Penetration testers simulate cyberattacks in order to identify and report security flaws on computer systems, networks and infrastructure, including internet sites
As a penetration tester, you will perform authorised tests on computer systems in order to expose weaknesses in their security that could be exploited by criminals. You can choose to specialise in manipulating a particular type of system, such as:
- networks and infrastructures
- Windows, Linux and Mac operating systems
- embedded computer systems
- web/mobile applications
- SCADA (supervisory control and data acquisition) control systems
- Internet of Things (IoTs).
As well as identifying problems, you may also provide advice on how to minimise risks.
You may work in-house for large companies where system security is a crucial function. However, more commonly you'll work for a security consultancy or risk management organisation, where you'll work with external clients testing the vulnerability of their systems. It's also possible to work on a freelance basis, by securing contracts from organisations.
Penetration testers are also known as pen testers or ethical hackers.
As a penetration tester, you'll understand complex computer systems and technical cyber security terms. You'll need to:
- work with clients to determine their requirements from the test, for example the number and type of systems they would like testing
- plan and create penetration methods, scripts and tests
- carry out remote testing of a client's network or onsite testing of their infrastructure to expose weaknesses in security
- simulate security breaches to test a system's relative security
- create reports and recommendations from your findings, including the security issues uncovered and level of risk
- advise on methods to fix or lower security risks to systems
- present your findings, risks and conclusions to management and other relevant parties
- consider the impact your 'attack' will have on the business and its users
- understand how the flaws that you identify could affect a business, or business function, if they're not fixed.
- Starting salaries for graduate or junior penetration testers typically fall between £20,000 and £30,000.
- With experience you can earn between £40,000 and £65,000, rising to £70,000 for senior and team leader roles. However, this figure can be significantly higher depending on the industry you work in.
- Freelance penetration testers can expect to earn in the region of £400 to £500 per day.
Salaries vary depending on a range of factors including your skills, experience and qualifications, your location, the type of employer you work for (e.g. in-house or consultancy) and the sector you work in.
You'll usually receive a range of employee benefits that may include bonuses, a company pension scheme, private medical insurance, gym membership and sponsored training and development opportunities.
Income figures are intended as a guide only.
A 37-hour working week is standard in this role, but flexible working practices are common and you may need to work outside of a typical 9am to 5pm pattern.
As many penetration testers work from home and remotely (from locations outside of the organisation's workplace), you'll sometimes be able to choose your working hours.
Part-time work is possible. Short-term contracts and freelance work are also available. With several years' experience, you can move into self-employed or consultancy work.
What to expect
- You may work in an office, or from home, and are likely to travel frequently to meet clients (unless you work in-house). Most, if not all, of your time will be spent at a computer when not in meetings.
- Jobs are available throughout the UK and job security is generally good.
- You'll have a high level of responsibility and will need to feel comfortable with this, while at the same time maintaining a high level of concentration and attention to detail.
- Women are currently underrepresented in the profession. There are various schemes around to encourage more women into penetration testing and other technical roles. These include WISE (Women into Science, Technology, Engineering and Mathematics), Cyber Security Challenge UK, WeAreTechWomen and Girl Geeks.
- There are opportunities for qualified cyber security experts to work overseas.
To enter this industry, you'll usually need a relevant degree, in-depth knowledge of computer operating systems and at least two to four years of experience in a role related to information security.
Useful degree subjects include:
- computer science
- computing and information systems
- cyber security
- forensic computing
- network management
- computer systems engineering.
You're unlikely to go straight from graduation into a penetration tester role and will usually need some industry experience. However, some organisations have started to offer graduate penetration tester roles. Where graduate entry roles are offered, there are likely to be high levels of competition.
If your degree is in an unrelated subject, studying for an information security related postgraduate qualification could enhance your employability prospects in the cyber security sector. You could then work your way up to penetration testing roles. Search for postgraduate courses in cyber security.
It's also possible to take a degree apprenticeship in cyber security, combining work with part-time study at university.
As well as relevant degree qualifications, you'll often be expected to have one or more professional qualifications (trainee and graduate roles will usually include training and certification in these qualifications as part of the role). These include:
- CREST Registered Penetration Tester (CRT)
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH) Certification
- GIAC Penetration Tester (GPEN) Certification
- company certification schemes from major vendors and equipment providers like Microsoft (MCP, MCSE) or Cisco (CCNA Security).
