Cyber Career Series: The Pen Tester


Did you know that banks will pay you to rob them? We’re not suggesting that you grab your favorite ski mask and try your luck at your local branch, because you’ll only be paid in the form of a jail cell and a new friend named Bubba. The point is that banks hire individuals to break into their systems for the sole purpose of finding the weaknesses so that they can secure them.

Although many classic films and TV shows have dramatized robbery, vulnerability assessment (red) teams are a workplace reality. In the aftermath of 9/11, the CIA developed an experimental red team known as “The Red Cell.” In cybersecurity, a red team is hired by an organization to break into or bypass its security network. These organizations need ethical hackers who can think and act like a criminal, but who can be trusted to document the vulnerabilities they find and refrain from stealing the valuable assets they are capable of procuring for their own personal gain. This is where Security Penetration Testers come in.

What does a Pen Tester do?


Pen testers make their living trying to break things. They are hired to probe computer networks and discover vulnerabilities that a truly malicious hacker could exploit. An organization will hire a pen tester to emulate an advanced threat actor, allowing them to simulate a cyber attack and attempt to breach the network. The insights from a pen tester’s report allow the organization to fill its security holes. Pen testers are an essential tool for mitigating future cyber attacks and preventing an organization from facing serious loss of assets.

Pen testers typically operate in phases when attempting a network breach. Phase one, reconnaissance, consists of sifting through a variety of outside sources (internet searches, social engineering, etc.) to note clues that may reveal how the organization’s security network operates. Phase two, scanning, consists of testing a network’s perimeter defense in search of glaring weaknesses. Gaining and maintaining access are phases three and four. These phases involve circumventing security measures and remaining within the network long enough to complete the tasks the pen tester has been given; they test both the security team’s ability to locate and contain the threat and the pen tester’s ability to remain elusive. The process ends with the covering tracks phase, as the pen tester attempts to leave undetected, so that if they were a real hacker, they could return for future attacks.

Skills you’ll need for breaking stuff.

While the level of technical aptitude that a security engineer possesses isn’t necessary to be an effective pen tester, the more you understand what you’re hacking, the better you can bypass its security measures. Pen testers are experts in several technologies and platforms. They know the operating systems they’ll target, as well as network protocols, scripting languages and forensics (for the covering tracks phase). Pen testers must also be able to adopt the mindset of a malicious hacker, so that they can outthink the security defense measures currently present in the targeted network. To be an effective pen tester, you must be passionate about constantly expanding your technical knowledge, in addition to having an intrinsic desire to break something that has yet to be broken.


Perhaps the most imperative soft skill for this role is the possession of a rock-solid moral compass. Pen testers who are successful in their endeavors are faced with the ultimate test of morality. Once they successfully breach a network, their self-control is the only thing keeping them from turning into a malicious hacker and exfiltrating assets for their own personal gain. Imagine breaking into a vault at Fort Knox, and leaving without a single brick of gold. Organizations usually set parameters for pen testing exercises. Operating outside these parameters or exfiltrating data without an organization’s consent can lead to termination of employment and can even incur legal repercussions.

Other soft skills that are advantageous for this role include creative thinking and communication skills.

Heroes reap many rewards.

It’s cool that you get to break into networks with no repercussions, but it’s even cooler that you get paid for it. According to Payscale, the average starting salary for a security pen tester is around 71,000 a year. A pen tester’s salary will vary with previous experience, technical abilities and the location of the job. As you continue to expand your resume as a pen tester, your salary can easily reach the six-figure range. Cyber defense is extremely important, but in an ideal situation, an organization would rather prevent a breach than contain one. Because of the pen tester’s ability to uncover vulnerabilities before a threat actor does, they are in high demand by organizations across all industries.

A complete picture of a security team.

The advancement of cyber threats has led many organizations to develop their own Security Operations Center (SOC). A SOC consists of a cohesive cyber-team made of security engineers, penetration testers, security analysts and data scientists. Each member of the team brings a unique skill set that assists in the efforts of preventing, detecting, analyzing and responding to security threats.


The engineers are the technical experts that build and secure the networks and the detection tools of the company. The data scientists analyze the mass data that a company produces, in an effort to discover network insights. Analysts use these discoveries to actively search for anomalies in their network that might indicate malicious activity. When anomalies are spotted, analysts work with the engineers to set traps and contain threats. These traps can also be set preemptively in what’s known as “active defense.” Pen testers are white-hat hackers who simulate cyber attacks on their own network to discover its vulnerabilities. They report their findings to the team, so that together, they can fill the network’s security gaps.

Every team member in the SOC is an essential piece to the ongoing battle against cyber threats. The question is “which team member do you want to be?”

Where does the Pen Tester fit into the team?


A pen tester’s report is the ultimate preemptive tool in cyber defense. If a pen tester discovers a vulnerability, they can immediately notify the security engineers to patch it up before it’s exploited by a real threat actor. With a security gap fixed, analysts can more easily spot a threat that attempts the same hack, thus making the defense process much easier. In a sense, pen testers give the SOC a clairvoyant advantage when preparing to face threat actors. Battles that may have been fought are already won because a vulnerability is no longer a viable target.

Here’s How You Get Started

Flatiron School offers one of the most complete, immersive and compressed cybersecurity programs out there. Our Cybersecurity Engineering Program teaches the technical and analytical skills needed to become an effective pen tester. Our programs are a balance of classroom theory and hands-on lab time. This ensures that our students graduate with the level of skill and confidence needed to leave Flatiron School job-ready.

While many students who enter our Cybersecurity Program tend to have an IT background, you may feel that there are some gaps in your fundamental skill set. We offer a preparatory workshop, Hacking 101, that will give you an introduction to systems, networking, and Python.

Are you ready to break systems?

The security pen tester role puts you head-to-head with the black hats (malicious hackers). This role is incredibly unique because the temptations and moral challenges you’ll face can be just as difficult as those that are technical in nature. At the end of the day, someone’s going to break into these security networks, but if you do it with the right intentions, you may be directly responsible for saving an organization millions of dollars or even protecting thousands of people from losing their personal information. If you can resist evil temptations and you have an innate desire to break things (and get paid for it), then a pen tester career is calling your name.


Flatiron School

Blog Post Author
