hands-of-man-user-using-computer-notebook-laptop-typing-on-keyboard-picture-id1154020340-min

Search For Schools

1
2

Penetration Tester (or Pen Tester): Career Outlook & Education Requirements

“Penetration testing needs to be done regardless of whether it is a compliance requirement or not. Penetration tests assess the security from a threat actor or malicious hacker perspective.”Phillip Wylie, OSCP, GWAPT, CISSP, Offensive Security Expert at Horizon3.ai

Can you imagine getting paid to break into someone’s house? Penetration testers are cybersecurity professionals launching planned computer system attacks to identify and assess security vulnerabilities. These ethical hackers are the secret service, club bouncers, and counterintelligence agents in the network security industry.

Known by many titles such as “pen testers,” information security analysts, and software developers, these positions have shared goals to protect privacy, eliminate threats, and prevent information theft. Corporations and government agencies such as the US Department of Homeland Security prioritize information security to maintain democracy, avoid litigation, prevent the spread of misinformation through disinfodemics, and keep supply chains resilient.

As proof of the point, in 2025, the US News & World Report ranked information security analysts number three best technology job. Notably, these positions are known for their growth potential, strong occupational outlook, and high salary while ranking low on stress overall. The Bureau of Labor Statistics (BLS 2025) shows the top three working environments for information security analysts are computer systems design services, finance and insurance, and management.

Not all combat heroes wear camouflage. Penetration testers protect our nation’s computer systems using a keyboard and computer science credentials. Learn more about the career outlook, salary, educational programs, and certifications to become a pen tester below.

Meet the Expert: Phillip Wylie, OSCP, GWAPT, CISSP

Phillip Wylie

Phillip Wylie is a seasoned cybersecurity professional with over two decades of experience in information technology and security. He currently serves as an Offensive Security Expert at Horizon3.ai, where he focuses on penetration testing and red teaming to help organizations identify and mitigate security vulnerabilities. He is also the founder and director of the Pwn School Project, an educational meetup group dedicated to teaching penetration testing and ethical hacking.

Wylie is also an accomplished author and podcaster. He co-authored “The Pentester Blueprint: Starting a Career as an Ethical Hacker,” a book that provides guidance for individuals aspiring to enter the field of penetration testing. He hosts “The Phillip Wylie Show,” a podcast where he shares insights from industry experts and discusses various topics related to cybersecurity.

His certifications include Offensive Security Certified Professional (OSCP) GIAC Web Application Penetration Tester (GWAPT), and Certified Information Systems Security Professional (CISSP), underscoring his dedication to maintaining high standards of professional competence in the field of cybersecurity.

ForensicsColleges.com: What is something you wish the public understood about penetration testers?

Wylie: I wish the public realized the importance of pentesting, and this is mainly from an IT or cybersecurity perspective. Penetration testing can be treated as just a check box item and not taken seriously. Penetration testing needs to be done regardless of whether it is a compliance requirement or not. Penetration tests assess the security from a threat actor or malicious hacker perspective. Since that is what organizations are protecting against, it only makes sense to test the security in the same way as the threat.

ForensicsColleges.com: What advice would you give to aspiring penetration testers?

Wylie: Aspiring penetration testers need to learn the fundamentals of technology and security, including networking and operating systems. It is hard to secure something you don’t understand, and very difficult to assess the security. Apiring penetration testers need to be actively networking in person and virtually. LinkedIn is the primary virtual platform, but X and its alternatives, as well as Discord servers, are also great places to learn and connect. In-person networking is often overlooked, yet it is a powerful way to connect and discover opportunities.

Job Outlook & Salary of Pen Testers (Information Security Analysts)

Internet-based crimes are rising, and so is the demand for highly qualified information security professionals. The FBI’s Internet Crimes Complaint Center (IC3) shows a record financial loss from internet crimes is 2024, ranging from ransomware to business email compromise schemes. Potential losses are calculated at more than 16.6 billion US dollars.

The BLS data confirms these trends, showing that information security analyst careers, an occupation similar to pen testers, are highly in-demand. From 2023 to 2033, the BLS (2025) shows information security analyst jobs will grow by 29 percent. This is more than nine times the national average (4 percent), and will create an estimated 52,100 new jobs in the same decade.

As stated, the BLS doesn’t track salary data for penetration testers but shows the median annual wage for information security analysts is $124,910 per year (BLS 2025). However, PayScale (2025), an aggregator of self-reported salary data, shows penetration testers, on average, earn $100,708 per year, based on 426 reported salaries. This figure doesn’t include bonuses and profit-sharing, which can add $487 to $22,000 more to an annual salary. Self-reported annual salary percentiles are as follows:

  • Entry-level (less than one year of experience): $73,000
  • Mid-career (5-9 years): $121,000
  • Experienced (10-19 years): $131,000
Career Quick Facts (Source: BLS May 2024) Penetration Testers (i.e., Pen Testers or Information Security Analysts)
Number of professionals employed 179,430
Annual mean wage $127,730
10th percentile $69,660
25th percentile $92,160
50th percentile (median) $124,910
75th percentile $159,600
90th percentile $186,420
Occupational growth from 2023 to 2033 29 percent (much faster than the national average)

A key factor that affects salaries is the cost of living. The Missouri Economic Research and Information Center (MERIC 2025) provides a cost of living data series that parses out each state’s housing, grocery, and utility costs and ranks them in terms of affordability. For example, MERIC shows that Mississippi is the most affordable state in the nation, while Hawaii is the most expensive. When considering salary offers, cost of living data helps determine a fair offer in the context of one’s place of residence.

