Can you imagine getting paid to break into someone’s house? Penetration testers are cybersecurity professionals who launch planned attacks on computer systems to identify and assess security vulnerabilities. These ethical hackers are the secret service, club bouncers, and counterintelligence agents in the network security industry.
Known by many titles such as “pen testers,” information security analysts, and software developers, these positions have shared goals to protect privacy, eliminate threats, and prevent information theft. Corporations and government agencies such as the US Department of Homeland Security are prioritizing information security to maintain democracy, avoid litigation, prevent the spread of misinformation through disinfodemics, and keep supply chains resilient.
As a case in point, in 2022, US News & World Report ranked information security analysts number one on three lists: best jobs, best STEM jobs, and best technology jobs. Notably, these positions are known for their growth potential, strong occupational outlook, and high salary while ranking low on stress overall. The Bureau of Labor Statistics (BLS 2022) shows the top three working environments for information security analysts are computer systems design services, finance and insurance, and information industries.
Not all combat heroes wear camouflage. Penetration testers protect our nation’s computer systems using a keyboard and computer science credentials. Read on to learn more about the career outlook, salary, educational programs, and certifications to become a pen tester.
Internet-based crimes are rising, and so is the demand for highly qualified information security professionals. The FBI’s Internet Crime Complaint Center (IC3) shows a record number of Americans filed complaints in 2021, ranging from ransomware to business email compromise schemes. This represents a 7 percent increase compared to 2020, with potential losses calculated at more than 6.9 billion US dollars.
The BLS data confirms these trends, showing that information security analyst careers, an occupation similar to pen testers, are in high demand. From 2021 to 2031, the BLS (2022) shows information security analyst jobs will grow by 35 percent. This is seven times the national average (5 percent), and will create an estimated 56,500 new jobs in the same decade.
As stated, the BLS doesn’t track salary data for penetration testers but shows the median annual wage for information security analysts is $102,600 per year (BLS 2022). However, PayScale (2022), an aggregator of self-reported salary data, shows penetration testers, on average, earn $88,376 per year, based on 408 reported salaries. This figure doesn’t include bonuses and profit-sharing, which can add $705 to $20,000 more to an annual salary. Self-reported annual salary percentiles are as follows:
| Career Quick Facts (Source: BLS 2022) | Information Security Analysts |
|---|---|
| Number of professionals employed | 141,200 |
| Annual mean wage | $113,270 |
| 50th percentile (median) | $102,600 |
| Occupational growth from 2021 to 2031 | 35 percent (much faster than the national average) |
A key factor that affects salaries is the cost of living. The Missouri Economic Research and Information Center (MERIC) provides a cost of living data series that parses out each state’s housing, grocery, and utility costs and ranks them in terms of affordability. For example, MERIC shows that Mississippi is the most affordable state in the nation, while Hawaii is the most expensive. When considering salary offers, cost of living data helps determine a fair offer in the context of one’s place of residence.
Another significant factor to consider when job searching is which states employ the highest numbers of pen testers. Here are the top five employing states for information security analysts (BLS May 2021):
As for metropolitan areas, the BLS shows the following five cities employ the most information security analysts:
Interestingly, two of the top-employing states also pay the highest wages: New York and Maryland, meaning job prospects and compensation opportunities are high in these states. Iowa is the fifth most affordable state in the nation (MERIC September 2022) and the fourth-highest state for information security analysts, meaning those living and working in Iowa can statistically stretch their dollars the furthest.
Here are the top-paying states for information security analysts and their annual mean wages (BLS May 2021):
The metropolitan areas with the highest salaries according to the BLS are as follows:
In short, becoming a penetration tester or information security analyst is a lucrative career that pays nearly double the national average salary for all occupations: $58,260 (BLS May 2021). The highest concentration of jobs and top salaries are located in east or west coast states and a few inland states.
To learn how to pursue this career, read a step-by-step guide to becoming a penetration tester.
There are many ways to become a penetration tester, but here is one common career pathway.
Many careers begin with a solid foundation of a high school diploma or GED. High school students who know they want to pursue an information security career should take as many computer science, mathematics, and engineering courses as possible.
Paid or unpaid internship opportunities can be very valuable for gaining real-world experience and standing out on college applications. Some penetration testers can find entry-level work with high school-level education and additional certifications or experience.
Many penetration tester careers require a bachelor’s degree in a STEM field such as computer science, mathematics, or engineering.
Some colleges offer degree programs in cybersecurity, such as the University of South Florida (USF), which offers a bachelor of science in cybersecurity (BSCYS). This on-campus program teaches the foundations of cybersecurity, software systems, policy, human factors, risk management, and ethics. This 120-credit program includes core courses in IT concepts, foundations of cybersecurity, and information security & IT risk management. Graduates are prepared to work as information security analysts for private companies and government agencies.
Certification may not be required for all positions, but having it is a great way to stand out on job applications and demonstrate one’s knowledge and commitment to the field. Here are four certifications that enhance and verify the skillsets of a penetration tester.
