Part 1 – Getting Started as an Industry Professional

Inti De Sekeler, head of the hacking department at security firm Intigriti, said a pentester is responsible for identifying potential vulnerabilities in systems. De Sekeler also noted that ethical hackers and pentesters are different specialists, contrary to popular belief.

According to him, ethical hackers are more focused on identifying real current cybersecurity issues than reporting vulnerabilities. And pentesters can also give advice on future potential vulnerabilities in systems.

What does a pentester do?

The penetration testing process involves working with clients to determine their requirements and create appropriate tests using both manual methods and automated tools. Security vulnerability testing can be done locally or remotely.

Each step is documented, reports and recommendations are provided to the client, and any changes are reviewed at the end of the process. Advice can also be given on potential future security issues based on current configurations and architecture.

Pentesters can work both within a company or government agency, monitoring applications, network devices and cloud infrastructures, or in a security firm, where they work on client contracts or on a freelance basis.

How in-demand is the job of a pentester?

According to the US Bureau of Labor Statistics (BLS), between 2021 and 2031, the number of information security professionals, including penetration testers, is expected to grow by 35%. This is much faster than the average for all professions in the US.

This growth is fueled by increasingly stringent legal requirements requiring companies to prove that their products are being tested for security vulnerabilities.

Despite the fact that more schools and universities offer training in ethical hacking, there is still a shortage of information security specialists, including pentesters, according to De Sekeler. In general, penetration testing as a profession has become more popular over the years, but the demand for penetration testers is growing even faster, especially in certain niche areas such as application testing, IoT (Internet of Things), SCADA or blockchain.

How to become a pentester?

In terms of formal qualifications, most pentesters have a degree in some IT or cybersecurity discipline.

Pentesters often start with network administration, network engineering, or web application programming before taking specialized training in ethical hacking.

There are several certification programs, many of which can be self-taught at home.

• Infosec Institute;
• The International Council of E-Commerce Consultants;
• Global Information Assurance Certification;
• CompTIA;
• Offensive Security;
• (ISC)².

In addition, notes De Sekeler, in large consulting companies, the ability to write correct and understandable reports is sometimes more important than a deep study of vulnerabilities. If you want to work as a consultant, you should take a course in technical business writing, reporting and analysis.

It is also important to have good time management skills, be able to work in a team and have a certain amount of knowledge of business processes in order to understand and communicate the consequences of any discovered vulnerabilities.

As for independent pentesters, they need to have sales and accounting skills in order to attract new clients.

Alternative Pentest Approaches

In this activity, penetration testing skills matter. In this case, you can become a specialist without an academic qualification.

Capture The Flag (CTF) competitions, in which teams or individuals hack into deliberately vulnerable systems to “capture” a file or code, will hone skills and make useful contacts for hackers. There are several CTF sites such as Hack the Box, Hack.me, Hack This Site, and WebGoat.

In addition, there are bug bounty programs in which companies pay large payouts to anyone (not just pentesters) who finds and reports vulnerabilities in the organization’s code. Bugcrowd and HackerOne have lists of available bounties.

SpiderLabs director Ed Williams recommends improving your profile by showing your knowledge and commitment to success in the profession. To do this, he advises to adhere to the following rules:

• maintain a thematic blog;
• understand how things work;
• constantly practice;
• write code to automate tasks;
• publish code on GitHub.

Many penetration testers find work by approaching companies directly for specs, which can be a particularly effective strategy in smaller organizations.

Types of employment

Large organizations may have their own team of information security specialists, and projects are focused exclusively on the company’s own systems.

Smaller companies may turn to other security firms, where hired pentesters work on many projects.

Another option is to become a freelancer. Assemble your own set of skills and methodologies to further earn yourself a good reputation.

How much does a pentester earn?

By dataPayscale, in the US, a pentester salary starts at $58,000 and the average annual salary is $88,500. Bonuses can add about $20,000 more.

By data Indeed, in the UK the starting salary for a pentester is about $36,000, while the average base salary is about $67,000.

Freelance rates vary greatly depending on the experience and complexity of the job, but tend to be in the hundreds of dollars a day. The specialist may eventually be promoted to a higher and more lucrative position, such as Chief Information Security Officer (CISO).

What are the benefits of being a pentester?

Pentest involves solving many problems and can offer freelancers a lot of flexibility.

Ed Williams, director of SpiderLabs, thinks being a pentester is the best job in the world. “You’re actively encouraged to hack things and help organizations improve their security” – what’s not to like about that? He also said that pentesting even allowed him to travel the world.

What are the disadvantages of a pentester?

Sometimes some companies are not interested in assessing the security and fixing vulnerabilities in their systems.

Dave Miller, head of the cybersecurity team at Cyllective, noted that a large number of companies still need proper security testing. Firms order a penetration test to verify compliance because a client or regulator has asked them to do so.

Ed Williams stated that the job of a pentester, on the other hand, can be very stressful with all the stress that comes with it. Cyberspace is constantly changing, and keeping up with it is a difficult task that takes a very long time. Quite often, people burn out simply by working too hard and end up quitting the pentest, which is bad for the profession and the industry.

Conclusion

In this article, we have analyzed the main details of the work that a novice information security specialist may encounter. We also looked at certification options for a pentester, as well as places to practice your abilities. Moreover, a good specialist receives a decent salary, interesting tasks, many useful contacts and increased confidence of colleagues.