Cyber penetration testers are in high demand. Every public and private organization in the nation is eager to bolster its security systems and penetration testers are there to ensure that everything is watertight. To become a penetration tester, you'll need to have loads of talent with computer programming, networking, and database technology, among other skill sets.
Most employers are seeking workers with a technical degree but also professional certifications in information security, including penetration testing credentials. While these employers are posting salaries that extend past $100k, they don't ask for much experience in the field. Thus, for those who have worked hard at their credentials, this is a highly rewarding career path.
What is a Cyber Penetration Tester?
A cyber penetration tester is a high-tech security professional whose job it is to hack into systems. They are often called white hat hackers because their purpose is to find weaknesses in a cyber security system so that they might be strengthened. Penetration testers (also known as pen. testers) often enter this specialty area after many years of work in the information security (InfoSec) field.
Steps to Becoming a Cybersecurity Penetration Tester
The first step to becoming a penetration tester is to discover a natural talent for technology, including mathematics. Many successful penetration testers began coding small projects in high school, if not before. They might also have built fun projects with an Arduino kit and might have built computers for their friends.
It's also important for future technology professionals to have strong math skills as well as keen problem-solving abilities. Youngsters who enjoy logic puzzles and even the games Chess or Go can demonstrate the sort of talent that will come in handy as a penetration tester.
On top of this, future penetration testers might have a deep dislike for injustices involving theft and deception. They could also express an early fascination with devising strong passwords for their computers and devices. Others might enjoy sleuthing and may enjoy games that involve uncovering a mystery. All of this adds up to a natural inclination towards both technology and securing information from bad guys.
Once it’s established that they want to become involved in information security and penetration testing, young people should not only work on their skills in and out of their school environment, but they should seek a college degree. For those who know that penetration testing and cyber security is their goal, they should seek out a bachelor degree program that has a strong reputation.
In particular, aspiring pen. testers need to find a program that is accredited by ABET or is considered a Center for Academic Excellence (CAE). The CAE credential is bestowed through a cooperation between the National Security Agency and the Department of Homeland Security. CAE programs are considered some of the best cyber security programs in the nation.
There are CAE accredited programs at the associate, bachelor's, and master’s degree levels. Since there are few of these programs available, a program with ABET credentials will suffice for many positions. ABET isn't specific to cyber security but it is considered a gold standard for STEM programs.
After they've earned their first cyber security (or computer science) degree, future penetration testers should seek that all-important entry-level position in a department that focuses on InfoSec. Once that job is underway, it's time for more learning and added credentials. The easiest way to start bolstering a resume is by earning professional certifications in specific areas and technologies.
There is a dizzying array of certifications available for cyber security professionals. Some certificate programs have prerequisites, such as a master’s degree or five years of experience. However, professionals with an associate or bachelor's degree in cyber security, computer science, or information technology can find ample choices. For instance, the Infosec Institute offers a certificate in ethical hacking that is available to anyone. In fact, those who have strong competencies with Windows OS and Linux can sign up and start learning.
There are also many other organizations that offer cyber security certifications such as NICCS, (ISC)2, ISACA, AWS, and many more.
After several years of work with an undergraduate cyber security degree and perhaps several certificates, it'll be time to think about graduate school. Cyber security and information security professionals have a few options for their advanced degree. Some may stick with a purely technological degree, such as a Master of Science in Computer Science, or a Master of Information Security. However, others might start to veer towards management and business.
Those who are seeking the c-suites and upper-level management positions can look for an MBA degree that includes a concentration in information security. Alternatively, students might look for a dual-MBA program that teams a traditional MBA with a master’s degree in cyber security, information security, or computer science (with a focus on InfoSec).
However, those who wish to stick with a purely technical path, a MIS or other technology degree will be optimal. There are bound to be master’s degree programs that feature coursework in penetration testing. With a graduate degree in information security or cyber security, it will be easy to become a highly sought professional in the field.
What Does a Cyber Penetration Tester Do?
A cyber pen. tester has a very interesting work life. They are known to spend many hours conducting research into their field. They might investigate the methods currently in use by black hat hackers so that they know what companies and governments are up against in the cyber security realm. They also investigate current cyber security tools, including software and hardware security solutions, with the purpose of discovering their weaknesses.
The more exciting part of pen. testing comes when they attempt to hack into a system. Once the pen. tester has evaluated possible weak spots in the cyber security system of their client or employer, they seek to exploit them. This might involve any methods, including trying to trick employees into giving up passwords over the phone or email. They might even use email phishing scams to help gather passwords or other valuable information.
Once a pen. tester has completed their hacking duties, they prepare a report for their employer or client. These reports detail their methods and the results of the tests. They might include suggestions for improvements to a network's security protocols, including new software or hardware. The penetration tester might even coordinate with a security architect to help them design or redesign the security systems.
Cyber Penetration Tester Skills to Acquire
There are many computer languages that will come in handy as a penetration tester. One of the more prominent languages is Python, which is lauded for its usability.
In order to hack into a network, it will first be important to fully understand how networks work. This vital skill can be obtained through most any InfoSec degree program and there are also non-academic programs that teach this vital skill.
- Linux OS:
This operating system is nearly ubiquitous in the tech world. It's even now found at the core of Windows and the MacOS. Once this OS is mastered, the others may come more easily.
