How to Become a Penetration Tester
A penetration tester is a security professional hired by a company to assess its information security defenses — and find vulnerabilities. That can mean network, application, or even physical security (i.e., gaining access to buildings). Penetration testers, or "pen testers", may also try to gain access to a system through social engineering techniques like phishing, impersonation, or elicitation.
Penetration testers are hackers hired by a company to help defend against other hackers. It’s a lucrative, challenging line of work that’s currently in high demand.
For anyone with dreams of becoming a pen tester, just note that it’s a journey. Don’t expect to snag a pen testing job straight out of college. It takes years to build the necessary experience and knowledge to become a penetration tester.
Steps to becoming a penetration tester
There’s no single path to becoming a penetration tester. Like most security jobs, penetration testers end up in their position after years of experience in another technical role like network engineer, sysadmin, or software engineer. So, the first step to becoming a penetration tester is having a technical job in the first place.
Step 1: Step into a technical role
It’s relatively uncommon to start an IT career in security. Most IT professionals who eventually end up in security learn the basics in another technical role first.
If you’re considering a career in security, those years as a sysadmin or network tech will serve you well in the future.
Ethical hacking is all about finding the cracks in relatively secure systems. Even the smallest vulnerability you find can save your organization time, money, and energy otherwise spent addressing one or more cyberattacks.
To find those cracks, security professionals need a solid fundamental understanding of networking, systems administration, databases, and even scripting. To understand how someone might break into your system, you have to understand how all pieces operate and fit together.
During those first couple of years in a technical role, you’ll gain a thorough, practical understanding of how networks, applications, and systems work. Once you know how they work and interact with each other, it’s easier to defend and secure them.
Those initial years will also allow you to take on security tasks and build your security resume. It may not be penetration testing right away. Instead, it might be running vulnerability scans. Or checking logs. Or the routine, low-level security work that needs to get done. If you’re already in a technical role, there are plenty of these tasks to go around. You can start building a security resume by simply asking for these tasks.
Once you’ve got the basics down, then you can start learning the tools of the trade — and use them confidently.
Step 2: Learn the tools of the trade: Kali Linux
The journey to becoming a penetration tester often runs through Kali Linux, a free Linux distro designed for, and by, penetration testers. Kali Linux ships with more than 600 penetration testing tools — and they’re ready to use out of the box.
When first encountering Kali, it can be overwhelming. Throughout your career, you may want to experiment with each of these enumeration and exploitation tools. However, there are four tools you should learn first.
4 best Kali Linux tools for penetration testing
These four penetration testing tools are the ones you’ll find yourself reaching for regularly throughout your career and while earning your pen-testing certifications:
1. Nmap. Nmap is the most-used pen testing tool in a white hat hacker’s toolbox. Nmap is a network mapper that scans a network looking for open ports. You can do a lot with open ports as a penetration tester.
2. Burp Suite. Web applications are constantly sending requests to, and receiving responses from, services on the internet. Sometimes these requests carry valuable information like credentials. Burp Suite intercepts and collects these requests so you can modify and reissue them, or evaluate the payloads for information you can use elsewhere in the assessment.
3. SQLmap. SQL injection is one of the most common hacking techniques — and it comes in a few different flavors. With a SQL injection, malicious actors can query usernames and passwords, destroy databases, or even place code onto a website. SQLmap is a tool that detects and exploits SQL injection flaws automatically.
4. Hydra. Quite simply, Hydra is a login cracker, which means it quickly runs lists of usernames and passwords against a login, whether that login is exposed over a command-line protocol, a GUI, or HTTP. Hydra is touted as the fastest cracker that supports the most protocols.
These aren’t fire-and-forget tools. You have to understand how they work, where to deploy them, and often how to interpret the output they produce.
Step 3: How to get pen testing experience
Hands-on experience is essential when learning any new skill, and that’s particularly true while learning penetration testing. As noted before, penetration testers:
- Diagnose vulnerabilities
- Determine which attacks might exploit those vulnerabilities
- Identify how to use the tools to deploy the attack
- Document how to fix the vulnerability
There’s no better way to learn these skills than getting hands-on experience, with one important caveat: hacking systems you don’t have permission to test is illegal. So, you’ll need to find legal ways to practice your newfound skills.
Pen testing bootcamps
There’s no better way to both learn penetration testing skills and use them than under the watchful eye of an instructor. Cybersecurity bootcamps, like the one offered by QuickStart, build their penetration testing curriculum around lab environments. Penetration testing is difficult. Qualified instructors can teach you the basics of penetration testing in as few as five days.
There are a number of excellent penetration testing lab products out there. Lab environments are designed by training companies to present challenges that simulate common vulnerabilities you’ll find out in the wild. The most popular lab environment for up-and-coming pen testers is Hack the Box, which has free and paid tiers of pen testing challenges.
The Hack the Box challenges range from beginner to advanced with challenges added regularly. In addition to the challenges, Hack the Box is also a community with points, badges, and rewards.
While HTB certainly isn’t the only lab environment out there, it’s free, community-oriented, and often the first place new pen testers find themselves — as long as they can figure out the Invite Challenge.
