Graduating from college with an IT degree can be stressful. There are plenty of opportunities to work in various industries with different interesting technologies. IT is always evolving and there are endless options where you can realize yourself. But with that many options, it is very hard to decide where you want to be in the future. While penetration testing is a good career choice for someone interested in cybersecurity, for others building applications sounds more fascinating.
As I was still in college not so long ago, I can share my own experience and observations about the career path I chose and am currently working in – penetration testing.
With over two years of penetration testing experience under my belt (I started working in the second year of my studies), I can clearly see the advantages and disadvantages that come with this career.
This article is for those who were wondering if penetration testing is a good career choice.
What Is Penetration Testing?
A penetration test is an authorized cyberattack against a website, computer, or other device. During the test, the pentester tries to identify vulnerabilities and advise on remediation techniques. Usually there are a few different types of penetration tests:
- White box – when the tester has all the information about the system
- Gray box – when the tester has limited information about the system
- Black box – when no information is provided to the penetration tester
Penetration testing has different phases:
- Reconnaissance – during this phase, important system-related information is gathered. Usually open source search engines are used for gathering the data
- Scanning – dedicated tools are used for gathering information about the system and its vulnerabilities
- Gaining access – using the gathered data, the penetration tester uses (or crafts) payloads that will let them gain access to the system
- Maintaining access – after gaining access, the pentester tries to maintain it by altering the system’s configuration or by using other methods
- Covering tracks – as the intrusion leaves tracks, the last phase is to delete the evidence, such as log events
Is ethical hacking the same as penetration testing?
Even though these two might sound very similar, they differ in a fundamental way. While penetration testing focuses on finding and exploiting vulnerabilities, ethical hacking covers a wider variety of activities. Penetration testing is a subset of ethical hacking. An ethical hacker has to understand security best practices and the vulnerability management process, and has to know how malicious actors operate, the different attack vectors, etc. Part of the ethical hacker’s duties might be to assist blue teams.
How to Become a Penetration Tester?
The simple answer is this – if you want to become a penetration tester, you must have a passion for cyber security.
There is no formula for becoming a penetration tester. Everyone has their own story of how they got into the field. I, personally, was not interested in cyber security during the first two years of my studies. When I got an internship as a QA at a company (I was still studying at the time), I decided to focus on security testing explicitly. So, I started learning various subjects related to security in my free time, and also during my studies. Eventually I gained the skillset necessary for a penetration tester.
But usually, if you do want to get started in this field, there are a few things that raise your value and increase your chances of landing a job:
- Strong IT background – understanding the technologies you will have to find vulnerabilities in is a must. Even though you don’t have to be a senior developer to become a pentester, you should know programming basics, as well as networking basics
- Certificates – a good cybersecurity certificate, such as OSCP, will open doors for you. But it’s more than that: having this or another similar certificate shows that you have the skills needed for the job. While the OSCP is widely respected, other certificates that you hold, such as CEH Practical, will also show your motivation and willingness to learn.
- General IT experience – one of the ways of becoming a pentester is to start by working at the help desk. You will learn a ton of things there while solving users’ problems. When you have just finished college, you shouldn’t expect to become a pentester if you had no previous interest in this field. It takes time to build the crucial skills before switching to cyber security. Penetration testing is not an easy field, and you shouldn’t expect to land an entry-level position in pentesting.
- Willingness to learn – again, certificates are one way of showing that you are highly motivated and have some knowledge. But if you can show a potential employer a GitHub repository with the ethical hacking tools you built, your profile on bug bounty platforms, or your progress on learning platforms such as TryHackMe or Hack The Box, this increases your chances of landing a job.
If you are interested in other cyber security career paths, there is a great article written by Daniel Miessler.
Advantages of Becoming a Penetration Tester
Being a penetration tester is a rewarding career from a financial perspective – penetration testers earn 88 144 USD on average. But money is not everything, and if you want to become a pentester only for the money, you won’t last long. However, if you are passionate enough to stay in the field, you will be rewarded not only financially, but also with a satisfying job. These are the advantages of being a penetration tester:
- You will get to work with different types of systems. If you are a developer, you usually master one or another tech stack. But if you are a penetration tester, you get to touch many different applications built with different programming languages.
