Find the right education path to take advantage of this fast-growing industry and join the front lines of technology and security.
Penetration testers, also known as pen testers, help organizations identify and resolve security vulnerabilities affecting their digital assets and computer networks. Some professionals hold in-house positions with permanent employers, functioning as part of internal cybersecurity or information technology (IT) teams. Other pen testers work for specialized firms that provide services to clients.
Industries that deal with sensitive, personal, classified, or proprietary information tend to hire penetration testers. Employers increasingly prefer applicants with a bachelor’s or master’s degree in computer science, IT, cybersecurity, or a related specialization. However, some may place more emphasis on the candidate’s knowledge and experience than their formal educational backgrounds.
The cybersecurity profession tends to attract people with advanced technical and problem-solving skills. The Bureau of Labor Statistics (BLS) includes penetration testing in the job duties information security analysts perform. The agency projects a 33% increase in demand for information security analysts from 2020 to 2030. The BLS also reports a median annual salary of $103,590 in 2020.
In the 1960s, computer systems became capable of exchanging data across communication networks. Security experts quickly realized these data exchanges were vulnerable to external attacks. The increasing role of computers in government and business made it necessary to create effective safeguards.
In 1967, more than 15,000 computing experts and public and private sector officials met at the Joint Computer Conference. They discussed the issue of network penetration, a concept that would become known as penetration testing.
Early efforts by the RAND Corporation helped create a systematic approach to penetration testing. Advanced computer security systems like Multics then emerged. Multics functioned as the industry’s gold standard until about 2000.
Since that time, penetration testing has become increasingly complex and specialized. Today, pen testers draw on various advanced tools to identify and close off system vulnerabilities. Penetration testing has also become a big business, with 2021 estimates placing the value of the global cybersecurity industry at $217.9 billion.
Similar Specializations and Career Paths
Cybersecurity offers many career paths beyond penetration testing. Senior roles with high levels of responsibility usually require multiple years of experience and advanced degrees.
Other positions are open to job-seekers with the same educational backgrounds as penetration testers. These include information security analysts, security software developers, and network security architects.
Candidates can pursue security-related career paths after earning a computer science degree with a cybersecurity specialization. However, general computer science, computer engineering, and information technology degrees may also qualify job-seekers for entry-level roles.
As their careers advance, professionals may choose to supplement their existing education with higher degrees. Others elect to pursue industry-standard certifications offered by organizations such as CompTIA, EC-Council, and GIAC.
Additional certifications can help cybersecurity professionals advance into roles with high pay and strong growth potential. For instance, the BLS projects that demand for information security analysts will grow by 33% between 2020 and 2030. The median annual pay for information security analysts exceeded $100,000 in May 2020.
What Does a Penetration Tester Do?
Some penetration testing jobs carry other titles, such as “ethical hacker” or “assurance validator.” These positions have similar duties to a penetration tester: to seek, identify, and attempt to breach existing weaknesses in digital systems and computing networks. These systems and networks include websites, data storage systems, and other IT assets.
Many people confuse penetration testing with vulnerability testing. However, these two cybersecurity specializations have distinct differences. Vulnerability testers look for flaws and weaknesses during a security program’s design and setup phases. Penetration testers specifically seek out flaws and weaknesses in active systems.
Penetration testing teams simulate cyberattacks and other security breaches designed to access sensitive, private, or proprietary information. They utilize existing hacking tools and strategies and devise their own. During a simulated attack, pen testers document their actions to generate detailed reports indicating how they managed to bypass established security protocols.
Penetration testing teams help their employers avoid the public relations fallout and loss of consumer confidence that accompany actual hacks and cyberattacks. They also help businesses and organizations improve their digital security measures.
Key Soft Skills for Penetration Testers
A Desire to Learn: Hackers and cybercriminals constantly change their strategies and tactics as technology continually evolves. Penetration testing professionals need to stay updated on the latest developments on both fronts.
A Teamwork Orientation: Penetration testers often work in teams, with junior members undertaking duties with lower levels of responsibility while reporting to senior members.
Strong Verbal Communication: Team members must articulate their findings in clear, easy-to-follow language that people without advanced technical knowledge or skills can understand.
Report Writing: Strong writing skills serve penetration testing professionals well because their duties include producing reports for management and executive teams to review.
Key Hard Skills for Penetration Testers
Deep Knowledge of Exploits and Vulnerabilities: Most employers prefer candidates whose knowledge of vulnerabilities and exploits goes beyond automated approaches.
Scripting and/or Coding: Testers with good working knowledge of scripting and/or coding can save time on individual assessments.
Complete Command of Operating Systems: Penetration testers need advanced knowledge of the operating systems they attempt to breach while conducting their assessments.
Strong Working Knowledge of Networking and Network Protocols: By definition, understanding how hackers and cybercriminals operate requires penetration testers to understand networking and network protocols like TCP/IP, UDP, ARP, DNS, and DHCP.
