Blog
Oct 4, 2022
See Yourself in Cyber with OffSec: Penetration Testing
As part of the Cybersecurity Awareness Month 2022, we share a complete guide to starting a career as a penetration tester.
9 min read
The Cybersecurity Awareness Month 2022 has officially started! This year’s theme “See Yourself in Cyber” demonstrates that while cybersecurity may seem like a complex subject, it’s ultimately all about people. With the global need for skilled workers to meet the cybersecurity challenges of tomorrow, it’s the ideal time to start thinking about and working towards a successful career in cybersecurity.
As part of CSA, we will be sharing the “See Yourself in Cyber with OffSec” blog series where we will detail each of the cybersecurity skill paths offered by OffSec so you can better determine in what role you see yourself.
Discover how our industry-leading training and certifications can help you achieve your training and career goals.
Modern organizations have increased the complexity of their IT infrastructures. And malicious actors continuously attempt to take advantage of this complexity to find vulnerabilities in systems, networks, and applications.
In this ever-evolving field of information security, a penetration testing career is something that remains in demand.
Penetration testing (also known as pentesting) is an offensive cybersecurity approach that identifies weaknesses and vulnerabilities before malicious actors do. The goal of a pentest is to emulate all possible ways an attacker could penetrate a given computer system, find security gaps and vulnerabilities, and produce findings that will steer further actions for remediation. This ultimately helps organizations improve their security posture and proactively protect against cyber attacks and data breaches.
It is important to understand what a penetration testing career entails before you begin your training and learning journey so you can take the right steps towards this rewarding career.
Why should you pursue a career in penetration testing
Penetration testing is a growing field that offers promising career opportunities for ambitious cybersecurity practitioners.
The average base salary of a penetration tester in 2022 is reported to be $88,206 per year.
A penetration testing career is rewarding in the monetary sense but also in terms of job satisfaction and career progression. It’s a fast-paced and challenging career path, making it appealing to many trying to break into the industry. Pentesters need to be creative, innovate in their techniques, and constantly stay up-to-date on recent developments and the threat landscape, making it an engaging career path.
Penetration tester tasks and responsibilities
The day-to-day tasks and responsibilities for pentesters depend on the project, organization, and scope but the usual workflow includes planning and launching assessments, writing reports, debriefing clients, and providing recommendations for security improvements. You may work at a customer site or work from your own home.
Some of the specific tasks penetration testers do as part of their assessments are:
- Testing applications, cloud infrastructures, and network devices
- Researching and executing different types of attacks
- Automating common scanning and testing techniques
- Performing code reviews
- Performing social engineering attacks
- Documenting security and compliance violations and issues
- Writing technical reports
- Suggesting remediation activities
- Communicating findings to stakeholders and executive leadership
- Validating new security controls and processes with further testing
Top skills needed to become penetration tester
Pentesting can be a competitive field and while there is plenty of job openings, it can be challenging to get the initial entry-level role. Aspiring pentesters need to maintain and demonstrate their skills in order to stand out from the crowd.
The foundational knowledge required to become a pentester is commonly developed in network and system administration, software development, and other IT roles.
A solid understanding of operating systems and systems architecture is one of the key areas of a penetration tester’s skill set. Other valuable skills needed to become a successful pentester include:
1. Networking
Knowledge of networking models, computer network architecture and networking protocols is a must for any aspiring pentester. This includes the knowledge of link-layer protocols (Ethernet/ARP, VLANs, and WiFi), network-layer protocols (IPv4, IPv6, and ICMP), transport-layer protocols (TCP and UDP), and application-layer protocols (DNS, HTTP, HTTPS, DHCP, LDAP, FTP, SMTP, SSH, and others).
2. Knowledge of exploits and vulnerabilities
While pentesters employ a wide range of automated tools and vulnerability scanners to uncover security issues, it’s important to have solid knowledge that goes beyond automated approaches. And while exploit development is not a requirement for pentesting, some basic knowledge on how to adapt certain exploits to work for a given environment is a great addition to the skill set.
3. Scripting and writing code
It’s well known that pen testers with a background in programming and development have an easier time getting their start. Code can introduce significant vulnerabilities in systems and networks, so it’s good knowing where and what to look for in code analysis. There are also a few languages that can help pen testers in exploit development and for scripting their tests. At the start of the career, it’s good to focus on learning tools for code analysis and have basic competency in Python, Bash, Java, JavaScript, C, C++, and PowerShell.
4. Soft skills
Perhaps equally important as technical knowledge and skills, are the pen tester’s mindset and soft skills. The nature of pentesting work requires professionals to possess certain qualities and soft skills to be successful.
Pentesting is all about being one step ahead of bad actors which means that pen testers must constantly learn new techniques and exploits, and gain and practice new skills to be effective in their roles.
In order to effectively handle operating in unknown environments, pentesters need to have a high tolerance for uncertainty. We encourage the Try Harder mindset for a reason!
