What is a penetration tester? Cybersecurity roles explained

Cybersecurity is a big field with a wide range of roles, from SOC analysts to threat hunters. However, none is so iconic in the public’s mind as a penetration tester: that stereotypical hacker-in-a-hoodie who’s learned to use the bad guy’s techniques to crack into systems, but all for the public good.

In this article, we’ll peel back the Hollywood mystique around what penetration testers actually do, the technical and soft skills you’d need to make this a career, and what resources you can use to get them.

What a penetration tester is

A penetration tester’s job is to find weaknesses in a network, application, or system so its owners can patch these holes before actual bad guys exploit it (called “threat actors” in cybersecurity). Typically, this is done by simulating a cyber attack and reporting the findings.  They are also known as red teamers or offensive cybersecurity. 

Typically, pen testers are hired by other companies to test their infrastructure. Why? Internal cybersecurity teams typically have an unfair advantage, because they have all the “under-the-hood” knowledge of the company’s systems, making it a less authentic simulation of what would happen with a real-world attack. 

What are a penetration tester’s role responsibilities?

A typical pen tester position tends to have the following role responsibilities:

• Being able to understand a Scope of Work (SOW) and work within them professionally to meet customer expectations.
• Performing vulnerability assessments and penetration testing using commercial and open-source tools.
• Conducting pen testing in line with established frameworks (E.g. OWASP).
• Exploiting security flaws and vulnerabilities with attack simulations against specific customer systems and networks within the SOW.
• Being able to provide security assessments of technologies in networks, applications, and systems, as well as social engineering attacks.
• Review and analyze security vulnerability data to identify applicability and false positives.
• Ability to solve technical problems and articulate to non-IT personnel.
• Ability to research and develop testing tools, techniques, and process improvements.
• Knowledge of well-known information security requirements (E.g. PCI DSS, HIPAA, etc).

All of this might sound frankly overwhelming if you're brand new to cybersecurity or to the field of IT in general. Deep breaths! For now, just know there are a lot of great avenues to pick up all these skills, all without having to have a full-time job in cybersecurity. We’ll cover these later in the article.

Does penetration testing pay well?

It depends on several factors, with location being the biggest, but generally yes. According to Talent.com, penetration testers make on average $132k USD a year, or $58 an hour. It’s not uncommon to experience strong year-on-year wage growth, with starters earning $72k in their first role and over $150k later in their career.

What does a day in the life of a penetration tester look like?

“Like incident responders and SOC analysts, vulnerability and penetration testers never experience the exact same day twice,”  Pluralsight’s Cyber Threat Analyst, Ammon Rhode says. “But they do perform certain activities on a regular basis: vulnerability scanning, threat intelligence, and routine fixes.”

To read more, read our article: “A day in the life of a penetration and vulnerability tester.”

What kind of people are drawn to penetration testing?

While there’s no “recipe list” for being a pen tester, people who are attracted to the field and tend to thrive in it tend to have the following traits:

• Curiosity: “Can I break that system I’m looking at?”
• Competitiveness: “I bet I can break into that system I’m looking at.”
• Initiative: “Even though nobody’s told me to, I’m going to set time aside to break into that system.”
• Creativity and out-of-the-box thinking: “What if I create an attack with no application layer payload for the defenders to detect?”
• Adaptability: “Okay, that attack didn’t work. Let’s try something else.”
• Good communication: “All right, I’ve broken into the system. Now, how do I tell the company who owns it that their defenses are a hot mess?”

Where red team v.s. blue team comes in

Ever hear a cybersecurity expert yell out “I’m red team!” or “I’m blue team!” like they’re announcing which Hogwarts house they belong to? These are ways to refer to if someone is engaged in offensive security or defensive security.

Red team refers to a group of pen testers who are tasked with pretending to be bad actors and try to find security vulnerabilities and weaknesses (Basically, what we’ve described so far). This is also called “adversary emulation.” Meanwhile, blue team refers to defensive security experts who are putting defensive measures in place to stop these exploits from being possible. 

