The role of penetration tester will suit you if you're a lateral thinker and have excellent attention to detail, analytical skills and strong technical abilities
As a penetration tester, you'll simulate cyber attacks in order to identify and report security flaws on computer systems, networks and infrastructure, including internet sites.
You can choose to specialise in manipulating a particular type of system, such as:
- Windows, Linux and Mac operating systems
- embedded computer systems
- SCADA (supervisory control and data acquisition) control systems
- Internet of Things (IoTs).
You may work in-house for large companies where system security is a crucial function. However, more commonly you'll work for a security consultancy or risk management organisation, where you'll work with external clients testing the vulnerability of their systems. It's also possible to work on a freelance basis, by securing contracts from organisations.
Penetration testers are also known as pen testers or ethical hackers.
As a penetration tester, you'll need to:
- understand complex computer systems and technical cyber security terms
- carry out remote testing of a client's network or onsite testing of their infrastructure to expose weaknesses in security
- work with clients to determine their requirements from the test, for example the number and type of systems they would like testing
- plan and create penetration methods, scripts and tests
- advise on methods to fix or lower security risks to systems
- consider the impact your 'attack' will have on the business and its users
- create reports and recommendations from your findings
- present your findings, risks and conclusions to both technical and non-technical audiences
- understand how the flaws that you identify could affect a business, or business function, if they're not fixed.
- Starting salaries for graduate or junior penetration testers typically fall between £20,000 and £30,000.
- With experience you can earn between £40,000 and £65,000, rising to in the region of £70,000 for senior and team leader roles. However, this figure can be significantly higher depending on the industry you work in.
- Freelance penetration testers can expect to earn in the region of £400 to £500 per day.
As an employee, you'll usually receive a range of employee benefits such as a company car, bonuses and sponsored training and development opportunities.
Income figures are intended as a guide only.
A 37-hour working week is standard in this role, but flexible working practices are common and you may need to work outside of a typical 9am to 5pm pattern.
As many penetration testers work from home and remotely (from locations outside of the organisation's workplace), you'll sometimes be able to choose your working hours.
Part-time work is possible, but not as common as full-time roles. Short-term contracts and freelance work are also readily available. With several years' experience, you can move into self-employed or consultancy work.
What to expect
- You may work in an office, or from home, and are likely to travel frequently to meet clients (unless you work in-house). Most, if not all, of your time will be spent at a computer when not in meetings.
- Jobs are mainly available in the South East of England, although most regions within the UK will have some vacancies, and consultants can work anywhere. Job security is good.
- You'll have a high level of responsibility and will need to feel comfortable with this, whilst at the same time maintaining a high level of concentration and attention to detail.
- Most professionals in this role are currently male. However, there are various schemes around to encourage more women into penetration testing and other technical roles, such as WISE (Women into Science, Technology, Engineering and Mathematics), Cyber Security Challenge UK, WSS (Women's Security Society) and Girl Geeks.
- You'll need to dress smartly when meeting clients.
To enter this industry, you'll usually need a relevant degree, in-depth knowledge of computer operating systems and at least two to four years of experience in a role related to information security.
Useful degree subjects include:
- computer science
- cyber security
- forensic computing
- computing and information systems
- network management
- computer systems engineering.
You're unlikely to go straight from graduation into a penetration tester role and will usually need some industry experience. However, some organisations have started to offer graduate penetration tester roles. Where graduate entry roles are offered, there are likely to be high levels of competition.
If you've got a related degree, further relevant study at postgraduate level could allow you to enter straight into trainee roles without several years of industry experience. If your degree is in an unrelated subject, studying for an information security related postgraduate qualification could enhance your employability prospects in the cyber security sector. You could then work your way up to penetration testing roles.
As well as relevant degree qualifications, you'll often be expected to have one or more professional qualifications (trainee and graduate roles will usually include training and certification in these qualifications as part of the role). These include:
- GIAC Penetration Tester (GPEN) Certification
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH) Certification
- company certification schemes from major vendors and equipment providers like Microsoft (MCP, MCSE) or CISCO (CCNA Security).
