Search For Schools


Penetration Tester (or Pen Tester): Career Outlook & Education Requirements

Can you imagine getting paid to break into someone’s house? Penetration testers are cybersecurity professionals launching planned computer systems attacks to identify and assess security vulnerabilities. These ethical hackers are the secret service, club bouncers, and counterintelligence agents in the network security industry.

Known by many titles such as “pen testers,” information security analysts, and software developers, these positions have shared goals to protect privacy, eliminate threats, and prevent information theft. Corporations and government agencies such as the US Department of Homeland Security are prioritizing information security to maintain democracy, avoid litigation, prevent the spread of misinformation through disinfodemics, and keep supply chains resilient.

As proof of point, in 2022, the US News & World Report ranked information security analysts number one on three lists: best jobs, best STEM jobs, and best technology jobs. Notably, these positions are known for their growth potential, strong occupational outlook, and high salary while ranking low on stress overall. The Bureau of Labor Statistics (BLS 2022) shows the top three working environments for information security analysts are computer systems design services, finance and insurance, and information industries.

Not all combat heroes wear camouflage. Penetration testers protect our nation’s computer systems using a keyboard and computer science credentials. Read on to learn more about the career outlook, salary, educational programs, and certifications to become a pen tester.

Job Outlook & Salary of Pen Testers (Information Security Analysts)

Internet-based crimes are rising, and so is the demand for highly-qualified information security professionals. The FBI’s Internet Crimes Complaint Center (IC3) shows a record number of Americans filed complaints in 2021, ranging from ransomware to business email compromise schemes. This represents a 7 percent increase compared to 2020, with potential losses calculated at more than 6.9 billion US dollars.

The BLS data confirms these trends, showing that information security analyst careers, an occupation similar to pen testers, are highly in-demand. From 2021 to 2031, the BLS (2022) shows information security analyst jobs will grow by 35 percent. This is seven times the national average (5 percent), and will create an estimated 56,500 new jobs in the same decade.

As stated, the BLS doesn’t track salary data for penetration testers but shows the median annual wage for information security analysts is $102,600 per year (BLS 2022). However, PayScale (2022), an aggregator of self-reported salary data, shows penetration testers, on average, earn $88,376 per year, based on 408 reported salaries. This figure doesn’t include bonuses and profit-sharing, which can add $705 to $20,000 more to an annual salary. Self-reported annual salary percentiles are as follows:

  • Entry-level (less than one year of experience): $70,000
  • Mid-career (5-9 years): $106,000
  • Experienced (10-19 years): $118,884
Career Quick Facts (Source: BLS 2022) Information Security Analysts
Number of professionals employed 141,200
Annual mean wage $113,270
10th percentile $61,520
25th percentile $79,400
50th percentile (median) $102,600
75th percentile $131,340
90th percentile $165,920
Occupational growth from 2021 to 2031 35 percent (much faster than the national average)

A key factor that affects salaries is the cost of living. The Missouri Economic Research and Information Center (MERIC) provides a cost of living data series that parses out each state’s housing, grocery, and utility costs and ranks them in terms of affordability. For example, MERIC shows that Mississippi is the most affordable state in the nation, while Hawaii is the most expensive. When considering salary offers, cost of living data helps determine a fair offer in the context of one’s place of residence.

Another significant factor to consider when job searching is which states employ the highest numbers of pen testers. Here are the top five employing states for information security analysts (BLS May 2021):

  • Virginia: 16,930 information security analysts employed
  • Texas: 13,530
  • Florida: 9,360
  • New York: 7,500
  • Maryland: 7,330

As for metropolitan areas, the BLS shows the following five cities employ the most information security analysts:

  • Washington-Arlington-Alexandria, DC-VA-MD-WV: 15,690 employed
  • New York-Newark, Jersey City, NY-NJ-PA: 10,250
  • Dallas-Fort Worth-Arlington, TX: 5,400
  • Baltimore-Columbia-Towson, MD: 4,050
  • Atlanta-Sandy Springs-Roswell, GA: 4,020

Interestingly, two of the top-employing states also pay the highest wages: New York and Maryland, meaning job prospects and compensation opportunities are high in these states. Iowa is the fifth most affordable state in the nation (MERIC September 2022) and the fourth-highest state for information security analysts, meaning those living and working in Iowa can statistically stretch their dollars the furthest.

