As with salaries in most fields, the answer here is it depends. In any field or industry there is a certain level of supply and demand that helps dictate salaries. Luckily in the field we’re discussing today, there is a pretty short supply of penetration testers out there and, therefore, the salaries we’re seeing tend to be higher. According to Indeed.com, the average salary of a penetration tester is $117,000. In addition to that, we’re seeing the market continue to trend higher. Today we will explore what impacts the salary of a penetration tester and, if you’re in the field, how you may be able to move the needle on your own salary more quickly.
1. Years of Experience
This may go without saying, but the more years of experience you have, the higher you should be getting paid. In the extremely specialized field of penetration testing, experience is crucial due to the technical expertise and risk of the job. But different than many other fields, it’s still a really young industry as a whole, and this experience won’t necessarily come in the form of directly holding a position as a penetration tester. Any technical experience is valuable for what a penetration tester does though, so years as a web developer, system administrator, or even IT helpdesk fit nicely here.
Additionally, all firms have different requirements that may elevate an engineer from a junior to senior level position, but this change in title usually comes with a salary increase as well. Some companies rely on years of experience, certain certifications, number of tests completed, and so on. And while it may not necessarily be the best way to determine salary, it can definitely factor in if you’ve currently got a senior-level position or are able to land one.
Wherever you land on the debate of whether certifications are necessary in this field, it’s the reality that the more credentials you possess the more favorably HR and hiring managers are going to look upon your salary request. There are some bare minimum certifications that are generally required to get you through whatever HR firewall is in place for a lot of large organizations, like the CISSP. Then there are more advanced certifications that may be a little more hands-on and valued to the more technical people in an organization, such as the OSCP. Anything you possess could potentially be used to validate your expertise to third-parties (e.g. when you are consulting) or even be marketing fodder when describing your organization (“Our team holds over 100 industry certifications…”). So certs can definitely factor into your salary.
There are a number of different security certifications out there now, and anything you’re interested in can make you a better penetration tester and further your career. SANS and Offensive Security put out some of the highest quality training out there, in my opinion. CREST and the EC-Council certifications are also gaining some steam. Here’s a few to consider:
- GPEN: GIAC Certified Penetration Tester
- GWAPT: GIAC Web Application Penetration Tester
- LPT: EC-Council Licensed Penetration Tester
- eCPPT: eLearnSecurity Certified Professional Penetration Tester
While the school that you graduated from is becoming less of a sticking point for hiring managers, it may still help you get your foot in the door for a junior level position. While education and formal degrees as a whole are becoming less emphasized, they do still make a difference at large organizations that have published standards for salary expectations and hiring thresholds. You may not be able to get a senior-level position in some organizations without a master’s degree, no matter how far behind security-related master’s degrees are for security-related fields right now. Similarly, any degree can help show a potential company that you at least have a solid baseline of written and verbal communication skills, which is very important for a lot of penetration testing positions, since we eventually have to write up our findings and present them to someone. If you’re more likely to be able to work with less hand holding, you may earn yourself higher pay.
In conclusion, after speaking with penetration testers across many different firms, we have seen a wide disparity in the salary of a penetration tester, ranging from ~$65k for a junior engineer to $200k+ for senior engineers. There are many things that can be done to help increase your salary (and you might learn something at the same time).