A pen tester is an information security expert who breaks into IT systems because companies have commissioned him to do so. This job description is often heard, but it paints a narrow and misleading picture of what a pen tester really does. A professional pen tester actively attempts to bypass existing security controls to reveal how vulnerable a system, web application, or operating system is. In doing so, he often finds alternative ways to reach a system's functionality.
In short: a penetration tester breaks things. Much of the time it is impossible to tell from the outside what he is actually doing, because the job requires a great deal of creativity. He also spends a large part of his time writing reports on the progress of the pen test and on the vulnerabilities found.
What does a specialist earn?
First, the most important questions: what does a penetration tester earn, and what are the career prospects?
As a rule, penetration testers work for medium-sized companies (around 300 employees), corporations, or governments. IT infrastructures can be tested either as an employee within a group or as an external service provider for it.
As a service provider there is greater demand and more variety, since you are constantly testing and seeing new infrastructures, and that across industries.
Starting as a junior pen tester, who works only in a supporting role or performs only smaller tests, one specializes with professional experience (usually after 3 years) in a particular field as a penetration tester.
There are usually two main specializations: network and web application penetration testing. After a further 3 years of experience, i.e. 6 in total, the final specialization follows: either towards social engineering, towards a deeper industry specialization, or towards team management with leadership responsibility.
What is the job of a pentester?
Certified penetration testers, or ethical hackers, are now represented worldwide as part of cyber security.
The term pentester describes independent security analysts who, commissioned by a company, examine its IT systems for security vulnerabilities or weaknesses. As a penetration tester, the goal is to exploit these vulnerabilities by means of exploits and to prove them with proofs of concept. An IT security analyst, by contrast, only points out such gaps without actually testing them.
In a security assessment, realistic attack scenarios are carried out in order to test network security and gain access, e.g. via the operating system, a software system, or web applications. In addition to known weaknesses, IT security testing professionals also learn to look for unknown vulnerabilities, so-called zero-day vulnerabilities, in order to identify them early and report them to the application developers.
There are no legal requirements. However, it is recommended to have at least a vocational qualification as an IT specialist, with a focus on application development or system integration, plus 3 years of work experience. With a degree in computer science (not business informatics or comparable!) you also need at least 3 years of work experience, but you can then usually advance faster through the seniority levels; this is not a guarantee, however, but depends on performance.
Interested in learning a new profession?
We have created an education program that specifically trains all three seniority levels (Junior, Professional, and Senior). If you would like to know more about this training course, we are happy to help; just give us a call.