JobCannon

Penetration Testing (Ethical Hacking)

Find vulnerabilities before attackers do: pentesting, exploits, CTF

Tier 2 (Tech)
Salary impact: High
Time to learn: 12 months
Difficulty: Hard
Careers: 3
TL;DR

Penetration testing (ethical hacking) is simulating attacks on systems to find security weaknesses before malicious actors do. Career path: Junior Penetration Tester (OWASP Top 10, Burp Suite, web apps, $95-130k) → Senior Pentester (network pentesting, exploit development, $140-200k) → Red Team Lead (zero-day research, advanced persistence, strategic advisory, $180-280k+) over 12-24 months. Certifications matter heavily: OSCP (Offensive Security Certified Professional, industry gold standard) = immediate credibility, CEH (Certified Ethical Hacker) = breadth, OSWE (web exploitation) = specialization. Typical toolkit: Burp Suite (web apps), Metasploit (network exploits), Nmap (reconnaissance), Wireshark (traffic analysis), Kali Linux (penetration platform), Cobalt Strike (red team), BloodHound (Active Directory), plus custom scripting (Python/Bash). High salary premium: +$40k-$80k above base due to specialization, direct security impact, and limited talent pool.

What is Penetration Testing (Ethical Hacking)

Penetration testing (pentesting) is the authorized practice of simulating attacks on computer systems, networks, and applications to identify security weaknesses before malicious actors exploit them. Unlike passive vulnerability scanning, pentesting actively exploits vulnerabilities to prove impact and assess damage potential. Modern pentesting spans three domains: web application testing (OWASP Top 10 vulnerabilities), network/infrastructure testing (lateral movement, privilege escalation), and red team operations (advanced persistence, evasion, reporting business impact). In 2026, pentesting is table stakes for compliance (PCI-DSS, HIPAA, SOC 2) and a business necessity for any company handling sensitive data. Ethical hackers earn premiums because the alternative—data breach—is catastrophic: average breach cost is $4.5M (IBM 2025), making a $50k-$200k annual pentesting contract a risk-reduction bargain. Career scope: junior pentesters focus on web apps and vulnerability discovery; seniors handle network pivoting and multi-stage exploitation; red team leads design full attack campaigns and teach defensive teams to detect them.

🔧 TOOLS & ECOSYSTEM

Burp Suite, Metasploit, Nmap, Wireshark, Kali Linux, Cobalt Strike, BloodHound, Mimikatz, Hydra, John the Ripper, Hashcat, OWASP ZAP, sqlmap

💰 Salary by region

Region    Junior    Mid       Senior
USA       $130k     $180k     $240k
UK        £85k      £120k     £160k
EU        €90k      €130k     €180k
Canada    C$135k    C$190k    C$250k

🎯 Careers using Penetration Testing (Ethical Hacking)

❓ FAQ

OSCP vs CEH — which certification should I get first?
OSCP is harder but more respected. OSCP = hands-on lab work (40h+ exploitation), exam = proctored 24h live hacking challenge, teaches practical skills. CEH = multiple choice study path, easier to pass, but industry perception = 'checkbox cert'. Rule: OSCP first if you want to do real pentesting; CEH for breadth. Most senior pentesters have OSCP + OSWE or GWAPT. Don't skip fundamentals just to get a cert.

Web pentesting vs network pentesting vs red team — what's the difference and which should I specialize in?
Web pentesting = OWASP Top 10, SQLi, XSS, CSRF, insecure deserialization, API abuse. Tools: Burp Suite, sqlmap. Jobs: web appsec, bug bounty. Network pentesting = scanning, exploitation, post-exploitation on internal networks. Tools: Metasploit, Nmap, Mimikatz, BloodHound. Jobs: infrastructure pentest, red team operator. Red team = adversarial mindset, persistence, lateral movement, avoiding detection, reporting impact. Tools: Cobalt Strike, custom scripts, zero-days. Red team pays more (+$40-60k) but demands social engineering + patience. Most pentesters start web, transition to network if they enjoy systems, red team if they want the highest pay and longest engagements.

Should I do pentesting as an in-house security analyst or join a consulting firm?
In-house (AppSec team at big tech): salary stable $120-160k, fixed schedule, one codebase you know well, less pressure, easier work-life balance. Consulting (Mandiant, Cigital, Stratics): salary $130-200k, travel (15-30% per engagement), constant new challenges, client pressure, faster skill growth. Consultants burn out in 5-7 years; many move in-house. Rule: start consulting for 2-3 years to build skills fast, then move in-house if you want stability. Freelance? Avoid — clients don't pay well, liability is yours, reporting is hard.

Can I make money doing freelance bug bounties instead of employment?
Theoretically yes, practically rare above $80k/year. HackerOne top hunters earn $200k+, but 99% of bounty hunters earn <$30k. Requires: (1) elite skill (top 10% on platforms), (2) rapid exploitation speed (find bugs before 1000 other hunters), (3) market knowledge (know which programs pay well). Better approach: employment + bug bounties on the side. Freelance pentesting (not bounties) is possible ($5-15k per engagement) but requires an existing client network and insurance. Start employed, build reputation, transition later if you want.

Is tooling or technique more important in pentesting?
Technique > tooling, but tooling amplifies technique. A novice with Burp Suite is still a novice; an expert with wget can exploit anything. Focus on understanding: (1) network stacks (TCP/IP), (2) authentication/crypto basics, (3) common CVEs, (4) exploitation methodology. Then learn tools as force multipliers. Most jobs care about whether you can find real vulnerabilities, not whether you can use one particular tool. Tools change; methodology doesn't.

How important are writing and reporting skills in pentesting?
Critical. A pentester who finds 50 vulnerabilities but writes vague reports creates no impact. Clients pay for (1) finding bugs, (2) explaining business impact, (3) prioritizing fixes. Weak pentesters: 'SQL injection in login form' (what's the risk?). Good pentesters: 'SQL injection in login allows extracting password hashes, enabling account takeover of any user including admins; fix by using parameterized queries.' Invest in: technical writing, presentation skills, understanding compliance (GDPR, PCI-DSS). Communication skills = 40% of your job.

Do I need to know a specific programming language for pentesting?
No required language, but Python is essential. Use Python for: exploit automation, custom scanner extensions (Burp), post-exploitation scripting. Bash for quick one-liners. C/ASM only if you're doing kernel exploits or shellcode. Ruby/Go for Metasploit modules. Recommendation: strong Python (500+ lines), comfortable Bash, read other languages. Don't spend 6 months on C; spend it on methodology and tools.