Offered by (ISC)², the CISSP certification validates the knowledge and abilities of advanced cybersecurity professionals. The CISSP exam covers eight domains, and applicants can prepare with online self-paced, instructor-led, or in-person courses. The CISSP credential is accredited and recognized worldwide for its high standards of information security professionals. The cost of the exam is $749.
CompTIA Security+ is an entry-level network security exam. Credential holders can assess, monitor, secure, operate, and identify, analyze, and respond to security incidents. This exam is compliant with ISO 17024 standards and is approved by the US Department of Defense. The exam is 90 minutes in length and includes multiple-choice and performance-based questions. To pass, applicants must earn a minimum of 750 on a scale of 100-900. The exam costs $381.
Short for International Council of E-Commerce Consultants, EC-Council offers several cybersecurity certifications, including the Certified Penetration Testing Professional (CPENT) credential. The training consists of 14 modules focused on penetration scoping and engagement, and wireless penetration testing. Optional self-study modules are available in PowerShell scripting, Python environment and scripting, and mobile device penetration testing.
Those who score 70 percent or higher earn the CPENT certification, and those who score above 90 percent earn the LPT (Master) credential. The cost for this training program starts at $2,199. EC-Council also offers a Certified Ethical Hacker (CEH) credential.
GIAC offers the Penetration Tester (GPEN) credential, which vouches for an individual’s skills in conducting penetration tests to find exploits and approaching pen testing projects with a process-oriented approach. This exam is ideal for security personnel, penetration testers, ethical hackers, and other related professions. The proctored exam is 82 questions and must be completed in three hours with a passing score of 75 percent. The cost of GIAC exams starts at $849 per attempt.
After gaining some experience in entry-level cybersecurity, those who want to blend their computer networking skills and lead information security teams can pursue a master of science in cybersecurity. Graduates from these programs are well-positioned for management careers and C-suite level positions such as chief security officers (CSO), chief information officers (CIO), and chief information security officers (CISO).
The University of Houston (UH) offers a master of science (MS) in cybersecurity. This 30-credit on-campus program features core courses such as project management principles, secure enterprise computing, and cryptography & cybersecurity.
Applicants should submit an application, official bachelor’s degree transcripts, letters of recommendation, a personal statement, and a resume. GRE and GMAT waivers are available for those who have recently graduated from the University of Houston or meet minimum GPA requirements.
Here are six programs offering bachelor’s and master’s degrees in IT security and cybersecurity. Many of these programs offer both on-campus and online programs.
The Institute of Technology at Oklahoma State University (OSUIT) offers a fully online bachelor of technology in IT-cybersecurity & digital forensics. This 121-credit program prepares graduates for specialized work in protecting computer systems and networks from hackers, cyber terrorists, and viruses.
Core courses include an introduction to computer logic, hardware systems support, and information security principles. Students can complete this program in two, three, or four years depending on transfer credit.
Purdue Global University offers an online bachelor of science degree in cybersecurity. Students in this 180-credit program can expect to spend 15-18 hours per week in classes that last for ten weeks. Students can choose from six cybersecurity concentrations in CISSP certification prep, cloud computing, data management, game development, programming & analytics, and supply chain management and logistics.
Students in this program are prepared to analyze computing problems and develop solutions to information security vulnerabilities. Purdue Global University is designated by the National Security Agency (NSA) and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE).
The Carlos Alvarez College of Business at UTSA offers an online bachelor of business administration in cyber security. Students in this program are well-positioned for IT management careers that require leadership and computer science skills.
Courses include programming languages with scripting, network security, and intrusion detection and incident response. UTSA also offers a minor in digital forensics. Graduates from this program pursue careers in cybersecurity analysis, information security, network security, and vulnerability assessment.
A joint program administered by the Eller College of Management and the College of Engineering, the University of Arizona offers a 33-credit master of science in cybersecurity. Students in this program choose to specialize in the information systems track (eight weeks) or the physical systems track (16 weeks).
Students in this program learn through didactic and interactive courses in information security management. Students in this program can opt to earn an Enterprise Security Certificate through the National Security Agency and the U.S. Department of Homeland Security.
Located in Manchester, New Hampshire, Southern New Hampshire University (SNHU) offers an online master of science in cyber security. Students in this 36-credit program can complete their studies in as few as 15 months and opt for an IT management concentration.
Courses include information security governance, management, leadership, collaboration, and communication. Applications are accepted on a rolling basis, and this program is designed for those aiming to advance their IT careers.
Georgia Tech offers an online master of science (OMS) in cybersecurity that reflects the same educational quality as the on-campus equivalent. The 32-credit program consists of ten courses and can be completed in two or three years part-time.
The curriculum includes 12 hours of required courses, such as an introduction to information security and information security policies and strategies. Elective courses consist of six hours of courses in advanced operating systems and database system concepts & design. A five-hour capstone course, required for graduation, has students identify and solve a real-world security problem.
Rachel Drummond is a freelance writer, educator, and yogini from Oregon. She’s taught English to international university students in the United States and Japan for more than a decade and has a master’s degree in education from the University of Oregon. Rachel writes about meditation, yoga, coaching, and more on her blog (Instagram: @racheldrummondyoga).