FILE RECORD: PENETRATION-TESTER
Penetration Tester
[01] THE ORG-CHART ARCHITECTURE
* The organizational hierarchy defining the pressure flow and extraction cycle for this role.
KNOWN ALIASES / DISGUISES:
Ethical Hacker / Offensive Security Engineer / Red Team Member / Vulnerability Assessor
[02] THE HABITAT (NATURAL RANGE)
- Large Financial Institutions (mandated compliance)
- Government Contractors (security theater for bids)
- Enterprise Software Vendors (to tick a security checkbox)
[03] SALARY DELUSION
MARKET AVERAGE
$154,208
* Top earners have reported making up to $265,128 (90th percentile). However, the typical pay range in the United States is between $116,835 (25th percentile).
"A premium price for a role that often simulates threats rather than preventing real-world catastrophes, primarily generating compliance theater and an endless backlog for other teams."
[04] THE FLIGHT RISK
FLIGHT RISK: 85% (HIGH RISK)
[DIAGNOSIS] Their findings often expose uncomfortable truths or require significant investment to fix. When budgets tighten or an actual, unaddressed breach occurs, they are an easy target for layoffs or scapegoating.
[05] THE BULLSHIT METRICS
Number of Critical Vulnerabilities Identified
Encourages over-reporting and inflated severity ratings, turning minor misconfigurations into 'imminent threats' for internal metrics.
Penetration Test Report Velocity
Measures how quickly reports are generated, not the actual impact or effectiveness of the security improvements derived from them.
Compliance Audit Pass Rate
The ultimate goal: ensuring the company passes external audits by creating a paper trail of 'security due diligence,' regardless of actual security posture.
[06] SIGNATURE WEAPONRY
Nessus/Burp Suite Enterprise
Automated scanning tools that generate thousands of 'findings,' 95% of which are false positives or low-priority, but must still be triaged.
The 'Risk Matrix'
An arbitrary grid used to quantify theoretical threats, allowing them to inflate minor issues into 'High' or 'Critical' findings for maximum impact on project managers.
Post-Exploitation Reporting
Elaborate documents detailing how they *could* have compromised a system, even if the actual 'exploit' involved a misconfigured test environment nobody uses.
[07] SURVIVAL / ENCOUNTER GUIDE
[IF ENGAGED:] Acknowledge their performative 'hacking' efforts, but ensure they don't actually break anything critical while 'simulating' in a production environment.
[08] THE JD AUTOPSY: WHAT DO THEY ACTUALLY DO?
LINKEDIN ILLUSION
[SOURCE REDACTED]
"A penetration tester is responsible for testing computer systems, networks, applications and databases for vulnerabilities. The goal is to simulate a real-world attack and identify weaknesses in the system's security measures..."
OTIOSE TRANSLATION
You will be tasked with running the same automated scanners on the same legacy systems, then meticulously documenting 'critical' findings that the development team will triage as 'low priority' or 'won't fix' because the business cares more about features than actual security.
LINKEDIN ILLUSION
[SOURCE REDACTED]
"Forming incident response teams to address any breaches · Creating potential loss reports to display the effects of security issues to other departments..."
OTIOSE TRANSLATION
Your primary output will be fear-mongering reports detailing hypothetical catastrophes, which will be filed away, unread, until an *actual* breach occurs, at which point you will be blamed for not having found the specific vulnerability that was exploited.
LINKEDIN ILLUSION
[SOURCE REDACTED]
"Finally, they prepare and deliver the outcomes about security weaknesses. Penetration testers may also consistently test the security of their workplace to keep the system in compliance with the workplace's requirements."
OTIOSE TRANSLATION
You will spend an inordinate amount of time crafting elaborate presentations that distill complex attack vectors into easily digestible bullet points for executives who still think 'phishing' is a type of recreational activity. Then, repeat the same internal compliance checks you did last quarter, finding the same issues, generating the same tickets.
[09] DAY-IN-THE-LIFE LOG
[10:00 - 11:00]
Automated Scan Review & False Positive Triage
Sifting through thousands of scanner alerts, mentally categorizing 90% as 'noise' but knowing each still requires a manual 'investigation' for the audit trail.
[11:00 - 12:00]
Crafting the 'Imminent Threat' Report
Translating a low-severity finding (e.g., outdated TLS version on an internal dev server) into a verbose report with a 'High' risk rating, ensuring maximum impact and minimum readability.
[14:00 - 15:00]
Simulating a 'Real-World' Attack
Attempting to exploit a vulnerability in a carefully cordoned-off test environment, often involving obscure attack vectors that would never materialize in production, for the sake of 'hands-on experience'.
[10] THE BURN WARD (UNFILTERED COMPLAINTS)
* The stark reality of the role, scraped from Reddit, Blind, and anonymous career boards.
"It can be if you are passionate about the work, otherwise you likely won’t reach the high salaries. In my experience, those in it for the money typically burn out and get frustrated, or just aren’t very good and don’t get promoted."
"That seems terrible but I'm not from Canada. In the United States at least, that would be insanely low. For instance, during the pandemic I saw McDonald's near me offering $21 USD per hour. Especially if you are working as a consultant that seems really low; I see ads all the time for pen tester contracts making 6 figures, and consultants in the US typically make more than in-house IT."
"After the 500th 'critical' finding on a non-production dev environment, you start questioning if you're actually securing anything or just generating Jira tickets for the sake of 'compliance'."
— teamblind.com
"Half my job is writing reports that no one reads, the other half is explaining why 'CVE-2023-XYZ' isn't an actual threat to our bespoke, ancient stack, but we still need to 'mitigate' it for the quarterly audit."
— r/cscareerquestions
[11] RELATED SPECIMENS
SYSTEM MATCH: 98%
Lead Backend Data Procurement Analyst
Spend weeks documenting trivial manual data entry, then propose a custom Python script that breaks every month, requiring constant maintenance from actual developers.
SYSTEM MATCH: 91%
Enterprise Architect
Preside over an endless cycle of abstract discussions, ensuring no single technical decision is made without involving a committee, thus guaranteeing maximum inefficiency.
SYSTEM MATCH: 84%
SDET
To craft intricate Rube Goldberg machines of automated 'checks' that prove the obvious, then spend cycles 'monitoring' their inevitable flakiness, ensuring a constant stream of 'maintenance' tasks to justify continued existence.