Here are the top-paying states for information security analysts and their annual mean wages (BLS May 2021):

  • California: $135,200 per year
  • New York: $133,210
  • Maryland: $126,650
  • Iowa: $125,650
  • District of Columbia: $124,980

The metropolitan areas with the highest salaries according to the BLS are as follows:

  • San Jose-Sunnyvale-Santa Clara, CA: $150,820 average annual salary
  • San Francisco-Oakland-Hayward, CA: $149,250
  • Des Moines-West Des Moines, IA: $135,080
  • New York-Newark-Jersey City, NY, NJ, PA: $134,390
  • Idaho Falls, ID: $134,100

In short, becoming a penetration tester or information security analyst is a lucrative career that pays nearly double the national average salary for all occupations: $58,260 (BLS May 2021). The highest concentration of jobs and top salaries are located in east or west coast states and a few inland states.

To learn how to pursue this career, read a step-by-step guide to becoming a penetration tester.

How to Become a Penetration Tester

There are many ways to become a penetration tester, but here is one common career pathway.

Step 1: Graduate from high school (four years)

Many careers begin with a solid foundation of a high school diploma or GED. High school students who know they want to pursue an information security career should take as many computer science, mathematics, and engineering courses as possible.

Paid or unpaid internship opportunities can be very valuable for gaining real-world experience and standing out on college applications. Some penetration testers can find entry-level work with high school-level education and additional certifications or experience.

Step 2: Earn a bachelor’s degree (four years)

Many penetration tester careers require a bachelor’s degree in a STEM field such as computer science, mathematics, or engineering.

Some colleges offer degree programs in cybersecurity, such as the University of South Florida (USF), which offers a bachelor of science in cybersecurity (BSCYS). This on-campus program teaches the foundations of cybersecurity, software systems, policy, human factors, risk management, and ethics. This 120-credit program includes core courses in IT concepts, foundations of cybersecurity, and information security & IT risk management. Graduates are prepared to work as information security analysts for private companies and government agencies.

  • Location: Tampa, FL
  • Duration: Four years
  • Accreditation: Southern Association of Colleges and Schools Commission on Colleges (SACSCOC)
  • Tuition: $106 per credit (in-state); $212 per credit (out-of-state)

Step 3: Pursue professional certification (timeline varies)

Certification may not be required for all positions, but having it is a great way to stand out on job applications and demonstrate one’s knowledge and commitment to the field. Here are four certifications that enhance and verify the skillsets of a penetration tester.

Certified Information Systems Security Professional (CISSP)

Offered by (ISC)², the CISSP certification validates the knowledge and abilities of advanced cybersecurity professionals. The CISSP exam covers eight domains, and applicants can prepare with online self-paced, instructor-led, or in-person courses. The CISSP credential is accredited and recognized worldwide for its high standards of information security professionals. The cost of the exam is $749.

CompTIA Security+

CompTIA Security+ is an entry-level network security exam. Credential holders can assess, monitor, secure, operate, and identify, analyze, and respond to security incidents. This exam is compliant with ISO 17024 standards and is approved by the US Department of Defense. The exam is 90 minutes in length and includes multiple-choice and performance-based questions. To pass, applicants must earn a minimum of 750 on a scale of 100-900. The exam costs $381.


Short for International Council of E-Commerce Consultants, EC-Council offers several cybersecurity certifications, including the Certified Penetration Testing Professional (CPENT) credential. The training consists of 14 modules focused on penetration scoping and engagement, and wireless penetration testing. Optional self-study modules are available in PowerShell scripting, Python environment and scripting, and mobile device penetration testing.

Those who score 70 percent or higher earn the CPENT certification, and those who score above 90 percent earn the LPT (Master) credential. The cost for this training program starts at $2,199. EC-Council also offers a Certified Ethical Hacker (CEH) credential.


GIAC offers the Penetration Tester (GPEN) credential, which vouches for an individual’s skills in conducting penetration tests to find exploits and approaching pen testing projects with a process-oriented approach. This exam is ideal for security personnel, penetration testers, ethical hackers, and other related professions. The proctored exam is 82 questions and must be completed in three hours with a passing score of 75 percent. The cost of GIAC exams starts at $849 per attempt.

Step 4: Get a master’s degree (optional; two years)

After gaining some experience in entry-level cybersecurity, those who want to blend their computer networking skills, and lead information security teams can pursue a master of science in cybersecurity. Graduates from these programs are well-positioned for management careers and C-suite level positions such as chief security officers (CSO), chief information officers (CIO), and chief information security officers (CISO).

The University of Houston (UH) offers a master of science (MS) in cybersecurity. This 30-credit on-campus program features core courses such as project management principles, secure enterprise computing, and cryptography & cybersecurity.

Applicants should submit an application, official bachelor’s degree transcripts, letters of recommendation, a personal statement, and a resume. GRE and GMAT waivers are available for those who have recently graduated from the University of Houston or meet minimum GPA requirements.