You may gain these qualifications and certifications through cyber security roles, but some can be obtained through self-study.
It's possible to work as a penetration tester without a degree if you have significant experience in information security and hold industry certifications.
The UK has a growing reputation as a world leader in the cyber security industry. However, there is a current skills shortage in this area, so if you're appropriately skilled and qualified you should be able to easily find roles.
You may need to undertake security clearance checks when applying for jobs.
You'll need to have:
- excellent spoken and written communication to explain your methods to a technical and non-technical audience
- an in-depth understanding of computer systems and their operation
- attention to detail, to be able to plan and execute tests whilst considering client requirements
- the ability to think creatively and strategically to penetrate security systems
- good time management and organisational skills to meet strict client deadlines
- ethical integrity to be trusted with a high level of confidential information
- commitment to continuously updating your technical knowledge base
- teamwork skills, to support colleagues and share techniques
- exceptional problem-solving skills and the persistence to apply different techniques to get the job done.
You should get as much relevant experience as possible so you can demonstrate and develop your skills and build contacts. There are a growing number of cyber security related work experience schemes and activities available.
CREST offers a Student Membership scheme, which is free to students studying information security-related degree programmes. A benefit of this membership is that CREST link students who are looking for experience to CREST approved organisations who may offer you a placement, internship or shadowing opportunity.
The Cyber Security Challenge UK, a series of competitions designed to test your cyber security skills, is another source of opportunities including virtual areas designed to support and enhance cyber talents through gamification. CyPhinx is one of these virtual areas and is relevant for all people from beginners to professionals in industry. A useful feature of the site is the 'lobby' area, where employers view the performance of 'players' and can network with you.
Other useful activities include capture the flag (CTF) events, where teams or individuals have to hack and defend systems in order to 'capture' a file or code. This type of exercise gives you the chance to hone your cyber security skills and develop your network. See Cyber Security Challenge UK's list of upcoming events.
You may also consider broader experience in IT development and programming, as these fields provide essential foundations of knowledge for penetration testers. Internships and sandwich-placement opportunities are available in these roles and can be found on large jobsites or by speculatively contacting employers.
There are lots of opportunities to work as a penetration tester across both the public and private sector, on an employed or freelance (contract) basis.
Typical employers include large companies such as financial services or government organisatians, as well as small and medium-sized companies. IT security consultancy firms also employ penetration testers.
Look for job vacancies at:
It's common to find work in this industry by making targeted speculative applications directly to companies. This can be an especially successful approach if you're looking for work with small and medium-sized organisations, who are more likely to take on less experienced penetration testers.
CREST has a list of member companies providing penetration testing, which you could use to target companies. They also have an approved list of contractors, so if you want to work as a freelancer, being on this list could provide a good source of publicity and credibility for your services.
Continuing professional development (CPD) forms a vital part of your career as you'll be expected to stay ahead of new hacking methods by keeping your skills and knowledge up to date.
It's common to undertake industry-specific qualifications to demonstrate your understanding, knowledge and experience. Professional industry qualifications are offered by a number of organisations, most of whom offer varying levels of accreditation from entry level through to managerial level. These include:
The CHECK scheme allows companies approved by the National Cyber Security Centre (NCSC) to provide qualified penetration testers to work on IT systems for the government and other public sector bodies. To qualify as a CHECK team member (CTM) or team leader (CTL), you'll need to pass an NCSC-accredited CREST, Tiger Scheme or Cyber Scheme examination.
Other relevant qualifications include:
For senior level roles, it's often a prerequisite to hold one or more of the advanced certifications, such as the CTL or CREST Certified Practitioner qualification.
Your first role will typically be in a junior systems administrator, IT development or IT support role. With experience and relevant professional qualifications, you can move into the role of penetration tester.
After working as a penetration tester for around three to five years, you can progress into a team leader position. Then, with a further two to three years of experience as a team leader, you'll be considered for larger-scale project leader and management roles and will also be considered to be a specialist practitioner.
With several years' experience, you can move into consultancy work or set up as a self-employed penetration tester.
Career prospects are good at all levels for people with the right combination of skills, qualifications and experience.