A Day in the Life of a Penetration Tester
Pen testers spend most of their time conducting assessments and running tests. These duties may target internal or external assets. Pen testers can work both on site and remotely.
During the morning, the tester or testing team decides on a strategy for the project at hand and sets up the required tools. In some cases, this involves rounding up what professionals call “open source intelligence” or OSINT, which real-life hackers draw on when trying to bypass security measures and initiate attacks.
In the afternoon, teams carry out the tests they spent the morning designing. Other duties include carrying out simulations to assess other aspects of internal risk. For instance, penetration testing teams may target select employees with phishing scams or other false breaches to see how employees' responses affect established security protocols.
Penetration Tester Main Responsibilities
Plan and Design Penetration Tests: Penetration testers must develop experiments and simulations that evaluate the effectiveness of specific, existing security measures.
Carry Out Tests and Other Simulations: After planning and designing assessments, penetration testing teams carry out investigations and document their outcomes.
Create Reports and Recommendations: Penetration testing teams compile findings into reports to present to their supervisors and other key organizational decision-makers. Depending on the intended audience, these reports may use either lay or technical language.
Advise Management on Security Improvements: Senior members of penetration testing teams often interface directly with management-level employees, communicating the level of risk posed by specific vulnerabilities and offering advice on how to address them.
Work With Other Employees to Improve Organizational Cybersecurity: Penetration testing professionals cooperate with other cybersecurity and IT personnel to educate employees on steps to boost the organization’s cybersecurity levels.
The BLS predicts explosive growth in the cybersecurity field. The projected employment growth for security analysts is 31% from 2020 to 2030, which far outpaces the average rate for all other occupations.
As of September 2021, PayScale reported a typical base salary of nearly $87,000 per year for pen testers. At the low end (bottom 10%), pen testers earn about $59,000 per year. At the high end (top 10%), they make up to $138,000 per year. Pay rates in major metro areas and leading tech hubs tend to be on the higher end of the scale.
As in many career paths, experience and education influence earning potential. With additional experience and skills, professionals can make more money.
The typical journey to becoming a penetration tester begins in high school or college. During this time, individuals with the necessary aptitudes often discover and explore their interest in computer science and IT, building technical skills and knowledge of operating systems, scripting, coding, and programming.
Students proceed into computer science, computer engineering, IT, or cybersecurity degree programs. Entry-level penetration tester requirements include both education and experience. A bachelor’s degree increasingly serves as the minimum necessary level of schooling.
Candidates then build penetration tester skills by working in entry-level IT positions, including system or network security and administration roles. Professionals can also pursue industry certifications. After 1-4 years of employment, emerging professionals typically possess the knowledge and experience to land penetration testing jobs.
This collaborative professional network unites cybersecurity professionals worldwide through training programs, workshops, and career services. ISSA also maintains a fellows program for ambitious professionals.
This leading nonprofit cybersecurity organization features a membership base of more than 150,000 professionals. It offers respected certifications, exam preparation resources, career services, and many other perks.
Another respected global leader in cybersecurity, CompTIA offers specialized training programs, continuing education, and certifications. Members also gain access to an exclusive career center.
This enterprise-oriented organization offers benefits including members-only career fairs and job boards, international conferences, and more than 200 local chapters that host training workshops and events. ISACA offers student, recent graduate, and professional membership levels.
How long does it take to become a penetration tester?
Job-seekers usually transition into penetration testing after earning a four-year bachelor’s degree and obtaining 1-4 years of IT experience.
Is there a penetration testing degree I should get?
For some employers, knowledge and skills may take higher priority than formal education. However, many pen testers enter the field after completing a bachelor’s or master’s degree in computer science, IT, or cybersecurity.
How much does a penetration tester make?
PayScale reports an average penetration tester salary of $87,436 as of August 2021. Actual salary figures may vary, depending on industry, location, and experience.
What do I need to learn penetration testing and get a job?
Degrees and industry-standard ethical hacking and penetration testing certifications can help applicants land jobs. Typically, pen tester job requirements include experience along with advanced knowledge of the techniques and tools hackers use to breach protected information networks.
What does a penetration tester do?
Pen testers design and plan simulations and security assessments designed to probe existing cybersecurity measures for potential weaknesses. They also document their findings in reports and present them to their clients and employers.
Born and raised in upstate New York, Brian Nichols began his IT education through a vocational high school where he focused on computer science, IT fundamentals, and networking. Brian then went to his local community college, where he received his associate of science in computer information science. He then received his bachelor of science in applied networking and system administration from a private college. Brian now lives in Kansas City, where he works full-time as a DevOps engineer. Brian is also a part-time instructor in cybersecurity. He’s passionate about cybersecurity and helping students succeed.
Brian Nichols is a paid member of the Red Ventures Education freelance review network.