In a way, it’s like conducting a medical test. A doctor may be able to diagnose the symptoms that you are having but will more than likely require further testing in order to determine the root cause of the medical problem. This is where the role of the penetration tester comes into play. These are the cybersecurity professionals that conduct this much deeper analysis in order to discover where the security vulnerabilities and weaknesses are. But in addition to conducting these kinds of activities, the penetration tester (also referred to as a “pentester”) also provides recommendations and solutions as to how the vulnerabilities can be corrected. Because of this, it takes a very unique combination of quantitative and qualitative skills in order to be a successful pentester. Not only must they have the technical knowledge/skills to think and act like a real-world cyberattacker, but they must also possess the ability to work very long hours and be able to work in a team. Because business entities are always wanting to know how to best protect themselves, the demand and need for pentesters is expected to one of the hottest areas of growth in the cybersecurity industry.
How to Use CyberSeek in Becoming a Pentester
There are many different avenues one can take on their road to becoming a pentester. But determining the best route to take can be difficult, because there are so many resources out there that provide differing pieces of information, advice, online tools and more. Anyone who is contemplating a career in pentesting would be greatly assisted by having all of this information in one place. This option does exist, and it is known as “CyberSeek.” CyberSeek is an online portal that is designed to provide all of the resources one needs with just a few clicks of the mouse, and it can be accessed here. But CyberSeek is not just meant for the person aspiring to have a career in pentesting; it can be used by others who are also involved in the job recruitment process, such as:
Educators and career counselors Cybersecurity employers Government policy makers
Let’s use the resources and information available from CyberSeek to take a closer look at the role of pentester.
What Exactly Is a Pentester?
Because of the different roles that a pentester can take on, it is important to define what a pentester really is. A good technical definition is as follows: “Penetration testers, also known as ‘ethical hackers,’ are highly skilled security specialists that spend their days attempting to breach computer and network security systems. These testers work in the information technology (IT) field to ensure that those without authorization cannot access an organization’s data. They do this by trying to hack into networks to identify potential vulnerabilities in the system.” (Source) As you can see, a pentester acts like a cyberattacker would and deliberately goes against the IT/network infrastructure of an organization. It is important to note that the pentester can either work on a Red Team or Blue Team. With the former, the goal is to launch any and all kinds of cyberattacks from the external environment into the internal environment of the business entity (this team can be considered as the “bad guys”). The specific job duties of a pentester include the following:
Launching and conducting real world cyberattacks on Web-based applications, servers, databases, network connections and computer systems Initiate actual physical security assessments of an organization’s data center, which can include the network security devices, servers and all relevant IT systems Take part in the effort to create new kinds of penetration tests and the tools that are needed to execute them Probe for the unknown security vulnerabilities and weaknesses in the software applications (even including their source code) Find and determine those areas in the IT/network infrastructure that the cyberattacker can easily exploit Launch social engineering attacks against the employees of a company in order to get them to reveal private and confidential information/data Document the results of the pentesting activities that been executed Determine the best solutions that can be implemented to plug the security holes discovered Formulate a new set of requirements that best fit the security environment of the organization being tested Provide recommendations and guidelines as to how the existing security practices of the business or corporation can be continuously improved upon Offer any feedback to the IT staff of the organization as they put into practice the findings and recommendations of the pentesting document (which basically provides details of the pentesting activities that were carried out, their results and the solutions to fix the problems that were discovered)
The Job Titles Leading to Becoming a Pentester and Afterwards
The job duties of a pentester are very unique; therefore, you will not see a lot of variations to the job title, as is the case with other cybersecurity professions. Therefore, having the title of a pentester does have a certain amount of prestige with it. But there are some other titles that have been used in conjunction with the pentester:
Security analyst Security engineer Security architect Security administrator
In this role, having the appropriate certifications will add much more value than just having a degree. But of course, if you have both (a college degree in either Information Technology or Computer Science, as well as the preferred certs), this will be most advantageous. Also, in order to become a mid-level pentester, you will need to have at least seven to 10 years of solid work experience. Unless you have the right mix of experience and the appropriate certs, you may not start out as a pentester right away. The job titles that can provide this needed experience include the following:
Cybersecurity specialist/technician Cybercrime analyst/investigator Incident analyst/responder IT auditor
After you have achieved the rank of pentester and have gained extensive experience from it, many advancement opportunities abound. Examples of titles that can be obtained at this level include the following:
Cybersecurity engineer Cybersecurity architect
The specific experience that is required will vary; this is because pentesting involves the examination of different aspects of an IT Infrastructure, as reviewed in the last section. However, the common technical skills that are required of any pentester include the following:
A thorough understanding of both Windows and Linux operating systems The ability to conduct in-depth vulnerability assessments A very strong knowledge of the Java software development environment (this is because many Web-based applications are built on this framework) A firm grasp of the fundamentals of the Open Web Application Security Project (also known as OWASP) Strong project management experience. This will be especially needed if the pentester is leading either a Red Team or a Blue Team — in these cases, even having the PMP cert will be of great value
The Salaries for a Pentester
Although cybersecurity professionals can command high salary levels, pentesters are among the highest because their much sought-after skill sets. The average salary is at $102,000.00. However, keep in mind that this can vary greatly depending upon the experience and the certs that you have. Geographic location can play a key role as well. The following matrix demonstrates the specific salary breakdowns based strictly on the level of work experience: (Source)
The Most-Requested Certs
As it has been pointed out in this article, having the right certs is almost mandatory for becoming a well-regarded pentester. The following are the most in-demand certs:
Any of the GIAC certs The CISA The CISM The Security+
The NIST NICE Framework
The NICE Framework, which is an acronym for the National Initiative for Cybersecurity Education (also known as the “NIST Special Publication 800-181”), is an initiative that has focused on describing the various roles, job titles and work responsibilities for the cybersecurity industry. This specialized framework is intended to be used in the private, public and academic sectors. It comprises the following aspects:
Seven categories: These describe the commonalities that are found among the different cybersecurity professions. The categories are Securely Provision, Operate and Maintain, Protect and Defend, Investigate, Collect and Operate, Analyze and Oversee and Govern Thirty-three specialty categories: These are the unique and distinct categories that describe the various work duties of a specific job title Fifty-two work roles: These describe the detailed skills, tasks and knowledge that are required for each cybersecurity job title
The penetration tester title fits into the following NICE framework categories:
Analysis Protection and Defense
Conclusion
We’ve looked at what is involved in becoming a mid-level pentester, making use of the CyberSeek job portal. As mentioned, the demand for pentesters is only expected to grow at an astounding rate. The demand is expected to be high in the coming years because just about every organization requires the services of a pentester at some point. According to CyberSeek, there are almost 10,000 job openings just in pentesting alone. But remember, it is not easy to become a pentester. It takes a unique blend of technical know-how and expertise, as well as superior teamwork and management skills. This is because you will be working in teams and must be able to work as a cohesive unit in order to carry out a successful pentesting exercise.
Sources
CyberSeek Penetration Tester Job Description, Jobhero Cybersecurity Career Pathway, CyberSeek Average Penetration Tester Salary, PayScale NICE Cybersecurity Workforce Framework, NIST Become a Penetration Tester, Cyber Degrees Penetration Tester: Requirements, Training & Certification, Study.com Top Penetration Testing Certifications, Alpine Security