SANS Penetration Testing

So You Wanna Be a Pen Tester? 3 Paths To Consider

(Blog Updated: 1/10/18)

Tips for Entering the Penetration Testing Field

By Ed Skoudis

It's an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I'm frequently asked about how someone can land their first job in the field after they've acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I've counseled a lot of my friends and acquaintances as they've moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let's zoom into three of the most promising. It's worth noting that these three paths aren't mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Path A: General Enterprise Security Practitioner Moving to Penetration Testing

First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today, you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours in helping out, without getting a break from your "regular" job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you'll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly in the heart of penetration testing work.

Path B: Working for a Company or Division that Focuses on Penetration Testing

There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.

Path C: Going Out on Your Own

If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you've built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.

Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you've created. You see, to excel in pen testing, you can't think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.


Additional SANS Penetration Testing Resources

Upcoming SANS Webcasts:

Being Offensive in the Workplace - presented by Derek Rook - March 29th, 2018 - 3:30pm EST

Hitting every rock on the way down: A look back at 15 years of pentesting with John Strand - presented by instructor, John Strand - April 12th, 2018 - 3:30pm EST

So, You Wanna Be a Pen Tester? 3 Paths to Consider - presented by instructor, Ed Skoudis - June 19th, 2018 - 3:30pm EST



Pen Test Cheat Sheets:









SANS Pen Test Posters:

Blueprint: Building a Better Pen Tester - PDF Download

White Board of Command Line Kung-Fu - PDF Download

Attack Surfaces - PDF Download



Build your Skills (Free): - Available 24/7/365 to build your InfoSec skills. Holiday-themed challenges from the makers of SANS NetWars and our Penetration Testing Course. - A massive and up-to-date list of places to practice InfoSec skills online



SANS Penetration Testing Webcasts:

How Not to Suck at Pen Testing - presented by SANS Instructor, John Strand

How to Give the Best Pen Test of Your Life - presented by SANS Fellow, Ed Skoudis

Which SANS Pen Test Course Should I Take? - Feb 2018 Edition - presented by Ed Skoudis and Joshua Wright. Includes bonus content, "How to Reverse Mobile Apps"

Build your Own Home Lab - presented by SANS Instructor, Jeff McJunkin. Jeff walks through a step-by-step process for building your own home lab so that you can develop the skills you need to be a professional penetration tester.

Blueprint: Building a Better Pen Tester - presented by SANS Fellow, Ed Skoudis. Listen as Ed teaches penetration testing by using the tips on the SANS Pen Test Poster - Blueprint (PDF).

Physical Security - Everything Wrong With Your Typical Door - presented by Deviant Ollam. This is a great introduction to physical pen testing.

SANS Penetration Testing YouTube Channel - filled with numerous SANS Webcasts and InfoSec Conference talks given by SANS Penetration Testing Instructors.



SANS Pen Test Training:

SEC560: Network Penetration Testing and Ethical Hacking - our core penetration testing course. Prepare for GIAC - Penetration Testing Certification (GPEN)

SEC542: Web App Penetration Testing and Ethical Hacking - introduction to intermediate web application penetration testing. Prepare for GIAC - Web Application Penetration Tester Certification (GWAPT)




I am teaching SEC560: Network Penetration Testing and Ethical Hacking at SANS Pen Test Austin in March 2018.


SANS Pen Test Austin 2018 - Training Event:


  • Choose from 12 world-class training courses w/ our best instructors!
  • Play in (3) Nights of NetWars
  • Join a team as you hack/defend SANS CyberCity
  • Enjoy a special night of networking and fun for all attendees
  • Earn up to (5) SANS Pen Test Challenge Coins during Coin-A-Palooza
  • March 19 - 24, 2018 - Austin, TX
  • Learn more:


Posted July 8, 2013 at 7:42 AM | Permalink | Reply

backwaters kerala

Great blog nice n useful information , it is very helpful for me , I realy appreciate thanks for sharing. I would like to read more information thanks.

Posted January 6, 2014 at 11:27 AM | Permalink | Reply

star hotels in calicut

This is really informative. I have been searching on line for an effective system.I think this is the one. thank you so much! More power to you and to your site.

Posted January 9, 2018 at 8:38 PM | Permalink | Reply

Ian Lee

Is the link to the Security Bistro article dead? (

Post a Comment


* Indicates a required field.