Penetration Tester

Companies pay you to legally break into their systems and show them how. It's detective work with a lot of failed attempts, weird tooling, and writing reports nobody wants to read.

What Tuesday looks like

You're on day four of a two-week engagement testing a client's web application. Morning is spent poking at an authentication flow you suspect is broken — you try a dozen variations of a token replay attack, nothing works, until one does and you get into another user's account. You screenshot everything carefully because proof matters. You log the finding in your notes and keep going; one bug isn't enough. Lunch is a sandwich while reading a blog post about a new SSRF technique. Afternoon you switch to running automated scans against a staging environment and sorting through hundreds of false positives. A client calls panicking about an unrelated alert; you explain it's not from you. The last two hours are writing — translating today's findings into clear language for a report a non-technical executive will skim. You'll do this for nine more days, then start a new client and learn a completely different stack.

Career profile

Career shape

Tap or hover each point to explore a dimension

MeaningAutonomyWork-lifeCommunityStressAccessible

In the landscape

PayMeaning

Tap or hover any dot to identify a career

Salary range

No salary data

10-yr growth

+33%

AI reshaping

8/10 exposure

Reward profile

3 quick questions to see how this career fits the way you work.

What school costs — and when it pays off

Bachelor's degree · Four years at a public university. Costs here use the cheaper in-state rate.

The chart shows your annual salary over time alongside the annual loan repayment. The shaded band at the bottom is what goes to the loan each year — when it disappears, your full salary is yours.

Strong return

School cost fully covered by year 8, with strong earnings well beyond that.

Entry-level salary

$95K

25th percentile — what most people start at

Experienced salary

$158K

75th percentile — after ~10 years in the field

School & training cost

$80K

+ $29K interest over 10 yrs

Loan paid off

Year 14

$910/mo for 10 years

Annual salary
Loan repayment
GraduateLoan paid off$0$62K$124K$186KYr 0Yr 5Yr 10Yr 15Yr 20$101K/yr$145K/yr$158K/yr

First year of work

Gross monthly$8,442
Loan payment−$910
Left over$7,532

After loan's paid (yr 14)

Gross monthly$13,167
Take-home$13,167

Salary range reflects 25th–75th percentile nationally, growing from entry-level to experienced over 10 working years. School costs are national averages — yours will vary. Loan assumes you borrow the full amount at 6.54% interest, repaid over 10 years. Monthly figures are pre-tax.

The first years

Year 0: Getting In

You're finishing a CS or cybersecurity degree while grinding Hack The Box, TryHackMe, or PortSwigger Web Security Academy on the side. Coursework barely touches actual offensive security, so most of what you'll use on the job you teach yourself at night. You apply to 60+ junior pentester or SOC analyst roles and hear back from maybe five — most firms want a year or two of experience even for 'entry' roles. Many people take a help desk or SOC job first just to get a foot in the door, then pivot.

Year 1–2: Junior Pentester

You're the person running the scans, sorting through false positives, and writing the boring sections of the report while a senior tester handles the trickier exploitation work. Pay is usually $65k–$85k depending on the city. You're studying for certs (OSCP is the big one) on weekends because your employer half-expects it and your next raise depends on it. You'll fail a lot — most tests you run during this period, you barely scratch the surface before time runs out.

Year 3–4: Mid-Level, Pick a Lane

You've passed OSCP, you can lead a web app or network engagement on your own, and you're starting to find real bugs without hand-holding. Pay is $95k–$130k. The work is steadier but also repetitive — the same misconfigurations, the same SQL injection in legacy apps, the same report template. You realize 'pentester' isn't one job, it's ten, and the people who plateau are the ones who try to stay generalists forever.

Decision point

Do you specialize (red team operator, cloud security, hardware/IoT, application security engineer at one company) or stay a generalist consultant? Specializing means deeper work, better pay long-term, and harder job switches. Staying broad means more variety but you'll compete with cheaper offshore testing and AI-assisted scanning as the field automates the easier work.

Year 5–7: Senior / Specialist

You're leading engagements, scoping client work, mentoring juniors, and writing the parts of reports that actually matter — the executive summary and the strategic recommendations. Pay is typically $140k–$200k, more if you went the red team or appsec route at a big tech company. The grind is different now: less time hands-on-keyboard, more time on calls explaining risk to people who don't understand it. Some people love this shift; others miss the puzzle-solving and quietly start looking for bug bounty work on the side.

Related paths