Putting on the White Hat: How to Become a Penetration Tester
If you’re good with computers and want a dynamic, competitive vocation, then penetration testing (or “pen testing”) could be a perfect fit. This cybersecurity role will keep you on your toes as you race against malicious hackers to discover vulnerabilities in digital systems and networks—then shore up those vulnerabilities before the real-world hackers gain access.
Whether you’ve established your cybersecurity career or are just starting out, becoming a pen tester is an achievable goal, even without a bachelor’s degree under your belt. Taking relevant cybersecurity courses and programs along with earning industry certifications can help you get started or transition from roles with adjacent skills in areas like information technology (IT).
What is Penetration Testing?
A penetration tester, or “pen tester,” searches digital systems and computer networks for potential vulnerabilities that could be exploited by cyber criminals, then works with company leadership to fix flaws before an outsider can launch a successful cyberattack. IT assets that pen testers may be responsible for include websites, web applications, data storage systems, and any networks used by the organization, both on premises and in the cloud.
Penetration testing is different from vulnerability testing because it happens after a system is already active, whereas vulnerability assessment is part of the design and setup process. Both are equally necessary, since security threats evolve constantly and security measures must evolve along with them.
Pen testers also go by titles like “white hat,” “ethical hacker,” and “assurance validator.” Ethical hacking means using the same methodology as the bad guys, but working for the good guys. Just think of them as your friendly neighborhood hacker.
A Range of Day-to-Day Responsibilities
On a typical day, pen testers may spend the morning designing a penetration test with their security team and then spend the afternoon executing that strategy. Simulated attacks are designed to measure the response of the company and its employees and identify ways to improve that response. For example, a false breach, social engineering, or phishing scam can reveal a need for better employee education around identifying and flagging suspicious emails.
Importantly, the job doesn't end when the simulation is over. Pen testers also must create reports and recommendations to advise management on potential vulnerabilities. That’s why communication skills rank high on our list of crucial soft skills needed for this career path.
High-Growth Job Outlook, Climbing Salaries
The need for cybersecurity professionals is growing faster than the employee base, with salaries averaging in the low six figures, according to the US Bureau of Labor Statistics. Pen testers are needed in nearly every industry: Financial services, healthcare, government, technology, and information security are just a few examples. Major employers like Amazon and IBM are constantly looking for talent.
The industry is expected to grow another 29% by 2030, with increasing reliance on technology in the workplace driving demand for qualified professionals. However, pen testing can be a competitive field, so despite its wealth of job openings, it can be difficult to get an initial foothold at the entry level.
DID YOU KNOW?
Even if you already have some education or work experience with cybersecurity, it pays to continue learning throughout your career to stay abreast of the competition. And if you already have an IT role, adding cybersecurity expertise to the package can net you a 9% raise, according to Forbes.
Penetration Tester Career Paths
Penetration testing can be a stepping stone to a variety of more advanced roles and career paths, but it also isn’t usually the first job new professionals will land in the field. It’s helpful to lay a foundation first in information technology or a related field, where you can gain intimate familiarity with the technology systems you’ll be responsible for protecting as a pen tester. Newcomers to the field usually have to pay their dues in a role like cybersecurity analyst or information security analyst before gaining enough expertise to become a penetration tester. Taking online courses with edX can help fast-track your entry into a cybersecurity analyst role.
Professionals with IT experience can leapfrog this step since they have already cut their teeth dealing with networks, operating systems, coding, and other key skills. According to Jonathan S. Weissman, senior lecturer in the Computing Security Department at Rochester Institute of Technology (RIT) and instructor for RITx’s MicroMasters® Program in Cybersecurity, the important thing is that you must take time to “learn the plumbing” before advancing to a job like penetration tester.
“Pen testing is something that you'd be doing after you've mastered many of these subdisciplines,” said Weissman. “You've got to have the ability to think, the ability to solve puzzles, the ability to think like cybercriminals and attackers and emulate everything they're doing. It’s definitely not an entry level position. This is a ‘put it all together’ type of a role, where you take a little bit of networking, you take a little bit of programming, you take a little bit of scripting, you take a little bit of reverse engineering, and you put them all together and you solve puzzles and find vulnerabilities. And then you find ways to exploit those vulnerabilities.”
