Penetration Tester Salary: What Professionals Who Identify Vulnerabilities Earn and Do

View all blog posts under Articles | View all blog posts under MSCS

A penetration tester evaluates network security.Protecting information systems and data from cyber attacks is a difficult, complex challenge that organizations large and small face daily. Unfortunately, it’s not hard to find examples of the damage those attacks can do. The 2020 cyber attack on software firm SolarWinds gave hackers access to the IT systems of 18,000 of SolarWinds’ customers, including the U.S. Department of the Treasury, the U.S. Department of Homeland Security, Microsoft and Intel. It was one of the largest cyber attacks that targeted the U.S. government in history and could even alter approaches toward stopping attacks in the future.

One of the best lines of defense against cyber attacks is penetration testing. Penetration testers (commonly known as ethical hackers) must stay on top of a rapidly changing landscape in which new hacks are discovered almost daily. Students who pursue Master of Science in Cyber Security programs must become lifelong learners, as forms of attack and techniques to stop hackers continue to evolve. Knowing about the profession and penetration testers’ salaries is important for anyone interested in a career in cyber security.

Salary for Penetration Testers and Job Outlook

Certified penetration testers can work in almost any industry, in any size organization, or they can take freelance gigs on their own via any number of online freelance marketplaces. Multinational corporations have as much need for penetration testing as small franchises, health care companies, government agencies and even sole proprietorships. The FBI, for example, hires ethical hackers to test its information technology (IT) infrastructure.

As of May 2021, PayScale reports that the median annual penetration tester salary is around $86,000. A host of factors impact the salary, including education, experience, job type and job location. For example, penetration testers with 10 to 20 years of experience in the field can earn more than $120,000 yearly.

According to the U.S. Bureau of Labor Statistics (BLS), the job outlook for the broader information security analyst field looks promising. The BLS projects 31% job growth for information security analysts between 2019 and 2029, much faster than the projected average growth for all occupations. The rosy projection is predicated on the ever-increasing number of cyber attacks, which can particularly impact organizations such as health care providers, banks and other financial institutions that store highly confidential customer or patient data.

What Does a Penetration Tester Do?

What is penetration testing exactly, and what does a penetration tester do? Penetration testing is one major tool in cyber security, a field that’s generally viewed as a crucial, requisite part of an organization’s IT department. The threat of security breaches by hackers is ever present in the minds of board members and upper management. Just one flaw is all it takes for a hacker to gain access to sensitive information, such as Social Security numbers, credit card data, account information, and even classified corporate or government secrets.

Security measures can be implemented to block attempts to gain access to networks, and software and hardware firewalls may be used to add an extra layer of protection between sensitive databases and the public. However, unless organizations can view their networks through the eyes of real hackers, they’ll never know for sure how secure their systems are.

What a penetration tester does in defending against cyber attacks involves many different tests and techniques, but all of them focus on two broad categories of potential cyber attacks:

  • “Inside” jobs. To thwart threats from within an organization, penetration testing involves tasks such as assessing internal network security and examining code.
  • “Outside” jobs. To combat external threats, penetration testing involves tasks such as assessing external network security, social engineering engagements (for example, penetration testers look for ways in which individuals are coaxed into giving up private information), and red team simulations (for example, testing that attempts to simulate attacks on multiple systems at the same time).

According to the FBI, some of the most common cyber crimes are:

  • A compromise of business email, which the FBI cites as among the cyber crimes that can cause significant financial damage
  • Ransomware attacks in which criminals block access to information systems and demand that victims pay a ransom
  • Phishing and spoofing schemes in which criminals obtain individuals’ sensitive information

How to Become a Penetration Tester

An individual can become a penetration tester and earn a penetration tester’s salary through a variety of avenues. The traditional steps are outlined below.

Obtain a Degree

Individuals who work in information security typically need to have a bachelor’s degree in a subject such as computer science or a related field. Depending on the employer, a master’s degree may also be a requirement. Earning a master’s degree in cyber security can help individuals hone their expertise and develop the skills to advance into leadership positions.