- And if you are mad about learning new things, you will get to learn a lot. And constantly. When you are performing actual penetration tests, you can test what you are actually capable of. With every pentest you will learn something new, and you will keep improving as a specialist.
- Penetration testers are in demand. If you are an experienced, motivated pentester, you can be sure that you will have a job.
- Satisfaction after managing to achieve the planned objectives. The feeling of taking over a system by exploiting a serious vulnerability is great. Trust me, the moment when you’ve managed to apply the things you’ve learned, and you’ve succeeded in taking over a system, feels great.
- You can brag that you are a hacker. However, most of the time non-technical people do not understand what you are really doing at your job. But everyone knows what a stereotypical hacker is, so you might impress a girl at the bar by introducing yourself as a hacker (although I take no responsibility for this advice, and I think that the chances of this pick-up line actually working are slim).
Disadvantages of Being a Penetration Tester
Just like with any other career, there are pros and cons. Penetration testing is no exception. From my personal experience, these are the cons of penetration testing:
- You get to write reports often. Usually there is a “fun” part where you get to actually hack things. And then comes the reporting part, where you have to put everything you have done and found on paper. And as the clients often aren’t that technical, you will have to explain everything in simple words
- The job can seem too technical at the beginning of your career. You might find yourself spending hours trying to understand whether a vulnerability in a web application, identified with an automatic security scanner (scanning with vulnerability scanners is often an activity of the penetration testing process), is a false positive or not. Every tool (even the expensive commercial security scanners) produces a significant amount of false positives. And at the beginning of your career, when you do not have much experience, you will have to refer to external information sources a lot. And even then, you will still not be sure and might make false assumptions.
- There might not be so much communication. But that really depends on what company you work in. If you are working as the only penetration tester in a smaller company, you will have to do many things. This might include consulting other IT guys, delivering information security trainings, etc. But if you are working in a big consulting company, you might spend most of your day doing penetration tests and writing reports.
But you know how the saying goes:
While reporting might sound like a disadvantage to some, for someone who loves writing it might sound like an advantage. And for an introverted person, the fact that you get to spend most of your time on technical things might not sound so bad.
Will Penetration Testers Still Be Needed in the Future?
There are many serious cybersecurity tools for network or endpoint security. Of course, AI that analyzes companies’ network traffic and makes predictions about attacks in progress is handy. But it does not eliminate the need for a human being.
Every tool, no matter how advanced it is, is just a tool. Someone has to run it, and interpret the results.
That’s why it is not possible to automate penetration testing.
When we are talking about whether penetration testing is a good career choice, we should understand one thing: there is a shortage of real penetration testers. Some of the companies providing the service only do vulnerability scanning and sell it as penetration testing. For those who are not familiar with penetration testing, vulnerability scanning is often a synonym for penetration testing.
But the thing with vulnerability scanning is that the results the tool generates are not accurate: there are plenty of false positives. An experienced penetration tester still has to review the findings. And even then, you can’t know if the scanner covered all parts of the system.
And of course, as technology evolves, new vulnerabilities arise. For example, new security domains become relevant as hackers start exploiting vulnerabilities in them:
- Cloud security
- IoT security
- Automotive security
And of course, a shortage of talent makes penetration testers needed more than ever.
Answering the question of whether penetration testing is a good career choice is a little bit tricky. Everything depends on the individual and the IT experience he or she has. While in general penetration testing is an interesting and promising profession, it comes with its own disadvantages (just like any other profession). For some it might be too technical, too boring, or even too hard.
Before making drastic career changes you should take your first steps and try hacking. You might start with DVWA, or with learning platforms such as TryHackMe or Hack The Box. Only then should you consider whether you are willing to put in the effort and become a penetration tester.
Highly passionate about cyber security (penetration testing, bug bounty hunting, cybersecurity in general), and blogging. I am experienced in vulnerability assessments, penetration testing, and various security audits, and have worked with various clients, most of them in the finance sector. Currently a holder of CompTIA Security+, CEH, CEH Practical, and CEH Master certificates.