Life of a Penetration Tester

A Penetration Tester (a.k.a. Ethical Hacker) probes for and exploits security vulnerabilities in web-based applications, networks and systems.

In other words, you get paid to legally hack. In this “cool kid” job, you'll use a series of penetration tools (some predetermined, some that you simply design yourself) to simulate real-life cyber attacks. Your ultimate aim is to help a firm improve its security.

What are the requisites to be a Penetration Tester?

While it's possible to find employment as a penetration tester based solely on having the proper set of skills, most employers prefer to hire penetration testers who have previous relevant work experience. Some employers want employees who have at least a bachelor’s degree. Additionally, employers may require that penetration testers have certification in ethical hacking and other IT security areas.

Degree Requirements

Most Pen Testers don’t hold a specialized degree. Since ethical hacking is more about skills than course credits, a bachelor's or master’s degree in cybersecurity makes no sense if you've got appropriate job experience.

Hone your hacking skills: attend security conferences, earn some certifications, look into SANS courses, set up a pen testing lab, learn from other pen testers, and read and read more.

Work Experience

Overall, employers appear to be looking for 2–4 years of security-related experience with practice in penetration testing and vulnerability assessments. The range for Senior Penetration Testers is more variable. It may be as low as 3 and as high as 7–10 years of experience.

In addition to education, penetration testers are required to possess certain skills. They must have excellent computer skills to be able to attempt hacking systems. Most importantly, penetration testers must have exceptional problem-solving skills to be able to determine the best course of action when resolving issues and protecting networks from potential threats or breaches.

Hard Skills

Pen testers conduct security audits, develop code, automate processes, reverse engineer binaries, and the list goes on. So try to learn as much as you can about operating systems (Linux, Windows, etc.), software, and communication and network protocols.

Here are technical skills we have seen employers favoring:

  • Windows, UNIX and Linux operating systems
  • Network servers and networking tools (e.g. Nessus, nmap, Burp, etc.)
  • Web-based applications
  • Security frameworks (e.g. ISO 27001/27002, NIST, HIPAA, SOX, etc.)
  • Security tools and products (Fortify, AppScan, etc.)
  • Vulnerability analysis and reverse engineering
  • Metasploit framework
  • Forensics tools
  • Cryptography principles
Certifications For Penetration Testers

There is no master list of preferred certifications for pen testing. Although it’s popular within the IT industry, CEH is fairly loose. We recommend you ask colleagues about the pluses and minuses of accreditations like CPT/CEPT, GPEN and, especially, OSCP.

  • CEH: Certified Ethical Hacker
  • CPT: Certified Penetration Tester (now LPT)
  • CEPT: Certified Expert Penetration Tester
  • GPEN: GIAC Certified Penetration Tester
  • OSCP: Offensive Security Certified Professional
  • CISSP: Certified Information Systems Security Professional
  • GCIH: GIAC Certified Incident Handler
  • GCFE: GIAC Certified Forensic Examiner
  • GCFA: GIAC Certified Forensic Analyst
  • CCFE: Certified Computer Forensics Examiner
  • CREA: Certified Reverse Engineering Analyst
What Are Some Penetration Tester Roles and Responsibilities?

Penetration testers seek to identify security vulnerabilities in an organization’s networks, and then resolve them, sometimes creating new or improved security protocols. This involves many responsibilities and tasks.

As A Penetration Tester, You Will Likely Be Required To:

  • Perform penetration tests on computer systems, networks, and applications
  • Create new testing methods to identify vulnerabilities
  • Design and create new penetration tools and tests
  • Perform physical security assessments of systems, servers, and other network devices to identify areas that require physical protection
  • Pinpoint methods and entry points that attackers may use to exploit vulnerabilities or weaknesses
  • Search for weaknesses in common software, web applications, and proprietary systems
  • Research, evaluate, document, and discuss findings with IT teams and management
  • Employ social engineering to uncover security holes (e.g. poor user security practices or password policies)
  • Review and provide feedback for information security fixes
  • Establish improvements for existing security services, including hardware, software, policies, and procedures
  • Identify areas where improvement is needed in security education and awareness for users
  • Be sensitive to corporate considerations when performing testing (minimize downtime and loss of employee productivity)
  • Stay updated on the latest malware and security threats
While the above are typical responsibilities for a penetration tester, you may have additional duties depending on the organization you work for. Sometimes there is overlap in IT positions, so it is important to be flexible and to work as part of a cohesive team.

Ethical hacking is a mix of sexiness and boring bits. Unlike real-life hackers, you may only have days to compromise systems. What’s more, you'll be expected to document and explain your methods and findings. Penetration testing has been called one of the most frustrating jobs in the infosec field.

During the penetration test, you will typically focus on exploiting vulnerabilities (e.g. making it a goal to break part of a system). But as Daniel Miessler points out in The Difference Between a Vulnerability Assessment and a Penetration Test, you don’t have to go all the way to prove your point:

“A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could.”

A Day In The Life Of A Penetration Tester

A typical day for one penetration tester may look a lot different from another’s depending on the organization they work for. For some, there may be travel required between different sites, they may be required to work evenings or weekends to not disrupt the work flow of the company, or they may be able to perform some duties remotely or by telecommuting. But, the heart of the penetration tester position is identifying security system vulnerabilities by attempting to exploit them and then coming up with solutions to resolve the weaknesses to keep their organization’s information safe.

A normal day for a pen tester may include the following tasks:
  • Plan a specific penetration test
  • Create or select the appropriate testing tools
  • Perform the penetration test on networks, applications, or systems
  • Document methodologies
  • Identify vulnerabilities using the data gathered
  • Review and evaluate findings
  • Establish possible solutions for the weaknesses
  • Provide feedback and recommendations to management or clients
For all the aspiring pen testing experts, I would love to share an all-in-one link which will help you on your way:

Awesome Pentest