Capture the flag competitions
Capture the Flag (CTF) competitions are essentially just gamified lab environments. Just like in the kids’ game, CTF competitors are given a “flag”, which might be a piece of data or a credential in a lab environment. In order to “capture” the “flag”, you’ll need to complete a series of increasingly difficult challenges that fall into five categories:
- Binary exploitation
- Reverse engineering
- Web exploitation
Start poking around your own network
Finally, just start poking around with Nmap, Burp Suite, and other enumeration tools. There’s no harm in performing port and vulnerability scans on your own network — whether that’s at home or work. You may be surprised at what you find.
With that said, don’t start pointing any of the Kali exploitation tools at anything that you don’t own — and don’t want to break. Kali Linux is a suite of powerful tools that can get you into trouble.
If you really want to hack something, there are lab environments, bootcamps, and this site: Hack This Site, which is exactly what it sounds like.
Step 4: Earn a penetration testing certification
Certifications are the easiest way to validate your skills in penetration testing.
While it may not seem like CompTIA Network+ is a penetration testing certification, it’s a common entry point into the world of offensive security — particularly if you’re coming from a systems or engineering background. It’s very rare that you’re going to have physical access to a machine while penetration testing. Instead, you’ll be hunting for vulnerabilities over the network (just like a hacker). That means you need strong fundamental networking skills. Many of your daily responsibilities involve networking — and the Network+ certification validates those fundamental networking skills.
Admittedly, the CompTIA Security+ doesn’t mean much on your penetration testing resume. After all, it’s an entry-level security exam, but that’s exactly the point. As we discussed earlier, most IT professionals don’t go straight into security. The typical career progression into security stems from a non-security role. You build your security resume, then move laterally into security — and proving your initial commitment to security often starts with an entry-level security certification like Security+.
The CompTIA PenTest+ is a theoretical exam with a handful of performance-based questions, so it’s not as intimidating as the CEH Practical and OSCP. Yet the PenTest+ is still an excellent option for anyone looking at penetration testing as a career. Just like how Security+ proves your initial commitment to the security field, PenTest+ serves as a waypoint in your career and certification pathway. For those seriously considering a career in pen testing, you’ll likely want the CEH or OSCP.
Certified Ethical Hacker Practical
The CEH Practical exam is the EC-Council’s answer to the OSCP or other hands-on offensive security exams. The CEH Practical exam tests technical offensive security skills in a massive virtual environment. It’s not as long or rigorous as the OSCP, which is notorious both in difficulty and length, but still a well-respected cert in the security community. There are key differences between the CEH and OSCP, which are covered in another blog post: CEH vs OSCP: Which to Choose.
The Offensive Security Certified Professional (OSCP) accreditation is the gold standard among penetration testing certifications. Pen testers who earn this certification must pass a 24-hour practical exam where they attempt to penetrate as many systems as possible in an emulated environment. It’s a grueling, notorious exam, but passing it puts you in the top tier of penetration testers.
Which certification to choose: PenTest+ vs CEH vs OSCP
The most respected penetration testing certifications validate not only technical prowess, but also the creativity and quick-footedness required of a pen tester. However, there’s another factor to consider beyond skill validation and that’s certification reputation. When a hiring manager sees a certification on a resume, it serves as shorthand for ability and knowledge.
In this evaluation of the PenTest+, CEH, and OSCP certifications, we considered difficulty, exam requirements, and reputation.
1. OSCP. If you really want to be a pen tester, this is the one certification you should pursue. In terms of reputation, OSCP is the most respected penetration testing certification in the industry. The OSCP is so respected because it’s the most difficult. The certification course itself provides foundational instruction that prepares candidates like you for a professional penetration testing environment.
Expect to spend at least six months in pursuit of your OSCP certification. This timeline includes the Offensive Security course and labs, in addition to any additional preparation. Participating in a Cybersecurity Bootcamp — particularly one that includes penetration testing instruction — can further accelerate your timeframe and improve your candidacy for post-certification hire.
2. CEH Practical. The CEH Practical is a relatively new penetration testing certification. The EC-Council only introduced the CEH Practical to the cybersecurity industry in 2018. Despite its newness in comparison to the OSCP certification, the CEH Practical is far from an easy exam. The exam itself is six hours, and because it carries the accredited CEH name, it is both ANSI-accredited and aligned with the NICE 2.0 framework. For security professionals in larger organizations, or for pen testers seeking federal employment, CEH Practical may be a solid option over the OSCP.
3. PenTest+. Though high-quality, the PenTest+ doesn’t carry the same weight as the hands-on certifications. CompTIA's PenTest+ is a theoretical exam with a handful of performance-based questions. By comparison, the OSCP and CEH Practical certifications are rigorous, hands-on exams.
Still, the CompTIA PenTest+ certification offers its own positives. The PenTest+ certification is the cheapest way ($349) to validate your offensive security skills, compared to the OSCP ($999+) and CEH Practical ($1,199+). The PenTest+ also isn’t as intimidating as the CEH Practical and OSCP. For anyone seeking a worthy introduction to the world of pen testing, PenTest+ can provide an encouraging confidence boost — and there’s plenty of value in that.
Becoming a penetration tester
Becoming a penetration tester means thinking like a hacker. It means using the same tools as a hacker. It’s essentially becoming an ethical hacker, someone who keeps valuable information safe from hackers who want to exploit data vulnerabilities.
It’s a difficult profession because it combines so many different aspects of IT: networking, systems, applications, hardware, and code. Penetration testing truly bridges the gap between technical knowledge and technical ability. It combines considerable knowledge with technical prowess — and creativity.
If that sounds like fun, you might be the ideal candidate for the cybersecurity industry's next penetration testing vacancy.