You may gain these qualifications and certifications through cyber security roles, but some can be obtained through self-study. Take a look at job adverts for penetration testers to get a feel for which certifications employers are looking for.
It's also possible to work as a penetration tester without a degree if you have significant experience in information security and hold industry certifications.
You may need to undertake security clearance checks when applying for jobs.
You'll need to have:
- an in-depth understanding of computer systems and their operation
- excellent spoken and written communication to explain your methods to a technical and non-technical audience
- attention to detail, to be able to plan and execute tests while considering client requirements
- the ability to think creatively and strategically to penetrate security systems
- good time management and organisational skills to meet client deadlines
- ethical integrity to be trusted with a high level of confidential information
- the ability to think laterally and 'outside the box'
- teamwork skills, to support colleagues and share techniques
- exceptional analytical and problem-solving skills and the persistence to apply different techniques to get the job done
- business skills to understand the implications of any weaknesses you find
- commitment to continuously updating your technical knowledge base.
You should get as much relevant experience as possible so you can demonstrate and develop your skills and build contacts. There are a growing number of cyber security related work experience schemes and activities available.
CREST offers a Student Membership scheme, which is free to students studying information security-related degree programmes. A benefit of this membership is that CREST link students who are looking for experience to CREST approved organisations who may offer you a placement, internship or shadowing opportunity.
The Cyber Security Challenge UK, a series of competitions designed to test your cyber security skills, is another source of opportunities including virtual areas designed to support and enhance cyber talents through gamification. CyPhinx is one of these virtual areas and is relevant for all people from beginners to professionals in industry. A useful feature of the site is the 'lobby' area, where employers view the performance of 'players' and can network with you.
Other useful activities include capture the flag (CTF) events, where teams or individuals have to hack and defend systems in order to 'capture' a file or code. This type of exercise gives you the chance to hone your cyber security skills and develop your network. Learn more about what Cyber Security Challenge UK do.
You may also consider broader experience in IT development and programming, as these fields provide essential foundations of knowledge for penetration testers. Internships and sandwich-placement opportunities are available in these roles and can be found on large jobsites or by speculatively contacting employers.
Other useful activities include following security experts on Twitter, setting up a LinkedIn profile and joining security groups, attending industry conferences and events, and reading cyber security publications, websites and blogs.
There are opportunities to work as a penetration tester across both the public and private sector, on an employed or freelance (contract) basis.
Typical employers include security consultancy firms who employ penetration testers to work on client contracts. You can also work in-house for national and multinational companies such as financial services, utilities companies or government organisations, as well as for small and medium-sized companies.
Look for job vacancies at:
It's common to find work in this industry by making targeted speculative applications directly to companies. This can be an especially successful approach if you're looking for work with small and medium-sized organisations, who may be more likely to take on less experienced penetration testers.
CREST has a list of accredited companies providing penetration testing, which you could use to target companies.
Continuing professional development (CPD) forms a vital part of your career as you'll be expected to stay ahead of new hacking methods by keeping your skills and knowledge up to date. You'll need to keep on top of current technologies and how they may be exploited by criminals.
There are some graduate schemes available, which will usually provide a structured development programme, mentoring and the opportunity to undertake placements in various departments.
It's common to undertake industry-specific qualifications to demonstrate your understanding, knowledge and experience. Professional industry qualifications are offered by a number of organisations, most of whom offer varying levels of accreditation from entry level through to managerial level. These include:
The CHECK scheme allows companies approved by the National Cyber Security Centre (NCSC) to provide qualified penetration testers to work on IT systems for the government and other public sector bodies. To qualify as a CHECK team member (CTM) or team leader (CTL), you'll need to pass an NCSC-accredited CREST, Tiger Scheme or Cyber Scheme examination.
Other relevant qualifications include:
For senior level roles, it's often a prerequisite to hold one or more of the advanced certifications, such as the CTL or the CREST Certified Practitioner qualification.
Your first role will typically be in a junior systems administrator, IT development or IT support role. With experience and relevant professional qualifications, you can move into the role of penetration tester.
After working as a penetration tester for around three to five years, you can progress into a team leader position. Then, with a further two to three years of experience as a team leader, you'll be considered for larger-scale project leader and management roles and will also be considered to be a specialist practitioner.
With several years' experience, you can move into consultancy work or set up as a self-employed penetration tester.
Career prospects are good at all levels for people with the right combination of skills, qualifications and experience.