Picture a medieval wall. On the one side, the attackers are trying to bypass it by any means necessary—digging tunnels, tricking the guard at the gate, catapulting themselves over—while the other side is trying to stop them by putting defenses below ground level, hiring better guards, and putting nets to capture any sailing assailants on top of the wall. This is the dynamic in a nutshell, except both sides are working together to compare notes.

What should I learn to become a penetration tester?

1. Pick up some cybersecurity certifications

There are a number of industry-recognized certifications that are a great place to start if you’re thinking of becoming a pen tester, such as the Certified Informations Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Offensive Security Certified Professional (OSCP). All of these teach you relevant skills and look good on your resume. You should also look at CompTIA’s PenTest+.

Note that if you’re brand new to cybersecurity, you might want to start instead with the lighter ISC2 CC or CompTIA Security+. This will help you dip your toe in rather than going all in on something like CISSP, which can be a bit overwhelming if you’re completely fresh to IT, even if they don’t have the same industry gravitas.

Here are some expert-led Pluralsight preparation courses that can help you ace these certifications. From personal experience, the Pluralsight courses for ISC2’s CC and CISSP are particularly good, with Kevin Henry providing a very gentle and easy to understand teaching style.

• Pen testing learning pathway (This course aligns to industry-recognized frameworks for this type of professional role)
  
• Certified Ethical Hacker (CEH)
• Certified in Cybersecurity (CC)
• CompTIA Security+
• Certified Information Systems Security Professional (CISSP)

Unless you’re a recent high school graduate or at the very start of your career, I personally wouldn’t recommend going back to university to pick up a degree. In my experience, you can pick up more valuable experience in a faster, more cost-effective way through certifications, learning platforms, and hands-on projects. I know people in cybersecurity who argue both for and against it, and the only reason I can think of to do this is because you’re being blocked by overzealous HR officers who are using a degree mandate to cut down on applicants.

2. Get hands-on experience

You should always supplement your certifications with hands-on experience. I’ve written a discipline-agnostic guide on how to go about getting it here, which includes specific examples for cybersecurity projects: “5 ways to get practical experience in tech (so you can land a job).”

3. Work on your soft skills

In terms of soft skills, you should learn the following and showcase them when going for pen testing roles:

• Communication with non-technical stakeholders
• Prioritization and time management
• Good process documentation
• The ability to deliver bad news with grace
• Thinking like a hacker (Cybersecurity expert and PCI Security Standards advisor John Elliott wrote a really good piece on how to do this here.)

Soft skills often matter more than technical skills in IT, including cybersecurity. You’ll often find people are willing to forgive your temporary knowledge gaps in a tool or service than if you can’t simplify things for clients or handle your time. Thankfully, contrary to common belief, these are skills you can work on and improve (and your job prospects as a result).

4. Sign up to cybersecurity and ethical hacker news sites

I haven’t met a cybersecurity professional yet who doesn’t listen to the podcast Darknet Diaries, and strongly recommend it to anyone in the field. It’s full of stories about people who have been hacked or what people have found or done, allowing you to get into a hacker’s mind—an essential quality for any aspiring pen tester. 

Additionally, I’d suggest the following resources:

• Dark Reading
  
• Hacker News
• CyberWire Daily
• Krebs on Security
• Hacking Humans
  

Conclusion

Being a penetration tester can be an exciting and rewarding field where you get to put your creativity and ingenuity to the test, and be part of a fairly amazing global community of like-minded folks. 

If all of the above sounds like you, or even 70% of it, you might want to test the waters by sitting for a certification or engaging in a personal cybersecurity project. It might just be the career that’s the right fit for you. If not, there’s tons of other cybersecurity roles to try that might be.

Some other articles you might enjoy

If you’re interested in getting your foot in the door as a pen tester—or in cybersecurity as a whole—here are some other articles that might help you out:

Cybersecurity role series

• What is a GRC analyst?
  
• What is an SOC analyst?
• What is a security engineer?
• What is a security software developer?

General cybersecurity career article

• A day in the life of a penetration and vulnerability tester.
• How to get into cybersecurity with no prior experience
• Starting in cybersecurity: FAQs about how to get your first job
• Cybersecurity jobs: Key skills, certificates, and traits leaders want
• From Air Force pilot to CISO: How this security leader landed the top job
• 5 ways to get practical experience in tech (so you can land a job)