How to Become a Pen Tester: Certs, Skills, Career Path
If you're the type of person who enjoys solving puzzles and cracking codes, you might be interested in becoming a pen tester. You'd be employed by organizations to test how secure they are â€” by legally trying to break and hack their systems.
Here, we'll look at what is needed to become a pen tester, including the best security certifications, and others things you might find helpful. There's a lot to take in and it's not as easy as just finding out where to apply. Let's see if we can point you in the right direction and excel as a security professional.
The Pen Tester Job Description
Penetration testers, commonly referred to as ethical hackers, look for and document security vulnerabilities. This is usually done within the limits set within an agreement between the client and the pen tester. Those limits could be a deadline, like trying to expose vulnerabilities in their network within a few days.
Before we go further, that last point is worth stressing: If you're going into pen testing defining scope of work is a must. Not too long ago we saw pen testers jailed in Iowa for burglary and possession of burglary tools. The testers were hired by the state government, and were caught breaking into a courthouse.
Because scope of work wasn't clearly defined and communicated to all stakeholders, felony criminal charges were pressed. They've since been dropped to misdemeanor trespassing with a trial scheduled for April 2020. Hopefully, the issue will be brought to a reasonable conclusion, but there is a lesson to be learned.
If you're launching your pen testing career, get into the habit of clearly defining scope of work in written agreements.
A little foresight can go a long way. With that aside out of the way, let's get back to the responsibilities of a pen tester. After the testing phase is complete, a report is provided to the contracting organization.
The report will generally enumerate vulnerabilities, attempt to quantify severity, and suggest steps for remediation. For example, maybe a phishing email exposed lack of user knowledge and awareness. In this case, an investment in end-user training and software like KnowBe4 may be suggested.
Specific tasks that fall under the umbrella of pen testing responsibilities include:
Network vulnerability and port scanning
Social engineering attacks
Physical security penetration testing
Creation of remediation recommendations
Initially, it may be hard to understand why an organization would want someone to attempt to compromise their network. However, it makes sense when you think about it from the perspective of a responsible organization focused on the long term. Who would you rather have identify a security flaw: a pen tester you contracted or an attacker with malicious intent?
Looking for an intro to pen testing and vulnerability scanning? Check out this How to Do Penetration Testing and Vulnerability Scanning MircoNugget!
Requirements for Pen Tester Hopefuls
As with most careers in IT, there's no single required skill set to be a pen tester. Some professional penetration testers have little in the way of academic credentials and certifications. With the right mix of skill and opportunity, you could become one by cultivating the right skills and hustling a bit.
However, in general, there are some qualifications and skills that you can consider "requirements". For example, pen testers often have a Bachelor's Degree (or higher) in a tech-related field (like Computer Science or Management Information Systems).
There are also a variety of certs that can help you break into the field and even demonstrate advanced skills (more on those below). For now, let's take a look at some of the hard and soft skills you'll need to be a pen tester.
Strong networking skills. Many vulnerabilities are network-based. Understanding computer networks at an expert level enables pen testers to exploit vulnerabilities and identify issues others may miss.
System administration skills. Understanding how computers, servers, and network appliances work and are configured is an important part of pen testing. For example, if you understand how to harden a server, you know where to look for misconfigurations.
*nix skills. While you should be familiar with a variety of operating systems, *nix systems are particularly important. Many network security tools are Linux-based and getting comfortable with the Linux terminal will be beneficial. If you are going to make a career out of pen testing, running an operating system like Kali makes sense.
Automation skills. Scripting languages help you automate tasks and hit the ground running with many tools. Web development languages get you familiar with a common attack surface. However, any language can prove useful given the right context. Even a general understanding of how different languages work can make you a better pen tester.
Communication and interpersonal skills. Soft skills are a big part of a pen testers job. For one, you'll need to be able to effectively craft social engineering attacks. Beyond that, you'll need to be able to document your findings and relay them back to others. These are often done by filling out written reports. You'll need to pay close attention to detail and be able to accurately document these findings. Even the smallest detail can make the biggest difference.
Lockpicking. While we don't often think about it, physical security is an aspect of IT security. That means that pen testers can benefit from physical skills like lockpicking.
Certs That Can Help You Become a Pen Tester
As you build your InfoSec career, there are a variety of security-related certifications that can help. Some of these certs help you break in to the industry while others help you advance within it.
CompTIA Security+ is a well-recognized entry level security cert. If you're looking to get your foot in the door in InfoSec, the Security+ is a great way to do so. It provides fundamental security knowledge and can help you land that first security gig. If you're looking to jump start your InfoSec career path, check out How to Study for CompTIA Security+ in 10 Weeks.
Global Information Assurance Certification Penetration Tester (GIAC) is a program that offers server hands on learning experiences while remaining vendor neutral. You'll go over best practices in several areas.
CompTIA PenTest+ is a newer pen testing cert but comes from a well known source. The PenTest+ will validate penetration testing and vulnerability assessments.
Offensive Security Certified Professional (OSCP) is entirely hands-on. In order to earn your certification you'll need to pass a 24-hour hands-on exam that will give you different targets that will be used to simulate a real-world scenario.
Certified Penetration Tester & Certified Expert Penetration Tester (CPT & CEPT). the CPT is a certification that consists of a two hour exam that will be used to demonstrate knowledge in identifying exploits and flaws. While the CEPT is an expert level cert that will be expected to identify vulnerabilities that are created from an improperly setup system and identify possible hardware flaws along with it.
Pen Tester Salaries
Even if pen testing is your dream job, knowing how well it pays the bills is important. According to Payscale, the average salary for a Penetration Tester is $82,000 (USD), ranging from $56,000 to $133,000. This puts the low range above the national average salary. On average, pen testers have a larger income growth rate than most occupations. This is likely related to the increased demand for experienced security professionals. You can further increase your salary and negotiating power by adding more certs to your catalog.
To provide a second reference point, Indeed shows an average salary for a Penetration Tester being $116,000 (USD) with a low of $50,000 and a high of $211,000. While the high of $211,000 skews the average a bit, they're relatively similar on both sites. Experience means a lot in the pen testing industry. The more experience you have, the better position that puts you as far as salary goes.
While it might feel like a lot to take in, don't be intimidated. There's a lot of crossover between traditional IT roles and pen testing, just start where you are. If you're new to IT, build a foundation in networking and system administration then grow from there. If you're already have a background in tech, consider a cert like Security+.
If you're further in your InfoSec journey, consider something more specialized like the CompTIA PenTest+ and start building real-world experience.