To learn how to pursue this career, read a step-by-step guide to becoming a penetration tester.

How to Become a Penetration Tester

There are many ways to become a penetration tester, but here is one common career pathway.

Step 1: Graduate from high school (four years)

Many careers begin with a solid foundation of a high school diploma or GED. High school students who know they want to pursue an information security career should take as many computer science, mathematics, and engineering courses as possible.

Paid or unpaid internship opportunities can be very valuable for gaining real-world experience and standing out on college applications. Some penetration testers can find entry-level work with high school-level education and additional certifications or experience.

Step 2: Earn a bachelor’s degree (four years)

Many penetration tester careers require a bachelor’s degree in a STEM field such as computer science, mathematics, or engineering.

Some colleges offer degree programs in cybersecurity, such as the University of South Florida (USF), which offers a bachelor of science in cybersecurity (BSCYS). This on-campus program teaches the foundations of cybersecurity, software systems, policy, human factors, risk management, and ethics. This 120-credit program includes core courses in IT concepts, foundations of cybersecurity, and information security & IT risk management. Graduates are prepared to work as information security analysts for private companies and government agencies.

  • Location: Tampa, FL
  • Duration: Four years
  • Accreditation: Southern Association of Colleges and Schools Commission on Colleges (SACSCOC)

Step 3: Pursue professional certification (timeline varies)

Certification may not be required for all positions, but having it is a great way to stand out on job applications and demonstrate one’s knowledge and commitment to the field. Here are four certifications that enhance and verify the skillsets of a penetration tester.

Certified Information Systems Security Professional (CISSP)

Offered by (ISC)², the CISSP certification validates the knowledge and abilities of advanced cybersecurity professionals. The CISSP exam covers eight domains, and applicants can prepare with online self-paced, instructor-led, or in-person courses. The CISSP credential is accredited and recognized worldwide for its high standards of information security professionals.

CompTIA Security+

CompTIA Security+ is an entry-level network security exam. Credential holders can assess, monitor, secure, operate, and identify, analyze, and respond to security incidents. This exam is compliant with ISO 17024 standards and is approved by the US Department of Defense. The exam is 90 minutes in length and includes multiple-choice and performance-based questions. To pass, applicants must earn a minimum of 750 on a scale of 100-900.

EC-Council

Short for International Council of E-Commerce Consultants, EC-Council offers several cybersecurity certifications, including the Certified Penetration Testing Professional (CPENT) credential. The training consists of 14 modules focused on penetration scoping and engagement, and wireless penetration testing. Optional self-study modules are available in PowerShell scripting, Python environment and scripting, and mobile device penetration testing.

Those who score 70 percent or higher earn the CPENT certification, and those who score above 90 percent earn the LPT (Master) credential. EC-Council also offers a Certified Ethical Hacker (CEH) credential.

GIAC

GIAC offers the Penetration Tester (GPEN) credential, which vouches for an individual’s skills in conducting penetration tests to find exploits and approaching pen testing projects with a process-oriented approach. This exam is ideal for security personnel, penetration testers, ethical hackers, and other related professions. The proctored exam is 82 questions and must be completed in three hours with a passing score of 75 percent. The cost of GIAC exams starts at $849 per attempt.

Step 4: Get a master’s degree (optional; two years)

After gaining some experience in entry-level cybersecurity, those who want to blend their computer networking skills and lead information security teams can pursue a master of science in cybersecurity. Graduates from these programs are well-positioned for management careers and C-suite level positions such as chief security officers (CSO), chief information officers (CIO), and chief information security officers (CISO).

The University of Houston (UH) offers a master of science (MS) in cybersecurity. This 30-credit on-campus program features core courses such as project management principles, secure enterprise computing, and cryptography & cybersecurity.

Applicants should submit an application, official bachelor’s degree transcripts, letters of recommendation, a personal statement, and a resume. GRE and GMAT waivers are available for those who have recently graduated from the University of Houston or meet minimum GPA requirements.

  • Location: Houston, TX
  • Duration: Two years
  • Accreditation: Southern Association of Colleges and Schools Commission on Colleges (SACSCOC)

Online Penetration Tester & Cybersecurity Programs

Here are six programs offering bachelor’s and master’s degrees in IT security and cybersecurity. Many of these programs offer both on-campus and online programs.

Oklahoma State University

The Institute of Technology at Oklahoma State University (OSUIT) offers a fully online bachelor of technology in IT-cybersecurity & digital forensics. This 121-credit program prepares graduates for specialized work in protecting computer systems and networks from hackers, cyber terrorists, and viruses.

