Security concerns are everywhere these days. From Russia’s war with Ukraine to ransomware attacks affecting major enterprises and organizations to ever-present data leaks, cybersecurity is an issue that every organization faces, and the need for skilled technologists is only increasing.
These and other cyber concerns are a major reason why penetration testers (pen testers for short) remain in demand with all types of organizations, from larger enterprises to smaller firms and government agencies. Pen testers simulate malicious intrusions on IT networks and other systems to point out weaknesses within the infrastructure, helping an organization identify security holes and shore up defenses.
Much like their cybercriminal or nation-state counterparts, pen testers use a wide variety of tools to find those weak points within the infrastructure. On occasion, commercial penetration testing tools like Cobalt Strike are turned into malicious hacking tools that threat actors then use as part of their attack.
With organizations of all sizes still investing heavily in newer applications, networks and infrastructure, the need for pen testers means that technologists (whether those starting out in the field or looking to move into more lucrative positions) can seriously explore pen testing for career advancement and better pay.
“The demand for this space is growing exponentially—we have seen a barrage of breaches over the last few months, theft of data and access are the new organized crime,” said Richard Fleeman, vice president at cybersecurity consulting firm Coalfire.
“Take a look at the number of companies hiring penetration testers—you will see everything from SMBs to large corporations and consulting shops,” Fleeman added. “This is one industry where a person could quit their job—while not having a new job lined up—start searching and get hired in a week to two at a new company.”
This increasing demand and wealth of opportunities have also helped bolster salaries for pen testers, with Glassdoor estimating total pay for these jobs at about $107,000 in the U.S., with the average salary standing at approximately $90,000.
Do I Need a Cybersecurity Background for Pen Testing?
While those with cybersecurity skills have some advantages in the context of landing a pen testing job, Fleeman notes that anyone with some technical know-how can make the jump and likely find employment. For those looking to enter the field, potential employers are especially interested in those who have a background in IT or application development functions, such as network and systems administration, database administrator, software or web developer or architect.
“These professions really build out the foundational skillsets on ‘how things work,’” Fleeman recently told Dice. “Having the know-how and then pairing that with the creativity of being able to think outside the box to make ‘things’ that were designed a specific way to do stuff that it was never intended to do is much easier. This foundation also provides the fundamental knowledge on why an exploit is successful or understanding what a proof-of-concept is doing to exploit a vulnerability.”
And while many IT and security professionals have these technical backgrounds already, Fleeman noted that certain certifications can help to distinguish tech pros in the pen testing job market. For that, he recommends CompTIA’s Network+ and Security+ certifications.
What Are Other Roots to Pen Testing?
While pen testers remain in demand, there are alternative roots to entering this part of the cybersecurity profession. Since penetration testing is related to white hat or ethical hacking, those who have experience doing part-time bug bounty hunting likely have the skills to enter the field, take a full-time position or make a career change, said Casey Ellis, founder and CTO at Bugcrowd.
“Pen testing means a lot of different things, from complicated and highly-skilled adversarial simulation with a focus on the most important risks to a company, right down to compliance-driven assurance to satisfy auditors or the tactical needs of a business,” Ellis told Dice. “This creates a lot of inroads for people in terms of what to learn and where to enter. My advice to folks getting into the field would be to consume a bunch of content, network with communities like Bugcrowd’s Discord and Forum to establish and build peers in the space, and sample as many different flavors of pen testing as you can until you find something that really ‘sticks.’”
What ‘Soft Skills’ Can Help?
As with other IT and cybersecurity jobs, so-called “soft skills” can also help technologists make the leap to pen testing, or help them move into a better-paying position or a manager’s role.
Sandy Dunn, the chief security officer at incident response firm BreachQuest, told Dice that while pen testers are in demand, the competition for the best-paying and prestigious jobs remains fierce.
“There is high demand for security testing. Pen tester is one of the roles people initially think is the most compelling in cybersecurity so a person should also expect more competition for available job openings,” Dunn said. “It can also take many years to become skilled at the level expected by organizations who specialize in pen testing.”
What can make a difference is brushing up on both technical skills as well as softer people skills that can show a candidate is an effective communicator who can contribute to an organization’s overall goals. Dunn suggests the following:
- Be insanely curious – think differently;
- Programming knowledge valuable;
- Understanding of networks and networking;
- Knowledge of authentication and cryptography;
- Knowledge of cloud architecture;
- Good communication skills: Must be able to explain issues and remediations, often to people who have less knowledge or technical skills so that the customer understands the problems;
- Should have excellent writing skills – report writing, email, etc.;
- Good people skills.
“There is a misconception that pen testers can have toxic personalities which isn’t true,” Dunn added. “Good people and social skills are a benefit in every type of cybersecurity role. Having outrageous ‘leet’ skills in pen testing won’t compensate for a terrible, toxic, bad personality.”
What Future Skills Are Needed?
Like other IT and cybersecurity fields, pen testing is changing, especially as organizations adopt newer technologies. As organizations continue to allow employees to work remotely, investments in cloud-based infrastructure and SaaS applications will continue to grow. This means the role of pen testers is also subject to change, Fleeman noted.
As part of this shift away from traditional and on-premises networks, cloud adoption is now highlighting the growing need for skilled workers who can test applications, APIs and other cloud-oriented environments (such as serverless), Fleeman said.
“Having the network background in penetration testing will certainly help in the event you compromise a web application, providing you with the ability to pivot to the internal network,” Fleeman noted. “Applications and cloud ‘are the now’—building your foundational network experience and pairing that with application-based penetration testing is your ticket to a lifelong career with great pay.”