  • Location: Houston, TX
  • Duration: Two years
  • Accreditation: Southern Association of Colleges and Schools Commission on Colleges (SACSCOC)
  • Tuition: $642 per credit (in-state); $1,150 per credit (out-of-state)

Online Penetration Tester & Cybersecurity Programs

Here are six programs offering bachelor’s and master’s degrees in IT security and cybersecurity. Many of these programs offer both on-campus and online programs.

Oklahoma State University

The Institute of Technology at Oklahoma State University (OSUIT) offers a fully online bachelor of technology in IT-cybersecurity & digital forensics. This 121-credit program prepares graduates for specialized work in protecting computer systems and networks from hackers, cyber terrorists, and viruses.

Core courses include an introduction to computer logic, hardware systems support, and information security principles. Students can complete this program in two, three, or four years depending on transfer credit.

  • Location: Okmulgee, OK
  • Duration: Two to four years
  • Accreditation: Computing Accrediting Commission of ABET
  • Tuition: $6,702.75 per year

Purdue Global University

Purdue Global University offers an online bachelor of science degree in cybersecurity. Students in this 180-credit program can expect to spend 15-18 hours per week in classes that last for ten weeks. Students can choose from six cybersecurity concentrations in CISSP certification prep, cloud computing, data management, game development, programming & analytics, and supply chain management and logistics.

Students in this program are prepared to analyze computing problems and develop solutions to information security vulnerabilities. Purdue Global University is designated by the National Security Agency (NSA) and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE).

  • Location: West Lafayette, IN
  • Duration: Four years
  • Accreditation: Computing Accrediting Commission of ABET
  • Tuition: $371 per credit

University of Texas-San Antonio

The Carlos Alvarez College of Business at UTSA offers an online bachelor of business administration in cyber security. Students in this program are well-positioned for IT management careers that require leadership and computer science skills.

Courses include programming languages with scripting, network security, and intrusion detection and incident response. UTSA also offers a minor in digital forensics. Graduates from this program pursue careers in cybersecurity analysis, information security, network security, and vulnerability assessment.

  • Location: San Antonio, TX
  • Duration: Four years
  • Accreditation: Association to Advance Collegiate Schools of Business (AACSB International)
  • Tuition: $450 per credit hour

University of Arizona

A joint program administered by the Eller College of Management and the College of Engineering, the University of Arizona offers a 33-credit masters of science of cybersecurity. Students in this program choose to specialize in information systems (eight weeks) or physical systems track (16 weeks).

Students in this program learn through didactic and interactive courses in information security management. Students in this program can opt to earn an Enterprise Security Certificate through the National Security Agency and the U.S. Department of Homeland Security.

  • Location: Tucson, AA
  • Duration: Two years
  • Accreditation: Higher Learning Commission (HLC)
  • Tuition: $1,332 per credit

Southern New Hampshire University

Located in Manchester, New Hampshire, Southern New Hampshire University (SNHU) offers an online master of science in cyber security. Students in this 36-credit program can complete their studies in as few as 15 months and opt for an IT management concentration.

Courses include information security governance, management, leadership, collaboration, and communication. Applications are accepted on a rolling basis, and this program is designed for those aiming to advance their IT careers.

  • Location: Manchester, NH
  • Duration: 15-24 months
  • Accreditation: New England Commission of Higher Education (NECHE)
  • Tuition: $627 per credit

Georgia Institute of Technology

Georgia Tech offers an online master of science (OMS) in cybersecurity that reflects the same educational quality as the on-campus equivalent. The 32-credit program consists of ten courses and can be completed in two or three years part-time.

The curriculum includes 12 hours of required courses, such as an introduction to information security and information security policies and strategies. Election courses consist of six hours of courses in advanced operating systems, database system concepts & design. A five-hour capstone course is required for graduation requiring students to identify and solve a real-world security problem.

  • Location: Atlanta, GA
  • Duration: Two to three years
  • Accreditation: Southern Association of Colleges and Schools Commission on Colleges (SACSCOC)
  • Tuition: $310 per credit

Rachel Drummond, MEd

Rachel Drummond has given her writing expertise to ForensicsColleges.com since 2019, where she provides a unique perspective on the intersection of education, mindfulness, and the forensic sciences. Her work encourages those in the field to consider the role of mental and physical well-being in their professional success.

Rachel is a writer, educator, and coach from Oregon. She has a master’s degree in education (MEd) and has over 15 years of experience teaching English, public speaking, and mindfulness to international audiences in the United States, Japan, and Spain. She writes about the mind-body benefits of contemplative movement practices like yoga on her blog, inviting people to prioritize their unique version of well-being and empowering everyone to live healthier and more balanced lives.