Last Updated: March 3, 2020
Also known as ethical hackers and assurance validators, penetration testers inform security improvements by detecting security weaknesses in information systems, networks, and web applications.
Unlike vulnerability assessors, who highlight security weaknesses during information security system set-up, penetration testers test established security systems. They put these systems to the ultimate test by conducting and documenting their own legal cyber attack simulations, which identify weaknesses without actually exploiting the accessed data. Penetration testers design and/or utilize hacking tools to access predesignated pieces of sensitive data in predetermined time frames.
These professionals work in many industries, including healthcare, government, and finance. Penetration testers earn an annual mean salary of $83,823, according to PayScale. Read on for more detailed descriptions of penetration tester roles and salaries. The following information also outlines the career steps and skills necessary to become a successful penetration tester.
What Does a Penetration Tester Do?
Companies employ penetration testers to improve information security by detecting and correcting system weaknesses before criminal hackers can exploit these weaknesses. This preventative measure lowers companies' risk of real cyber attacks, which can damage company finances and customer trust.
Penetration testers often work in teams to create new tests simulating cyber crimes. These professionals may identify application vulnerabilities or assess physical security of systems, servers, and network devices. Penetration testers suggest specific security strategies and solutions aligned with company budgets, and they may provide ongoing support as companies implement these new security measures.
Junior penetration testing roles usually require 1-4 years of information security experience, while higher-level positions require 3-10 years' experience related to vulnerability assessment or penetration testing. Recent graduates and professionals often use relevant internships or information technology (IT) support positions to qualify them for entry-level positions. Many degree programs include internship components, enabling students to network, gain mentors, and cultivate real-world information security skills.
Steps to Become a Penetration Tester
Professionals with relevant hacking skills and work experience do not always need specialized degrees to become penetration testers. However, many penetration testing jobs require bachelor's or master's degrees in cybersecurity, computer science, or IT.
Computer science or IT degree programs provide fundamental technical skills in operating systems, programming languages, network tools, and computer hardware and software. Cybersecurity-focused programs also provide specialized coursework in cryptography, forensics, vulnerability analysis, and security frameworks and tools.
To identify security problems, penetration testers also need analytical skills. To generate tools for breaking into security systems or creating new solutions, these professionals need creativity and problem-solving skills.
Lower-level penetration tester positions usually require 1-4 years' prior work experience performing IT functions like system administration, security administration, network administration, or network engineering. Because of the expertise required to hack into information systems, many penetration positions also need prior professional experience in penetration testing, vulnerability assessing, or information security.
Aspiring penetration testers can acquire skills online through training, courses, and certification programs. In fact, many positions require certifications in addition to the penetration tester education and work experience prerequisites described above. Popular certifications required include offensive security certified professional, certified penetration tester, and certified expert penetration tester.
Professional organizations, technology companies, and online schools offer several cybersecurity-related certification options, so take the time to research certification options carefully.
Top Required Skills for a Penetration Tester
This creative, detail-oriented profession requires innovative design and problem-solving skills, because penetration testers invent ways to breach and strengthen security systems. These professionals also require excellent oral and written communication skills to document and explain their work to colleagues and employers. For similar reasons, penetration testers usually benefit from project and people management skills.
Penetration testers also need an arsenal of IT, computer science, and cybersecurity-specific hard skills. PayScale data suggests that hard skills like black box testing, penetration testing, cybersecurity testing, auditing, and IT infrastructure boost penetration tester salaries. As they attempt to access sensitive data, penetration testers must also know how to navigate many systems including computer hardware and software systems, operating systems, security systems, and network systems.
Fortunately, computer science and IT degree programs provide relevant knowledge and skills in programming, computer engineering, and information systems. Many programs also offer courses in computer and network security, operating systems security, and database security. Students can take courses on computer hardware and software, reverse engineering, and common programming languages such as Java or C.
Meanwhile, cybersecurity degree courses in ethical hacking, cryptology, and system vulnerability assessment help students learn to penetrate and defend information security systems. Schools with cybersecurity majors or concentrations often provide the best preparation for information security careers.
As a skills-based career in a rapidly changing industry, penetration testing requires frequent acquisition of new skills. Aspiring penetration testers should take advantage of the networking and learning available through online platforms, professional organizations, and hacking conferences. Cybersecurity degree graduates usually need additional skills development through the certification programs described in the previous section.
Penetration Tester Salary
The rising importance of information security suggests promising career prospects for cybersecurity professionals. The BLS projects a high job increase of 32% from 2018-2028 for the related position of information security analyst.
According to PayScale, penetration testing careers tend to pay well, with salaries ranging from $57,0000-$134,000 based on experience level. PayScale data indicates that penetration testers make a median annual salary of $84,000 -- well above the national mean salary of $51,960 for all occupations.
PayScale places entry-level penetration testers at $67,442, early career professionals at $77,373, and mid-career penetration testers at $102,981. Penetration testers with 10+ years of experience often make up to $118,000 per year. Experienced penetration testers may seek promotion to potentially higher-paying positions, such as senior penetration tester, security consultant, or security architect.
The BLS and PayScale do not provide specific industry information for this career, but top-paying employers listed by PayScale and Indeed.com provide services in financial management, consulting and business, and information technology. Top-paying financial management, consulting, and business employers include E*TRADE Financial, Jacobs, and Booz Allen Hamilton. High-paying technology-related companies for penetration testers include IBM, Paylocity, and FireEye.
Located near some of the above companies' headquarters, Washington, D.C. tops PayScale's list of highest-paying metro areas for penetration testers, followed by Atlanta, Seattle, and Chicago.
Looking for More Cyber Degree Programs?
- Bachelor's in Cyber Security Programs
- Cyber Security Resources
- Best Online Master's in Cyber Security Programs