is to help an organization improve its security.
Ethical hacking is a mix of sexiness and boring bits. Unlike real attackers, who can spend months on a target, you may have only days to compromise systems. What’s more, you will be expected to document and explain your methods and findings. Penetration testing has been called one of the most frustrating jobs in the infosec field, but it’s also one of the most creative. You’ll have plenty of opportunities to employ your technical skills and you’ll almost always be thinking on your feet.
Penetration Tester Job Responsibilities
During the penetration test, you will typically focus on exploiting vulnerabilities (e.g. making it a goal to break part of a system). But as Daniel Miessler points out in The Difference Between a Vulnerability Assessment and a Penetration Test, you don’t have to go all the way to prove your point:
“A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could.”
Overall, you are likely to be required to:
- Perform formal penetration tests on web-based applications, networks and computer systems
- Conduct physical security assessments of servers, systems and network devices
- Design and create new penetration tools and tests
- Probe for vulnerabilities in web applications, fat/thin client applications and standard applications
- Pinpoint methods that attackers could use to exploit weaknesses and logic flaws
- Employ social engineering to uncover security holes (e.g. poor user security practices or password policies)
- Incorporate business considerations (e.g. loss of earnings due to downtime, cost of engagement, etc.) into security strategies
- Research, document and discuss security findings with management and IT teams
- Review and define requirements for information security solutions
- Work on improvements for security services, including the continuous enhancement of existing methodology material and supporting assets
- Provide feedback and verification as an organization fixes security issues
Penetration Tester Careers
Penetration Tester Career Paths
Pen testers come at the field from all angles. Some take up hacking in university; others use their CS degree to focus on cyber security. Regardless of your path, employers are unlikely to hire you straight out of school. You can always consider gaining experience in IT jobs such as:
- Security Administrator
- Network Administrator
- System Administrator
- Network Engineer
After you have proven your worth as a Penetration Tester, you may find better pay as a:
Penetration Tester vs. Vulnerability Assessor
There’s a lot of confusion about the difference between Penetration Testers and Vulnerability Assessors. We like Miessler’s explanation:
“Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.”
“Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them.”
In simple terms, Vulnerability Assessors are list-orientated and Pen Testers are goal-orientated.
Penetration Testers are also known as:
- Ethical Hacker
- Assurance Validator
Penetration Tester Salaries
According to Payscale, the median salary for a Penetration Tester is $81,356 (2019 figures). Overall, you can expect to take home a total pay of $49,252 – $134,946. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Penetration Tester Job Requirements
Job descriptions for Penetration Testers can vary widely. For example, candidates for Red Team openings may need to have a BS or higher in cyber security, 2-5 years of experience, and OSCP certification. Applicants to Junior Penetration Tester jobs may only need 1-3 years of experience in information security, solid technical skills, and GPEN, OSCP, eJPT, or eCPPT certification. Take a minute to browse through the job openings in your chosen arena (e.g. finance) to see if you need to buff up your résumé.
We also recommend that you hone your street skills any which way you can. Liaise with other pen testers at hacking conferences, research potential certifications, look into MOOCs and training courses, set up a pen testing lab, learn from other pen testers, and read, then read more.
A number of Pen Testers don’t hold a specialized degree. Since ethical hacking is more about skills than course credits, a bachelor’s or master’s degree in cyber security could be unnecessary if you have appropriate job experience. Having said that, we’ve noticed that intermediate-level job descriptions are increasingly demanding that candidates hold a BS or MS in IT, computer science or cyber security. Talk to your mentors about your options.
Overall, employers appear to be looking for 1-4 years of security-related experience with practice in penetration testing and vulnerability assessments. The range for Senior Penetration Testers is more variable. It may be as low as 3 years and as high as 7-10 years of experience.
Pen testers conduct security audits, develop code, automate processes, reverse engineer binaries – the list goes on. So try and learn as much as you can about operating systems, software, communications and network protocols.
Here are technical skills we have seen employers favoring:
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java, ASM, PHP, Perl
- Network servers and networking tools (e.g. Nessus, nmap, Burp, etc.)
- Computer hardware and software systems
- Web-based applications
- Security frameworks and regulations (e.g. ISO 27001/27002, NIST, HIPAA, SOX, etc.)
- Security tools and products (Fortify, AppScan, etc.)
- Vulnerability analysis and reverse engineering
- Metasploit framework
- Forensics tools
- Cryptography principles
Writing your résumé? Start with the standard list of soft skills: creativity, problem-solving and analytical thinking. Show them proof of your ethical high standards. Demonstrate your “out-of-the-box” approach. Note your scrupulous attention to detail.
Oral and written communication skills are two other biggies. In addition to the amount of paperwork (writing reports and assessments), you might be surprised at how often you will have to talk to people. Part of your day will involve explaining your methods and findings to technical and non-technical audiences. You could also be coordinating social engineering initiatives.
Certifications for Penetration Testers
There is no master list of preferred certifications for pen testing. Although it’s popular within the IT industry, CEH is fairly loose. We recommend you ask colleagues about the pluses and minuses of accreditations like CPT/CEPT, GPEN and – especially – OSCP.
- CEH: Certified Ethical Hacker
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional
- CISSP: Certified Information Systems Security Professional
- GCIH: GIAC Certified Incident Handler
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- CCFE: Certified Computer Forensics Examiner
- CREA: Certified Reverse Engineering Analyst