- Penetration testers are paid to attack systems legally, find exploitable vulnerabilities, and report them before malicious hackers do.
- Median salary: $116K to $206K (Glassdoor, 2026). Entry level starts at $70K to $96K. OSCP-certified testers command significant premiums.
- The fastest entry path: build networking and Linux fundamentals, earn CompTIA Security+ and eJPT or PenTest+, then pursue OSCP as your mid-level credential.
- OSCP appears in 35% of job postings and is the single most in-demand certification. CEH appears in 30% but carries less technical weight among practitioners.
- Essential tools: Burp Suite (required in 55% of job listings), Metasploit, Nmap, Kali Linux.
- Build a portfolio before applying: a public GitHub with documented lab writeups, CTF solutions, and a home lab is more valuable than most certifications at the entry level.
Penetration testers earn between $116K and $206K to do something most people would consider hacking. They attack systems with written permission, document what they find, and hand organisations a report proving their defences fail before a real attacker finds out the hard way.
The field is growing at 33% through 2033 according to the BLS. Demand is outpacing supply in cloud security, AI systems testing, and red team operations. Entry barriers are skills-based, not degree-based: 30% of job postings do not require a degree.
This guide covers the complete path from beginner to first penetration testing job in 2026: skills, certifications, portfolio requirements, salary data, and the sequencing no competitor article includes.
What does a penetration tester actually do?
A penetration tester conducts authorised, structured attacks on client systems to find vulnerabilities that an attacker could exploit. The work follows a defined methodology across five phases: reconnaissance, scanning and enumeration, exploitation, maintaining access, and reporting.
1 Reconnaissance
Gather information about the target system. Passive recon uses public sources: WHOIS, DNS records, job postings, LinkedIn, code repositories. Active recon makes direct contact with target systems to enumerate services, open ports, and software versions.
2 Scanning and enumeration
Use tools like Nmap to identify open ports, running services, and operating systems. Identify the attack surface: web applications, network services, exposed APIs, authentication endpoints.
3 Exploitation
Attempt to exploit discovered vulnerabilities to gain unauthorised access. This includes SQL injection, cross-site scripting, authentication bypass, buffer overflows, and exploit framework usage (Metasploit). Exploit vulnerabilities on web applications, internal networks, cloud environments, and operating systems.
4 Maintaining access
Demonstrate post-exploitation capability: lateral movement through the network, privilege escalation from standard user to administrator, persistence mechanisms. This phase proves the impact of the initial compromise.
5 Reporting
Document every finding with severity ratings, exploitation evidence, and specific remediation steps. Write two versions: an executive summary for non-technical leadership and a technical report for the security team.
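The two-audience report is easier to keep consistent when both versions are generated from the same structured findings. The following is an added example, not code from the original article: it models a finding with a CVSS v3.1 base score, derives the severity rating from the standard CVSS qualitative scale (Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), and renders an executive summary and a technical section from the same data. The findings and hostnames are constructed for a fictional engagement.

```python
"""Render the executive summary and technical report from one findings list.

Added example, not from the original article. Severity is derived from the
CVSS v3.1 qualitative rating scale; the findings below are constructed.
"""
from dataclasses import dataclass, field
from collections import Counter


@dataclass
class Finding:
    title: str
    host: str
    cvss: float          # CVSS v3.1 base score, 0.0 to 10.0
    evidence: str        # what was observed, redacted as needed for the report
    remediation: str
    references: list = field(default_factory=list)


def severity(score):
    """Map a CVSS v3.1 base score to its qualitative rating; reject out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def sort_findings(findings):
    """Most severe first; ties broken by score, then title, so the report is stable."""
    return sorted(findings, key=lambda f: (ORDER[severity(f.cvss)], -f.cvss, f.title))


def executive_summary(findings):
    """Counts by severity plus the highest-risk items, in plain language for leadership."""
    counts = Counter(severity(f.cvss) for f in findings)
    lines = [f"Total findings: {len(findings)}"]
    for sev in ORDER:
        if counts[sev]:
            lines.append(f"  {sev}: {counts[sev]}")
    top = [f for f in sort_findings(findings) if severity(f.cvss) in ("Critical", "High")]
    if top:
        lines.append("Highest-risk issues:")
        for f in top:
            lines.append(f"  - {f.title} ({f.host}): {f.remediation}")
    return "\n".join(lines)


def technical_report(findings):
    """One numbered section per finding with rating, score, evidence and remediation."""
    lines = []
    for i, f in enumerate(sort_findings(findings), 1):
        lines.append(f"{i}. [{severity(f.cvss)} / CVSS {f.cvss}] {f.title}")
        lines.append(f"   Host: {f.host}")
        lines.append(f"   Evidence: {f.evidence}")
        lines.append(f"   Remediation: {f.remediation}")
        for ref in f.references:
            lines.append(f"   Ref: {ref}")
    return "\n".join(lines)


# Constructed findings for a fictional engagement (hosts use the .test TLD).
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration", "www.example.test", 3.7,
            "Server still negotiates TLS 1.0 (observed in handshake test).",
            "Disable TLS 1.0/1.1; require TLS 1.2 or later."),
    Finding("SQL injection in search parameter", "app.example.test", 9.8,
            "Malformed input to the search parameter returned a database error page.",
            "Use parameterised queries; add server-side input validation.",
            ["OWASP Top 10 A03:2021"]),
    Finding("Default credentials on admin console", "10.0.0.5", 8.8,
            "Vendor default account accepted on the management interface.",
            "Change defaults; enforce MFA; restrict the interface to a management VLAN."),
]

if __name__ == "__main__":
    print(executive_summary(SAMPLE_FINDINGS))
    print()
    print(technical_report(SAMPLE_FINDINGS))
```

Keeping the severity mapping in one function means the executive counts and the technical ordering can never disagree, which is the most common inconsistency reviewers catch in hand-written reports.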
Penetration tester salary in 2026
| Level | Typical role | Salary range (US, 2026) | Key cert |
|---|---|---|---|
| Entry (0 to 2 yrs) | Junior pen tester, security analyst | $70K to $96K | PenTest+, eJPT, CEH |
| Mid (2 to 5 yrs) | Penetration tester, ethical hacker | $96K to $140K | OSCP, PNPT |
| Senior (5 to 10 yrs) | Senior pen tester, red team operator | $140K to $180K | OSCP + GPEN or GWAPT |
| Principal / Lead (10+ yrs) | Red team lead, offensive security engineer | $180K to $206K+ | OSEP, OSED, CRTO |
Penetration testers with cloud security specialisation (AWS, Azure, GCP) command a 25% premium above the baseline. Red team operators with OSCP plus a specialisation certification routinely close at $160K to $200K in major metro areas (KORE1, 2026).
The skills every penetration tester needs
Technical foundation
- Networking: TCP/IP, DNS, HTTP/S, firewalls, routing. You cannot find vulnerabilities in protocols you do not understand.
- Operating systems: Linux proficiency is non-negotiable. Windows internals and Active Directory are essential for internal network testing.
- Programming and scripting: Python appears in 40% of job postings as a hard requirement. Used for custom exploit development, automation, and post-exploitation scripting. Bash for Linux, PowerShell for Windows environments.
- Web application security: SQL injection, cross-site scripting (XSS), authentication bypass, IDOR, API security vulnerabilities, OWASP Top 10.
- Network security: Port scanning, service enumeration, protocol-level attacks, firewall evasion, VPN analysis.
- Exploitation frameworks: Metasploit for network exploitation, Burp Suite for web application testing. Burp Suite proficiency was a hard requirement in 55% of analysed job postings (Programs.com, 2026).
Soft skills that separate good testers from great ones
- Technical writing: The report is the deliverable. A penetration tester who finds critical vulnerabilities but cannot communicate them clearly produces incomplete work.
- Creative problem-solving: Real-world systems do not have textbook vulnerabilities. The ability to chain multiple weaknesses into a single attack path requires creative reasoning under realistic conditions.
- Client communication: Penetration testers regularly brief non-technical executives. Translating a buffer overflow into business risk language is a skill that determines career progression.
The certification roadmap
| Cert | What it proves | Exam format | Cost | Stage |
|---|---|---|---|---|
| CompTIA PenTest+ | Pentesting fundamentals, methodology, vulnerability scanning | MCQ + performance-based | ~$392 | Entry |
| CEH (EC-Council) | Ethical hacking tools and concepts. HR filter cert. | MCQ | ~$1,199 | Entry/Mid |
| eJPT (eLearnSecurity) | Practical entry-level pentesting. Fully hands-on. | Practical lab exam | $200 | Entry |
| OSCP (OffSec) | Gold standard. 24-hour practical exam on live network. | Practical (24hrs) | $2,499 to $5,499 | Mid |
| PNPT (TCM Security) | Practical network pentesting. Excellent OSCP alternative. | Practical + report | $399 | Mid |
| GPEN (GIAC) | Pentesting methodology and ethical hacking techniques. | MCQ (proctored) | $2,499 | Mid/Senior |
| OSEP / OSED / OSMR | Advanced exploitation, evasion, and specialised areas. | Practical (48hrs) | $5,499+ | Senior |
OSCP is the gold standard and appears in 35% of job postings. CEH is an HR filter with limited technical weight among practitioners. Start with eJPT or PenTest+ to build foundational practical skills before spending $2,500 to $5,500 on OSCP. PNPT is a strong, affordable OSCP alternative for budget-conscious candidates.
Step-by-step: from beginner to first penetration testing job
1 Build networking and OS fundamentals (months 1 to 2)
CompTIA Network+ curriculum for networking. OverTheWire Bandit for Linux command line. TryHackMe Pre-Security path for foundational concepts. No cert required yet.
2 Earn CompTIA Security+ (months 2 to 4)
The baseline that appears in 25% of pen tester job postings. Required for DoD contractor roles. 6 to 8 weeks focused study.
3 Start offensive security labs (months 3 to 6)
TryHackMe Jr Penetration Tester path. Hack The Box Starting Point machines. Write up every completed room. Begin building your portfolio on GitHub.
4 Earn eJPT or PenTest+ (months 4 to 6)
Both are practical entry-level credentials. eJPT is fully hands-on and affordable at $200. PenTest+ is DoD-recognised. Either validates foundational offensive security skills before OSCP.
5 Build a portfolio (months 3 to 8)
10 or more documented HTB or TryHackMe machine writeups. Completed CTF challenges with writeups. A home lab with a vulnerable VM environment you attack and defend. All on public GitHub with clear readmes.
6 Apply for entry-level roles (months 6 to 8)
Junior penetration tester, junior ethical hacker, red team analyst, security consultant (offensive). Many entry roles are at consulting firms where you support senior testers before running solo engagements.
7 Earn OSCP (year 1 to 2)
Pursue OSCP after 6 to 12 months of professional experience. The 24-hour practical exam simulates a real engagement on a live network. Passing it is the signal most employers use to evaluate mid-level offensive security candidates.
How Metana’s Cybersecurity Bootcamp gets you started
Metana’s Cybersecurity Bootcamp covers the foundational offensive and defensive security skills that underlie penetration testing: network security, ethical hacking methodology, vulnerability assessment, and incident response. Live instruction, 1:1 mentorship, hands-on labs, and a job guarantee of at least $50,000 per year within 180 days.
Explore the Metana Cybersecurity Bootcamp
See the full curriculum, graduate outcomes, and guarantee terms. Ready to start your path into penetration testing?
Explore at metana.io/cybersecurity-bootcamp →
FAQ
How long does it take to become a penetration tester?
From zero to first entry-level pen tester role: 6 to 12 months with focused daily study, hands-on lab practice, and a Security+ plus eJPT or PenTest+ certification. From entry level to OSCP-certified mid-level tester: 1 to 3 years total. The timeline compresses significantly for candidates with prior IT or software development experience.
Do you need a degree to become a penetration tester?
No. 30% of penetration tester job postings do not require a degree or accept relevant experience as a substitute. The field is skills and certification-based. OSCP, CEH, and a documented portfolio carry more hiring weight than a computer science degree without hands-on experience. 45% of postings do list a degree as preferred, so it helps, but it is not required.
What is the most important penetration testing certification?
OSCP (Offensive Security Certified Professional) is the most in-demand certification, appearing in 35% of job postings. Its 24-hour practical exam on a live network simulates a real engagement and is the most reliable signal of hands-on offensive security competence. CEH appears in 30% of postings but is considered more of an HR filter than a technical credential by practitioners.
What programming languages do penetration testers need?
Python is the most important language, appearing in 40% of job postings as a hard requirement. It is used for custom exploit development, post-exploitation scripting, and automation. Bash for Linux environments and PowerShell for Windows and Active Directory testing are also essential. Full software development skills are not required, but functional scripting ability is expected at all levels.
How much do penetration testers earn?
Entry-level penetration testers earn $70K to $96K. Mid-level testers with OSCP earn $96K to $140K. Senior testers and red team operators earn $140K to $206K+. Cloud security specialisation and OSCP plus a domain-specific certification push salaries toward the upper end. Major metro areas (New York, San Francisco, Washington D.C.) pay significantly above the national median.