So, You Want to Be a Pen Tester?

Penetration testing (or pen testing) has emerged as one of the most exciting and rewarding careers in the field of cybersecurity. A pen tester essentially simulates attacks on a company’s systems, networks, and applications to identify vulnerabilities before malicious hackers can exploit them. If you’re intrigued by the idea of testing the defences of organisations while helping them stay secure, pen testing could be the perfect career for you.

What Does a Pen Tester Do?

Pen testers, also known as ethical hackers, assess the security of systems by attempting to breach them, either through manual techniques or by using automated tools. Their findings are reported back to the organisation, along with recommendations on how to fix the vulnerabilities.

Pen testers often work in-house for companies or as external consultants, performing tests on a range of systems, including web applications, networks, mobile apps, and even physical security measures. They play a vital role in strengthening cybersecurity.

What Skills Are Needed?

If you want to break into pen testing, you’ll need a solid foundation in:

1. Networking: Understanding TCP/IP, network protocols, firewalls, VPNs, and other network-related technologies is critical.
2. Operating Systems: You should be proficient in Linux (especially distributions like Kali Linux), Windows, and Unix systems. Each has its own unique vulnerabilities.
3. Scripting: Familiarity with scripting languages such as Python, PowerShell, and Bash is essential. Scripting is often used to automate tasks and create custom tools.
4. Cybersecurity Fundamentals: Knowledge of how various security controls work, such as firewalls, IDS/IPS, encryption methods, and access control, will be crucial.
5. Ethical Hacking Techniques: This involves knowing how to exploit vulnerabilities, use tools like Metasploit, and understand methods used by attackers.

Which Courses Will Help?

There are several recognised certifications that can boost your credentials as an aspiring pen tester:

1. Certified Ethical Hacker (CEH) – This is one of the most popular entry-level certifications and provides a broad understanding of hacking techniques and tools.
2. CompTIA PenTest+ – Another excellent certification, designed for those who have a few years of experience in the field, covering vulnerability assessment and exploit techniques.
3. Offensive Security Certified Professional (OSCP) – Highly regarded in the industry, the OSCP certification is a practical, hands-on exam that requires candidates to hack into systems in a controlled environment.
4. Certified Information Systems Security Professional (CISSP) – While more general than the others, this is a highly respected cybersecurity certification and shows a broad understanding of security principles.
5. GIAC Penetration Tester (GPEN) – This certification is offered by the Global Information Assurance Certification body and is focused on network security and advanced techniques.

Gaining Experience

It’s one thing to know the theory, but in pen testing, practical experience is invaluable. Luckily, there are several ways to get hands-on practice before landing a job:

• Capture the Flag (CTF) Competitions: These are cybersecurity challenges that allow you to test your skills by attacking simulated environments. Platforms like Hack The Box, TryHackMe, and OverTheWire offer real-world scenarios that closely mirror actual penetration testing work.
• Bug Bounty Programmes: Websites like HackerOne and Bugcrowd offer opportunities for ethical hackers to find vulnerabilities in real systems in exchange for monetary rewards. Many companies, such as Google, Facebook, and Microsoft, run bug bounty programmes to uncover vulnerabilities in their products.
• Build a Home Lab: Setting up your own home lab is a fantastic way to learn. With virtualisation tools like VirtualBox or VMware, you can simulate networks, servers, and devices to practice hacking without risking legal trouble.

How to Spend Your Spare Time

If you’re serious about becoming a pen tester, dedicate some of your free time to continuous learning and practice. Here’s how:

1. Stay Updated: Cyber threats are always evolving, so keeping up with the latest trends, vulnerabilities, and tools is crucial. Follow blogs like Krebs on Security, The Hacker News, and Reddit’s /r/netsec, and of course, mrwhitehat.net. to stay in the loop.
2. Learn to Code: Many pen testers find it beneficial to dive deeper into programming languages like Python and even assembly language to better understand exploit development.
3. Contribute to Open-Source Projects: Many cybersecurity tools are open-source, such as Nmap, Wireshark, and Metasploit. Contributing to these projects will help you learn and showcase your skills to future employers.
4. Read Books and Watch Videos: There are several great books available for aspiring pen testers, such as “The Web Application Hacker’s Handbook” by Dafydd Stuttard and “Hacking: The Art of Exploitation” by Jon Erickson. Additionally, platforms like Udemy, Cybrary, and YouTube offer a wealth of tutorials and courses.

Where to Find Work

Pen testers are in demand across various industries. Here are some of the most common places you’ll find work:

• Tech Companies: Tech giants like Google, Amazon, and Facebook employ large cybersecurity teams, including pen testers, to defend their systems.
• Financial Services: Banks and financial institutions like HSBC, Barclays, and Lloyds rely heavily on pen testers to safeguard sensitive financial data.
• Consulting Firms: Companies like Deloitte, PwC, and KPMG provide penetration testing services to other organisations. Working for such firms gives exposure to a wide variety of industries.
• Government and Defence: Public sector organisations, including the Ministry of Defence and the National Cyber Security Centre (NCSC), require pen testers to protect critical infrastructure and national security.

Salaries in the UK

In the UK, salaries for pen testers can vary depending on experience and location:

• Entry-level: £30,000 to £45,000 per year.
• Mid-level: £45,000 to £65,000 per year.
• Senior-level: £65,000 to £85,000 per year.
• Lead or specialised roles: £85,000+ per year, with some highly experienced pen testers earning six-figure salaries, especially if working in consulting or for financial institutions.

The demand for skilled pen testers continues to grow, and those who constantly develop their skills and adapt to the ever-changing cybersecurity landscape can expect strong job security and salary progression.

So, What Now?

Becoming a pen tester is a challenging yet rewarding career that offers the opportunity to make a real impact on the security of organisations. By gaining the right skills, pursuing valuable certifications, practising in real-world environments, and staying current with the latest cybersecurity trends, you’ll be well on your way to a successful career in penetration testing.

If you’re passionate about ethical hacking and security, the path to becoming a pen tester can be both thrilling and financially rewarding. Good luck!