Main image of article Pen Tester: Growing Opportunities for a Cybersecurity Career Path

Due to an ever-growing number of cybersecurity threats, enterprise networks and infrastructure remain vulnerable to attacks. A recent White House estimate, for example, found a 45 percent increase in ransomware attacks in the first half of this year compared to the same period in 2022.

A separate report from the U.K.-based NCC Group found ransomware attacks increased a staggering 150 percent year-over-year.

With enterprises facing constant pressure to protect their valuable data and information from cybercriminals and nation-state actors, finding vulnerabilities in infrastructure and web applications (as well as understanding how attackers may target a network) is more important than ever. It’s why the need for penetration testers is increasing, with career opportunities for tech and security professionals who want to increase their salary, explore other opportunities, or position themselves for advancement.

Pen testers, also called vulnerability testers and ethical hackers, find vulnerabilities by thinking and acting like malicious actors when scoping out an attack. This approach to cybersecurity helps uncover and identify flaws in applications and IT networks while allowing the organization to fix these bugs before they are exploited. These exercises also help shore up enterprise defenses. (The most dedicated pen testers are also known to go overboard on occasion.)

The interest in enterprises and organizations hiring pen testers is evident in the more than 18,800 job openings listed at CyberSeek, a joint initiative of the National Institute of Standards and Technology’s NICE program, Lightcast and CompTIA. The pen tester position is also listed as a stepping-stone to advanced-level careers such as cybersecurity engineer and cybersecurity architect.

For industry insiders, pen testers will also remain in demand as businesses operate in hybrid modes (i.e., employees coming into the office a few days per week). The remote nature of work and the reliance on cloud-based applications can make finding vulnerabilities and ensuring secure networks even more difficult, noted Dave Gerry, CEO at Bugcrowd.

“Security organizations face an incredible challenge in securing their company in what continues to be the most remote-first environment we have ever seen,” Gerry recently told Dice. “Over the past few years, there has been a race to ensure business-critical applications are available to remote employees and the attack landscape has never been greater. Providing scope-focused pen testing provides security teams a human-intelligence-led, focused approach to securing the applications their customers—both internal and external—rely on.”

Pen Testers: Salary, Education and Certifications

Besides career growth, a significant benefit to pursuing a pen tester career is salary. CyberSeek lists the average U.S. pay for penetration testers at approximately $124,400 annually. The site also notes that about 69 percent of job listings require a bachelor’s degree, while 21 percent require a master’s degree. (According to the most recent Dice Tech Salary Report, the average tech salary stands at $111,348, a 2.3 percent increase from 2022.)

To work toward that salary, pen testers are usually required to hold one or more of the most well-known cybersecurity certifications. CyberSeek lists the main ones for the position as:
 

For those looking to start in the pen testing field, especially those who recently graduated and are moving into cybersecurity, gaining a certification is a helpful first step, said Billy Giles, an attack and penetration leader at Optiv.

“The most common things employers will look for are entry-level penetration testing certifications and experience. Preparing for and successfully earning the necessary certifications requires a solid foundation in information technology including the skills listed in question two,” Giles told Dice. “While preparing to apply for positions individuals can build experience through ‘capture the flag’ exercises, where they can safely attack vulnerable machines and learn the methodology, tools and techniques necessary to succeed in penetration testing.”

Giles added: “Tracking the number of vulnerable machines successfully completed can also help communicate to employers a commitment to learning and applying the skills necessary to succeed as a penetration tester.”

Pen Testers: What Tech Skills Are Needed?

Since pen testing requires tech pros to think like malicious actors, as well as intimate knowledge of systems, platforms and apps that are tested, a thorough knowledge of technology is required. When recruiting pen testers, Giles noted that he looks for a solid foundation in IT. Those job seekers seeking penetration testing roles must know:
 

  • Command line administration of Windows and Linux machines
  • Networking
  • Cybersecurity fundamentals
  • Basic reading and editing of scripts such as Bash and Python
  • Active Directory
  • Web technologies
  • Firewalls
  • Antivirus

These are the types of hard, technical skills that Patrick Tiquet, vice president for security and architecture at Keeper Security, also requires. Besides knowing how the major operating systems work, pen testers must show a solid understanding of the complete network stack as well as wireless technologies, encryption technologies, Javascript and web interfaces. Candidates must also know how all these technologies work together with the final product.

“Using this knowledge, a pen tester tests for known vulnerabilities and looks for vulnerabilities that may not be immediately obvious from standard use cases,” Tiquet told Dice. “Pen testing is increasingly a requirement for cloud-based services in the commercial sector and government sector. With the recent focus on supply-chain risk mitigation in the cybersecurity industry, the demand for pen testers will only increase.”

For those who have already worked in technology for many years and who are looking for a new career path, developers or system/network administrators can make an easier transition to pen tester, said Richard Miller, a purple team engineer Critical Start.

“A good penetration tester will have a mind for problem-solving and experience,” Miller told Dice. “Experience in general computing and a strong grasp of general security concepts. Penetration testing is a vast field with some common specialties being network, application, social engineering, cloud and embedded devices and hardware. Some testers will have a vast knowledge of several domains while some prefer to deep dive into one field or even specific application stacks.”

Pen Tester: What Soft Skills Are Needed?

No cybersecurity jobs discussion is complete without looking at what so-called “soft skills” are needed to help a career along. While certifications and academia tend to focus on technical skills, experts see business or soft skills, such as writing and communication, as keys to success.

“Many jobs provide skills that are directly transferrable to penetration testing. The most obvious are other IT positions such as systems administrators or help desk; however, most penetration testing jobs either involve working internally at a large company or conducting penetration tests as a consultant,” Giles said. “For these roles, many traditional business skills are directly transferable.”

These types of business and soft skills can include:
 

  • Communication
  • Public speaking
  • Explaining technical subjects
  • Organization
  • Time management
  • Problem-solving
  • Critical thinking
  • Self-awareness

Pen Tester: What Type of Career Path Do You Take?

While enterprises and other organizations are eager to hire pen testers to bolster security, experts note that candidates need to ask: What kind of pen tester do they want to be? Is the goal to research and find vulnerabilities in hardware and software? Or should pen testers focus on longer-term business goals?

Warren Kopp, a senior manager at consulting firm Coalfire, sees an increasing amount of nuance in a pen tester career path.

“Sometimes pen testers are researchers, finding new vulnerabilities and classes of flaws. Sometimes pen testers are leaders and entrepreneurs as they find new, different, or better ways to approach business problems. Many companies are hiring their internal pentest teams and consultancies are growing as well. Pen testing is not restricted to a single role or title,” Kopp told Dice.

“Experience with finding flaws, building attacks and using them to subvert access can be transferred continuously from one job to the next,” Kopp added. “Changing roles may be more about following your interests to a particular field, business sector or methodology. My career pivoted from pen testing to security program development because I found I enjoyed the people problems more than the technological ones.”

Other industry experts noted that as newer technologies come into use, such as generative artificial intelligence, pen testers have new opportunities if they adjust their skills.

“As technology adapts, the key vulnerabilities do, too,” John Bambenek, principal threat hunter at Netenrich, told Dice. “A few years ago, there was a focus on automobile pen testing. Today there is a focus on finding vulnerabilities in A.I. and machine learning. Look at whatever is the ‘hot’ new tech thing… then figure out how to break it.”