Core courses include an introduction to computer logic, hardware systems support, and information security principles. Students can complete this program in two, three, or four years, depending on transfer credits.

  • Location: Okmulgee, OK
  • Duration: Two to four years
  • Accreditation: Computing Accrediting Commission of ABET

Purdue Global University

Purdue Global University offers an online bachelor of science degree in cybersecurity. Students in this 180-credit program can expect to spend 15-18 hours per week in classes that last for ten weeks. Students can choose from six cybersecurity concentrations in CISSP certification prep, cloud computing, data management, game development, programming & analytics, and supply chain management and logistics.

Students in this program are prepared to analyze computing problems and develop solutions to information security vulnerabilities. Purdue Global University is designated by the National Security Agency (NSA) and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE).

  • Location: West Lafayette, IN
  • Duration: Four years
  • Accreditation: Computing Accrediting Commission of ABET

University of Texas-San Antonio

The Carlos Alvarez College of Business at UTSA offers an online bachelor of business administration in cyber security. Students in this program are well-positioned for IT management careers that require leadership and computer science skills.

Courses include programming languages with scripting, network security, and intrusion detection and incident response. UTSA also offers a minor in digital forensics. Graduates from this program pursue careers in cybersecurity analysis, information security, network security, and vulnerability assessment.

  • Location: San Antonio, TX
  • Duration: Four years
  • Accreditation: Association to Advance Collegiate Schools of Business (AACSB International)

University of Arizona

A joint program administered by the Eller College of Management and the College of Engineering, the University of Arizona offers a 33-credit masters of science of cybersecurity. Students in this program choose to specialize in information systems (eight weeks) or physical systems track (16 weeks).

Students in this program learn through didactic and interactive courses in information security management. Students in this program can opt to earn an Enterprise Security Certificate through the National Security Agency and the U.S. Department of Homeland Security.

  • Location: Tucson, AA
  • Duration: Two years
  • Accreditation: Higher Learning Commission (HLC)

Southern New Hampshire University

Located in Manchester, New Hampshire, Southern New Hampshire University (SNHU) offers an online master of science in cyber security. Students in this 36-credit program can complete their studies in as few as 15 months and opt for an IT management concentration.

Courses include information security governance, management, leadership, collaboration, and communication. Applications are accepted on a rolling basis, and this program is designed for those aiming to advance their IT careers.

  • Location: Manchester, NH
  • Duration: 15-24 months
  • Accreditation: New England Commission of Higher Education (NECHE)

Georgia Institute of Technology

Georgia Tech offers an online master of science (OMS) in cybersecurity that reflects the same educational quality as the on-campus equivalent. The 32-credit program consists of ten courses and can be completed in two or three years part-time.

The curriculum includes 12 hours of required courses, such as an introduction to information security and information security policies and strategies. Election courses consist of six hours of courses in advanced operating systems, database system concepts & design. A five-hour capstone course is required for graduation requiring students to identify and solve a real-world security problem.

  • Location: Atlanta, GA
  • Duration: Two to three years
  • Accreditation: Southern Association of Colleges and Schools Commission on Colleges (SACSCOC)
Writer

Kimmy Gustafson

Kimmy Gustafson’s expertise and passion for investigative storytelling extends to the world of forensics, where she brings a wealth of knowledge and captivating narratives to readers seeking insights into this intriguing world. She has interviewed experts on little-known topics, such as how climate crimes are investigated and prosecuted, and has written for ForensicsColleges.com since 2019.

Kimmy has been a freelance writer for more than a decade, writing hundreds of articles on a wide variety of topics such as startups, nonprofits, healthcare, kiteboarding, the outdoors, and higher education. She is passionate about seeing the world and has traveled to over 27 countries. She holds a bachelor’s degree in journalism from the University of Oregon. When not working, she can be found outdoors, parenting, kiteboarding, or cooking.

Writer

Rachel Drummond, MEd

Rachel Drummond has given her writing expertise to ForensicsColleges.com since 2019, where she provides a unique perspective on the intersection of education, mindfulness, and the forensic sciences. Her work encourages those in the field to consider the role of mental and physical well-being in their professional success.

Rachel is a writer, educator, and coach from Oregon. She has a master’s degree in education (MEd) and has over 15 years of experience teaching English, public speaking, and mindfulness to international audiences in the United States, Japan, and Spain. She writes about the mind-body benefits of contemplative movement practices like yoga on her blog, inviting people to prioritize their unique version of well-being and empowering everyone to live healthier and more balanced lives.

Related careers
Related programs
Related posts
May 6, 2025
Forensics Casefile: Stopping the Craigslist Killer

In order to catch tomorrow’s killers and to protect the innocent, forensics experts will need to look for critical evidence in the places it’s now most likely to be found: a stray email address, a grainy clip of surveillance footage, a single incriminating IP address pulled from a list of countless others.

April 18, 2025
Forensics Casefile: Catching the BTK Strangler

When BTK resumed his communication with the media in 2004, he overlooked a critical fact: this was now the 21st century, and law enforcement officers were becoming increasingly adept at forensic science.