Obtain Work Experience

Having previous IT-related work experience is important. For example, experience in computer programming, as a network administrator, or in database security can be critical.

Develop Key Technical Knowledge and Skills

To be an effective penetration tester, individuals need to have knowledge and skills in:

  • Types of security vulnerabilities
  • Coding
  • Operating systems
  • Networking and network protocols, such as TCP/IP and Domain Name System (DNS)
  • Physical security
  • Server equipment
  • Enterprise storage systems

Hone Soft Skills and Abilities

Penetration testers can maximize their effectiveness by demonstrating:

  • Strong oral communication skills
  • Skills in simplifying complex concepts
  • Leadership skills
  • Creativity

Penetration Tester Certification

Certifications can affect penetration testers’ salaries and their career progress. Penetration tester certification programs are available through several different sources. In its article titled “Top 10 Penetration Testing Certifications for Security Professionals,” Infosec Resources lists the most popular and widely accepted certification offerings:

  • EC-Council Certified Ethical Hacker (CEH), a wide-ranging certification that covers various types of attack technology, security domains and hacking tools
  • EC-Council Licensed Penetration Tester (LPT) Master for individuals at the expert level, which tests those individuals’ abilities to address real-life scenarios
  • IACRB Certified Penetration Tester (CPT) focuses on specific penetration testing knowledge and skills in areas such as network protocol attacks and web app vulnerabilities
  • IACRB Certified Expert Penetration Tester (CEPT) is for individuals with expert-level skills and covers topics ranging from memory corruption to Windows shellcode
  • IACRB Certified Mobile and Web App Penetration Tester (CMWAPT) focuses on web apps and mobile operating systems
  • IACRB Certified Red Team Operations Professional (CRTOP) focuses on large-scale, in-depth penetration testing
  • CompTIA PenTest+ focuses on the latest test and assessment skills for penetration testing
  • GIAC Global Information Assurance Certification (GIAC) Penetration Tester (GPEN) focuses on best practices in penetration testing and the legal matters related to penetration testing
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) focuses on advanced penetration testing techniques and the connection between security flaws and business risks
  • Offensive Security Offensive Security Certified Professional (OSCP), a completely hands-on, comprehensive certification earned by working through a 24-hour scenario from the real world

Charting a Course for a Career Defending Against Cyber Attacks

In a connected world, where everything from smartphones to watches, vehicles, TVs, appliances and even warehouse inventory equipment is on a computer network, having strong cyber security is critical in protecting systems and data. Individuals who aspire to a career defending against cyber attacks (and earning the salary of a penetration tester) can explore the University of North Dakota’s online Master of Science in Cyber Security program to see how it can help them achieve their professional goals. Start on a path to a rewarding career in cyber security today.


Recommended Readings

10 Cyber Security Trends to Look for in 2021

The Cyber Security Talent Shortage

What Is Vulnerability Analysis? Exploring an Important Cyber Security Concept


CSO, “What Is Ethical Hacking? How to Get Paid to Break Into Computers”

FBI, The Cyber Threat

Forbes, “Successful Cybersecurity Training Is Done, Not Discussed”

HP, “How to Get Started in Cyber-Security”

Imperva, Social Engineering

Infosec Resources, “Penetration Testing: Career Path, Salary Info, and More”

Infosec Resources, “Top 10 Penetration Testing Certifications for Security Professionals”

Insider, “The US Is Readying Sanctions Against Russia Over the SolarWinds Cyber Attack. Here’s a Simple Explanation of How the Massive Hack Happened and Why It’s Such a Big Deal”

PayScale, Average Penetration Tester Salary

Rapid7 Global Consulting, Under the Hoodie 2020

The Register, “Penetration Tester Pokes Six Holes in Dell EMC’s RecoverPoint Products”

U.S. Bureau of Labor Statistics, Information Security Analysts