- Windows OS:
Most people use Windows in their daily computing. For cyber security and cyber penetration testing, it will be important to have a strong competency in the Windows Server technology.
- Technical Writing and Communication:
This is one of the soft skills that is vital to most positions in computer science. This is because the results of a pen. test need to be reported to people who may not be tech-savvy. Thus, being able to clearly communicate complex concepts and procedures without overwhelming the audience with jargon and tech-speak is vital to ultimate success.
- Database Management:
Since most black hat hackers are seeking the bounty that lies in databases, a pen. tester must be fully versed in that technology. Thus, knowledge of SQL and other database-specific languages and technologies is vital.
There are many alternative paths to become a cyber penetration tester. For starters, tech-savvy individuals can teach themselves computer languages and even the basics of ethical hacking. There are many books and online resources that teach languages and more. For less than fifty dollars, it's possible to take an online course in ethical hacking or a computer programming language. Consider that one of the more infamous cyber security professionals, Edward Snowden, was completely self-taught. However, these days it will be important to show proof of this knowledge so that hiring managers take notice.
With a strong knowledge base, an aspiring penetration tester can take courses that lead to a non-academic certification. Since cyber security skills are in high demand, a professional who achieves one of these certificates is sure to land an interview with a top firm. It may even be possible to start working as a freelancer and thus build a resume filled with successful penetration tests.
While self-teaching the ins-and-outs of information security, a way to get one's foot in the door is to land an administrative job with an information technology department. This way, it will be easier to receive a promotion and even do some on-the-job training prior to landing the new cyber security job.
Cyber Penetration Tester Career & Salary
Where Might You Work?
Penetration testers are tech workers who spend all of their time on the computer, often combing through pages and pages of code. As such, these information security workers are generally found working in offices. However, that may be changing due to the rise in remote work. Penetration testers may be particularly good candidates for remote work since their job is to break into systems from outside.
Pen. testers also might do their work in a rather clandestine manner. That is, part of their testing will involve trying to cajole humans out of their passwords. For that reason, many pen. testers are outside consultants who may only be known to a select few executives.
Since many cyber penetration testers are outside consultants, they might need to travel a good deal for work. While they might be able to conduct their hacking operations from virtually anywhere in the world, they likely need to visit their client to present their findings. Depending on the client and the conditions of the project's contract, pen. testers might even be asked to conduct informational seminars for a company's employees, including upper management.
Cyber security experts are in high demand these days. Not a month (or less) goes by without a mention of a colossal breach of security at some major firm. Facebook and its subsidiaries have been hacked multiple times. A major credit reporting agency was breached several years ago, and many more such breaches may go unreported, if they are detected at all. Thus, since so much is on the line, every public and private entity is clamoring for the very best cyber security team to help keep its intellectual assets safe and sound.
The outlook for cyber pen. testers is rather rosy, according to the U.S. Bureau of Labor Statistics (BLS). Though the BLS doesn't track penetration testers specifically, they do keep statistics on information security analysts. That employment sector is expected to grow by 31% through 2029. On top of that, InfoSec analysts earn a median salary of over $100,000 with a typical education level of a bachelor's degree. Meanwhile, Payscale.com reports that penetration testers earn an average of $86,000 in base salary. Note that many tech workers may also receive healthy bonuses that are not tracked by these organizations.
By way of comparison, the BLS reports that computer and information research scientists earn over $126,000 and typically hold a master's degree. Their field is expected to grow by 15% through 2029.
The market for penetration testers is very hot right now. In the parlance of real estate, it's a seller's market. That is to say that those with cyber security credentials will find it rather easy to land a position in their field. When reviewing the job market, it's clear that the salaries for penetration testers is quite high with relatively few years of experience. However, the employers also like to see top notch credentials that include four or more certifications and knowledge of multiple programming languages. It's also easy to see that once hired as a penetration tester, employees will be expected to log extensive hours every week. Penetration testers are well-compensated, but they also work hard for their pay.
- Pen Testing Engineer:
The salary range for this position goes as high as $130,000 and usually requires around three years of experience. These positions can be carried out mostly remotely, though even remote employees may be required to go into the office for meetings.
- Penetration Tester:
The pay range for this position starts at $50,000 but goes as high as $130,000. Many employers are looking for experienced employees, but others are willing to help you learn on the job as long as you have the appropriate education under your belt. Preferred certifications include: OSCP, OSWP, GPEN, GWAPT, AWAE, CISSP, CISA, and CEH. On top of this, some employers ask that applicants be proficient in programming languages such as C, C#, C++, Java, and J2EE, among others.
- Penetration Tester – Advisory Consultant:
Consultant positions may pay up to $117,000+, with bonus and a benefits packages that could include tuition reimbursement, paid time off, and parental leave. OSCP, GPEN, and GWAPT are desired certifications but, just as employers vary greatly, the requirements and other credentials that may be considered acceptable can also vary.
Find Cyber Penetration Tester Jobs Near You
Advancing from Here
Penetration testers can go far indeed. Since the field tends to require a bachelor's degree, those who earn higher degrees are sure to receive even higher pay and more responsibilities. Penetration testers who spend five or more years in the field and who return to school for a master's degree are sure to land jobs in upper management. Further, after a bit of time in the field, pen. testers may consider opening their own consultancies. Others who have a vision might seek venture capital to fund the next best security software package.
Computer Career Paths