Furthermore, pentesting requires excellent problem-solving skills, determination to not give up, creativity, and the ability to think on the spot. Good communication skills to explain findings in a language understandable to non-technical individuals are also crucial. And next to good communication skills is report writing.
When working with clients, pen testers need to showcase their understanding of business objectives and key concerns, empathize with developers and IT staff, know how to set the scope and negotiate with clients and maintain a positive relationship with them over time.
Penetration testing career path
There are several ways aspiring pen testers can into the field. Usual career paths start with a background in security administration, network administration, network engineering, system administrator, or programming. However, penetration testers can follow unusual paths and come to the field from various technical and non-technical backgrounds. They usually start their career thanks to personal skills and hobbies which are followed by specialized training and certifications.
While college degrees have become commonly required for pentesters, self-taught, or individuals with degrees in other disciplines of cybersecurity or IT still have a solid entryway to the field.
Aspiring pentesters usually get their first job as Junior Penetration Testers. Middle-level roles include Penetration Tester which then advances into senior roles such as Senior Penetration Tester.
In order to land that first job as a pentester, there are several steps to take.
Start with the basics
The first step to kickstarting your pentesting career is a strong foundation. Good knowledge of the skills we highlighted above and an understanding of foundational cybersecurity concepts are crucial. There are several resources available to help you get a grasp on the fundamentals of penetration testing. OffSec’s PEN-100 is the ideal training to equip aspiring pentesters with confidence towards their career goals and prepare them with prerequisites for entry-level roles.
Build a portfolio and a professional network
Before applying for pen testing roles, a good portfolio and presence in the community can be a good push. Furthermore, if you are coming from an unrelated field, a good portfolio that showcases skills and activities will get you in front of employers. You can build your pentesting portfolio by writing pentesting-related scripts or programs, and starting a blog to share your activities.
Getting involved with the community is a great way to build a presence so make sure to have a professional LinkedIn profile, connect with industry experts, and contribute to open source projects.
Take cybersecurity training and get certified
Employers commonly want to see professional certifications when they receive your resume. Taking industry-leading courses and obtaining respected certifications is an important step in any pentester’s career path.
Penetration Testing with Kali Linux (PWK/PEN-200) is a hands-on, self-study foundational course for pentesting that aims to teach the mindset, skills, and tools needed for a successful pentesting career.
Students who complete the course and pass the exam earn the coveted Offensive Security Certified Professional (OSCP) certification. The PEN-300 (Evasion Techniques and Breaching Defenses) is an advanced penetration testing course for pentesters that want to grow in their career path. This course builds on the knowledge and techniques taught in PEN-200, teaching students to perform advanced penetration tests against mature organizations with an established security function. Students who complete the course and pass the exam earn the Offensive Security Experienced Professional (OSEP) certification.
Encouraging the development of the Try Harder mentality in our students distinguishes our approach. Our courses offer the most rigorous penetration testing training in the industry. An OffSec certification is a clear sign of a skilled and experienced penetration tester.
Get your first pentesting job
Now that you have prepared your resume, and portfolio of work and have obtained professional certifications, it’s time to apply for pentesting jobs. When looking for roles to apply ensure that you apply only for those positions that are a good fit for your current skill level. While it can be challenging to find your first entry-level role, connecting with the community and organizations that are hiring at cybersecurity conferences can be beneficial.
You can download the Penetration Testing Career Path PDF for easy access to these tips!
Everyone’s path into cybersecurity is unique, especially in the pentesting field. Whatever background you are coming from, you will find that it is a career where you will be constantly learning and adapting to new challenges. This can make for an exciting and rewarding journey, and starting your cybersecurity career as a pentester can set you up for plenty higher-paying opportunities down the line.
While it might be challenging to get your initial foothold into the pentestning field, there are well-established resources that can help you get your break and beyond.
Learn Fundamentals is designed to help aspiring cybersec practicants learn technical adjacent concepts, cultivate the mindset necessary for a successful career, and provide the prerequisites for advanced courses. Check out this page to learn more.
Sara Jelen
Cybersecurity leader resources
Sign up for the Secure Leader and get the latest info on industry trends, resources and best practices for security leaders every other week
Latest from OffSec
Enterprise Security
Red Team vs Blue Team in Cybersecurity
Learn what a red team and blue team in cybersecurity are, pros and cons of both, as well as how they work together.
Dec 13, 2024
13 min read
Enterprise Security
Building a Future-Ready Cybersecurity Workforce: The OffSec Approach to Talent Development
Learn all about our recent webinar “Building a Future-Ready Cyber Workforce: The OffSec Approach to Talent Development”.
Dec 13, 2024
4 min read
Enterprise Security
How to Become the Company Top Cyber Talent Wants to Join
Become the company cybersecurity talent wants to join. Learn how to attract, assess, and retain experts with strategies that set you apart.
Dec 4, 2024
5 min read