4 Steps to Become a Penetration Tester
If penetration testing is the next step on your career roadmap, here are the steps you can take to get there.
1. Earn a Bachelor’s Degree (Optional!)
Having a formal degree in some branch of computer science will give you an edge if you hope to become a penetration tester, but it’s not necessarily required. Employers value technical skills, knowledge, and work experience most highly.
DID YOU KNOW?
edX MicroBachelors® programs can help you build relevant, career-ready skills while earning real, transferable college credit along the way.
2. Learn Fundamental Skills
To guard digital systems against intruders, you must first understand those systems intimately. You’ll need a lot of practice with skills like coding, software development, systems administration, networks and network security, application security testing, and vulnerability testing to get a job as a penetration tester.
edX programs like the Introduction to Networking course from NYUx can be a powerful upskilling tool. Gaining at least a year of experience in lower-level IT, network administration and engineering, or information assurance can also help boost your resume to the next level.
3. Get the Proper Certification
Certifications show employers that you have specific skill sets even if you’ve never earned a traditional degree in the field. For penetration testing, there are several certifications you can earn to improve your job prospects.
The CompTIA PenTest+ is an intermediate-level exam, combining multiple-choice and applied formats, that can open doors to entry-level pen testing jobs.
The EC-Council Certified Ethical Hacker (CEH) exam goes much deeper, requiring comprehensive knowledge of the latest hacking and malware strategies. This makes it one of the most prized certificates you can earn in the information security field.
The OSCP exam is the fastest way to get started, as you can become a junior penetration tester with just this certificate. It includes a self-paced, online ethical hacking course that introduces penetration testing tools and techniques via hands-on experience, culminating in a 24-hour network simulation test where students can prove their skills and earn the coveted Offensive Security Certified Professional (OSCP) certification.
The GIAC Certified Penetration Tester (GPEN) exam, administered by the Global Information Assurance Certification Organization, covers both skills and key legal and ethical implications.
IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. While it does not offer certifications a la carte, your employer may leverage the IEEE certificates program to provide continuing education units (CEUs) and professional development hours (PDHs). Individual IEEE members also gain access to community and networking resources.
The SANS Technology Institute offers certification opportunities tailored to working professionals in IT or information security positions, as well as full-fledged, prestigious undergraduate and graduate programs in cybersecurity.
Networking is one of the most critical activities you can do to propel your cybersecurity career forward, and it’s not just about meeting other people in the field. Networking keeps you on top of the latest threats, tools, and trends. Cybersecurity conferences and hackathons often host gamified drills such as "capture the flag" challenges or red team/blue team competitions, which can provide an excellent setting to share best practices among security professionals.
“A lot of cybersecurity is about experience. And there are communities of people who will do activities, such as capture the flag events, where they're trying to get into systems and find some hidden piece of information, or what are called red-blue team events, where one team is defending systems and one team is attacking systems. There's a lot of life experience that can happen in those stressful moments of competition,” said Aspen Olmsted, adjunct professor at New York University’s Tandon School of Engineering and instructor for the Cybersecurity Fundamentals MicroBachelors® Program from NYUx.
Penetration Tester Hard and Soft Skills
To become a penetration tester, you will need to develop industry-specific skill sets. There’s a lot of technology involved, but don’t neglect the soft skills: remember that you’ll be working as part of a team!
• Scripting and coding
• Systems Administration
• Networking and network protocols
• Operating systems (Windows, Linux, and macOS)
• Computer languages such as Python, PowerShell, Golang, and Bash
• Mobile pen testing on iOS and Android
• Web applications
• Continual learning
• Problem solving
• Organizational skills, documentation, and report writing
• Strong sense of ethics
• Cool under pressure
“A security mindset makes you go through the world a little bit paranoid, which is how we have to be,” said Olmsted. “We say in cybersecurity, ‘trust no one.’ Once you get into that mindset, you start to see vulnerabilities everywhere, and that comes back to the ethical side of it. Once you see these vulnerabilities everywhere, you can't take advantage of them. You have to have the ethical framework that your job is to make the world better, because you've opened up a lot of opportunities to cheat the system.”
Last updated: August 2021